public inbox for linux-kernel@vger.kernel.org
* [syzbot] [fs?] [mm?] kernel BUG in __filemap_add_folio
@ 2025-04-25  1:19 syzbot
  2025-11-30 15:03 ` shaurya
  0 siblings, 1 reply; 9+ messages in thread
From: syzbot @ 2025-04-25  1:19 UTC (permalink / raw)
  To: akpm, brauner, hare, linux-fsdevel, linux-kernel, linux-mm,
	mcgrof, syzkaller-bugs, willy

Hello,

syzbot found the following issue on:

HEAD commit:    ac71fabf1567 gcc-15: work around sequence-point warning
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1269b204580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=68d9f79fc685cd4
dashboard link: https://syzkaller.appspot.com/bug?extid=4d3cc33ef7a77041efa6
compiler:       Debian clang version 15.0.6, Debian LLD 15.0.6
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10b2cc70580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14a91ccc580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c03ec6447343/disk-ac71fabf.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e02e7fb54511/vmlinux-ac71fabf.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7d53dcc94699/bzImage-ac71fabf.xz

The issue was bisected to:

commit 47dd67532303803a87f43195e088b3b4bcf0454d
Author: Luis Chamberlain <mcgrof@kernel.org>
Date:   Fri Feb 21 22:38:22 2025 +0000

    block/bdev: lift block size restrictions to 64k

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=11d62c70580000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=13d62c70580000
console output: https://syzkaller.appspot.com/x/log.txt?x=15d62c70580000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4d3cc33ef7a77041efa6@syzkaller.appspotmail.com
Fixes: 47dd67532303 ("block/bdev: lift block size restrictions to 64k")

 __handle_mm_fault mm/memory.c:6140 [inline]
 handle_mm_fault+0x1129/0x1bf0 mm/memory.c:6309
 do_user_addr_fault arch/x86/mm/fault.c:1337 [inline]
 handle_page_fault arch/x86/mm/fault.c:1480 [inline]
 exc_page_fault+0x45b/0x920 arch/x86/mm/fault.c:1538
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
------------[ cut here ]------------
kernel BUG at mm/filemap.c:868!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 1 UID: 0 PID: 5909 Comm: syz-executor413 Not tainted 6.15.0-rc2-syzkaller-00493-gac71fabf1567 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:__filemap_add_folio+0x1554/0x16c0 mm/filemap.c:867
Code: e9 c5 ff 4c 89 e7 48 c7 c6 80 0e 54 8c e8 44 43 12 00 90 0f 0b e8 cc e9 c5 ff 4c 89 e7 48 c7 c6 00 05 54 8c e8 2d 43 12 00 90 <0f> 0b e8 b5 e9 c5 ff 4c 89 e7 48 c7 c6 80 0e 54 8c e8 16 43 12 00
RSP: 0018:ffffc90004087300 EFLAGS: 00010246
RAX: ba56fbab94ec7e00 RBX: 0000000000000004 RCX: ffffffff93686020
RDX: dffffc0000000000 RSI: ffffffff8e6497f7 RDI: 0000000000000001
RBP: ffffc900040874b0 R08: ffffffff905fe577 R09: 1ffffffff20bfcae
R10: dffffc0000000000 R11: fffffbfff20bfcaf R12: ffffea0001ededc0
R13: ffffc90004087400 R14: 0000000000000000 R15: dffffc0000000000
FS:  0000555577940380(0000) GS:ffff88812509a000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb2a265a1f0 CR3: 000000007eb78000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 filemap_add_folio+0x157/0x380 mm/filemap.c:969
 page_cache_ra_unbounded+0x40c/0x820 mm/readahead.c:275
 do_sync_mmap_readahead+0x3e6/0x6c0 mm/filemap.c:-1
 filemap_fault+0x763/0x13d0 mm/filemap.c:3403
 __do_fault+0x137/0x390 mm/memory.c:5098
 do_shared_fault mm/memory.c:5582 [inline]
 do_fault mm/memory.c:5656 [inline]
 do_pte_missing mm/memory.c:4160 [inline]
 handle_pte_fault+0xfcc/0x61c0 mm/memory.c:5997
 __handle_mm_fault mm/memory.c:6140 [inline]
 handle_mm_fault+0x1129/0x1bf0 mm/memory.c:6309
 do_user_addr_fault arch/x86/mm/fault.c:1337 [inline]
 handle_page_fault arch/x86/mm/fault.c:1480 [inline]
 exc_page_fault+0x45b/0x920 arch/x86/mm/fault.c:1538
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7fb2a25adba4
Code: 2d 41 b8 13 00 00 00 bf 09 00 00 00 bb 03 00 00 00 e8 b0 14 03 00 ba 71 12 08 40 bf 10 00 00 00 48 b8 00 01 00 00 00 20 00 00 <48> c7 00 00 00 01 00 48 8b 35 1e 95 0a 00 48 89 c1 31 c0 e8 84 14
RSP: 002b:00007ffd9b4d3c20 EFLAGS: 00010217
RAX: 0000200000000100 RBX: 0000000000000003 RCX: 00007fb2a25df059
RDX: 0000000040081271 RSI: 0000000000b36000 RDI: 0000000000000010
RBP: 0000000000000000 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000000000013 R11: 0000000000000216 R12: 00007ffd9b4d3c4c
R13: 00007ffd9b4d3c60 R14: 00007ffd9b4d3ca0 R15: 0000000000000008
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__filemap_add_folio+0x1554/0x16c0 mm/filemap.c:867
Code: e9 c5 ff 4c 89 e7 48 c7 c6 80 0e 54 8c e8 44 43 12 00 90 0f 0b e8 cc e9 c5 ff 4c 89 e7 48 c7 c6 00 05 54 8c e8 2d 43 12 00 90 <0f> 0b e8 b5 e9 c5 ff 4c 89 e7 48 c7 c6 80 0e 54 8c e8 16 43 12 00
RSP: 0018:ffffc90004087300 EFLAGS: 00010246
RAX: ba56fbab94ec7e00 RBX: 0000000000000004 RCX: ffffffff93686020
RDX: dffffc0000000000 RSI: ffffffff8e6497f7 RDI: 0000000000000001
RBP: ffffc900040874b0 R08: ffffffff905fe577 R09: 1ffffffff20bfcae
R10: dffffc0000000000 R11: fffffbfff20bfcaf R12: ffffea0001ededc0
R13: ffffc90004087400 R14: 0000000000000000 R15: dffffc0000000000
FS:  0000555577940380(0000) GS:ffff888124f9a000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb2a265a1f0 CR3: 000000007eb78000 CR4: 0000000000350ef0


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [syzbot] [fs?] [mm?] kernel BUG in __filemap_add_folio
       [not found] <CAHxc4btH53u7Y3DRFmaiF3-pqumZi1swOgEi0r2_4=bTnKfjSw@mail.gmail.com>
@ 2025-10-11 12:14 ` syzbot
  0 siblings, 0 replies; 9+ messages in thread
From: syzbot @ 2025-10-11 12:14 UTC (permalink / raw)
  To: dileepsankhla.ds, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in mpage_readahead

------------[ cut here ]------------
kernel BUG at ./include/linux/pagemap.h:1398!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 15521 Comm: syz-executor273 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:__readahead_folio include/linux/pagemap.h:1398 [inline]
RIP: 0010:readahead_folio include/linux/pagemap.h:1424 [inline]
RIP: 0010:mpage_readahead+0x399/0x590 fs/mpage.c:367
Code: 24 84 c0 74 08 3c 03 0f 8e 61 01 00 00 44 8b 7b 20 89 ef 44 89 fe e8 f6 a2 72 ff 41 39 ef 0f 83 9f fd ff ff e8 68 a8 72 ff 90 <0f> 0b e8 60 a8 72 ff 4c 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1
RSP: 0018:ffffc9000e897640 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffffc9000e897af8 RCX: ffffffff8248e65a
RDX: ffff888078074880 RSI: ffffffff8248e668 RDI: 0000000000000004
RBP: 0000000000000004 R08: 0000000000000004 R09: 0000000000000004
R10: 0000000000000001 R11: 0000000000000000 R12: dffffc0000000000
R13: ffffc9000e897b1c R14: fffff52001d12f63 R15: 0000000000000001
FS:  0000555574632380(0000) GS:ffff8881246b5000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fbdedf84130 CR3: 00000000697eb000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 read_pages+0x1c4/0xc70 mm/readahead.c:160
 page_cache_ra_unbounded+0x5d2/0x7d0 mm/readahead.c:264
 do_page_cache_ra mm/readahead.c:327 [inline]
 page_cache_ra_order+0xa28/0xd60 mm/readahead.c:532
 do_sync_mmap_readahead mm/filemap.c:3304 [inline]
 filemap_fault+0x152e/0x2930 mm/filemap.c:3445
 __do_fault+0x10d/0x490 mm/memory.c:5152
 do_shared_fault mm/memory.c:5637 [inline]
 do_fault mm/memory.c:5711 [inline]
 do_pte_missing+0x1a6/0x3ba0 mm/memory.c:4234
 handle_pte_fault mm/memory.c:6052 [inline]
 __handle_mm_fault+0x152a/0x2a50 mm/memory.c:6195
 handle_mm_fault+0x589/0xd10 mm/memory.c:6364
 do_user_addr_fault+0x60c/0x1370 arch/x86/mm/fault.c:1336
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x5c/0xb0 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7fbdeded986d
Code: 03 00 b9 03 10 12 00 45 31 c0 48 ba 80 00 00 00 00 20 00 00 48 b8 2f 64 65 76 2f 6e 75 6c 48 c7 c6 9c ff ff ff bf 01 01 00 00 <48> 89 02 48 b8 88 00 00 00 00 20 00 00 c7 00 6c 62 30 00 31 c0 e8
RSP: 002b:00007ffc828830a0 EFLAGS: 00010246
RAX: 6c756e2f7665642f RBX: 0000000000000000 RCX: 0000000000121003
RDX: 0000200000000080 RSI: ffffffffffffff9c RDI: 0000000000000101
RBP: 00000000000f4240 R08: 0000000000000000 R09: 0000000000002000
R10: 0000000000000013 R11: 0000000000000206 R12: 0000000000078a5d
R13: 00007ffc828830bc R14: 00007ffc828830d0 R15: 00007ffc828830c0
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__readahead_folio include/linux/pagemap.h:1398 [inline]
RIP: 0010:readahead_folio include/linux/pagemap.h:1424 [inline]
RIP: 0010:mpage_readahead+0x399/0x590 fs/mpage.c:367
Code: 24 84 c0 74 08 3c 03 0f 8e 61 01 00 00 44 8b 7b 20 89 ef 44 89 fe e8 f6 a2 72 ff 41 39 ef 0f 83 9f fd ff ff e8 68 a8 72 ff 90 <0f> 0b e8 60 a8 72 ff 4c 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1
RSP: 0018:ffffc9000e897640 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffffc9000e897af8 RCX: ffffffff8248e65a
RDX: ffff888078074880 RSI: ffffffff8248e668 RDI: 0000000000000004
RBP: 0000000000000004 R08: 0000000000000004 R09: 0000000000000004
R10: 0000000000000001 R11: 0000000000000000 R12: dffffc0000000000
R13: ffffc9000e897b1c R14: fffff52001d12f63 R15: 0000000000000001
FS:  0000555574632380(0000) GS:ffff8881246b5000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fbdedf84130 CR3: 00000000697eb000 CR4: 00000000003526f0


Tested on:

commit:         9dd1835e Merge tag 'dma-mapping-6.17-2025-09-09' of gi..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17224dcd980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=c53bac41b8ca5327
dashboard link: https://syzkaller.appspot.com/bug?extid=4d3cc33ef7a77041efa6
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=124659e2580000



* Re: [syzbot] [fs?] [mm?] kernel BUG in __filemap_add_folio
       [not found] <CAHxc4buC59r-8V89TqXQPT-PnfSed4YU17Okc8jnX5hek22bwA@mail.gmail.com>
@ 2025-11-04  9:40 ` syzbot
  2025-12-10 11:55   ` Dileep Sankhla
  0 siblings, 1 reply; 9+ messages in thread
From: syzbot @ 2025-11-04  9:40 UTC (permalink / raw)
  To: dileepsankhla.ds, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in mpage_readahead

------------[ cut here ]------------
kernel BUG at ./include/linux/pagemap.h:1398!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 15896 Comm: syz.2.4490 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:__readahead_folio include/linux/pagemap.h:1398 [inline]
RIP: 0010:readahead_folio include/linux/pagemap.h:1424 [inline]
RIP: 0010:mpage_readahead+0x399/0x590 fs/mpage.c:367
Code: 24 84 c0 74 08 3c 03 0f 8e 61 01 00 00 44 8b 7b 20 89 ef 44 89 fe e8 f6 a2 72 ff 41 39 ef 0f 83 9f fd ff ff e8 68 a8 72 ff 90 <0f> 0b e8 60 a8 72 ff 4c 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1
RSP: 0018:ffffc90010c6f640 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffffc90010c6faf8 RCX: ffffffff8248e65a
RDX: ffff888029b1c880 RSI: ffffffff8248e668 RDI: 0000000000000004
RBP: 0000000000000004 R08: 0000000000000004 R09: 0000000000000004
R10: 0000000000000001 R11: 0000000000000000 R12: dffffc0000000000
R13: ffffc90010c6fb1c R14: fffff5200218df63 R15: 0000000000000001
FS:  000055555fc7a500(0000) GS:ffff8881246b5000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2dc63fff CR3: 0000000029c5c000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 read_pages+0x1c4/0xc70 mm/readahead.c:160
 page_cache_ra_unbounded+0x5d2/0x7d0 mm/readahead.c:264
 do_page_cache_ra mm/readahead.c:327 [inline]
 page_cache_ra_order+0xa28/0xd60 mm/readahead.c:532
 do_sync_mmap_readahead mm/filemap.c:3304 [inline]
 filemap_fault+0x152e/0x2930 mm/filemap.c:3445
 __do_fault+0x10d/0x490 mm/memory.c:5152
 do_shared_fault mm/memory.c:5637 [inline]
 do_fault mm/memory.c:5711 [inline]
 do_pte_missing+0x1a6/0x3ba0 mm/memory.c:4234
 handle_pte_fault mm/memory.c:6052 [inline]
 __handle_mm_fault+0x152a/0x2a50 mm/memory.c:6195
 handle_mm_fault+0x589/0xd10 mm/memory.c:6364
 do_user_addr_fault+0x60c/0x1370 arch/x86/mm/fault.c:1336
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x5c/0xb0 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7ffbdbb58088
Code: 66 89 74 17 02 88 0f c3 c5 fa 6f 06 c5 fa 6f 4c 16 f0 c5 fa 7f 07 c5 fa 7f 4c 17 f0 c3 0f 1f 44 00 00 48 8b 4c 16 f8 48 8b 36 <48> 89 37 48 89 4c 17 f8 c3 62 e1 fe 28 6f 54 16 ff 62 e1 fe 28 6f
RSP: 002b:00007fff9dac8778 EFLAGS: 00010202
RAX: 0000200000000080 RBX: 0000000000000004 RCX: 0030626c6c756e2f
RDX: 000000000000000c RSI: 6c756e2f7665642f RDI: 0000200000000080
RBP: 00007ffbdbdd7da0 R08: 0000001b2eb20000 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000009 R12: 00007ffbdbdd5fac
R13: 00007ffbdbdd5fa0 R14: fffffffffffffffe R15: 00007fff9dac8890
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__readahead_folio include/linux/pagemap.h:1398 [inline]
RIP: 0010:readahead_folio include/linux/pagemap.h:1424 [inline]
RIP: 0010:mpage_readahead+0x399/0x590 fs/mpage.c:367
Code: 24 84 c0 74 08 3c 03 0f 8e 61 01 00 00 44 8b 7b 20 89 ef 44 89 fe e8 f6 a2 72 ff 41 39 ef 0f 83 9f fd ff ff e8 68 a8 72 ff 90 <0f> 0b e8 60 a8 72 ff 4c 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1
RSP: 0018:ffffc90010c6f640 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffffc90010c6faf8 RCX: ffffffff8248e65a
RDX: ffff888029b1c880 RSI: ffffffff8248e668 RDI: 0000000000000004
RBP: 0000000000000004 R08: 0000000000000004 R09: 0000000000000004
R10: 0000000000000001 R11: 0000000000000000 R12: dffffc0000000000
R13: ffffc90010c6fb1c R14: fffff5200218df63 R15: 0000000000000001
FS:  000055555fc7a500(0000) GS:ffff8881246b5000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555704e95c8 CR3: 0000000029c5c000 CR4: 00000000003526f0


Tested on:

commit:         9dd1835e Merge tag 'dma-mapping-6.17-2025-09-09' of gi..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=10cdc114580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=c53bac41b8ca5327
dashboard link: https://syzkaller.appspot.com/bug?extid=4d3cc33ef7a77041efa6
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=103ee342580000



* Re: [syzbot] [fs?] [mm?] kernel BUG in __filemap_add_folio
  2025-04-25  1:19 syzbot
@ 2025-11-30 15:03 ` shaurya
  2025-11-30 15:51   ` syzbot
  0 siblings, 1 reply; 9+ messages in thread
From: shaurya @ 2025-11-30 15:03 UTC (permalink / raw)
  To: syzbot+4d3cc33ef7a77041efa6
  Cc: akpm, brauner, hare, linux-fsdevel, linux-kernel, linux-mm,
	mcgrof, syzkaller-bugs, willy

[-- Attachment #1: Type: text/plain, Size: 83 bytes --]

#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

[-- Attachment #2: 0001-mm-readahead-fix-race-between-page_cache_ra_order-an.patch --]
[-- Type: text/x-patch, Size: 3056 bytes --]

From ec7ea9a1f03f36672cf5acb23761cfef6b948f21 Mon Sep 17 00:00:00 2001
From: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
Date: Sun, 30 Nov 2025 20:27:25 +0530
Subject: [PATCH] mm/readahead: fix race between page_cache_ra_order and
 set_blocksize

page_cache_ra_order() reads mapping_min_folio_order() before acquiring
the invalidate_lock, creating a time-of-check-time-of-use (TOCTOU) race
with set_blocksize() which can change the mapping's min_folio_order
while holding the invalidate_lock exclusively.

If set_blocksize() increases the mapping's min_folio_order after
page_cache_ra_order() reads the old value but before it adds folios
to the page cache, the VM_BUG_ON check in __filemap_add_folio() will
trigger:

  VM_BUG_ON_FOLIO(folio_order(folio) < mapping_min_folio_order(mapping),
                  folio);

This can happen because the stale min_order is used to calculate
new_order and constrain the folio order, but filemap_add_folio()
re-reads the (now increased) min_folio_order from the mapping.

Fix this by moving the read of mapping_min_folio_order() and the
new_order calculation to after the invalidate_lock is acquired in
shared mode.

Reported-by: syzbot+4d3cc33ef7a77041efa6@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4d3cc33ef7a77041efa6
Fixes: 47dd67532303 ("block/bdev: lift block size restrictions to 64k")
Cc: stable@vger.kernel.org
Signed-off-by: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
---
 mm/readahead.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/mm/readahead.c b/mm/readahead.c
index 3a4b5d58eeb6..95718f87bd43 100644
--- a/mm/readahead.c
+++ b/mm/readahead.c
@@ -467,7 +467,7 @@ void page_cache_ra_order(struct readahead_control *ractl,
 	struct address_space *mapping = ractl->mapping;
 	pgoff_t start = readahead_index(ractl);
 	pgoff_t index = start;
-	unsigned int min_order = mapping_min_folio_order(mapping);
+	unsigned int min_order;
 	pgoff_t limit = (i_size_read(mapping->host) - 1) >> PAGE_SHIFT;
 	pgoff_t mark = index + ra->size - ra->async_size;
 	unsigned int nofs;
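Review bot: with the initializer dropped, `min_order` is uninitialized from here until the assignment later in the function, so the early `goto fallback` on the `!mapping_large_folio_support()` path (the `fallback:` label is visible in the second hunk's context) must not reach any use of `min_order`. That holds for the lines shown, but a short comment on the declaration, e.g. `/* read under invalidate_lock below, see set_blocksize() */`, would stop a later cleanup from hoisting the read back up to the declaration and reintroducing the race.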
@@ -483,15 +483,22 @@ void page_cache_ra_order(struct readahead_control *ractl,
 
 	limit = min(limit, index + ra->size - 1);
 
+	/* See comment in page_cache_ra_unbounded() */
+	nofs = memalloc_nofs_save();
+	filemap_invalidate_lock_shared(mapping);
+
+	/*
+	 * Re-read min_order after acquiring the invalidate_lock to avoid a
+	 * race with set_blocksize() which can change the mapping's min_order
+	 * while holding the invalidate_lock exclusively.
+	 */
+	min_order = mapping_min_folio_order(mapping);
 	new_order = min(mapping_max_folio_order(mapping), new_order);
 	new_order = min_t(unsigned int, new_order, ilog2(ra->size));
 	new_order = max(new_order, min_order);
 
 	ra->order = new_order;
 
-	/* See comment in page_cache_ra_unbounded() */
-	nofs = memalloc_nofs_save();
-	filemap_invalidate_lock_shared(mapping);
 	/*
 	 * If the new_order is greater than min_order and index is
 	 * already aligned to new_order, then this will be noop as index
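Review bot: the re-read of `mapping_min_folio_order()` under the shared lock covers the folio allocation loop in this function, but the unlock after `read_pages()` is not touched by this patch, so the `fallback:` path still calls `do_page_cache_ra()` with the lock dropped. syzbot's result on this patch (the `mpage_readahead` BUG further down the thread) shows the crash now arriving through `page_cache_ra_order` -> `do_page_cache_ra` -> `page_cache_ra_unbounded`, i.e. the same check-then-lock ordering should be audited in `page_cache_ra_unbounded()` before resubmitting; as posted, the fix narrows the window rather than closing it.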
-- 
2.34.1


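The race the commit message above describes is a check-then-lock ordering bug: a value that a writer changes under the exclusive lock is read before the shared lock is taken and then used inside the critical section, where another piece of code (`__filemap_add_folio()`) re-reads the live value. The following user-space model is an added example, not code from the patch, the kernel or syzbot; every name ending in `_model`, plus `clamp_new_order()` and `scenario()`, is constructed for it. It drives the writer deterministically into the window between the stale read and the lock, shows the invariant that `VM_BUG_ON_FOLIO` checks failing for the unpatched ordering, and shows it holding once the read is moved under the lock. The `ilog2(ra->size)` bound from `page_cache_ra_order()` is left out of the clamp because it does not affect the race.

```c
/* Added example: user-space model of the min_folio_order TOCTOU. All *_model
 * names, clamp_new_order() and scenario() are constructed, not kernel code. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Just enough rwsem state to show lock scope; contention aborts instead of sleeping. */
struct rwsem_model {
	unsigned int readers;
	bool writer;
};

static void down_read_model(struct rwsem_model *l)
{
	if (l->writer)
		abort();		/* a real rwsem would sleep here */
	l->readers++;
}

static void up_read_model(struct rwsem_model *l) { l->readers--; }

static void down_write_model(struct rwsem_model *l)
{
	if (l->writer || l->readers)
		abort();		/* would sleep until every reader leaves */
	l->writer = true;
}

static void up_write_model(struct rwsem_model *l) { l->writer = false; }

/* Stand-in for address_space: the two fields the race is about, plus the lock. */
struct mapping_model {
	struct rwsem_model invalidate_lock;
	unsigned int min_folio_order;
	unsigned int max_folio_order;
};

/* The min/max clamping from page_cache_ra_order(); the ilog2(ra->size) bound is omitted. */
static unsigned int clamp_new_order(unsigned int requested,
				    unsigned int min_order, unsigned int max_order)
{
	unsigned int new_order = requested < max_order ? requested : max_order;

	return new_order > min_order ? new_order : min_order;
}

/* Models set_blocksize(): raises min_folio_order under the exclusive lock. */
static void set_blocksize_model(struct mapping_model *m, unsigned int new_min_order)
{
	down_write_model(&m->invalidate_lock);
	m->min_folio_order = new_min_order;
	up_write_model(&m->invalidate_lock);
}

/*
 * Models the unpatched page_cache_ra_order(): min_order is read before the
 * shared lock and the writer runs in the window between the two. Returns
 * whether the invariant __filemap_add_folio() asserts (folio order >= the
 * mapping's current min order) still holds when the folio is added.
 */
static bool ra_order_racy(struct mapping_model *m, unsigned int requested,
			  unsigned int raised_min_order)
{
	unsigned int min_order = m->min_folio_order;	/* read outside the lock */
	unsigned int new_order;
	bool invariant_holds;

	set_blocksize_model(m, raised_min_order);	/* the writer gets in here */

	down_read_model(&m->invalidate_lock);
	new_order = clamp_new_order(requested, min_order, m->max_folio_order);
	/* __filemap_add_folio() re-reads the live value under the lock. */
	invariant_holds = new_order >= m->min_folio_order;
	up_read_model(&m->invalidate_lock);
	return invariant_holds;
}

/* Models the patched ordering: the writer can only run before we hold the lock. */
static bool ra_order_fixed(struct mapping_model *m, unsigned int requested,
			   unsigned int raised_min_order)
{
	unsigned int min_order, new_order;
	bool invariant_holds;

	set_blocksize_model(m, raised_min_order);

	down_read_model(&m->invalidate_lock);
	min_order = m->min_folio_order;			/* read under the lock */
	new_order = clamp_new_order(requested, min_order, m->max_folio_order);
	invariant_holds = new_order >= m->min_folio_order;
	up_read_model(&m->invalidate_lock);
	return invariant_holds;
}

/* Constructed scenario: readahead wants order 2 while the block size is raised
 * in flight from 4k (order 0) to 64k (order 4 on 4k pages). */
static bool scenario(bool patched)
{
	struct mapping_model m = { { 0, false }, 0, 9 };

	return patched ? ra_order_fixed(&m, 2, 4) : ra_order_racy(&m, 2, 4);
}

int main(void)
{
	printf("unpatched: invariant %s\n",
	       scenario(false) ? "holds" : "violated (VM_BUG_ON_FOLIO would fire)");
	printf("patched:   invariant %s\n", scenario(true) ? "holds" : "violated");
	return 0;
}
```

The model only abstracts the lock; the ordering of reads is the same as in the two versions of `page_cache_ra_order()`. The point it makes for review is that moving the read under the lock is necessary but only protects this function's own critical section: any other path that reads the same field before taking the lock keeps its own copy of the race.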

* Re: [syzbot] [fs?] [mm?] kernel BUG in __filemap_add_folio
  2025-11-30 15:03 ` shaurya
@ 2025-11-30 15:51   ` syzbot
  0 siblings, 0 replies; 9+ messages in thread
From: syzbot @ 2025-11-30 15:51 UTC (permalink / raw)
  To: akpm, brauner, hare, linux-fsdevel, linux-kernel, linux-mm,
	mcgrof, ssranevjti, syzkaller-bugs, willy

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in mpage_readahead

------------[ cut here ]------------
kernel BUG at ./include/linux/pagemap.h:1408!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 1 UID: 0 PID: 18176 Comm: syz-executor317 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:__readahead_folio include/linux/pagemap.h:1408 [inline]
RIP: 0010:readahead_folio include/linux/pagemap.h:1434 [inline]
RIP: 0010:mpage_readahead+0x4ad/0x5a0 fs/mpage.c:367
Code: 5e 41 5f c3 cc cc cc cc e8 b0 19 70 ff 48 89 ef e8 48 06 ad ff e9 54 fe ff ff 4c 8b 6c 24 18 e9 43 ff ff ff e8 94 19 70 ff 90 <0f> 0b e8 8c 19 70 ff 48 c7 c6 00 b6 80 8b 48 89 ef e8 1d 39 ba ff
RSP: 0018:ffffc9000d92f620 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffffc9000d92fae8 RCX: ffffffff824c7d14
RDX: ffff88802fe68000 RSI: ffffffff824c809c RDI: 0000000000000004
RBP: 0000000000000004 R08: 0000000000000004 R09: 0000000000000004
R10: 0000000000000001 R11: 0000000000000000 R12: dffffc0000000000
R13: fffff52001b25f61 R14: 0000000000000001 R15: 1ffff92001b25f61
FS:  0000555564bcd380(0000) GS:ffff888124f53000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f08297b0130 CR3: 0000000030a16000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 read_pages+0x1c4/0xc70 mm/readahead.c:163
 page_cache_ra_unbounded+0x66a/0xa10 mm/readahead.c:269
 do_page_cache_ra mm/readahead.c:332 [inline]
 page_cache_ra_order+0xc0b/0xf20 mm/readahead.c:542
 do_sync_mmap_readahead mm/filemap.c:3340 [inline]
 filemap_fault+0x1583/0x29a0 mm/filemap.c:3489
 __do_fault+0x10d/0x490 mm/memory.c:5281
 do_shared_fault mm/memory.c:5780 [inline]
 do_fault mm/memory.c:5854 [inline]
 do_pte_missing+0x1a6/0x3ba0 mm/memory.c:4362
 handle_pte_fault mm/memory.c:6195 [inline]
 __handle_mm_fault+0x1556/0x2aa0 mm/memory.c:6336
 handle_mm_fault+0x589/0xd10 mm/memory.c:6505
 do_user_addr_fault+0x60c/0x1370 arch/x86/mm/fault.c:1336
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x64/0xc0 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
RIP: 0033:0x7f082970586d
Code: 03 00 b9 03 10 12 00 45 31 c0 48 ba 80 00 00 00 00 20 00 00 48 b8 2f 64 65 76 2f 6e 75 6c 48 c7 c6 9c ff ff ff bf 01 01 00 00 <48> 89 02 48 b8 88 00 00 00 00 20 00 00 c7 00 6c 62 30 00 31 c0 e8
RSP: 002b:00007ffff735c180 EFLAGS: 00010246
RAX: 6c756e2f7665642f RBX: 0000000000000000 RCX: 0000000000121003
RDX: 0000200000000080 RSI: ffffffffffffff9c RDI: 0000000000000101
RBP: 00000000000f4240 R08: 0000000000000000 R09: 0000000000002000
R10: 0000000000000013 R11: 0000000000000206 R12: 0000000000079470
R13: 00007ffff735c19c R14: 00007ffff735c1b0 R15: 00007ffff735c1a0
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__readahead_folio include/linux/pagemap.h:1408 [inline]
RIP: 0010:readahead_folio include/linux/pagemap.h:1434 [inline]
RIP: 0010:mpage_readahead+0x4ad/0x5a0 fs/mpage.c:367
Code: 5e 41 5f c3 cc cc cc cc e8 b0 19 70 ff 48 89 ef e8 48 06 ad ff e9 54 fe ff ff 4c 8b 6c 24 18 e9 43 ff ff ff e8 94 19 70 ff 90 <0f> 0b e8 8c 19 70 ff 48 c7 c6 00 b6 80 8b 48 89 ef e8 1d 39 ba ff
RSP: 0018:ffffc9000d92f620 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffffc9000d92fae8 RCX: ffffffff824c7d14
RDX: ffff88802fe68000 RSI: ffffffff824c809c RDI: 0000000000000004
RBP: 0000000000000004 R08: 0000000000000004 R09: 0000000000000004
R10: 0000000000000001 R11: 0000000000000000 R12: dffffc0000000000
R13: fffff52001b25f61 R14: 0000000000000001 R15: 1ffff92001b25f61
FS:  0000555564bcd380(0000) GS:ffff888124f53000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f08297b0130 CR3: 0000000030a16000 CR4: 00000000003526f0


Tested on:

commit:         6bda50f4 Merge tag 'mips-fixes_6.18_2' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11857514580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f4a1ecf59be91960
dashboard link: https://syzkaller.appspot.com/bug?extid=4d3cc33ef7a77041efa6
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10dc7cb4580000



* Re: [syzbot] [fs?] [mm?] kernel BUG in __filemap_add_folio
  2025-11-04  9:40 ` syzbot
@ 2025-12-10 11:55   ` Dileep Sankhla
  2025-12-10 12:22     ` syzbot
  0 siblings, 1 reply; 9+ messages in thread
From: Dileep Sankhla @ 2025-12-10 11:55 UTC (permalink / raw)
  To: syzbot; +Cc: linux-kernel, syzkaller-bugs

[-- Attachment #1: Type: text/plain, Size: 83 bytes --]

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
master

[-- Attachment #2: my_patch.patch --]
[-- Type: text/x-patch, Size: 2419 bytes --]

diff --git a/mm/readahead.c b/mm/readahead.c
index b415c9969176..8462e744a890 100644
--- a/mm/readahead.c
+++ b/mm/readahead.c
@@ -467,7 +467,7 @@ void page_cache_ra_order(struct readahead_control *ractl,
 	struct address_space *mapping = ractl->mapping;
 	pgoff_t start = readahead_index(ractl);
 	pgoff_t index = start;
-	unsigned int min_order = mapping_min_folio_order(mapping);
+	unsigned int min_order;
 	pgoff_t limit = (i_size_read(mapping->host) - 1) >> PAGE_SHIFT;
 	pgoff_t mark = index + ra->size - ra->async_size;
 	unsigned int nofs;
@@ -475,6 +475,10 @@ void page_cache_ra_order(struct readahead_control *ractl,
 	gfp_t gfp = readahead_gfp_mask(mapping);
 	unsigned int new_order = ra->order;
 
+	/* See comment in page_cache_ra_unbounded() */
+	nofs = memalloc_nofs_save();
+	filemap_invalidate_lock_shared(mapping);
+
 	trace_page_cache_ra_order(mapping->host, start, ra);
 	if (!mapping_large_folio_support(mapping)) {
 		ra->order = 0;
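Review bot: taking `filemap_invalidate_lock_shared()` (and `memalloc_nofs_save()`) before `trace_page_cache_ra_order()` and the `!mapping_large_folio_support()` check widens the critical section to cover the early `goto fallback`, so every exit from the function now has to drop the lock, and on that path the lock is held across `do_page_cache_ra()`. The narrower fix is to leave the acquisition where it was, right before the `new_order` computation, and move only the `mapping_min_folio_order()` read under it, which keeps the lock scope unchanged and avoids the nested acquisition the later hunks introduce.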
@@ -483,15 +487,14 @@ void page_cache_ra_order(struct readahead_control *ractl,
 
 	limit = min(limit, index + ra->size - 1);
 
+	min_order = mapping_min_folio_order(mapping);
+
 	new_order = min(mapping_max_folio_order(mapping), new_order);
 	new_order = min_t(unsigned int, new_order, ilog2(ra->size));
 	new_order = max(new_order, min_order);
 
 	ra->order = new_order;
 
-	/* See comment in page_cache_ra_unbounded() */
-	nofs = memalloc_nofs_save();
-	filemap_invalidate_lock_shared(mapping);
 	/*
 	 * If the new_order is greater than min_order and index is
 	 * already aligned to new_order, then this will be noop as index
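Review bot: the read of `mapping_min_folio_order()` under the shared lock is the actual fix, and it deserves a comment at the new `min_order = ...` line saying that it must stay below `filemap_invalidate_lock_shared()` because `set_blocksize()` changes the value under the exclusive lock; without it the next cleanup may hoist the read back to the declaration. The patch also carries no commit message, `Fixes:` tag or `Reported-by:` line; the race described in the other patch in this thread is what the message needs to say.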
@@ -516,8 +519,6 @@ void page_cache_ra_order(struct readahead_control *ractl,
 	}
 
 	read_pages(ractl);
-	filemap_invalidate_unlock_shared(mapping);
-	memalloc_nofs_restore(nofs);
 
 	/*
 	 * If there were already pages in the page cache, then we may have
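Review bot: removing the unlock and `memalloc_nofs_restore()` here leaves the shared lock held through `if (!err) goto end;` and, when `err` is set, into `fallback:` where `do_page_cache_ra()` runs. `page_cache_ra_unbounded()` takes `filemap_invalidate_lock_shared()` itself (syzbot's reply below shows it at `mm/readahead.c:233` under `down_read`), so this becomes a nested read of the same rwsem; once `set_blocksize()` is queued in `down_write` on that lock, the inner `down_read` cannot proceed and the writer waits forever on the outer read. That is the `task hung in set_blocksize` result syzbot reports on this patch.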
@@ -525,7 +526,7 @@ void page_cache_ra_order(struct readahead_control *ractl,
 	 * situation below.
 	 */
 	if (!err)
-		return;
+		goto end;
 fallback:
 	/*
 	 * ->readahead() may have updated readahead window size so we have to
@@ -534,6 +535,9 @@ void page_cache_ra_order(struct readahead_control *ractl,
 	if (ra->size > index - start)
 		do_page_cache_ra(ractl, ra->size - (index - start),
 				 ra->async_size);
+end:
+	filemap_invalidate_unlock_shared(mapping);
+	memalloc_nofs_restore(nofs);
 }
 
 static unsigned long ractl_max_pages(struct readahead_control *ractl,
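Review bot: the `end:` label drops the lock only after `do_page_cache_ra()` has returned, which is the nested-acquisition deadlock described for the `read_pages()` hunk. Restore the unlock and `memalloc_nofs_restore(nofs)` to just after `read_pages()` and keep `return;` there, so the `fallback:` path runs with the lock released as before; if the early `goto fallback` must still release the lock, that is an argument for not taking it before that `goto` in the first place.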


* Re: [syzbot] [fs?] [mm?] kernel BUG in __filemap_add_folio
  2025-12-10 11:55   ` Dileep Sankhla
@ 2025-12-10 12:22     ` syzbot
  0 siblings, 0 replies; 9+ messages in thread
From: syzbot @ 2025-12-10 12:22 UTC (permalink / raw)
  To: dileepsankhla.ds, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in set_blocksize

INFO: task syz.0.1117:9015 blocked for more than 143 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.1117      state:D stack:27296 pid:9015  tgid:9012  ppid:6400   task_flags:0x400140 flags:0x00080002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5256 [inline]
 __schedule+0x1139/0x6150 kernel/sched/core.c:6863
 __schedule_loop kernel/sched/core.c:6945 [inline]
 schedule+0xe7/0x3a0 kernel/sched/core.c:6960
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7017
 rwsem_down_write_slowpath+0x521/0x1310 kernel/locking/rwsem.c:1185
 __down_write_common kernel/locking/rwsem.c:1317 [inline]
 __down_write kernel/locking/rwsem.c:1326 [inline]
 down_write+0x1d6/0x200 kernel/locking/rwsem.c:1591
 filemap_invalidate_lock include/linux/fs.h:1082 [inline]
 set_blocksize+0x20f/0x500 block/bdev.c:204
 blkdev_bszset+0x19b/0x240 block/ioctl.c:634
 blkdev_ioctl+0x2ef/0x6e0 block/ioctl.c:773
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl fs/ioctl.c:583 [inline]
 __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f939698eba9
RSP: 002b:00007f93978b0038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f9396bd5fa0 RCX: 00007f939698eba9
RDX: 0000200000000980 RSI: 0000000040081271 RDI: 0000000000000005
RBP: 00007f9396a11e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f9396bd6038 R14: 00007f9396bd5fa0 R15: 00007ffd57bc7cc8
 </TASK>
INFO: task syz.1.1118:9013 blocked for more than 143 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.1.1118      state:D stack:27536 pid:9013  tgid:9013  ppid:6399   task_flags:0x440040 flags:0x00080002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5256 [inline]
 __schedule+0x1139/0x6150 kernel/sched/core.c:6863
 __schedule_loop kernel/sched/core.c:6945 [inline]
 schedule+0xe7/0x3a0 kernel/sched/core.c:6960
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7017
 rwsem_down_read_slowpath+0x64b/0xbf0 kernel/locking/rwsem.c:1086
 __down_read_common kernel/locking/rwsem.c:1261 [inline]
 __down_read kernel/locking/rwsem.c:1274 [inline]
 down_read+0xef/0x460 kernel/locking/rwsem.c:1539
 filemap_invalidate_lock_shared include/linux/fs.h:1092 [inline]
 page_cache_ra_unbounded+0x20c/0x9e0 mm/readahead.c:233
 do_page_cache_ra mm/readahead.c:332 [inline]
 page_cache_ra_order+0x9c8/0xd80 mm/readahead.c:536
 do_sync_mmap_readahead mm/filemap.c:3400 [inline]
 filemap_fault+0x16ac/0x29d0 mm/filemap.c:3549
 __do_fault+0x10d/0x490 mm/memory.c:5320
 do_shared_fault mm/memory.c:5819 [inline]
 do_fault+0x302/0x1ad0 mm/memory.c:5893
 do_pte_missing mm/memory.c:4401 [inline]
 handle_pte_fault mm/memory.c:6273 [inline]
 __handle_mm_fault+0x1919/0x2bb0 mm/memory.c:6411
 handle_mm_fault+0x3fe/0xad0 mm/memory.c:6580
 do_user_addr_fault+0x60c/0x1370 arch/x86/mm/fault.c:1336
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x64/0xc0 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
RIP: 0033:0x7f55be158088
RSP: 002b:00007ffe04457bf8 EFLAGS: 00010202
RAX: 0000200000000080 RBX: 0000000000000004 RCX: 0030626c6c756e2f
RDX: 000000000000000c RSI: 6c756e2f7665642f RDI: 0000200000000080
RBP: 00007f55be3d7da0 R08: 0000001b33920000 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000009 R12: 00007f55be3d5fac
R13: 00007f55be3d5fa0 R14: fffffffffffffffe R15: 00007ffe04457d10
 </TASK>
INFO: lockdep is turned off.
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 31 Comm: khungtaskd Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 nmi_cpu_backtrace+0x27b/0x390 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
 __sys_info lib/sys_info.c:157 [inline]
 sys_info+0x133/0x180 lib/sys_info.c:165
 check_hung_uninterruptible_tasks kernel/hung_task.c:346 [inline]
 watchdog+0xe66/0x1180 kernel/hung_task.c:515
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:pv_native_safe_halt+0xf/0x20 arch/x86/kernel/paravirt.c:82
Code: 86 6c 02 c3 cc cc cc cc 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 13 69 1f 00 fb f4 <e9> cc 35 03 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
RSP: 0018:ffffc90000197de8 EFLAGS: 000002c6
RAX: 000000000003249c RBX: 0000000000000001 RCX: ffffffff8b6af6d9
RDX: ffffed10170a673e RSI: ffffffff8bf29c80 RDI: ffffffff819335dd
RBP: ffffed1003b56498 R08: 0000000000000000 R09: ffffed10170a673d
R10: ffff8880b85339eb R11: 0000000000005e25 R12: 0000000000000001
R13: ffff88801dab24c0 R14: ffffffff908653d0 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff888124a4e000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055555cc735c8 CR3: 000000005dfbe000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
 default_idle+0x13/0x20 arch/x86/kernel/process.c:767
 default_idle_call+0x6c/0xb0 kernel/sched/idle.c:122
 cpuidle_idle_call kernel/sched/idle.c:191 [inline]
 do_idle+0x38d/0x510 kernel/sched/idle.c:332
 cpu_startup_entry+0x4f/0x60 kernel/sched/idle.c:430
 start_secondary+0x21d/0x2d0 arch/x86/kernel/smpboot.c:312
 common_startup_64+0x13e/0x148
 </TASK>


Tested on:

commit:         0048fbb4 Merge tag 'locking-futex-2025-12-10' of git:/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12b6deb4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=219582171d92591c
dashboard link: https://syzkaller.appspot.com/bug?extid=4d3cc33ef7a77041efa6
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=163fda1a580000


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [syzbot] [fs?] [mm?] kernel BUG in __filemap_add_folio
  2025-12-16 12:05 [PATCH] mm/readahead: read min folio constraints under invalidate lock Jinchao Wang
@ 2025-12-16 12:28 ` syzbot
  0 siblings, 0 replies; 9+ messages in thread
From: syzbot @ 2025-12-16 12:28 UTC (permalink / raw)
  To: linux-kernel, stable, syzkaller-bugs, wangjinchao600

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in __filemap_add_folio

 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0x7df/0x1170 mm/page_alloc.c:2943
 rcu_do_batch kernel/rcu/tree.c:2605 [inline]
 rcu_core+0x79c/0x15f0 kernel/rcu/tree.c:2857
 handle_softirqs+0x219/0x950 kernel/softirq.c:622
 run_ksoftirqd kernel/softirq.c:1063 [inline]
 run_ksoftirqd+0x3a/0x60 kernel/softirq.c:1055
 smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
------------[ cut here ]------------
kernel BUG at mm/filemap.c:858!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 1 UID: 0 PID: 6821 Comm: syz.1.76 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:__filemap_add_folio+0xf29/0x11b0 mm/filemap.c:858
Code: 9b c6 ff 48 c7 c6 c0 e9 99 8b 4c 89 ef e8 0f 74 11 00 90 0f 0b e8 47 9b c6 ff 48 c7 c6 20 ea 99 8b 4c 89 ef e8 f8 73 11 00 90 <0f> 0b e8 30 9b c6 ff 90 0f 0b 90 e9 1c fc ff ff e8 22 9b c6 ff 48
RSP: 0018:ffffc900033af840 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff8880737fc980 RSI: ffffffff81f7ebf8 RDI: ffff8880737fce04
RBP: 0000000000112cc0 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff908689d7 R11: 0000000000000000 R12: 0000000000000002
R13: ffffea0001ce4980 R14: 0000000000000000 R15: 0000000000000000
FS:  000055557770b500(0000) GS:ffff888124a48000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9aef15c000 CR3: 000000002ee4c000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 filemap_add_folio+0x19a/0x610 mm/filemap.c:966
 ra_alloc_folio mm/readahead.c:453 [inline]
 page_cache_ra_order+0x637/0xed0 mm/readahead.c:512
 do_sync_mmap_readahead mm/filemap.c:3400 [inline]
 filemap_fault+0x16ac/0x29d0 mm/filemap.c:3549
 __do_fault+0x10d/0x490 mm/memory.c:5320
 do_shared_fault mm/memory.c:5819 [inline]
 do_fault+0x302/0x1ad0 mm/memory.c:5893
 do_pte_missing mm/memory.c:4401 [inline]
 handle_pte_fault mm/memory.c:6273 [inline]
 __handle_mm_fault+0x1919/0x2bb0 mm/memory.c:6411
 handle_mm_fault+0x3fe/0xad0 mm/memory.c:6580
 do_user_addr_fault+0x60c/0x1370 arch/x86/mm/fault.c:1336
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x64/0xc0 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
RIP: 0033:0x7f8af1a55171
Code: 48 8b 54 24 08 48 85 d2 74 17 8b 44 24 18 0f c8 89 c0 48 89 44 24 18 48 83 fa 01 0f 85 b3 01 00 00 48 8b 44 24 10 8b 54 24 18 <89> 10 e9 15 fd ff ff 48 8b 44 24 10 8b 10 48 8b 44 24 08 48 85 c0
RSP: 002b:00007ffc7d678bf0 EFLAGS: 00010246
RAX: 0000200000000980 RBX: 0000000000000004 RCX: 0000000000000000
RDX: 0000000000004000 RSI: 0000000000000000 RDI: 000055557770b3c8
RBP: 00007ffc7d678cf8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000002 R12: 00007f8af1dd5fac
R13: 00007f8af1dd5fa0 R14: fffffffffffffffe R15: 00007ffc7d678d40
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__filemap_add_folio+0xf29/0x11b0 mm/filemap.c:858
Code: 9b c6 ff 48 c7 c6 c0 e9 99 8b 4c 89 ef e8 0f 74 11 00 90 0f 0b e8 47 9b c6 ff 48 c7 c6 20 ea 99 8b 4c 89 ef e8 f8 73 11 00 90 <0f> 0b e8 30 9b c6 ff 90 0f 0b 90 e9 1c fc ff ff e8 22 9b c6 ff 48
RSP: 0018:ffffc900033af840 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff8880737fc980 RSI: ffffffff81f7ebf8 RDI: ffff8880737fce04
RBP: 0000000000112cc0 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff908689d7 R11: 0000000000000000 R12: 0000000000000002
R13: ffffea0001ce4980 R14: 0000000000000000 R15: 0000000000000000
FS:  000055557770b500(0000) GS:ffff888124a48000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f772b5d7dac CR3: 000000002ee4c000 CR4: 00000000003526f0


Tested on:

commit:         40fbbd64 Merge tag 'pull-fixes' of git://git.kernel.or..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10715dc2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=495547a782e37c4f
dashboard link: https://syzkaller.appspot.com/bug?extid=4d3cc33ef7a77041efa6
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.


* Re: [syzbot] [fs?] [mm?] kernel BUG in __filemap_add_folio
       [not found] <CAD3jPMoXJuoiMRoGkVH9gtmDV6m6+S8u8uZS3by9ECJ1ahjBHw@mail.gmail.com>
@ 2026-03-24 20:07 ` syzbot
  0 siblings, 0 replies; 9+ messages in thread
From: syzbot @ 2026-03-24 20:07 UTC (permalink / raw)
  To: hellouser819, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in __filemap_add_folio

 sock_alloc_send_pskb+0x801/0x980 net/core/sock.c:2995
 unix_dgram_sendmsg+0x3c7/0x1820 net/unix/af_unix.c:2127
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg net/socket.c:742 [inline]
 __sys_sendto+0x468/0x4b0 net/socket.c:2206
 __do_sys_sendto net/socket.c:2213 [inline]
 __se_sys_sendto net/socket.c:2209 [inline]
 __x64_sys_sendto+0xe0/0x1c0 net/socket.c:2209
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
------------[ cut here ]------------
kernel BUG at mm/filemap.c:858!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 1 UID: 0 PID: 6671 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:__filemap_add_folio+0xfcf/0x1280 mm/filemap.c:858
Code: 33 c5 ff 48 c7 c6 e0 16 ba 8b 4c 89 ef e8 e9 3f 12 00 90 0f 0b e8 e1 33 c5 ff 48 c7 c6 40 17 ba 8b 4c 89 ef e8 d2 3f 12 00 90 <0f> 0b e8 ca 33 c5 ff 90 0f 0b 90 e9 4b fe ff ff e8 bc 33 c5 ff 90
RSP: 0018:ffffc900037c7428 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000112cc0 RCX: 0000000000000000
RDX: ffff888031ce24c0 RSI: ffffffff82558dc8 RDI: ffff888031ce2984
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000002
R13: ffffea000142ef40 R14: 0000000000000000 R15: 1ffff920006f8eaf
FS:  00007efde0ba96c0(0000) GS:ffff888124728000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f155571a286 CR3: 000000006b1d7000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 filemap_add_folio+0x1d8/0x690 mm/filemap.c:966
 ra_alloc_folio mm/readahead.c:456 [inline]
 page_cache_ra_order+0x614/0xf30 mm/readahead.c:515
 do_sync_mmap_readahead mm/filemap.c:3405 [inline]
 filemap_fault+0x191a/0x2eb0 mm/filemap.c:3554
 __do_fault+0x10d/0x550 mm/memory.c:5364
 do_shared_fault mm/memory.c:5863 [inline]
 do_fault+0x2db/0x1990 mm/memory.c:5937
 do_pte_missing mm/memory.c:4477 [inline]
 handle_pte_fault mm/memory.c:6317 [inline]
 __handle_mm_fault+0x180f/0x2b60 mm/memory.c:6455
 handle_mm_fault+0x36d/0xa20 mm/memory.c:6624
 faultin_page mm/gup.c:1126 [inline]
 __get_user_pages+0xf9c/0x34d0 mm/gup.c:1428
 __get_user_pages_locked mm/gup.c:1692 [inline]
 faultin_page_range+0x1f1/0x9e0 mm/gup.c:1912
 madvise_populate mm/madvise.c:974 [inline]
 madvise_do_behavior+0x354/0x510 mm/madvise.c:1933
 do_madvise+0x195/0x240 mm/madvise.c:2028
 __do_sys_madvise mm/madvise.c:2037 [inline]
 __se_sys_madvise mm/madvise.c:2035 [inline]
 __x64_sys_madvise+0xa9/0x110 mm/madvise.c:2035
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7efddfd9aef9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007efde0ba9028 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 00007efde0005fa0 RCX: 00007efddfd9aef9
RDX: 0000000000000017 RSI: 0000000000c00000 RDI: 0000200000000000
RBP: 00007efddfe2fee0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007efde0006038 R14: 00007efde0005fa0 R15: 00007ffccbb43488
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__filemap_add_folio+0xfcf/0x1280 mm/filemap.c:858
Code: 33 c5 ff 48 c7 c6 e0 16 ba 8b 4c 89 ef e8 e9 3f 12 00 90 0f 0b e8 e1 33 c5 ff 48 c7 c6 40 17 ba 8b 4c 89 ef e8 d2 3f 12 00 90 <0f> 0b e8 ca 33 c5 ff 90 0f 0b 90 e9 4b fe ff ff e8 bc 33 c5 ff 90
RSP: 0018:ffffc900037c7428 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000112cc0 RCX: 0000000000000000
RDX: ffff888031ce24c0 RSI: ffffffff82558dc8 RDI: ffff888031ce2984
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000002
R13: ffffea000142ef40 R14: 0000000000000000 R15: 1ffff920006f8eaf
FS:  00007efde0ba96c0(0000) GS:ffff888124628000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f577493d9e8 CR3: 000000006b1d7000 CR4: 00000000003526f0


Tested on:

commit:         e3c33bc7 Merge tag 'mm-hotfixes-stable-2026-03-23-17-5..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13e4d6da580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=75b16ce1bc745e05
dashboard link: https://syzkaller.appspot.com/bug?extid=4d3cc33ef7a77041efa6
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44

Note: no patches were applied.


end of thread, other threads:[~2026-03-24 20:07 UTC | newest]

Thread overview: 9+ messages
     [not found] <CAD3jPMoXJuoiMRoGkVH9gtmDV6m6+S8u8uZS3by9ECJ1ahjBHw@mail.gmail.com>
2026-03-24 20:07 ` [syzbot] [fs?] [mm?] kernel BUG in __filemap_add_folio syzbot
2025-12-16 12:05 [PATCH] mm/readahead: read min folio constraints under invalidate lock Jinchao Wang
2025-12-16 12:28 ` [syzbot] [fs?] [mm?] kernel BUG in __filemap_add_folio syzbot
     [not found] <CAHxc4buC59r-8V89TqXQPT-PnfSed4YU17Okc8jnX5hek22bwA@mail.gmail.com>
2025-11-04  9:40 ` syzbot
2025-12-10 11:55   ` Dileep Sankhla
2025-12-10 12:22     ` syzbot
     [not found] <CAHxc4btH53u7Y3DRFmaiF3-pqumZi1swOgEi0r2_4=bTnKfjSw@mail.gmail.com>
2025-10-11 12:14 ` syzbot
  -- strict thread matches above, loose matches on Subject: below --
2025-04-25  1:19 syzbot
2025-11-30 15:03 ` shaurya
2025-11-30 15:51   ` syzbot
