From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.1 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 51EAEC41514 for ; Thu, 22 Aug 2019 17:08:24 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 290322341D for ; Thu, 22 Aug 2019 17:08:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1566493704; bh=6o1NOPLZe31bDQ/tQaqmdQYyapJSNNIVBkL+DSK1RA8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=ixryg3/LkBFDrlwoGtwLFSyg6AXEnp3HJeWk2/XLSKAWRJ3Yjoq8IAoMqUeuCWh7m Enu4wTBTVDSJxv9VwcGxIeg8tNLPrVwSF0JOJGU02p9c4+SVIKWpQWAkvKBB+28hUF dr8O9VmiFbCnYn3A90MGbhP54uaoNZZjSYGryq7Y= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390294AbfHVRIX (ORCPT ); Thu, 22 Aug 2019 13:08:23 -0400 Received: from mail.kernel.org ([198.145.29.99]:57774 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2390262AbfHVRIT (ORCPT ); Thu, 22 Aug 2019 13:08:19 -0400 Received: from sasha-vm.mshome.net (wsip-184-188-36-2.sd.sd.cox.net [184.188.36.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 6EE0E2341B; Thu, 22 Aug 2019 17:08:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1566493699; bh=6o1NOPLZe31bDQ/tQaqmdQYyapJSNNIVBkL+DSK1RA8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=WnwzNUkT/ko0dm6ATD/gmOj5DRVU7Fu/02KHiQKzTjnqarHJy1jTmXeFgGiq8DMdg DhGpy6BwyYHwtQLud1Q+HZHYCGYMONOu97MhATfxwUjum2/XIgoR0UD2VtPK1Znq3B JBlBcSFgZiVulLpICoHn2R9Yywb5opzkc0gBTZ/M= From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Henry Burns , Shakeel Butt , Jonathan Adams , Vitaly Vul , Vitaly Wool , David Howells , Thomas Gleixner , Al Viro , Henry Burns , Andrew Morton , Linus Torvalds , Greg Kroah-Hartman Subject: [PATCH 5.2 008/135] mm/z3fold.c: fix z3fold_destroy_pool() race condition Date: Thu, 22 Aug 2019 13:06:04 -0400 Message-Id: <20190822170811.13303-9-sashal@kernel.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190822170811.13303-1-sashal@kernel.org> References: <20190822170811.13303-1-sashal@kernel.org> MIME-Version: 1.0 X-KernelTest-Patch: http://kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.2.10-rc1.gz X-KernelTest-Tree: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git X-KernelTest-Branch: linux-5.2.y X-KernelTest-Patches: git://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git X-KernelTest-Version: 5.2.10-rc1 X-KernelTest-Deadline: 2019-08-24T17:07+00:00 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Henry Burns commit b997052bc3ac444a0bceab1093aff7ae71ed419e upstream. The constraint from the zpool use of z3fold_destroy_pool() is there are no outstanding handles to memory (so no active allocations), but it is possible for there to be outstanding work on either of the two wqs in the pool. Calling z3fold_deregister_migration() before the workqueues are drained means that there can be allocated pages referencing a freed inode, causing any thread in compaction to be able to trip over the bad pointer in PageMovable(). Link: http://lkml.kernel.org/r/20190726224810.79660-2-henryburns@google.com Fixes: 1f862989b04a ("mm/z3fold.c: support page migration") Signed-off-by: Henry Burns Reviewed-by: Shakeel Butt Reviewed-by: Jonathan Adams Cc: Vitaly Vul Cc: Vitaly Wool Cc: David Howells Cc: Thomas Gleixner Cc: Al Viro Cc: Henry Burns Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- mm/z3fold.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mm/z3fold.c b/mm/z3fold.c index d06d7f9560028..c4debbe683eba 100644 --- a/mm/z3fold.c +++ b/mm/z3fold.c @@ -819,16 +819,19 @@ static struct z3fold_pool *z3fold_create_pool(const char *name, gfp_t gfp, static void z3fold_destroy_pool(struct z3fold_pool *pool) { kmem_cache_destroy(pool->c_handle); - z3fold_unregister_migration(pool); /* * We need to destroy pool->compact_wq before pool->release_wq, * as any pending work on pool->compact_wq will call * queue_work(pool->release_wq, &pool->work). + * + * There are still outstanding pages until both workqueues are drained, + * so we cannot unregister migration until then. */ destroy_workqueue(pool->compact_wq); destroy_workqueue(pool->release_wq); + z3fold_unregister_migration(pool); kfree(pool); } -- 2.20.1