On Thu, 14 Jul 2022 20:17:43 +0530 Charan Teja Kalla <quic_charante@xxxxxxxxxxx> wrote:
> The below is one path where race between page_ext and offline of the
> respective memory blocks will cause use-after-free on the access of
> page_ext structure.
>
> ...
>
> --- a/include/linux/page_ext.h
> +++ b/include/linux/page_ext.h
> @@ -64,6 +64,25 @@ static inline struct page_ext *page_ext_next(struct page_ext *curr)
> return next;
> }
>
> +static inline struct page_ext *get_page_ext(struct page *page)
> +{
> + struct page_ext *page_ext;
> +
> + rcu_read_lock();
If page_ext.h is to call rcu functions then it will need to include
appropriate header files.
> + page_ext = lookup_page_ext(page);
> + if (!page_ext) {
> + rcu_read_unlock();
> + return NULL;
> + }
> +
> + return page_ext;
> +}
> +
> +static inline void put_page_ext(void)
> +{
> + rcu_read_unlock();
> +}
Better names would be page_ext_get() and page_ext_put(). The rest of
the page_ext API appears to have got this right, so let's not mess that
up.
Also, these aren't really get and put functions - page_ext doesn't have
a refcount. But I can't immediately think of a name that better
communicates what we're doing here so I guess get and put will do.
And are we able to add some comments here explaining why these
functions exist and what they do?
> #else /* !CONFIG_PAGE_EXTENSION */
> struct page_ext;
Are you sure we didn't need CONFIG_PAGE_EXTENSION=n stubs for these two
functions?
