On 4/18/19 11:29 AM, Sasha Levin wrote: > This commit has been processed because it contains a "Fixes:" tag, > fixing commit: 1de4fa14ee25 x86, mpx: Cleanup unused bound tables. > > The bot has tested the following trees: v5.0.8, v4.19.35, v4.14.112, v4.9.169, v4.4.178. > > v5.0.8: Build OK! > v4.19.35: Failed to apply! Possible dependencies: > dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap") I probably should have looked more closely at the state of the code before dd2283f2605e. A more correct Fixes: would probably have referred to dd2283f2605e. *It* appears to be the root cause rather than the original MPX code that I called out. The pre-dd2283f2605e code does this: > /* > * Remove the vma's, and unmap the actual pages > */ > detach_vmas_to_be_unmapped(mm, vma, prev, end); > unmap_region(mm, vma, prev, start, end); > > arch_unmap(mm, vma, start, end); > > /* Fix up all other VM information */ > remove_vma_list(mm, vma); But, this is actually safe. arch_unmap() can't see 'vma' in the rbtree because it's been detached, so it can't do anything to 'vma' that might be unsafe for remove_vma_list()'s use of 'vma'. The bug in dd2283f2605e was moving unmap_region() to the after arch_unmap(). I confirmed this by running the reproducer on v4.19.35. It did not trigger anything there, even with a bunch of debugging enabled which detected the issue in 5.0.