ANDROID: Make file-backed vma teardown synchronous

When a file-backed vma is being released, the userspace can have an expectation that the vma and the file it's pinning will be released synchronously. This does not happen when SPF is enabled because vma and associated file are released asynchronously after RCU grace period. This is done to prevent pagefault handler from stepping on a deleted object. Fix this issue by synchronously waiting for RCU grace period during file-backed vma tear-down. Fixes: 48e35d053f "FROMLIST: mm: rcu safe vma->vm_file freeing" Bug: 231394031 Signed-off-by: Suren Baghdasaryan <surenb@google.com> Change-Id: I9f672d5bd947763c7d180a8c1b1f964600d407f3
2026-06-05 18:41:58 +09:00 · 2022-05-09 17:55:36 -07:00
parent cc81da9a8e
commit fe25fc5375
1 changed files with 6 additions and 2 deletions
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -402,8 +402,12 @@ void vm_area_free(struct vm_area_struct *vma)
 	free_anon_vma_name(vma);
 #ifdef CONFIG_SPECULATIVE_PAGE_FAULT
 	if (atomic_read(&vma->vm_mm->mm_users) > 1) {
-		call_rcu(&vma->vm_rcu, __vm_area_free);
-		return;
+		/* Only anonymous vmas can be torn down asynchronously */
+		if (!vma->vm_file) {
+			call_rcu(&vma->vm_rcu, __vm_area_free);
+			return;
+		}
+		synchronize_rcu();
 	}
 #endif
 	____vm_area_free(vma);