From: Shakeel Butt
Date: Fri, 26 Jul 2019 16:07:07 -0700
Subject: Re: [PATCH] mm/z3fold.c: Fix z3fold_destroy_pool() race condition
To: Henry Burns
Cc: Vitaly Vul, Andrew Morton, Jonathan Adams, David Howells, Thomas Gleixner, Al Viro, Linux MM, LKML, stable@vger.kernel.org
In-Reply-To: <20190726224810.79660-2-henryburns@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jul 26, 2019 at 3:48 PM Henry Burns wrote:
>
> The constraint from the zpool use of z3fold_destroy_pool() is there are no
> outstanding handles to memory (so no active allocations), but it is possible
> for there to be outstanding work on either of the two wqs in the pool.
>
> Calling z3fold_deregister_migration() before the workqueues are drained
> means that there can be allocated pages referencing a freed inode,
> causing any thread in compaction to be able to trip over the bad
> pointer in PageMovable().
>
> Fixes: 1f862989b04a ("mm/z3fold.c: support page migration")
>
> Signed-off-by: Henry Burns

Reviewed-by: Shakeel Butt

> Cc:
> --- > mm/z3fold.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/mm/z3fold.c b/mm/z3fold.c > index 43de92f52961..ed19d98c9dcd 100644 > --- a/mm/z3fold.c 
> +++ b/mm/z3fold.c > @@ -817,16 +817,19 @@ static struct z3fold_pool *z3fold_create_pool(const char *name, gfp_t gfp, > static void z3fold_destroy_pool(struct z3fold_pool *pool) > { > kmem_cache_destroy(pool->c_handle); > - z3fold_unregister_migration(pool); > > /* > * We need to destroy pool->compact_wq before pool->release_wq, > * as any pending work on pool->compact_wq will call > * queue_work(pool->release_wq, &pool->work). > + * > + * There are still outstanding pages until both workqueues are drained, > + * so we cannot unregister migration until then. > */ > > destroy_workqueue(pool->compact_wq); > destroy_workqueue(pool->release_wq); > + z3fold_unregister_migration(pool); > kfree(pool); > } > > -- > 2.22.0.709.g102302147b-goog >
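
Review bot: kmem_cache_destroy(pool->c_handle) is still the first call in z3fold_destroy_pool(), ahead of both destroy_workqueue() calls, while the commit message says work can still be outstanding on either workqueue at that point. If any of that pending work allocates from or frees to pool->c_handle, the cache has the same ordering problem this patch fixes for migration; please confirm it does not, or move the kmem_cache_destroy() call after the two destroy_workqueue() calls, next to z3fold_unregister_migration(pool). Two smaller points: the commit message names z3fold_deregister_migration(), but the function in the diff is z3fold_unregister_migration(), and the blank line between the Fixes: tag and Signed-off-by: splits the trailer block.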