Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> writes:
> On Thu, 21 Apr 2022 09:21:06 +1000 Alistair Popple <apopple@xxxxxxxxxx> wrote:
>
>> >> As the wait_event() condition is true it will return immediately. This
>> >> can lead to use-after-free type errors if the caller frees the data
>> >> structure containing the interval notifier subscription while it is
>> >> still on a deferred list. Fix this by taking the appropriate lock when
>> >> reading invalidate_seq to ensure proper synchronisation.
>> >>
>> >> ...
>> >>
>> >> Fixes: 99cb252f5e68 ("mm/mmu_notifier: add an interval tree notifier")
>> >
>> > Do you think fix this should be backported into older kernels?
>>
>> Yes, I forgot to cc stable sorry.
>
> So we have actually seen these use-after-free errors?
I observed them whilst running stress testing during some development. You do
have to be pretty unlucky, but it lead to the usual problems of use-after-free
(memory corruption, kernel crash, difficult to diagnose WARN_ON, etc) so I think
it's worth backporting.
> Some description of the end-user visible impact is always helpful when
> deciding which trees need a patch.
>
>> Do you want me to resend with
>> 'Cc: stable@xxxxxxxxxxxxxxx'?
>
> Thanks, I added that.
Thanks.
