| author | Miaohe Lin <[email protected]> | 2021-11-05 13:45:03 -0700 |
|---|---|---|
| committer | Linus Torvalds <[email protected]> | 2021-11-06 13:30:43 -0700 |
| commit | afe8605ca45424629fdddfd85984b442c763dc47 (patch) | |
| tree | f2c1c82517c75a7d2e0f619a7027475553d81afb /lib/test_fortify/write_overflow-strlcpy.c | |
| parent | 3d88705c10677d1fc3f14786361aee649839aa7e (diff) | |
mm/zsmalloc.c: close race window between zs_pool_dec_isolated() and zs_unregister_migration()
There is one possible race window between zs_pool_dec_isolated() and
zs_unregister_migration() because wait_for_isolated_drain() checks the
isolated count without holding class->lock and there is no order inside
zs_pool_dec_isolated(). Thus the below race window could be possible:
```
zs_pool_dec_isolated                    zs_unregister_migration
  check pool->destroying != 0
                                          pool->destroying = true;
                                          smp_mb();
                                          wait_for_isolated_drain()
                                            wait for pool->isolated_pages == 0
  atomic_long_dec(&pool->isolated_pages);
  atomic_long_read(&pool->isolated_pages) == 0
```
Since we observe pool->destroying (false) before the atomic_long_dec()
of pool->isolated_pages, waking up pool->migration_wait is missed.
Fix this by ensuring that the check of pool->destroying happens after the
atomic_long_dec(&pool->isolated_pages).
Link: https://lkml.kernel.org/r/[email protected]
Fixes: 701d678599d0 ("mm/zsmalloc.c: fix race condition in zs_destroy_pool")
Signed-off-by: Miaohe Lin <[email protected]>
Cc: Minchan Kim <[email protected]>
Cc: Sergey Senozhatsky <[email protected]>
Cc: Henry Burns <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Diffstat (limited to 'lib/test_fortify/write_overflow-strlcpy.c')
0 files changed, 0 insertions, 0 deletions
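The race in the commit message is a lost-wakeup ordering bug: the waker reads the `destroying` flag before its own decrement becomes visible, while the waiter sets the flag, issues a full barrier, and then reads a stale count. The following is an added userspace model written for this page; it is not kernel code and not part of the commit. It reduces each side to the shared-memory steps the commit message lists, assumes each side executes its steps in program order (which is what the kernel's barriers guarantee: `smp_mb()` on the unregister side, and the ordering the fix adds after the decrement), and exhaustively enumerates every interleaving of the two sequences to ask whether the waiter can end up asleep with nobody ever calling wake_up. The `struct pool` fields, step names and the two step orders are this example's own simplifications.

```c
/*
 * Added example (not from the kernel or from this commit): a tiny
 * userspace model of the lost-wakeup race described in the commit message.
 *
 * Assumption: each side's steps execute in program order; the kernel
 * barriers (smp_mb() in zs_unregister_migration() and the ordering the
 * fix adds to zs_pool_dec_isolated()) are what make that assumption valid.
 * All interleavings of the two step sequences are enumerated exhaustively.
 */
#include <stdio.h>

enum step {
    DEC_LOAD_DESTROYING,   /* zs_pool_dec_isolated: read pool->destroying          */
    DEC_DECREMENT,         /* zs_pool_dec_isolated: atomic_long_dec(isolated_pages) */
    DEC_READ_AND_WAKE,     /* zs_pool_dec_isolated: read isolated_pages, maybe wake */
    UNREG_SET_DESTROYING,  /* zs_unregister_migration: pool->destroying = true      */
    UNREG_WAIT_CHECK,      /* wait_for_isolated_drain: read count, sleep if nonzero */
};

/* Simplified stand-in for struct zs_pool plus the observations we track. */
struct pool {
    long isolated_pages;   /* models atomic_long_t isolated_pages */
    int destroying;        /* models bool destroying */
    int waiter_asleep;     /* unregister side is blocked on migration_wait */
    int woken;             /* wake_up_all(&pool->migration_wait) was issued */
    int destroying_seen;   /* value of pool->destroying as observed by dec side */
};

/* Before the fix: nothing orders the read of pool->destroying against the
 * decrement, so the CPU may perform the read first (the commit's diagram). */
static const enum step buggy_dec[] = {
    DEC_LOAD_DESTROYING, DEC_DECREMENT, DEC_READ_AND_WAKE };
/* After the fix: pool->destroying is checked only after the decrement. */
static const enum step fixed_dec[] = {
    DEC_DECREMENT, DEC_LOAD_DESTROYING, DEC_READ_AND_WAKE };
/* zs_unregister_migration(): set the flag, smp_mb(), then check the count. */
static const enum step unreg[] = { UNREG_SET_DESTROYING, UNREG_WAIT_CHECK };

static void run_step(struct pool *p, enum step s)
{
    switch (s) {
    case DEC_LOAD_DESTROYING: p->destroying_seen = p->destroying; break;
    case DEC_DECREMENT:       p->isolated_pages--; break;
    case DEC_READ_AND_WAKE:
        /* if (atomic_long_read(&pool->isolated_pages) == 0 && pool->destroying)
         *         wake_up_all(&pool->migration_wait); */
        if (p->isolated_pages == 0 && p->destroying_seen)
            p->woken = 1;
        break;
    case UNREG_SET_DESTROYING: p->destroying = 1; break;
    case UNREG_WAIT_CHECK:
        if (p->isolated_pages != 0)
            p->waiter_asleep = 1;
        break;
    }
}

/* Explore every interleaving of the two step sequences (pool passed by
 * value so each branch gets its own copy of the state). Returns 1 if some
 * interleaving leaves the waiter asleep with no wake_up ever issued. */
static int explore(struct pool p, const enum step *a, int na, int ia,
                   const enum step *b, int nb, int ib)
{
    if (ia == na && ib == nb)
        return p.waiter_asleep && !p.woken;
    int lost = 0;
    if (ia < na) {
        struct pool q = p;
        run_step(&q, a[ia]);
        lost |= explore(q, a, na, ia + 1, b, nb, ib);
    }
    if (ib < nb) {
        struct pool q = p;
        run_step(&q, b[ib]);
        lost |= explore(q, a, na, ia, b, nb, ib + 1);
    }
    return lost;
}

/* Start state: one page still isolated, pool not yet being destroyed. */
static int lost_wakeup_possible(const enum step *dec_order, int n)
{
    struct pool p = { .isolated_pages = 1 };
    return explore(p, dec_order, n, 0, unreg, 2, 0);
}

int lost_wakeup_before_fix(void) { return lost_wakeup_possible(buggy_dec, 3); }
int lost_wakeup_after_fix(void)  { return lost_wakeup_possible(fixed_dec, 3); }

int main(void)
{
    printf("before fix: lost wakeup possible = %d\n", lost_wakeup_before_fix());
    printf("after fix:  lost wakeup possible = %d\n", lost_wakeup_after_fix());
    return 0;
}
```

With the pre-fix order the interleaving from the commit message (read flag, set flag, waiter sleeps, decrement, count is zero but flag was seen false) is found and reported as a lost wakeup. With the fixed order the waiter can only fall asleep if its count check precedes the decrement, and then the later read of `destroying` necessarily sees the flag already set, so the wakeup is always issued. The model covers only the ordering argument; it does not represent `class->lock` or the real wait-queue machinery.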