Could you help to add below diff to check debug info?

diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
index bc5cea27b512..333285cb14c5 100644
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -241,7 +241,7 @@ static inline void __submit_bio(struct f2fs_sb_info *sbi,
 				struct bio *bio, enum page_type type)
 {
 	if (!is_read_io(bio_op(bio))) {
-		unsigned int start;
+		unsigned int start, ofs;
 
 		if (type != DATA && type != NODE)
 			goto submit_io;
@@ -256,7 +256,7 @@ static inline void __submit_bio(struct f2fs_sb_info *sbi,
 			goto submit_io;
 
 		/* fill dummy pages */
-		for (; start < F2FS_IO_SIZE(sbi); start++) {
+		for (ofs = start; ofs < F2FS_IO_SIZE(sbi); ofs++) {
 			struct page *page =
 				mempool_alloc(sbi->write_io_dummy,
 					      GFP_NOIO | __GFP_NOFAIL);
@@ -266,8 +266,16 @@ static inline void __submit_bio(struct f2fs_sb_info *sbi,
 			SetPagePrivate(page);
 			set_page_private(page, (unsigned long)DUMMY_WRITTEN_PAGE);
 			lock_page(page);
-			if (bio_add_page(bio, page, PAGE_SIZE, 0) < PAGE_SIZE)
-				f2fs_bug_on(sbi, 1);
+			if (bio_add_page(bio, page, PAGE_SIZE, 0) < PAGE_SIZE) {
+				printk("ofs:%u, start:%u, io_size:%u, "
+					"size:%u, vcnt:%u, max_vecs:%u",
+					ofs, start, F2FS_IO_SIZE(sbi),
+					bio->bi_iter.bi_size,
+					bio->bi_vcnt,
+					bio->bi_max_vecs);
+				WARN_ON(1);
+				break;
+			}
 		}
 		/*
 		 * In the NODE case, we lose next block address chain. So, we

(In reply to Chao Yu from comment #1)
> Could you help to add below diff to check debug info?
> 
> diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
> index bc5cea27b512..333285cb14c5 100644
> --- a/fs/f2fs/data.c
> +++ b/fs/f2fs/data.c
> @@ -241,7 +241,7 @@ static inline void __submit_bio(struct f2fs_sb_info *sbi,
>  				struct bio *bio, enum page_type type)
>  {
>  	if (!is_read_io(bio_op(bio))) {
> -		unsigned int start;
> +		unsigned int start, ofs;
>  
>  		if (type != DATA && type != NODE)
>  			goto submit_io;
> @@ -256,7 +256,7 @@ static inline void __submit_bio(struct f2fs_sb_info *sbi,
>  			goto submit_io;
>  
>  		/* fill dummy pages */
> -		for (; start < F2FS_IO_SIZE(sbi); start++) {
> +		for (ofs = start; ofs < F2FS_IO_SIZE(sbi); ofs++) {
>  			struct page *page =
>  				mempool_alloc(sbi->write_io_dummy,
>  					      GFP_NOIO | __GFP_NOFAIL);
> @@ -266,8 +266,16 @@ static inline void __submit_bio(struct f2fs_sb_info
> *sbi,
>  			SetPagePrivate(page);
>  			set_page_private(page, (unsigned long)DUMMY_WRITTEN_PAGE);
>  			lock_page(page);
> -			if (bio_add_page(bio, page, PAGE_SIZE, 0) < PAGE_SIZE)
> -				f2fs_bug_on(sbi, 1);
> +			if (bio_add_page(bio, page, PAGE_SIZE, 0) < PAGE_SIZE) {
> +				printk("ofs:%u, start:%u, io_size:%u, "
> +					"size:%u, vcnt:%u, max_vecs:%u",
> +					ofs, start, F2FS_IO_SIZE(sbi),
> +					bio->bi_iter.bi_size,
> +					bio->bi_vcnt,
> +					bio->bi_max_vecs);
> +				WARN_ON(1);
> +				break;
> +			}
>  		}
>  		/*
>  		 * In the NODE case, we lose next block address chain. So, we

Hi!

