From fe2d5398ef297c70aa61501224f900baae3b6166 Mon Sep 17 00:00:00 2001
From: Izik Eidus <ieidus@redhat.com>
Date: Tue, 2 Jun 2009 01:11:47 +0300
Subject: [PATCH 10/10] KSM: avoid usage of free slabed memory. (triggered with slab debugging enabled)
This avoid crashing with slab debugging enabled by removing a window
for memory corruption if freed slab entries are reused before we read
the next pointer. For both rhev/master and rhel5/master.
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Izik Eidus <ieidus@redhat.com>
Message-Id: <1243894307-17932-6-git-send-email-ieidus@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
RH-Upstream-status: not-applicable
Obsoletes: <20090530160728.GD22104@random.random>
Acked-by: Andrea Arcangeli <aarcange@redhat.com>
Bugzilla: 504237
Acked-by: Marcelo Tosatti <mtosatti@redhat.com>
Message-Id: <1244142579-3405-5-git-send-email-ieidus@redhat.com>
Acked-by: john cooper <john.cooper@redhat.com>
---
kernel/ksm/ksm_main.c | 16 ++++++++++------
1 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/kernel/ksm/ksm_main.c b/kernel/ksm/ksm_main.c
index 40a0258..f9edc4f 100644
--- a/kernel/ksm/ksm_main.c
+++ b/kernel/ksm/ksm_main.c
@@ -697,7 +697,7 @@ static struct rmap_item *stable_tree_search(struct page *page,
{
struct rb_node *node = root_stable_tree.rb_node;
struct tree_item *tree_item;
- struct rmap_item *found_rmap_item;
+ struct rmap_item *found_rmap_item, *next_rmap_item;
while (node) {
int ret;
@@ -712,9 +712,11 @@ static struct rmap_item *stable_tree_search(struct page *page,
found_rmap_item->address == rmap_item->address)) {
if (!is_zapped_item(found_rmap_item, page2))
break;
+ next_rmap_item = found_rmap_item->next;
remove_rmap_item_from_tree(found_rmap_item);
- }
- found_rmap_item = found_rmap_item->next;
+ found_rmap_item = next_rmap_item;
+ } else
+ found_rmap_item = found_rmap_item->next;
}
if (!found_rmap_item)
goto out_didnt_find;
@@ -753,7 +755,7 @@ static int stable_tree_insert(struct page *page,
while (*new) {
int ret;
- struct rmap_item *insert_rmap_item;
+ struct rmap_item *insert_rmap_item, *next_rmap_item;
tree_item = rb_entry(*new, struct tree_item, node);
BUG_ON(!tree_item);
@@ -768,9 +770,11 @@ static int stable_tree_insert(struct page *page,
insert_rmap_item->address == rmap_item->address)) {
if (!is_zapped_item(insert_rmap_item, page2))
break;
+ next_rmap_item = insert_rmap_item->next;
remove_rmap_item_from_tree(insert_rmap_item);
- }
- insert_rmap_item = insert_rmap_item->next;
+ insert_rmap_item = next_rmap_item;
+ } else
+ insert_rmap_item = insert_rmap_item->next;
}
if (!insert_rmap_item)
return 1;
--
1.6.3.rc4.29.g8146
distrib
>
Scientific%20Linux
>
5x
>
x86_64
>
by-pkgid
>
340e01248478ba8b78a6d4d1809b1eff
>
files
>
168
