From nobody Sat Apr 11 22:44:56 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 43E582BEC23 for ; Sat, 11 Apr 2026 08:57:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775897825; cv=none; b=SO0vxKXYw2/YOtgnozovbdLAGrIouINH24e8S76ma4NmTKeYZEIo6YHCQPjZPfpxykqDcGsZzOiCp7D4KfSPoSPY0rAS2/3Y2kQsC9nCBPmhA4gJnCSO6ncMTY97++UesGBjKF9hfYZXKbZIUZqKei+ArL8zWAS4PRqFTpyoMXM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775897825; c=relaxed/simple; bh=ZLzVcw6W9XYHytoY6GQbhiVjDGxvBZLpIbjUnloA04g=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=il07Ox+95nqlVAWzxzcIpp6cEiMSf64HNyfHw2ycnMgZHJEuXKn8ni0WlBAMkR6KDqwc8VeDdNAR/KtbzDTBtDm5yXa+pD35krOiIm3hdjXQBu8Ew5dAXMdffTuaQ43ysy1Vdf9kd8BcftpgQrNnrCVWoQdbpAKS14/aTANZaDw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=Ut7Rs8Jq; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="Ut7Rs8Jq" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1775897822; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=QEC5EC1Ixd5niDkLE47Ll/3HWYw5UlAHDCsvV7HJbPc=; b=Ut7Rs8Jqz5D2BiSQTTRsPjKjM9WaRORwsp9XZDOxs9h6bEzQh53X4IkCNO+CdSBEvnR5hs oDE1Eje+WzOgoL4LJzpGizFKScN1iCASJPV+E3P5S/sMadpzqIXG4iIbNdYI6+agWkvsod QDTTtP69XD5b2yAug7mCLxA9osuK8Tg= Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-639-jBXGnn3HMlejbsXcOvvRpQ-1; Sat, 11 Apr 2026 04:56:59 -0400 X-MC-Unique: jBXGnn3HMlejbsXcOvvRpQ-1 X-Mimecast-MFC-AGG-ID: jBXGnn3HMlejbsXcOvvRpQ_1775897817 Received: from mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.111]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id AC51A1800365; Sat, 11 Apr 2026 08:56:56 +0000 (UTC) Received: from warthog.procyon.org.com (unknown [10.44.48.47]) by mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id D2E711800B7F; Sat, 11 Apr 2026 08:56:52 +0000 (UTC) From: David Howells To: Christian Brauner Cc: David Howells , Paulo Alcantara , netfs@lists.linux.dev, linux-afs@lists.infradead.org, linux-cifs@vger.kernel.org, ceph-devel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Viacheslav Dubeyko , "Paulo Alcantara (Red Hat)" Subject: [PATCH 1/4] netfs: fix VM_BUG_ON_FOLIO() issue in netfs_write_begin() call Date: Sat, 11 Apr 2026 09:56:39 +0100 Message-ID: <20260411085643.3221565-2-dhowells@redhat.com> In-Reply-To: <20260411085643.3221565-1-dhowells@redhat.com> References: <20260411085643.3221565-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.111 Content-Type: text/plain; charset="utf-8" From: Viacheslav Dubeyko The multiple runs of generic/013 test-case is capable to reproduce a kernel BUG at mm/filemap.c:1504 with probability of 30%. while true; do sudo ./check generic/013 done [ 9849.452376] page: refcount:3 mapcount:0 mapping:00000000e58ff252 index:0= x10781 pfn:0x1c322 [ 9849.452412] memcg:ffff8881a1915800 [ 9849.452417] aops:ceph_aops ino:1000058db9e dentry name(?):"f9XXXXXX" [ 9849.452432] flags: 0x17ffffc0000000(node=3D0|zone=3D2|lastcpupid=3D0x1ff= fff) [ 9849.452441] raw: 0017ffffc0000000 0000000000000000 dead000000000122 ffff= 88816110d248 [ 9849.452445] raw: 0000000000010781 0000000000000000 00000003ffffffff ffff= 8881a1915800 [ 9849.452447] page dumped because: VM_BUG_ON_FOLIO(!folio_test_locked(foli= o)) [ 9849.452474] ------------[ cut here ]------------ [ 9849.452476] kernel BUG at mm/filemap.c:1504! [ 9849.478635] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI [ 9849.481772] CPU: 2 UID: 0 PID: 84223 Comm: fsstress Not tainted 7.0.0-rc= 1+ #18 PREEMPT(full) [ 9849.482881] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS = 1.17.0-9.fc43 06/1 0/2025 [ 9849.484539] RIP: 0010:folio_unlock+0x85/0xa0 [ 9849.485076] Code: 89 df 31 f6 e8 1c f3 ff ff 48 8b 5d f8 c9 31 c0 31 d2 = 31 f6 31 ff c3 cc cc cc cc 48 c7 c6 80 6c d9 a7 48 89 df e8 4b b3 10 00 <0f> 0b 48 89 df e8 2= 1 e6 2c 00 eb 9d 0f 1f 40 00 66 66 2e 0f 1f 84 [ 9849.493818] RSP: 0018:ffff8881bb8076b0 EFLAGS: 00010246 [ 9849.495740] RAX: 0000000000000000 RBX: ffffea00070c8980 RCX: 00000000000= 00000 [ 9849.498678] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000000= 00000 [ 9849.500559] RBP: ffff8881bb8076b8 R08: 0000000000000000 R09: 00000000000= 00000 [ 9849.501097] R10: 0000000000000000 R11: 0000000000000000 R12: 00000000107= 82000 [ 9849.502108] R13: ffff8881935de738 R14: ffff88816110d010 R15: 00000000000= 01000 [ 9849.502516] FS: 00007e36cbe94740(0000) GS:ffff88824a899000(0000) knlGS:= 0000000000000000 [ 9849.502996] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 9849.503810] CR2: 000000c0002b0000 CR3: 000000011bbf6004 CR4: 00000000007= 72ef0 [ 9849.504459] PKRU: 55555554 [ 9849.504626] Call Trace: [ 9849.505242] [ 9849.505379] netfs_write_begin+0x7c8/0x10a0 [ 9849.505877] ? __kasan_check_read+0x11/0x20 [ 9849.506384] ? __pfx_netfs_write_begin+0x10/0x10 [ 9849.507178] ceph_write_begin+0x8c/0x1c0 [ 9849.507934] generic_perform_write+0x391/0x8f0 [ 9849.508503] ? __pfx_generic_perform_write+0x10/0x10 [ 9849.509062] ? file_update_time_flags+0x19a/0x4b0 [ 9849.509581] ? ceph_get_caps+0x63/0xf0 [ 9849.510259] ? ceph_get_caps+0x63/0xf0 [ 9849.510530] ceph_write_iter+0xe79/0x1ae0 [ 9849.511282] ? __pfx_ceph_write_iter+0x10/0x10 [ 9849.511839] ? lock_acquire+0x1ad/0x310 [ 9849.512334] ? ksys_write+0xf9/0x230 [ 9849.512582] ? lock_is_held_type+0xaa/0x140 [ 9849.513128] vfs_write+0x512/0x1110 [ 9849.513634] ? __fget_files+0x33/0x350 [ 9849.513893] ? __pfx_vfs_write+0x10/0x10 [ 9849.514143] ? mutex_lock_nested+0x1b/0x30 [ 9849.514394] ksys_write+0xf9/0x230 [ 9849.514621] ? __pfx_ksys_write+0x10/0x10 [ 9849.514887] ? do_syscall_64+0x25e/0x1520 [ 9849.515122] ? __kasan_check_read+0x11/0x20 [ 9849.515366] ? trace_hardirqs_on_prepare+0x178/0x1c0 [ 9849.515655] __x64_sys_write+0x72/0xd0 [ 9849.515885] ? trace_hardirqs_on+0x24/0x1c0 [ 9849.516130] x64_sys_call+0x22f/0x2390 [ 9849.516341] do_syscall_64+0x12b/0x1520 [ 9849.516545] ? do_syscall_64+0x27c/0x1520 [ 9849.516783] ? do_syscall_64+0x27c/0x1520 [ 9849.517003] ? lock_release+0x318/0x480 [ 9849.517220] ? __x64_sys_io_getevents+0x143/0x2d0 [ 9849.517479] ? percpu_ref_put_many.constprop.0+0x8f/0x210 [ 9849.517779] ? entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 9849.518073] ? do_syscall_64+0x25e/0x1520 [ 9849.518291] ? __kasan_check_read+0x11/0x20 [ 9849.518519] ? trace_hardirqs_on_prepare+0x178/0x1c0 [ 9849.518799] ? do_syscall_64+0x27c/0x1520 [ 9849.519024] ? local_clock_noinstr+0xf/0x120 [ 9849.519262] ? entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 9849.519544] ? do_syscall_64+0x25e/0x1520 [ 9849.519781] ? __kasan_check_read+0x11/0x20 [ 9849.520008] ? trace_hardirqs_on_prepare+0x178/0x1c0 [ 9849.520273] ? do_syscall_64+0x27c/0x1520 [ 9849.520491] ? trace_hardirqs_on_prepare+0x178/0x1c0 [ 9849.520767] ? irqentry_exit+0x10c/0x6c0 [ 9849.520984] ? trace_hardirqs_off+0x86/0x1b0 [ 9849.521224] ? exc_page_fault+0xab/0x130 [ 9849.521472] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 9849.521766] RIP: 0033:0x7e36cbd14907 [ 9849.521989] Code: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f = 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48= > 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 [ 9849.523057] RSP: 002b:00007ffff2d2a968 EFLAGS: 00000246 ORIG_RAX: 000000= 0000000001 [ 9849.523484] RAX: ffffffffffffffda RBX: 000000000000e549 RCX: 00007e36cbd= 14907 [ 9849.523885] RDX: 000000000000e549 RSI: 00005bd797ec6370 RDI: 00000000000= 00004 [ 9849.524277] RBP: 0000000000000004 R08: 0000000000000047 R09: 00005bd797e= c6370 [ 9849.524652] R10: 0000000000000078 R11: 0000000000000246 R12: 00000000000= 00049 [ 9849.525062] R13: 0000000010781a37 R14: 00005bd797ec6370 R15: 00000000000= 00000 [ 9849.525447] [ 9849.525574] Modules linked in: intel_rapl_msr intel_rapl_common intel_un= core_frequency_common intel_pmc_core pmt_telemetry pmt_discovery pmt_class = intel_pmc_ssram_telemetry intel_vsec kvm_intel joydev kvm irqbypass ghash_c= lmulni_intel aesni_intel input_leds rapl mac_hid psmouse vga16fb serio_raw = vgastate floppy i2c_piix4 bochs qemu_fw_cfg i2c_smbus pata_acpi sch_fq_code= l rbd msr parport_pc ppdev lp parport efi_pstore [ 9849.529150] ---[ end trace 0000000000000000 ]--- [ 9849.529502] RIP: 0010:folio_unlock+0x85/0xa0 [ 9849.530813] Code: 89 df 31 f6 e8 1c f3 ff ff 48 8b 5d f8 c9 31 c0 31 d2 = 31 f6 31 ff c3 cc cc cc cc 48 c7 c6 80 6c d9 a7 48 89 df e8 4b b3 10 00 <0f= > 0b 48 89 df e8 21 e6 2c 00 eb 9d 0f 1f 40 00 66 66 2e 0f 1f 84 [ 9849.534986] RSP: 0018:ffff8881bb8076b0 EFLAGS: 00010246 [ 9849.536198] RAX: 0000000000000000 RBX: ffffea00070c8980 RCX: 00000000000= 00000 [ 9849.537718] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000000= 00000 [ 9849.539321] RBP: ffff8881bb8076b8 R08: 0000000000000000 R09: 00000000000= 00000 [ 9849.540862] R10: 0000000000000000 R11: 0000000000000000 R12: 00000000107= 82000 [ 9849.542438] R13: ffff8881935de738 R14: ffff88816110d010 R15: 00000000000= 01000 [ 9849.543996] FS: 00007e36cbe94740(0000) GS:ffff88824b899000(0000) knlGS:= 0000000000000000 [ 9849.545854] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 9849.547092] CR2: 00007e36cb3ff000 CR3: 000000011bbf6006 CR4: 00000000007= 72ef0 [ 9849.548679] PKRU: 55555554 The race sequence: 1. Read completes -> netfs_read_collection() runs 2. netfs_wake_rreq_flag(rreq, NETFS_RREQ_IN_PROGRESS, ...) 3. netfs_wait_for_read() returns -EFAULT to netfs_write_begin() 4. The netfs_unlock_abandoned_read_pages() unlocks the folio 5. netfs_write_begin() calls folio_unlock(folio) -> VM_BUG_ON_FOLIO() The key reason of the issue that netfs_unlock_abandoned_read_pages() doesn't check the flag NETFS_RREQ_NO_UNLOCK_FOLIO and executes folio_unlock() unconditionally. This patch implements in netfs_unlock_abandoned_read_pages() logic similar to netfs_unlock_read_folio(). Signed-off-by: Viacheslav Dubeyko Signed-off-by: David Howells Reviewed-by: Paulo Alcantara (Red Hat) cc: netfs@lists.linux.dev cc: linux-fsdevel@vger.kernel.org cc: Ceph Development --- fs/netfs/read_retry.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/fs/netfs/read_retry.c b/fs/netfs/read_retry.c index cca9ac43c077..68fc869513ef 100644 --- a/fs/netfs/read_retry.c +++ b/fs/netfs/read_retry.c @@ -288,8 +288,15 @@ void netfs_unlock_abandoned_read_pages(struct netfs_io= _request *rreq) struct folio *folio =3D folioq_folio(p, slot); =20 if (folio && !folioq_is_marked2(p, slot)) { - trace_netfs_folio(folio, netfs_folio_trace_abandon); - folio_unlock(folio); + if (folio->index =3D=3D rreq->no_unlock_folio && + test_bit(NETFS_RREQ_NO_UNLOCK_FOLIO, + &rreq->flags)) { + _debug("no unlock"); + } else { + trace_netfs_folio(folio, + netfs_folio_trace_abandon); + folio_unlock(folio); + } } } } From nobody Sat Apr 11 22:44:56 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6CD182F4A15 for ; Sat, 11 Apr 2026 08:57:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775897830; cv=none; b=tJe7E+10OZdnkRpHQ87txwNI2h7BojeuZS4NIBPSfSRqw3Q1RbsmXt1GjdaZ+ZCO047814Zb1WuX/h0mnXFwe5PWPMWEN4iQxSpi30K2yfSgr+c/5b91ZsRHDBKmFTklvif57en3H9ogxfkM08T1nmipoxEPMv0mvQoIfq7uzVU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775897830; c=relaxed/simple; bh=S62t+upgojIYhz1p6dALu+kyrentByS35lQhzLSLXbY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=TNvaah73f1mpUi5AQF2D2/BVKAL+adzqIS32Qd72Lhj1O6eL8vgMBZFKcr6wOXewkIgTqpEo/wLEB/3GWu0g4IzRCFbObUFV+EwSDbYXbFI01cIqn+KjSNQvmBfJNdlJ6p7gPnbKAcuWZZSdEy493kkPR53XuhrCdRfbaP2fs84= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=KRsfDmVP; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="KRsfDmVP" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1775897827; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=0M8NeyGOtxqcK9n3lFvZBV03uT/fzw4I/4MxBJJ99Zo=; b=KRsfDmVPWBonH1ozX0MndaoOKBoVtN3sCTb4IjXm5nhc21V+tpdCR3JV9aliiZHURn9Ja4 d9Adz86aOCwdJuUyvkKOIVxonQWI7RK4eCVYePYMz7MdCPAcO8lnaJs4673TCSffrU1A4I Udda8O5LhtprUveVNEl6Y3qwZJFjIac= Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-335-dmUAf5kmOlS93i-o0tjmrA-1; Sat, 11 Apr 2026 04:57:04 -0400 X-MC-Unique: dmUAf5kmOlS93i-o0tjmrA-1 X-Mimecast-MFC-AGG-ID: dmUAf5kmOlS93i-o0tjmrA_1775897822 Received: from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 92B2F18002CA; Sat, 11 Apr 2026 08:57:02 +0000 (UTC) Received: from warthog.procyon.org.com (unknown [10.44.48.47]) by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 89B153000C1F; Sat, 11 Apr 2026 08:56:58 +0000 (UTC) From: David Howells To: Christian Brauner Cc: David Howells , Paulo Alcantara , netfs@lists.linux.dev, linux-afs@lists.infradead.org, linux-cifs@vger.kernel.org, ceph-devel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Paulo Alcantara , Xiaoli Feng , stable@vger.kernel.org Subject: [PATCH 2/4] netfs: fix error handling in netfs_extract_user_iter() Date: Sat, 11 Apr 2026 09:56:40 +0100 Message-ID: <20260411085643.3221565-3-dhowells@redhat.com> In-Reply-To: <20260411085643.3221565-1-dhowells@redhat.com> References: <20260411085643.3221565-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.4 Content-Type: text/plain; charset="utf-8" From: Paulo Alcantara In netfs_extract_user_iter(), if iov_iter_extract_pages() failed to extract user pages, bail out on -ENOMEM, otherwise return the error code only if @npages =3D=3D 0, allowing short DIO reads and writes to be issued. This fixes mmapstress02 from LTP tests against CIFS. Fixes: 85dd2c8ff368 ("netfs: Add a function to extract a UBUF or IOVEC into= a BVEC iterator") Reported-by: Xiaoli Feng Signed-off-by: Paulo Alcantara (Red Hat) Signed-off-by: David Howells Cc: netfs@lists.linux.dev Cc: stable@vger.kernel.org Cc: linux-cifs@vger.kernel.org Cc: linux-fsdevel@vger.kernel.org --- fs/netfs/iterator.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/fs/netfs/iterator.c b/fs/netfs/iterator.c index 154a14bb2d7f..adca78747f23 100644 --- a/fs/netfs/iterator.c +++ b/fs/netfs/iterator.c @@ -22,7 +22,7 @@ * * Extract the page fragments from the given amount of the source iterator= and * build up a second iterator that refers to all of those bits. This allo= ws - * the original iterator to disposed of. + * the original iterator to be disposed of. * * @extraction_flags can have ITER_ALLOW_P2PDMA set to request peer-to-pee= r DMA be * allowed on the pages extracted. @@ -67,8 +67,8 @@ ssize_t netfs_extract_user_iter(struct iov_iter *orig, si= ze_t orig_len, ret =3D iov_iter_extract_pages(orig, &pages, count, max_pages - npages, extraction_flags, &offset); - if (ret < 0) { - pr_err("Couldn't get user pages (rc=3D%zd)\n", ret); + if (unlikely(ret <=3D 0)) { + ret =3D ret ?: -EIO; break; } =20 @@ -97,6 +97,13 @@ ssize_t netfs_extract_user_iter(struct iov_iter *orig, s= ize_t orig_len, npages +=3D cur_npages; } =20 + if (ret < 0 && (ret =3D=3D -ENOMEM || npages =3D=3D 0)) { + for (i =3D 0; i < npages; i++) + unpin_user_page(bv[i].bv_page); + kvfree(bv); + return ret; + } + iov_iter_bvec(new, orig->data_source, bv, npages, orig_len - count); return npages; } From nobody Sat Apr 11 22:44:56 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1AEF833438F for ; Sat, 11 Apr 2026 08:57:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775897838; cv=none; b=mMdl4BCVP0AFAfzOq0jRxHVgnKG0s0OMLJBYzXNUQfAVZOGx74rrmTg9Cq+V1ZI1mULKM1kbimdo17nX9yWwD8UlzD2aABMITW4JbhHYIRXTMgA0rtr/3ODoc5/3fmwQxYnq7vVewz0ppEzLJz5ZerpcR2/eUcoJ/5kNCY8BqLs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775897838; c=relaxed/simple; bh=Va5ic3j+XPVGHImNKjNKAB4SnRGmH/mONtJLhCgEHPk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ZyT51zTNMENxZ+8SmMycT/cCaVbhvjic4CTQxo/Q1KHjiAaoeU+FQBOuDrZB+gIzUoiEGz5AXAt8jpfOhPUajTBKG8VS4f//+Evk2bAiFALZbuqg8Hy2RDTQChIE3cWBPVpahH4JdC+hn3rYtZMjjBZwXLwS6uzOX8xA1ALfHaI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=KL74Zc38; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="KL74Zc38" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1775897836; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=wyv45w2ugH74c2VSCb7J4MMwtcNcSvmG464mF8qh4Dc=; b=KL74Zc38d+p6IV0qsyXAszC+iJVkkuQFLKAqWB5FEDv4jg2NrlTlnuMbAJ7lb1HkrD8DAl