On Thu, Oct 24, 2019 at 10:41:15AM -0700, Matthew Wilcox wrote:
On Thu, Oct 24, 2019 at 11:03:20PM +0800, zhong jiang wrote:
By reviewing the code, I find that there is an race between iterate
the radix_tree and radix_tree_insert/delete. Because the former just
access its slot in rcu protected period. but it fails to prevent the
radix_tree from being changed.
Reviewed-by: Matthew Wilcox (Oracle) <willy@xxxxxxxxxxxxx>
The locking here now matches the locking in memfd_tag_pins() that
was changed in ef3038a573aa8bf2f3797b110f7244b55a0e519c (part of 4.20-rc1).
I didn't notice that I was fixing a bug when I changed the locking.
This bug has been present since 05f65b5c70909ef686f865f0a85406d74d75f70f
(part of 3.17) so backports will need to go further back. This code has
moved around a bit (mm/shmem.c) and the APIs have changed, so it will
take some effort.
I've queued this up for 4.19. Patches for older branches are more than
welcome.
--
Thanks,
Sasha
