Message ID | 20220908190302.1502070-1-cascardo@canonical.com |
---|---|
State | New |
Series | [SRU,Bionic] iomap: fix WARN_ON_ONCE() from unprivileged users |
On Thu, 2022-09-08 at 16:03 -0300, Thadeu Lima de Souza Cascardo wrote: > From: Qian Cai <cai@lca.pw> > > BugLink: https://bugs.launchpad.net/bugs/1989144 > > It is trivial to trigger a WARN_ON_ONCE(1) in iomap_dio_actor() by > unprivileged users which would taint the kernel, or worse - panic if > panic_on_warn or panic_on_taint is set. Hence, just convert it to > pr_warn_ratelimited() to let users know their workloads are racing. > Thank Dave Chinner for the initial analysis of the racing reproducers. > > Signed-off-by: Qian Cai <cai@lca.pw> > Reviewed-by: Christoph Hellwig <hch@lst.de> > Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com> > Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> > (backported from commit a805c111650cdba6ee880f528abdd03c1af82089) > [cascardo: code was moved from fs/iomap.c to fs/iomap/direct-io.c] > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Acked-by: Cengiz Can <cengiz.can@canonical.com> > --- > fs/iomap.c | 10 ++++++++++ > 1 file changed, 10 insertions(+) > > diff --git a/fs/iomap.c b/fs/iomap.c > index b66b047ac1ac..8b022e8fa0a2 100644 > --- a/fs/iomap.c > +++ b/fs/iomap.c > @@ -899,6 +899,16 @@ iomap_dio_actor(struct inode *inode, loff_t pos, loff_t length, > use_fua = true; > } > break; > + case IOMAP_DELALLOC: > + /* > + * DIO is not serialised against mmap() access at all, and so > + * if the page_mkwrite occurs between the writeback and the > + * iomap_apply() call in the DIO path, then it will see the > + * DELALLOC block that the page-mkwrite allocated. > + */ > + pr_warn_ratelimited("Direct I/O collision with buffered writes! File: %pD4 Comm: %.20s\n", > + dio->iocb->ki_filp, current->comm); > + return -EIO; > default: > WARN_ON_ONCE(1); > return -EIO; > -- > 2.34.1 > >
On 08.09.22 21:03, Thadeu Lima de Souza Cascardo wrote: > From: Qian Cai <cai@lca.pw> > > BugLink: https://bugs.launchpad.net/bugs/1989144 > > It is trivial to trigger a WARN_ON_ONCE(1) in iomap_dio_actor() by > unprivileged users which would taint the kernel, or worse - panic if > panic_on_warn or panic_on_taint is set. Hence, just convert it to > pr_warn_ratelimited() to let users know their workloads are racing. > Thank Dave Chinner for the initial analysis of the racing reproducers. > > Signed-off-by: Qian Cai <cai@lca.pw> > Reviewed-by: Christoph Hellwig <hch@lst.de> > Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com> > Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> > (backported from commit a805c111650cdba6ee880f528abdd03c1af82089) > [cascardo: code was moved from fs/iomap.c to fs/iomap/direct-io.c] > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > fs/iomap.c | 10 ++++++++++ > 1 file changed, 10 insertions(+) > > diff --git a/fs/iomap.c b/fs/iomap.c > index b66b047ac1ac..8b022e8fa0a2 100644 > --- a/fs/iomap.c > +++ b/fs/iomap.c > @@ -899,6 +899,16 @@ iomap_dio_actor(struct inode *inode, loff_t pos, loff_t length, > use_fua = true; > } > break; > + case IOMAP_DELALLOC: > + /* > + * DIO is not serialised against mmap() access at all, and so > + * if the page_mkwrite occurs between the writeback and the > + * iomap_apply() call in the DIO path, then it will see the > + * DELALLOC block that the page-mkwrite allocated. > + */ > + pr_warn_ratelimited("Direct I/O collision with buffered writes! File: %pD4 Comm: %.20s\n", > + dio->iocb->ki_filp, current->comm); > + return -EIO; > default: > WARN_ON_ONCE(1); > return -EIO;
Applied to bionic/linux master-next, Thanks! - Luke On Thu, Sep 8, 2022 at 12:04 PM Thadeu Lima de Souza Cascardo < cascardo@canonical.com> wrote: > From: Qian Cai <cai@lca.pw> > > BugLink: https://bugs.launchpad.net/bugs/1989144 > > It is trivial to trigger a WARN_ON_ONCE(1) in iomap_dio_actor() by > unprivileged users which would taint the kernel, or worse - panic if > panic_on_warn or panic_on_taint is set. Hence, just convert it to > pr_warn_ratelimited() to let users know their workloads are racing. > Thank Dave Chinner for the initial analysis of the racing reproducers. > > Signed-off-by: Qian Cai <cai@lca.pw> > Reviewed-by: Christoph Hellwig <hch@lst.de> > Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com> > Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> > (backported from commit a805c111650cdba6ee880f528abdd03c1af82089) > [cascardo: code was moved from fs/iomap.c to fs/iomap/direct-io.c] > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> > --- > fs/iomap.c | 10 ++++++++++ > 1 file changed, 10 insertions(+) > > diff --git a/fs/iomap.c b/fs/iomap.c > index b66b047ac1ac..8b022e8fa0a2 100644 > --- a/fs/iomap.c > +++ b/fs/iomap.c > @@ -899,6 +899,16 @@ iomap_dio_actor(struct inode *inode, loff_t pos, > loff_t length, > use_fua = true; > } > break; > + case IOMAP_DELALLOC: > + /* > + * DIO is not serialised against mmap() access at all, and > so > + * if the page_mkwrite occurs between the writeback and the > + * iomap_apply() call in the DIO path, then it will see the > + * DELALLOC block that the page-mkwrite allocated. > + */ > + pr_warn_ratelimited("Direct I/O collision with buffered > writes! File: %pD4 Comm: %.20s\n", > + dio->iocb->ki_filp, current->comm); > + return -EIO; > default: > WARN_ON_ONCE(1); > return -EIO; > -- > 2.34.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team >
diff --git a/fs/iomap.c b/fs/iomap.c index b66b047ac1ac..8b022e8fa0a2 100644 --- a/fs/iomap.c +++ b/fs/iomap.c @@ -899,6 +899,16 @@ iomap_dio_actor(struct inode *inode, loff_t pos, loff_t length, use_fua = true; } break; + case IOMAP_DELALLOC: + /* + * DIO is not serialised against mmap() access at all, and so + * if the page_mkwrite occurs between the writeback and the + * iomap_apply() call in the DIO path, then it will see the + * DELALLOC block that the page-mkwrite allocated. + */ + pr_warn_ratelimited("Direct I/O collision with buffered writes! File: %pD4 Comm: %.20s\n", + dio->iocb->ki_filp, current->comm); + return -EIO; default: WARN_ON_ONCE(1); return -EIO;
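Review bot: the `default:` arm directly below the new `case IOMAP_DELALLOC:` still calls `WARN_ON_ONCE(1)`, so any other mapping type that reaches this switch would still taint the kernel, or panic with panic_on_warn set, which is the outcome the commit message wants to keep away from unprivileged users. Consider extending the new comment to say why the remaining types are not expected to be reachable from a userspace race, or give `default:` the same rate-limited warning if that cannot be shown. Separately, the `pr_warn_ratelimited()` text says "collision with buffered writes" while the comment above it describes an mmap() `page_mkwrite` racing with the DIO path; wording the message to match the comment would make the log line easier for an administrator to act on.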