On Sat, Mar 02, 2019 at 08:27:44AM -0800, Todd Kjos wrote:
> On Fri, Mar 1, 2019 at 11:57 PM Greg KH wrote:
> >
> > On Fri, Mar 01, 2019 at 03:06:06PM -0800, Todd Kjos wrote:
> > > An munmap() on a binder device causes binder_vma_close() to be called
> > > which clears the alloc->vma pointer.
> >
On Fri, Mar 01, 2019 at 03:06:06PM -0800, Todd Kjos wrote:
> An munmap() on a binder device causes binder_vma_close() to be called
> which clears the alloc->vma pointer.
>
> If direct reclaim causes binder_alloc_free_page() to be called, there
> is a race where alloc->vma is read into a local vma
An munmap() on a binder device causes binder_vma_close() to be called
which clears the alloc->vma pointer.
If direct reclaim causes binder_alloc_free_page() to be called, there
is a race where alloc->vma is read into a local vma pointer and then
used later after the mm->mmap_sem is acquired. This
