1 files changed, 23 insertions, 22 deletions
diff --git a/mm/mmu_notifier.c b/mm/mmu_notifier.c
index 9a611d3a184..862b60822d9 100644
--- a/mm/mmu_notifier.c
+++ b/mm/mmu_notifier.c
@@ -33,6 +33,24 @@
 void __mmu_notifier_release(struct mm_struct *mm)
 {
        struct mmu_notifier *mn;
+        struct hlist_node *n;
+        /*
+         * RCU here will block mmu_notifier_unregister until
+         * ->release returns.
+         */
+        rcu_read_lock();
+        hlist_for_each_entry_rcu(mn, n, &mm->mmu_notifier_mm->list, hlist)
+                /*
+                 * if ->release runs before mmu_notifier_unregister it
+                 * must be handled as it's the only way for the driver
+                 * to flush all existing sptes and stop the driver
+                 * from establishing any more sptes before all the
+                 * pages in the mm are freed.
+                 */
+                if (mn->ops->release)
+                        mn->ops->release(mn, mm);
+        rcu_read_unlock();
        spin_lock(&mm->mmu_notifier_mm->lock);
        while (unlikely(!hlist_empty(&mm->mmu_notifier_mm->list))) {
@@ -46,23 +64,6 @@ void __mmu_notifier_release(struct mm_struct *mm)
                 * mmu_notifier_unregister to return.
                 */
                hlist_del_init_rcu(&mn->hlist);
-                /*
-                 * RCU here will block mmu_notifier_unregister until
-                 * ->release returns.
-                 */
-                rcu_read_lock();
-                spin_unlock(&mm->mmu_notifier_mm->lock);
-                /*
-                 * if ->release runs before mmu_notifier_unregister it
-                 * must be handled as it's the only way for the driver
-                 * to flush all existing sptes and stop the driver
-                 * from establishing any more sptes before all the
-                 * pages in the mm are freed.
-                 */
-                if (mn->ops->release)
-                        mn->ops->release(mn, mm);
-                rcu_read_unlock();
-                spin_lock(&mm->mmu_notifier_mm->lock);
        }
        spin_unlock(&mm->mmu_notifier_mm->lock);
@@ -284,16 +285,13 @@ void mmu_notifier_unregister(struct mmu_notifier *mn, struct mm_struct *mm)
 {
        BUG_ON(atomic_read(&mm->mm_count) <= 0);
-        spin_lock(&mm->mmu_notifier_mm->lock);
        if (!hlist_unhashed(&mn->hlist)) {
-                hlist_del_rcu(&mn->hlist);
                /*
                 * RCU here will force exit_mmap to wait ->release to finish
                 * before freeing the pages.
                 */
                rcu_read_lock();
-                spin_unlock(&mm->mmu_notifier_mm->lock);
                /*
                 * exit_mmap will block in mmu_notifier_release to
                 * guarantee ->release is called before freeing the
@@ -302,8 +300,11 @@ void mmu_notifier_unregister(struct mmu_notifier *mn, struct mm_struct *mm)
                if (mn->ops->release)
                        mn->ops->release(mn, mm);
                rcu_read_unlock();
-        } else
+                spin_lock(&mm->mmu_notifier_mm->lock);
+                hlist_del_rcu(&mn->hlist);
                spin_unlock(&mm->mmu_notifier_mm->lock);
+        }
        /*
         * Wait any running method to finish, of course including

diff --git a/mm/mmu_notifier.c b/mm/mmu_notifier.c index 9a611d3a184..862b60822d9 100644 --- a/mm/mmu_notifier.c +++ b/mm/mmu_notifier.c
@@ -33,6 +33,24 @@
33	void __mmu_notifier_release(struct mm_struct *mm)	33	void __mmu_notifier_release(struct mm_struct *mm)
34	{	34	{
35	struct mmu_notifier *mn;	35	struct mmu_notifier *mn;
		36	struct hlist_node *n;
		37
		38	/*
		39	* RCU here will block mmu_notifier_unregister until
		40	* ->release returns.
