mremap aio ring buffer to another smaller vma is legal. For example, mremap the ring buffer from the beginning, though after the mremap, some ring buffer pages can't be accessed in userspace because the vma size is shrunk. The problem is ctx->mmap_size isn't changed if the new ring buffer vma size is changed. Later io_destroy will zap all vmas within mmap_size, which might zap unrelated vmas.

Cc: Benjamin LaHaise <bcrl@xxxxxxxxx>
Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Shaohua Li <shli@xxxxxx>
---
 fs/aio.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/aio.c b/fs/aio.c
index 1b7893e..fa354cf 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -306,6 +306,7 @@ static void aio_ring_remap(struct file *file, struct vm_area_struct *vma)
 ctx = table->table[i];
 if (ctx && ctx->aio_ring_file == file) {
 ctx->user_id = ctx->mmap_base = vma->vm_start;
+ ctx->mmap_size = vma->vm_end - vma->vm_start;
 break;
 }
 }
-- 
1.8.1
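Review bot: the added mmap_size assignment has no comment saying why the size must follow the remapped vma, and the commit message does not say whether a shrink that never moves the vma reaches this hook at all. A reader of aio_ring_remap now sees user_id, mmap_base and mmap_size all refreshed from the vma, but nothing in the function tells them that io_destroy later unmaps mmap_size bytes starting at mmap_base, which is the only reason a stale size after a shrinking mremap can take out unrelated vmas; a one-line comment above `+ ctx->mmap_size = vma->vm_end - vma->vm_start;` along the lines of `/* io_destroy unmaps [mmap_base, mmap_base + mmap_size); keep the size in step with the vma */` would carry that from the changelog into the code. Since the patch only touches the remap hook, it also only helps when the hook runs: if an in-place shrink (mremap to a smaller length without a move) or a partial munmap of the ring does not call aio_ring_remap, those paths leave mmap_size stale in exactly the way described, so the commit message should either state that they cannot occur or the fix should cover them too.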
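A userspace regression probe for the scenario the commit message describes, added here as an example; it is not part of the patch and not Shaohua Li's code. It uses raw syscalls (io_setup, mremap, io_destroy) so it needs no libaio, reads the ring's vma length from /proc/self/maps, and assumes a Linux box on which io_setup is permitted; the PROBE_* codes, the function names and the 1024-event ring size are choices made for this example. It moves the ring with MREMAP_FIXED into a reserved area keeping only its first page, maps an unrelated writable page directly behind it inside the old ring length, then calls io_destroy with the new address (the remap hook makes vma->vm_start the context id, as the line above the added one shows) and reports whether the neighbouring page survived.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/syscall.h>

/* Linux ABI values, in case the feature macros hide them in <sys/mman.h>. */
#ifndef MREMAP_MAYMOVE
#define MREMAP_MAYMOVE 1
#endif
#ifndef MREMAP_FIXED
#define MREMAP_FIXED 2
#endif

/* Result codes chosen for this example. */
enum { PROBE_SKIPPED = -1, PROBE_INTACT = 0, PROBE_ZAPPED = 1 };

/* Length of the vma that starts exactly at 'start', from /proc/self/maps (0 if none). */
static size_t vma_len_at(unsigned long start)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    size_t len = 0;

    if (!f)
        return 0;
    while (fgets(line, sizeof line, f)) {
        unsigned long s, e;
        if (sscanf(line, "%lx-%lx", &s, &e) == 2 && s == start) {
            len = e - s;
            break;
        }
    }
    fclose(f);
    return len;
}

/* 1 if the page holding addr is mapped, 0 if it is a hole (mincore fails with ENOMEM there). */
int page_is_mapped(const void *addr)
{
    long page = sysconf(_SC_PAGESIZE);
    uintptr_t aligned = (uintptr_t)addr & ~(uintptr_t)(page - 1);
    unsigned char vec;

    return mincore((void *)aligned, (size_t)page, &vec) == 0;
}

/* Recreate the commit message scenario and report what io_destroy did to the neighbour. */
int aio_shrink_probe(void)
{
    long page = sysconf(_SC_PAGESIZE);
    unsigned long ctx = 0;          /* aio_context_t; equals the ring's mmap address */
    unsigned char *base, *canary;
    size_t ring_len;

    /* 1. io_setup maps the ring; the id handed back is its user address (user_id == mmap_base). */
    if (syscall(SYS_io_setup, 1024, &ctx) != 0)
        return PROBE_SKIPPED;
    ring_len = vma_len_at(ctx);
    if (ring_len <= (size_t)page) {
        syscall(SYS_io_destroy, ctx);
        return PROBE_SKIPPED;
    }

    /* 2. Reserve ring_len bytes of PROT_NONE so whatever follows the shrunk ring is ours alone. */
    base = mmap(NULL, ring_len, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) {
        syscall(SYS_io_destroy, ctx);
        return PROBE_SKIPPED;
    }

    /* 3. Move the ring to base keeping only its first page: the "shrink from the beginning". */
    if (syscall(SYS_mremap, ctx, ring_len, (size_t)page,
                MREMAP_MAYMOVE | MREMAP_FIXED, base) != (long)(uintptr_t)base) {
        syscall(SYS_io_destroy, ctx);
        munmap(base, ring_len);
        return PROBE_SKIPPED;
    }

    /* 4. An unrelated writable page directly behind the shrunk ring, inside the old ring_len. */
    canary = mmap(base + page, (size_t)page, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (canary == MAP_FAILED) {
        syscall(SYS_io_destroy, (unsigned long)(uintptr_t)base);
        munmap(base, ring_len);
        return PROBE_SKIPPED;
    }
    memset(canary, 0xA5, (size_t)page);

    /* 5. The remap hook made the new vm_start the context id, so io_destroy takes base. */
    if (syscall(SYS_io_destroy, (unsigned long)(uintptr_t)base) != 0) {
        munmap(base, ring_len);
        return PROBE_SKIPPED;
    }

    /* 6. With a stale ctx->mmap_size, io_destroy unmaps ring_len bytes from base, canary included. */
    int verdict = page_is_mapped(canary) ? PROBE_INTACT : PROBE_ZAPPED;
    munmap(base, ring_len);         /* tidy up whatever survived */
    return verdict;
}

int main(void)
{
    int r = aio_shrink_probe();

    puts(r == PROBE_INTACT ? "neighbour intact: io_destroy unmapped only the shrunk ring" :
         r == PROBE_ZAPPED ? "neighbour unmapped: ctx->mmap_size was stale" :
                             "skipped: io_setup or mremap not usable here");
    return 0;
}
```

With mmap_size left at the original ring length, the unmap in io_destroy spans the whole reserved area and the probe returns PROBE_ZAPPED; with the size tracking the remapped vma only the single ring page goes away and it returns PROBE_INTACT. It returns PROBE_SKIPPED rather than guessing when io_setup is refused (seccomp, fs.aio-max-nr) or the kernel rejects the mremap, so it can sit in a test suite without false alarms.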