From: David Hildenbrand <david@redhat.com>
To: Jan Kara <jack@suse.cz>, Ryan Roberts <ryan.roberts@arm.com>
Cc: syzbot <syzbot+263f159eb37a1c4c67a4@syzkaller.appspotmail.com>,
akpm@linux-foundation.org, chaitanyas.prakash@arm.com,
davem@davemloft.net, edumazet@google.com, hdanton@sina.com,
horms@kernel.org, kuba@kernel.org, kuniyu@google.com,
linux-kernel@vger.kernel.org, linux-sound@vger.kernel.org,
netdev@vger.kernel.org, pabeni@redhat.com, perex@perex.cz,
syzkaller-bugs@googlegroups.com, tiwai@suse.com,
willemb@google.com
Subject: Re: [syzbot] [sound?] kernel BUG in filemap_fault (2)
Date: Wed, 17 Sep 2025 09:57:19 +0200
Message-ID: <7e338491-0c6b-4b65-93b7-df0af8b2fd87@redhat.com>
In-Reply-To: <lqzgi7abe2onda3faavn5ays6gdw4syiu32hmrfaibrh6cmozs@pjf3llvnnefk>

On 16.09.25 15:05, Jan Kara wrote:
> On Tue 16-09-25 13:50:08, Ryan Roberts wrote:
>> On 14/09/2025 11:51, syzbot wrote:
>>> syzbot suspects this issue was fixed by commit:
>>>
>>> commit bdb86f6b87633cc020f8225ae09d336da7826724
>>> Author: Ryan Roberts <ryan.roberts@arm.com>
>>> Date: Mon Jun 9 09:27:23 2025 +0000
>>>
>>> mm/readahead: honour new_order in page_cache_ra_order()
>>
>> I'm not sure what original bug you are claiming this is fixing? Perhaps this?
>>
>> https://lore.kernel.org/linux-mm/6852b77e.a70a0220.79d0a.0214.GAE@google.com/
>
> I think it was:
>
> https://lore.kernel.org/all/684ffc59.a00a0220.279073.0037.GAE@google.com/
>
> at least that's what the syzbot email replies to... And it doesn't make a
> lot of sense but it isn't totally off either. So I'd just let the syzbot
> bug autoclose after some timeout.

Hm, the issue we ran into was:

	VM_BUG_ON_FOLIO(!folio_contains(folio, index), folio);

in filemap_fault().

Now, that sounds rather bad, especially given that it was reported upstream.

So likely we should figure out what happened and see if it really fixed
it and if so, why it fixed it (stable backports etc)?

Could be that Ryan's patch is just making the problem harder to
reproduce, of course (what I assume right now).

Essentially we do a

	folio = filemap_get_folio(mapping, index);

followed by

	if (!lock_folio_maybe_drop_mmap(vmf, folio, &fpin))
		goto out_retry;

	/* Did it get truncated? */
	if (unlikely(folio->mapping != mapping)) {
		folio_unlock(folio);
		folio_put(folio);
		goto retry_find;
	}
	VM_BUG_ON_FOLIO(!folio_contains(folio, index), folio);

I would assume that if !folio_contains(folio, index), either the folio
got split in the meantime (filemap_get_folio() returned with a raised
reference, though) or that file pagecache contained something wrong.

In __filemap_get_folio() we perform the same checks after locking the
folio (with FGP_LOCK), and weirdly enough it didn't trigger yet there.

--
Cheers
David / dhildenb
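
The lookup, lock and revalidate sequence quoted in the message above, as a userspace C model. This is an added example, not code from the thread or from the kernel. The struct layouts, model_folio_contains(), revalidate() and the four scenarios are constructed assumptions that only mirror the order of the checks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
/* Userspace model only: simplified stand-ins, not the kernel's types. */
struct mapping { int id; };
struct folio {
	struct mapping *mapping;   /* NULL once truncated out of the file */
	unsigned long index;       /* first page-cache index covered */
	unsigned int order;        /* covers 1 << order pages */
};
enum reval { REVAL_OK, REVAL_RETRY, REVAL_BUG };

/* Range check; unsigned subtraction wraps, so index < f->index fails too. */
static bool model_folio_contains(const struct folio *f, unsigned long index)
{
	return index - f->index < (1UL << f->order);
}

/* Checks made once the folio lock is held, in the order quoted above. */
static enum reval revalidate(const struct folio *f, const struct mapping *m, unsigned long idx)
{
	if (f->mapping != m)
		return REVAL_RETRY;     /* truncated: look the folio up again */
	if (!model_folio_contains(f, idx))
		return REVAL_BUG;       /* where VM_BUG_ON_FOLIO() would fire */
	return REVAL_OK;
}

/* Constructed scenarios for what may differ between lookup and lock. */
static enum reval scenario(int kind)
{
	struct mapping m = { 1 };
	struct folio f = { &m, 16, 2 };     /* covers indices 16..19 */
	unsigned long index = 18;           /* faulting index used for lookup */
	if (kind == 1)
		f.mapping = NULL;           /* truncation */
	else if (kind == 2)
		f.order = 0;                /* folio now covers index 16 only */
	else if (kind == 3)
		f.index = 32;               /* folio belongs to another range */
	return revalidate(&f, &m, index);
}

int main(void)
{
	for (int k = 0; k < 4; k++)
		printf("scenario %d -> %d\n", k, scenario(k));
	return 0;
}
```

Only the truncation case takes the retry path; a folio that still belongs to the mapping but no longer covers the faulting index reaches the assertion.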