From: syzbot <syzbot+4af46ee83100e99bce09@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] f2fs: DEBUG: full lifecycle trace for node folio write-end-io BUG
Date: Thu, 14 May 2026 18:00:03 -0700	[thread overview]
Message-ID: <6a067013.050a0220.2921a.0003.GAE@google.com> (raw)
In-Reply-To: <6a062e5c.170a0220.196691.0007.GAE@google.com>

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] f2fs: DEBUG: full lifecycle trace for node folio write-end-io BUG
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


Not for upstream. Instrumentation to identify how a node folio
with mismatched folio->index and nid_of_node(folio) reaches
f2fs_write_end_io and triggers the BUG_ON reported by syzbot.

Previous test run confirmed the read-side sanity check fires
(rc=-EFSCORRUPTED) yet the same folio still reaches writeback.
This round adds traces at every cache lifecycle event so the
leak path can be pinned down:

  - f2fs_finish_read_bio  - async read footer check, page state
  - f2fs_write_end_io     - write footer check, page state
  - f2fs_new_node_folio   - entry, after grab, after fill_footer,
                            after mark_dirty
  - read_node_folio       - entry, with current page state
  - __get_node_folio      - entry and after grab, page state
  - __get_node_folio      - sync sanity failure on page_hit

Each trace logs folio->index, footer nid/ino, and the relevant
page flags (uptodate, dirty, writeback, refcount) so the journey
of a single NID can be reconstructed across read failure, cache
reuse, and writeback submission.

BUG_ON in f2fs_write_end_io() is intentionally retained so the
kernel halts at the failing folio and the preceding trace output
appears in the syzbot console log.

Link: https://syzkaller.appspot.com/bug?extid=4af46ee83100e99bce09
Not-Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 fs/f2fs/data.c | 16 +++++++++++-----
 fs/f2fs/node.c | 19 ++++++++++++++++++-
 2 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
index 8d4f1e75dee3..571ba13916ef 100644
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -174,10 +174,14 @@ static void f2fs_finish_read_bio(struct bio *bio, bool in_task)
 			dec_page_count(F2FS_F_SB(folio), __read_io_type(folio));
 
 		if (bio->bi_status == BLK_STS_OK &&
-			F2FS_F_SB(folio)->node_inode && is_node_folio(folio) &&
-			f2fs_sanity_check_node_footer(F2FS_F_SB(folio),
-				folio, folio->index, NODE_TYPE_REGULAR, true))
-			bio->bi_status = BLK_STS_IOERR;
+			F2FS_F_SB(folio)->node_inode && is_node_folio(folio)) {
+			int rc = f2fs_sanity_check_node_footer(F2FS_F_SB(folio),
+			                                       folio, folio->index, NODE_TYPE_REGULAR, true);
+			pr_info("f2fs-dbg: READ end_io: index=%lu footer_nid=%u ino=%u uptodate=%d dirty=%d rc=%d\n",
+				folio->index,nid_of_node(folio),ino_of_node(folio),folio_test_uptodate(folio),folio_test_dirty(folio),rc);
+			if (rc)
+				bio->bi_status = BLK_STS_IOERR;
+		}
 
 		if (finished)
 			folio_end_read(folio, bio->bi_status == BLK_STS_OK);
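Review bot: The `pr_info` added inside the node-folio branch is unconditional and not rate limited, so every successfully read node folio emits a console line from the bio completion path, which the `in_task` parameter suggests can run outside task context. The same applies to the `WRITE end_io` trace in f2fs_write_end_io and to the `GET node_folio` / `GET grabbed` traces in __get_node_folio, the first of which prints before the `!nid` check on every lookup. On a fuzzed image that volume may push the lines for the failing NID out of the captured console log or slow completion on a serial console. For the two end_io traces, consider printing only the interesting case, e.g. `if (rc || folio->index != nid_of_node(folio)) pr_info(...);`, and leave the allocation-side traces to show the lifecycle. The loop body of f2fs_finish_read_bio starts and ends outside this hunk.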
@@ -383,8 +387,10 @@ static void f2fs_write_end_io(struct bio *bio)
 		}
 
 		if (is_node_folio(folio)) {
-			f2fs_sanity_check_node_footer(sbi, folio,
+			int rc = f2fs_sanity_check_node_footer(sbi, folio,
 				folio->index, NODE_TYPE_REGULAR, true);
+			pr_info("f2fs-dbg: WRITE end_io: index=%lu footer_nid=%u ino=%u uptodate=%d dirty=%d rc=%d\n",
+				folio->index,nid_of_node(folio),ino_of_node(folio),folio_test_uptodate(folio),folio_test_dirty(folio),rc);
 			f2fs_bug_on(sbi, folio->index != nid_of_node(folio));
 		}
 		if (f2fs_in_warm_node_list(folio))
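Review bot: The `WRITE end_io` trace prints only `uptodate` and `dirty`, although the description says each trace records writeback and refcount as well, and this is the point where the `f2fs_bug_on` fires. Extending the format with `writeback=%d refcount=%d` and the arguments `folio_test_writeback(folio), folio_ref_count(folio)` (both already used by the `NEW grabbed` trace in node.c) would make the last line before the halt comparable with the earlier ones. The `READ end_io` trace in the first hunk has the same gap. A one-line comment above the retained check, such as `/* DEBUG: BUG_ON kept on purpose so the trace above lands in the console log */`, would also record why `rc` is only logged and not acted on here.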
diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
index 4e5bd9e4cfc3..d38b32fe7ee9 100644
--- a/fs/f2fs/node.c
+++ b/fs/f2fs/node.c
@@ -1384,6 +1384,8 @@ struct folio *f2fs_new_node_folio(struct dnode_of_data *dn, unsigned int ofs)
 	struct folio *folio;
 	int err;
 
+	pr_info("f2fs-dbg: NEW entry: nid=%u ino=%lu ofs=%u\n",
+		dn->nid, dn->inode->i_ino, ofs);
 	if (unlikely(is_inode_flag_set(dn->inode, FI_NO_ALLOC)))
 		return ERR_PTR(-EPERM);
 
@@ -1391,6 +1393,8 @@ struct folio *f2fs_new_node_folio(struct dnode_of_data *dn, unsigned int ofs)
 	if (IS_ERR(folio))
 		return folio;
 
+	pr_info("f2fs-dbg: NEW grabbed: nid=%u uptodate=%d dirty=%d writeback=%d refcount=%d\n",
+		dn->nid,folio_test_uptodate(folio),folio_test_dirty(folio),folio_test_writeback(folio),folio_ref_count(folio));
 	if (unlikely((err = inc_valid_node_count(sbi, dn->inode, !ofs))))
 		goto fail;
 
@@ -1423,10 +1427,14 @@ struct folio *f2fs_new_node_folio(struct dnode_of_data *dn, unsigned int ofs)
 	f2fs_folio_wait_writeback(folio, NODE, true, true);
 	fill_node_footer(folio, dn->nid, dn->inode->i_ino, ofs, true);
 	set_cold_node(folio, S_ISDIR(dn->inode->i_mode));
+	pr_info("f2fs-dbg: NEW after fill_footer: nid=%u footer_nid=%u footer_ino=%u\n",
+		dn->nid, nid_of_node(folio), ino_of_node(folio));
 	if (!folio_test_uptodate(folio))
 		folio_mark_uptodate(folio);
-	if (folio_mark_dirty(folio))
+	if (folio_mark_dirty(folio)) {
+		pr_info("f2fs-dbg: NEW marked dirty: nid=%u\n", dn->nid);
 		dn->node_changed = true;
+	}
 
 	if (f2fs_has_xattr_block(ofs))
 		f2fs_i_xnid_write(dn->inode, dn->nid);
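Review bot: The `NEW marked dirty` trace only prints when `folio_mark_dirty()` returns true, so a folio that was already dirty when it was grabbed produces no line, and that reuse case is presumably what this round is trying to catch. Logging the result unconditionally keeps both outcomes visible: `bool dirtied = folio_mark_dirty(folio);`, `pr_info("f2fs-dbg: NEW mark_dirty: nid=%u newly_dirty=%d\n", dn->nid, dirtied);`, `if (dirtied) dn->node_changed = true;`. The `NEW after fill_footer` trace also omits `folio->index`, the value the `f2fs_bug_on` in f2fs_write_end_io compares against the footer nid; adding `index=%lu` would show whether the two already disagree at allocation time. f2fs_new_node_folio continues outside this hunk.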
@@ -1459,6 +1467,10 @@ static int read_node_folio(struct folio *folio, blk_opf_t op_flags)
 	};
 	int err;
 
+	 pr_info("f2fs-dbg: read_node_folio entry: index=%lu uptodate=%d dirty=%d\n",
+            folio->index,
+            folio_test_uptodate(folio),
+            folio_test_dirty(folio));
 	if (folio_test_uptodate(folio)) {
 		if (!f2fs_inode_chksum_verify(sbi, folio)) {
 			folio_clear_uptodate(folio);
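Review bot: The `read_node_folio entry` trace logs `folio->index` and two flags but not the footer nid, so a cached folio that is already uptodate with a mismatched footer cannot be told apart from a healthy one at this point. When `folio_test_uptodate(folio)` is true the footer should be meaningful, so the trace could add `footer_nid=%u` with `nid_of_node(folio)` for that case only; printing it for a not-yet-read folio would log stale memory and is better avoided. The added lines are also indented with a tab followed by a space and space-aligned continuations, unlike the tab indentation used by the other traces in this patch.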
@@ -1565,6 +1577,7 @@ static struct folio *__get_node_folio(struct f2fs_sb_info *sbi, pgoff_t nid,
 	struct folio *folio;
 	int err;
 
+	pr_info("f2fs-dbg: GET node_folio: nid=%lu ntype=%d\n", nid, ntype);
 	if (!nid)
 		return ERR_PTR(-ENOENT);
 	if (f2fs_check_nid_range(sbi, nid))
@@ -1574,6 +1587,8 @@ static struct folio *__get_node_folio(struct f2fs_sb_info *sbi, pgoff_t nid,
 	if (IS_ERR(folio))
 		return folio;
 
+	pr_info("f2fs-dbg: GET grabbed: nid=%lu uptodate=%d dirty=%d writeback=%d refcount=%d\n",
+		nid,folio_test_uptodate(folio),folio_test_dirty(folio),folio_test_writeback(folio),folio_ref_count(folio));
 	err = read_node_folio(folio, 0);
 	if (err < 0)
 		goto out_put_err;
@@ -1603,6 +1618,8 @@ static struct folio *__get_node_folio(struct f2fs_sb_info *sbi, pgoff_t nid,
 	err = f2fs_sanity_check_node_footer(sbi, folio, nid, ntype, false);
 	if (!err)
 		return folio;
+	pr_info("f2fs-dbg: SYNC sanity fail: nid=%lu footer_nid=%u ino=%u err=%d\n",
+		nid,nid_of_node(folio),ino_of_node(folio),err);
 out_err:
 	folio_clear_uptodate(folio);
 out_put_err:
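Review bot: The `SYNC sanity fail` trace records nid, footer nid, ino and err but none of the page flags, yet the lines that follow only clear uptodate and drop the reference. Whether the folio is dirty or under writeback at this moment is the datum that decides if it can still be submitted after the failed check, which matches the symptom in the description. Adding `dirty=%d writeback=%d refcount=%d` with `folio_test_dirty(folio), folio_test_writeback(folio), folio_ref_count(folio)` would capture it. The trace also sits only on the fall-through path; any other jump to `out_err` from code outside this hunk would not be logged, so moving the `pr_info` below the label may be worth considering.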
-- 
2.43.0



Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-14 20:19 [syzbot] [f2fs?] kernel BUG in f2fs_write_end_io (2) syzbot
2026-05-14 20:19 ` [f2fs-dev] " syzbot
2026-05-14 23:35 ` Forwarded: [PATCH] f2fs: DEBUG: trace node folio lifecycle to diagnose write_end_io BUG syzbot
2026-05-15  1:00 ` syzbot [this message]
2026-05-15  1:55 ` Forwarded: [PATCH] f2fs: don't BUG on node footer mismatch in f2fs_write_end_io syzbot
