<div dir="ltr"><div>Applied to bionic/linux master-next, <br></div><div><br></div><div>Thanks! <br></div><div><br></div><div>- Luke<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Sep 8, 2022 at 12:04 PM Thadeu Lima de Souza Cascardo <<a href="mailto:cascardo@canonical.com">cascardo@canonical.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">From: Qian Cai <<a href="mailto:cai@lca.pw" target="_blank">cai@lca.pw</a>><br>
<br>
BugLink: <a href="https://bugs.launchpad.net/bugs/1989144" rel="noreferrer" target="_blank">https://bugs.launchpad.net/bugs/1989144</a><br>
<br>
It is trivial to trigger a WARN_ON_ONCE(1) in iomap_dio_actor() by<br>
unprivileged users which would taint the kernel, or worse - panic if<br>
panic_on_warn or panic_on_taint is set. Hence, just convert it to<br>
pr_warn_ratelimited() to let users know their workloads are racing.<br>
Thank Dave Chinner for the initial analysis of the racing reproducers.<br>
<br>
Signed-off-by: Qian Cai <<a href="mailto:cai@lca.pw" target="_blank">cai@lca.pw</a>><br>
Reviewed-by: Christoph Hellwig <<a href="mailto:hch@lst.de" target="_blank">hch@lst.de</a>><br>
Reviewed-by: Darrick J. Wong <<a href="mailto:darrick.wong@oracle.com" target="_blank">darrick.wong@oracle.com</a>><br>
Signed-off-by: Darrick J. Wong <<a href="mailto:darrick.wong@oracle.com" target="_blank">darrick.wong@oracle.com</a>><br>
(backported from commit a805c111650cdba6ee880f528abdd03c1af82089)<br>
[cascardo: code was moved from fs/iomap.c to fs/iomap/direct-io.c]<br>
Signed-off-by: Thadeu Lima de Souza Cascardo <<a href="mailto:cascardo@canonical.com" target="_blank">cascardo@canonical.com</a>><br>
---<br>
 fs/iomap.c | 10 ++++++++++<br>
 1 file changed, 10 insertions(+)<br>
<br>
diff --git a/fs/iomap.c b/fs/iomap.c<br>
index b66b047ac1ac..8b022e8fa0a2 100644<br>
--- a/fs/iomap.c<br>
+++ b/fs/iomap.c<br>
@@ -899,6 +899,16 @@ iomap_dio_actor(struct inode *inode, loff_t pos, loff_t length,<br>
                                use_fua = true;<br>
                }<br>
                break;<br>
+       case IOMAP_DELALLOC:<br>
+               /*<br>
+                * DIO is not serialised against mmap() access at all, and so<br>
+                * if the page_mkwrite occurs between the writeback and the<br>
+                * iomap_apply() call in the DIO path, then it will see the<br>
+                * DELALLOC block that the page-mkwrite allocated.<br>
+                */<br>
+               pr_warn_ratelimited("Direct I/O collision with buffered writes! File: %pD4 Comm: %.20s\n",<br>
+                                   dio->iocb->ki_filp, current->comm);<br>
+               return -EIO;<br>
        default:<br>
                WARN_ON_ONCE(1);<br>
                return -EIO;<br>
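</blockquote><div>Review bot: in the new IOMAP_DELALLOC case the pr_warn_ratelimited() text says "Direct I/O collision with buffered writes!" while the comment directly above it describes a race with mmap() page_mkwrite, so someone reading dmesg is pointed at buffered write() callers rather than mmap writers; consider wording the message so it covers the mmap case the comment documents. The commit message also says the WARN_ON_ONCE(1) is converted, but the default: branch at the end of this hunk still carries it, so only the DELALLOC mapping type is diverted away from the taint and panic_on_warn path; saying so in the description would make it clear that any other mapping type reaching default: still warns.<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">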
-- <br>
2.34.1<br>
<br>
<br>
-- <br>
kernel-team mailing list<br>
<a href="mailto:kernel-team@lists.ubuntu.com" target="_blank">kernel-team@lists.ubuntu.com</a><br>
<a href="https://lists.ubuntu.com/mailman/listinfo/kernel-team" rel="noreferrer" target="_blank">https://lists.ubuntu.com/mailman/listinfo/kernel-team</a><br>
</blockquote></div></div>