Commit 05bf86b4 authored by Hugh Dickins's avatar Hugh Dickins Committed by Linus Torvalds

tmpfs: fix race between swapoff and writepage

Shame on me!  Commit b1dea800 "tmpfs: fix race between umount and
writepage" fixed the advertized race, but introduced another: as even
its comment makes clear, we cannot safely rely on a peek at list_empty()
while holding no lock - until info->swapped is set, shmem_unuse_inode()
may delete any formerly-swapped inode from the shmem_swaplist, which
in this case would leave a swap area impossible to swapoff.

Although I don't relish taking the mutex every time, I don't care much
for the alternatives either; and at least the peek at list_empty() in
shmem_evict_inode() (a hotter path since most inodes would never have
been swapped) remains safe, because we already truncated the whole file.
Signed-off-by: default avatarHugh Dickins <hughd@google.com>
Cc: stable@kernel.org
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent afa49791
...@@ -1037,7 +1037,6 @@ static int shmem_writepage(struct page *page, struct writeback_control *wbc) ...@@ -1037,7 +1037,6 @@ static int shmem_writepage(struct page *page, struct writeback_control *wbc)
struct address_space *mapping; struct address_space *mapping;
unsigned long index; unsigned long index;
struct inode *inode; struct inode *inode;
bool unlock_mutex = false;
BUG_ON(!PageLocked(page)); BUG_ON(!PageLocked(page));
mapping = page->mapping; mapping = page->mapping;
...@@ -1072,15 +1071,14 @@ static int shmem_writepage(struct page *page, struct writeback_control *wbc) ...@@ -1072,15 +1071,14 @@ static int shmem_writepage(struct page *page, struct writeback_control *wbc)
* we've taken the spinlock, because shmem_unuse_inode() will * we've taken the spinlock, because shmem_unuse_inode() will
* prune a !swapped inode from the swaplist under both locks. * prune a !swapped inode from the swaplist under both locks.
*/ */
if (swap.val && list_empty(&info->swaplist)) { if (swap.val) {
mutex_lock(&shmem_swaplist_mutex); mutex_lock(&shmem_swaplist_mutex);
/* move instead of add in case we're racing */ if (list_empty(&info->swaplist))
list_move_tail(&info->swaplist, &shmem_swaplist); list_add_tail(&info->swaplist, &shmem_swaplist);
unlock_mutex = true;
} }
spin_lock(&info->lock); spin_lock(&info->lock);
if (unlock_mutex) if (swap.val)
mutex_unlock(&shmem_swaplist_mutex); mutex_unlock(&shmem_swaplist_mutex);
if (index >= info->next_index) { if (index >= info->next_index) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment