On 4/18/19 11:29 AM, Sasha Levin wrote:
> This commit has been processed because it contains a "Fixes:" tag,
> fixing commit: 1de4fa14ee25 x86, mpx: Cleanup unused bound tables.
>
> The bot has tested the following trees: v5.0.8, v4.19.35, v4.14.112, v4.9.169, v4.4.178.
>
> v5.0.8: Build OK!
> v4.19.35: Failed to apply! Possible dependencies:
> dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap")
I probably should have looked more closely at the state of the code
before dd2283f2605e. A more correct Fixes: would probably have referred
to dd2283f2605e. *It* appears to be the root cause rather than the
original MPX code that I called out.
The pre-dd2283f2605e code does this:
> /*
> * Remove the vma's, and unmap the actual pages
> */
> detach_vmas_to_be_unmapped(mm, vma, prev, end);
> unmap_region(mm, vma, prev, start, end);
>
> arch_unmap(mm, vma, start, end);
>
> /* Fix up all other VM information */
> remove_vma_list(mm, vma);
But, this is actually safe. arch_unmap() can't see 'vma' in the rbtree
because it's been detached, so it can't do anything to 'vma' that might
be unsafe for remove_vma_list()'s use of 'vma'.
The bug in dd2283f2605e was moving unmap_region() to the after arch_unmap().
I confirmed this by running the reproducer on v4.19.35. It did not
trigger anything there, even with a bunch of debugging enabled which
detected the issue in 5.0.
