| Field | Value |
|---|---|
| Message ID | 20230304193949.296391-2-sj@kernel.org (mailing list archive) |
| State | New |
| Series | mm/damon/paddr: Fix folio-use-after-put bugs |
On Sat, Mar 04, 2023 at 07:39:48PM +0000, SeongJae Park wrote:
> damon_pa_young() is accessing a folio via folio_size() after folio_put()
> for the folio has invoked. Fix it.
>
> Fixes: 397b0c3a584b ("mm/damon/paddr: remove folio_sz field from damon_pa_access_chk_result")
> Cc: <stable@vger.kernel.org> # 6.3.x
> Signed-off-by: SeongJae Park <sj@kernel.org>

Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
On 2023/3/5 3:39, SeongJae Park wrote: > damon_pa_young() is accessing a folio via folio_size() after folio_put() > for the folio has invoked. Fix it. > Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com> > Fixes: 397b0c3a584b ("mm/damon/paddr: remove folio_sz field from damon_pa_access_chk_result") > Cc: <stable@vger.kernel.org> # 6.3.x > Signed-off-by: SeongJae Park <sj@kernel.org> > --- > mm/damon/paddr.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/mm/damon/paddr.c b/mm/damon/paddr.c > index 3fda00a0f786..10f159b315ea 100644 > --- a/mm/damon/paddr.c > +++ b/mm/damon/paddr.c > @@ -130,7 +130,6 @@ static bool damon_pa_young(unsigned long paddr, unsigned long *folio_sz) > accessed = false; > else > accessed = true; > - folio_put(folio); > goto out; > } > > @@ -144,10 +143,10 @@ static bool damon_pa_young(unsigned long paddr, unsigned long *folio_sz) > > if (need_lock) > folio_unlock(folio); > - folio_put(folio); > > out: > *folio_sz = folio_size(folio); > + folio_put(folio); > return accessed; > } >
diff --git a/mm/damon/paddr.c b/mm/damon/paddr.c index 3fda00a0f786..10f159b315ea 100644 --- a/mm/damon/paddr.c +++ b/mm/damon/paddr.c @@ -130,7 +130,6 @@ static bool damon_pa_young(unsigned long paddr, unsigned long *folio_sz) accessed = false; else accessed = true; - folio_put(folio); goto out; } @@ -144,10 +143,10 @@ static bool damon_pa_young(unsigned long paddr, unsigned long *folio_sz) if (need_lock) folio_unlock(folio); - folio_put(folio); out: *folio_sz = folio_size(folio); + folio_put(folio); return accessed; }
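Review bot: In the first hunk (@@ -130,7 +130,6 @@), dropping folio_put(folio) before the `goto out` means this early-exit path now depends on the release at the `out:` label, and that balance is no longer visible within the hunk itself; suggest the commit message state explicitly that both paths into `out:` now arrive with the reference held and that `out:` is the single release point, so a future reader does not re-add a put here and double-drop the reference.

Review bot: In the second hunk (@@ -144,10 +143,10 @@), placing folio_put(folio) after `*folio_sz = folio_size(folio);` is the right ordering for the use-after-put, but the remaining `folio_unlock(folio);` immediately above the `out:` label makes it easy to reintroduce a put in the unlock path later; suggest a short comment above `out:` such as `/* folio_size() must be read before the reference is dropped */` so the ordering is visibly intentional.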
damon_pa_young() is accessing a folio via folio_size() after folio_put()
for the folio has been invoked. Fix it.

Fixes: 397b0c3a584b ("mm/damon/paddr: remove folio_sz field from damon_pa_access_chk_result")
Cc: <stable@vger.kernel.org> # 6.3.x
Signed-off-by: SeongJae Park <sj@kernel.org>
---
 mm/damon/paddr.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)