    mm: mmu_notifier: re-fix freed page still mapped in secondary MMU · bfd7610d
    Xiao Guangrong authored
    commit d34883d4 upstream.
    
    Commit 751efd86 ("mmu_notifier_unregister NULL Pointer deref and
    multiple ->release()") breaks the fix 3ad3d901 ("mm: mmu_notifier:
    fix freed page still mapped in secondary MMU").
    
    Since hlist_for_each_entry_rcu() has changed now, we cannot revert that
    patch directly, so this patch reverts the commit and simply fixes the bug
    spotted by that patch.
    
    The bug spotted by commit 751efd86 is:
    
        There is a race condition between mmu_notifier_unregister() and
        __mmu_notifier_release().
    
        Assume two tasks, one calling mmu_notifier_unregister() as a result
        of a filp_close() ->flush() callout (task A), and the other calling
        mmu_notifier_release() from an mmput() (task B).
    
                            A                               B
        t1                                            srcu_read_lock()
        t2            if (!hlist_unhashed())
        t3                         ...
mmu_notifier.c 9.79 KB