On (23/01/31 16:44), Andrew Morton wrote:
> Currently, there is a race between zs_free() and zs_reclaim_page():
> zs_reclaim_page() finds a handle to an allocated object, but before the
> eviction happens, an independent zs_free() call to the same handle could
> come in and overwrite the object value stored at the handle with the last
> deferred handle. When zs_reclaim_page() finally gets to call the eviction
> handler, it will see an invalid object value (i.e. the previous deferred
> handle instead of the original object value).
>
> This race happens quite infrequently. We only managed to produce it with
> out-of-tree developmental code that triggers zsmalloc writeback with a
> much higher frequency than usual.
>
> This patch fixes this race by storing the deferred handle in the object
> header instead. We differentiate the deferred handle from the other two
> cases (handle for allocated object, and linkage for free object) with a
> new tag. If zspage reclamation succeeds, we will free these deferred
> handles by walking through the zspage objects. On the other hand, if
> zspage reclamation fails, we reconstruct the zspage freelist (with the
> deferred handle tag and allocated tag) before trying again with the
> reclamation.
>
> [arnd@xxxxxxxx: avoid unused-function warning]
> Link: https://lkml.kernel.org/r/20230117170507.2651972-1-arnd@xxxxxxxxxx
> Link: https://lkml.kernel.org/r/20230110231701.326724-1-nphamcs@xxxxxxxxx
> Fixes: 9997bc017549 ("zsmalloc: implement writeback mechanism for zsmalloc")
> Signed-off-by: Nhat Pham <nphamcs@xxxxxxxxx>
> Signed-off-by: Arnd Bergmann <arnd@xxxxxxxx>
> Suggested-by: Johannes Weiner <hannes@xxxxxxxxxxx>
> Cc: Dan Streetman <ddstreet@xxxxxxxx>
> Cc: Minchan Kim <minchan@xxxxxxxxxx>
> Cc: Nitin Gupta <ngupta@xxxxxxxxxx>
> Cc: Sergey Senozhatsky <senozhatsky@xxxxxxxxxxxx>
> Cc: Seth Jennings <sjenning@xxxxxxxxxx>
> Cc: Vitaly Wool <vitaly.wool@xxxxxxxxxxxx>
> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>

Reviewed-by: Sergey Senozhatsky <senozhatsky@xxxxxxxxxxxx>
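The tagging scheme the quoted commit message describes, as an added example that is not part of this thread and not zsmalloc's own code: a small C model in which every object slot of a page carries a two-bit tag distinguishing a freelist link, an allocated handle and a deferred handle, with the success path (walk the page and free the deferred handles) and the failure path (rebuild the freelist from the tags) the message describes. All names (zspage_model, OBJ_*_TAG, zspage_reclaim, run_scenario) and the handle values are assumptions, not kernel identifiers. The zs_free() model shows why the race goes away: freeing one object rewrites only that object's own slot, so there is no shared "last deferred handle" word left for it to clobber while reclaim is in flight.

```c
/* Added example, not zsmalloc code: a model of the tagged object header the
 * commit describes.  Low bits of each slot word: 0 = freelist link (index of
 * the next free slot), 1 = allocated handle, 2 = deferred handle.  Every name
 * here is hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define NR_OBJS   8
#define TAG_BITS  2
#define TAG_MASK  ((uintptr_t)((1u << TAG_BITS) - 1))
#define FREE_END  NR_OBJS                /* end-of-freelist sentinel index */
enum { OBJ_FREE_TAG = 0, OBJ_ALLOCATED_TAG = 1, OBJ_DEFERRED_TAG = 2 };

struct zspage_model {
	uintptr_t slot[NR_OBJS];
	size_t freelist_head;            /* first free slot, or FREE_END */
};
static uintptr_t slot_tag(uintptr_t w)   { return w & TAG_MASK; }
static uintptr_t slot_value(uintptr_t w) { return w >> TAG_BITS; }
static uintptr_t make_slot(uintptr_t v, uintptr_t tag) { return (v << TAG_BITS) | tag; }

void zspage_init(struct zspage_model *p)
{
	for (size_t i = 0; i < NR_OBJS; i++)    /* slot i links to i+1, the last to FREE_END */
		p->slot[i] = make_slot(i + 1, OBJ_FREE_TAG);
	p->freelist_head = 0;
}

/* zs_malloc() model: pop a free slot and store the allocated handle in it. */
int zspage_alloc(struct zspage_model *p, uintptr_t handle)
{
	size_t idx = p->freelist_head;
	if (idx == FREE_END) return -1;
	p->freelist_head = slot_value(p->slot[idx]);
	p->slot[idx] = make_slot(handle, OBJ_ALLOCATED_TAG);
	return (int)idx;
}

/* zs_free() model: rewrites only this object's own slot, never a word shared
 * with the reclaim path, so a deferred handle of another object survives. */
bool zspage_free(struct zspage_model *p, size_t idx)
{
	if (idx >= NR_OBJS || slot_tag(p->slot[idx]) != OBJ_ALLOCATED_TAG) return false;
	p->slot[idx] = make_slot(p->freelist_head, OBJ_FREE_TAG);
	p->freelist_head = idx;
	return true;
}

/* Failure path: rebuild the freelist from the tags.  Deferred slots become
 * free slots and their handles are released; allocated slots are kept. */
static void restore_freelist(struct zspage_model *p, void (*free_handle)(uintptr_t))
{
	p->freelist_head = FREE_END;
	for (size_t i = NR_OBJS; i-- > 0;) {    /* backwards, so the list ends in index order */
		uintptr_t tag = slot_tag(p->slot[i]);
		if (tag == OBJ_ALLOCATED_TAG) continue;
		if (tag == OBJ_DEFERRED_TAG) free_handle(slot_value(p->slot[i]));
		p->slot[i] = make_slot(p->freelist_head, OBJ_FREE_TAG);
		p->freelist_head = i;
	}
}

/* zs_reclaim_page() model: evict(handle) is true once the backend has written
 * the object back.  The handle stays in its own slot, retagged as deferred. */
bool zspage_reclaim(struct zspage_model *p, bool (*evict)(uintptr_t),
		    void (*free_handle)(uintptr_t))
{
	for (size_t i = 0; i < NR_OBJS; i++) {
		if (slot_tag(p->slot[i]) != OBJ_ALLOCATED_TAG) continue;
		uintptr_t handle = slot_value(p->slot[i]);
		if (!evict(handle)) { restore_freelist(p, free_handle); return false; }
		p->slot[i] = make_slot(handle, OBJ_DEFERRED_TAG);
	}
	for (size_t i = 0; i < NR_OBJS; i++)    /* success: release every deferred handle */
		if (slot_tag(p->slot[i]) == OBJ_DEFERRED_TAG) free_handle(slot_value(p->slot[i]));
	zspage_init(p);                         /* the emptied page goes back to the pool */
	return true;
}

/* Constructed scenario (hypothetical handle values): three objects, one freed
 * by its owner, a backend that refuses to evict 0x200, then a second pass. */
struct scenario_result { bool first_ok, second_ok; size_t freed_after_first, realloc_slot, freed_total; };
static size_t g_freed;
static void count_freed(uintptr_t h) { (void)h; g_freed++; }
static bool evict_all(uintptr_t h) { (void)h; return true; }
static bool evict_refuse_0x200(uintptr_t h) { return h != 0x200; }

struct scenario_result run_scenario(void)
{
	struct scenario_result r; struct zspage_model p;
	g_freed = 0; zspage_init(&p);
	zspage_alloc(&p, 0x100); zspage_alloc(&p, 0x200);
	zspage_free(&p, (size_t)zspage_alloc(&p, 0x300));  /* owner frees before reclaim runs */
	r.first_ok = zspage_reclaim(&p, evict_refuse_0x200, count_freed);
	r.freed_after_first = g_freed;                     /* 0x100 was evicted: its handle is released */
	r.realloc_slot = (size_t)zspage_alloc(&p, 0x400);  /* the rebuilt freelist hands out slot 0 */
	r.second_ok = zspage_reclaim(&p, evict_all, count_freed);
	r.freed_total = g_freed;
	return r;
}
```

In the first pass the backend refuses one object, so restore_freelist() turns the already-evicted slot back into a free slot and releases its handle while the refused object stays allocated and keeps its slot; the second pass evicts everything and releases the remaining handles. Calling run_scenario() returns those counts so the two paths can be checked without a page dump.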