On Thu, Oct 10, 2024 at 09:59:23AM +0100, Fuad Tabba wrote:
> +out:
> + if (ret != VM_FAULT_LOCKED) {
> + folio_put(folio);
> + folio_unlock(folio);
Hm. Here and in few other places you return reference before unlocking.
I think it is safe because nobody can (or can they?) remove the page from
pagecache while the page is locked so we have at least one refcount on the
folie, but it *looks* like a use-after-free bug.
Please follow the usual pattern: _unlock() then _put().
--
Kiryl Shutsemau / Kirill A. Shutemov
