diff options
| author | Hugh Dickins <hughd@google.com> | 2011-05-14 15:06:42 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2011-05-14 15:18:55 -0400 |
| commit | 05bf86b4ccfd0f197da61c67bd372111d15a6620 (patch) | |
| tree | 23db61517fad9b68b19fdbe044fa3dbe8fc2bd19 /mm | |
| parent | afa49791caae70cc3fd665a182eea61250795265 (diff) | |
tmpfs: fix race between swapoff and writepage
Shame on me! Commit b1dea800ac39 "tmpfs: fix race between umount and
writepage" fixed the advertized race, but introduced another: as even
its comment makes clear, we cannot safely rely on a peek at list_empty()
while holding no lock - until info->swapped is set, shmem_unuse_inode()
may delete any formerly-swapped inode from the shmem_swaplist, which
in this case would leave a swap area impossible to swapoff.
Although I don't relish taking the mutex every time, I don't care much
for the alternatives either; and at least the peek at list_empty() in
shmem_evict_inode() (a hotter path since most inodes would never have
been swapped) remains safe, because we already truncated the whole file.
Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'mm')
| -rw-r--r-- | mm/shmem.c | 10 |
1 files changed, 4 insertions, 6 deletions
diff --git a/mm/shmem.c b/mm/shmem.c index 9e755c166cc5..dfc7069102ee 100644 --- a/mm/shmem.c +++ b/mm/shmem.c | |||
| @@ -1037,7 +1037,6 @@ static int shmem_writepage(struct page *page, struct writeback_control *wbc) | |||
| 1037 | struct address_space *mapping; | 1037 | struct address_space *mapping; |
| 1038 | unsigned long index; | 1038 | unsigned long index; |
| 1039 | struct inode *inode; | 1039 | struct inode *inode; |
| 1040 | bool unlock_mutex = false; | ||
| 1041 | 1040 | ||
| 1042 | BUG_ON(!PageLocked(page)); | 1041 | BUG_ON(!PageLocked(page)); |
| 1043 | mapping = page->mapping; | 1042 | mapping = page->mapping; |
| @@ -1072,15 +1071,14 @@ static int shmem_writepage(struct page *page, struct writeback_control *wbc) | |||
| 1072 | * we've taken the spinlock, because shmem_unuse_inode() will | 1071 | * we've taken the spinlock, because shmem_unuse_inode() will |
| 1073 | * prune a !swapped inode from the swaplist under both locks. | 1072 | * prune a !swapped inode from the swaplist under both locks. |
| 1074 | */ | 1073 | */ |
| 1075 | if (swap.val && list_empty(&info->swaplist)) { | 1074 | if (swap.val) { |
| 1076 | mutex_lock(&shmem_swaplist_mutex); | 1075 | mutex_lock(&shmem_swaplist_mutex); |
| 1077 | /* move instead of add in case we're racing */ | 1076 | if (list_empty(&info->swaplist)) |
| 1078 | list_move_tail(&info->swaplist, &shmem_swaplist); | 1077 | list_add_tail(&info->swaplist, &shmem_swaplist); |
| 1079 | unlock_mutex = true; | ||
| 1080 | } | 1078 | } |
| 1081 | 1079 | ||
| 1082 | spin_lock(&info->lock); | 1080 | spin_lock(&info->lock); |
| 1083 | if (unlock_mutex) | 1081 | if (swap.val) |
| 1084 | mutex_unlock(&shmem_swaplist_mutex); | 1082 | mutex_unlock(&shmem_swaplist_mutex); |
| 1085 | 1083 | ||
| 1086 | if (index >= info->next_index) { | 1084 | if (index >= info->next_index) { |