ZdNKsluoEh/JOtYivVfXJYSQBVP5gdURHTkUdyEtLbmU6nFRxCI6A86lyA2WB+DLGn1uMv lNeqhi6Bdm46WcClwRSvgUZNc1mnUaU= Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-465-lpn6ZtJpNsCHJ9bBcnhvXg-1; Sat, 11 Apr 2026 04:57:10 -0400 X-MC-Unique: lpn6ZtJpNsCHJ9bBcnhvXg-1 X-Mimecast-MFC-AGG-ID: lpn6ZtJpNsCHJ9bBcnhvXg_1775897829 Received: from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id B0C901956061; Sat, 11 Apr 2026 08:57:08 +0000 (UTC) Received: from warthog.procyon.org.com (unknown [10.44.48.47]) by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 8B19219560AB; Sat, 11 Apr 2026 08:57:04 +0000 (UTC) From: David Howells To: Christian Brauner Cc: David Howells , Paulo Alcantara , netfs@lists.linux.dev, linux-afs@lists.infradead.org, linux-cifs@vger.kernel.org, ceph-devel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, NeilBrown , Marc Dionne , NeilBrown , "Paulo Alcantara (Red Hat)" Subject: [PATCH 3/4] cachefiles: fix incorrect dentry refcount in cachefiles_cull() Date: Sat, 11 Apr 2026 09:56:41 +0100 Message-ID: <20260411085643.3221565-4-dhowells@redhat.com> In-Reply-To: <20260411085643.3221565-1-dhowells@redhat.com> References: <20260411085643.3221565-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 Content-Type: text/plain; charset="utf-8" From: NeilBrown The patch mentioned below changed cachefiles_bury_object() to expect 2 references to the 'rep' dentry. Three of the callers were changed to use start_removing_dentry() which takes an extra reference so in those cases the call gets the expected references. However there is another call to cachefiles_bury_object() in cachefiles_cull() which did not need to be changed to use start_removing_dentry() and so was not properly considered. It still passed the dentry with just one reference so the net result is that a reference is lost. To meet the expectations of cachefiles_bury_object(), cachefiles_cull() must take an extra reference before the call. It will be dropped by cachefiles_bury_object(). Reported-by: Marc Dionne Fixes: 7bb1eb45e43c ("VFS: introduce start_removing_dentry()") Signed-off-by: NeilBrown Signed-off-by: David Howells Acked-by: Paulo Alcantara (Red Hat) cc: netfs@lists.linux.dev cc: linux-afs@lists.infradead.org cc: linux-fsdevel@vger.kernel.org --- fs/cachefiles/namei.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/fs/cachefiles/namei.c b/fs/cachefiles/namei.c index e5ec90dccc27..eb9eb7683e3c 100644 --- a/fs/cachefiles/namei.c +++ b/fs/cachefiles/namei.c @@ -810,6 +810,11 @@ int cachefiles_cull(struct cachefiles_cache *cache, st= ruct dentry *dir, if (ret < 0) goto error_unlock; =20 + /* + * cachefiles_bury_object() expects 2 references to 'victim', + * and drops one. + */ + dget(victim); ret =3D cachefiles_bury_object(cache, NULL, dir, victim, FSCACHE_OBJECT_WAS_CULLED); dput(victim); From nobody Sat Apr 11 22:44:56 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6845F33438F for ; Sat, 11 Apr 2026 