From: Henry Burns
Date: Mon, 29 Jul 2019 11:41:45 -0700
Subject: Re: [PATCH] mm/z3fold.c: Fix z3fold_destroy_pool() race condition
To: Jonathan Adams
Cc: Vitaly Vul, Andrew Morton, Shakeel Butt, David Howells, Thomas Gleixner, Al Viro, Linux-MM, LKML, stable@vger.kernel.org
References: <20190726224810.79660-1-henryburns@google.com> <20190726224810.79660-2-henryburns@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

The constraint from the zpool use of z3fold_destroy_pool() is there are no
outstanding handles to memory (so no active allocations), but it is possible
for there to be outstanding work on either of the two wqs in the pool.

Calling z3fold_deregister_migration() before the workqueues are drained means
that there can be allocated pages referencing a freed inode, causing any
thread in compaction to be able to trip over the bad pointer in PageMovable().

Fixes: 1f862989b04a ("mm/z3fold.c: support page migration")
Signed-off-by: Henry Burns
> Reviewed-by: Shakeel Butt
> Reviewed-by: Jonathan Adams
>
> > Cc:
> > ---
> > mm/z3fold.c | 5 ++++-
> > 1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/mm/z3fold.c b/mm/z3fold.c
> > index 43de92f52961..ed19d98c9dcd 100644
> > --- a/mm/z3fold.c
> > +++ b/mm/z3fold.c
> > @@ -817,16 +817,19 @@ static struct z3fold_pool *z3fold_create_pool(const char *name, gfp_t gfp, > > static void z3fold_destroy_pool(struct z3fold_pool *pool) > > { > > kmem_cache_destroy(pool->c_handle); > > - z3fold_unregister_migration(pool); > > > > /* > > * We need to destroy pool->compact_wq before pool->release_wq, > > * as any pending work on pool->compact_wq will call > > * queue_work(pool->release_wq, &pool->work). > > + * > > + * There are still outstanding pages until both workqueues are drained, > > + * so we cannot unregister migration until then. > > */ > > > > destroy_workqueue(pool->compact_wq); > > destroy_workqueue(pool->release_wq); > > + z3fold_unregister_migration(pool); > > kfree(pool); > > } > > > > -- > > 2.22.0.709.g102302147b-goog > >
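Review bot: The commit message names the function z3fold_deregister_migration(), but the hunk moves z3fold_unregister_migration(pool); the message should use the real name so the log matches the code. The reorder itself reads correctly, and the added comment explains that unregistering must wait for both destroy_workqueue() calls; it would help a reader of the comment alone to also say what an outstanding page would otherwise reference (the migration inode that PageMovable() checks, per the commit message), since the comment currently states the rule without the hazard.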
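A user-space model of the teardown ordering this patch establishes, added here as an illustration; it is not kernel code and not part of the patch. The two workqueues are reduced to linked lists that a destroy_*_wq() call drains, the migration inode to a struct with a live flag (unregistering clears the flag instead of freeing the memory, so a work item that dereferences a dead mapping is counted deterministically rather than being a real use-after-free), and every name below is an assumption. It covers both points of the comment in the hunk: compact work queues release work, so compact_wq must go first, and migration may only be unregistered once both queues are empty.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Model of the inode z3fold registers so its pages are PageMovable(). */
struct migration_inode {
    bool live;   /* cleared on "unregister"; memory kept so the check is deterministic */
};

/* Minimal page: only the mapping pointer the migration path dereferences. */
struct page {
    struct migration_inode *mapping;
    struct page *next;
};

struct pool {
    struct page *compact_wq;      /* pending compaction work, one page per item */
    struct page *release_wq;      /* pending release work, one page per item */
    struct migration_inode *inode;
    int bad_pointer_trips;        /* work items that touched a dead mapping */
};

static void push(struct page **q, struct page *pg)
{
    pg->next = *q;
    *q = pg;
}

static void register_migration(struct pool *p)
{
    p->inode = malloc(sizeof *p->inode);
    p->inode->live = true;
}

static void unregister_migration(struct pool *p)
{
    p->inode->live = false;   /* stands in for freeing the inode */
}

/* destroy_workqueue(compact_wq): drain pending work. Each item inspects the
 * page's mapping (as PageMovable() would) and then queues release work. */
static void destroy_compact_wq(struct pool *p)
{
    struct page *pg;
    while ((pg = p->compact_wq) != NULL) {
        p->compact_wq = pg->next;
        if (!pg->mapping->live)
            p->bad_pointer_trips++;
        push(&p->release_wq, pg);
    }
}

/* destroy_workqueue(release_wq): drain pending work, freeing the pages. */
static void destroy_release_wq(struct pool *p)
{
    struct page *pg;
    while ((pg = p->release_wq) != NULL) {
        p->release_wq = pg->next;
        if (!pg->mapping->live)
            p->bad_pointer_trips++;
        free(pg);
    }
}

/* Constructed input: a pool with n pages still on compact_wq at destroy time. */
static struct pool *make_pool_with_pending(int n)
{
    struct pool *p = calloc(1, sizeof *p);
    register_migration(p);
    for (int i = 0; i < n; i++) {
        struct page *pg = calloc(1, sizeof *pg);
        pg->mapping = p->inode;
        push(&p->compact_wq, pg);
    }
    return p;
}

static int finish(struct pool *p, int result)
{
    free(p->inode);
    free(p);
    return result;
}

/* Pre-patch order: unregister before draining. Returns dead-mapping trips. */
static int destroy_pool_unregister_first(struct pool *p)
{
    unregister_migration(p);
    destroy_compact_wq(p);
    destroy_release_wq(p);
    return finish(p, p->bad_pointer_trips);
}

/* Patched order: drain both queues, then unregister. Returns trips (0). */
static int destroy_pool_drain_first(struct pool *p)
{
    destroy_compact_wq(p);
    destroy_release_wq(p);
    unregister_migration(p);
    return finish(p, p->bad_pointer_trips);
}

/* Wrong queue order (release before compact): compaction re-queues release
 * work after release_wq is gone. Returns the pages left undrained. */
static int destroy_pool_wq_order_swapped(struct pool *p)
{
    destroy_release_wq(p);
    destroy_compact_wq(p);
    int leftover = 0;
    struct page *pg;
    while ((pg = p->release_wq) != NULL) {
        p->release_wq = pg->next;
        free(pg);
        leftover++;
    }
    unregister_migration(p);
    return finish(p, leftover);
}
```

With three pages pending, the pre-patch order trips on the dead mapping once per page in each queue (six times), the patched order never does, and swapping the two destroy calls strands three pages on release_wq, which is what the comment in the hunk warns about.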