| -rw-r--r-- | fs/aio.c | 15 |
1 files changed, 12 insertions, 3 deletions
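--- a/fs/aio.c
+++ b/fs/aio.c
@@ -307,16 +307,25 @@ static int aio_setup_ring(struct kioctx *ctx)
 aio_free_ring(ctx);
 return -EAGAIN;
 }
-up_write(&mm->mmap_sem);
-
-mm_populate(ctx->mmap_base, populate);
 
 pr_debug("mmap address: 0x%08lx\n", ctx->mmap_base);
+
+/* We must do this while still holding mmap_sem for write, as we
+* need to be protected against userspace attempting to mremap()
+* or munmap() the ring buffer.
+*/
 ctx->nr_pages = get_user_pages(current, mm, ctx->mmap_base, nr_pages,
 1, 0, ctx->ring_pages, NULL);
+
+/* Dropping the reference here is safe as the page cache will hold
+* onto the pages for us. It is also required so that page migration
+* can unmap the pages and get the right reference count.
+*/
 for (i = 0; i < ctx->nr_pages; i++)
 put_page(ctx->ring_pages[i]);
 
+up_write(&mm->mmap_sem);
+
 if (unlikely(ctx->nr_pages != nr_pages)) {
 aio_free_ring(ctx);
 return -EAGAIN;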
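Review bot: After the `put_page()` loop and the relocated `up_write(&mm->mmap_sem)`, `ctx->ring_pages[]` keeps page pointers that carry no reference of their own, so once userspace is again free to munmap() or mremap() the ring their validity rests entirely on the page-cache reference the new comment mentions. Nothing in this hunk shows what keeps those page-cache entries alive for the lifetime of the ctx, so I would extend the comment to name the owner, for example `* The ring's backing file is held by the ctx until aio_free_ring(), which keeps these page-cache pages valid.` (to be confirmed against the setup code outside the hunk). Separately, the return value of `get_user_pages()` is stored straight into `ctx->nr_pages` and used as the loop bound before the `!= nr_pages` check; that is only safe for a negative error return if the field and `i` are signed, which is not visible here. aio_setup_ring() starts and ends outside the hunk.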
