filemap: Don't release a locked folio

We must hold a reference over the call to filemap_release_folio(),
otherwise the page cache will put the last reference to the folio
before we unlock it, leading to splats like this:

 BUG: Bad page state in process u8:5  pfn:1ab1f4
 page:ffffea0006ac7d00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x28b1de pfn:0x1ab1f4
 flags: 0x17ff80000040001(locked|reclaim|node=0|zone=2|lastcpupid=0xfff)
 raw: 017ff80000040001 dead000000000100 dead000000000122 0000000000000000
 raw: 000000000028b1de 0000000000000000 00000000ffffffff 0000000000000000
 page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set

It's an error path, so it doesn't see much testing.
Reported-by: default avatarDarrick J. Wong <djwong@kernel.org>
Fixes: a42634a6 ("readahead: Use a folio in read_pages()")
Signed-off-by: default avatarMatthew Wilcox (Oracle) <willy@infradead.org>
parent 3d9f55c5
...@@ -164,12 +164,14 @@ static void read_pages(struct readahead_control *rac) ...@@ -164,12 +164,14 @@ static void read_pages(struct readahead_control *rac)
while ((folio = readahead_folio(rac)) != NULL) { while ((folio = readahead_folio(rac)) != NULL) {
unsigned long nr = folio_nr_pages(folio); unsigned long nr = folio_nr_pages(folio);
folio_get(folio);
rac->ra->size -= nr; rac->ra->size -= nr;
if (rac->ra->async_size >= nr) { if (rac->ra->async_size >= nr) {
rac->ra->async_size -= nr; rac->ra->async_size -= nr;
filemap_remove_folio(folio); filemap_remove_folio(folio);
} }
folio_unlock(folio); folio_unlock(folio);
folio_put(folio);
} }
} else { } else {
while ((folio = readahead_folio(rac)) != NULL) while ((folio = readahead_folio(rac)) != NULL)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment