[PATCH v2] f2fs: avoid reading already updated pages during GC

[PATCH v2] f2fs: avoid reading already updated pages during GC

[Jianan Huang]

We found the following issue during fuzz testing:

page: refcount:3 mapcount:0 mapping:00000000b6e89c65 index:0x18b2dc pfn:0x161ba9
memcg:f8ffff800e269c00
aops:f2fs_meta_aops ino:2
flags: 0x52880000000080a9(locked|waiters|uptodate|lru|private|zone=1|kasantag=0x4a)
raw: 52880000000080a9 fffffffec6e17588 fffffffec0ccc088 a7ffff8067063618
raw: 000000000018b2dc 0000000000000009 00000003ffffffff f8ffff800e269c00
page dumped because: VM_BUG_ON_FOLIO(folio_test_uptodate(folio))
page_owner tracks the page as allocated
 post_alloc_hook+0x58c/0x5ec
 prep_new_page+0x34/0x284
 get_page_from_freelist+0x2dcc/0x2e8c
 __alloc_pages_noprof+0x280/0x76c
 __folio_alloc_noprof+0x18/0xac
 __filemap_get_folio+0x6bc/0xdc4
 pagecache_get_page+0x3c/0x104
 do_garbage_collect+0x5c78/0x77a4
 f2fs_gc+0xd74/0x25f0
 gc_thread_func+0xb28/0x2930
 kthread+0x464/0x5d8
 ret_from_fork+0x10/0x20
------------[ cut here ]------------
kernel BUG at mm/filemap.c:1563!
 folio_end_read+0x140/0x168
 f2fs_finish_read_bio+0x5c4/0xb80
 f2fs_read_end_io+0x64c/0x708
 bio_endio+0x85c/0x8c0
 blk_update_request+0x690/0x127c
 scsi_end_request+0x9c/0xb8c
 scsi_io_completion+0xf0/0x250
 scsi_finish_command+0x430/0x45c
 scsi_complete+0x178/0x6d4
 blk_mq_complete_request+0xcc/0x104
 scsi_done_internal+0x214/0x454
 scsi_done+0x24/0x34

which is similar to the problem reported by syzbot:
https://syzkaller.appspot.com/bug?extid=3686758660f980b402dc

This case is consistent with the description in commit 9bf1a3f
("f2fs: avoid GC causing encrypted file corrupted"):
Page 1 is moved from blkaddr A to blkaddr B by move_data_block, and after
being written it is marked as uptodate. Then, Page 1 is moved from blkaddr
B to blkaddr C, VM_BUG_ON_FOLIO was triggered in the endio initiated by
ra_data_block.

There is no need to read Page 1 again from blkaddr B, since it has already
been updated. Therefore, avoid initiating I/O in this case.

Fixes: 6aa58d8ad20a ("f2fs: readahead encrypted block during GC")
Signed-off-by: Jianan Huang <huangjianan@xiaomi.com>
Signed-off-by: Sheng Yong <shengyong1@xiaomi.com>
---
Changes since v1:
- Place the uptodate check after the initialization of fio.encrypted_page.

 fs/f2fs/gc.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
index f46b2673d31f..ec0680187c0d 100644
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -1230,7 +1230,7 @@ static int ra_data_block(struct inode *inode, pgoff_t index)
 		.encrypted_page = NULL,
 		.in_list = 0,
 	};
-	int err;
+	int err = 0;
 
 	folio = f2fs_grab_cache_folio(mapping, index, true);
 	if (IS_ERR(folio))
@@ -1283,6 +1283,9 @@ static int ra_data_block(struct inode *inode, pgoff_t index)
 
 	fio.encrypted_page = &efolio->page;
 
+	if (folio_test_uptodate(efolio))
+		goto put_encrypted_page;
+
 	err = f2fs_submit_page_bio(&fio);
 	if (err)
 		goto put_encrypted_page;
-- 
2.43.0

Re: [PATCH v2] f2fs: avoid reading already updated pages during GC

[Chao Yu]

On 2026/3/5 09:18, Jianan Huang wrote:
> We found the following issue during fuzz testing:
> 
> page: refcount:3 mapcount:0 mapping:00000000b6e89c65 index:0x18b2dc pfn:0x161ba9
> memcg:f8ffff800e269c00
> aops:f2fs_meta_aops ino:2
> flags: 0x52880000000080a9(locked|waiters|uptodate|lru|private|zone=1|kasantag=0x4a)
> raw: 52880000000080a9 fffffffec6e17588 fffffffec0ccc088 a7ffff8067063618
> raw: 000000000018b2dc 0000000000000009 00000003ffffffff f8ffff800e269c00
> page dumped because: VM_BUG_ON_FOLIO(folio_test_uptodate(folio))
> page_owner tracks the page as allocated
>   post_alloc_hook+0x58c/0x5ec
>   prep_new_page+0x34/0x284
>   get_page_from_freelist+0x2dcc/0x2e8c
>   __alloc_pages_noprof+0x280/0x76c
>   __folio_alloc_noprof+0x18/0xac
>   __filemap_get_folio+0x6bc/0xdc4
>   pagecache_get_page+0x3c/0x104
>   do_garbage_collect+0x5c78/0x77a4
>   f2fs_gc+0xd74/0x25f0
>   gc_thread_func+0xb28/0x2930
>   kthread+0x464/0x5d8
>   ret_from_fork+0x10/0x20
> ------------[ cut here ]------------
> kernel BUG at mm/filemap.c:1563!
>   folio_end_read+0x140/0x168
>   f2fs_finish_read_bio+0x5c4/0xb80
>   f2fs_read_end_io+0x64c/0x708
>   bio_endio+0x85c/0x8c0
>   blk_update_request+0x690/0x127c
>   scsi_end_request+0x9c/0xb8c
>   scsi_io_completion+0xf0/0x250
>   scsi_finish_command+0x430/0x45c
>   scsi_complete+0x178/0x6d4
>   blk_mq_complete_request+0xcc/0x104
>   scsi_done_internal+0x214/0x454
>   scsi_done+0x24/0x34
> 
> which is similar to the problem reported by syzbot:
> https://syzkaller.appspot.com/bug?extid=3686758660f980b402dc
> 
> This case is consistent with the description in commit 9bf1a3f
> ("f2fs: avoid GC causing encrypted file corrupted"):
> Page 1 is moved from blkaddr A to blkaddr B by move_data_block, and after
> being written it is marked as uptodate. Then, Page 1 is moved from blkaddr
> B to blkaddr C, VM_BUG_ON_FOLIO was triggered in the endio initiated by
> ra_data_block.
> 
> There is no need to read Page 1 again from blkaddr B, since it has already
> been updated. Therefore, avoid initiating I/O in this case.
> 
> Fixes: 6aa58d8ad20a ("f2fs: readahead encrypted block during GC")
> Signed-off-by: Jianan Huang <huangjianan@xiaomi.com>
> Signed-off-by: Sheng Yong <shengyong1@xiaomi.com>

Reviewed-by: Chao Yu <chao@kernel.org>

Thanks,

Re: [f2fs-dev] [PATCH v2] f2fs: avoid reading already updated pages during GC

[patchwork-bot+f2fs]

Hello:

This patch was applied to jaegeuk/f2fs.git (dev)
by Jaegeuk Kim <jaegeuk@kernel.org>:

On Thu, 5 Mar 2026 09:18:10 +0800 you wrote:
> We found the following issue during fuzz testing:
> 
> page: refcount:3 mapcount:0 mapping:00000000b6e89c65 index:0x18b2dc pfn:0x161ba9
> memcg:f8ffff800e269c00
> aops:f2fs_meta_aops ino:2
> flags: 0x52880000000080a9(locked|waiters|uptodate|lru|private|zone=1|kasantag=0x4a)
> raw: 52880000000080a9 fffffffec6e17588 fffffffec0ccc088 a7ffff8067063618
> raw: 000000000018b2dc 0000000000000009 00000003ffffffff f8ffff800e269c00
> page dumped because: VM_BUG_ON_FOLIO(folio_test_uptodate(folio))
> page_owner tracks the page as allocated
>  post_alloc_hook+0x58c/0x5ec
>  prep_new_page+0x34/0x284
>  get_page_from_freelist+0x2dcc/0x2e8c
>  __alloc_pages_noprof+0x280/0x76c
>  __folio_alloc_noprof+0x18/0xac
>  __filemap_get_folio+0x6bc/0xdc4
>  pagecache_get_page+0x3c/0x104
>  do_garbage_collect+0x5c78/0x77a4
>  f2fs_gc+0xd74/0x25f0
>  gc_thread_func+0xb28/0x2930
>  kthread+0x464/0x5d8
>  ret_from_fork+0x10/0x20
> 
> [...]

Here is the summary with links:
  - [f2fs-dev,v2] f2fs: avoid reading already updated pages during GC
    https://git.kernel.org/jaegeuk/f2fs/c/5d143972155e

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html