lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sun, 26 Jul 2020 16:24:12 +0100
From:   Christoph Hellwig <hch@...radead.org>
To:     Qian Cai <cai@....pw>
Cc:     Matthew Wilcox <willy@...radead.org>, darrick.wong@...cle.com,
        hch@...radead.org, linux-xfs@...r.kernel.org,
        linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
        khlebnikov@...dex-team.ru
Subject: Re: WARN_ON_ONCE(1) in iomap_dio_actor()

On Fri, Jul 24, 2020 at 02:24:32PM -0400, Qian Cai wrote:
> On Fri, Jun 19, 2020 at 05:17:47PM -0700, Matthew Wilcox wrote:
> > On Fri, Jun 19, 2020 at 05:17:50PM -0400, Qian Cai wrote:
> > > Running a syscall fuzzer by a normal user could trigger this,
> > > 
> > > [55649.329999][T515839] WARNING: CPU: 6 PID: 515839 at fs/iomap/direct-io.c:391 iomap_dio_actor+0x29c/0x420
> > ...
> > > 371 static loff_t
> > > 372 iomap_dio_actor(struct inode *inode, loff_t pos, loff_t length,
> > > 373                 void *data, struct iomap *iomap, struct iomap *srcmap)
> > > 374 {
> > > 375         struct iomap_dio *dio = data;
> > > 376
> > > 377         switch (iomap->type) {
> > > 378         case IOMAP_HOLE:
> > > 379                 if (WARN_ON_ONCE(dio->flags & IOMAP_DIO_WRITE))
> > > 380                         return -EIO;
> > > 381                 return iomap_dio_hole_actor(length, dio);
> > > 382         case IOMAP_UNWRITTEN:
> > > 383                 if (!(dio->flags & IOMAP_DIO_WRITE))
> > > 384                         return iomap_dio_hole_actor(length, dio);
> > > 385                 return iomap_dio_bio_actor(inode, pos, length, dio, iomap);
> > > 386         case IOMAP_MAPPED:
> > > 387                 return iomap_dio_bio_actor(inode, pos, length, dio, iomap);
> > > 388         case IOMAP_INLINE:
> > > 389                 return iomap_dio_inline_actor(inode, pos, length, dio, iomap);
> > > 390         default:
> > > 391                 WARN_ON_ONCE(1);
> > > 392                 return -EIO;
> > > 393         }
> > > 394 }
> > > 
> > > Could that be iomap->type == IOMAP_DELALLOC ? Looking throught the logs,
> > > it contains a few pread64() calls until this happens,
> > 
> > It _shouldn't_ be able to happen.  XFS writes back ranges which exist
> > in the page cache upon seeing an O_DIRECT I/O.  So it's not supposed to
> > be possible for there to be an extent which is waiting for the contents
> > of the page cache to be written back.
> 
> Okay, it is IOMAP_DELALLOC. We have,

Can you share the fuzzer?  If we end up with delalloc space here we
probably need to fix a bug in the cache invalidation code.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