field | value | date
---|---|---
author | Robin Holt <[email protected]> | 2013-02-22 16:35:34 -0800
committer | Linus Torvalds <[email protected]> | 2013-02-23 17:50:21 -0800
commit | 751efd8610d3d7d67b7bdf7f62646edea7365dd7 (patch) |
tree | 1703264d0c128a5d2e602b389cce35de88c06039 /drivers/scsi/mpt3sas/mpi/mpi2_raid.h |
parent | c1f19495277c34b01fe1ac9f781bbeefafaa0d02 (diff) |
mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts
There is a race condition between mmu_notifier_unregister() and
__mmu_notifier_release().
Assume two tasks, one calling mmu_notifier_unregister() as a result of a
filp_close() ->flush() callout (task A), and the other calling
mmu_notifier_release() from an mmput() (task B).
        A                               B
t1                                      srcu_read_lock()
t2      if (!hlist_unhashed())
t3                                      srcu_read_unlock()
t4      srcu_read_lock()
t5                                      hlist_del_init_rcu()
t6                                      synchronize_srcu()
t7      srcu_read_unlock()
t8      hlist_del_rcu()  <--- NULL pointer deref.
Additionally, the list traversal in __mmu_notifier_release() is not
protected by the mmu_notifier_mm->hlist_lock, which can result in
callouts to the ->release() notifier from both mmu_notifier_unregister()
and __mmu_notifier_release().
-stable suggestions:
The stable trees prior to 3.7.y need commits 21a92735f660 and
70400303ce0c cherry-picked in that order prior to cherry-picking this
commit. The 3.7.y tree already has those two commits.
Signed-off-by: Robin Holt <[email protected]>
Cc: Andrea Arcangeli <[email protected]>
Cc: Wanpeng Li <[email protected]>
Cc: Xiao Guangrong <[email protected]>
Cc: Avi Kivity <[email protected]>
Cc: Hugh Dickins <[email protected]>
Cc: Marcelo Tosatti <[email protected]>
Cc: Sagi Grimberg <[email protected]>
Cc: Haggai Eran <[email protected]>
Cc: <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Diffstat (limited to 'drivers/scsi/mpt3sas/mpi/mpi2_raid.h')
0 files changed, 0 insertions, 0 deletions