Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp1457432ybl;
        Thu, 22 Aug 2019 15:06:43 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxE8LsxieTqk5bYkzSghlIHxMGm+seFjJ4lIv4ph0Jx9eLB2qLEyraVNYjfKQUfy6oqba9C
X-Received: by 2002:a63:e807:: with SMTP id s7mr1166433pgh.194.1566511603120;
        Thu, 22 Aug 2019 15:06:43 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1566511603; cv=none;
        d=google.com; s=arc-20160816;
        b=JtUmoZSWsv0+9NE6j9YUznVGbMNe0329ULNsIjMfer0iIKyNGTvh7tQYYe+lXHssTY
         9w8qY0kXxCHWeHvkE+SEXOJOaXcl7OaDpbuO4lzNjjJAOQRid2wYIFi3M0haS2qGkiJn
         rAUHe2h36cnHm4CdNXRGafZoZsJf2jxgXj4Wrpm9yczPPxHls2vFTabwVPvS3BDqdM4u
         nNTCrxRuQseJU21m6jJBvAjXofTDKkL89Kp7s6roJkOeXjOyWMul+DWmVuPscUNewRQ/
         +32qzMy/QEwBWnD1XLAPwfHPK4TzCGUYiQERg7SQwJPy+147l0lQCrAdxxBoC25oWMAI
         kRyw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=44p+eyjqjN2TTOasl6wJYyZxTcMCHC69Bka0Bcefyxo=;
        b=otmDsN/lnCjsEftX4bE+lT8nDnENYAQWjEofbKFI5P4STPt60Y+k6/lXiA3WXeM7Zp
         TKUETF6dCfxzt2/XoH+ak6QQWlvuneL5aOTYE61vEv+jFnh0W3XGomNnDYIviNmYB/4z
         t77BBtAeVMXm05pljQXOJq/L1sw40H1dPAEaTaeQ6O782ZZ2xIIQgJ3aMYOesfxqaVgQ
         Nfl3ZWliRvUqRsLUaMw6t1XMshTSwo5FJ4JC7t5kDTCjjJbVUW0DYjrMPe7L1r/FJges
         Pbe7G24LZ4g/OkOm3QgrAFA0xsXf3iBPqbJqE/Ijy28n7GuqvnB9w2lbzFMjh3ie451Z
         U7VA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=WnwzNUkT;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id f131si396483pgc.265.2019.08.22.15.06.26;
        Thu, 22 Aug 2019 15:06:43 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=WnwzNUkT;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2390287AbfHVRIW (ORCPT <rfc822;zoe.song.ucas@gmail.com>
        + 99 others); Thu, 22 Aug 2019 13:08:22 -0400
Received: from mail.kernel.org ([198.145.29.99]:57774 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S2390262AbfHVRIT (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 22 Aug 2019 13:08:19 -0400
Received: from sasha-vm.mshome.net (wsip-184-188-36-2.sd.sd.cox.net [184.188.36.2])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 6EE0E2341B;
        Thu, 22 Aug 2019 17:08:18 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1566493699;
        bh=6o1NOPLZe31bDQ/tQaqmdQYyapJSNNIVBkL+DSK1RA8=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=WnwzNUkT/ko0dm6ATD/gmOj5DRVU7Fu/02KHiQKzTjnqarHJy1jTmXeFgGiq8DMdg
         DhGpy6BwyYHwtQLud1Q+HZHYCGYMONOu97MhATfxwUjum2/XIgoR0UD2VtPK1Znq3B
         JBlBcSFgZiVulLpICoHn2R9Yywb5opzkc0gBTZ/M=
From:   Sasha Levin <sashal@kernel.org>
To:     linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc:     Henry Burns <henryburns@google.com>,
        Shakeel Butt <shakeelb@google.com>,
        Jonathan Adams <jwadams@google.com>,
        Vitaly Vul <vitaly.vul@sony.com>,
        Vitaly Wool <vitalywool@gmail.com>,
        David Howells <dhowells@redhat.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Al Viro <viro@zeniv.linux.org.uk>,
        Henry Burns <henrywolfeburns@gmail.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: [PATCH 5.2 008/135] mm/z3fold.c: fix z3fold_destroy_pool() race condition
Date:   Thu, 22 Aug 2019 13:06:04 -0400
Message-Id: <20190822170811.13303-9-sashal@kernel.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190822170811.13303-1-sashal@kernel.org>
References: <20190822170811.13303-1-sashal@kernel.org>
MIME-Version: 1.0
X-KernelTest-Patch: http://kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.2.10-rc1.gz
X-KernelTest-Tree: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
X-KernelTest-Branch: linux-5.2.y
X-KernelTest-Patches: git://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git
X-KernelTest-Version: 5.2.10-rc1
X-KernelTest-Deadline: 2019-08-24T17:07+00:00
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Henry Burns <henryburns@google.com>

commit b997052bc3ac444a0bceab1093aff7ae71ed419e upstream.

The constraint from the zpool use of z3fold_destroy_pool() is there are
no outstanding handles to memory (so no active allocations), but it is
possible for there to be outstanding work on either of the two wqs in
the pool.

Calling z3fold_deregister_migration() before the workqueues are drained
means that there can be allocated pages referencing a freed inode,
causing any thread in compaction to be able to trip over the bad pointer
in PageMovable().

Link: http://lkml.kernel.org/r/20190726224810.79660-2-henryburns@google.com
Fixes: 1f862989b04a ("mm/z3fold.c: support page migration")
Signed-off-by: Henry Burns <henryburns@google.com>
Reviewed-by: Shakeel Butt <shakeelb@google.com>
Reviewed-by: Jonathan Adams <jwadams@google.com>
Cc: Vitaly Vul <vitaly.vul@sony.com>
Cc: Vitaly Wool <vitalywool@gmail.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Henry Burns <henrywolfeburns@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/z3fold.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/mm/z3fold.c b/mm/z3fold.c
index d06d7f9560028..c4debbe683eba 100644
--- a/mm/z3fold.c
+++ b/mm/z3fold.c
@@ -819,16 +819,19 @@ static struct z3fold_pool *z3fold_create_pool(const char *name, gfp_t gfp,
 static void z3fold_destroy_pool(struct z3fold_pool *pool)
 {
 	kmem_cache_destroy(pool->c_handle);
-	z3fold_unregister_migration(pool);
 
 	/*
 	 * We need to destroy pool->compact_wq before pool->release_wq,
 	 * as any pending work on pool->compact_wq will call
 	 * queue_work(pool->release_wq, &pool->work).
+	 *
+	 * There are still outstanding pages until both workqueues are drained,
+	 * so we cannot unregister migration until then.
 	 */
 
 	destroy_workqueue(pool->compact_wq);
 	destroy_workqueue(pool->release_wq);
+	z3fold_unregister_migration(pool);
 	kfree(pool);
 }
 
-- 
2.20.1