diff options
author | Mel Gorman <mel@csn.ul.ie> | 2010-10-26 17:21:11 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2010-10-26 19:52:03 -0400 |
commit | b7f50cfa3630b6e079929ffccfd442d65064ee1f (patch) | |
tree | b6f28ed350055bb864cbe317284eb56fca29cfc3 | |
parent | a75d377686037982cbec320bb770b19fe7be6a5d (diff) |
mm, page-allocator: do not check the state of a non-existant buddy during free
There is a bug in commit 6dda9d55 ("page allocator: reduce fragmentation
in buddy allocator by adding buddies that are merging to the tail of the
free lists") that means a buddy at order MAX_ORDER is checked for merging.
A page of this order never exists so at times, an effectively random
piece of memory is being checked.
Alan Curry has reported that this is causing memory corruption in
userspace data on a PPC32 platform (http://lkml.org/lkml/2010/10/9/32).
It is not clear why this is happening. It could be a cache coherency
problem where pages mapped in both user and kernel space are getting
different cache lines due to the bad read from kernel space
(http://lkml.org/lkml/2010/10/13/179). It could also be that there are
some special registers being io-remapped at the end of the memmap array
and that a read has special meaning on them. Compiler bugs have been
ruled out because the assembly before and after the patch looks relatively
harmless.
This patch fixes the problem by ensuring we are not reading a possibly
invalid location of memory. It's not clear why the read causes corruption
but one way or the other it is a buggy read.
Signed-off-by: Mel Gorman <mel@csn.ul.ie>
Cc: Corrado Zoccolo <czoccolo@gmail.com>
Reported-by: Alan Curry <pacman@kosh.dhis.org>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Christoph Lameter <cl@linux-foundation.org>
Cc: Rik van Riel <riel@redhat.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r-- | mm/page_alloc.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/mm/page_alloc.c b/mm/page_alloc.c index 2a362c52fdf4..5faf876cfc3a 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c | |||
@@ -531,7 +531,7 @@ static inline void __free_one_page(struct page *page, | |||
531 | * so it's less likely to be used soon and more likely to be merged | 531 | * so it's less likely to be used soon and more likely to be merged |
532 | * as a higher order page | 532 | * as a higher order page |
533 | */ | 533 | */ |
534 | if ((order < MAX_ORDER-1) && pfn_valid_within(page_to_pfn(buddy))) { | 534 | if ((order < MAX_ORDER-2) && pfn_valid_within(page_to_pfn(buddy))) { |
535 | struct page *higher_page, *higher_buddy; | 535 | struct page *higher_page, *higher_buddy; |
536 | combined_idx = __find_combined_index(page_idx, order); | 536 | combined_idx = __find_combined_index(page_idx, order); |
537 | higher_page = page + combined_idx - page_idx; | 537 | higher_page = page + combined_idx - page_idx; |