On Mon, May 02, 2016 at 04:15:38PM +0200, Oleg Nesterov wrote:
> I am sure I missed the problem, but...
>
> On 05/02, Kirill A. Shutemov wrote:
> >
> > Quick look around:
> >
> > - I don't see any check page_count() around __replace_page() in uprobes,
> > so it can easily replace a pinned page.
>
> Why should it? Even if it races with get_user_pages_fast()... this doesn't
> differ from the case when an application writes to a MAP_PRIVATE non-anonymous
> region, no? <I know nothing about uprobes or ptrace in general>

I think the difference is that the write is initiated by the process itself,
but IIUC __replace_page() can be initiated by another process, so it's out of
the application's control.

So we have pages pinned by a driver and the driver expects the pinned pages to
be mapped into userspace, then __replace_page() kicks in and puts a different
page there -- the driver's expectation is broken.

-- 
 Kirill A. Shutemov