public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed
From: Ingo Molnar <mingo@elte.hu>
To: Nick Piggin <nickpiggin@yahoo.com.au>
Cc: David Miller <davem@davemloft.net>,
	mpm@selenic.com, rjw@sisk.pl, linux-kernel@vger.kernel.org,
	akpm@linux-foundation.org, torvalds@linux-foundation.org,
	Thomas Gleixner <tglx@linutronix.de>
Subject: [patch] slob: fix memory corruption
Date: Thu, 15 Nov 2007 12:32:04 +0100	[thread overview]
Message-ID: <20071115113204.GA24463@elte.hu> (raw)
In-Reply-To: <20071115112820.GA18228@elte.hu>


* Ingo Molnar <mingo@elte.hu> wrote:

> > I had implemented SLOB in userspace, so I resynched and think I 
> > found your problem. Sorry for the attachment format -- this mailer 
> > isn't the best. I'm really computer illiterate when it comes to 
> > userspace...
> 
> thx, i'll try your fix in a minute.

that did the trick! Nick, find an updated patch below. (reference to the 
bugzilla added.)

	Ingo

-------------------->
Subject: slob: fix memory corruption
From: Nick Piggin <npiggin@suse.de>

Previously, it would be possible for prev->next to point to
&free_slob_pages, and thus we would try to move a list onto itself, and
bad things would happen.

It seems a bit hairy to be doing list operations with the list marker as
an entry, rather than a head, but...

this resolves the following crash:

  http://bugzilla.kernel.org/show_bug.cgi?id=9379

Signed-off-by: Nick Piggin <npiggin@suse.de>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
---
 mm/slob.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Index: linux/mm/slob.c
===================================================================
--- linux.orig/mm/slob.c
+++ linux/mm/slob.c
@@ -321,7 +321,8 @@ static void *slob_alloc(size_t size, gfp
 		/* Improve fragment distribution and reduce our average
 		 * search time by starting our next search here. (see
 		 * Knuth vol 1, sec 2.5, pg 449) */
-		if (free_slob_pages.next != prev->next)
+		if (prev != free_slob_pages.prev &&
+				free_slob_pages.next != prev->next)
 			list_move_tail(&free_slob_pages, prev->next);
 		break;
 	}

  reply	other threads:[~2007-11-15 11:32 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-11-11 19:58 2.6.24-rc2: Reported regressions from 2.6.23 (updated) Rafael J. Wysocki
2007-11-11 20:09 ` Alan Cox
2007-11-11 20:34   ` Rafael J. Wysocki
2007-11-11 22:22   ` Bartlomiej Zolnierkiewicz
2007-11-11 22:46     ` Alan Cox
2007-11-13  1:11       ` Andrew Morton
2007-11-13 14:09         ` Thomas Lindroth
     [not found]         ` <3d08dbff0711130534k702f66ebj1f8e91d107eff2a1@mail.gmail.com>
2007-11-13 19:52           ` Andrew Morton
2007-11-11 20:30 ` Ingo Molnar
2007-11-11 20:33 ` Francois Romieu
2007-11-14 11:20 ` [bug] SLOB crash, 2.6.24-rc2 Ingo Molnar
2007-11-14 17:36   ` Matt Mackall
2007-11-14 18:39     ` Matt Mackall
2007-11-14 19:05       ` Ingo Molnar
2007-11-14 19:42         ` Matt Mackall
2007-11-14 22:39         ` David Miller
2007-11-14 22:53           ` Matt Mackall
2007-11-14 23:10             ` David Miller
2007-11-14 23:37               ` Matt Mackall
2007-11-14 23:41                 ` David Miller
2007-11-15  0:09                   ` Matt Mackall
2007-11-15 10:43                   ` Ingo Molnar
2007-11-15 10:51                     ` David Miller
2007-11-15 11:03                       ` Ingo Molnar
2007-11-15 11:05                         ` David Miller
2007-11-15 10:57                     ` Nick Piggin
2007-11-15 11:28                       ` Ingo Molnar
2007-11-15 11:32                         ` Ingo Molnar [this message]
2007-11-15 12:48                           ` [patch] slob: fix memory corruption Ingo Molnar
2007-11-15 20:25                             ` Nick Piggin
2007-11-15 16:00                           ` Matt Mackall
2007-11-15 11:39                         ` [bug] SLOB crash, 2.6.24-rc2 Nick Piggin
2007-11-15 12:18                         ` Dave Haywood

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20071115113204.GA24463@elte.hu \
    --to=mingo@elte.hu \
    --cc=akpm@linux-foundation.org \
    --cc=davem@davemloft.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mpm@selenic.com \
    --cc=nickpiggin@yahoo.com.au \
    --cc=rjw@sisk.pl \
    --cc=tglx@linutronix.de \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox