Re: [syzbot] [mm?] WARNING in move_to_new_folio

From: Shivank Garg
Date: Tue Apr 15 2025 - 02:19:11 EST

Next message: Kairui Song: "Re: [PATCH RFC 00/28] Eliminate Dying Memory Cgroup"
Previous message: Andy Shevchenko: "Re: [PATCH v1 1/1] dm table: Fix W=1 build warning when mempool_needs_integrity is unused"
In reply to: syzbot: "Re: [syzbot] [mm?] WARNING in move_to_new_folio"
Next in thread: syzbot: "Re: [syzbot] [mm?] WARNING in move_to_new_folio"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 4/15/2025 11:10 AM, Shivank Garg wrote:
> I made a mistake in insert_metapage. I hope my revised patch work.
> I'll post it to original list if this pass.
>
> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 01c6df60d5d4
>
> Best Regards,
> Shivank
>
> On 4/15/2025 10:54 AM, syzbot wrote:
>> Hello,
>>
>> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
>> unregister_netdevice: waiting for DEV to become free
>>
>> unregister_netdevice: waiting for batadv0 to become free. Usage count = 3
>>
>>
>> Tested on:
>>
>> commit: 01c6df60 Add linux-next specific files for 20250411
>> git tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
>> console output: https://syzkaller.appspot.com/x/log.txt?x=1142f0cc580000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=db03cefa26ecf825
>> dashboard link: https://syzkaller.appspot.com/bug?extid=8bb6fd945af4e0ad9299
>> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
>> patch: https://syzkaller.appspot.com/x/patch.diff?x=107a60cc580000
>>
>
>

Looks like this error is unrelated and due to a different issue:
https://lore.kernel.org/lkml/20250414-double_hold_fix-v5-1-10e056324cde@xxxxxxxxxxxxx

Retesting with Sven Eckelmann's patch for batman-adv

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 01c6df60d5d4

Best Regards,
Shivank

diff --git a/fs/jfs/jfs_metapage.c b/fs/jfs/jfs_metapage.c
index df575a873ec6..d440537db6fe 100644
--- a/fs/jfs/jfs_metapage.c
+++ b/fs/jfs/jfs_metapage.c
@@ -15,6 +15,7 @@
#include <linux/mempool.h>
#include <linux/seq_file.h>
#include <linux/writeback.h>
+#include <linux/migrate.h>
#include "jfs_incore.h"
#include "jfs_superblock.h"
#include "jfs_filsys.h"
@@ -151,6 +152,54 @@ static inline void dec_io(struct folio *folio, blk_status_t status,
handler(folio, anchor->status);
}

+static int __metapage_migrate_folio(struct address_space *mapping, struct folio *dst,
+ struct folio *src, enum migrate_mode mode)
+{
+ struct meta_anchor *src_anchor = src->private;
+ struct metapage *mps[MPS_PER_PAGE] = {0};
+ struct metapage *mp;
+ int i, rc;
+
+ for (i = 0; i < MPS_PER_PAGE; i++) {
+ mp = src_anchor->mp[i];
+ if (mp && metapage_locked(mp))
+ return -EAGAIN;
+ }
+
+ rc = filemap_migrate_folio(mapping, dst, src, mode);
+ if (rc != MIGRATEPAGE_SUCCESS)
+ return rc;
+
+ for (i = 0; i < MPS_PER_PAGE; i++) {
+ mp = src_anchor->mp[i];
+ if (!mp)
+ continue;
+ if (unlikely(insert_metapage(dst, mp))) {
+ /* If error, roll-back previosly inserted pages */
+ for (int j = 0 ; j < i; j++) {
+ if (mps[j])
+ remove_metapage(dst, mps[j]);
+ }
+ return -EAGAIN;
+ }
+ mps[i] = mp;
+ }
+
+ /* Update the metapage and remove it from src */
+ for (int i = 0; i < MPS_PER_PAGE; i++) {
+ mp = mps[i];
+ if (mp) {
+ int page_offset = mp->data - folio_address(src);
+
+ mp->data = folio_address(dst) + page_offset;
+ mp->folio = dst;
+ remove_metapage(src, mp);
+ }
+ }
+
+ return MIGRATEPAGE_SUCCESS;
+}
+
#else
static inline struct metapage *folio_to_mp(struct folio *folio, int offset)
{
@@ -175,6 +224,32 @@ static inline void remove_metapage(struct folio *folio, struct metapage *mp)
#define inc_io(folio) do {} while(0)
#define dec_io(folio, status, handler) handler(folio, status)

+static int __metapage_migrate_folio(struct address_space *mapping, struct folio *dst,
+ struct folio *src, enum migrate_mode mode)
+{
+ struct metapage *mp;
+ int page_offset;
+ int rc;
+
+ mp = folio_to_mp(src, 0);
+ if (mp && metapage_locked(mp))
+ return -EAGAIN;
+
+ rc = filemap_migrate_folio(mapping, dst, src, mode);
+ if (rc != MIGRATEPAGE_SUCCESS)
+ return rc;
+
+ if (unlikely(insert_metapage(dst, mp)))
+ return -EAGAIN;
+
+ page_offset = mp->data - folio_address(src);
+ mp->data = folio_address(dst) + page_offset;
+ mp->folio = dst;
+ remove_metapage(src, mp);
+
+ return MIGRATEPAGE_SUCCESS;
+}
+
#endif

static inline struct metapage *alloc_metapage(gfp_t gfp_mask)
@@ -554,6 +629,24 @@ static bool metapage_release_folio(struct folio *folio, gfp_t gfp_mask)
return ret;
}

+/**
+ * metapage_migrate_folio - Migration function for JFS metapages
+ */
+static int metapage_migrate_folio(struct address_space *mapping, struct folio *dst,
+ struct folio *src, enum migrate_mode mode)
+{
+ int expected_count;
+
+ if (!src->private)
+ return filemap_migrate_folio(mapping, dst, src, mode);
+
+ /* Check whether page does not have extra refs before we do more work */
+ expected_count = folio_expected_refs(mapping, src);
+ if (folio_ref_count(src) != expected_count)
+ return -EAGAIN;
+ return __metapage_migrate_folio(mapping, dst, src, mode);
+}
+
static void metapage_invalidate_folio(struct folio *folio, size_t offset,
size_t length)
{
@@ -570,6 +663,7 @@ const struct address_space_operations jfs_metapage_aops = {
.release_folio = metapage_release_folio,
.invalidate_folio = metapage_invalidate_folio,
.dirty_folio = filemap_dirty_folio,
+ .migrate_folio = metapage_migrate_folio,
};

struct metapage *__get_metapage(struct inode *inode, unsigned long lblock,
diff --git a/include/linux/migrate.h b/include/linux/migrate.h
index aaa2114498d6..cb31c5b1eb6a 100644
--- a/include/linux/migrate.h
+++ b/include/linux/migrate.h
@@ -60,6 +60,7 @@ struct movable_operations {
/* Defined in mm/debug.c: */
extern const char *migrate_reason_names[MR_TYPES];

+int folio_expected_refs(struct address_space *mapping, struct folio *folio);
#ifdef CONFIG_MIGRATION

void putback_movable_pages(struct list_head *l);
diff --git a/mm/migrate.c b/mm/migrate.c
index 6e2488e5dbe4..0f01b8a87dec 100644
--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -445,7 +445,7 @@ void pmd_migration_entry_wait(struct mm_struct *mm, pmd_t *pmd)
}
#endif

-static int folio_expected_refs(struct address_space *mapping,
+int folio_expected_refs(struct address_space *mapping,
struct folio *folio)
{
int refs = 1;
@@ -458,6 +458,7 @@ static int folio_expected_refs(struct address_space *mapping,

return refs;
}
+EXPORT_SYMBOL_GPL(folio_expected_refs);

/*
* Replace the folio in the mapping.
diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c
index f145f9662653..7cd4bdcee439 100644
--- a/net/batman-adv/hard-interface.c
+++ b/net/batman-adv/hard-interface.c
@@ -725,7 +725,6 @@ int batadv_hardif_enable_interface(struct batadv_hard_iface *hard_iface,

kref_get(&hard_iface->refcount);

- dev_hold(mesh_iface);
netdev_hold(mesh_iface, &hard_iface->meshif_dev_tracker, GFP_ATOMIC);
hard_iface->mesh_iface = mesh_iface;
bat_priv = netdev_priv(hard_iface->mesh_iface);

Next message: Kairui Song: "Re: [PATCH RFC 00/28] Eliminate Dying Memory Cgroup"
Previous message: Andy Shevchenko: "Re: [PATCH v1 1/1] dm table: Fix W=1 build warning when mempool_needs_integrity is unused"
In reply to: syzbot: "Re: [syzbot] [mm?] WARNING in move_to_new_folio"
Next in thread: syzbot: "Re: [syzbot] [mm?] WARNING in move_to_new_folio"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]