On Fri, Dec 20, 2013 at 04:45:38AM +0900, Linus Torvalds wrote:
> On Fri, Dec 20, 2013 at 4:26 AM, Benjamin LaHaise <bcrl@xxxxxxxxx> wrote:
> >
> > Okay, I'll rewrite it to use truncate to free the pages.
>
> It already does that in put_aio_ring_file() afaik. No?

Yes, that's what I found when I started looking into this in detail again.
I think the page reference counting is actually correct. There are 2
references on each page: the first is from the find_or_create_page() call,
and the second is from the get_user_pages() (which also makes sure the page
is populated into the page tables). The only place I can see things going
off the rails is if the get_user_pages() call fails. It's possible trinity
could be arranging things so that the get_user_pages() call is failing
somehow.

Also, if it were a double free of a page, we should at least get a VM_BUG()
occurring when the page's count is 0. Dave -- do you have CONFIG_DEBUG_VM on
in your test rig?

> Linus

--
"Thought is the essence of where you are now."