On Tue, Aug 20, 2019 at 06:02:38PM +0200, Oleg Nesterov wrote:
> userfaultfd_release() should clear vm_flags/vm_userfaultfd_ctx even
> if mm->core_state != NULL.
>
> Otherwise a page fault can see userfaultfd_missing() == T and use an
> already freed userfaultfd_ctx.
>
> Reported-by: Kefeng Wang <wangkefeng.wang@xxxxxxxxxx>
> Fixes: 04f5866e41fb ("coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Oleg Nesterov <oleg@xxxxxxxxxx>
> ---
> fs/userfaultfd.c | 25 +++++++++++++------------
> 1 file changed, 13 insertions(+), 12 deletions(-)

Reviewed-by: Andrea Arcangeli <aarcange@xxxxxxxxxx>

Thanks,
Andrea