		41	*/
		42	rcu_read_lock();
		43	hlist_for_each_entry_rcu(mn, n, &mm->mmu_notifier_mm->list, hlist)
		44	/*
		45	* if ->release runs before mmu_notifier_unregister it
		46	* must be handled as it's the only way for the driver
		47	* to flush all existing sptes and stop the driver
		48	* from establishing any more sptes before all the
		49	* pages in the mm are freed.
		50	*/
		51	if (mn->ops->release)
		52	mn->ops->release(mn, mm);
		53	rcu_read_unlock();
36		54
37	spin_lock(&mm->mmu_notifier_mm->lock);	55	spin_lock(&mm->mmu_notifier_mm->lock);
38	while (unlikely(!hlist_empty(&mm->mmu_notifier_mm->list))) {	56	while (unlikely(!hlist_empty(&mm->mmu_notifier_mm->list))) {
@@ -46,23 +64,6 @@ void __mmu_notifier_release(struct mm_struct *mm)
46	* mmu_notifier_unregister to return.	64	* mmu_notifier_unregister to return.
47	*/	65	*/
48	hlist_del_init_rcu(&mn->hlist);	66	hlist_del_init_rcu(&mn->hlist);
49	/*
50	* RCU here will block mmu_notifier_unregister until
51	* ->release returns.
52	*/
53	rcu_read_lock();
54	spin_unlock(&mm->mmu_notifier_mm->lock);
55	/*
56	* if ->release runs before mmu_notifier_unregister it
57	* must be handled as it's the only way for the driver
58	* to flush all existing sptes and stop the driver
59	* from establishing any more sptes before all the
60	* pages in the mm are freed.
61	*/
62	if (mn->ops->release)
63	mn->ops->release(mn, mm);
64	rcu_read_unlock();
65	spin_lock(&mm->mmu_notifier_mm->lock);
66	}	67	}
67	spin_unlock(&mm->mmu_notifier_mm->lock);	68	spin_unlock(&mm->mmu_notifier_mm->lock);
68		69
@@ -284,16 +285,13 @@ void mmu_notifier_unregister(struct mmu_notifier mn, struct mm_struct mm)
284	{	285	{
285	BUG_ON(atomic_read(&mm->mm_count) <= 0);	286	BUG_ON(atomic_read(&mm->mm_count) <= 0);
286		287
287	spin_lock(&mm->mmu_notifier_mm->lock);
288	if (!hlist_unhashed(&mn->hlist)) {	288	if (!hlist_unhashed(&mn->hlist)) {
289	hlist_del_rcu(&mn->hlist);
290
291	/*	289	/*
292	* RCU here will force exit_mmap to wait ->release to finish	290	* RCU here will force exit_mmap to wait ->release to finish
293	* before freeing the pages.	291	* before freeing the pages.
294	*/	292	*/
295	rcu_read_lock();	293	rcu_read_lock();
296	spin_unlock(&mm->mmu_notifier_mm->lock);	294
297	/*	295	/*
298	* exit_mmap will block in mmu_notifier_release to	296	* exit_mmap will block in mmu_notifier_release to
299	* guarantee ->release is called before freeing the	297	* guarantee ->release is called before freeing the
@@ -302,8 +300,11 @@ void mmu_notifier_unregister(struct mmu_notifier mn, struct mm_struct mm)
302	if (mn->ops->release)	300	if (mn->ops->release)
303	mn->ops->release(mn, mm);	301	mn->ops->release(mn, mm);
304	rcu_read_unlock();	302	rcu_read_unlock();
305	} else	303
		304	spin_lock(&mm->mmu_notifier_mm->lock);
		305	hlist_del_rcu(&mn->hlist);
306	spin_unlock(&mm->mmu_notifier_mm->lock);	306	spin_unlock(&mm->mmu_notifier_mm->lock);
		307	}
307		308
308	/*	309	/*
309	* Wait any running method to finish, of course including	310	* Wait any running method to finish, of course including