Re: [BUG] iomap: NULL dereference in iomap_finish_folio_read after deferred failed read

Next message: Manivannan Sadhasivam: "Re: [PATCH v18 00/14] crypto/dmaengine: qce: introduce BAM locking and use DMA for register I/O"
Previous message: Tzung-Bi Shih: "Re: [PATCH v2 4/4] platform/chrome: cros_ec_chardev: Introduce rwsem for protecting ec_dev"
Next in thread: Sam Sun: "Re: [BUG] iomap: NULL dereference in iomap_finish_folio_read after deferred failed read"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Christoph Hellwig

Date: Mon May 25 2026 - 01:43:57 EST

On Sat, May 23, 2026 at 06:58:46PM +0800, Sam Sun wrote:
> Dear developers and maintainers,
>
> We encountered a NULL pointer dereference in the deferred buffered
> read failure path. Unfortunately, no reproducer is available yet.

[snip]

> We analyzed the cause of this report. It seems that failed buffered
> read bios are deferred to a global work item "failed_read_work". The
> deferred worker still owns the bio/folio, but by the time it calls
> `iomap_finish_folio_read()`, the folio may have been truncated,
> invalidated, or otherwise detached from its mapping. In that case,
> `folio->mapping` is NULL, but the error reporting path unconditionally
> dereferences `folio->mapping->host`. This pattern still exists on the
> latest kernel commit.
>
> A possible fix could be avoiding the `folio->mapping->host`

The folio is locked until the folio_end_read() call. So I don't see
what could legitimately clear folio->mapping here. Curiously waiting
for the reproducer to see waht is going wrong here.