On Sat, Dec 16, 2023 at 09:58:03PM +0800, Kairui Song wrote: > > @@ -888,14 +887,14 @@ struct page *swapin_readahead(swp_entry_t entry, gfp_t gfp_mask, > > { > > struct mempolicy *mpol; > > pgoff_t ilx; > > - struct page *page; > > + struct folio *folio; > > > > mpol = get_vma_policy(vmf->vma, vmf->address, 0, &ilx); > > - page = swap_use_vma_readahead() ? > > + folio = swap_use_vma_readahead() ? > > swap_vma_readahead(entry, gfp_mask, mpol, ilx, vmf) : > > swap_cluster_readahead(entry, gfp_mask, mpol, ilx); > > mpol_cond_put(mpol); > > - return page; > > + return folio_file_page(folio, swp_offset(entry)); > > Hi Matthew, > > There is a bug here, folio could be NULL, and cause NULL dereference. Andrew, syzbot has also picked up on this. Please add this -fix patch? diff --git a/mm/swap_state.c b/mm/swap_state.c index 793b5b9e4f96..8a3a8f1ab20a 100644 --- a/mm/swap_state.c +++ b/mm/swap_state.c @@ -894,6 +894,9 @@ struct page *swapin_readahead(swp_entry_t entry, gfp_t gfp_mask, swap_vma_readahead(entry, gfp_mask, mpol, ilx, vmf) : swap_cluster_readahead(entry, gfp_mask, mpol, ilx); mpol_cond_put(mpol); + + if (!folio) + return NULL; return folio_file_page(folio, swp_offset(entry)); }
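Review bot: in the -fix hunk the NULL check sits after mpol_cond_put(mpol), which is the correct position: an early return placed before it would skip dropping the policy reference taken by get_vma_policy() in the quoted hunk. Returning NULL also matches what the pre-conversion code did with `return page;`, where the result of swap_vma_readahead()/swap_cluster_readahead() was handed back unchecked, so this restores the old contract rather than changing it; it would help to say so in the -fix changelog so that Andrew can fold it into the original commit message. A minor alternative that avoids the extra branch is `return folio ? folio_file_page(folio, swp_offset(entry)) : NULL;`, but the explicit check reads fine as is.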