I patched the kernel, and after I run the test case about 7 times, a warning occurred:

[   78.460040] F2FS-fs (loop0): Test dummy encryption mount option ignored
[   78.464621] F2FS-fs (loop0): Found nat_bits in checkpoint
[   78.479864] F2FS-fs (loop0): Mounted with checkpoint version = aaca8fb
[   78.482474] F2FS-fs (loop0): Test dummy encryption mount option ignored
[   78.483451] F2FS-fs (loop0): switch extent_cache option is not allowed
[   78.691092] ofs:1, start:1, io_size:8, size:1085440, vcnt:256, max_vecs:256
[   78.691161] WARNING: CPU: 1 PID: 1072 at fs/f2fs/data.c:323 __submit_merged_bio.cold+0x74/0x7c
[   78.693234] Modules linked in:
[   78.693579] CPU: 1 PID: 1072 Comm: kworker/u4:3 Not tainted 5.1.3 #8
[   78.694330] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   78.695523] Workqueue: writeback wb_workfn (flush-7:0)
[   78.696109] RIP: 0010:__submit_merged_bio.cold+0x74/0x7c
[   78.696762] Code: 00 00 00 45 89 e1 41 89 e8 41 8b 8d bc 04 00 00 41 57 48 c7 c7 80 6f dd 8c 8b 54 24 3c 8b 74 24 10 d3 e0 89 c1 e8 50 01 68 ff <0f> 0b 58 e9 15 c3 fe ff e8 9a 4f 73 ff 49 8d 7c 24 5a e8 60 89 89
[   78.699018] RSP: 0018:ffff888117fa7140 EFLAGS: 00010282
[   78.699620] RAX: 000000000000003f RBX: ffff88810828bb40 RCX: 0000000000000000
[   78.700530] RDX: 0000000000000000 RSI: 0000000000000278 RDI: ffffed1022ff4e1a
[   78.701337] RBP: 0000000000109000 R08: 000000000000003f R09: fffffbfff1c7766c
[   78.702027] R10: fffffbfff1c7766b R11: ffffffff8e3bb35e R12: 0000000000000100
[   78.702874] R13: ffff888107a1a200 R14: ffff888108101500 R15: 0000000000000100
[   78.703735] FS:  0000000000000000(0000) GS:ffff88811b500000(0000) knlGS:0000000000000000
[   78.704722] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   78.705383] CR2: 00005615108e12d8 CR3: 0000000107c58000 CR4: 00000000000006e0
[   78.706229] Call Trace:
[   78.706498]  f2fs_submit_page_write+0x3cd/0xdd0
[   78.707014]  do_write_page+0x15d/0x360
[   78.707453]  f2fs_outplace_write_data+0xd7/0x210
[   78.707985]  ? f2fs_do_write_node_page+0x190/0x190
[   78.708549]  ? __enqueue_entity+0xae/0xe0
[   78.709047]  f2fs_do_write_data_page+0x43b/0xf30
[   78.709590]  ? f2fs_should_update_outplace+0x1c0/0x1c0
[   78.710177]  ? __switch_to_asm+0x34/0x70
[   78.710602]  ? __switch_to_asm+0x40/0x70
[   78.711067]  ? __switch_to_asm+0x34/0x70
[   78.711534]  ? finish_task_switch+0x145/0x370
[   78.712048]  ? __switch_to_asm+0x34/0x70
[   78.712497]  ? __switch_to_asm+0x40/0x70
[   78.712959]  __write_data_page+0xcf6/0x1140
[   78.713461]  ? page_mapped+0xf8/0x1f0
[   78.713870]  ? f2fs_do_write_data_page+0xf30/0xf30
[   78.714462]  ? page_referenced+0x3d0/0x3d0
[   78.714909]  ? _raw_write_unlock_irqrestore+0x20/0x20
[   78.715533]  f2fs_write_cache_pages+0x3ba/0xb40
[   78.716032]  ? __write_data_page+0x1140/0x1140
[   78.716492]  ? f2fs_fsync_node_pages+0xf90/0xf90
[   78.717021]  ? xas_start+0xbf/0x1c0
[   78.717451]  ? __mutex_lock_slowpath+0x10/0x10
[   78.717995]  f2fs_write_data_pages+0x3dd/0x8b0
[   78.718506]  ? f2fs_write_cache_pages+0xb40/0xb40
[   78.719052]  ? f2fs_set_node_page_dirty+0x175/0x3a0
[   78.719618]  ? f2fs_inode_synced+0x1c7/0x200
[   78.720069]  ? memset+0x20/0x40
[   78.720447]  ? f2fs_write_cache_pages+0xb40/0xb40
[   78.721006]  do_writepages+0xbb/0x1e0
[   78.721444]  ? page_writeback_cpu_online+0x10/0x10
[   78.721964]  ? _raw_spin_lock+0x75/0xd0
[   78.722409]  ? _raw_spin_lock_irq+0xd0/0xd0
[   78.722891]  ? __wake_up_bit+0x84/0xe0
[   78.723331]  __writeback_single_inode+0xb6/0x800
[   78.723861]  ? inode_add_lru+0xd9/0x110
[   78.724273]  writeback_sb_inodes+0x441/0x910
[   78.724756]  ? sync_inode_metadata+0x100/0x100
[   78.725263]  ? queue_io+0x16b/0x220
[   78.725674]  wb_writeback+0x261/0x650
[   78.726129]  ? __switch_to_asm+0x34/0x70
[   78.726641]  ? __writeback_inodes_wb+0x170/0x170
[   78.727361]  ? cwt_wakefn+0x60/0x60
[   78.728104]  ? _raw_spin_lock_bh+0x80/0xd0
[   78.728827]  ? _raw_read_unlock_irqrestore+0x20/0x20
[   78.729542]  ? __switch_to_asm+0x34/0x70
[   78.730121]  ? wb_workfn+0xc4/0x7a0
[   78.730643]  wb_workfn+0x1f9/0x7a0
[   78.731161]  ? inode_wait_for_writeback+0x40/0x40
[   78.731868]  ? __schedule+0x481/0xc80
[   78.732417]  ? _raw_spin_lock_irq+0x76/0xd0
[   78.733046]  ? read_word_at_a_time+0xe/0x20
[   78.733668]  ? strscpy+0xb2/0x180
[   78.734168]  process_one_work+0x503/0x970
[   78.734770]  worker_thread+0x7d/0x820
[   78.735322]  kthread+0x1ad/0x210
[   78.735821]  ? process_one_work+0x970/0x970
[   78.736443]  ? kthread_park+0x130/0x130
[   78.737020]  ret_from_fork+0x35/0x40
[   78.737555] ---[ end trace 5a4cea2bd5b6d207 ]---

