From fe25fc53752307faeb8ebb382ef6cb8d2728cf90 Mon Sep 17 00:00:00 2001 From: Suren Baghdasaryan Date: Mon, 9 May 2022 17:55:36 -0700 Subject: [PATCH] ANDROID: Make file-backed vma teardown synchronous When a file-backed vma is being released, the userspace can have an expectation that the vma and the file it's pinning will be released synchronously. This does not happen when SPF is enabled because vma and associated file are released asynchronously after RCU grace period. This is done to prevent pagefault handler from stepping on a deleted object. Fix this issue by synchronously waiting for RCU grace period during file-backed vma tear-down. Fixes: 48e35d053f92 "FROMLIST: mm: rcu safe vma->vm_file freeing" Bug: 231394031 Signed-off-by: Suren Baghdasaryan Change-Id: I9f672d5bd947763c7d180a8c1b1f964600d407f3 --- kernel/fork.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/kernel/fork.c b/kernel/fork.c index 2c92ccbfe449..a897ae226475 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -402,8 +402,12 @@ void vm_area_free(struct vm_area_struct *vma) free_anon_vma_name(vma); #ifdef CONFIG_SPECULATIVE_PAGE_FAULT if (atomic_read(&vma->vm_mm->mm_users) > 1) { - call_rcu(&vma->vm_rcu, __vm_area_free); - return; + /* Only anonymous vmas can be torn down asynchronously */ + if (!vma->vm_file) { + call_rcu(&vma->vm_rcu, __vm_area_free); + return; + } + synchronize_rcu(); } #endif ____vm_area_free(vma);
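Review bot: the new synchronize_rcu() in vm_area_free() is a blocking wait for a full grace period, taken once per file-backed vma, and nothing in the hunk or the commit message states the calling-context requirement that introduces: vm_area_free() now must be reachable only from a sleepable context, never under a spinlock, an rcu_read_lock() section or with preemption disabled, whenever CONFIG_SPECULATIVE_PAGE_FAULT is on and mm_users > 1. Please document that in a comment next to the call and, since a munmap of a range containing N file-backed vmas will now serialize N grace-period waits in the unmap path (which may still be holding mmap_lock), consider whether one wait per batch of released vmas, or keeping the vma struct on the call_rcu() path while only the vm_file drop is made synchronous, would meet the userspace expectation at lower cost. Also, the comment "Only anonymous vmas can be torn down asynchronously" overstates what `if (!vma->vm_file)` tests: special and driver mappings with no vm_file take the asynchronous branch too, so "vmas with no vm_file" would be the accurate wording.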