decay_va_pool_node() can be invoked concurrently from two paths:
__purge_vmap_area_lazy() when pools are being purged, and the
shrinker via vmap_node_shrink_scan().

However, decay_va_pool_node() is not safe to run concurrently,
and the shrinker path currently lacks serialization, leading
to races and possible leaks.

Protect decay_va_pool_node() by taking vmap_purge_lock in the
shrinker path to ensure serialization with purge users.

Cc: stable@vger.kernel.org
Cc: chenyichong <chenyichong@uniontech.com>
Fixes: 7679ba6b36db ("mm: vmalloc: add a shrinker to drain vmap pools")
Signed-off-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
---
 mm/vmalloc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mm/vmalloc.c b/mm/vmalloc.c
index 61caa55a4402..676851d5cfe7 100644
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -5416,6 +5416,7 @@ vmap_node_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
 {
 	struct vmap_node *vn;
 
+	guard(mutex)(&vmap_purge_lock);
 	for_each_vmap_node(vn)
 		decay_va_pool_node(vn, true);
 
-- 
2.47.3