From: Henry Burns Date: Tue, 13 Aug 2019 22:37:21 +0000 (-0700) Subject: mm/z3fold.c: fix z3fold_destroy_pool() ordering X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=6051d3bd3b91e96c59e62b8be2dba1cc2b19ee40;p=linux.git mm/z3fold.c: fix z3fold_destroy_pool() ordering The constraint from the zpool use of z3fold_destroy_pool() is there are no outstanding handles to memory (so no active allocations), but it is possible for there to be outstanding work on either of the two wqs in the pool. If there is work queued on pool->compact_workqueue when it is called, z3fold_destroy_pool() will do: z3fold_destroy_pool() destroy_workqueue(pool->release_wq) destroy_workqueue(pool->compact_wq) drain_workqueue(pool->compact_wq) do_compact_page(zhdr) kref_put(&zhdr->refcount) __release_z3fold_page(zhdr, ...) queue_work_on(pool->release_wq, &pool->work) *BOOM* So compact_wq needs to be destroyed before release_wq. Link: http://lkml.kernel.org/r/20190726224810.79660-1-henryburns@google.com Fixes: 5d03a6613957 ("mm/z3fold.c: use kref to prevent page free/compact race") Signed-off-by: Henry Burns Reviewed-by: Shakeel Butt Reviewed-by: Jonathan Adams Cc: Vitaly Vul Cc: Vitaly Wool Cc: David Howells Cc: Thomas Gleixner Cc: Al Viro Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/mm/z3fold.c b/mm/z3fold.c index 1a029a7432ee5..43de92f529617 100644 --- a/mm/z3fold.c +++ b/mm/z3fold.c @@ -818,8 +818,15 @@ static void z3fold_destroy_pool(struct z3fold_pool *pool) { kmem_cache_destroy(pool->c_handle); z3fold_unregister_migration(pool); - destroy_workqueue(pool->release_wq); + + /* + * We need to destroy pool->compact_wq before pool->release_wq, + * as any pending work on pool->compact_wq will call + * queue_work(pool->release_wq, &pool->work). + */ + destroy_workqueue(pool->compact_wq); + destroy_workqueue(pool->release_wq); kfree(pool); }