Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> writes:

> On Thu, 21 Apr 2022 09:21:06 +1000 Alistair Popple <apopple@xxxxxxxxxx> wrote:
>
>> >> As the wait_event() condition is true it will return immediately. This
>> >> can lead to use-after-free type errors if the caller frees the data
>> >> structure containing the interval notifier subscription while it is
>> >> still on a deferred list. Fix this by taking the appropriate lock when
>> >> reading invalidate_seq to ensure proper synchronisation.
>> >>
>> >> ...
>> >>
>> >> Fixes: 99cb252f5e68 ("mm/mmu_notifier: add an interval tree notifier")
>> >
>> > Do you think this fix should be backported into older kernels?
>>
>> Yes, I forgot to cc stable, sorry.
>
> So we have actually seen these use-after-free errors?

I observed them whilst running stress testing during some development. You do have to be pretty unlucky, but it led to the usual problems of use-after-free (memory corruption, kernel crash, difficult-to-diagnose WARN_ON, etc.), so I think it's worth backporting.

> Some description of the end-user visible impact is always helpful when
> deciding which trees need a patch.
>
>> Do you want me to resend with
>> 'Cc: stable@xxxxxxxxxxxxxxx'?
>
> Thanks, I added that.

Thanks.