The quota index information in the image is tampered, causing illegal memory access. It is a regression test for Kernel commit 9bf3d2033129 quota: check block number when reading the block in quota file and commit d0e36a62bd4c quota: correct error number in free_dqentry(). Signed-off-by: Sun Ke <sunke32@xxxxxxxxxx> --- tests/ext4/055 | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++ tests/ext4/055.out | 2 ++ 2 files changed, 55 insertions(+) create mode 100755 tests/ext4/055 create mode 100644 tests/ext4/055.out diff --git a/tests/ext4/055 b/tests/ext4/055 new file mode 100755 index 00000000..2e344106 --- /dev/null +++ b/tests/ext4/055 @@ -0,0 +1,53 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright (c) 2021 Huawei. All Rights Reserved. +# +# FS QA Test 055 +# +# The preceding illegal memory access problem occurs due to tampering with the +# quota index information in the image. +# +# Regression test for kernel +# commit 9bf3d2033129 quota: check block number when reading the block in quota file +# commit d0e36a62bd4c quota: correct error number in free_dqentry() +# +# The test is based on a testcase from Zhang Yi <yi.zhang@xxxxxxxxxx>. +# +. ./common/preamble +_begin_fstest auto quota + +# real QA test starts here + +# Modify as appropriate. +_require_scratch_nocheck +_supported_fs ext4 +_require_user fsgqa +_require_user fsgqa2 +_require_command "$DEBUGFS_PROG" debugfs + +echo "Silence is golden" + +# The 1K blocksize is designed for debugfs. +_scratch_mkfs "-F -O quota -b 1024" > $seqres.full 2>&1 +# Start from 0, fill block 1 with 6,replace the original 2. +# The purpose is change the normal index order from 1->2->3->4->5 to 1->6->0. +$DEBUGFS_PROG -w -R "zap_block -o 0 -l 1 -p 6 -f <3> 1" $SCRATCH_DEV >> $seqres.full 2>&1 +_scratch_mount >> $seqres.full 2>&1 + +# Quota with user id 0 switch to quota with user id fsgqa, quota with user id 0 should +# be release, but it can not be released because of block 6 is used by other quota. +chown fsgqa:fsgqa $SCRATCH_MNT >> $seqres.full 2>&1 +touch $SCRATCH_MNT/foo >> $seqres.full 2>&1 +# In the process of deleting foo, will get the next block is 0 from block 6. +# Block 0 is illegitimate, because it is the superblock of quota file. +# It will take magic number from block 0 as block number, and assign block number to +# info->dqi_free_blk +rm -f $SCRATCH_MNT/foo +# Switch the quota, the wrong block number will be larger then INX_MAX, and it will be +# return as a error code. Since the error code is not available, dqget() will change it +# to a invalid address, use this address will trigger problem. +chown fsgqa2:fsgqa2 $SCRATCH_MNT >> $seqres.full 2>&1 + +# success, all done +status=0 +exit diff --git a/tests/ext4/055.out b/tests/ext4/055.out new file mode 100644 index 00000000..e806fb56 --- /dev/null +++ b/tests/ext4/055.out @@ -0,0 +1,2 @@ +QA output created by 055 +Silence is golden -- 2.13.6
