foo

Author: akpm00

patches/mm-z3fold-always-clear-page_claimed-under-z3fold-page-lock.patch

@@ -0,0 +1,65 @@
+From: Miaohe Lin <[email protected]>
+Subject: mm/z3fold: always clear PAGE_CLAIMED under z3fold page lock
+
+Think about the below race window:
+
+CPU1				CPU2
+z3fold_reclaim_page		z3fold_free
+ test_and_set_bit PAGE_CLAIMED
+ failed to reclaim page
+ z3fold_page_lock(zhdr);
+ add back to the lru list;
+ z3fold_page_unlock(zhdr);
+				 get_z3fold_header
+				 page_claimed=test_and_set_bit PAGE_CLAIMED
+
+ clear_bit(PAGE_CLAIMED, &page->private);
+
+				 if (!page_claimed) /* it's false true */
+				  free_handle is not called
+
+free_handle won't be called in this case. So z3fold_buddy_slots will leak.
+Fix it by always clear PAGE_CLAIMED under z3fold page lock.
+
+Link: https://lkml.kernel.org/r/[email protected]
+Signed-off-by: Miaohe Lin <[email protected]>
+Cc: Vitaly Wool <[email protected]>
+Signed-off-by: Andrew Morton <[email protected]>
+---
+
+ mm/z3fold.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/mm/z3fold.c~mm-z3fold-always-clear-page_claimed-under-z3fold-page-lock
++++ a/mm/z3fold.c
+@@ -1221,8 +1221,8 @@ static void z3fold_free(struct z3fold_po
+ 		return;
+ 	}
+ 	if (test_and_set_bit(NEEDS_COMPACTING, &page->private)) {
+-		put_z3fold_header(zhdr);
+ 		clear_bit(PAGE_CLAIMED, &page->private);
++		put_z3fold_header(zhdr);
+ 		return;
+ 	}
+ 	if (zhdr->cpu < 0 || !cpu_online(zhdr->cpu)) {
+@@ -1424,8 +1424,8 @@ next:
+ 			spin_unlock(&pool->lock);
+ 			if (list_empty(&zhdr->buddy))
+ 				add_to_unbuddied(pool, zhdr);
+-			z3fold_page_unlock(zhdr);
+ 			clear_bit(PAGE_CLAIMED, &page->private);
++			z3fold_page_unlock(zhdr);
+ 		}
+ 
+ 		/* We started off locked to we need to lock the pool back */
+@@ -1577,8 +1577,8 @@ static int z3fold_page_migrate(struct ad
+ 	if (!z3fold_page_trylock(zhdr))
+ 		return -EAGAIN;
+ 	if (zhdr->mapped_count != 0 || zhdr->foreign_handles != 0) {
+-		z3fold_page_unlock(zhdr);
+ 		clear_bit(PAGE_CLAIMED, &page->private);
++		z3fold_page_unlock(zhdr);
+ 		return -EBUSY;
+ 	}
+ 	if (work_pending(&zhdr->work)) {
+_

patches/mm-z3fold-fix-possible-null-pointer-dereferencing.patch

@@ -0,0 +1,41 @@
+From: Miaohe Lin <[email protected]>
+Subject: mm/z3fold: fix possible null pointer dereferencing
+
+alloc_slots could fail to allocate memory under heavy memory pressure.  So
+we should check zhdr->slots against NULL to avoid future null pointer
+dereferencing.
+
+Link: https://lkml.kernel.org/r/[email protected]
+Fixes: fc5488651c7d ("z3fold: simplify freeing slots")
+Signed-off-by: Miaohe Lin <[email protected]>
+Cc: Vitaly Wool <[email protected]>
+Signed-off-by: Andrew Morton <[email protected]>
+---
+
+ mm/z3fold.c |   12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/mm/z3fold.c~mm-z3fold-fix-possible-null-pointer-dereferencing
++++ a/mm/z3fold.c
+@@ -940,9 +940,19 @@ lookup:
+ 		}
+ 	}
+ 
+-	if (zhdr && !zhdr->slots)
++	if (zhdr && !zhdr->slots) {
+ 		zhdr->slots = alloc_slots(pool, GFP_ATOMIC);
++		if (!zhdr->slots)
++			goto out_fail;
++	}
+ 	return zhdr;
++
++out_fail:
++	if (!kref_put(&zhdr->refcount, release_z3fold_page_locked)) {
++		add_to_unbuddied(pool, zhdr);
++		z3fold_page_unlock(zhdr);
++	}
++	return NULL;
+ }
+ 
+ /*
+_

