6.7-stable patches

added patches:
	mm-zswap-fix-missing-folio-cleanup-in-writeback-race-path.patch

diff --git a/queue-6.7/mm-zswap-fix-missing-folio-cleanup-in-writeback-race-path.patch b/queue-6.7/mm-zswap-fix-missing-folio-cleanup-in-writeback-race-path.patch
new file mode 100644 (file)
index 0000000..dde30fc
--- /dev/null
+++ b/queue-6.7/mm-zswap-fix-missing-folio-cleanup-in-writeback-race-path.patch
@@ -0,0 +1,48 @@
+From e3b63e966cac0bf78aaa1efede1827a252815a1d Mon Sep 17 00:00:00 2001
+From: Yosry Ahmed <yosryahmed@google.com>
+Date: Thu, 25 Jan 2024 08:51:27 +0000
+Subject: mm: zswap: fix missing folio cleanup in writeback race path
+
+From: Yosry Ahmed <yosryahmed@google.com>
+
+commit e3b63e966cac0bf78aaa1efede1827a252815a1d upstream.
+
+In zswap_writeback_entry(), after we get a folio from
+__read_swap_cache_async(), we grab the tree lock again to check that the
+swap entry was not invalidated and recycled.  If it was, we delete the
+folio we just added to the swap cache and exit.
+
+However, __read_swap_cache_async() returns the folio locked when it is
+newly allocated, which is always true for this path, and the folio is
+ref'd.  Make sure to unlock and put the folio before returning.
+
+This was discovered by code inspection, probably because this path handles
+a race condition that should not happen often, and the bug would not crash
+the system, it will only strand the folio indefinitely.
+
+Link: https://lkml.kernel.org/r/20240125085127.1327013-1-yosryahmed@google.com
+Fixes: 04fc7816089c ("mm: fix zswap writeback race condition")
+Signed-off-by: Yosry Ahmed <yosryahmed@google.com>
+Reviewed-by: Chengming Zhou <zhouchengming@bytedance.com>
+Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+Reviewed-by: Nhat Pham <nphamcs@gmail.com>
+Cc: Domenico Cerasuolo <cerasuolodomenico@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Yosry Ahmed <yosryahmed@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/zswap.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/zswap.c
++++ b/mm/zswap.c
+@@ -1105,6 +1105,8 @@ static int zswap_writeback_entry(struct
+       if (zswap_rb_search(&tree->rbroot, swp_offset(entry->swpentry)) != entry) {
+               spin_unlock(&tree->lock);
+               delete_from_swap_cache(page_folio(page));
++              unlock_page(page);
++              put_page(page);
+               ret = -ENOMEM;
+               goto fail;
+       }

diff --git a/queue-6.7/series b/queue-6.7/series
index a16b05a361c90e5431097fd461a217fa0be1a06e..fd250318dbaed92f9b8435d82d68a0f4f09003a2 100644 (file)
--- a/queue-6.7/series
+++ b/queue-6.7/series
@@ -327,3 +327,4 @@ drm-amd-display-fix-potential-null-pointer-dereferen.patch
 drm-amd-display-fix-memory-leak-in-dm_sw_fini.patch
 drm-amd-display-fix-null-pointer-dereference-on-edid.patch
 i2c-imx-when-being-a-target-mark-the-last-read-as-pr.patch
+mm-zswap-fix-missing-folio-cleanup-in-writeback-race-path.patch