review.tizen.org Git - platform/kernel/linux-starfive.git/commit

author	Miaohe Lin <linmiaohe@huawei.com>
	Fri, 29 Apr 2022 06:40:43 +0000 (14:40 +0800)
committer	akpm <akpm@linux-foundation.org>
	Fri, 27 May 2022 16:33:44 +0000 (09:33 -0700)
commit	943fb61dd66f475c25b1ef5dddb647070f2e89a1
tree	0f867eb3f6ae071634813a1284fa8833eb2eec4d	tree \| snapshot
parent	04094226d6ce8c0cb590891e13872109aa6722f1	commit \| diff

mm/z3fold: fix z3fold_page_migrate races with z3fold_map

Think about the below scenario:

CPU1 CPU2
z3fold_page_migrate z3fold_map
  z3fold_page_trylock
  ...
  z3fold_page_unlock
  /* slots still points to old zhdr*/
get_z3fold_header
  get slots from handle
  get old zhdr from slots
  z3fold_page_trylock
  return *old* zhdr
  encode_handle(new_zhdr, FIRST|LAST|MIDDLE)
  put_page(page) /* zhdr is freed! */
but zhdr is still used by caller!

z3fold_map can map freed z3fold page and lead to use-after-free bug.  To
fix it, we add PAGE_MIGRATED to indicate z3fold page is migrated and soon
to be released.  So get_z3fold_header won't return such page.

Link: https://lkml.kernel.org/r/20220429064051.61552-10-linmiaohe@huawei.com
Fixes: 1f862989b04a ("mm/z3fold.c: support page migration")
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Reviewed-by: Vitaly Wool <vitaly.wool@konsulko.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>