Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp1404795ybl;
        Thu, 22 Aug 2019 14:05:00 -0700 (PDT)
X-Google-Smtp-Source: APXvYqyV+JOKBvDpn87oqlGfnAkhl0iuEO2VZXMciZTKbr8ZjpWzM6jNNnC3HdpQRD9QanuwbI7E
X-Received: by 2002:a63:e20a:: with SMTP id q10mr1016415pgh.24.1566507900402;
        Thu, 22 Aug 2019 14:05:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1566507900; cv=none;
        d=google.com; s=arc-20160816;
        b=Zgl7hbGXYGFGQRf5v/fI69hlQ6uwPXx83y7vRqjDH1YKlokTxwDD/RalFHtyZFSUb/
         13kKsfpDRm5579fltg8bKYFKRZaxoa8rolnBqTNpN/cF3wnIZjp+GE6mvPaIXgUWquHW
         VXflqX03VFgChy4YM9cazRifV7SM//qMa+6gZKAot4ZXMuJFDz3OR/v9ktyzbhQqRlLn
         3KE9NmL+8fTEF3E4fHHK0rBkGVvEkhSAstttKXre1e3udre5MFXKgzZyLih3nnoogEmi
         /fhU/D4z/ljJ0aPdXFEtN/nqXFGD3YIuRG8S0XKTxWRgS2OpOg/01FeeXxcc/8vtYilw
         MI3w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=eqA5c3EjVG/RCZ+M+necDfHPIgjG1mg5Vh319LaqI7A=;
        b=TXW9u8LkQYo9PbNdApw8qVedP7Zm5nLbTtzvs8WfLUt8Qczka8mxbW5F/KMBLsDTlA
         /2dKSfyQGdQ8WJGob3bb3qDzejjGVOEN2AYLHz9aD5xzsA/x/J+fYnOI94GVRFdnhFEw
         i3buMOiTQQaq1VAFtu6sWan5qQ8PKSbtcTVmYHF2WU1hetbBfNx+qwzhqT6R/VaRQ2LL
         CtZwAojThfP/lvu5ZYsnooZ/kigBss5wacVjYQVGzpUI93GST9O+ubNLmwGYktvWm4Sw
         HUbuCTwHJ4zOpqZUoMtZlE1/SF3uGYvB1bhqjW8RPB1sR81hI9Kar+9JjyyWoYLUo/35
         nBzw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b="KxyQr/4v";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id m127si320632pgm.100.2019.08.22.14.04.45;
        Thu, 22 Aug 2019 14:05:00 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b="KxyQr/4v";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2390274AbfHVRIV (ORCPT <rfc822;zoe.song.ucas@gmail.com>
        + 99 others); Thu, 22 Aug 2019 13:08:21 -0400
Received: from mail.kernel.org ([198.145.29.99]:57750 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S2390254AbfHVRIT (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 22 Aug 2019 13:08:19 -0400
Received: from sasha-vm.mshome.net (wsip-184-188-36-2.sd.sd.cox.net [184.188.36.2])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 9A8562341C;
        Thu, 22 Aug 2019 17:08:17 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1566493698;
        bh=5ruvj0Kl7Jdtk416ercWYo2lT39P6j9MkmjDWCdDYv0=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=KxyQr/4vd3vFm0b+a1nCpKZEKQAFPjuXxuMI0QPPmprYXF7GhGuzwc31ZBG6xMdbo
         oRfQajM5iyKILsdoXpHjfxd/jN1ejdGFW+x9bOMjqWHDNLeohdExGos2saa73ybabX
         d9vEgiu6+plGv71VwMDzpSCYhNHtdKqdzUMKUVV4=
From:   Sasha Levin <sashal@kernel.org>
To:     linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc:     Henry Burns <henryburns@google.com>,
        Shakeel Butt <shakeelb@google.com>,
        Jonathan Adams <jwadams@google.com>,
        Vitaly Vul <vitaly.vul@sony.com>,
        Vitaly Wool <vitalywool@gmail.com>,
        David Howells <dhowells@redhat.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Henry Burns <henrywolfeburns@gmail.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: [PATCH 5.2 007/135] mm/z3fold.c: fix z3fold_destroy_pool() ordering
Date:   Thu, 22 Aug 2019 13:06:03 -0400
Message-Id: <20190822170811.13303-8-sashal@kernel.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190822170811.13303-1-sashal@kernel.org>
References: <20190822170811.13303-1-sashal@kernel.org>
MIME-Version: 1.0
X-KernelTest-Patch: http://kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.2.10-rc1.gz
X-KernelTest-Tree: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
X-KernelTest-Branch: linux-5.2.y
X-KernelTest-Patches: git://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git
X-KernelTest-Version: 5.2.10-rc1
X-KernelTest-Deadline: 2019-08-24T17:07+00:00
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Henry Burns <henryburns@google.com>

commit 6051d3bd3b91e96c59e62b8be2dba1cc2b19ee40 upstream.

The constraint from the zpool use of z3fold_destroy_pool() is there are
no outstanding handles to memory (so no active allocations), but it is
possible for there to be outstanding work on either of the two wqs in
the pool.

If there is work queued on pool->compact_workqueue when it is called,
z3fold_destroy_pool() will do:

   z3fold_destroy_pool()
     destroy_workqueue(pool->release_wq)
     destroy_workqueue(pool->compact_wq)
       drain_workqueue(pool->compact_wq)
         do_compact_page(zhdr)
           kref_put(&zhdr->refcount)
             __release_z3fold_page(zhdr, ...)
               queue_work_on(pool->release_wq, &pool->work) *BOOM*

So compact_wq needs to be destroyed before release_wq.

Link: http://lkml.kernel.org/r/20190726224810.79660-1-henryburns@google.com
Fixes: 5d03a6613957 ("mm/z3fold.c: use kref to prevent page free/compact race")
Signed-off-by: Henry Burns <henryburns@google.com>
Reviewed-by: Shakeel Butt <shakeelb@google.com>
Reviewed-by: Jonathan Adams <jwadams@google.com>
Cc: Vitaly Vul <vitaly.vul@sony.com>
Cc: Vitaly Wool <vitalywool@gmail.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Al Viro <viro@zeniv.linux.org.uk
Cc: Henry Burns <henrywolfeburns@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/z3fold.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/mm/z3fold.c b/mm/z3fold.c
index 3b27094dc42e1..d06d7f9560028 100644
--- a/mm/z3fold.c
+++ b/mm/z3fold.c
@@ -820,8 +820,15 @@ static void z3fold_destroy_pool(struct z3fold_pool *pool)
 {
 	kmem_cache_destroy(pool->c_handle);
 	z3fold_unregister_migration(pool);
-	destroy_workqueue(pool->release_wq);
+
+	/*
+	 * We need to destroy pool->compact_wq before pool->release_wq,
+	 * as any pending work on pool->compact_wq will call
+	 * queue_work(pool->release_wq, &pool->work).
+	 */
+
 	destroy_workqueue(pool->compact_wq);
+	destroy_workqueue(pool->release_wq);
 	kfree(pool);
 }
 
-- 
2.20.1