slob: fix memory corruption
Previously, it would be possible for prev->next to point to &free_slob_pages, and thus we would try to move a list onto itself, and bad things would happen.

It seems a bit hairy to be doing list operations with the list marker as an entry, rather than a head, but... this resolves the following crash:

http://bugzilla.kernel.org/show_bug.cgi?id=9379

Signed-off-by: Nick Piggin <npiggin@suse.de>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Acked-by: Matt Mackall <mpm@selenic.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
parent a3474224e6
commit d32ddd8f20
1 changed files with 2 additions and 1 deletions
|
@ -321,7 +321,8 @@ static void *slob_alloc(size_t size, gfp_t gfp, int align, int node)
|
||||||
/* Improve fragment distribution and reduce our average
|
/* Improve fragment distribution and reduce our average
|
||||||
* search time by starting our next search here. (see
|
* search time by starting our next search here. (see
|
||||||
* Knuth vol 1, sec 2.5, pg 449) */
|
* Knuth vol 1, sec 2.5, pg 449) */
|
||||||
if (free_slob_pages.next != prev->next)
|
if (prev != free_slob_pages.prev &&
|
||||||
|
free_slob_pages.next != prev->next)
|
||||||
list_move_tail(&free_slob_pages, prev->next);
|
list_move_tail(&free_slob_pages, prev->next);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
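Review bot: The added test `prev != free_slob_pages.prev` has no comment saying what it protects against, and the only comment above it still describes just the Knuth search-start optimization. The commit message states the hazard as prev->next pointing to &free_slob_pages, which makes `list_move_tail(&free_slob_pages, prev->next)` move the list marker onto itself, so a one-line comment to that effect on the new condition would keep the guard from being dropped as redundant later. Consider also whether testing `prev->next` against `&free_slob_pages` directly would read closer to the stated cause than comparing `prev` with `free_slob_pages.prev`, since the equivalence of the two depends on the list links being consistent at this point.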