From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id D4283C433EF for ; Tue, 7 Dec 2021 22:10:34 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 2460B6B0071; Tue, 7 Dec 2021 17:10:24 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 1F50A6B0072; Tue, 7 Dec 2021 17:10:24 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 0E4736B0073; Tue, 7 Dec 2021 17:10:24 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0236.hostedemail.com [216.40.44.236]) by kanga.kvack.org (Postfix) with ESMTP id 007CD6B0071 for ; Tue, 7 Dec 2021 17:10:23 -0500 (EST) Received: from smtpin07.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay02.hostedemail.com (Postfix) with ESMTP id BD39285D75 for ; Tue, 7 Dec 2021 22:10:13 +0000 (UTC) X-FDA: 78892392306.07.7826B14 Received: from sin.source.kernel.org (sin.source.kernel.org [145.40.73.55]) by imf03.hostedemail.com (Postfix) with ESMTP id D9EE520004 for ; Tue, 7 Dec 2021 22:10:12 +0000 (UTC) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sin.source.kernel.org (Postfix) with ESMTPS id 3F4D8CE1D6A; Tue, 7 Dec 2021 22:10:10 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 39B93C341C3; Tue, 7 Dec 2021 22:10:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1638915008; bh=BHjSZ4MPBPA5I9nGCjac++vO6q6E/wPGv/taWiOLqC0=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=R1fhtZrqvH8Zx9ctt1zYNJd1LPUsVopxNKFnFxUNZzMF4Cvluz2LX1SGjQgqD1GWu dr4+XRiQCFgarAiLpvOC2iER4TNB5wV8VX8CSYybdv89JdOWg40qJ/Mz+r4DLHO6Gx lJfCoELEFCu7VqfUydGGDKBO+EWFt4hPsptz8GyA48Dg+Nq6+VCuKmCjspIVR9Dn89 kgj6Js7ladxfNfBqXM3zyovYc8wo4qRM3A9DqjoTnAQ3I4059pEkBpbDj+2cZ8UclU 15w/X4djzH3e7J3FEmMRO62DCIHmSAa1n40v2qLEQPFWZ1V3d+stXA0QnVKZESDo7c X6aCn+855SZwA== Date: Tue, 7 Dec 2021 14:10:06 -0800 From: Jaegeuk Kim To: Matthew Wilcox Cc: Andrew Morton , syzbot , linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net Subject: Re: [f2fs-dev] [syzbot] BUG: unable to handle kernel NULL pointer dereference in folio_mark_dirty Message-ID: References: <0000000000005f297e05d24f05f6@google.com> <20211206175631.5d0c3caefa96f0479f0fc2e8@linux-foundation.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Rspamd-Server: rspam07 X-Rspamd-Queue-Id: D9EE520004 X-Stat-Signature: ztuxa8c9j4nkk3kge54fg7n3qfh45bca Authentication-Results: imf03.hostedemail.com; dkim=pass header.d=kernel.org header.s=k20201202 header.b=R1fhtZrq; spf=pass (imf03.hostedemail.com: domain of jaegeuk@kernel.org designates 145.40.73.55 as permitted sender) smtp.mailfrom=jaegeuk@kernel.org; dmarc=pass (policy=none) header.from=kernel.org X-HE-Tag: 1638915012-124546 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 12/07, Matthew Wilcox wrote: > On Tue, Dec 07, 2021 at 01:39:06PM -0800, Jaegeuk Kim wrote: > > On 12/07, Matthew Wilcox wrote: > > > > > Call Trace: > > > > > > > > > > folio_mark_dirty+0x136/0x270 mm/page-writeback.c:2639 > > > > > > if (likely(mapping)) { > > > ... > > > if (folio_test_reclaim(folio)) > > > folio_clear_reclaim(folio); > > > return mapping->a_ops->set_page_dirty(&folio->page); > > > > > > how do we get to a NULL ->set_page_dirty for a metadata page's > > > mapping->a_ops? This is definitely an f2fs expert question. > > > > I can't find anything in f2fs, since that page was got by f2fs_grab_meta_page > > along with grab_cache_page() that we never unlocked it. > > > > 40 struct page *f2fs_grab_meta_page(struct f2fs_sb_info *sbi, pgoff_t index) > > 41 { > > 42 struct address_space *mapping = META_MAPPING(sbi); > > 43 struct page *page; > > 44 repeat: > > 45 page = f2fs_grab_cache_page(mapping, index, false); > > > > -> grab_cache_page(mapping, index); > > > > 46 if (!page) { > > 47 cond_resched(); > > 48 goto repeat; > > 49 } > > 50 f2fs_wait_on_page_writeback(page, META, true, true); > > 51 if (!PageUptodate(page)) > > 52 SetPageUptodate(page); > > 53 return page; > > 54 } > > > > > > Suspecting something in folio wrt folio_mapping()? > > > > 81 bool set_page_dirty(struct page *page) > > 82 { > > 83 return folio_mark_dirty(page_folio(page)); > > 84 } > > ... huh? How could folio_mapping() be getting this wrong? Dunno. > page_folio() does the same thing as compound_head() -- as far as I know > you don't use compound pages for f2fs metadata, so this basically just > casts the page to a struct folio. > > folio_mapping() is just like the old page_mapping() (see commit > 2f52578f9c64). Unless you've done something like set the swapcache > bit on your metadata page, it's just going to return folio->mapping > (ie the same as page->mapping). Hmm, I've never seen this call stack before, so simply started to suspect folio.