From fe2d5398ef297c70aa61501224f900baae3b6166 Mon Sep 17 00:00:00 2001 From: Izik Eidus <ieidus@redhat.com> Date: Tue, 2 Jun 2009 01:11:47 +0300 Subject: [PATCH 10/10] KSM: avoid usage of free slabed memory. (triggered with slab debugging enabled) This avoid crashing with slab debugging enabled by removing a window for memory corruption if freed slab entries are reused before we read the next pointer. For both rhev/master and rhel5/master. Signed-off-by: Andrea Arcangeli <aarcange@redhat.com> Signed-off-by: Izik Eidus <ieidus@redhat.com> Message-Id: <1243894307-17932-6-git-send-email-ieidus@redhat.com> Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> RH-Upstream-status: not-applicable Obsoletes: <20090530160728.GD22104@random.random> Acked-by: Andrea Arcangeli <aarcange@redhat.com> Bugzilla: 504237 Acked-by: Marcelo Tosatti <mtosatti@redhat.com> Message-Id: <1244142579-3405-5-git-send-email-ieidus@redhat.com> Acked-by: john cooper <john.cooper@redhat.com> --- kernel/ksm/ksm_main.c | 16 ++++++++++------ 1 files changed, 10 insertions(+), 6 deletions(-) diff --git a/kernel/ksm/ksm_main.c b/kernel/ksm/ksm_main.c index 40a0258..f9edc4f 100644 --- a/kernel/ksm/ksm_main.c +++ b/kernel/ksm/ksm_main.c @@ -697,7 +697,7 @@ static struct rmap_item *stable_tree_search(struct page *page, { struct rb_node *node = root_stable_tree.rb_node; struct tree_item *tree_item; - struct rmap_item *found_rmap_item; + struct rmap_item *found_rmap_item, *next_rmap_item; while (node) { int ret; @@ -712,9 +712,11 @@ static struct rmap_item *stable_tree_search(struct page *page, found_rmap_item->address == rmap_item->address)) { if (!is_zapped_item(found_rmap_item, page2)) break; + next_rmap_item = found_rmap_item->next; remove_rmap_item_from_tree(found_rmap_item); - } - found_rmap_item = found_rmap_item->next; + found_rmap_item = next_rmap_item; + } else + found_rmap_item = found_rmap_item->next; } if (!found_rmap_item) goto out_didnt_find; @@ -753,7 +755,7 @@ static int stable_tree_insert(struct page *page, while (*new) { int ret; - struct rmap_item *insert_rmap_item; + struct rmap_item *insert_rmap_item, *next_rmap_item; tree_item = rb_entry(*new, struct tree_item, node); BUG_ON(!tree_item); @@ -768,9 +770,11 @@ static int stable_tree_insert(struct page *page, insert_rmap_item->address == rmap_item->address)) { if (!is_zapped_item(insert_rmap_item, page2)) break; + next_rmap_item = insert_rmap_item->next; remove_rmap_item_from_tree(insert_rmap_item); - } - insert_rmap_item = insert_rmap_item->next; + insert_rmap_item = next_rmap_item; + } else + insert_rmap_item = insert_rmap_item->next; } if (!insert_rmap_item) return 1; -- 1.6.3.rc4.29.g8146