From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 93CD2C433F5 for ; Tue, 7 Dec 2021 22:00:41 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id D28336B0071; Tue, 7 Dec 2021 17:00:30 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id CD5D56B0072; Tue, 7 Dec 2021 17:00:30 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id B9D556B0073; Tue, 7 Dec 2021 17:00:30 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0215.hostedemail.com [216.40.44.215]) by kanga.kvack.org (Postfix) with ESMTP id A6F9C6B0071 for ; Tue, 7 Dec 2021 17:00:30 -0500 (EST) Received: from smtpin28.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay04.hostedemail.com (Postfix) with ESMTP id 6587289D4B for ; Tue, 7 Dec 2021 22:00:20 +0000 (UTC) X-FDA: 78892367400.28.4A4FDE1 Received: from casper.infradead.org (casper.infradead.org [90.155.50.34]) by imf17.hostedemail.com (Postfix) with ESMTP id F053AF0001E9 for ; Tue, 7 Dec 2021 22:00:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=GHEajNctGC/0vOa+hsD34nlStTkJcznyOuhwQaT4q4g=; b=K2Y4wmD4zAtxximZgUNDXpho8L fWTnDiuYs07KfvI3SAraPm1N0ivCZMHZmfSBxvPa/xdIrr8otukEfujBImdOkRNlz0bsfdQ+xZagz BSvSmQYirm+FoXpyQQd6G0lBunqbdYChti0pmG5MBaCzGJmFVFZD+jFs1CMF17qhhNLtjwUIIj+WU eKvz5nVc8QV6XLVcR+kdECZ9Jm+KziR0mZ+IDPpzm/4gVYR+QhAcVco0JQLFYhmLinwD/BSvQyS/f rSbNUzyKy85A/z4uA37+FqUnfmYW5noQ9E9edJ7zeCbTPoguVB0GcxvD2cc0R3sJ6rarsaH/lBtPk UG78sNCA==; Received: from willy by casper.infradead.org with local (Exim 4.94.2 #2 (Red Hat Linux)) id 1muiVP-007obU-UA; Tue, 07 Dec 2021 22:00:11 +0000 Date: Tue, 7 Dec 2021 22:00:11 +0000 From: Matthew Wilcox To: Jaegeuk Kim Cc: Andrew Morton , syzbot , linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net Subject: Re: [f2fs-dev] [syzbot] BUG: unable to handle kernel NULL pointer dereference in folio_mark_dirty Message-ID: References: <0000000000005f297e05d24f05f6@google.com> <20211206175631.5d0c3caefa96f0479f0fc2e8@linux-foundation.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Authentication-Results: imf17.hostedemail.com; dkim=pass header.d=infradead.org header.s=casper.20170209 header.b=K2Y4wmD4; dmarc=none; spf=none (imf17.hostedemail.com: domain of willy@infradead.org has no SPF policy when checking 90.155.50.34) smtp.mailfrom=willy@infradead.org X-Rspamd-Server: rspam08 X-Rspamd-Queue-Id: F053AF0001E9 X-Stat-Signature: rs9sxknrxr8owa7je4685qijn7jkgg14 X-HE-Tag: 1638914417-172860 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Tue, Dec 07, 2021 at 01:39:06PM -0800, Jaegeuk Kim wrote: > On 12/07, Matthew Wilcox wrote: > > > > Call Trace: > > > > > > > > folio_mark_dirty+0x136/0x270 mm/page-writeback.c:2639 > > > > if (likely(mapping)) { > > ... > > if (folio_test_reclaim(folio)) > > folio_clear_reclaim(folio); > > return mapping->a_ops->set_page_dirty(&folio->page); > > > > how do we get to a NULL ->set_page_dirty for a metadata page's > > mapping->a_ops? This is definitely an f2fs expert question. > > I can't find anything in f2fs, since that page was got by f2fs_grab_meta_page > along with grab_cache_page() that we never unlocked it. > > 40 struct page *f2fs_grab_meta_page(struct f2fs_sb_info *sbi, pgoff_t index) > 41 { > 42 struct address_space *mapping = META_MAPPING(sbi); > 43 struct page *page; > 44 repeat: > 45 page = f2fs_grab_cache_page(mapping, index, false); > > -> grab_cache_page(mapping, index); > > 46 if (!page) { > 47 cond_resched(); > 48 goto repeat; > 49 } > 50 f2fs_wait_on_page_writeback(page, META, true, true); > 51 if (!PageUptodate(page)) > 52 SetPageUptodate(page); > 53 return page; > 54 } > > > Suspecting something in folio wrt folio_mapping()? > > 81 bool set_page_dirty(struct page *page) > 82 { > 83 return folio_mark_dirty(page_folio(page)); > 84 } ... huh? How could folio_mapping() be getting this wrong? page_folio() does the same thing as compound_head() -- as far as I know you don't use compound pages for f2fs metadata, so this basically just casts the page to a struct folio. folio_mapping() is just like the old page_mapping() (see commit 2f52578f9c64). Unless you've done something like set the swapcache bit on your metadata page, it's just going to return folio->mapping (ie the same as page->mapping).