Eric Dumazet wrote:
> Peter Staubach wrote:
>
>> --- linux-2.6.16.i686/mm/msync.c.org
>> +++ linux-2.6.16.i686/mm/msync.c
>> @@ -206,12 +206,16 @@ asmlinkage long sys_msync(unsigned long
>> file = vma->vm_file;
>> start = vma->vm_end;
>> if ((flags & MS_ASYNC) && file && nr_pages_dirtied) {
>> + struct address_space *mapping = file->f_mapping;
>> +
>> get_file(file);
>> up_read(¤t->mm->mmap_sem);
>> - balance_dirty_pages_ratelimited_nr(file->f_mapping,
>> + balance_dirty_pages_ratelimited_nr(mapping,
>> nr_pages_dirtied);
>> fput(file);
>
>
> , another thread can perform an munmap(), and the file can be
> totally dismantled.
>
>> down_read(¤t->mm->mmap_sem);
>
>
> So referencing 'mapping' is *buggy* here.
> I believe that you have to move 'fput(file);' *after* the following
> two lines.
>
>> + if (test_and_clear_bit(AS_MCTIME, &mapping->flags))
>> + inode_update_time(mapping->host);
>> vma = find_vma(current->mm, start);
>> } else if ((flags & MS_SYNC) && file &&
>> (vma->vm_flags & VM_SHARED)) {
>
>
>
> Eric

Yes, sorry, you mentioned that before and I meant to address that. I almost reordered those operations originally because I think that it is cleaner when acquires and releases are done in the opposite order. However, I was also trying to change as little as possible too. Anyway, attached is an updated patch.

Thanx...

ps

Signed-off-by: Peter Staubach
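Review bot: in the MS_ASYNC hunk the two added lines `if (test_and_clear_bit(AS_MCTIME, &mapping->flags))` and `inode_update_time(mapping->host);` dereference `mapping` after `fput(file);` has already dropped the reference taken by `get_file(file)`, and after `mmap_sem` was released and re-taken, so at that point nothing pins the address_space; the following `vma = find_vma(current->mm, start);` only revalidates the vma, not `mapping`. Move `fput(file);` to just below `inode_update_time(mapping->host);` (after the `down_read`) so the file reference covers every use of `mapping`, which is also the reverse-order release the reply describes. The reply says an updated patch is attached, but it is not shown on this page, so the visible hunk still carries the original ordering.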