* [f2fs-dev] [Bug 220575] New: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2025-09-15 3:33 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=220575
Bug ID: 220575
Summary: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Product: File System
Version: 2.5
Kernel Version: 6.12.30-android16
Hardware: ARM
OS: Linux
Status: NEW
Severity: normal
Priority: P3
Component: f2fs
Assignee: filesystem_f2fs@kernel-bugs.kernel.org
Reporter: JY.Ho@mediatek.com
Regression: No
Hi experts,
We encountered an f2fs issue in a Linux 6.12.30 environment (Android 16).
Linux source code:
https://android.googlesource.com/kernel/common/+/refs/heads/android16-6.12-2025-07
Further analysis confirms that the issue occurs at the following line:
return page_private_gcing(fscrypt_pagecache_page(page));
In this case, the ptr argument passed to page_private_gcing() is NULL.
Does anyone have any idea about this situation?
Thanks.
[ T6790] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[ T6790] Mem abort info:
[ T6790] ESR = 0x0000000096000006
[ T6790] EC = 0x25: DABT (current EL), IL = 32 bits
[ T6790] SET = 0, FnV = 0
[ T6790] EA = 0, S1PTW = 0
[ T6790] FSC = 0x06: level 2 translation fault
[ T6790] Data abort info:
[ T6790] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000
[ T6790] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ T6790] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ T6790] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000037b28000
[ T6790] [0000000000000000] pgd=0800000039429003, p4d=0800000039429003, pud=0800000039429003, pmd=0000000000000000
[ T6790] Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
[ T6790] Kernel Offset: 0x0 from 0xffffffc080000000
[ T6790] PHYS_OFFSET: 0x0
[ T6790] pstate: 20400005 (nzCv daif +PAN -UAO)
[ T6790] pc : [0xffffffe51d249484] f2fs_is_cp_guaranteed+0x70/0x98
[ T6790] lr : [0xffffffe51d24adbc] f2fs_merge_page_bio+0x520/0x6d4
[ T6790] sp : ffffffc08cc13280
[ T6790] x29: ffffffc08cc132a0 x28: fffffffec0bae200
[ T6790] x27: 0000000000000168 x26: dead000000000100
[ T6790] x25: 0000000000000002 x24: 0000000000000000
[ T6790] x23: ffffff8077b65ae8 x22: ffffff802a06a000
[ T6790] x21: fffffffec1fcb240 x20: ffffff802a06a000
[ T6790] x19: ffffffc08cc133d0 x18: 0000000000000000
[ T6790] x17: 000000008c623181 x16: 000000008c623181
[ T6790] x15: 000000000000ba7e x14: ffffff802a7accc0
[ T6790] x13: ffffffc08cc10000 x12: ffffffc08cc14000
[ T6790] x11: 0000000000000000 x10: 0000000000000001
[ T6790] x9 : ffffffe51d24adbc x8 : 0000000000000000
[ T6790] x7 : 0000000000000000 x6 : 0000000000000000
[ T6790] x5 : fffffffebf3448e0 x4 : 0000000000000000
[ T6790] x3 : ffffffc08cc13070 x2 : 0000000000001000
[ T6790] x1 : fffffffec1fcb240 x0 : 0000000000000000
[ T6790] PC: 0xffffffe51d249484:
[ T6790] CPU: 3 UID: 0 PID: 6790 Comm: kworker/u16:3 Tainted: P B W OE 6.12.30-android16-5-maybe-dirty-4k #1 5f7701c9cbf727d1eebe77c89bbbeb3371e895e5
[ T6790] Tainted: [P]=PROPRIETARY_MODULE, [B]=BAD_PAGE, [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[ T6790] Workqueue: writeback wb_workfn (flush-254:49)
[ T6790] Call trace:
[ T6790] dump_backtrace+0xf4/0x130
[ T6790] show_stack+0x20/0x30
[ T6790] dump_stack_lvl+0x40/0xa0
[ T6790] dump_stack+0x18/0x24
[ T6790] notify_die+0x50/0x8c
[ T6790] die+0x9c/0x310
[ T6790] __do_kernel_fault+0x294/0x2a4
[ T6790] do_page_fault+0xac/0x640
[ T6790] do_translation_fault+0x48/0x11c
[ T6790] do_mem_abort+0x5c/0x108
[ T6790] el1_abort+0x3c/0x5c
[ T6790] el1h_64_sync_handler+0x80/0xcc
[ T6790] el1h_64_sync+0x68/0x6c
[ T6790] f2fs_is_cp_guaranteed+0x70/0x98
[ T6790] f2fs_inplace_write_data+0x174/0x2f4
[ T6790] f2fs_do_write_data_page+0x214/0x81c
[ T6790] f2fs_write_single_data_page+0x28c/0x764
[ T6790] f2fs_write_data_pages+0x78c/0xce4
[ T6790] do_writepages+0xe8/0x2fc
[ T6790] __writeback_single_inode+0x4c/0x4b4
[ T6790] writeback_sb_inodes+0x314/0x540
[ T6790] __writeback_inodes_wb+0xa4/0xf4
[ T6790] wb_writeback+0x160/0x448
[ T6790] wb_workfn+0x2f0/0x5dc
[ T6790] process_scheduled_works+0x1c8/0x458
[ T6790] worker_thread+0x334/0x3f0
[ T6790] kthread+0x118/0x1ac
[ T6790] ret_from_fork+0x10/0x20
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
* [f2fs-dev] [Bug 220575] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2025-09-15 12:27 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=220575
Chao Yu (chao@kernel.org) changed:
What        |Removed   |Added
----------------------------------------------------------------------------
CC          |          |chao@kernel.org
--- Comment #1 from Chao Yu (chao@kernel.org) ---
Hi,
Do you have a ramdump of this issue? If there is one, can you please provide
more information about the corrupted page?
Thanks,
* [f2fs-dev] [Bug 220575] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2025-09-16 2:19 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=220575
--- Comment #2 from JY (JY.Ho@mediatek.com) ---
(In reply to Chao Yu from comment #1)
> Hi,
>
> Do you have a ramdump about this issue, if there is, can you please provide
> more information about the corrupted page?
>
> Thanks,
Hi Chao,
Do you mean the sysreg dump? Or are there some kernel configurations I need to
enable?
Thanks.
As below:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Mem abort info:
ESR = 0x0000000096000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 39-bit VAs, pgdp=0000000037b28000
[0000000000000000] pgd=0800000039429003, p4d=0800000039429003, pud=0800000039429003, pmd=0000000000000000
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Kernel Offset: 0x0 from 0xffffffc080000000
PHYS_OFFSET: 0x0
pstate: 20400005 (nzCv daif +PAN -UAO)
pc : [0xffffffe51d249484] f2fs_is_cp_guaranteed+0x70/0x98
lr : [0xffffffe51d24adbc] f2fs_merge_page_bio+0x520/0x6d4
sp : ffffffc08cc13280
x29: ffffffc08cc132a0 x28: fffffffec0bae200
x27: 0000000000000168 x26: dead000000000100
x25: 0000000000000002 x24: 0000000000000000
x23: ffffff8077b65ae8 x22: ffffff802a06a000
x21: fffffffec1fcb240 x20: ffffff802a06a000
x19: ffffffc08cc133d0 x18: 0000000000000000
x17: 000000008c623181 x16: 000000008c623181
x15: 000000000000ba7e x14: ffffff802a7accc0
x13: ffffffc08cc10000 x12: ffffffc08cc14000
x11: 0000000000000000 x10: 0000000000000001
x9 : ffffffe51d24adbc x8 : 0000000000000000
x7 : 0000000000000000 x6 : 0000000000000000
x5 : fffffffebf3448e0 x4 : 0000000000000000
x3 : ffffffc08cc13070 x2 : 0000000000001000
x1 : fffffffec1fcb240 x0 : 0000000000000000
PC: 0xffffffe51d249484:
CPU: 3 UID: 0 PID: 6790 Comm: kworker/u16:3 Tainted: P B W OE 6.12.30-android16-5-maybe-dirty-4k #1 5f7701c9cbf727d1eebe77c89bbbeb3371e895e5
Tainted: [P]=PROPRIETARY_MODULE, [B]=BAD_PAGE, [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Workqueue: writeback wb_workfn (flush-254:49)
Call trace:
dump_backtrace+0xf4/0x130
show_stack+0x20/0x30
dump_stack_lvl+0x40/0xa0
notifier_call_chain+0x90/0x174
notify_die+0x50/0x8c
die+0x9c/0x310
__do_kernel_fault+0x294/0x2a4
do_page_fault+0xac/0x640
do_translation_fault+0x48/0x11c
do_mem_abort+0x5c/0x108
el1_abort+0x3c/0x5c
el1h_64_sync_handler+0x80/0xcc
el1h_64_sync+0x68/0x6c
f2fs_is_cp_guaranteed+0x70/0x98
f2fs_inplace_write_data+0x174/0x2f4
f2fs_do_write_data_page+0x214/0x81c
f2fs_write_single_data_page+0x28c/0x764
f2fs_write_data_pages+0x78c/0xce4
do_writepages+0xe8/0x2fc
__writeback_single_inode+0x4c/0x4b4
writeback_sb_inodes+0x314/0x540
__writeback_inodes_wb+0xa4/0xf4
wb_writeback+0x160/0x448
wb_workfn+0x2f0/0x5dc
process_scheduled_works+0x1c8/0x458
worker_thread+0x334/0x3f0
kthread+0x118/0x1ac
ret_from_fork+0x10/0x20
* [f2fs-dev] [Bug 220575] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2025-09-16 2:52 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=220575
--- Comment #3 from Chao Yu (chao@kernel.org) ---
I meant using trace32 to dump the field values of the victim page, something like that. :)
* [f2fs-dev] [Bug 220575] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2025-09-24 6:50 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=220575
--- Comment #4 from JY (JY.Ho@mediatek.com) ---
(In reply to Chao Yu from comment #3)
> I meant using trace32 to dump field value of victim page, something like
> that. :)
For some reasons, I can't dump the victim page with trace32.
So I'm using 'page_owner' and added a new member '_private' to struct page.
I modified the function 'set_page_private()' in include/linux/mm_types.h:
static inline void set_page_private(...)
{
    page->private = private;
+   if (!private)
+       page->_private = private;
}
also modified the function 'f2fs_is_cp_guaranteed'
bool f2fs_is_cp_guaranteed(const struct page *page)
{
    struct address_space *mapping = page->mapping;
    struct inode *inode;
    struct f2fs_sb_info *sbi;

    if (fscrypt_is_bounce_page(page)) {
+       /* debug: print the bounce page, the recorded _private and the resolved pagecache page */
+       pr_crit("bounced_page:0x%px, pp:0x%px, fscrypt_pagecache_page(page):0x%px\n",
+               page, page->_private, fscrypt_pagecache_page(page));
+       if (page->_private)
+           dump_page(page->_private, "dump _private page");
+       else
+           dump_page(page, "dump bounce page");
        return page_private_gcing(fscrypt_pagecache_page(page));
    }
And I got the log as below:
[2025-09-23 12:54:07.401] [ 2223.580361][T18170] bounced_page:0xfffffffe82282290, pp:0x0000000000000000, fscrypt_pagecache_page(page):0x0000000000000000
[2025-09-23 12:54:07.522] [ 2223.636124][T18170] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xc02b7 pfn:0x6e6d5
[2025-09-23 12:54:07.577] [ 2223.656779][T18170] flags: 0x0(zone=0)
[2025-09-23 12:54:07.577] [ 2223.665281][T18170] page_type: f2(table)
[2025-09-23 12:54:07.577] [ 2223.673618][T18170] raw: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[2025-09-23 12:54:07.577] [ 2223.691017][T18170] raw: 00000000000c02b7 0000000000000000 00000001f2000000 0000000000000000
[2025-09-23 12:54:07.577] [ 2223.709638][T18170] raw: 0000000000000000 0000000000000000
[2025-09-23 12:54:07.633] [ 2223.734520][T18170] page_owner tracks the page as allocated
[2025-09-23 12:54:07.633] [ 2223.740836][T18170] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x540dc0(GFP_USER|__GFP_COMP|__GFP_ZERO|__GFP_ACCOUNT), pid 23744, tgid 23744 (sync), ts 2223627020157, free_ts 2223626903324
[2025-09-23 12:54:07.690] [ 2223.760701][T18170] post_alloc_hook+0x1d4/0x1ec
[2025-09-23 12:54:07.690] [ 2223.765688][T18170] prep_new_page+0x30/0x154
[2025-09-23 12:54:07.690] [ 2223.770483][T18170] get_page_from_freelist+0x11e8/0x127c
[2025-09-23 12:54:07.690] [ 2223.776402][T18170] __alloc_pages_noprof+0x1b0/0x448
[2025-09-23 12:54:07.690] [ 2223.781758][T18170] pmd_alloc_one_noprof+0x40/0x110
[2025-09-23 12:54:07.690] [ 2223.787714][T18170] __pmd_alloc+0x34/0x1a8
[2025-09-23 12:54:07.690] [ 2223.792274][T18170] move_page_tables+0x868/0x928
[2025-09-23 12:54:07.690] [ 2223.797303][T18170] relocate_vma_down+0x118/0x1f8
[2025-09-23 12:54:07.690] [ 2223.802601][T18170] setup_arg_pages+0x204/0x33c
[2025-09-23 12:54:07.690] [ 2223.807480][T18170] load_elf_binary+0x4f0/0xd68
[2025-09-23 12:54:07.690] [ 2223.822457][T18170] bprm_execve+0x2c8/0x57c
[2025-09-23 12:54:07.745] [ 2223.827615][T18170] do_execveat_common+0x26c/0x2c4
[2025-09-23 12:54:07.745] [ 2223.832943][T18170] __arm64_compat_sys_execve+0x48/0x60
[2025-09-23 12:54:07.745] [ 2223.839441][T18170] invoke_syscall+0x60/0x114
[2025-09-23 12:54:07.745] [ 2223.844123][T18170] el0_svc_common+0xb0/0xe4
[2025-09-23 12:54:07.745] [ 2223.850297][T18170] do_el0_svc_compat+0x24/0x30
[2025-09-23 12:54:07.745] [ 2223.856538][T18170] page last free pid 23744 tgid 23744 stack trace:
[2025-09-23 12:54:07.745] [ 2223.865252][T18170] free_unref_page+0x828/0x978
[2025-09-23 12:54:07.801] [ 2223.870493][T18170] __free_pages+0xe4/0x238
[2025-09-23 12:54:07.801] [ 2223.875113][T18170] free_pages+0x80/0x9c
[2025-09-23 12:54:07.801] [ 2223.879228][T18170] pgd_free+0x20/0x30
[2025-09-23 12:54:07.801] [ 2223.883162][T18170] __mmdrop+0x54/0x168
[2025-09-23 12:54:07.801] [ 2223.887624][T18170] __mmput+0x14c/0x170
[2025-09-23 12:54:07.801] [ 2223.891790][T18170] mmput+0x38/0xd8
[2025-09-23 12:54:07.801] [ 2223.895457][T18170] exec_mmap+0x1c4/0x238
[2025-09-23 12:54:07.801] [ 2223.899907][T18170] begin_new_exec+0x3cc/0x654
[2025-09-23 12:54:07.801] [ 2223.905047][T18170] load_elf_binary+0x39c/0xd68
[2025-09-23 12:54:07.801] [ 2223.909934][T18170] bprm_execve+0x2c8/0x57c
[2025-09-23 12:54:07.801] [ 2223.914547][T18170] do_execveat_common+0x26c/0x2c4
[2025-09-23 12:54:07.801] [ 2223.919902][T18170] __arm64_compat_sys_execve+0x48/0x60
[2025-09-23 12:54:07.861] [ 2223.925625][T18170] invoke_syscall+0x60/0x114
[2025-09-23 12:54:07.861] [ 2223.930483][T18170] el0_svc_common+0xb0/0xe4
[2025-09-23 12:54:07.861] [ 2223.935095][T18170] do_el0_svc_compat+0x24/0x30
* [f2fs-dev] [Bug 220575] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2025-09-24 8:47 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=220575
--- Comment #5 from Chao Yu (chao@kernel.org) ---
If this is reproducible, could you check whether we suffer the panic in
f2fs_submit_page_bio()? If so, could you please try the fix below:
diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
index 82ae31b8ecc4..959614de878f 100644
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -716,7 +716,7 @@ int f2fs_submit_page_bio(struct f2fs_io_info *fio)
wbc_account_cgroup_owner(fio->io_wbc, fio_folio, PAGE_SIZE);
inc_page_count(fio->sbi, is_read_io(fio->op) ?
- __read_io_type(data_folio) : WB_DATA_TYPE(fio->folio,
false));
+ __read_io_type(data_folio) : WB_DATA_TYPE(data_folio,
false));
if (is_read_io(bio_op(bio)))
f2fs_submit_read_bio(fio->sbi, bio, fio->type);
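Review bot: the hunk swaps the argument of WB_DATA_TYPE() from fio->folio to data_folio but gives no rationale for why the writeback counter type has to be derived from the data (bounce) folio rather than the pagecache folio; a one-line comment above the inc_page_count() call, or a commit message, should say which accounting path this count is paired with so the next reader does not revert it. Note also that the diff is against the folio-converted mainline f2fs_submit_page_bio(); the 6.12 tree in this report still calls `inc_page_count(fio->sbi, WB_DATA_TYPE(page, false));` (see Comment #6), so the hunk will not apply there without being adapted to the page-based call.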
* [f2fs-dev] [Bug 220575] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2025-09-24 9:51 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=220575
--- Comment #6 from JY (JY.Ho@mediatek.com) ---
(In reply to Chao Yu from comment #5)
> If this is reproducible, could you check whether we suffer the panic in
> f2fs_submit_page_bio()? If so, could you please try the fix below:
>
> diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
> index 82ae31b8ecc4..959614de878f 100644
> --- a/fs/f2fs/data.c
> +++ b/fs/f2fs/data.c
> @@ -716,7 +716,7 @@ int f2fs_submit_page_bio(struct f2fs_io_info *fio)
> wbc_account_cgroup_owner(fio->io_wbc, fio_folio, PAGE_SIZE);
>
> inc_page_count(fio->sbi, is_read_io(fio->op) ?
> - __read_io_type(data_folio) :
> WB_DATA_TYPE(fio->folio, false));
> + __read_io_type(data_folio) :
> WB_DATA_TYPE(data_folio, false));
>
> if (is_read_io(bio_op(bio)))
> f2fs_submit_read_bio(fio->sbi, bio, fio->type);
It's reproducible after maybe one day of stress testing, and it panics in
inc_page_count(fio->sbi, WB_DATA_TYPE(page, false));
https://github.com/torvalds/linux/blob/b8fcb8423053adaa27723010260aea90474b431a/fs/f2fs/data.c#L917
* [f2fs-dev] [Bug 220575] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2025-09-24 13:22 UTC (permalink / raw)
To: linux-f2fs-devel
https://bugzilla.kernel.org/show_bug.cgi?id=220575
--- Comment #7 from Chao Yu (chao@kernel.org) ---
Can you please hook fscrypt_free_bounce_page() to set page private w/ special
value, something as below:
void fscrypt_free_bounce_page(struct page *bounce_page)
{
	if (!bounce_page)
		return;
	set_page_private(bounce_page, (unsigned long)0xF2F52011);
	ClearPagePrivate(bounce_page);
	mempool_free(bounce_page, fscrypt_bounce_page_pool);
}
And add some check conditions in f2fs_is_cp_guaranteed() to see whether the
page has been freed before inc_page_count().
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2025-09-25 3:38 UTC
--- Comment #8 from JY (JY.Ho@mediatek.com) ---
OK, I will try it.
In the last experiment, I used the newly added '_private' field to record the
non-null value and dump it when fscrypt_is_bounce_page(page) is true.
+	pr_crit("bounced_page:0x%px, pp:0x%px, fscrypt_pagecache_page(page):0x%px\n",
+		page, page->_private, fscrypt_pagecache_page(page));
The result is:
bounced_page:0xfffffffe82282290, pp:0x0000000000000000, fscrypt_pagecache_page(page):0x0000000000000000
(pp is page->_private)
I think the 'pp:0x0000000000000000' proves this page is not a bounce_page. Am I
misunderstanding? :(
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2025-09-25 3:41 UTC
--- Comment #9 from JY (JY.Ho@mediatek.com) ---
Oh NO...
I saw my fault...
static inline void set_page_private(...)
{
	page->private = private;
+	if (!private) <<<<<<<<<<<<<<<<<<< :(
+		page->_private = private;
}
It should be 'if (private)'
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2025-09-25 8:40 UTC
--- Comment #10 from Chao Yu (chao@kernel.org) ---
Your device is using software encryption, right? If so, page will point to
fio->encrypted_page, which is a bounced page.
https://android.googlesource.com/kernel/common/+/e0e2f78243385e7188a57fcfceb6a19f723f1dff/fs/f2fs/data.c#890
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2025-09-25 9:23 UTC
--- Comment #11 from Chao Yu (chao@kernel.org) ---
(In reply to JY from comment #8)
> OK, I will try it.
>
> At the last experiment, I used the newly added '_private' to record non-null
> value and dump it when fscrypt_is_bounce_page(page) is true.
>
> + pr_crit("bounced_page:0xpx, pp:0x%px,
> fscrypt_pagecache_page(page):0x%px\n", page, page->_private,
> fscrypt_pagecache_page(page));
>
> The result is :
> bounced_page:0xfffffffe82282290, pp:0x0000000000000000,
> fscrypt_pagecache_page(page):0x0000000000000000
> (pp is page->_private)
>
> I think the 'pp:0x0000000000000000' proves this page is not a bounce_page.
> Am I misunderstanding? :(
Can you please try the diff below?
---
fs/f2fs/data.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
index 1b0050b8421d..13bde4a2f40d 100644
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -884,6 +884,15 @@ void f2fs_submit_merged_ipu_write(struct f2fs_sb_info
*sbi,
}
}
+#define sanity_check_page(sbi, enc_page, page) \
+ do { \
+ if (page && !page->private) { \
+ dump_page(enc_page, "dump enc_page"); \
+ dump_page(page, "dump data page"); \
+ BUG_ON(1); \
+ } \
+ } while (0)
+
int f2fs_merge_page_bio(struct f2fs_io_info *fio)
{
struct bio *bio = *fio->bio;
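Review bot: the sbi parameter of sanity_check_page() is unused in the macro body, and BUG_ON(1) is just BUG(); either drop sbi or use it, and prefer page_private(page) over page->private so the check reads through the same accessor as the set_page_private() hook suggested in comment #7. As a debug patch this is fine, but a comment saying why a data page with a zero ->private is the suspicious case (the condition never examines enc_page beyond dumping it) would make the resulting dumps easier to read.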
@@ -896,9 +905,13 @@ int f2fs_merge_page_bio(struct f2fs_io_info *fio)
trace_f2fs_submit_page_bio(page, fio);
+ sanity_check_page(fio->sbi, fio->encrypted_page, fio->page);
+
if (bio && !page_is_mergeable(fio->sbi, bio, *fio->last_block,
fio->new_blkaddr))
f2fs_submit_merged_ipu_write(fio->sbi, &bio, NULL);
+
+ sanity_check_page(fio->sbi, fio->encrypted_page, fio->page);
alloc_new:
if (!bio) {
bio = __bio_alloc(fio, BIO_MAX_VECS);
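Review bot: the sanity_check_page() call after f2fs_submit_merged_ipu_write() runs even when that submit was skipped (bio NULL or mergeable), so a difference between the two checks only localises the corruption when the submit actually happened; a short comment that the pair brackets the submit path would make the intent clear.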
@@ -906,15 +919,19 @@ int f2fs_merge_page_bio(struct f2fs_io_info *fio)
page_folio(fio->page)->index, fio, GFP_NOIO);
add_bio_entry(fio->sbi, bio, page, fio->temp);
+ sanity_check_page(fio->sbi, fio->encrypted_page, fio->page);
} else {
if (add_ipu_page(fio, &bio, page))
goto alloc_new;
+ sanity_check_page(fio->sbi, fio->encrypted_page, fio->page);
}
if (fio->io_wbc)
wbc_account_cgroup_owner(fio->io_wbc, page_folio(fio->page),
PAGE_SIZE);
+ sanity_check_page(fio->sbi, fio->encrypted_page, fio->page);
+
inc_page_count(fio->sbi, WB_DATA_TYPE(page, false));
*fio->last_block = fio->new_blkaddr;
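Review bot: every check in this hunk inspects fio->page, but the operand that reaches inc_page_count() on the last line is `page` (WB_DATA_TYPE(page, false)), which for a software-encrypted write is fio->encrypted_page, the bounce page (comment #10). If the suspicion is that the bounce page is released by bio completion before the accounting runs, the check placed right before inc_page_count() needs to look at `page` as well, or the accounting should use WB_DATA_TYPE(fio->page, false), the page-cache page, which is the change the thread later settles on (comments #14 and #17).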
--
2.40.1
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2025-09-28 10:30 UTC
Chao Yu (chao@kernel.org) changed:
  Status: NEW -> ASSIGNED
--- Comment #12 from Chao Yu (chao@kernel.org) ---
Hi JY,
I've figured out a reproducer as below:
1. mkdir /mnt/f2fs/enc & encrypt /mnt/f2fs/enc
2. Run below script in shell #1:
for ((i=1;i>0;i++)); do xfs_io -f /mnt/f2fs/enc/file \
	-c "pwrite 0 32k" -c "fdatasync"; done
3. Run below script in shell #2:
for ((i=1;i>0;i++)); do xfs_io -f /mnt/f2fs/enc/file \
	-c "pwrite 0 32k" -c "fdatasync"; done
Now, testing below fix.
https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/?h=bugfix/syzbot&id=1d024fd4c6fed3767f063db79746bcd2d0be49d1
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2025-09-28 13:55 UTC
--- Comment #13 from JY (JY.Ho@mediatek.com) ---
Good news! Thank you :)
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2025-09-30 10:45 UTC
--- Comment #14 from JY (JY.Ho@mediatek.com) ---
(In reply to Chao Yu from comment #12)
> Hi JY,
>
> I've figured out a reproducer as below:
>
> 1. mkdir /mnt/f2fs/enc & encrypt /mnt/f2fs/enc
>
> 2. Run below script in shell #1:
> for ((i=1;i>0;i++)) do xfs_io -f /mnt/f2fs/enc/file \
> -c "pwrite 0 32k" -c "fdatasync"
>
> 3. Run below script in shell #2:
> for ((i=1;i>0;i++)) do xfs_io -f /mnt/f2fs/enc/file \
> -c "pwrite 0 32k" -c "fdatasync"
>
> Now, testing below fix.
>
> https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/
> ?h=bugfix/syzbot&id=1d024fd4c6fed3767f063db79746bcd2d0be49d1
Hi Chao,
In my kernel version
(https://android.googlesource.com/kernel/common/+/refs/heads/android16-6.12-2025-07/fs/f2fs/data.c#926),
should I modify:
- inc_page_count(fio->sbi, WB_DATA_TYPE(page, false));
+ inc_page_count(fio->sbi, WB_DATA_TYPE(fio->page, false));
Is that right?
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2025-10-01 7:51 UTC
--- Comment #15 from JY (JY.Ho@mediatek.com) ---
(In reply to Chao Yu from comment #7)
> Can you please hook fscrypt_free_bounce_page() to set page private w/
> special value, something as below:
>
> void fscrypt_free_bounce_page(struct page *bounce_page)
> {
> if (!bounce_page)
> return;
> set_page_private(bounce_page, (unsigned long)0xF2F52011);
> ClearPagePrivate(bounce_page);
> mempool_free(bounce_page, fscrypt_bounce_page_pool);
> }
>
> And add some check conditions in f2fs_is_cp_guaranteed() to see whether the
> page has been freed before inc_page_count().
By the way, this is my test result. Is that another issue?
[27024.604851] JY f2fs_is_cp_guaranteed 65 bounced_page:0xfffffffe81338410, _private:0xfffffffe813c54f0, fscrypt_pagecache_page(page):0x000000005566f2f5
[27024.620405] JYJY :fffffffe813c54f0 is the PAGE
[27024.626388] page: refcount:4 mapcount:1 mapping:000000008cdd016b index:0x1d pfn:0x3f443
[27024.636025] memcg:ffffff8031bd0000
[27024.641269] flags: 0x1000000000009029(locked|uptodate|lru|owner_2|private|zone=0)
[27024.650060] raw: 1000000000009029 fffffffe813c54a8 fffffffe813bc588 ffffff806b096f68
[27024.660600] raw: 000000000000001d 0000000000000009 0000000400000000 ffffff8031bd0000
[27024.669271] raw: 000000003f443000 0000000000000000
[27024.675745] page dumped because: JY got the BUG!
[27024.683789] page_owner tracks the page as allocated
[27024.690777] page last allocated via order 0, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 30372, tgid 30372 (android.vending), ts 27014734256272, free_ts 27002686350166
[27024.724435] post_alloc_hook+0x1d0/0x1e8
[27024.730550] prep_new_page+0x30/0x150
[27024.735185] get_page_from_freelist+0x11e8/0x127c
[27024.744799] __alloc_pages_noprof+0x1b0/0x448
[27024.753649] __folio_alloc_noprof+0x1c/0x64
[27024.759063] page_cache_ra_unbounded+0x1a4/0x36c
[27024.767626] page_cache_ra_order+0x358/0x434
[27024.774150] do_sync_mmap_readahead+0x20c/0x280
[27024.780541] filemap_fault+0x1e0/0x868
[27024.785950] f2fs_filemap_fault+0x34/0xec
[27024.792392] __do_fault+0x70/0x110
[27024.797172] do_pte_missing+0x300/0x12f0
[27024.802556] handle_mm_fault+0x4d4/0x818
[27024.808201] do_page_fault+0x210/0x640
[27024.813143] do_translation_fault+0x48/0x11c
[27024.818658] do_mem_abort+0x5c/0x108
[27024.824631] page last free pid 55 tgid 55 stack trace:
[27024.831407] free_unref_page+0x828/0x978
[27024.837039] __folio_put+0xac/0xdc
[27024.842449] migrate_pages_batch+0x127c/0x1894
[27024.849239] migrate_pages+0x3f0/0x798
[27024.856057] compact_zone+0xca8/0x12ec
[27024.861241] compact_node+0xc0/0x190
[27024.865955] kcompactd+0x3b8/0x978
[27024.872656] kthread+0x118/0x1ac
[27024.878257] ret_from_fork+0x10/0x20
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2025-10-01 8:01 UTC
--- Comment #16 from JY (JY.Ho@mediatek.com) ---
(In reply to Chao Yu from comment #7)
> Can you please hook fscrypt_free_bounce_page() to set page private w/
> special value, something as below:
>
> void fscrypt_free_bounce_page(struct page *bounce_page)
> {
> if (!bounce_page)
> return;
> set_page_private(bounce_page, (unsigned long)0xF2F52011);
> ClearPagePrivate(bounce_page);
> mempool_free(bounce_page, fscrypt_bounce_page_pool);
> }
>
> And add some check conditions in f2fs_is_cp_guaranteed() to see whether the
> page has been freed before inc_page_count().
I tried to modify:
+	set_page_private(bounce_page, (unsigned long)0x5566F2F5);
But I got two results from different panics:
fscrypt_pagecache_page(page):0x000000005566f2f5 and
fscrypt_pagecache_page(page):0x0000000000000000 (as shown below)
[38417.862874] JY f2fs_is_cp_guaranteed 65 bounced_page:0xfffffffe81cd6760, _private:0xfffffffe824723c0, fscrypt_pagecache_page(page):0x0000000000000000
[38417.921850] JYJY :fffffffe824723c0 is the PAGE
[38417.968256] page: refcount:4 mapcount:1 mapping:000000000615ef5b index:0x6c pfn:0x74a0c
[38417.998050] memcg:ffffff804c331380
[38418.018203] flags: 0x800000000009029(locked|uptodate|lru|owner_2|private|zone=0)
[38418.046079] raw: 0800000000009029 fffffffe82475618 fffffffe82484fc8 ffffff806b25c460
[38418.100286] raw: 000000000000006c 0000000000000009 0000000400000000 ffffff804c331380
[38418.143969] raw: ffffff8064457540 0000000000000000
[38418.162562] page dumped because: JY got the BUG!
[38418.199250] page_owner tracks the page as allocated
[38418.225840] page last allocated via order 0, migratetype Movable, gfp_mask 0x152c4a(GFP_NOFS|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 20039, tgid 19537 (NetworkService), ts 38403893384078, free_ts 38403858760495
[38418.310128] post_alloc_hook+0x1d0/0x1e8
[38418.330509] prep_new_page+0x30/0x150
[38418.358836] get_page_from_freelist+0x11e8/0x127c
[38418.375352] __alloc_pages_noprof+0x1b0/0x448
[38418.399171] __folio_alloc_noprof+0x1c/0x64
[38418.430498] page_cache_ra_unbounded+0x1a4/0x36c
[38418.440402] page_cache_ra_order+0x358/0x434
[38418.446579] page_cache_async_ra+0x128/0x17c
[38418.454399] filemap_fault+0x14c/0x868
[38418.467818] f2fs_filemap_fault+0x34/0xec
[38418.475253] __do_fault+0x70/0x110
[38418.484117] do_pte_missing+0x424/0x12f0
[38418.489691] handle_mm_fault+0x4d4/0x818
[38418.499341] do_page_fault+0x210/0x640
[38418.504888] do_translation_fault+0x48/0x11c
[38418.510476] do_mem_abort+0x5c/0x108
[38418.515795] page last free pid 64 tgid 64 stack trace:
[38418.527744] free_unref_folios+0x944/0xe94
[38418.534456] shrink_folio_list+0x8c8/0x1304
[38418.543434] evict_folios+0x12ec/0x1818
[38418.550869] try_to_shrink_lruvec+0x1fc/0x3c8
[38418.561221] shrink_one+0xa4/0x230
[38418.574348] shrink_node+0xbe0/0xfc4
[38418.599077] balance_pgdat+0x7bc/0xce4
[38418.630024] kswapd+0x298/0x4d8
[38418.650979] kthread+0x118/0x1ac
[38418.670266] ret_from_fork+0x10/0x20
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2025-10-03 2:33 UTC
--- Comment #17 from Chao Yu (chao@kernel.org) ---
(In reply to JY from comment #14)
> - inc_page_count(fio->sbi, WB_DATA_TYPE(page, false));
> + inc_page_count(fio->sbi, WB_DATA_TYPE(fio->page, false));
> Is that right?
Yes, I think so.
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2025-10-03 2:44 UTC
--- Comment #18 from Chao Yu (chao@kernel.org) ---
(In reply to JY from comment #16)
> I tried to modified:
> + set_page_private(bounce_page, (unsigned long)0x5566F2F5);
>
> But I got two results from different panics.
> fscrypt_pagecache_page(page):0x000000005566f2f5 and
>
> fscrypt_pagecache_page(page):0x0000000000000000 (As shown below)
I think this is the same issue. Actually, the value of page->private should be
unpredictable, because this is a UAF issue; we don't know how the system changes
the page after we freed it.
So, can you please test the fix to check whether it can solve your problem or
not? Thanks a lot. :)
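A user-space model, added here and not taken from f2fs or fscrypt, of the ordering problem Chao describes in comments #7, #10 and #18: with software encryption `page` in f2fs_merge_page_bio() is the bounce page, and once the bio owning it has completed, reading its ->private yields NULL (the oops in this report), the 0xF2F52011 marker from comment #7, or another writer's page if the pool slot was reused, which is why the value is unpredictable; accounting through fio->page instead gives a stable answer (comments #14 and #17). All struct and function names are simplified stand-ins for the kernel ones, and the bounce pool is assumed to be a fixed array that reuses freed slots.

```c
/* Added example, not f2fs or fscrypt code: a user-space model of the UAF in
 * this bug. Names are simplified stand-ins for the kernel ones; the bounce
 * pool is a fixed array that reuses freed slots (assumed mempool behaviour). */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BOUNCE_POOL_SIZE 2
#define F2FS_PRIVATE_POISON 0xF2F52011UL /* free-time marker from comment #7 */

struct page {
	unsigned long private; /* bounce page: pointer to its page-cache page */
	bool is_bounce;        /* fscrypt_is_bounce_page(); stays true after free */
	bool cp_guaranteed;    /* what f2fs_is_cp_guaranteed() decides for data */
};

enum wb_type {
	F2FS_WB_DATA = 0,
	F2FS_WB_CP_DATA = 1,
	F2FS_WB_NULL_DEREF = -1, /* kernel: oops at virtual address 0 */
	F2FS_WB_POISONED = -2,   /* ->private still holds the free-time marker */
};

struct f2fs_io_info {
	struct page *page;           /* page-cache page, held by f2fs for the write */
	struct page *encrypted_page; /* bounce page, owned by the bio once submitted */
};

static struct page bounce_pool[BOUNCE_POOL_SIZE];
static bool bounce_in_use[BOUNCE_POOL_SIZE];

static struct page *fscrypt_alloc_bounce(struct page *pagecache_page)
{
	for (int i = 0; i < BOUNCE_POOL_SIZE; i++) {
		if (bounce_in_use[i])
			continue;
		bounce_in_use[i] = true;
		bounce_pool[i].is_bounce = true;
		bounce_pool[i].private = (unsigned long)pagecache_page;
		return &bounce_pool[i];
	}
	return NULL;
}

/* Bio completion: the bounce page returns to the pool with ->private cleared
 * (stock kernel) or set to the poison marker (the comment #7 experiment). */
static void fscrypt_free_bounce_page(struct page *bounce, bool poison)
{
	bounce->private = poison ? F2FS_PRIVATE_POISON : 0;
	bounce_in_use[bounce - bounce_pool] = false;
}

/* WB_DATA_TYPE(): for a bounce page, follow ->private to the page-cache page.
 * The kernel dereferences it unconditionally; the model classifies stale values. */
static int wb_data_type(struct page *page)
{
	if (page->is_bounce) {
		if (page->private == 0)
			return F2FS_WB_NULL_DEREF;
		if (page->private == F2FS_PRIVATE_POISON)
			return F2FS_WB_POISONED;
		page = (struct page *)page->private; /* fscrypt_pagecache_page() */
	}
	return page->cp_guaranteed ? F2FS_WB_CP_DATA : F2FS_WB_DATA;
}

/* One encrypted write in f2fs_merge_page_bio()'s order: `page` is the bounce
 * page, the bio owning it completes on another thread (the second writer's
 * fdatasync in the reproducer), and only then is the write accounted.
 * fixed=true accounts through fio->page instead (comments #14/#17);
 * reuse=true lets a second writer take the freed pool slot first. */
static int run_write(bool fixed, bool poison, bool reuse)
{
	static struct page victim, other;
	struct f2fs_io_info fio;
	struct page *page;

	memset(bounce_pool, 0, sizeof(bounce_pool));
	memset(bounce_in_use, 0, sizeof(bounce_in_use));
	victim = (struct page){ .cp_guaranteed = false };
	other = (struct page){ .cp_guaranteed = true };
	fio.page = &victim;
	fio.encrypted_page = fscrypt_alloc_bounce(&victim);
	page = fio.encrypted_page; /* kernel: page = fio->encrypted_page ?: fio->page */

	fscrypt_free_bounce_page(fio.encrypted_page, poison); /* bio completed elsewhere */
	if (reuse)
		fscrypt_alloc_bounce(&other); /* the same slot now belongs to another writer */
	return wb_data_type(fixed ? fio.page : page); /* buggy path reads the freed page */
}

int main(void)
{
	printf("buggy, private cleared: %d (NULL deref)\n", run_write(false, false, false));
	printf("buggy, poisoned:        %d (detected)\n", run_write(false, true, false));
	printf("buggy, slot reused:     %d (other writer's answer)\n", run_write(false, false, true));
	printf("fixed, slot reused:     %d (F2FS_WB_DATA)\n", run_write(true, false, true));
	return 0;
}
```

The third case is the one a poison marker cannot catch: once the slot is reused, ->private is a valid pointer to someone else's page and the accounting silently goes to the wrong counter.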
From: bugzilla-daemon--- via Linux-f2fs-devel @ 2025-10-03 3:13 UTC
--- Comment #19 from JY (JY.Ho@mediatek.com) ---
(In reply to Chao Yu from comment #18)
> (In reply to JY from comment #16)
> > I tried to modified:
> > + set_page_private(bounce_page, (unsigned long)0x5566F2F5);
> >
> > But I got two results from different panics.
> > fscrypt_pagecache_page(page):0x000000005566f2f5 and
> >
> > fscrypt_pagecache_page(page):0x0000000000000000 (As shown below)
>
> I think this is the same issue, actually, value of page->private should be
> unpredictable, because this is a UAF issue, we don't know how system changes
> the page after we freed it.
>
> So, can you please test the fix to check whether it can solve your problem
> or not? Thanks a lot. :)
No problem, it's my pleasure. :)