On (25/03/05 09:49), ffhgfv wrote:
> Hello, I found a bug titled " BUG: corrupted list in fix_fullness_group "
> with modified syzkaller in the latest upstream related to ZSMALLOC.

[..]

> static int fix_fullness_group(struct size_class *class, struct zspage *zspage)
> {
> 	int newfg;
>
> 	newfg = get_fullness_group(class, zspage);
> 	if (newfg == zspage->fullness)
> 		goto out;
> ++	spin_lock(&class->lock);
> 	remove_zspage(class, zspage);
> 	insert_zspage(class, zspage, newfg);
> ++	spin_unlock(&class->lock);
> out:
> 	return newfg;
> }

fix_fullness_group() is *always* called under class->lock.
zs_malloc() calls it under class->lock, so does zs_free().
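Review bot: the proposed `++ spin_lock(&class->lock)` / `++ spin_unlock(&class->lock)` pair inside fix_fullness_group() acquires a lock that, per the reply, every caller (zs_malloc(), zs_free()) already holds when it enters the function, so at that point class->lock is not unlocked and taking it a second time cannot be what keeps the fullness list consistent; on a non-recursive spinlock it would instead stall the path that already holds it. If the intent is to make the locking precondition explicit, a `lockdep_assert_held(&class->lock);` at the top of fix_fullness_group() documents and checks it without re-acquiring the lock, and the corrupted-list report then needs its cause traced to whichever list manipulation runs outside class->lock rather than to this function.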