From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=gk25=WJ=vger.kernel.org=stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.8 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
	DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SIGNED_OFF_BY,
	SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no
	version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 8D18BC433FF
	for <stable@archiver.kernel.org>; Tue, 13 Aug 2019 22:37:23 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 5658D20843
	for <stable@archiver.kernel.org>; Tue, 13 Aug 2019 22:37:23 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=default; t=1565735843;
	bh=XmpC7a09KE1qs7IYoEHjXAF1VKGkcSaF837WQi6J6gg=;
	h=Date:From:To:Subject:List-ID:From;
	b=aRALnDhFnWa4NfA5bQ1DELlUfMujDIJLr35RP/nqXfVOmo13S+vgmDfgawBmu+vHh
	 RFeeawqLq2xnpLIQ8nH1FZO8iTtY6a2BSXaCHC7eBAOITqStyPZBNMFuGKdxOOVw+b
	 LvkAghqwpjPODA/LXh+/kvCo2II4mjxh8XCFJ8T8=
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727338AbfHMWhX (ORCPT <rfc822;stable@archiver.kernel.org>);
        Tue, 13 Aug 2019 18:37:23 -0400
Received: from mail.kernel.org ([198.145.29.99]:48818 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726698AbfHMWhW (ORCPT <rfc822;stable@vger.kernel.org>);
        Tue, 13 Aug 2019 18:37:22 -0400
Received: from akpm3.svl.corp.google.com (unknown [104.133.8.65])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 249542063F;
        Tue, 13 Aug 2019 22:37:22 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1565735842;
        bh=XmpC7a09KE1qs7IYoEHjXAF1VKGkcSaF837WQi6J6gg=;
        h=Date:From:To:Subject:From;
        b=EftPmTylXbODmRj1NGh2d+nFthN6qKE7nkinTUhUxqc/enuJy/XxifSTYtIQktHKX
         GzEEfCCVoAyP4cAnKSAuV0jkZxBE290h5J/bRtaT26hxvdJcxDZ1fLcgnMSDwbznm+
         RdPYZlxc4OF5YiZaIqroqGoDKqGyHbeimNLIPTyY=
Date:   Tue, 13 Aug 2019 15:37:21 -0700
From:   akpm@linux-foundation.org
To:     vitalywool@gmail.com, vitaly.vul@sony.com, viro@zeniv.linux.org.uk,
        tglx@linutronix.de, stable@vger.kernel.org, shakeelb@google.com,
        jwadams@google.com, henrywolfeburns@gmail.com, dhowells@redhat.com,
        henryburns@google.com, akpm@linux-foundation.org,
        mm-commits@vger.kernel.org, torvalds@linux-foundation.org
Subject:  [patch 06/18] mm/z3fold.c: fix z3fold_destroy_pool()
 ordering
Message-ID: <20190813223721.WboTL%akpm@linux-foundation.org>
User-Agent: s-nail v14.9.10
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

From: Henry Burns <henryburns@google.com>
Subject: mm/z3fold.c: fix z3fold_destroy_pool() ordering

The constraint from the zpool use of z3fold_destroy_pool() is there are
no outstanding handles to memory (so no active allocations), but it is
possible for there to be outstanding work on either of the two wqs in
the pool.

If there is work queued on pool->compact_workqueue when it is called,
z3fold_destroy_pool() will do:

   z3fold_destroy_pool()
     destroy_workqueue(pool->release_wq)
     destroy_workqueue(pool->compact_wq)
       drain_workqueue(pool->compact_wq)
         do_compact_page(zhdr)
           kref_put(&zhdr->refcount)
             __release_z3fold_page(zhdr, ...)
               queue_work_on(pool->release_wq, &pool->work) *BOOM*

So compact_wq needs to be destroyed before release_wq.

Link: http://lkml.kernel.org/r/20190726224810.79660-1-henryburns@google.com
Fixes: 5d03a6613957 ("mm/z3fold.c: use kref to prevent page free/compact race")
Signed-off-by: Henry Burns <henryburns@google.com>
Reviewed-by: Shakeel Butt <shakeelb@google.com>
Reviewed-by: Jonathan Adams <jwadams@google.com>
Cc: Vitaly Vul <vitaly.vul@sony.com>
Cc: Vitaly Wool <vitalywool@gmail.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Al Viro <viro@zeniv.linux.org.uk
Cc: Henry Burns <henrywolfeburns@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 mm/z3fold.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/mm/z3fold.c~mm-z3foldc-fix-z3fold_destroy_pool-ordering
+++ a/mm/z3fold.c
@@ -818,8 +818,15 @@ static void z3fold_destroy_pool(struct z
 {
 	kmem_cache_destroy(pool->c_handle);
 	z3fold_unregister_migration(pool);
-	destroy_workqueue(pool->release_wq);
+
+	/*
+	 * We need to destroy pool->compact_wq before pool->release_wq,
+	 * as any pending work on pool->compact_wq will call
+	 * queue_work(pool->release_wq, &pool->work).
+	 */
+
 	destroy_workqueue(pool->compact_wq);
+	destroy_workqueue(pool->release_wq);
 	kfree(pool);
 }
 
_