08:57:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775897844; cv=none; b=ut2DAafriMIkklMriwaAeH4dN3ohVjtujTquHvqXRDFi75rj3lMX7bZkSYm0YAVr5IrQy/cM4UKc7wdEndJfXVN9PvEVYjYwGCE8ATdzV43gcinWHNZmgzSruX6S6etCvewJzdiMg6w5Js7AkvXrShBHCoNq5skyWHo9O3eLfcM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775897844; c=relaxed/simple; bh=Ysw+0v2QMxySbx347DtfHjbHKop4ioYtzWactI42FLU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=rKMMLBDxaxdAlxztCQALky8tEZNyQQdUf+ICUXo84KjS+HDyQ1EAhGZ2FDgl7amDXWLXWHFolnKoP1S3ocjHBo5L/59a+Hdg9B/WkWUHMMBrpYrC53/XsFqErdG2Kcx/XJyWepNLNLvNj4lhopBpDB1UVz5hsSawKhPU3RNdw0Q= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=ZptxJDPT; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="ZptxJDPT" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1775897842; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=X397l0CU5nIL2ooMDVBSVen1USL5XU13r/GdYHGDVL8=; b=ZptxJDPTYCWr+Fx0PyMS8LsrGShV3p+c42CYoX8To6bge3oxvEt+CB0zIRsjppDMoVmD0W 86h1v95+fs8aw/isQUldL3HTAG3lGBiRy6ghEdpi1RZnskLBKnVE4bshko0mRKL5KCtP4P 5HZOCcRSaB05y6+oEs5Iv6cSmFkT4QU= Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-204-s7j74AqoM9e1zZ8ujLleew-1; Sat, 11 Apr 2026 04:57:17 -0400 X-MC-Unique: s7j74AqoM9e1zZ8ujLleew-1 X-Mimecast-MFC-AGG-ID: s7j74AqoM9e1zZ8ujLleew_1775897835 Received: from mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.93]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id CD696195608B; Sat, 11 Apr 2026 08:57:14 +0000 (UTC) Received: from warthog.procyon.org.com (unknown [10.44.48.47]) by mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 98E4C180049F; Sat, 11 Apr 2026 08:57:10 +0000 (UTC) From: David Howells To: Christian Brauner Cc: David Howells , Paulo Alcantara , netfs@lists.linux.dev, linux-afs@lists.infradead.org, linux-cifs@vger.kernel.org, ceph-devel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Marc Dionne , Paulo Alcantara , Matthew Wilcox Subject: [PATCH 4/4] netfs: Fix netfs_invalidate_folio() to clear dirty bit if all changes gone Date: Sat, 11 Apr 2026 09:56:42 +0100 Message-ID: <20260411085643.3221565-5-dhowells@redhat.com> In-Reply-To: <20260411085643.3221565-1-dhowells@redhat.com> References: <20260411085643.3221565-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.93 Content-Type: text/plain; charset="utf-8" If a streaming write is made, this will leave the relevant modified folio in a not-uptodate, but dirty state with a netfs_folio struct hung off of folio->private indicating the dirty range. Subsequently truncating the file such that the dirty data in the folio is removed, but the first part of the folio theoretically remains will cause the netfs_folio struct to be discarded... but will leave the dirty flag set. If the folio is then read via mmap(), netfs_read_folio() will see that the page is dirty and jump to netfs_read_gaps() to fill in the missing bits. netfs_read_gaps(), however, expects there to be a netfs_folio struct present and can oops because truncate removed it. Fix this by calling folio_cancel_dirty() in netfs_invalidate_folio() in the event that all the dirty data in the folio is erased (as nfs does). Also add some tracepoints to log modifications to a dirty page. This can be reproduced with something like: dd