[47/71] tmpfs: fix race between swapoff and writepage

From: Greg KH
Date: Thu May 19 2011 - 14:14:52 EST

Next message: Greg KH: "[50/71] libata: fix oops when LPM is used with PMP"
Previous message: Greg KH: "[51/71] drm/radeon/kms: fix extended lvds info parsing"
In reply to: Greg KH: "[51/71] drm/radeon/kms: fix extended lvds info parsing"
Next in thread: Greg KH: "[50/71] libata: fix oops when LPM is used with PMP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

2.6.38-stable review patch. If anyone has any objections, please let us know.

------------------

From: Hugh Dickins <hughd@xxxxxxxxxx>

commit 05bf86b4ccfd0f197da61c67bd372111d15a6620 upstream.

Shame on me! Commit b1dea800ac39 "tmpfs: fix race between umount and
writepage" fixed the advertized race, but introduced another: as even
its comment makes clear, we cannot safely rely on a peek at list_empty()
while holding no lock - until info->swapped is set, shmem_unuse_inode()
may delete any formerly-swapped inode from the shmem_swaplist, which
in this case would leave a swap area impossible to swapoff.

Although I don't relish taking the mutex every time, I don't care much
for the alternatives either; and at least the peek at list_empty() in
shmem_evict_inode() (a hotter path since most inodes would never have
been swapped) remains safe, because we already truncated the whole file.

Signed-off-by: Hugh Dickins <hughd@xxxxxxxxxx>
Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>

--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -1037,7 +1037,6 @@ static int shmem_writepage(struct page *page, struct writeback_control *wbc)
struct address_space *mapping;
unsigned long index;
struct inode *inode;
- bool unlock_mutex = false;

BUG_ON(!PageLocked(page));
mapping = page->mapping;
@@ -1072,15 +1071,14 @@ static int shmem_writepage(struct page *page, struct writeback_control *wbc)
* we've taken the spinlock, because shmem_unuse_inode() will
* prune a !swapped inode from the swaplist under both locks.
*/
- if (swap.val && list_empty(&info->swaplist)) {
+ if (swap.val) {
mutex_lock(&shmem_swaplist_mutex);
- /* move instead of add in case we're racing */
- list_move_tail(&info->swaplist, &shmem_swaplist);
- unlock_mutex = true;
+ if (list_empty(&info->swaplist))
+ list_add_tail(&info->swaplist, &shmem_swaplist);
}

spin_lock(&info->lock);
- if (unlock_mutex)
+ if (swap.val)
mutex_unlock(&shmem_swaplist_mutex);

if (index >= info->next_index) {

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg KH: "[50/71] libata: fix oops when LPM is used with PMP"
Previous message: Greg KH: "[51/71] drm/radeon/kms: fix extended lvds info parsing"
In reply to: Greg KH: "[51/71] drm/radeon/kms: fix extended lvds info parsing"
Next in thread: Greg KH: "[50/71] libata: fix oops when LPM is used with PMP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]