7e934cf5ac
xas_for_each_marked() is using entry == NULL as a termination condition
of the iteration. When xas_for_each_marked() is used protected only by
RCU, this can however race with xas_store(xas, NULL) in the following
way:
TASK1 TASK2
page_cache_delete() find_get_pages_range_tag()
xas_for_each_marked()
xas_find_marked()
off = xas_find_chunk()
xas_store(&xas, NULL)
xas_init_marks(&xas);
...
rcu_assign_pointer(*slot, NULL);
entry = xa_entry(off);
And thus xas_for_each_marked() terminates prematurely possibly leading
to missed entries in the iteration (translating to missing writeback of
some pages or a similar problem).
If we find a NULL entry that has been marked, skip it (unless we're trying
to allocate an entry).
Reported-by: Jan Kara <jack@suse.cz>
CC: stable@vger.kernel.org
Fixes: ef8e5717db
("page cache: Convert delete_batch to XArray")
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
64 lines
2.4 KiB
C
64 lines
2.4 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#include <linux/gfp.h>
|
|
#include <linux/types.h>
|
|
#include <linux/radix-tree.h>
|
|
#include <linux/rcupdate.h>
|
|
|
|
struct item {
|
|
struct rcu_head rcu_head;
|
|
unsigned long index;
|
|
unsigned int order;
|
|
};
|
|
|
|
struct item *item_create(unsigned long index, unsigned int order);
|
|
int item_insert(struct radix_tree_root *root, unsigned long index);
|
|
void item_sanity(struct item *item, unsigned long index);
|
|
void item_free(struct item *item, unsigned long index);
|
|
int item_delete(struct radix_tree_root *root, unsigned long index);
|
|
int item_delete_rcu(struct xarray *xa, unsigned long index);
|
|
struct item *item_lookup(struct radix_tree_root *root, unsigned long index);
|
|
|
|
void item_check_present(struct radix_tree_root *root, unsigned long index);
|
|
void item_check_absent(struct radix_tree_root *root, unsigned long index);
|
|
void item_gang_check_present(struct radix_tree_root *root,
|
|
unsigned long start, unsigned long nr,
|
|
int chunk, int hop);
|
|
void item_full_scan(struct radix_tree_root *root, unsigned long start,
|
|
unsigned long nr, int chunk);
|
|
void item_kill_tree(struct radix_tree_root *root);
|
|
|
|
int tag_tagged_items(struct xarray *, unsigned long start, unsigned long end,
|
|
unsigned batch, xa_mark_t iftag, xa_mark_t thentag);
|
|
|
|
void xarray_tests(void);
|
|
void tag_check(void);
|
|
void multiorder_checks(void);
|
|
void iteration_test(unsigned order, unsigned duration);
|
|
void iteration_test2(unsigned duration);
|
|
void benchmark(void);
|
|
void idr_checks(void);
|
|
void ida_tests(void);
|
|
|
|
struct item *
|
|
item_tag_set(struct radix_tree_root *root, unsigned long index, int tag);
|
|
struct item *
|
|
item_tag_clear(struct radix_tree_root *root, unsigned long index, int tag);
|
|
int item_tag_get(struct radix_tree_root *root, unsigned long index, int tag);
|
|
void tree_verify_min_height(struct radix_tree_root *root, int maxindex);
|
|
void verify_tag_consistency(struct radix_tree_root *root, unsigned int tag);
|
|
|
|
extern int nr_allocated;
|
|
|
|
/* Normally private parts of lib/radix-tree.c */
|
|
struct radix_tree_node *entry_to_node(void *ptr);
|
|
void radix_tree_dump(struct radix_tree_root *root);
|
|
int root_tag_get(struct radix_tree_root *root, unsigned int tag);
|
|
unsigned long node_maxindex(struct radix_tree_node *);
|
|
unsigned long shift_maxindex(unsigned int shift);
|
|
int radix_tree_cpu_dead(unsigned int cpu);
|
|
struct radix_tree_preload {
|
|
unsigned nr;
|
|
struct radix_tree_node *nodes;
|
|
};
|
|
extern struct radix_tree_preload radix_tree_preloads;
|