tmpfs: fix race between truncate and writepage · 826267cf

Hugh Dickins authored

While running fsx on tmpfs with a memhog then swapoff, swapoff was hanging
(interruptibly), repeatedly failing to locate the owner of a 0xff entry in
the swap_map.

Although shmem_writepage() does abandon when it sees incoming page index
is beyond eof, there was still a window in which shmem_truncate_range()
could come in between writepage's dropping lock and updating swap_map,
find the half-completed swap_map entry, and in trying to free it,
leave it in a state that swap_shmem_alloc() could not correct.

Arguably a bug in __swap_duplicate()'s and swap_entry_free()'s handling
of the different cases, but easiest to fix by moving swap_shmem_alloc()
under cover of the lock.

More interesting than the bug: it's been there since 2.6.33, why could
I not see it with earlier kernels?  The mmotm of two weeks ago seems to
have some magic for generating races, this is just one of three I found.
With yesterday's git I first saw this in mainline, bisected in search of
that magic, but the easy reproducibility evaporated.  Oh well, fix the bug.

Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
shmem.c 77.2 KB
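The commit message describes a classic lock-window race: writepage checks the page index against eof under the lock, drops the lock, and only then lets the allocator write its half-completed marker into swap_map, so a concurrent truncate can find an entry that is neither free nor fully owned. The following is an added, deliberately simplified model written for this page, not the kernel's shmem or swap code: the names (`swap_map`, `page_slot`, `SLOT_HALF` standing in for the 0xff marker, `truncate_range`, `writepage_begin_buggy`/`writepage_begin_fixed`) and the slot states are constructed assumptions. It scripts the exact interleaving the commit describes, once with the allocation outside the lock and once with it moved under the lock, and counts the orphaned entries that a swapoff-like owner lookup would be unable to attribute.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed model, not kernel code: NPAGES pages of one file, NSLOTS
 * swap slots, one lock that writepage drops between its two halves. */
#define NPAGES 4
#define NSLOTS 2

enum slot_state { SLOT_FREE = 0, SLOT_OWNED = 1, SLOT_HALF = 0xff };

struct model {
    unsigned char swap_map[NSLOTS]; /* per-slot state (stand-in for swap_map) */
    int page_slot[NPAGES];          /* page index -> slot it swapped to, or -1 */
    size_t eof;                     /* pages at index >= eof are truncated */
    bool locked;
};

static void model_init(struct model *m, size_t eof)
{
    for (int s = 0; s < NSLOTS; s++) m->swap_map[s] = SLOT_FREE;
    for (int i = 0; i < NPAGES; i++) m->page_slot[i] = -1;
    m->eof = eof;
    m->locked = false;
}

static void lock(struct model *m)   { assert(!m->locked); m->locked = true; }
static void unlock(struct model *m) { assert(m->locked);  m->locked = false; }

/* Allocator stand-in: first writes a half-built marker (the model's 0xff),
 * which the caller completes later. */
static int alloc_half_entry(struct model *m, size_t idx)
{
    for (int s = 0; s < NSLOTS; s++)
        if (m->swap_map[s] == SLOT_FREE) {
            m->swap_map[s] = SLOT_HALF;
            m->page_slot[idx] = s;
            return s;
        }
    return -1;
}

/* Truncate under the lock: cut every page at or past new_eof loose and free
 * its entry. A half-built entry cannot be freed cleanly: the owner link is
 * cut but the marker stays behind, which is the orphan the lookup chokes on. */
static void truncate_range(struct model *m, size_t new_eof)
{
    lock(m);
    for (size_t idx = new_eof; idx < (size_t)NPAGES; idx++) {
        int s = m->page_slot[idx];
        if (s < 0) continue;
        m->page_slot[idx] = -1;
        if (m->swap_map[s] == SLOT_OWNED) m->swap_map[s] = SLOT_FREE;
    }
    m->eof = new_eof;
    unlock(m);
}

/* Buggy first half: eof check under the lock, allocation after dropping it. */
static int writepage_begin_buggy(struct model *m, size_t idx)
{
    lock(m);
    if (idx >= m->eof) { unlock(m); return -1; } /* beyond eof: abandon */
    unlock(m);                                   /* BUG: window opens here */
    return alloc_half_entry(m, idx);             /* marker written unprotected */
}

/* Fixed first half: allocate and complete the entry under the same lock,
 * so truncate only ever sees a free or a fully owned entry. */
static int writepage_begin_fixed(struct model *m, size_t idx)
{
    lock(m);
    if (idx >= m->eof) { unlock(m); return -1; }
    int s = alloc_half_entry(m, idx);
    if (s >= 0) m->swap_map[s] = SLOT_OWNED;
    unlock(m);
    return s;
}

/* Shared second half: complete the entry only if the page still points at
 * our slot; otherwise it was truncated meanwhile and writepage abandons. */
static void writepage_finish(struct model *m, size_t idx, int s)
{
    if (s < 0) return;
    lock(m);
    if (m->page_slot[idx] == s) m->swap_map[s] = SLOT_OWNED;
    unlock(m);
}

/* Slots in use that no page claims: the entries an owner lookup cannot place. */
static int orphaned_slots(const struct model *m)
{
    int n = 0;
    for (int s = 0; s < NSLOTS; s++) {
        if (m->swap_map[s] == SLOT_FREE) continue;
        bool owned = false;
        for (int i = 0; i < NPAGES; i++) if (m->page_slot[i] == s) owned = true;
        if (!owned) n++;
    }
    return n;
}

/* The interleaving from the commit: writepage(page 2) begins, truncate to a
 * single page runs inside the window, writepage finishes. Returns orphans. */
static int run_interleaving(bool fixed)
{
    struct model m;
    model_init(&m, NPAGES);
    int s = fixed ? writepage_begin_fixed(&m, 2) : writepage_begin_buggy(&m, 2);
    truncate_range(&m, 1);
    writepage_finish(&m, 2, s);
    return orphaned_slots(&m);
}
```

`run_interleaving(false)` leaves one slot marked 0xff with no page owning it, the state the commit's swapoff kept failing to resolve; `run_interleaving(true)` leaves none, because truncate finds a completed entry and frees it normally. The point of the fix is visible in the two `begin` variants: the check and the state change must sit under the same critical section, otherwise the check is stale by the time the state is written.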