Message-ID: <20200726225154.GA929@lca.pw>
Date: Sun, 26 Jul 2020 18:51:54 -0400
From: Qian Cai <cai@....pw>
To: Christoph Hellwig <hch@...radead.org>
Cc: Matthew Wilcox <willy@...radead.org>, darrick.wong@...cle.com,
linux-xfs@...r.kernel.org, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org, khlebnikov@...dex-team.ru
Subject: Re: WARN_ON_ONCE(1) in iomap_dio_actor()

On Sun, Jul 26, 2020 at 04:24:12PM +0100, Christoph Hellwig wrote:
> On Fri, Jul 24, 2020 at 02:24:32PM -0400, Qian Cai wrote:
> > On Fri, Jun 19, 2020 at 05:17:47PM -0700, Matthew Wilcox wrote:
> > > On Fri, Jun 19, 2020 at 05:17:50PM -0400, Qian Cai wrote:
> > > > Running a syscall fuzzer by a normal user could trigger this,
> > > >
> > > > [55649.329999][T515839] WARNING: CPU: 6 PID: 515839 at fs/iomap/direct-io.c:391 iomap_dio_actor+0x29c/0x420
> > > ...
> > > > 371 static loff_t
> > > > 372 iomap_dio_actor(struct inode *inode, loff_t pos, loff_t length,
> > > > 373                 void *data, struct iomap *iomap, struct iomap *srcmap)
> > > > 374 {
> > > > 375         struct iomap_dio *dio = data;
> > > > 376
> > > > 377         switch (iomap->type) {
> > > > 378         case IOMAP_HOLE:
> > > > 379                 if (WARN_ON_ONCE(dio->flags & IOMAP_DIO_WRITE))
> > > > 380                         return -EIO;
> > > > 381                 return iomap_dio_hole_actor(length, dio);
> > > > 382         case IOMAP_UNWRITTEN:
> > > > 383                 if (!(dio->flags & IOMAP_DIO_WRITE))
> > > > 384                         return iomap_dio_hole_actor(length, dio);
> > > > 385                 return iomap_dio_bio_actor(inode, pos, length, dio, iomap);
> > > > 386         case IOMAP_MAPPED:
> > > > 387                 return iomap_dio_bio_actor(inode, pos, length, dio, iomap);
> > > > 388         case IOMAP_INLINE:
> > > > 389                 return iomap_dio_inline_actor(inode, pos, length, dio, iomap);
> > > > 390         default:
> > > > 391                 WARN_ON_ONCE(1);
> > > > 392                 return -EIO;
> > > > 393         }
> > > > 394 }
> > > >
> > > > Could that be iomap->type == IOMAP_DELALLOC ? Looking through the logs,
> > > > it contains a few pread64() calls until this happens,
> > >
> > > It _shouldn't_ be able to happen. XFS writes back ranges which exist
> > > in the page cache upon seeing an O_DIRECT I/O. So it's not supposed to
> > > be possible for there to be an extent which is waiting for the contents
> > > of the page cache to be written back.
> >
> > Okay, it is IOMAP_DELALLOC. We have,
>
> Can you share the fuzzer? If we end up with delalloc space here we
> > probably need to fix a bug in the cache invalidation code.

This is just a wrapper of the trinity fuzzer.

# git clone https://gitlab.com/cailca/linux-mm
# cd linux-mm; make
# ./random -x 0-100 -f

https://gitlab.com/cailca/linux-mm/-/blob/master/random.c#L1383