patches/mm-z3fold-fix-sheduling-while-atomic.patch

@@ -0,0 +1,39 @@
+From: Miaohe Lin <[email protected]>
+Subject: mm/z3fold: fix sheduling while atomic
+
+Patch series "A few fixup patches for z3fold".
+
+This series contains a few fixup patches to fix sheduling while atomic,
+fix possible null pointer dereferencing, fix various race conditions and
+so on. More details can be found in the respective changelogs.
+
+
+This patch (of 9):
+
+z3fold's page_lock is always held when calling alloc_slots.  So gfp should
+be GFP_ATOMIC to avoid "scheduling while atomic" bug.
+
+Link: https://lkml.kernel.org/r/[email protected]
+Link: https://lkml.kernel.org/r/[email protected]
+Fixes: fc5488651c7d ("z3fold: simplify freeing slots")
+Signed-off-by: Miaohe Lin <[email protected]>
+Cc: Vitaly Wool <[email protected]>
+Signed-off-by: Andrew Morton <[email protected]>
+---
+
+ mm/z3fold.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/mm/z3fold.c~mm-z3fold-fix-sheduling-while-atomic
++++ a/mm/z3fold.c
+@@ -941,8 +941,7 @@ lookup:
+ 	}
+ 
+ 	if (zhdr && !zhdr->slots)
+-		zhdr->slots = alloc_slots(pool,
+-					can_sleep ? GFP_NOIO : GFP_ATOMIC);
++		zhdr->slots = alloc_slots(pool, GFP_ATOMIC);
+ 	return zhdr;
+ }
+ 
+_

patches/mm-z3fold-fix-z3fold_page_migrate-races-with-z3fold_map.patch

@@ -0,0 +1,88 @@
+From: Miaohe Lin <[email protected]>
+Subject: mm/z3fold: fix z3fold_page_migrate races with z3fold_map
+
+Think about the below scenario:
+
+CPU1				CPU2
+ z3fold_page_migrate		z3fold_map
+  z3fold_page_trylock
+  ...
+  z3fold_page_unlock
+  /* slots still points to old zhdr*/
+				 get_z3fold_header
+				  get slots from handle
+				  get old zhdr from slots
+				  z3fold_page_trylock
+				  return *old* zhdr
+  encode_handle(new_zhdr, FIRST|LAST|MIDDLE)
+  put_page(page) /* zhdr is freed! */
+				 but zhdr is still used by caller!
+
+z3fold_map can map freed z3fold page and lead to use-after-free bug.  To
+fix it, we add PAGE_MIGRATED to indicate z3fold page is migrated and soon
+to be released.  So get_z3fold_header won't return such page.
+
+Link: https://lkml.kernel.org/r/[email protected]
+Fixes: 1f862989b04a ("mm/z3fold.c: support page migration")
+Signed-off-by: Miaohe Lin <[email protected]>
+Cc: Vitaly Wool <[email protected]>
+Signed-off-by: Andrew Morton <[email protected]>
+---
+
+ mm/z3fold.c |   16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/mm/z3fold.c~mm-z3fold-fix-z3fold_page_migrate-races-with-z3fold_map
++++ a/mm/z3fold.c
+@@ -181,6 +181,7 @@ enum z3fold_page_flags {
+ 	NEEDS_COMPACTING,
+ 	PAGE_STALE,
+ 	PAGE_CLAIMED, /* by either reclaim or free */
++	PAGE_MIGRATED, /* page is migrated and soon to be released */
+ };
+ 
+ /*
+@@ -270,8 +271,13 @@ static inline struct z3fold_header *get_
+ 			zhdr = (struct z3fold_header *)(addr & PAGE_MASK);
+ 			locked = z3fold_page_trylock(zhdr);
+ 			read_unlock(&slots->lock);
+-			if (locked)
+-				break;
++			if (locked) {
++				struct page *page = virt_to_page(zhdr);
++
++				if (!test_bit(PAGE_MIGRATED, &page->private))
++					break;
++				z3fold_page_unlock(zhdr);
++			}
+ 			cpu_relax();
+ 		} while (true);
+ 	} else {
+@@ -389,6 +395,7 @@ static struct z3fold_header *init_z3fold
+ 	clear_bit(NEEDS_COMPACTING, &page->private);
+ 	clear_bit(PAGE_STALE, &page->private);
+ 	clear_bit(PAGE_CLAIMED, &page->private);
++	clear_bit(PAGE_MIGRATED, &page->private);
+ 	if (headless)
+ 		return zhdr;
+ 
+@@ -1576,7 +1583,7 @@ static int z3fold_page_migrate(struct ad
+ 	new_zhdr = page_address(newpage);
+ 	memcpy(new_zhdr, zhdr, PAGE_SIZE);
+ 	newpage->private = page->private;
+-	page->private = 0;
++	set_bit(PAGE_MIGRATED, &page->private);
+ 	z3fold_page_unlock(zhdr);
+ 	spin_lock_init(&new_zhdr->page_lock);
+ 	INIT_WORK(&new_zhdr->work, compact_page_work);
+@@ -1606,7 +1613,8 @@ static int z3fold_page_migrate(struct ad
+ 
+ 	queue_work_on(new_zhdr->cpu, pool->compact_wq, &new_zhdr->work);
+ 
+-	clear_bit(PAGE_CLAIMED, &page->private);
++	/* PAGE_CLAIMED and PAGE_MIGRATED are cleared now. */
++	page->private = 0;
+ 	put_page(page);
+ 	return 0;
+ }
+_

patches/mm-z3fold-fix-z3fold_reclaim_page-races-with-z3fold_free.patch

@@ -0,0 +1,80 @@
+From: Miaohe Lin <[email protected]>
+Subject: mm/z3fold: fix z3fold_reclaim_page races with z3fold_free
+
+Think about the below scenario:
+
+CPU1				CPU2
+z3fold_reclaim_page		z3fold_free
+ spin_lock(&pool->lock)		 get_z3fold_header -- hold page_lock
+ kref_get_unless_zero
+				 kref_put--zhdr->refcount can be 1 now
+ !z3fold_page_trylock
+  kref_put -- zhdr->refcount is 0 now
+   release_z3fold_page
+    WARN_ON(!list_empty(&zhdr->buddy)); -- we're on buddy now!
+    spin_lock(&pool->lock); -- deadlock here!
+
+z3fold_reclaim_page might race with z3fold_free and will lead to pool lock
+deadlock and zhdr buddy non-empty warning.  To fix this, defer getting the
+refcount until page_lock is held just like what __z3fold_alloc does.  Note
+this has the side effect that we won't break the reclaim if we meet a soon
+to be released z3fold page now.
+
+Link: https://lkml.kernel.org/r/[email protected]
+Fixes: dcf5aedb24f8 ("z3fold: stricter locking and more careful reclaim")
+Signed-off-by: Miaohe Lin <[email protected]>
+Cc: Vitaly Wool <[email protected]>
+Signed-off-by: Andrew Morton <[email protected]>
+---
+
+ mm/z3fold.c |   18 +++---------------
+ 1 file changed, 3 insertions(+), 15 deletions(-)
+
+--- a/mm/z3fold.c~mm-z3fold-fix-z3fold_reclaim_page-races-with-z3fold_free
++++ a/mm/z3fold.c
+@@ -519,13 +519,6 @@ static void __release_z3fold_page(struct
+ 	atomic64_dec(&pool->pages_nr);
+ }
+ 
+-static void release_z3fold_page(struct kref *ref)
+-{
+-	struct z3fold_header *zhdr = container_of(ref, struct z3fold_header,
+-						refcount);
+-	__release_z3fold_page(zhdr, false);
+-}
+-
+ static void release_z3fold_page_locked(struct kref *ref)
+ {
+ 	struct z3fold_header *zhdr = container_of(ref, struct z3fold_header,
+@@ -1317,12 +1310,7 @@ static int z3fold_reclaim_page(struct z3
+ 				break;
+ 			}
+ 
+-			if (kref_get_unless_zero(&zhdr->refcount) == 0) {
+-				zhdr = NULL;
+-				break;
+-			}
+ 			if (!z3fold_page_trylock(zhdr)) {
+-				kref_put(&zhdr->refcount, release_z3fold_page);
+ 				zhdr = NULL;
+ 				continue; /* can't evict at this point */
+ 			}
+@@ -1333,14 +1321,14 @@ static int z3fold_reclaim_page(struct z3
+ 			 */
+ 			if (zhdr->foreign_handles ||
+ 			    test_and_set_bit(PAGE_CLAIMED, &page->private)) {
+-				if (!kref_put(&zhdr->refcount,
+-						release_z3fold_page_locked))
+-					z3fold_page_unlock(zhdr);
++				z3fold_page_unlock(zhdr);
+ 				zhdr = NULL;
+ 				continue; /* can't evict such page */
+ 			}
+ 			list_del_init(&zhdr->buddy);
+ 			zhdr->cpu = -1;
++			/* See comment in __z3fold_alloc. */
++			kref_get(&zhdr->refcount);
+ 			break;
+ 		}
+ 
+_

patches/mm-z3fold-put-z3fold-page-back-into-unbuddied-list-when-reclaim-or-migration-fails.patch

@@ -0,0 +1,39 @@
+From: Miaohe Lin <[email protected]>
+Subject: mm/z3fold: put z3fold page back into unbuddied list when reclaim or migration fails
+
+When doing z3fold page reclaim or migration, the page is removed from
+unbuddied list.  If reclaim or migration succeeds, it's fine as page is
+released.  But in case it fails, the page is not put back into unbuddied
+list now.  The page will be leaked until next compaction work, reclaim or
+migration is done.
+
+Link: https://lkml.kernel.org/r/[email protected]
+Signed-off-by: Miaohe Lin <[email protected]>
+Cc: Vitaly Wool <[email protected]>
+Signed-off-by: Andrew Morton <[email protected]>
+---
+
+ mm/z3fold.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/mm/z3fold.c~mm-z3fold-put-z3fold-page-back-into-unbuddied-list-when-reclaim-or-migration-fails
++++ a/mm/z3fold.c
+@@ -1422,6 +1422,8 @@ next:
+ 			spin_lock(&pool->lock);
+ 			list_add(&page->lru, &pool->lru);
+ 			spin_unlock(&pool->lock);
++			if (list_empty(&zhdr->buddy))
++				add_to_unbuddied(pool, zhdr);
+ 			z3fold_page_unlock(zhdr);
+ 			clear_bit(PAGE_CLAIMED, &page->private);
+ 		}
+@@ -1638,6 +1640,8 @@ static void z3fold_page_putback(struct p
+ 	spin_lock(&pool->lock);
+ 	list_add(&page->lru, &pool->lru);
+ 	spin_unlock(&pool->lock);
++	if (list_empty(&zhdr->buddy))
++		add_to_unbuddied(pool, zhdr);
+ 	clear_bit(PAGE_CLAIMED, &page->private);
+ 	z3fold_page_unlock(zhdr);
+ }
+_