On Fri, Jul 24, 2020 at 02:24:32PM -0400, Qian Cai wrote: > On Fri, Jun 19, 2020 at 05:17:47PM -0700, Matthew Wilcox wrote: > > On Fri, Jun 19, 2020 at 05:17:50PM -0400, Qian Cai wrote: > > > Running a syscall fuzzer by a normal user could trigger this, > > > > > > [55649.329999][T515839] WARNING: CPU: 6 PID: 515839 at fs/iomap/direct-io.c:391 iomap_dio_actor+0x29c/0x420 > > ... > > > 371 static loff_t > > > 372 iomap_dio_actor(struct inode *inode, loff_t pos, loff_t length, > > > 373 void *data, struct iomap *iomap, struct iomap *srcmap) > > > 374 { > > > 375 struct iomap_dio *dio = data; > > > 376 > > > 377 switch (iomap->type) { > > > 378 case IOMAP_HOLE: > > > 379 if (WARN_ON_ONCE(dio->flags & IOMAP_DIO_WRITE)) > > > 380 return -EIO; > > > 381 return iomap_dio_hole_actor(length, dio); > > > 382 case IOMAP_UNWRITTEN: > > > 383 if (!(dio->flags & IOMAP_DIO_WRITE)) > > > 384 return iomap_dio_hole_actor(length, dio); > > > 385 return iomap_dio_bio_actor(inode, pos, length, dio, iomap); > > > 386 case IOMAP_MAPPED: > > > 387 return iomap_dio_bio_actor(inode, pos, length, dio, iomap); > > > 388 case IOMAP_INLINE: > > > 389 return iomap_dio_inline_actor(inode, pos, length, dio, iomap); > > > 390 default: > > > 391 WARN_ON_ONCE(1); > > > 392 return -EIO; > > > 393 } > > > 394 } > > > > > > Could that be iomap->type == IOMAP_DELALLOC ? Looking throught the logs, > > > it contains a few pread64() calls until this happens, > > > > It _shouldn't_ be able to happen. XFS writes back ranges which exist > > in the page cache upon seeing an O_DIRECT I/O. So it's not supposed to > > be possible for there to be an extent which is waiting for the contents > > of the page cache to be written back. > > Okay, it is IOMAP_DELALLOC. We have, Can you share the fuzzer? If we end up with delalloc space here we probably need to fix a bug in the cache invalidation code.