* Filesystem fuzzing
From: Eric Sesterhenn @ 2008-05-19 10:07 UTC
To: linux-fsdevel
Hi,

I do some regular filesystem fuzzing, based on a modified version
of lmh's fsfuzzer. I try to test current -git at least once a week.
Most modifications are adding new filesystems or mounting
them with different options, but I also added
some new tests like invoking iozone, fsx or fsstress if available.

I currently test vfat, udf, msdos, swap, iso9660, ext2,
ext3, ext4, hfs, hfsplus, gfs2, ntfs, minix, qnx4, affs and bfs.
I am not testing reiserfs and xfs since I don't even remotely have
a chance to get a clue when looking at the code; if someone maintaining
one of those filesystems is interested in oops reports, please let me know.
Cramfs is not getting tested since it tends to end in long loops
with lots of warnings. I can only test on a 32-bit x86 box at the
moment, so it might be interesting if someone runs this stuff on some
64-bit box or other architecture.

The current, modified version of the fuzzer can be found here:

http://www.cccmz.de/~snakebyte/fsfuzzer-0.6-lmh2.tar.bz2

To test bfs you need to put the bfs example files from
http://sourceforge.net/project/showfiles.php?group_id=39575 into
an images/ subdirectory. Same goes for hpfs with the file
from http://sourceforge.net/project/showfiles.php?group_id=39575,
and for adf you need bubblebobble.adf (not sure if I am
allowed to link or redistribute this).

If someone can point me to an mkfs tool for bfs, hpfs or
adf I would be thankful.
Same goes for vxfs; if someone has an image or a tool
to create images this would be helpful.

If someone has additional ideas what one could check, please
let me know :-)

At the moment the only oopses I see are with bfs and hfs;
if you are interested please take a look:

http://kerneloops.org/raw.php?rawid=10088&msgid=
http://kerneloops.org/raw.php?rawid=11232&msgid=

I still have the images and can reproduce and try patches.
For the hfs one, there is similar code in hfs+ but with
a check to prevent this, triggering a warn and an oops later
if I try to port this to hfs.

Greetings, Eric
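As an added example (written for this page; it is not Eric's fsfuzzer and not code from the thread), here is the mutation step such a fuzzer performs between creating an image and mounting it, written so that the corruption is reproducible from a seed rather than only from a saved copy of the image. The function names, the xorshift32 generator and the flip-with-0xff choice are this example's own assumptions.

```c
/* Added example, not code from the thread or from fsfuzzer: a seeded
 * byte-flip mutator for filesystem images.  The same seed and flip
 * count always yield the same corrupted image, so a crash found in
 * one run can be reproduced from (seed, count) instead of from a
 * saved copy of every image.  Names and the xorshift generator are
 * this example's own choices. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

/* xorshift32: tiny, deterministic, fine for choosing offsets.  Its
 * state must never be zero, so a zero seed is remapped. */
static uint32_t xorshift32(uint32_t *state)
{
    uint32_t x = *state ? *state : 0x9e3779b9u;

    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *state = x;
}

/* XOR `flips` bytes of buf[0..len) with 0xff at seeded-random offsets.
 * Each chosen offset is also written to `offsets` (room for `flips`
 * entries, or NULL) so the mutation can be logged next to any oops.
 * Returns the number of flips applied; 0 for an empty buffer. */
size_t mutate_buffer(uint8_t *buf, size_t len, size_t flips,
                     uint32_t seed, size_t *offsets)
{
    uint32_t state = seed;
    size_t i;

    if (len == 0)
        return 0;
    for (i = 0; i < flips; i++) {
        size_t off = xorshift32(&state) % len;

        buf[off] ^= 0xff;
        if (offsets)
            offsets[i] = off;
    }
    return flips;
}

/* Load an image file, mutate it in memory and write it back in place.
 * Returns 0 on success, -1 on any I/O failure. */
int mutate_image_file(const char *path, size_t flips, uint32_t seed)
{
    FILE *f = fopen(path, "r+b");
    uint8_t *buf = NULL;
    long len = 0;
    int rc = -1;

    if (!f)
        return -1;
    if (fseek(f, 0, SEEK_END) == 0 && (len = ftell(f)) > 0 &&
        (buf = malloc((size_t)len)) != NULL) {
        rewind(f);
        if (fread(buf, 1, (size_t)len, f) == (size_t)len) {
            mutate_buffer(buf, (size_t)len, flips, seed, NULL);
            rewind(f);
            if (fwrite(buf, 1, (size_t)len, f) == (size_t)len)
                rc = 0;
        }
        free(buf);
    }
    fclose(f);
    return rc;
}

/* Usage: ./mutate IMAGE FLIPS SEED  (corrupts IMAGE in place) */
int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s image flips seed\n", argv[0]);
        return 2;
    }
    return mutate_image_file(argv[1], (size_t)strtoul(argv[2], NULL, 10),
                             (uint32_t)strtoul(argv[3], NULL, 10)) ? 1 : 0;
}
```

Compiled stand-alone, `./mutate image.img 16 42` corrupts 16 bytes of image.img in place before the mount and stress run. The offsets that mutate_buffer() reports are what to record alongside the dmesg output for each round: as the replies in this thread show, an oops is only useful to a maintainer if the image (or the seed that produced it) is still available.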
* Re: Filesystem fuzzing
From: Dave Kleikamp @ 2008-05-20 15:40 UTC
To: Eric Sesterhenn; +Cc: linux-fsdevel
On Mon, 2008-05-19 at 12:07 +0200, Eric Sesterhenn wrote:
> Hi,
>
> I do some regular filesystem fuzzing, based on a modified version
> of lmh's fsfuzzer. I try to test current -git at least once a week.
> Most modifications are adding new filesystems or mounting
> them with different options, but I also added
> some new tests like invoking iozone, fsx or fsstress if available.
>
> I currently test vfat, udf, msdos, swap, iso9660, ext2,
> ext3, ext4, hfs, hfsplus, gfs2, ntfs, minix, qnx4, affs and bfs.
You didn't mention jfs. If you want to test that, you can report any
bugs to me or to jfs-discussion@lists.sourceforge.net.
> I am not testing reiserfs and xfs since I don't even remotely have
> a chance to get a clue when looking at the code; if someone maintaining
> one of those filesystems is interested in oops reports, please let me know.
> Cramfs is not getting tested since it tends to end in long loops
> with lots of warnings. I can only test on a 32-bit x86 box at the
> moment, so it might be interesting if someone runs this stuff on some
> 64-bit box or other architecture.
>
> The current, modified version of the fuzzer can be found here:
>
> http://www.cccmz.de/~snakebyte/fsfuzzer-0.6-lmh2.tar.bz2
Thanks,
Shaggy
--
David Kleikamp
IBM Linux Technology Center
* Re: Filesystem fuzzing
From: Eric Sesterhenn @ 2008-05-21 8:26 UTC
To: Dave Kleikamp; +Cc: linux-fsdevel, jfs-discussion
* Dave Kleikamp (shaggy@linux.vnet.ibm.com) wrote:
> On Mon, 2008-05-19 at 12:07 +0200, Eric Sesterhenn wrote:
> > Hi,
> >
> > I do some regular filesystem fuzzing, based on a modified version
> > of lmh's fsfuzzer. I try to test current -git at least once a week.
> > Most modifications are adding new filesystems or mounting
> > them with different options, but I also added
> > some new tests like invoking iozone, fsx or fsstress if available.
> >
> > I currently test vfat, udf, msdos, swap, iso9660, ext2,
> > ext3, ext4, hfs, hfsplus, gfs2, ntfs, minix, qnx4, affs and bfs.
>
> You didn't mention jfs. If you want to test that, you can report any
> bugs to me or to jfs-discussion@lists.sourceforge.net.
Ah, I removed jfs at some point because mkfs.jfs doesn't work
if the file is smaller than 16 MB; I re-added it and got
a first oops for you:
[52500.590030] ERROR: (device loop1): diRead: i_ino != di_number
[52500.590308] BUG: unable to handle kernel NULL pointer dereference at
00000237
[52500.590518] IP: [<c019348a>] iput+0xa/0x50
[52500.590642] *pde = 00000000
[52500.590749] Oops: 0000 [#2] PREEMPT DEBUG_PAGEALLOC
[52500.590958] Modules linked in: nfsd exportfs
[52500.591155]
[52500.591220] Pid: 6938, comm: mount Tainted: G D (2.6.26-rc3
#26)
[52500.591304] EIP: 0060:[<c019348a>] EFLAGS: 00010282 CPU: 0
[52500.591356] EIP is at iput+0xa/0x50
[52500.591356] EAX: fffffffb EBX: fffffffb ECX: 00000001 EDX: 00000000
[52500.591356] ESI: c9811920 EDI: cbd5f780 EBP: cbc67e34 ESP: cbc67e30
[52500.591356] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[52500.591356] Process mount (pid: 6938, ti=cbc67000 task=cbeb3f00
task.ti=cbc67000)
[52500.591356] Stack: fffffffb cbc67e5c c0316078 cbc67e4c fffffffb
00000000 00000000 00000002
[52500.591356] 00000000 c9811920 00000000 cbc67ea0 c01827ff
cf415d40 c07b93c0 cf415d40
[52500.591356] c9811920 706f6f6c 00000031 c01971ed c07e4ddc
c01971ed 000000d0 cf32e6c0
[52500.591356] Call Trace:
[52500.591356] [<c0316078>] ? jfs_fill_super+0x268/0x2a0
[52500.591356] [<c01827ff>] ? get_sb_bdev+0xef/0x120
[52500.591356] [<c01971ed>] ? alloc_vfsmnt+0xdd/0x120
[52500.591356] [<c01971ed>] ? alloc_vfsmnt+0xdd/0x120
[52500.591356] [<c0314fd2>] ? jfs_get_sb+0x22/0x30
[52500.591356] [<c0315e10>] ? jfs_fill_super+0x0/0x2a0
[52500.591356] [<c018234a>] ? vfs_kern_mount+0x3a/0x90
[52500.591356] [<c01823f9>] ? do_kern_mount+0x39/0xd0
[52500.591356] [<c0198425>] ? do_new_mount+0x65/0x90
[52500.591356] [<c01985aa>] ? do_mount+0x15a/0x1b0
[52500.591356] [<c015fc7b>] ? __get_free_pages+0x1b/0x30
[52500.591356] [<c01962b8>] ? copy_mount_options+0x38/0x140
[52500.591356] [<c0188d47>] ? getname+0xa7/0xc0
[52500.591356] [<c019866f>] ? sys_mount+0x6f/0xb0
[52500.591356] [<c0103d7d>] ? sysenter_past_esp+0x6a/0xb1
[52500.591356] =======================
[52500.591356] Code: 4f fa ff 5d c3 8d b6 00 00 00 00 8d bf 00 00 00 00
55 89 e5 e8 d8 88 46 00 31 c0 5d c3 8d 74 26 00 55 85 c0 89 e5 53 89 c3
74 3d <83> b8 3c 02 00 00 40 74 37 8d 40 24 ba e0 ce 7a c0 e8 90 3c 1d
[52500.591356] EIP: [<c019348a>] iput+0xa/0x50 SS:ESP 0068:cbc67e30
[52500.599040] ---[ end trace 299f5ea1b691e69f ]---
kerneloops.org also caught it, but the code is not disassembled
yet: http://kerneloops.org/raw.php?rawid=13020&msgid=
This is with linux-next from yesterday.
A copy of the image file is available here:
http://www.cccmz.de/~snakebyte/jfs.7.img.bz2
Greetings, Eric
* Re: Filesystem fuzzing
From: Eric Sesterhenn @ 2008-05-21 15:10 UTC
To: Dave Kleikamp; +Cc: linux-fsdevel, jfs-discussion
* Eric Sesterhenn (snakebyte@gmx.de) wrote:
Since I forgot the CCs on the last message I am doing a full quote, sorry for this.
> and here is another one:
>
> [ 458.684137] BUG: unable to handle kernel paging request at e0171576
> [ 458.684348] IP: [<c0323eab>] dbFindLeaf+0x2b/0xb0
> [ 458.684348] Oops: 0000 [#1] PREEMPT DEBUG_PAGEALLOC
> [ 458.684348] Modules linked in: nfsd exportfs
> [ 458.684348]
> [ 458.684348] Pid: 4831, comm: fsstress Not tainted
> (2.6.26-rc3-00243-gd40ace0 #26)
> [ 458.684348] EIP: 0060:[<c0323eab>] EFLAGS: 00010206 CPU: 0
> [ 458.684348] EIP is at dbFindLeaf+0x2b/0xb0
> [ 458.684348] EAX: 00000000 EBX: ca81c010 ECX: 15955555 EDX: 05655555
> [ 458.684348] ESI: 00cefff6 EDI: 00000000 EBP: ca8bd9a4 ESP: ca8bd984
> [ 458.684348] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
> [ 458.684348] Process fsstress (pid: 4831, ti=ca8bd000 task=ca87af40
> task.ti=ca8bd000)
> [ 458.684348] Stack: ca8bd9d4 c033017d 00000000 000007a6 ca8bd9c4
> ca859000 00000000 ca81c000
> [ 458.684348] ca8bd9d4 c0324bb0 c1152380 00000000 00000046
> f21e31e8 00000001 ca848000
> [ 458.684348] c01441ad ca859000 00000000 00000000 ca8bda28
> c0324fa3 00000000 ca8bdb7c
> [ 458.684348] Call Trace:
> [ 458.684348] [<c033017d>] ? __get_metapage+0xed/0x3d0
> [ 458.684348] [<c0324bb0>] ? dbAllocDmapLev+0x50/0xc0
> [ 458.684348] [<c01441ad>] ? put_lock_stats+0xd/0x30
> [ 458.684348] [<c0324fa3>] ? dbAllocCtl+0x383/0x3d0
> [ 458.684348] [<c01441ad>] ? put_lock_stats+0xd/0x30
> [ 458.684348] [<c032512d>] ? dbAllocAG+0x9d/0x450
> [ 458.684348] [<c013bfd6>] ? down_write_nested+0x76/0x90
> [ 458.684348] [<c03258d5>] ? dbAlloc+0x145/0x570
> [ 458.684348] [<c05fed37>] ? _spin_unlock+0x27/0x50
> [ 458.684348] [<c03289c0>] ? add_index+0x2b0/0x520
> [ 458.684348] [<c0146ef4>] ? __lock_acquire+0x2c4/0x1120
> [ 458.684348] [<c010974f>] ? native_sched_clock+0x7f/0xb0
> [ 458.684348] [<c0328ed4>] ? dtInsertEntry+0x114/0x4b0
> [ 458.684348] [<c05fed37>] ? _spin_unlock+0x27/0x50
> [ 458.684348] [<c032c53f>] ? dtInsert+0x27f/0x19e0
> [ 458.684348] [<c010974f>] ? native_sched_clock+0x7f/0xb0
> [ 458.684348] [<c017a131>] ? check_bytes_and_report+0x21/0xc0
> [ 458.684348] [<c0146ef4>] ? __lock_acquire+0x2c4/0x1120
> [ 458.684348] [<c032aa41>] ? dtSearch+0x721/0x9f0
> [ 458.684348] [<c032aa41>] ? dtSearch+0x721/0x9f0
> [ 458.684348] [<c010974f>] ? native_sched_clock+0x7f/0xb0
> [ 458.684348] [<c05fed37>] ? _spin_unlock+0x27/0x50
> [ 458.684348] [<c0330018>] ? force_metapage+0x8/0x80
> [ 458.684348] [<c03187e2>] ? jfs_create+0x212/0x360
> [ 458.684348] [<c010974f>] ? native_sched_clock+0x7f/0xb0
> [ 458.684348] [<c03387b0>] ? jfs_permission+0x0/0x10
> [ 458.684348] [<c01880b4>] ? vfs_create+0xa4/0x100
> [ 458.684348] [<c018b223>] ? do_filp_open+0x683/0x780
> [ 458.684348] [<c010974f>] ? native_sched_clock+0x7f/0xb0
> [ 458.684348] [<c05fed37>] ? _spin_unlock+0x27/0x50
> [ 458.684348] [<c017e1a9>] ? do_sys_open+0x49/0xe0
> [ 458.684348] [<c017e2a9>] ? sys_open+0x29/0x40
> [ 458.684348] [<c017e2e1>] ? sys_creat+0x21/0x30
> [ 458.684348] [<c0103d7d>] ? sysenter_past_esp+0x6a/0xb1
> [ 458.684348] =======================
> [ 458.684348] Code: 55 89 e5 57 89 d7 56 be e4 ff ff ff 53 89 c3 83 ec
> 14 89 4d f0 0f be 40 11 39 d0 7c 74 8b 73 0c 31 c0 85 f6 7e 5f b9 01 00
> 00 00 <0f> be 44 19 11 39 c7 7e 67 8d 51 01 0f be 44 1a 11 39 c7 7e 5d
> [ 458.684348] EIP: [<c0323eab>] dbFindLeaf+0x2b/0xb0 SS:ESP
> 0068:ca8bd984
> [ 458.684348] ---[ end trace 6c51bcbd2c170a69 ]---
>
> The image can be found at http://www.cccmz.de/~snakebyte/jfs.18.img.bz2
>
And I just got another one...
[ 2223.316259] ERROR: (device loop0): XT_GETPAGE: xtree page corrupt
[ 2223.322958] ERROR: (device loop0): XT_GETPAGE: xtree page corrupt
[ 2231.555219] ------------[ cut here ]------------
[ 2231.555344] WARNING: at kernel/mutex.c:134
mutex_lock_nested+0x252/0x2a0()
[ 2231.555346] Modules linked in: nfsd exportfs
[ 2231.555346] Pid: 8081, comm: mkdir Not tainted
2.6.26-rc3-00243-gd40ace0 #26
[ 2231.555346] [<c01252c4>] warn_on_slowpath+0x54/0x70
[ 2231.555346] [<c01441ad>] ? put_lock_stats+0xd/0x30
[ 2231.555346] [<c010974f>] ? native_sched_clock+0x7f/0xb0
[ 2231.555346] [<c01465db>] ? mark_held_locks+0x4b/0x80
[ 2231.555346] [<c05fcf8c>] ? __mutex_unlock_slowpath+0xac/0x140
[ 2231.555346] [<c014676d>] ? trace_hardirqs_on+0xbd/0x140
[ 2231.555346] [<c05fd282>] mutex_lock_nested+0x252/0x2a0
[ 2231.555346] [<c0321ec1>] ? diAlloc+0x211/0x6d0
[ 2231.555346] [<c0321ec1>] diAlloc+0x211/0x6d0
[ 2231.555346] [<c05fed37>] ? _spin_unlock+0x27/0x50
[ 2231.555346] [<c032e988>] ialloc+0x48/0x290
[ 2231.555346] [<c0318984>] jfs_mkdir+0x54/0x370
[ 2231.555346] [<c014686c>] ? debug_check_no_locks_freed+0x7c/0x130
[ 2231.555346] [<c010974f>] ? native_sched_clock+0x7f/0xb0
[ 2231.555346] [<c010974f>] ? native_sched_clock+0x7f/0xb0
[ 2231.555346] [<c03387b0>] ? jfs_permission+0x0/0x10
[ 2231.555346] [<c03387bd>] ? jfs_permission+0xd/0x10
[ 2231.555346] [<c0187e98>] vfs_mkdir+0x98/0xf0
[ 2231.555346] [<c05fed37>] ? _spin_unlock+0x27/0x50
[ 2231.555346] [<c018a436>] sys_mkdirat+0xd6/0xf0
[ 2231.555346] [<c013c176>] ? up_read+0x16/0x30
[ 2231.555346] [<c0118287>] ? do_page_fault+0x2c7/0x640
[ 2231.555346] [<c0103e67>] ? restore_nocheck+0x12/0x15
[ 2231.555346] [<c018a470>] sys_mkdir+0x20/0x30
[ 2231.555346] [<c0103d7d>] sysenter_past_esp+0x6a/0xb1
[ 2231.555346] =======================
[ 2231.555346] ---[ end trace 91ffe6a3a3009964 ]---
[ 2231.555346] BUG: unable to handle kernel NULL pointer dereference at
00000000
[ 2231.555346] IP: [<c037b960>] __list_add+0x10/0x60
[ 2231.555346] *pde = 00000000
[ 2231.555346] Oops: 0000 [#1] PREEMPT DEBUG_PAGEALLOC
[ 2231.555346] Modules linked in: nfsd exportfs
[ 2231.555346]
[ 2231.555346] Pid: 8081, comm: mkdir Tainted: G W
(2.6.26-rc3-00243-gd40ace0 #26)
[ 2231.555346] EIP: 0060:[<c037b960>] EFLAGS: 00010046 CPU: 0
[ 2231.555346] EIP is at __list_add+0x10/0x60
[ 2231.555346] EAX: 00000000 EBX: c28c7d98 ECX: c2f9f890 EDX: 00000000
[ 2231.555346] ESI: 00000246 EDI: c2f9f870 EBP: c28c7d70 ESP: c28c7d5c
[ 2231.555346] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[ 2231.555346] Process mkdir (pid: 8081, ti=c28c7000 task=cbed2f40
task.ti=c28c7000)
[ 2231.555346] Stack: c0321ec1 c2f9f8a4 c2f9f86c 00000246 c2f9f86c
c28c7db8 c05fd0e1 00000000
[ 2231.555346] 00000002 c0321ec1 c2f9f890 c0321ec1 00000000
cbed2f40 c2f9f8a4 c28c7d98
[ 2231.555346] c28c7d98 11111111 c2f9f86c c28c7d98 c390c2d4
c2bdc000 00000010 c28c7e20
[ 2231.555346] Call Trace:
[ 2231.555346] [<c0321ec1>] ? diAlloc+0x211/0x6d0
[ 2231.555346] [<c05fd0e1>] ? mutex_lock_nested+0xb1/0x2a0
[ 2231.555346] [<c0321ec1>] ? diAlloc+0x211/0x6d0
[ 2231.555346] [<c0321ec1>] ? diAlloc+0x211/0x6d0
[ 2231.555346] [<c0321ec1>] ? diAlloc+0x211/0x6d0
[ 2231.555346] [<c05fed37>] ? _spin_unlock+0x27/0x50
[ 2231.555346] [<c032e988>] ? ialloc+0x48/0x290
[ 2231.555346] [<c0318984>] ? jfs_mkdir+0x54/0x370
[ 2231.555346] [<c014686c>] ? debug_check_no_locks_freed+0x7c/0x130
[ 2231.555346] [<c010974f>] ? native_sched_clock+0x7f/0xb0
[ 2231.555346] [<c010974f>] ? native_sched_clock+0x7f/0xb0
[ 2231.555346] [<c03387b0>] ? jfs_permission+0x0/0x10
[ 2231.555346] [<c03387bd>] ? jfs_permission+0xd/0x10
[ 2231.555346] [<c0187e98>] ? vfs_mkdir+0x98/0xf0
[ 2231.555346] [<c05fed37>] ? _spin_unlock+0x27/0x50
[ 2231.555346] [<c018a436>] ? sys_mkdirat+0xd6/0xf0
[ 2231.555346] [<c013c176>] ? up_read+0x16/0x30
[ 2231.555346] [<c0118287>] ? do_page_fault+0x2c7/0x640
[ 2231.555346] [<c0103e67>] ? restore_nocheck+0x12/0x15
[ 2231.555346] [<c018a470>] ? sys_mkdir+0x20/0x30
[ 2231.555346] [<c0103d7d>] ? sysenter_past_esp+0x6a/0xb1
[ 2231.555346] =======================
[ 2231.555346] Code: 54 24 04 c7 04 24 10 98 73 c0 e8 cc a9 da ff 0f 0b
eb fe 90 8d b4 26 00 00 00 00 55 89 e5 53 89 c3 83 ec 10 8b 41 04 39 d0
75 16 <8b> 10 39 ca 75 2c 89 5a 04 89 13 89 43 04 89 18 83 c4 10 5b 5d
[ 2231.555346] EIP: [<c037b960>] __list_add+0x10/0x60 SS:ESP
0068:c28c7d5c
[ 2231.555346] ---[ end trace 91ffe6a3a3009964 ]---
The image can be found at http://www.cccmz.de/~snakebyte/jfs.11.img.bz2
I guess I will stop torturing jfs until Monday or so :-)
Greetings, Eric
* Re: Filesystem fuzzing
From: Dave Kleikamp @ 2008-05-21 15:44 UTC
To: Eric Sesterhenn; +Cc: linux-fsdevel, jfs-discussion
On Wed, 2008-05-21 at 10:26 +0200, Eric Sesterhenn wrote:
> Ah, I removed jfs at some point because mkfs.jfs doesn't work
> if the file is smaller than 16 MB; I re-added it and got
> a first oops for you:
>
> [52500.590030] ERROR: (device loop1): diRead: i_ino != di_number
> [52500.590308] BUG: unable to handle kernel NULL pointer dereference at
> 00000237
> [52500.590518] IP: [<c019348a>] iput+0xa/0x50
> [52500.590642] *pde = 00000000
> [52500.590749] Oops: 0000 [#2] PREEMPT DEBUG_PAGEALLOC
> [52500.590958] Modules linked in: nfsd exportfs
> [52500.591155]
> [52500.591220] Pid: 6938, comm: mount Tainted: G D (2.6.26-rc3
> #26)
> [52500.591304] EIP: 0060:[<c019348a>] EFLAGS: 00010282 CPU: 0
> [52500.591356] EIP is at iput+0xa/0x50
> [52500.591356] EAX: fffffffb EBX: fffffffb ECX: 00000001 EDX: 00000000
> [52500.591356] ESI: c9811920 EDI: cbd5f780 EBP: cbc67e34 ESP: cbc67e30
> [52500.591356] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
> [52500.591356] Process mount (pid: 6938, ti=cbc67000 task=cbeb3f00
> task.ti=cbc67000)
> [52500.591356] Stack: fffffffb cbc67e5c c0316078 cbc67e4c fffffffb
> 00000000 00000000 00000002
> [52500.591356] 00000000 c9811920 00000000 cbc67ea0 c01827ff
> cf415d40 c07b93c0 cf415d40
> [52500.591356] c9811920 706f6f6c 00000031 c01971ed c07e4ddc
> c01971ed 000000d0 cf32e6c0
> [52500.591356] Call Trace:
> [52500.591356] [<c0316078>] ? jfs_fill_super+0x268/0x2a0
> [52500.591356] [<c01827ff>] ? get_sb_bdev+0xef/0x120
> [52500.591356] [<c01971ed>] ? alloc_vfsmnt+0xdd/0x120
> [52500.591356] [<c01971ed>] ? alloc_vfsmnt+0xdd/0x120
> [52500.591356] [<c0314fd2>] ? jfs_get_sb+0x22/0x30
> [52500.591356] [<c0315e10>] ? jfs_fill_super+0x0/0x2a0
> [52500.591356] [<c018234a>] ? vfs_kern_mount+0x3a/0x90
> [52500.591356] [<c01823f9>] ? do_kern_mount+0x39/0xd0
> [52500.591356] [<c0198425>] ? do_new_mount+0x65/0x90
> [52500.591356] [<c01985aa>] ? do_mount+0x15a/0x1b0
> [52500.591356] [<c015fc7b>] ? __get_free_pages+0x1b/0x30
> [52500.591356] [<c01962b8>] ? copy_mount_options+0x38/0x140
> [52500.591356] [<c0188d47>] ? getname+0xa7/0xc0
> [52500.591356] [<c019866f>] ? sys_mount+0x6f/0xb0
> [52500.591356] [<c0103d7d>] ? sysenter_past_esp+0x6a/0xb1
> [52500.591356] =======================
> [52500.591356] Code: 4f fa ff 5d c3 8d b6 00 00 00 00 8d bf 00 00 00 00
> 55 89 e5 e8 d8 88 46 00 31 c0 5d c3 8d 74 26 00 55 85 c0 89 e5 53 89 c3
> 74 3d <83> b8 3c 02 00 00 40 74 37 8d 40 24 ba e0 ce 7a c0 e8 90 3c 1d
> [52500.591356] EIP: [<c019348a>] iput+0xa/0x50 SS:ESP 0068:cbc67e30
> [52500.599040] ---[ end trace 299f5ea1b691e69f ]---
>
> kerneloops.org also caught it, but the code is not disassembled
> yet: http://kerneloops.org/raw.php?rawid=13020&msgid=
> This is with linux-next from yesterday.
>
> A copy of the image file is available here:
> http://www.cccmz.de/~snakebyte/jfs.7.img.bz2
Thanks. It's a bug in an error path that hadn't been caught before.
This patch should fix it.
-------------------------------------
JFS: skip bad iput() call in error path
If jfs_iget() fails, we can't call iput() on the returned error.
Thanks to Eric Sesterhenn's fuzzer testing for reporting the problem.
Signed-off-by: Dave Kleikamp <shaggy@linux.vnet.ibm.com>
diff --git a/fs/jfs/super.c b/fs/jfs/super.c
index 50ea654..0288e6d 100644
--- a/fs/jfs/super.c
+++ b/fs/jfs/super.c
@@ -499,7 +499,7 @@ static int jfs_fill_super(struct super_block *sb, void *data, int silent)
inode = jfs_iget(sb, ROOT_I);
if (IS_ERR(inode)) {
ret = PTR_ERR(inode);
- goto out_no_root;
+ goto out_no_rw;
}
sb->s_root = d_alloc_root(inode);
if (!sb->s_root)
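Review bot: the retargeted `goto out_no_rw;` leaves the jfs_iget() failure path with no diagnostic of its own; the old label's "jfs_read_super: get root inode failed" message (removed in the next hunk) is not replaced here, so a corrupt root inode now fails the mount with nothing in the log beyond diRead's own ERROR line. Suggest a jfs_err() before the goto. The retarget itself is right: jfs_iget() returns an ERR_PTR, which is non-NULL, so the old `if (inode)` guard never stopped iput() from dereferencing it (the oops shows EAX = fffffffb, i.e. -EIO viewed as a pointer).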
@@ -521,9 +521,8 @@ static int jfs_fill_super(struct super_block *sb, void *data, int silent)
return 0;
out_no_root:
- jfs_err("jfs_read_super: get root inode failed");
- if (inode)
- iput(inode);
+ jfs_err("jfs_read_super: get root dentry failed");
+ iput(inode);
out_no_rw:
rc = jfs_umount(sb);
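Review bot: dropping the `if (inode)` test is correct only because out_no_root is now reached solely after d_alloc_root() fails, where inode is a valid, referenced inode; a one-line comment at the label stating that invariant would keep a future early `goto out_no_root` from reintroducing an iput() on NULL or on an ERR_PTR. Two error variables are also in view: `ret = PTR_ERR(inode)` in the first hunk but `rc = jfs_umount(sb);` here, so it is worth confirming that the dentry-allocation failure sets ret to an error code before jumping, since that assignment lies outside the visible context.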
--
David Kleikamp
IBM Linux Technology Center
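As an added illustration of the bug the patch above fixes (example code written for this page, not JFS or kernel code): the kernel's ERR_PTR convention stores an errno in the top page of the address space, so the value jfs_iget() returned on failure was non-NULL and the old `if (inode)` guard let iput() dereference it. The oops in Eric's report is consistent with that reading: EAX holds fffffffb, which is -5 (-EIO) viewed as a 32-bit pointer, and the faulting address 00000237 is that value plus 0x23c, the displacement in the faulting instruction from the `Code:` bytes (`83 b8 3c 02 00 00 40`, a `cmpl $0x40,0x23c(%eax)`, most likely the i_state check at the top of iput()). The ERR_PTR/IS_ERR/PTR_ERR helpers below copy the kernel's encoding; the inode stand-in, fake_jfs_iget() and the field offset are this example's assumptions.

```c
/* Added example, not JFS or kernel code: why `if (inode) iput(inode);`
 * is no protection against an ERR_PTR, and what an IS_ERR() check
 * changes.  The ERR_PTR/IS_ERR/PTR_ERR helpers copy the kernel's
 * encoding; everything else is a stand-in built for this example. */
#include <stdio.h>
#include <stdbool.h>
#include <stdint.h>
#include <errno.h>

/* The kernel stores -1..-MAX_ERRNO in the top page of the address
 * space, so an error "pointer" compares unequal to NULL. */
#define MAX_ERRNO 4095

static inline void *ERR_PTR(long error) { return (void *)(intptr_t)error; }
static inline long PTR_ERR(const void *ptr) { return (long)(intptr_t)ptr; }
static inline bool IS_ERR(const void *ptr)
{
    return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}

/* Minimal stand-in for struct inode (assumed layout, not the kernel's). */
struct inode { unsigned long i_state; };
static struct inode root_inode;

/* Stand-in for jfs_iget(): fails the way the report does
 * ("diRead: i_ino != di_number" surfaces as -EIO). */
static struct inode *fake_jfs_iget(bool corrupt)
{
    return corrupt ? (struct inode *)ERR_PTR(-EIO) : &root_inode;
}

/* Pre-patch error path: `if (inode) iput(inode);`.  Returns true when
 * iput() would be reached, i.e. when the guard fails to help. */
bool old_guard_reaches_iput(bool corrupt)
{
    struct inode *inode = fake_jfs_iget(corrupt);

    return inode != NULL;   /* ERR_PTR(-EIO) is non-NULL: true */
}

/* Post-patch: an ERR_PTR takes the out_no_rw path and iput() is skipped. */
bool new_guard_reaches_iput(bool corrupt)
{
    struct inode *inode = fake_jfs_iget(corrupt);

    if (IS_ERR(inode))
        return false;
    return true;
}

/* The address a 32-bit kernel faults on when it reads a field at
 * `field_offset` through an errno-as-pointer: the sum wraps past
 * 0xffffffff into the first page, hence a "NULL pointer" report. */
uint32_t faulting_address_32(long err, uint32_t field_offset)
{
    return (uint32_t)err + field_offset;
}

int main(void)
{
    printf("old guard reaches iput() on error: %d\n", old_guard_reaches_iput(true));
    printf("new guard reaches iput() on error: %d\n", new_guard_reaches_iput(true));
    printf("fault address for -EIO + 0x23c: %08x\n",
           (unsigned)faulting_address_32(-EIO, 0x23c));
    return 0;
}
```

The practical lesson for any error path is the one the patch encodes: a pointer returned by an iget-style lookup is either valid or an ERR_PTR, never NULL, so the only meaningful guard before a put is IS_ERR(), and the cleanest fix is to jump past the put entirely.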
* Re: Filesystem fuzzing
From: Dave Kleikamp @ 2008-05-21 16:19 UTC
To: Eric Sesterhenn; +Cc: linux-fsdevel, jfs-discussion
On Wed, 2008-05-21 at 17:10 +0200, Eric Sesterhenn wrote:
> * Eric Sesterhenn (snakebyte@gmx.de) wrote:
>
> Since I forgot the CCs on the last message I am doing a full quote, sorry for this.
>
> > and here is another one:
> >
> > [ 458.684137] BUG: unable to handle kernel paging request at e0171576
> > [ 458.684348] IP: [<c0323eab>] dbFindLeaf+0x2b/0xb0
> > [ 458.684348] Oops: 0000 [#1] PREEMPT DEBUG_PAGEALLOC
> > [ 458.684348] Modules linked in: nfsd exportfs
> > [ 458.684348]
> > [ 458.684348] Pid: 4831, comm: fsstress Not tainted
> > (2.6.26-rc3-00243-gd40ace0 #26)
> > [ 458.684348] EIP: 0060:[<c0323eab>] EFLAGS: 00010206 CPU: 0
> > [ 458.684348] EIP is at dbFindLeaf+0x2b/0xb0
> > [ 458.684348] EAX: 00000000 EBX: ca81c010 ECX: 15955555 EDX: 05655555
> > [ 458.684348] ESI: 00cefff6 EDI: 00000000 EBP: ca8bd9a4 ESP: ca8bd984
> > [ 458.684348] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
> > [ 458.684348] Process fsstress (pid: 4831, ti=ca8bd000 task=ca87af40
> > task.ti=ca8bd000)
> > [ 458.684348] Stack: ca8bd9d4 c033017d 00000000 000007a6 ca8bd9c4
> > ca859000 00000000 ca81c000
> > [ 458.684348] ca8bd9d4 c0324bb0 c1152380 00000000 00000046
> > f21e31e8 00000001 ca848000
> > [ 458.684348] c01441ad ca859000 00000000 00000000 ca8bda28
> > c0324fa3 00000000 ca8bdb7c
> > [ 458.684348] Call Trace:
> > [ 458.684348] [<c033017d>] ? __get_metapage+0xed/0x3d0
> > [ 458.684348] [<c0324bb0>] ? dbAllocDmapLev+0x50/0xc0
> > [ 458.684348] [<c01441ad>] ? put_lock_stats+0xd/0x30
> > [ 458.684348] [<c0324fa3>] ? dbAllocCtl+0x383/0x3d0
> > [ 458.684348] [<c01441ad>] ? put_lock_stats+0xd/0x30
> > [ 458.684348] [<c032512d>] ? dbAllocAG+0x9d/0x450
> > [ 458.684348] [<c013bfd6>] ? down_write_nested+0x76/0x90
> > [ 458.684348] [<c03258d5>] ? dbAlloc+0x145/0x570
> > [ 458.684348] [<c05fed37>] ? _spin_unlock+0x27/0x50
> > [ 458.684348] [<c03289c0>] ? add_index+0x2b0/0x520
> > [ 458.684348] [<c0146ef4>] ? __lock_acquire+0x2c4/0x1120
> > [ 458.684348] [<c010974f>] ? native_sched_clock+0x7f/0xb0
> > [ 458.684348] [<c0328ed4>] ? dtInsertEntry+0x114/0x4b0
> > [ 458.684348] [<c05fed37>] ? _spin_unlock+0x27/0x50
> > [ 458.684348] [<c032c53f>] ? dtInsert+0x27f/0x19e0
> > [ 458.684348] [<c010974f>] ? native_sched_clock+0x7f/0xb0
> > [ 458.684348] [<c017a131>] ? check_bytes_and_report+0x21/0xc0
> > [ 458.684348] [<c0146ef4>] ? __lock_acquire+0x2c4/0x1120
> > [ 458.684348] [<c032aa41>] ? dtSearch+0x721/0x9f0
> > [ 458.684348] [<c032aa41>] ? dtSearch+0x721/0x9f0
> > [ 458.684348] [<c010974f>] ? native_sched_clock+0x7f/0xb0
> > [ 458.684348] [<c05fed37>] ? _spin_unlock+0x27/0x50
> > [ 458.684348] [<c0330018>] ? force_metapage+0x8/0x80
> > [ 458.684348] [<c03187e2>] ? jfs_create+0x212/0x360
> > [ 458.684348] [<c010974f>] ? native_sched_clock+0x7f/0xb0
> > [ 458.684348] [<c03387b0>] ? jfs_permission+0x0/0x10
> > [ 458.684348] [<c01880b4>] ? vfs_create+0xa4/0x100
> > [ 458.684348] [<c018b223>] ? do_filp_open+0x683/0x780
> > [ 458.684348] [<c010974f>] ? native_sched_clock+0x7f/0xb0
> > [ 458.684348] [<c05fed37>] ? _spin_unlock+0x27/0x50
> > [ 458.684348] [<c017e1a9>] ? do_sys_open+0x49/0xe0
> > [ 458.684348] [<c017e2a9>] ? sys_open+0x29/0x40
> > [ 458.684348] [<c017e2e1>] ? sys_creat+0x21/0x30
> > [ 458.684348] [<c0103d7d>] ? sysenter_past_esp+0x6a/0xb1
> > [ 458.684348] =======================
> > [ 458.684348] Code: 55 89 e5 57 89 d7 56 be e4 ff ff ff 53 89 c3 83 ec
> > 14 89 4d f0 0f be 40 11 39 d0 7c 74 8b 73 0c 31 c0 85 f6 7e 5f b9 01 00
> > 00 00 <0f> be 44 19 11 39 c7 7e 67 8d 51 01 0f be 44 1a 11 39 c7 7e 5d
> > [ 458.684348] EIP: [<c0323eab>] dbFindLeaf+0x2b/0xb0 SS:ESP
> > 0068:ca8bd984
> > [ 458.684348] ---[ end trace 6c51bcbd2c170a69 ]---
> >
> > The image can be found at http://www.cccmz.de/~snakebyte/jfs.18.img.bz2
> >
I think I see the problem here. JFS isn't sanity-checking all the
values it uses to access elements in an array. I'll take a little more
time to make sure I get this fix right.
>
> And I just got another one...
>
> [ 2223.316259] ERROR: (device loop0): XT_GETPAGE: xtree page corrupt
> [ 2223.322958] ERROR: (device loop0): XT_GETPAGE: xtree page corrupt
> [ 2231.555219] ------------[ cut here ]------------
> [ 2231.555344] WARNING: at kernel/mutex.c:134
> mutex_lock_nested+0x252/0x2a0()
> [ 2231.555346] Modules linked in: nfsd exportfs
> [ 2231.555346] Pid: 8081, comm: mkdir Not tainted
> 2.6.26-rc3-00243-gd40ace0 #26
> [ 2231.555346] [<c01252c4>] warn_on_slowpath+0x54/0x70
> [ 2231.555346] [<c01441ad>] ? put_lock_stats+0xd/0x30
> [ 2231.555346] [<c010974f>] ? native_sched_clock+0x7f/0xb0
> [ 2231.555346] [<c01465db>] ? mark_held_locks+0x4b/0x80
> [ 2231.555346] [<c05fcf8c>] ? __mutex_unlock_slowpath+0xac/0x140
> [ 2231.555346] [<c014676d>] ? trace_hardirqs_on+0xbd/0x140
> [ 2231.555346] [<c05fd282>] mutex_lock_nested+0x252/0x2a0
> [ 2231.555346] [<c0321ec1>] ? diAlloc+0x211/0x6d0
> [ 2231.555346] [<c0321ec1>] diAlloc+0x211/0x6d0
> [ 2231.555346] [<c05fed37>] ? _spin_unlock+0x27/0x50
> [ 2231.555346] [<c032e988>] ialloc+0x48/0x290
> [ 2231.555346] [<c0318984>] jfs_mkdir+0x54/0x370
> [ 2231.555346] [<c014686c>] ? debug_check_no_locks_freed+0x7c/0x130
> [ 2231.555346] [<c010974f>] ? native_sched_clock+0x7f/0xb0
> [ 2231.555346] [<c010974f>] ? native_sched_clock+0x7f/0xb0
> [ 2231.555346] [<c03387b0>] ? jfs_permission+0x0/0x10
> [ 2231.555346] [<c03387bd>] ? jfs_permission+0xd/0x10
> [ 2231.555346] [<c0187e98>] vfs_mkdir+0x98/0xf0
> [ 2231.555346] [<c05fed37>] ? _spin_unlock+0x27/0x50
> [ 2231.555346] [<c018a436>] sys_mkdirat+0xd6/0xf0
> [ 2231.555346] [<c013c176>] ? up_read+0x16/0x30
> [ 2231.555346] [<c0118287>] ? do_page_fault+0x2c7/0x640
> [ 2231.555346] [<c0103e67>] ? restore_nocheck+0x12/0x15
> [ 2231.555346] [<c018a470>] sys_mkdir+0x20/0x30
> [ 2231.555346] [<c0103d7d>] sysenter_past_esp+0x6a/0xb1
> [ 2231.555346] =======================
> [ 2231.555346] ---[ end trace 91ffe6a3a3009964 ]---
> [ 2231.555346] BUG: unable to handle kernel NULL pointer dereference at
> 00000000
> [ 2231.555346] IP: [<c037b960>] __list_add+0x10/0x60
> [ 2231.555346] *pde = 00000000
> [ 2231.555346] Oops: 0000 [#1] PREEMPT DEBUG_PAGEALLOC
> [ 2231.555346] Modules linked in: nfsd exportfs
> [ 2231.555346]
> [ 2231.555346] Pid: 8081, comm: mkdir Tainted: G W
> (2.6.26-rc3-00243-gd40ace0 #26)
> [ 2231.555346] EIP: 0060:[<c037b960>] EFLAGS: 00010046 CPU: 0
> [ 2231.555346] EIP is at __list_add+0x10/0x60
> [ 2231.555346] EAX: 00000000 EBX: c28c7d98 ECX: c2f9f890 EDX: 00000000
> [ 2231.555346] ESI: 00000246 EDI: c2f9f870 EBP: c28c7d70 ESP: c28c7d5c
> [ 2231.555346] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
> [ 2231.555346] Process mkdir (pid: 8081, ti=c28c7000 task=cbed2f40
> task.ti=c28c7000)
> [ 2231.555346] Stack: c0321ec1 c2f9f8a4 c2f9f86c 00000246 c2f9f86c
> c28c7db8 c05fd0e1 00000000
> [ 2231.555346] 00000002 c0321ec1 c2f9f890 c0321ec1 00000000
> cbed2f40 c2f9f8a4 c28c7d98
> [ 2231.555346] c28c7d98 11111111 c2f9f86c c28c7d98 c390c2d4
> c2bdc000 00000010 c28c7e20
> [ 2231.555346] Call Trace:
> [ 2231.555346] [<c0321ec1>] ? diAlloc+0x211/0x6d0
> [ 2231.555346] [<c05fd0e1>] ? mutex_lock_nested+0xb1/0x2a0
> [ 2231.555346] [<c0321ec1>] ? diAlloc+0x211/0x6d0
> [ 2231.555346] [<c0321ec1>] ? diAlloc+0x211/0x6d0
> [ 2231.555346] [<c0321ec1>] ? diAlloc+0x211/0x6d0
> [ 2231.555346] [<c05fed37>] ? _spin_unlock+0x27/0x50
> [ 2231.555346] [<c032e988>] ? ialloc+0x48/0x290
> [ 2231.555346] [<c0318984>] ? jfs_mkdir+0x54/0x370
> [ 2231.555346] [<c014686c>] ? debug_check_no_locks_freed+0x7c/0x130
> [ 2231.555346] [<c010974f>] ? native_sched_clock+0x7f/0xb0
> [ 2231.555346] [<c010974f>] ? native_sched_clock+0x7f/0xb0
> [ 2231.555346] [<c03387b0>] ? jfs_permission+0x0/0x10
> [ 2231.555346] [<c03387bd>] ? jfs_permission+0xd/0x10
> [ 2231.555346] [<c0187e98>] ? vfs_mkdir+0x98/0xf0
> [ 2231.555346] [<c05fed37>] ? _spin_unlock+0x27/0x50
> [ 2231.555346] [<c018a436>] ? sys_mkdirat+0xd6/0xf0
> [ 2231.555346] [<c013c176>] ? up_read+0x16/0x30
> [ 2231.555346] [<c0118287>] ? do_page_fault+0x2c7/0x640
> [ 2231.555346] [<c0103e67>] ? restore_nocheck+0x12/0x15
> [ 2231.555346] [<c018a470>] ? sys_mkdir+0x20/0x30
> [ 2231.555346] [<c0103d7d>] ? sysenter_past_esp+0x6a/0xb1
> [ 2231.555346] =======================
> [ 2231.555346] Code: 54 24 04 c7 04 24 10 98 73 c0 e8 cc a9 da ff 0f 0b
> eb fe 90 8d b4 26 00 00 00 00 55 89 e5 53 89 c3 83 ec 10 8b 41 04 39 d0
> 75 16 <8b> 10 39 ca 75 2c 89 5a 04 89 13 89 43 04 89 18 83 c4 10 5b 5d
> [ 2231.555346] EIP: [<c037b960>] __list_add+0x10/0x60 SS:ESP
> 0068:c28c7d5c
> [ 2231.555346] ---[ end trace 91ffe6a3a3009964 ]---
>
>
>
> The image can be found at http://www.cccmz.de/~snakebyte/jfs.11.img.bz2
I'll take a closer look at this one. A quick look isn't enough to
figure this one out.
> I guess I will stop torturing jfs until Monday or so :-)
No problem. I'll let you know when these are fixed.
> Greetings, Eric
Thanks,
Shaggy
--
David Kleikamp
IBM Linux Technology Center
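An added example for the class of bug Dave describes above (on-disk values used as array indexes without a sanity check). This is illustrative code written for this page, not JFS's dbFindLeaf() or its dmap structures: the tree_page layout, its field names and its limits are invented for the example, and -EIO is used as the "corrupt page" result. The point it demonstrates is the pattern a filesystem needs: validate every count and index once when the page comes off disk, with overflow-safe comparisons, and refuse the page rather than index with whatever it carried.

```c
/* Added example, not JFS code: validating on-disk tree bookkeeping
 * before using it as an array index.  The layout is a simplified,
 * hypothetical page (a header of counts and indexes followed by a
 * small node array); it does not match any real JFS structure. */
#include <stdio.h>
#include <stdint.h>
#include <errno.h>

#define TREE_NODES 64

struct tree_page {
    uint32_t nleafs;    /* number of leaves the page claims to hold */
    uint32_t leafidx;   /* index of the first leaf within node[] */
    uint32_t height;    /* number of levels the page claims */
    int8_t   node[TREE_NODES];
};

/* Raw scan: index of the first leaf whose value is >= want, or -ENOSPC.
 * Trusts leafidx and nleafs completely, so on a corrupt page it would
 * read past node[] exactly as an unchecked kernel walk does.  Only
 * call it on a page that has passed tree_page_validate(). */
int scan_leaves(const struct tree_page *tp, int8_t want)
{
    uint32_t ix;

    for (ix = tp->leafidx; ix < tp->leafidx + tp->nleafs; ix++)
        if (tp->node[ix] >= want)
            return (int)ix;
    return -ENOSPC;
}

/* Every index derived from the page must land inside node[].  The
 * comparisons are written so they cannot overflow: no leafidx + nleafs,
 * which a huge on-disk value would wrap back into range. */
int tree_page_validate(const struct tree_page *tp)
{
    if (tp->height == 0 || tp->height > 8)
        return -EIO;
    if (tp->nleafs == 0 || tp->nleafs > TREE_NODES)
        return -EIO;
    if (tp->leafidx >= TREE_NODES)
        return -EIO;
    if (tp->nleafs > TREE_NODES - tp->leafidx)
        return -EIO;
    return 0;
}

/* The walk a filesystem should expose: reject the page with -EIO (the
 * "corrupt" outcome) instead of indexing with untrusted values. */
int find_leaf_checked(const struct tree_page *tp, int8_t want)
{
    int rc = tree_page_validate(tp);

    if (rc)
        return rc;
    return scan_leaves(tp, want);
}

/* Constructed sample pages (not taken from any real image). */
const struct tree_page good_page = {
    .nleafs = 4, .leafidx = 3, .height = 2,
    .node = { 5, 1, 2, 0, 1, 4, 6 },   /* leaves are node[3..6] */
};
/* first-leaf index far outside the node array */
const struct tree_page bad_index_page = {
    .nleafs = 4, .leafidx = 0x40000000u, .height = 2,
};
/* in-range start, but the claimed leaf count runs past the array end */
const struct tree_page bad_count_page = {
    .nleafs = 4, .leafidx = 62, .height = 2,
};

int main(void)
{
    printf("good page, want 3  -> %d\n", find_leaf_checked(&good_page, 3));
    printf("bad index page     -> %d\n", find_leaf_checked(&bad_index_page, 0));
    printf("bad count page     -> %d\n", find_leaf_checked(&bad_count_page, 0));
    return 0;
}
```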
* Re: Filesystem fuzzing
From: Sunil Mushran @ 2008-05-21 17:21 UTC
To: Eric Sesterhenn; +Cc: linux-fsdevel
Eric Sesterhenn wrote:
> I do some regular filesystem fuzzing, based on a modified version
> of lmh's fsfuzzer. I try to test current -git at least once a week.
> Most modifications are adding new filesystems or mounting
> them with different options, but I also added
> some new tests like invoking iozone, fsx or fsstress if available.
>
> I currently test vfat, udf, msdos, swap, iso9660, ext2,
> ext3, ext4, hfs, hfsplus, gfs2, ntfs, minix, qnx4, affs and bfs.
Please can you add ocfs2 to the mix. To make it easy, you
can format with "mkfs.ocfs2 -M local" to mark the volume
for local mount only and thus not deal with any cluster config.
Issues can be reported to ocfs2-devel@oss.oracle.com, though
developers monitor linux-fsdevel too.
Sunil
* Re: Filesystem fuzzing
From: Eric Sesterhenn @ 2008-05-21 18:49 UTC
To: Sunil Mushran; +Cc: linux-fsdevel
* Sunil Mushran (Sunil.Mushran@oracle.com) wrote:
> Eric Sesterhenn wrote:
>> I do some regular filesystem fuzzing, based on a modified version
>> of lmh's fsfuzzer. I try to test current -git at least once a week.
>> Most modifications are adding new filesystems or mounting
>> them with different options, but I also added some new tests like invoking
>> iozone, fsx or fsstress if available.
>>
>> I currently test vfat, udf, msdos, swap, iso9660, ext2,
>> ext3, ext4, hfs, hfsplus, gfs2, ntfs, minix, qnx4, affs and bfs.
>
> Please can you add ocfs2 to the mix. To make it easy, you
> can format with "mkfs.ocfs2 -M local" to mark the volume
> for local mount only and thus not deal with any cluster config.
sure. might take some days until i find the time to do this,
but if any bugs pop up i'll let you know.
greetings, Eric
* Re: Filesystem fuzzing
2008-05-21 15:44 ` Dave Kleikamp
@ 2008-05-22 20:29 ` Eric Sesterhenn
0 siblings, 0 replies; 16+ messages in thread
From: Eric Sesterhenn @ 2008-05-22 20:29 UTC (permalink / raw)
To: Dave Kleikamp; +Cc: linux-fsdevel, jfs-discussion
* Dave Kleikamp (shaggy@linux.vnet.ibm.com) wrote:
> >
> > [52500.590030] ERROR: (device loop1): diRead: i_ino != di_number
> > [52500.590308] BUG: unable to handle kernel NULL pointer dereference at 00000237
> > [52500.590518] IP: [<c019348a>] iput+0xa/0x50
> > [52500.590642] *pde = 00000000
> > [52500.590749] Oops: 0000 [#2] PREEMPT DEBUG_PAGEALLOC
> > [52500.590958] Modules linked in: nfsd exportfs
> > [52500.591155]
> > [52500.591220] Pid: 6938, comm: mount Tainted: G D (2.6.26-rc3 #26)
> > [52500.591304] EIP: 0060:[<c019348a>] EFLAGS: 00010282 CPU: 0
> > [52500.591356] EIP is at iput+0xa/0x50
> > [52500.591356] EAX: fffffffb EBX: fffffffb ECX: 00000001 EDX: 00000000
> > [52500.591356] ESI: c9811920 EDI: cbd5f780 EBP: cbc67e34 ESP: cbc67e30
> > [52500.591356] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
> > [52500.591356] Process mount (pid: 6938, ti=cbc67000 task=cbeb3f00 task.ti=cbc67000)
> > [52500.591356] Stack: fffffffb cbc67e5c c0316078 cbc67e4c fffffffb 00000000 00000000 00000002
> > [52500.591356] 00000000 c9811920 00000000 cbc67ea0 c01827ff cf415d40 c07b93c0 cf415d40
> > [52500.591356] c9811920 706f6f6c 00000031 c01971ed c07e4ddc c01971ed 000000d0 cf32e6c0
> > [52500.591356] Call Trace:
> > [52500.591356] [<c0316078>] ? jfs_fill_super+0x268/0x2a0
> > [52500.591356] [<c01827ff>] ? get_sb_bdev+0xef/0x120
> > [52500.591356] [<c01971ed>] ? alloc_vfsmnt+0xdd/0x120
> > [52500.591356] [<c01971ed>] ? alloc_vfsmnt+0xdd/0x120
> > [52500.591356] [<c0314fd2>] ? jfs_get_sb+0x22/0x30
> > [52500.591356] [<c0315e10>] ? jfs_fill_super+0x0/0x2a0
> > [52500.591356] [<c018234a>] ? vfs_kern_mount+0x3a/0x90
> > [52500.591356] [<c01823f9>] ? do_kern_mount+0x39/0xd0
> > [52500.591356] [<c0198425>] ? do_new_mount+0x65/0x90
> > [52500.591356] [<c01985aa>] ? do_mount+0x15a/0x1b0
> > [52500.591356] [<c015fc7b>] ? __get_free_pages+0x1b/0x30
> > [52500.591356] [<c01962b8>] ? copy_mount_options+0x38/0x140
> > [52500.591356] [<c0188d47>] ? getname+0xa7/0xc0
> > [52500.591356] [<c019866f>] ? sys_mount+0x6f/0xb0
> > [52500.591356] [<c0103d7d>] ? sysenter_past_esp+0x6a/0xb1
> > [52500.591356] =======================
> > [52500.591356] Code: 4f fa ff 5d c3 8d b6 00 00 00 00 8d bf 00 00 00 00 55 89 e5 e8 d8 88 46 00 31 c0 5d c3 8d 74 26 00 55 85 c0 89 e5 53 89 c3 74 3d <83> b8 3c 02 00 00 40 74 37 8d 40 24 ba e0 ce 7a c0 e8 90 3c 1d
> > [52500.591356] EIP: [<c019348a>] iput+0xa/0x50 SS:ESP 0068:cbc67e30
> > [52500.599040] ---[ end trace 299f5ea1b691e69f ]---
> >
> > kerneloops.org also catched it, but the code is not disassembled
> > yet, http://kerneloops.org/raw.php?rawid=13020&msgid=
> > this is with linux-next from yesterday
> >
> > A copy of the image file is available here:
> > http://www.cccmz.de/~snakebyte/jfs.7.img.bz2
>
> Thanks. It's a bug in an error path that hadn't been caught before.
> This patch should fix it.
with this patch i can't reproduce this; i can confirm that this does
fix the issue
greetings, Eric
* Re: Filesystem fuzzing
2008-05-21 17:21 ` Sunil Mushran
2008-05-21 18:49 ` Eric Sesterhenn
@ 2008-05-27 8:00 ` Eric Sesterhenn
2008-05-27 8:29 ` Eric Sesterhenn
2008-05-28 2:29 ` Sunil Mushran
1 sibling, 2 replies; 16+ messages in thread
From: Eric Sesterhenn @ 2008-05-27 8:00 UTC (permalink / raw)
To: Sunil Mushran; +Cc: linux-fsdevel, ocfs2-devel
* Sunil Mushran (Sunil.Mushran@oracle.com) wrote:
> Eric Sesterhenn wrote:
>> i do some regular filesystem fuzzing, based on a modified version
>> of lmhs fsfuzzer. I try to test current -git at least once a week.
>> Most modifications are adding of new filesystems or mounting
>> them with different options, but i also added some new tests like invoking
>> iozone, fsx or fsstress if available
>>
>> I currently test vfat, udf, msdos, swap, iso9660, ext2,
>> ext3, ext4, hfs, hfsplus, gfs2, ntfs, minix, qnx4, affs and bfs
>
> Please can you add ocfs2 to the mix. To make it easy, you
> can format with "mkfs.ocfs2 -M local" to mark the volume
> for local mount only and thus not deal with any cluster config.
here is a first one:
[ 146.790010] (4230,0):ocfs2_read_locked_inode:475 ERROR: bug expression: !!(fe->i_flags & cpu_to_le32(OCFS2_SYSTEM_FL)) != !!(args->fi_flags & OCFS2_FI_FLAG_SYSFILE)
[ 146.790282] (4230,0):ocfs2_read_locked_inode:475 ERROR: Inode 9: system file state is ambigous
[ 146.790584] ------------[ cut here ]------------
[ 146.790717] kernel BUG at fs/ocfs2/inode.c:475!
[ 146.790848] invalid opcode: 0000 [#1] PREEMPT DEBUG_PAGEALLOC
[ 146.791224] Modules linked in:
[ 146.791381]
[ 146.791381] Pid: 4230, comm: mount.ocfs2 Not tainted (2.6.26-rc4 #44)
[ 146.791381] EIP: 0060:[<c039bb9f>] EFLAGS: 00010282 CPU: 0
[ 146.791381] EIP is at ocfs2_iget+0x6bf/0xc90
[ 146.791381] EAX: 00000065 EBX: 000001db ECX: 00000001 EDX: 00000001
[ 146.791381] ESI: 00000000 EDI: 00000000 EBP: cbf83db4 ESP: cbf83d54
[ 146.791381] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[ 146.791381] Process mount.ocfs2 (pid: 4230, ti=cbf83000 task=cbf8af70 task.ti=cbf83000)
[ 146.791381] Stack: c081be00 00001086 00000000 c06f978f 000001db 00000009 00000000 c08dcddc
[ 146.791381] c038be6b 000000d0 ccae339e cbf83d88 00000000 cbf83db4 c038be76 00000009
[ 146.791381] 00000000 00000009 00000001 00000000 cc33ea28 00000000 cbe14180 c7879800
[ 146.791381] Call Trace:
[ 146.791381] [<c038be6b>] ? ocfs2_new_dlm_debug+0x1b/0x100
[ 146.791381] [<c038be76>] ? ocfs2_new_dlm_debug+0x26/0x100
[ 146.791381] [<c03c556a>] ? ocfs2_fill_super+0x1f2a/0x2910
[ 146.791381] [<c018281f>] ? get_sb_bdev+0xef/0x120
[ 146.791381] [<c019758d>] ? alloc_vfsmnt+0xdd/0x120
[ 146.791381] [<c019758d>] ? alloc_vfsmnt+0xdd/0x120
[ 146.791381] [<c03bf742>] ? ocfs2_get_sb+0x22/0x30
[ 146.791381] [<c03c3640>] ? ocfs2_fill_super+0x0/0x2910
[ 146.791381] [<c018236a>] ? vfs_kern_mount+0x3a/0x90
[ 146.791381] [<c0182419>] ? do_kern_mount+0x39/0xd0
[ 146.791381] [<c01987c5>] ? do_new_mount+0x65/0x90
[ 146.791381] [<c019894a>] ? do_mount+0x15a/0x1b0
[ 146.791381] [<c017bab5>] ? kmem_cache_alloc+0x95/0xc0
[ 146.791381] [<c015fcab>] ? __get_free_pages+0x1b/0x30
[ 146.791381] [<c0196658>] ? copy_mount_options+0x38/0x140
[ 146.791381] [<c0188dc7>] ? getname+0xa7/0xc0
[ 146.791381] [<c0198a0f>] ? sys_mount+0x6f/0xb0
[ 146.791381] [<c0103d7d>] ? sysenter_past_esp+0x6a/0xb1
[ 146.791381] =======================
[ 146.791381] Code: 09 8b c0 31 d2 89 d1 83 e0 01 09 c1 74 1d f6 05 6a 09 8b c0 80 75 14 a1 6c 09 8b c0 31 d2 89 d3 83 e0 01 09 c3 0f 84 56 04 00 00 <0f> 0b eb fe 89 f0 e8 36 96 df ff 81 fb 00 fe ff ff 0f 84 cc fb
[ 146.791381] EIP: [<c039bb9f>] ocfs2_iget+0x6bf/0xc90 SS:ESP 0068:cbf83d54
[ 146.806059] ---[ end trace 48ff23e66ef1f905 ]---
Image can be found at http://cccmz.de/~snakebyte/ocfs2.3.img.bz2
(server is a bit flaky at the moment due to dns
issues, just try again if you get the united domains site)
Greetings, Eric
* Re: Filesystem fuzzing
2008-05-27 8:00 ` Eric Sesterhenn
@ 2008-05-27 8:29 ` Eric Sesterhenn
2008-05-28 2:29 ` Sunil Mushran
1 sibling, 0 replies; 16+ messages in thread
From: Eric Sesterhenn @ 2008-05-27 8:29 UTC (permalink / raw)
To: Sunil Mushran; +Cc: linux-fsdevel, ocfs2-devel
* Eric Sesterhenn (snakebyte@gmx.de) wrote:
> * Sunil Mushran (Sunil.Mushran@oracle.com) wrote:
> > Eric Sesterhenn wrote:
> >> i do some regular filesystem fuzzing, based on a modified version
> >> of lmhs fsfuzzer. I try to test current -git at least once a week.
> >> Most modifications are adding of new filesystems or mounting
> >> them with different options, but i also added some new tests like invoking
> >> iozone, fsx or fsstress if available
> >>
> >> I currently test vfat, udf, msdos, swap, iso9660, ext2,
> >> ext3, ext4, hfs, hfsplus, gfs2, ntfs, minix, qnx4, affs and bfs
> >
> > Please can you add ocfs2 to the mix. To make it easy, you
> > can format with "mkfs.ocfs2 -M local" to mark the volume
> > for local mount only and thus not deal with any cluster config.
>
> here is a first one:
...
> Image can be found at http://cccmz.de/~snakebyte/ocfs2.3.img.bz2
> (server is a bit flaky at the moment due to dns
> issues, just try again if you get the united domains site)
[ 253.538562] (4238,0):ocfs2_populate_inode:277 ERROR: ip_blkno 10 != i_blkno 34314!
[ 253.538861] ------------[ cut here ]------------
[ 253.538995] kernel BUG at fs/ocfs2/inode.c:484!
[ 253.539125] invalid opcode: 0000 [#1] PREEMPT DEBUG_PAGEALLOC
[ 253.539356] Modules linked in:
[ 253.539356]
[ 253.539356] Pid: 4238, comm: mount.ocfs2 Not tainted (2.6.26-rc4 #44)
[ 253.539356] EIP: 0060:[<c039bf71>] EFLAGS: 00010206 CPU: 0
[ 253.539356] EIP is at ocfs2_iget+0xa91/0xc90
[ 253.539356] EAX: 00008600 EBX: 00000000 ECX: 00008600 EDX: 0000860a
[ 253.539356] ESI: cbfc0a78 EDI: cbbcb120 EBP: cbb1fdb4 ESP: cbb1fd54
[ 253.539356] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[ 253.539356] Process mount.ocfs2 (pid: 4238, ti=cbb1f000 task=cbb89fa0 task.ti=cbb1f000)
[ 253.539356] Stack: 00000001 cbb1fda4 00000000 00000000 cbb1fd88 00000296 c038be6b c08dcddc
[ 253.539356] c038be6b 000000d0 cf306d3e cbb1fd88 00000000 cbb1fdb4 c038be76 0000000a
[ 253.539356] 00000000 0000000a 00000001 00000000 cbddb208 00000000 cbbcb120 c9f1f800
[ 253.539356] Call Trace:
[ 253.539356] [<c038be6b>] ? ocfs2_new_dlm_debug+0x1b/0x100
[ 253.539356] [<c038be6b>] ? ocfs2_new_dlm_debug+0x1b/0x100
[ 253.539356] [<c038be76>] ? ocfs2_new_dlm_debug+0x26/0x100
[ 253.539356] [<c03c5594>] ? ocfs2_fill_super+0x1f54/0x2910
[ 253.539356] [<c018281f>] ? get_sb_bdev+0xef/0x120
[ 253.539356] [<c019758d>] ? alloc_vfsmnt+0xdd/0x120
[ 253.539356] [<c019758d>] ? alloc_vfsmnt+0xdd/0x120
[ 253.539356] [<c03bf742>] ? ocfs2_get_sb+0x22/0x30
[ 253.539356] [<c03c3640>] ? ocfs2_fill_super+0x0/0x2910
[ 253.539356] [<c018236a>] ? vfs_kern_mount+0x3a/0x90
[ 253.539356] [<c0182419>] ? do_kern_mount+0x39/0xd0
[ 253.539356] [<c01987c5>] ? do_new_mount+0x65/0x90
[ 253.539356] [<c019894a>] ? do_mount+0x15a/0x1b0
[ 253.539356] [<c017bab5>] ? kmem_cache_alloc+0x95/0xc0
[ 253.539356] [<c015fcab>] ? __get_free_pages+0x1b/0x30
[ 253.539356] [<c0196658>] ? copy_mount_options+0x38/0x140
[ 253.539356] [<c0188dc7>] ? getname+0xa7/0xc0
[ 253.539356] [<c0198a0f>] ? sys_mount+0x6f/0xb0
[ 253.539356] [<c0103d7d>] ? sysenter_past_esp+0x6a/0xb1
[ 253.539356] =======================
[ 253.539356] Code: 89 da 89 f0 e8 61 ec ff ff 85 c0 0f 88 e6 f7 ff ff 8b 55 e0 8b 4b 54 8b 45 dc 31 d1 8b 53 50 31 db 31 d0 09 c1 0f 84 d1 f7 ff ff <0f> 0b eb fe 8b 83 b8 00 00 00 89 c2 0f b6 c8 c1 ea 0c 25 00 ff
[ 253.539356] EIP: [<c039bf71>] ocfs2_iget+0xa91/0xc90 SS:ESP 0068:cbb1fd54
[ 253.554755] ---[ end trace 8befff9d4b19c14a ]---
Image can be found here:
http://www.cccmz.de/~snakebyte/ocfs2.4.img.bz2
Greetings, Eric
* Re: Filesystem fuzzing
2008-05-27 8:00 ` Eric Sesterhenn
2008-05-27 8:29 ` Eric Sesterhenn
@ 2008-05-28 2:29 ` Sunil Mushran
2008-05-29 13:17 ` Eric Sesterhenn
1 sibling, 1 reply; 16+ messages in thread
From: Sunil Mushran @ 2008-05-28 2:29 UTC (permalink / raw)
To: Eric Sesterhenn; +Cc: linux-fsdevel, ocfs2-devel
Eric,
Thanks. I've filed a few bugzillas for tracking them.
I'll need to think about this.
http://oss.oracle.com/bugzilla/show_bug.cgi?id=970
http://oss.oracle.com/bugzilla/show_bug.cgi?id=971
Eric Sesterhenn wrote:
> * Sunil Mushran (Sunil.Mushran@oracle.com) wrote:
>
>> Eric Sesterhenn wrote:
>>
>>> i do some regular filesystem fuzzing, based on a modified version
>>> of lmhs fsfuzzer. I try to test current -git at least once a week.
>>> Most modifications are adding of new filesystems or mounting
>>> them with different options, but i also added some new tests like invoking
>>> iozone, fsx or fsstress if available
>>>
>>> I currently test vfat, udf, msdos, swap, iso9660, ext2,
>>> ext3, ext4, hfs, hfsplus, gfs2, ntfs, minix, qnx4, affs and bfs
>>>
>> Please can you add ocfs2 to the mix. To make it easy, you
>> can format with "mkfs.ocfs2 -M local" to mark the volume
>> for local mount only and thus not deal with any cluster config.
>>
>
> here is a first one:
>
> [ 146.790010] (4230,0):ocfs2_read_locked_inode:475 ERROR: bug expression: !!(fe->i_flags & cpu_to_le32(OCFS2_SYSTEM_FL)) != !!(args->fi_flags & OCFS2_FI_FLAG_SYSFILE)
> [ 146.790282] (4230,0):ocfs2_read_locked_inode:475 ERROR: Inode 9: system file state is ambigous
> [ 146.790584] ------------[ cut here ]------------
> [ 146.790717] kernel BUG at fs/ocfs2/inode.c:475!
> [ 146.790848] invalid opcode: 0000 [#1] PREEMPT DEBUG_PAGEALLOC
> [ 146.791224] Modules linked in:
> [ 146.791381]
> [ 146.791381] Pid: 4230, comm: mount.ocfs2 Not tainted (2.6.26-rc4 #44)
> [ 146.791381] EIP: 0060:[<c039bb9f>] EFLAGS: 00010282 CPU: 0
> [ 146.791381] EIP is at ocfs2_iget+0x6bf/0xc90
> [ 146.791381] EAX: 00000065 EBX: 000001db ECX: 00000001 EDX: 00000001
> [ 146.791381] ESI: 00000000 EDI: 00000000 EBP: cbf83db4 ESP: cbf83d54
> [ 146.791381] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
> [ 146.791381] Process mount.ocfs2 (pid: 4230, ti=cbf83000 task=cbf8af70 task.ti=cbf83000)
> [ 146.791381] Stack: c081be00 00001086 00000000 c06f978f 000001db 00000009 00000000 c08dcddc
> [ 146.791381] c038be6b 000000d0 ccae339e cbf83d88 00000000 cbf83db4 c038be76 00000009
> [ 146.791381] 00000000 00000009 00000001 00000000 cc33ea28 00000000 cbe14180 c7879800
> [ 146.791381] Call Trace:
> [ 146.791381] [<c038be6b>] ? ocfs2_new_dlm_debug+0x1b/0x100
> [ 146.791381] [<c038be76>] ? ocfs2_new_dlm_debug+0x26/0x100
> [ 146.791381] [<c03c556a>] ? ocfs2_fill_super+0x1f2a/0x2910
> [ 146.791381] [<c018281f>] ? get_sb_bdev+0xef/0x120
> [ 146.791381] [<c019758d>] ? alloc_vfsmnt+0xdd/0x120
> [ 146.791381] [<c019758d>] ? alloc_vfsmnt+0xdd/0x120
> [ 146.791381] [<c03bf742>] ? ocfs2_get_sb+0x22/0x30
> [ 146.791381] [<c03c3640>] ? ocfs2_fill_super+0x0/0x2910
> [ 146.791381] [<c018236a>] ? vfs_kern_mount+0x3a/0x90
> [ 146.791381] [<c0182419>] ? do_kern_mount+0x39/0xd0
> [ 146.791381] [<c01987c5>] ? do_new_mount+0x65/0x90
> [ 146.791381] [<c019894a>] ? do_mount+0x15a/0x1b0
> [ 146.791381] [<c017bab5>] ? kmem_cache_alloc+0x95/0xc0
> [ 146.791381] [<c015fcab>] ? __get_free_pages+0x1b/0x30
> [ 146.791381] [<c0196658>] ? copy_mount_options+0x38/0x140
> [ 146.791381] [<c0188dc7>] ? getname+0xa7/0xc0
> [ 146.791381] [<c0198a0f>] ? sys_mount+0x6f/0xb0
> [ 146.791381] [<c0103d7d>] ? sysenter_past_esp+0x6a/0xb1
> [ 146.791381] =======================
> [ 146.791381] Code: 09 8b c0 31 d2 89 d1 83 e0 01 09 c1 74 1d f6 05 6a 09 8b c0 80 75 14 a1 6c 09 8b c0 31 d2 89 d3 83 e0 01 09 c3 0f 84 56 04 00 00 <0f> 0b eb fe 89 f0 e8 36 96 df ff 81 fb 00 fe ff ff 0f 84 cc fb
> [ 146.791381] EIP: [<c039bb9f>] ocfs2_iget+0x6bf/0xc90 SS:ESP 0068:cbf83d54
> [ 146.806059] ---[ end trace 48ff23e66ef1f905 ]---
>
> Image can be found at http://cccmz.de/~snakebyte/ocfs2.3.img.bz2
> (server is a bit flaky at the moment due to dns
> issues, just try again if you get the united domains site)
>
> Greetings, Eric
>
* Re: Filesystem fuzzing
2008-05-28 2:29 ` Sunil Mushran
@ 2008-05-29 13:17 ` Eric Sesterhenn
0 siblings, 0 replies; 16+ messages in thread
From: Eric Sesterhenn @ 2008-05-29 13:17 UTC (permalink / raw)
To: Sunil Mushran; +Cc: linux-fsdevel, ocfs2-devel
* Sunil Mushran (Sunil.Mushran@oracle.com) wrote:
> Eric,
>
> Thanks. I've filed few bugzillas for tracking them.
> I'll need to think about this.
>
> http://oss.oracle.com/bugzilla/show_bug.cgi?id=970
> http://oss.oracle.com/bugzilla/show_bug.cgi?id=971
hi,
i just hit the following on current -git
[13643.111621] ocfs2: Unmounting device (7,1) on (node local)
[13645.520545] JBD: Ignoring recovery information on journal
[13645.535059] kjournald starting. Commit interval 5 seconds
[13645.541779] ocfs2: Mounting device (7,2) on (node local, slot 0) with ordered data mode.
[13646.555938]
[13646.555945] =======================================================
[13646.556168] [ INFO: possible circular locking dependency detected ]
[13646.556272] 2.6.26-rc4-00027-g0a2ce2f #4
[13646.556352] -------------------------------------------------------
[13646.556352] rm/16437 is trying to acquire lock:
[13646.556352] (&oi->ip_alloc_sem){----}, at: [<c03a89b7>] ocfs2_bread+0xa7/0x220
[13646.556352]
[13646.556352] but task is already holding lock:
[13646.556352] (jbd_handle){--..}, at: [<c022175a>] journal_start+0xaa/0x100
[13646.556352]
[13646.556352] which lock already depends on the new lock.
[13646.556352]
[13646.556352]
[13646.556352] the existing dependency chain (in reverse order) is:
[13646.556352]
[13646.556352] -> #3 (jbd_handle){--..}:
[13646.556352] [<c0147f18>] __lock_acquire+0xc58/0x1100
[13646.556352] [<c0148440>] lock_acquire+0x80/0xa0
[13646.556352] [<c022177e>] journal_start+0xce/0x100
[13646.556352] [<c03aca7d>] ocfs2_start_trans+0x12d/0x260
[13646.556352] [<c03b80f4>] ocfs2_mknod+0x224/0xd80
[13646.556352] [<c03b9319>] ocfs2_create+0x49/0x180
[13646.556352] [<c0192e01>] vfs_create+0xc1/0x150
[13646.556352] [<c0195706>] do_filp_open+0x556/0x7a0
[13646.556352] [<c0187f29>] do_sys_open+0x49/0xd0
[13646.556352] [<c0188019>] sys_open+0x29/0x40
[13646.556352] [<c0103d6d>] sysenter_past_esp+0x6a/0xb1
[13646.556352] [<ffffffff>] 0xffffffff
[13646.556352]
[13646.556352] -> #2 (&journal->j_trans_barrier){..--}:
[13646.556352] [<c0147f18>] __lock_acquire+0xc58/0x1100
[13646.556352] [<c0148440>] lock_acquire+0x80/0xa0
[13646.556352] [<c06d9a7e>] down_read+0x3e/0x80
[13646.556352] [<c03aca72>] ocfs2_start_trans+0x122/0x260
[13646.556352] [<c03b80f4>] ocfs2_mknod+0x224/0xd80
[13646.556352] [<c03b9199>] ocfs2_mkdir+0x49/0x180
[13646.556352] [<c0192907>] vfs_mkdir+0xb7/0x140
[13646.556352] [<c0194a55>] sys_mkdirat+0xd5/0xf0
[13646.556352] [<c0194a90>] sys_mkdir+0x20/0x30
[13646.556352] [<c0103d6d>] sysenter_past_esp+0x6a/0xb1
[13646.556352] [<ffffffff>] 0xffffffff
[13646.556352]
[13646.556352] -> #1 (&ocfs2_sysfile_lock_key[args->fi_sysfile_type]#3){--..}:
[13646.556352] [<c0147f18>] __lock_acquire+0xc58/0x1100
[13646.556352] lock_acquire+0x80/0xa0
[13646.556352] mutex_lock_nested+0x8e/0x2a0
[13646.556352] [<c03c87a5>] ocfs2_reserve_suballoc_bits+0x65/0x730
[13646.556352] ocfs2_reserve_cluster_bitmap_bits+0x30/0x140
[13646.556352] [<c03c91f9>] ocfs2_reserve_clusters+0x249/0x560
[13646.556352] [<c039bac3>] ocfs2_lock_allocators+0x203/0x410
[13646.556352] [<c0380b04>] ocfs2_write_begin_nolock+0x214/0x1450
[13646.556352] [<c0384425>] ocfs2_write_begin+0x155/0x2d0
[13646.556352] generic_file_buffered_write+0xf4/0x5e0
[13646.556352] __generic_file_aio_write_nolock+0x265/0x520
[13646.556352] [<c01652e6>] generic_file_aio_write_nolock+0x46/0xb0
[13646.556352] [<c03a3b54>] ocfs2_file_aio_write+0x3b4/0x700
[13646.556352] [<c0189acc>] do_sync_write+0xcc/0x110
[13646.556352] vfs_write+0x99/0x130
[13646.556352] [<c018a8ed>] sys_write+0x3d/0x70
[13646.556352] sysenter_past_esp+0x6a/0xb1
[13646.556352] 0xffffffff
[13646.556352]
[13646.556352] -> #0 (&oi->ip_alloc_sem){----}:
[13646.556352] [<c0147d20>] __lock_acquire+0xa60/0x1100
[13646.556352] [<c0148440>] lock_acquire+0x80/0xa0
[13646.556352] down_read+0x3e/0x80
[13646.556352] ocfs2_bread+0xa7/0x220
[13646.556352] [<c03899ff>] ocfs2_find_entry+0x26f/0x940
[13646.556352] [<c03be835>] ocfs2_orphan_del+0x75/0x700
[13646.556352] ocfs2_remove_inode+0xac/0x730
[13646.556352] ocfs2_wipe_inode+0x123/0xbb0
[13646.556352] [<c03a9630>] ocfs2_delete_inode+0x730/0xcc0
[13646.556352] [<c019e3b0>] generic_delete_inode+0x90/0x110
[13646.556352] generic_drop_inode+0x119/0x160
[13646.556352] ocfs2_drop_inode+0x87/0x210
[13646.556352] iput+0x47/0x50
[13646.556352] [<c019478f>] do_unlinkat+0xdf/0x160
[13646.556352] sys_unlinkat+0x30/0x40
[13646.556352] sysenter_past_esp+0x6a/0xb1
[13646.556352]
[13646.556352] [<c0145013>] print_circular_bug_entry+0x43/0x50
[13646.556352] [<c0147d20>] __lock_acquire+0xa60/0x1100
[13646.556352] [<c0109727>] ? native_sched_clock+0x77/0xb0
[13646.556352] [<c0109727>] ? native_sched_clock+0x77/0xb0
[13646.556352] [<c0148440>] lock_acquire+0x80/0xa0
[13646.556352] [<c03a89b7>] ? ocfs2_bread+0xa7/0x220
[13646.556352] [<c06d9a7e>] down_read+0x3e/0x80
[13646.556352] [<c03a89b7>] ? ocfs2_bread+0xa7/0x220
[13646.556352] [<c03a89b7>] ocfs2_bread+0xa7/0x220
[13646.556352] [<c03899ff>] ocfs2_find_entry+0x26f/0x940
[13646.556352] [<c04463f7>] ? vsnprintf+0x2d7/0x5e0
[13646.556352] [<c044679d>] ? snprintf+0x1d/0x20
[13646.556352] [<c03b6a53>] ? ocfs2_blkno_stringify+0x53/0x400
[13646.556352] [<c022175a>] ? journal_start+0xaa/0x100
[13646.556352] [<c03be835>] ocfs2_orphan_del+0x75/0x700
[13646.556352] [<c022175a>] ? journal_start+0xaa/0x100
[13646.556352] [<c03aca7d>] ? ocfs2_start_trans+0x12d/0x260
[13646.556352] [<c03a4aec>] ocfs2_remove_inode+0xac/0x730
[13646.556352] [<c03a5293>] ocfs2_wipe_inode+0x123/0xbb0
[13646.556352] [<c014483d>] ? put_lock_stats+0xd/0x30
[13646.556352] [<c016cdba>] ? truncate_inode_pages+0x1a/0x20
[13646.556352] [<c03a4269>] ? ocfs2_inode_is_valid_to_delete+0x89/0x320
[13646.556352] [<c03a9630>] ocfs2_delete_inode+0x730/0xcc0
[13646.556352] [<c0147584>] ? __lock_acquire+0x2c4/0x1100
[13646.556352] [<c0147584>] ? __lock_acquire+0x2c4/0x1100
[13646.556352] [<c0109727>] ? native_sched_clock+0x77/0xb0
[13646.556352] [<c014483d>] ? put_lock_stats+0xd/0x30
[13646.556352] [<c03a8f00>] ? ocfs2_delete_inode+0x0/0xcc0
[13646.556352] [<c019e3b0>] generic_delete_inode+0x90/0x110
[13646.556352] [<c019e549>] generic_drop_inode+0x119/0x160
[13646.556352] [<c03a8787>] ocfs2_drop_inode+0x87/0x210
[13646.556352] [<c0440ab8>] ? _atomic_dec_and_lock+0x18/0x40
[13646.556352] [<c06da99c>] ? _spin_lock+0x5c/0x70
[13646.556352] [<c0440ab8>] ? _atomic_dec_and_lock+0x18/0x40
[13646.556352] [<c019d9a7>] iput+0x47/0x50
[13646.556352] [<c019478f>] do_unlinkat+0xdf/0x160
[13646.556352] [<c01182b7>] ? do_page_fault+0x2c7/0x640
[13646.556352] [<c0103e57>] ? restore_nocheck+0x12/0x15
[13646.556352] [<c0117ff0>] ? do_page_fault+0x0/0x640
[13646.556352] [<c0146dfd>] ? trace_hardirqs_on+0xbd/0x140
[13646.556352] [<c0194950>] sys_unlinkat+0x30/0x40
[13646.556352] [<c0103d6d>] sysenter_past_esp+0x6a/0xb1
[13646.556352] =======================
[13661.614478] ocfs2: Unmounting device (7,2) on (node local)
Greetings, Eric
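The reports in this thread all surface through dmesg, and a fuzz loop like fsfuzzer's check_results step has to decide from that text whether an image is worth keeping. As an added example (not code from the thread or from fsfuzzer), the following POSIX shell filter recognises the three report classes seen above, a kernel BUG(), a page-fault oops and a lockdep circular-dependency warning, and extracts the one detail worth keying a bug report on. The sample input is constructed from lines of the reports earlier in this thread plus one harmless unmount message.

```shell
#!/bin/sh
# Added example, not part of the thread or of fsfuzzer: a small triage filter
# for the dmesg output a fuzzing run collects. Anything that is not one of
# the recognised report classes is dropped.

# classify_dmesg: reads kernel log lines on stdin, writes "KIND<TAB>DETAIL":
#   bug      "kernel BUG at FILE:LINE!"                       -> FILE:LINE
#   oops     "BUG: unable to handle kernel ... at ADDR"       -> ADDR
#   lockdep  "possible circular locking dependency detected"  -> circular
#   eip      "EIP is at SYMBOL+off/len"                       -> SYMBOL
# eip lines are details of the preceding bug/oops, not reports of their own.
classify_dmesg() {
    sed -e 's/^\[ *[0-9]*\.[0-9]*] //' | awk '
        /kernel BUG at /               { sub(/.*kernel BUG at /, ""); sub(/!.*/, ""); print "bug\t" $0; next }
        /BUG: unable to handle kernel/ { n = split($0, a, " at "); print "oops\t" (n > 1 ? a[n] : "?"); next }
        /possible circular locking dependency detected/ { print "lockdep\tcircular"; next }
        /EIP is at /                   { sub(/.*EIP is at /, ""); sub(/[+].*/, ""); print "eip\t" $0; next }
    '
}

# crash_count: number of distinct reports (bug/oops/lockdep) in the input,
# which is what a fuzz loop needs to decide whether to keep the image.
crash_count() {
    classify_dmesg | awk -F'\t' '$1 != "eip"' | wc -l | tr -d ' '
}

# sample_log: constructed input, assembled from lines of the reports
# earlier in this thread plus one harmless unmount message.
sample_log() {
    cat <<'EOF'
[ 146.790584] ------------[ cut here ]------------
[ 146.790717] kernel BUG at fs/ocfs2/inode.c:475!
[ 146.791381] EIP is at ocfs2_iget+0x6bf/0xc90
[52500.590308] BUG: unable to handle kernel NULL pointer dereference at 00000237
[52500.591356] EIP is at iput+0xa/0x50
[13646.556168] [ INFO: possible circular locking dependency detected ]
[13661.614478] ocfs2: Unmounting device (7,2) on (node local)
EOF
}

sample_log | classify_dmesg
echo "reports: $(sample_log | crash_count)"
```

In a harness this would replace a bare grep for "BUG" so that the saved image is tagged with fs/ocfs2/inode.c:475 or the faulting address rather than a whole dmesg dump; the lockdep class matters because, as the last report shows, it appears without any oops at all.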
* Re: Filesystem fuzzing
2008-05-19 10:07 Filesystem fuzzing Eric Sesterhenn
2008-05-20 15:40 ` Dave Kleikamp
2008-05-21 17:21 ` Sunil Mushran
@ 2008-05-29 14:56 ` Szabolcs Szakacsits
2008-05-30 7:51 ` Eric Sesterhenn
2 siblings, 1 reply; 16+ messages in thread
From: Szabolcs Szakacsits @ 2008-05-29 14:56 UTC (permalink / raw)
To: Eric Sesterhenn
Cc: linux-fsdevel-u79uwXL29TY76Z2rM5mHXA,
ntfs-3g-devel-TtF/mJH4Jtrk1uMJSBkQmQ
Hi Eric,
On Mon, 19 May 2008, Eric Sesterhenn wrote:
> i do some regular filesystem fuzzing, based on a modified version
> of lmhs fsfuzzer. I try to test current -git at least once a week.
> Most modifications are adding of new filesystems or mounting
> them with different options, but i also added
> some new tests like invoking iozone, fsx or fsstress if available
>
> I currently test vfat, udf, msdos, swap, iso9660, ext2,
> ext3, ext4, hfs, hfsplus, gfs2, ntfs, minix, qnx4, affs and bfs
Thanks for doing this :-)
We added ntfs-3g and fuse support, fixed the one crash and three hang
problems it found and made a new stable ntfs-3g 1.2531 release available:
http://ntfs-3g.org/
The fsfuzzer patch is attached below; it includes
- fixes for a potentially leaking loop device
- simplification for mkntfs which can be used on files
- ntfs-3g and fuse support
> if someone maintaining one of those filesystems is interested in oops
> reports please let me know.
We would appreciate ntfs-3g testing a lot. FUSE is used by over a hundred
file systems and ntfs-3g by many users and devices.
Kernel changes sometimes introduced new behaviours which resulted in subtle
bugs or exposed hidden ones. We were lucky a few times, even if we're
always looking for and keep improving the quality process.
> I can only test on a 32bit x86 box at the moment, so it might be
> interesting if someone runs this stuff on some 64bit box or other
> architecture.
We are using fsfuzz on x86_64 too and hopefully soon on big-endian MIPS
and ARM.
You would only need FUSE module support in the kernel and
'./configure && make && make install' for the ntfs-3g package.
Then everything works just as if it were a fully in-kernel driver
(mount -t, etc).
Ntfs-3g bug reports could go to ntfs-3g-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org, fuse
ones to fuse-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org, or anywhere else, we monitor
several lists.
If you have any question or problem, then we'd be happy to answer and help any
time.
This tool is really great. It will be very useful for hot-repair testing as
well in the future :-)
Thanks,
Szaka
diff -ur fsfuzzer-0.6-lmh.orig/fsfuzz fsfuzzer-0.6-lmh/fsfuzz
--- fsfuzzer-0.6-lmh.orig/fsfuzz 2008-05-19 12:14:33.000000000 +0300
+++ fsfuzzer-0.6-lmh/fsfuzz 2008-05-29 19:06:03.000000000 +0300
@@ -50,7 +50,7 @@
fi
if [ -x /sbin/mkfs.ntfs ] ; then
- filesystems="$filesystems ntfs"
+ filesystems="$filesystems ntfs ntfs-3g"
fi
if [ -x /sbin/mkfs.reiserfs ] ; then
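Review bot: the new ntfs-3g entry is gated only on /sbin/mkfs.ntfs being executable, but mounting with -t ntfs-3g also needs the ntfs-3g userspace driver and FUSE (the cover mail says the FUSE module and an installed ntfs-3g package are required), so a box with mkntfs but no ntfs-3g gets a test that fails at every mount. Suggest a separate guard on the helper the package installs, e.g. `if [ -x /sbin/mount.ntfs-3g ] ; then filesystems="$filesystems ntfs-3g" ; fi`, and keep the mkfs.ntfs check for ntfs alone.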
@@ -97,14 +97,14 @@
rm -f fs/* 2>/dev/null
rmdir cfs 2>/dev/null
rmdir fs 2>/dev/null
- umount /media/test 2>/dev/null
+ umount -d /media/test 2>/dev/null
if [ -d /media/test ] ; then
rmdir /media/test
fi
}
cleanup () {
- umount /media/test 2>/dev/null
+ umount -d /media/test 2>/dev/null
rmdir /media/test
}
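Review bot: cleanup() still runs `rmdir /media/test` unconditionally, while the function above guards the same call with `if [ -d /media/test ]`; since cleanup() is the error-path handler, the unguarded rmdir prints a spurious error whenever the mount point was never created. Suggest the same guard (or `2>/dev/null`) there. The switch to `umount -d` itself is the right fix for the leak described in the cover mail: it detaches the loop device that `mount -o loop` allocated, which a plain umount leaves attached.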
@@ -239,10 +239,8 @@
/sbin/mkfs.minix /dev/loop0 $BLOCKSIZE
losetup -d /dev/loop0
;;
- ntfs)
- losetup /dev/loop0 $file
- /sbin/mkfs.ntfs -C -L TEST1 /dev/loop0
- losetup -d /dev/loop0
+ ntfs|ntfs-3g)
+ /sbin/mkfs.ntfs -C -L TEST1 -F $file
;;
# Let xfs extend the file image, it needs about 16m
xfs) /sbin/mkfs.xfs -b size=$BLOCKSIZE -f -dname=$file >/dev/null
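Review bot: `-F` is what lets mkfs.ntfs write to a regular file instead of a block device, so the losetup attach/detach pair is correctly dropped and /dev/loop0 is no longer touched on this path at all, which removes one more way it could be left attached. One consistency point: the xfs case two lines below sends mkfs output to /dev/null while the new ntfs case does not, so the fuzz log will now carry mkntfs's progress output for every image.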
diff -ur fsfuzzer-0.6-lmh.orig/run_test fsfuzzer-0.6-lmh/run_test
--- fsfuzzer-0.6-lmh.orig/run_test 2008-05-19 12:13:51.000000000 +0300
+++ fsfuzzer-0.6-lmh/run_test 2008-05-29 19:08:50.000000000 +0300
@@ -24,7 +24,7 @@
dmesg -c >/dev/null 2>&1
cleanup () {
- umount /media/test 2>/dev/null
+ umount -d /media/test 2>/dev/null
rmdir /media/test
}
@@ -272,6 +272,35 @@
check_results
fi
+if [ $fs = "ntfs-3g" ] ; then
+
+ mount ./cfs/$fs.$i.img /media/test -t $fs -o loop >/dev/null 2>&1
+
+ typeset ret=$?
+
+ if [ $ret -eq 0 ] ; then
+ perform_operations
+ FAULT=`/bin/ls /media/test | grep -Ei 'Transport endpoint is not connected|Software caused connection abort'`
+ if [ x"$FAULT" != "x" ] ; then
+ echo "++ Something found (`pwd`/fs/$fs.$i.img)..."
+ exit 1
+ fi
+ echo "++ unmounting ./cfs/$fs.$i.img"
+ umount -d /media/test >/dev/null 2>&1
+ if [ $? -ne 0 ] ; then
+ echo "Failed to unmount test file system"
+ exit 1
+ fi
+ sync
+ fi
+ losetup -d /dev/loop0 2> /dev/null
+ if [ $ret -eq 2 ] ; then
+ exit 1
+ fi
+ check_results
+ exit 0
+fi
+
mount ./cfs/$fs.$i.img /media/test -t $fs -o loop >/dev/null 2>&1
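Review bot: the FAULT check cannot fire as written: when the FUSE daemon has died, `ls /media/test` reports "Transport endpoint is not connected" on stderr, but only stdout is piped into grep, so FAULT stays empty and the crash the block is meant to catch is missed. Redirect stderr into the pipe, e.g. `FAULT=\`/bin/ls /media/test 2>&1 | grep -Ei 'Transport endpoint is not connected|Software caused connection abort'\``. Two smaller points: `losetup -d /dev/loop0` assumes the `-o loop` mount picked loop0, which is not guaranteed, and is redundant once `umount -d` has already detached the device; and the trailing `exit 0` skips everything after this block, so any check added later on the generic path below will silently not run for ntfs-3g.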
* Re: Filesystem fuzzing
2008-05-29 14:56 ` Szabolcs Szakacsits
@ 2008-05-30 7:51 ` Eric Sesterhenn
2008-05-30 19:58 ` Szabolcs Szakacsits
0 siblings, 1 reply; 16+ messages in thread
From: Eric Sesterhenn @ 2008-05-30 7:51 UTC (permalink / raw)
To: Szabolcs Szakacsits; +Cc: linux-fsdevel, ntfs-3g-devel
Hi,
* Szabolcs Szakacsits (szaka@ntfs-3g.org) wrote:
>
> We added ntfs-3g and fuse support, fixed the one crash and three hang
> problems it found and made a new stable ntfs-3g 1.2531 release available:
>
> http://ntfs-3g.org/
>
> The fsfuzzer patch is attached below, it includes
>
> - fixes for potentially leaking loop device
> - simplification for mkntfs which can be used on files
> - ntfs-3g and fuse support
nice, i added them to my local version
> > if someone maintaining one of those filesystems is interested in oops
> > reports please let me know.
>
> We would appreciate ntfs-3g testing a lot. FUSE is used by over a hundred
> file systems and ntfs-3g by many users, devices.
>
> > I can only test on a 32bit x86 box at the moment, so it might be
> > interesting if someone runs this stuff on some 64bit box or other
> > architecture.
>
> We are using fsfuzz on x86_64 too and hopefully soon on big-endian MIPS
> and ARM.
nice, do you only use those to test fuse/ntfs-3g or
also the other filesystems?
> If you have any question, problem then we'd be happy to answer and help any
> time.
>
> This tool is really great. It will be very useful for hot-repair testing as
> well in the future :-)
yeah, lmh did a nice job for the month of kernel bugs
I added ntfs-3g testing to my testbox, and use the mercurial tree
from http://mercurial.creo.hu/repos/ntfs-3g-hg to always test
the latest version. The only problem I have is that when
i mount images with -t ntfs the fuse driver also gets
used, not the kernel one. Is there an option to only use
ntfs-3g when using -t ntfs-3g?
Greetings, Eric
* Re: Filesystem fuzzing
2008-05-30 7:51 ` Eric Sesterhenn
@ 2008-05-30 19:58 ` Szabolcs Szakacsits
0 siblings, 0 replies; 16+ messages in thread
From: Szabolcs Szakacsits @ 2008-05-30 19:58 UTC (permalink / raw)
To: Eric Sesterhenn
Cc: linux-fsdevel-u79uwXL29TY76Z2rM5mHXA,
ntfs-3g-devel-TtF/mJH4Jtrk1uMJSBkQmQ
Hi,
On Fri, 30 May 2008, Eric Sesterhenn wrote:
> * Szabolcs Szakacsits (szaka-IyvsvuGDJ8VAfugRpC6u6w@public.gmane.org) wrote:
> >
> > We added ntfs-3g and fuse support, fixed the one crash and three hang
> > problems it found and made a new stable ntfs-3g 1.2531 release available:
> >
> > http://ntfs-3g.org/
> >
> > The fsfuzzer patch is attached below, it includes
> >
> > - fixes for potentially leaking loop device
> > - simplification for mkntfs which can be used on files
> > - ntfs-3g and fuse support
>
> nice, i added them to my local version
Thanks!
> > > if someone maintaining one of those filesystems is interested in oops
> > > reports please let me know.
> >
> > We would appreciate ntfs-3g testing a lot. FUSE is used by over a hundred
> > file systems and ntfs-3g by many users, devices.
> >
> > > I can only test on a 32bit x86 box at the moment, so it might be
> > > interesting if someone runs this stuff on some 64bit box or other
> > > architecture.
> >
> > We are using fsfuzz on x86_64 too and hopefully soon on big-endian MIPS
> > and ARM.
>
> nice, do you only use those to test fuse/ntfs-3g or
> also the other filesystems?
We're focusing on fuse/ntfs-3g development; other file systems are tested
only in benchmarks and feature-compatibility evaluations. The latter two
have only jffs2, but I can give a try to some file systems on a 64-bit box.
> I added ntfs-3g testing to my testbox, and use the mercurial tree
> from http://mercurial.creo.hu/repos/ntfs-3g-hg to always test
> the latest version.
That's great, thanks! The development repository must always have
already-tested code.
> The only problem I have is that when i mount images with -t ntfs the fuse
> driver also gets used, not the kernel one. is there an option to only use
> ntfs-3g when using -t ntfs-3g?
Ntfs-3g doesn't override the 'ntfs' file system type but some distros do.
If you have a /sbin/mount.ntfs symlink to the ntfs-3g executable then
just remove it and '-t ntfs' should work fine.
Thanks again,
Szaka
--
NTFS-3G: http://ntfs-3g.org
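The question of which driver actually serves a given `-t` type comes down to mount(8)'s helper lookup: if an executable /sbin/mount.TYPE exists, mount execs it and the kernel driver is never consulted, which is exactly how a distro-installed /sbin/mount.ntfs symlink diverts "-t ntfs" to ntfs-3g. As an added example (not code from the thread or from the ntfs-3g project), the following POSIX shell functions make that check explicit on a fuzzing box; the helper directory is a parameter, defaulting to /sbin, so the functions can also be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not part of the thread or of ntfs-3g: report which driver
# "mount -t TYPE" will really use, by applying mount(8)'s own rule that an
# executable /sbin/mount.TYPE helper takes precedence over the kernel driver.

# resolve_mount_helper TYPE [HELPER_DIR]
# Prints "kernel" when no executable helper exists, otherwise the canonical
# path the helper resolves to (symlinks followed), so a mount.ntfs symlink
# shows up as the ntfs-3g binary it points at.
resolve_mount_helper() {
    fstype=$1
    helper="${2:-/sbin}/mount.$fstype"
    if [ -x "$helper" ]; then
        readlink -f "$helper"
    else
        echo kernel
    fi
}

# ntfs_type_is_diverted [HELPER_DIR]
# Succeeds (exit 0) when "-t ntfs" would be handled by ntfs-3g instead of
# the in-kernel ntfs driver, i.e. the situation described in the thread.
ntfs_type_is_diverted() {
    target=$(resolve_mount_helper ntfs "${1:-/sbin}")
    case "$(basename "$target")" in
        ntfs-3g|mount.ntfs-3g) return 0 ;;
        *) return 1 ;;
    esac
}

# report_mount_helpers [HELPER_DIR]
# One line per type, for a quick audit before a fuzzing run.
report_mount_helpers() {
    for t in ntfs ntfs-3g ext3 ocfs2; do
        printf '%-8s -> %s\n' "$t" "$(resolve_mount_helper "$t" "${1:-/sbin}")"
    done
}

report_mount_helpers
```

Running the report before a fuzzing session makes the mapping explicit in the log, so a crash found under "-t ntfs" is attributed to the right driver; removing the mount.ntfs symlink, as suggested above, turns the first line of the report back to "kernel".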