Testing today revealed a rather annoying bug where we can free an initialised node back to the slab cache without zeroing it first. That ends up creating a corrupted XArray ... whichever XArray happens to allocate that node next.
>From c53d4d2690db946f5710a39e6a6f67c5a46ff9a4 Mon Sep 17 00:00:00 2001
From: "Matthew Wilcox (Oracle)" <willy@xxxxxxxxxxxxx>
Date: Thu, 1 Oct 2020 18:22:35 -0400
Subject: [PATCH] fix xarray
---
 lib/xarray.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/lib/xarray.c b/lib/xarray.c
index b573db455c43..eedb4b51c59f 100644
--- a/lib/xarray.c
+++ b/lib/xarray.c
@@ -271,8 +271,7 @@ static void xas_destroy(struct xa_state *xas)
 while (node) {
 XA_NODE_BUG_ON(node, !list_empty(&node->private_list));
 next = rcu_dereference_raw(node->parent);
- /* XXX: need to free children */
- kmem_cache_free(radix_tree_node_cachep, node);
+ radix_tree_node_rcu_free(&node->rcu_head);
 xas->xa_alloc = node = next;
 }
 }
-- 
2.28.0
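Review bot: The added line calls radix_tree_node_rcu_free() synchronously even though its `struct rcu_head *` parameter marks it as an RCU callback normally reached through call_rcu(), and nothing in the hunk records why no grace period is needed; a comment on that line such as `/* Nodes on the xa_alloc list were never published to readers, so the rcu callback can run synchronously; it zeroes the node before handing it back to the slab. */` would save the next reader from re-deriving that. That the nodes on xas->xa_alloc are unpublished is inferred from the list name and from the removed direct kmem_cache_free(), not shown in the hunk, so confirm it before wording the comment as fact. The hunk also drops the `/* XXX: need to free children */` marker without the commit message saying that concern is resolved; if it is still open, keep the marker beside the new call. If radix_tree_node_rcu_free() is still file-local where it is defined, lib/xarray.c will also need a visible prototype, which this patch does not add. The start of xas_destroy, including the initialisation of `node`, lies above the hunk.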