swap_readpage() sets waiter = bio->bi_private even if synchronous = F,
this means that the caller can get the spurious wakeup after return. This
can be fatal if blk_wake_io_task() does set_current_state(TASK_RUNNING)
after the caller does set_special_state(), in the worst case the kernel
can crash in do_task_dead().

Reported-by: Qian Cai <[email protected]>
Acked-by: Hugh Dickins <[email protected]>
Reviewed-by: Jens Axboe <[email protected]>
Signed-off-by: Oleg Nesterov <[email protected]>
---
 mm/page_io.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/mm/page_io.c b/mm/page_io.c
index 2e8019d..3098895 100644
--- a/mm/page_io.c
+++ b/mm/page_io.c
@@ -140,8 +140,10 @@ static void end_swap_bio_read(struct bio *bio)
        unlock_page(page);
        WRITE_ONCE(bio->bi_private, NULL);
        bio_put(bio);
-       blk_wake_io_task(waiter);
-       put_task_struct(waiter);
+       if (waiter) {
+               blk_wake_io_task(waiter);
+               put_task_struct(waiter);
+       }
 }
 
 int generic_swapfile_activate(struct swap_info_struct *sis,
@@ -398,11 +400,12 @@ int swap_readpage(struct page *page, bool synchronous)
         * Keep this task valid during swap readpage because the oom killer may
         * attempt to access it in the page fault retry time check.
         */
-       get_task_struct(current);
-       bio->bi_private = current;
        bio_set_op_attrs(bio, REQ_OP_READ, 0);
-       if (synchronous)
+       if (synchronous) {
                bio->bi_opf |= REQ_HIPRI;
+               get_task_struct(current);
+               bio->bi_private = current;
+       }
        count_vm_event(PSWPIN);
        bio_get(bio);
        qc = submit_bio(bio);
-- 
2.5.0


Reply via email to