if=3D/dev/zero of=3D/xfstest.test/foo bs=3D1M count=3D1 umount /xfstest.test mount /xfstest.test xfs_io -c "w 0xbbbf 0xf96c" \ -c "truncate 0xbbbf" \ -c "mmap -r 0xb000 0x11000" \ -c "mr 0xb000 0x11000" \ /xfstest.test/foo with fscaching disabled (otherwise streaming writes are suppressed) and a change to netfs_perform_write() to disallow streaming writes if the fd is open O_RDWR: if (//(file->f_mode & FMODE_READ) || <--- comment this out netfs_is_cache_enabled(ctx)) { It should be reproducible even without this change, but if prevents the above trivial xfs_io command from reproducing it. Note that the initial dd is important: the file must start out sufficiently large that the zero-point logic doesn't just clear the gaps because it knows there's nothing in the file to read yet. Unmounting and mounting is needed= to clear the pagecache (there are other ways to do that that may also work). This was initially reproduced with the generic/522 xfstest on some patches that remove the FMODE_READ restriction. Reported-by: Marc Dionne Signed-off-by: David Howells cc: Paulo Alcantara cc: Matthew Wilcox cc: netfs@lists.linux.dev cc: linux-fsdevel@vger.kernel.org --- fs/netfs/misc.c | 6 +++++- include/trace/events/netfs.h | 4 ++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/fs/netfs/misc.c b/fs/netfs/misc.c index 6df89c92b10b..d8e8a4b59768 100644 --- a/fs/netfs/misc.c +++ b/fs/netfs/misc.c @@ -256,6 +256,7 @@ void netfs_invalidate_folio(struct folio *folio, size_t= offset, size_t length) /* Move the start of the data. */ finfo->dirty_len =3D fend - iend; finfo->dirty_offset =3D offset; + trace_netfs_folio(folio, netfs_folio_trace_invalidate_front); return; } =20 @@ -264,12 +265,14 @@ void netfs_invalidate_folio(struct folio *folio, size= _t offset, size_t length) */ if (iend >=3D fend) { finfo->dirty_len =3D offset - fstart; + trace_netfs_folio(folio, netfs_folio_trace_invalidate_tail); return; } =20 /* A partial write was split. The caller has already zeroed * it, so just absorb the hole. */ + trace_netfs_folio(folio, netfs_folio_trace_invalidate_middle); } return; =20 @@ -277,8 +280,9 @@ void netfs_invalidate_folio(struct folio *folio, size_t= offset, size_t length) netfs_put_group(netfs_folio_group(folio)); folio_detach_private(folio); folio_clear_uptodate(folio); + folio_cancel_dirty(folio); kfree(finfo); - return; + trace_netfs_folio(folio, netfs_folio_trace_invalidate_all); } EXPORT_SYMBOL(netfs_invalidate_folio); =20 diff --git a/include/trace/events/netfs.h b/include/trace/events/netfs.h index cbe28211106c..88d814ba1e69 100644 --- a/include/trace/events/netfs.h +++ b/include/trace/events/netfs.h @@ -194,6 +194,10 @@ EM(netfs_folio_trace_copy_to_cache, "mark-copy") \ EM(netfs_folio_trace_end_copy, "end-copy") \ EM(netfs_folio_trace_filled_gaps, "filled-gaps") \ + EM(netfs_folio_trace_invalidate_all, "inval-all") \ + EM(netfs_folio_trace_invalidate_front, "inval-front") \ + EM(netfs_folio_trace_invalidate_middle, "inval-mid") \ + EM(netfs_folio_trace_invalidate_tail, "inval-tail") \ EM(netfs_folio_trace_kill, "kill") \ EM(netfs_folio_trace_kill_cc, "kill-cc") \ EM(netfs_folio_trace_kill_g, "kill-g") \