Could you help to test below two commits?

f2fs: introduce {page,io}_is_mergeable() for readability
f2fs: fix panic of IO alignment feature

https://lore.kernel.org/linux-f2fs-devel/1562841517-77910-1-git-send-email-yuchao0@huawei.com/T/#t

https://lore.kernel.org/linux-f2fs-devel/1562841517-77910-2-git-send-email-yuchao0@huawei.com/T/#u

Sorry, previous version is broken... I've updated them.

https://lore.kernel.org/linux-f2fs-devel/20190712085542.4068-1-yuchao0@huawei.com/T/#u

(In reply to Chao Yu from comment #4)
> Sorry, previous version is broken... I've updated them.
> 
> https://lore.kernel.org/linux-f2fs-devel/20190712085542.4068-1-
> yuchao0@huawei.com/T/#u

Sorry! I have not tested these patches yet. :(

I have just tried the updated patch but failed.
It seems inconsistent with kernel-5.1.3?

You mean it failed when you apply those patches to kernel 5.1.3?

I made patches based on last dev branch below:

https://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git/log/?h=dev

Could you download last code for test? Last code should has issues you reported.

(In reply to Chao Yu from comment #6)
> You mean it failed when you apply those patches to kernel 5.1.3?
> 
> I made patches based on last dev branch below:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git/log/?h=dev
> 
> Could you download last code for test? Last code should has issues you
> reported.

Hi! I cloned the repo and patched the latest dev branch.
The aforementioned kernel bug does not manifest again with the provided script.

But my original(complex/long) script triggers another bug; I'm not sure whether this bug was introduced by the patch.

