From: Vitaly Wool <vitalywool@xxxxxxxxx> Subject: z3fold: fix potential race in z3fold_reclaim_page It is possible that on a (partially) unsuccessful page reclaim, kref_put() called in z3fold_reclaim_page() does not yield page release, but the page is released shortly afterwards by another thread. Then z3fold_reclaim_page() would try to list_add() that (released) page again which is obviously a bug. To avoid that, spin_lock() has to be taken earlier, before the kref_put() call mentioned earlier. Link: http://lkml.kernel.org/r/20170913162937.bfff21c7d12b12a5f47639fd@xxxxxxxxx Signed-off-by: Vitaly Wool <vitalywool@xxxxxxxxx> Cc: Dan Streetman <ddstreet@xxxxxxxx> Cc: <Oleksiy.Avramchenko@xxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- mm/z3fold.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff -puN mm/z3fold.c~z3fold-fix-potential-race-in-z3fold_reclaim_page mm/z3fold.c --- a/mm/z3fold.c~z3fold-fix-potential-race-in-z3fold_reclaim_page +++ a/mm/z3fold.c @@ -875,16 +875,18 @@ static int z3fold_reclaim_page(struct z3 goto next; } next: + spin_lock(&pool->lock); if (test_bit(PAGE_HEADLESS, &page->private)) { if (ret == 0) { + spin_unlock(&pool->lock); free_z3fold_page(page); return 0; } } else if (kref_put(&zhdr->refcount, release_z3fold_page)) { atomic64_dec(&pool->pages_nr); + spin_unlock(&pool->lock); return 0; } - spin_lock(&pool->lock); /* * Add to the beginning of LRU. _ -- To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
