Date:   Thu, 13 Aug 2020 03:52:13 -0400
From:   Qian Cai <cai@....pw>
To:     Dave Chinner <david@...morbit.com>
Cc:     Christoph Hellwig <hch@...radead.org>,
        Matthew Wilcox <willy@...radead.org>, darrick.wong@...cle.com,
        linux-xfs@...r.kernel.org, linux-fsdevel@...r.kernel.org,
        linux-kernel@...r.kernel.org, khlebnikov@...dex-team.ru
Subject: Re: WARN_ON_ONCE(1) in iomap_dio_actor()



> On Aug 13, 2020, at 1:44 AM, Dave Chinner <david@...morbit.com> wrote:
> 
> Ok:
> 
> file.fd_write = safe_open("./testfile", O_RDWR|O_CREAT);
> ....
> file.fd_read = safe_open("./testfile", O_RDWR|O_CREAT|O_DIRECT);
> ....
> file.ptr = safe_mmap(NULL, fsize, PROT_READ|PROT_WRITE, MAP_SHARED,
>            file.fd_write, 0);
> 
> So this is all IO to the same inode....
> 
> and you loop
> 
> while !done {
> 
>    do {
>        rc = pread(file.fd_read, file.ptr + read, fsize - read,
>            read);
>        if (rc > 0)
>            read += rc;
>    } while (rc > 0);
> 
>    rc = safe_fallocate(file.fd_write,
>            FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE,
>            0, fsize);
> }
> 
> On two threads at once?
> 
> So, essentially, you do a DIO read into a mmap()d range from the
> same file, with DIO read ascending and the mmap() range descending,
> then once that is done you hole punch the file and do it again?
> 
> IOWs, this is a racing page_mkwrite()/DIO read workload, and the
> moment the two threads hit the same block of the file with a
> DIO read and a page_mkwrite at the same time, it throws a warning.
> 
> Well, that's completely expected behaviour. DIO is not serialised
> against mmap() access at all, and so if the page_mkwrite occurs
> between the writeback and the iomap_apply() call in the dio path,
> then it will see the delalloc block that the page-mkwrite allocated.
> 
> No sane application would ever do this, it's behaviour as expected,
> so I don't think there's anything to care about here.

It looks to me like the kernel warning is trivial to trigger by a non-root user. Shouldn’t we worry a bit because this could be a DoS for systems which set panic_on_warn?
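
A triage check for the concern raised above, added here as an example and not part of the e-mail thread: it scans a kernel log for the WARN header naming iomap_dio_actor and combines that with the panic_on_warn setting to say whether the warning is only noise or a host outage. The log lines, the PLACEHOLDER.c:0 location and the names find_warns/assess are constructed for illustration.

```python
import re

# Header line emitted by the kernel's WARN machinery:
# "WARNING: CPU: <n> PID: <n> at <file>:<line> <func>+0x<off>/0x<size>"
WARN_RE = re.compile(
    r"WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) at "
    r"(?P<where>\S+) (?P<func>[A-Za-z_]\w*)\+0x[0-9a-f]+/0x[0-9a-f]+"
)
# Optional "[ seconds.micros]" timestamp prefix added by printk
TS_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]")

# Constructed sample log; source location is a placeholder, not a real path.
SAMPLE_LOG = """\
[  812.104377] XFS (sda2): Mounting V5 Filesystem
[ 1290.551203] ------------[ cut here ]------------
[ 1290.551291] WARNING: CPU: 3 PID: 4711 at PLACEHOLDER.c:0 iomap_dio_actor+0x1a0/0x2c0
[ 1290.551402] CPU: 3 PID: 4711 Comm: testprog Not tainted
[ 1301.000114] WARNING: CPU: 1 PID: 88 at PLACEHOLDER.c:0 other_func+0x10/0x20
"""

def find_warns(log_text, func="iomap_dio_actor"):
    """Return one record per WARN header raised from `func`."""
    hits = []
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m and m.group("func") == func:
            ts = TS_RE.match(line)
            hits.append({
                "ts": float(ts.group("ts")) if ts else None,
                "pid": int(m.group("pid")),
                "where": m.group("where"),
            })
    return hits

def assess(log_text, panic_on_warn, func="iomap_dio_actor"):
    """Classify impact. `panic_on_warn` is the sysctl's text value ("0"/"1")."""
    hits = find_warns(log_text, func)
    if panic_on_warn.strip() == "1":
        verdict = "panic"      # any WARN, this one included, halts the host
    elif hits:
        verdict = "warn-only"  # seen in the log, but the host kept running
    else:
        verdict = "none"       # sysctl off and no occurrence in this log
    return {"hits": hits, "verdict": verdict}

if __name__ == "__main__":
    print(assess(SAMPLE_LOG, "0"))
```

On a live host, pass the contents of /proc/sys/kernel/panic_on_warn and the output of dmesg in place of the constructed sample.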
