On Thu, 28 Nov 2024 13:23:15 +0100 David Hildenbrand <david@xxxxxxxxxx>
>
> Ah, now I get it; at the point in time we check it actually isn't in
> the pagecache anymore. We perform a folio_test_locked() check before the
> folio_try_get(), which is wrong as the folio can get freed+reallocated
> in the meantime.
>
> The easy fix would be:

#syz test

--- x/mm/filemap.c +++ y/mm/filemap.c @@ -3502,10 +3502,10 @@ static struct folio *next_uptodate_folio continue; if (xa_is_value(folio)) continue; - if (folio_test_locked(folio)) - continue; if (!folio_try_get(folio)) continue; + if (folio_test_locked(folio)) + goto skip; /* Has the page moved or been split? */ if (unlikely(folio != xas_reload(xas))) goto skip;
--
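Review bot: the moved `folio_test_locked()` check has no comment saying why it must sit after `folio_try_get()`, and the next person tidying this loop could reorder it back to where it was; a one-line comment above it (e.g. `/* Only test the flag once we hold a reference; before folio_try_get() the folio may already be freed and reused. */`) would make the ordering constraint visible in the code rather than only in this thread. Switching from `continue` to `goto skip` is the right companion change: once `folio_try_get()` has succeeded the reference has to be dropped on the way out, which is exactly the path the existing `xas_reload()` mismatch case already takes two lines below. Note also that the locked test still runs before the `xas_reload()` check, so it may be evaluated on a folio that has already moved; that is harmless because the reference keeps it alive and the reload mismatch skips it anyway, but putting the locked test after the reload check would keep "is this still our folio" as the first question asked.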