On Thu, Jun 05, 2025 at 01:33:51PM -0400, Brian Foster wrote:
> The bug checks at the top of iomap_write_begin() assume the pos/len
> reflect exactly the next range to process. This may no longer be the
> case once the get folio path is able to process a folio batch from
> the filesystem. Move the check a bit further down after the folio
> lookup and range trim to verify everything lines up with the current
> iomap.
>
> Signed-off-by: Brian Foster <bfoster@xxxxxxxxxx>
> ---
> fs/iomap/buffered-io.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c
> index 3729391a18f3..16499655e7b0 100644
> --- a/fs/iomap/buffered-io.c
> +++ b/fs/iomap/buffered-io.c
> @@ -805,15 +805,12 @@ static int iomap_write_begin(struct iomap_iter *iter, struct folio **foliop,
> {
> const struct iomap_folio_ops *folio_ops = iter->iomap.folio_ops;
> const struct iomap *srcmap = iomap_iter_srcmap(iter);
> - loff_t pos = iter->pos;
> + loff_t pos;
> u64 len = min_t(u64, SIZE_MAX, iomap_length(iter));
> struct folio *folio;
> int status = 0;
>
> len = min_not_zero(len, *plen);
> - BUG_ON(pos + len > iter->iomap.offset + iter->iomap.length);
> - if (srcmap != &iter->iomap)
> - BUG_ON(pos + len > srcmap->offset + srcmap->length);
Hmm. Do we even /need/ these checks?
len is already basically just min(SIZE_MAX, iter->len,
iomap->offset + iomap->length, srcmap->offset + srcmap->length)
So by definition they should never trigger, right?
--D
>
> if (fatal_signal_pending(current))
> return -EINTR;
> @@ -843,6 +840,9 @@ static int iomap_write_begin(struct iomap_iter *iter, struct folio **foliop,
> }
>
> pos = iomap_trim_folio_range(iter, folio, poffset, &len);
> + BUG_ON(pos + len > iter->iomap.offset + iter->iomap.length);
> + if (srcmap != &iter->iomap)
> + BUG_ON(pos + len > srcmap->offset + srcmap->length);
>
> if (srcmap->type == IOMAP_INLINE)
> status = iomap_write_begin_inline(iter, folio);
> --
> 2.49.0
>
>
