On Wed, Jun 17, 2015 at 01:04:14AM +0200, Oleg Nesterov wrote: > Al, please help. We are trying to backport some aio fixes and I am > absolutely confused by your b2edffdd912b "fix mremap() vs. ioctx_kill() > race". > > > Firstly, I simply can't understand what exactly it tries to fix. OK, > aio_free_ring() can race with kill and we can remap the soon-to-be-killed > ctx. So what? kill_ioctx() will the the correct (already re-mapped) > ctx->mmap_base after it drops mm->ioctx_lock.
Huh? kill_ioctx() picks ctx->mmap_base and passes it to vm_munmap(). Which tries to grab mmap_sem, blocks for mremap() from another thread and waits for it to drop mmap_sem. By that time ctx->mmap_base has nothing whatsoever to the argument we'd passed to vm_munmap(). Sure, it had been recalculated by aio_ring_remap(), but it's too late for us - we'd already fetched the old value. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
