Re: [patch] slob: fix memory corruption

[Matt Mackall <mpm@selenic.com>]

On Thu, Nov 15, 2007 at 12:32:04PM +0100, Ingo Molnar wrote:
> 
> * Ingo Molnar <mingo@elte.hu> wrote:
> 
> > > I had implemented SLOB in userspace, so I resynched and think I 
> > > found your problem. Sorry for the attachment format -- this mailer 
> > > isn't the best. I'm really computer illiterate when it comes to 
> > > userspace...
> > 
> > thx, i'll try your fix in a minute.
> 
> that did the trick! Nick, find an updated patch below. (reference to the 
> bugzilla added.)

Yes, good catch, Nick!
 
> 	Ingo
> 
> -------------------->
> Subject: slob: fix memory corruption
> From: Nick Piggin <npiggin@suse.de>
> 
> Previously, it would be possible for prev->next to point to
> &free_slob_pages, and thus we would try to move a list onto itself, and
> bad things would happen.
> 
> It seems a bit hairy to be doing list operations with the list marker as
> an entry, rather than a head, but...
>
> this resolves the following crash:
> 
>   http://bugzilla.kernel.org/show_bug.cgi?id=9379
> 
> Signed-off-by: Nick Piggin <npiggin@suse.de>
> Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Matt Mackall <mpm@selenic.com>

Andrew, please cue this for 2.6.24 and -stable.

> ---
>  mm/slob.c |    3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> Index: linux/mm/slob.c
> ===================================================================
> --- linux.orig/mm/slob.c
> +++ linux/mm/slob.c
> @@ -321,7 +321,8 @@ static void *slob_alloc(size_t size, gfp
>  		/* Improve fragment distribution and reduce our average
>  		 * search time by starting our next search here. (see
>  		 * Knuth vol 1, sec 2.5, pg 449) */
> -		if (free_slob_pages.next != prev->next)
> +		if (prev != free_slob_pages.prev &&
> +				free_slob_pages.next != prev->next)
>  			list_move_tail(&free_slob_pages, prev->next);
>  		break;
>  	}

-- 
Mathematics is the supreme nostalgia of our time.