The patch titled Subject: mm/z3fold.c: lock z3fold page before __SetPageMovable() has been added to the -mm tree. Its filename is mm-z3foldc-lock-z3fold-page-before-__setpagemovable.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/mm-z3foldc-lock-z3fold-page-before-__setpagemovable.patch and later at http://ozlabs.org/~akpm/mmotm/broken-out/mm-z3foldc-lock-z3fold-page-before-__setpagemovable.patch Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Henry Burns <henryburns@xxxxxxxxxx> Subject: mm/z3fold.c: lock z3fold page before __SetPageMovable() __SetPageMovable() expects its page to be locked, but z3fold.c doesn't lock the page. This triggers the VM_BUG_ON_PAGE(!PageLocked(page), page) in __SetPageMovable(). Following zsmalloc.c's example we call trylock_page() and unlock_page(). Also make z3fold_page_migrate() assert that newpage is passed in locked, as per the documentation. Link: http://lkml.kernel.org/r/20190702005122.41036-1-henryburns@xxxxxxxxxx Signed-off-by: Henry Burns <henryburns@xxxxxxxxxx> Suggested-by: Vitaly Wool <vitalywool@xxxxxxxxx> Acked-by: Vitaly Wool <vitalywool@xxxxxxxxx> Acked-by: David Rientjes <rientjes@xxxxxxxxxx> Cc: Shakeel Butt <shakeelb@xxxxxxxxxx> Cc: Vitaly Vul <vitaly.vul@xxxxxxxx> Cc: Mike Rapoport <rppt@xxxxxxxxxxxxxxxxxx> Cc: Xidong Wang <wangxidong_97@xxxxxxx> Cc: Jonathan Adams <jwadams@xxxxxxxxxx> Cc: <stable@xxxxxxxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- mm/z3fold.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) --- a/mm/z3fold.c~mm-z3foldc-lock-z3fold-page-before-__setpagemovable +++ a/mm/z3fold.c @@ -919,7 +919,10 @@ retry: set_bit(PAGE_HEADLESS, &page->private); goto headless; } - __SetPageMovable(page, pool->inode->i_mapping); + if (!WARN_ON(!trylock_page(page))) { + __SetPageMovable(page, pool->inode->i_mapping); + unlock_page(page); + } z3fold_page_lock(zhdr); found: @@ -1326,6 +1329,7 @@ static int z3fold_page_migrate(struct ad VM_BUG_ON_PAGE(!PageMovable(page), page); VM_BUG_ON_PAGE(!PageIsolated(page), page); + VM_BUG_ON_PAGE(!PageLocked(newpage), newpage); zhdr = page_address(page); pool = zhdr_to_pool(zhdr); _ Patches currently in -mm which might be from henryburns@xxxxxxxxxx are mm-z3fold-fix-z3fold_buddy_slots-use-after-free.patch mm-z3foldc-lock-z3fold-page-before-__setpagemovable.patch