On Mon, Jul 17, 2017 at 09:18:13AM +0300, Mike Rapoport wrote: > When mremap is called with MREMAP_FIXED it unmaps memory at the destination > address without notifying userfaultfd monitor. If the destination were > registered with userfaultfd, the monitor has no way to distinguish between > the old and new ranges and to properly relate the page faults that would > occur in the destination region. > > Cc: stable@xxxxxxxxxxxxxxx > Fixes: 897ab3e0c49e ("userfaultfd: non-cooperative: add event for memory > unmaps") > > Signed-off-by: Mike Rapoport <rppt@xxxxxxxxxxxxxxxxxx> > --- Please discard this patch. I completely missed that userfaultfd_unmap_complete releases mmap_sem :( > mm/mremap.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/mm/mremap.c b/mm/mremap.c > index cd8a1b199ef9..eb36ef9410e4 100644 > --- a/mm/mremap.c > +++ b/mm/mremap.c > @@ -446,9 +446,14 @@ static unsigned long mremap_to(unsigned long addr, unsigned long old_len, > if (addr + old_len > new_addr && new_addr + new_len > addr) > goto out; > > - ret = do_munmap(mm, new_addr, new_len, NULL); > + /* > + * We presume the uf_unmap list is empty by this point and it > + * will be cleared again in userfaultfd_unmap_complete. > + */ > + ret = do_munmap(mm, new_addr, new_len, uf_unmap); > if (ret) > goto out; > + userfaultfd_unmap_complete(mm, uf_unmap); > > if (old_len >= new_len) { > ret = do_munmap(mm, addr+new_len, old_len - new_len, uf_unmap); > -- > 2.7.4 > -- Sincerely yours, Mike.
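Review bot: the userfaultfd_unmap_complete(mm, uf_unmap) call added right after the first do_munmap sits in the middle of mremap_to, and, as the reply above says, that function releases mmap_sem, so everything after it in this function (the second do_munmap on uf_unmap in the `if (old_len >= new_len)` branch and whatever follows) would run without the lock the caller took. Instead of completing the event here, collect the destination unmap into a list of its own (for example a second list_head parameter next to uf_unmap, handed in by the caller) and let the caller complete it once mmap_sem has been dropped. That also removes the need for the "We presume the uf_unmap list is empty by this point" comment, which only holds because the in-place completion is relied on to empty the shared list before the second do_munmap reuses it.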