--- Core dump ---
[   17.678583] ------------[ cut here ]------------
[   17.679405] kernel BUG at fs/f2fs/segment.c:2391!
[   17.680654] invalid opcode: 0000 [#1] SMP KASAN PTI
[   17.681394] CPU: 0 PID: 461 Comm: runner-1 Not tainted 5.2.0+ #5
[   17.682279] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   17.683674] RIP: 0010:new_curseg+0xbb5/0xf10
[   17.684309] Code: 14 11 84 d2 74 09 80 fa 03 0f 8e 19 03 00 00 44 0f af ad 00 04 00 00 44 39 e8 0f 83 7f f7 ff ff e9 45 fa ff ff e8 8b 61 80 ff <0f> 0b e8 84 61 80 ff 44 89 e8 31 d2 f7 74 24 08 89 c3 e9 5a f6 ff
[   17.687001] RSP: 0018:ffff888110c0f360 EFLAGS: 00010293
[   17.687772] RAX: ffff88811514b400 RBX: 0000000000000000 RCX: ffffffffb93585b5
[   17.688792] RDX: 0000000000000000 RSI: 0000000000000048 RDI: ffff88810f9fe900
[   17.689771] RBP: ffff888112b2aa80 R08: 0000000000000000 R09: ffffed1022181e62
[   17.690804] R10: ffffed1022181e61 R11: 0000000000000003 R12: ffff888111f4ff30
[   17.691852] R13: 0000000000000048 R14: ffff88810f9fe900 R15: 0000000000000048
[   17.692894] FS:  00005555571fe8c0(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000
[   17.694066] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   17.694926] CR2: 0000555557302000 CR3: 0000000110406000 CR4: 00000000000006f0
[   17.695981] Call Trace:
[   17.696372]  ? f2fs_need_SSR+0x4fe/0x670
[   17.696973]  allocate_segment_by_default+0x222/0x440
[   17.697717]  f2fs_allocate_data_block+0x649/0x2720
[   17.698409]  ? f2fs_submit_page_write+0xc25/0x19c0
[   17.699035]  do_write_page+0x1c1/0x590
[   17.699628]  f2fs_outplace_write_data+0x157/0x3d0
[   17.700439]  ? f2fs_do_write_node_page+0x280/0x280
[   17.701188]  ? f2fs_is_valid_blkaddr+0x1f8/0xe70
[   17.701807]  f2fs_do_write_data_page+0xa60/0x13f0
[   17.702353]  ? f2fs_should_update_outplace+0x330/0x330
[   17.703017]  ? _raw_spin_lock+0x75/0xd0
[   17.703556]  ? percpu_counter_add_batch+0xc1/0x110
[   17.704215]  ? f2fs_remove_dirty_inode+0x191/0x520
[   17.704873]  move_data_page+0x5bc/0x990
[   17.705405]  ? get_victim_by_default+0x21d0/0x21d0
[   17.705986]  ? down_read_trylock+0x170/0x170
[   17.706402]  ? __radix_tree_lookup+0x1a9/0x220
[   17.706834]  do_garbage_collect+0x14cd/0x4020
[   17.707339]  ? __switch_to_asm+0x40/0x70
[   17.707797]  ? mutex_lock+0x89/0xd0
[   17.708167]  ? mutex_unlock+0x18/0x40
[   17.708555]  ? move_data_block+0x2500/0x2500
[   17.709004]  ? preempt_schedule_common+0x36/0x50
[   17.709488]  ? down_read+0x1f0/0x1f0
[   17.709869]  f2fs_gc+0x69b/0x37e0
[   17.710224]  ? f2fs_start_bidx_of_node+0x40/0x40
[   17.710709]  ? delete_node+0x1ef/0x820
[   17.711114]  ? node_tag_clear+0x8a/0x1b0
[   17.711530]  ? mutex_lock+0x89/0xd0
[   17.711901]  ? __mutex_lock_slowpath+0x10/0x10
[   17.712368]  ? f2fs_balance_fs+0x5ae/0x19c0
[   17.712809]  f2fs_balance_fs+0x5ae/0x19c0
[   17.713232]  ? __d_instantiate+0x320/0x430
[   17.713664]  f2fs_mkdir+0x40a/0x5e0
[   17.714034]  ? security_inode_mkdir+0xca/0x100
[   17.714501]  vfs_mkdir+0x351/0x560
[   17.714864]  do_mkdirat+0x11b/0x210
[   17.715242]  ? __ia32_sys_mknod+0xb0/0xb0
[   17.715687]  ? schedule+0x9c/0x230
[   17.716051]  do_syscall_64+0x9a/0x330
[   17.716440]  ? prepare_exit_to_usermode+0x142/0x1d0
[   17.716953]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   17.717485] RIP: 0033:0x50eaf7
[   17.717813] Code: 1f 40 00 b8 89 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 2d f5 f8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 0d f5 f8 ff c3 66 2e 0f 1f 84 00 00 00 00
[   17.719740] RSP: 002b:00007ffff7965da8 EFLAGS: 00000202 ORIG_RAX: 0000000000000053
[   17.720531] RAX: ffffffffffffffda RBX: 0000000000400328 RCX: 000000000050eaf7
[   17.721273] RDX: 0000555557337f90 RSI: 00000000000001fd RDI: 0000555557337f90
[   17.722015] RBP: 00007ffff7965de0 R08: 0000000000000000 R09: 000000000000003e
[   17.722963] R10: 0000000000000035 R11: 0000000000000202 R12: 000000000049e490
[   17.723941] R13: 000000000049e520 R14: 0000000000000000 R15: 0000000000000000
[   17.724914] Modules linked in:
[   17.725343] Dumping ftrace buffer:
[   17.725816]    (ftrace buffer empty)
[   17.726356] ---[ end trace 110112c63ed78316 ]---

This bug was reported by you in another track...

So could you confirm the issue in this track again?

BTW, to avoid panic in new_curseg(), you'd better to expand image size.

(In reply to Chao Yu from comment #8)
> This bug was reported by you in another track...
> 
> So could you confirm the issue in this track again?

Sorry! I forgot that bug.

I have tested the patch with the triggering script several times, and the issue in this track does not happen again (though another bug occurs).

Thank you! :-P

Thanks for confirming that! Let me close this track. :)