Date: Wed, 17 Jun 2015 01:50:12 +0100
From: Al Viro
To: Oleg Nesterov
Cc: Andrew Morton, Benjamin LaHaise, Jeff Moyer, linux-aio@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 0/3] aio: ctx->dead cleanups
Message-ID: <20150617005012.GD17109@ZenIV.linux.org.uk>
References: <20150616230414.GA15776@redhat.com> <20150617003906.GC17109@ZenIV.linux.org.uk>
In-Reply-To: <20150617003906.GC17109@ZenIV.linux.org.uk>

On Wed, Jun 17, 2015 at 01:39:06AM +0100, Al Viro wrote:

> Huh? kill_ioctx() picks ctx->mmap_base and passes it to vm_munmap().
> Which tries to grab mmap_sem, blocks for mremap() from another thread
> and waits for it to drop mmap_sem. By that time ctx->mmap_base has
> nothing whatsoever to the argument we'd passed to vm_munmap(). Sure,
> it had been recalculated by aio_ring_remap(), but it's too late for
> us - we'd already fetched the old value.

And yes, the leak you've spotted is real, but I would very much prefer to avoid that goto - something like this instead:

diff --git a/mm/mremap.c b/mm/mremap.c index 034e2d3..b36b530 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -291,7 +291,10 @@ static unsigned long move_vma(struct vm_area_struct *vma, if (err < 0) { move_page_tables(new_vma, new_addr, vma, old_addr, moved_len, true); - return err; + vma = new_vma; + old_len = new_len; + old_addr = new_addr; + new_addr = err; } }
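Review bot: in the `if (err < 0)` branch of move_vma(), `new_addr = err;` stores a negative error code in a variable that otherwise holds a mapping address, inside a function declared to return unsigned long, and nothing in the hunk says why. With `return err;` removed, the error reaches the caller only if the code after this block returns new_addr unchanged, and the reassigned vma, old_len and old_addr are what that later code will operate on. A short comment above the four assignments stating the intent (treat new_vma as the mapping to tear down and carry the error out in new_addr) would make this reviewable, and it is worth confirming that no statement after this block uses new_addr as an address before it is returned.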