slob: fix memory corruption
Previously, it would be possible for prev->next to point to &free_slob_pages, and thus we would try to move a list onto itself, and bad things would happen.

It seems a bit hairy to be doing list operations with the list marker as an entry, rather than a head, but... this resolves the following crash:

http://bugzilla.kernel.org/show_bug.cgi?id=9379

Signed-off-by: Nick Piggin <npiggin@suse.de>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Acked-by: Matt Mackall <mpm@selenic.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
parent a3474224e6
commit d32ddd8f20
@ -321,7 +321,8 @@ static void *slob_alloc(size_t size, gfp_t gfp, int align, int node)
/* Improve fragment distribution and reduce our average
* search time by starting our next search here. (see
* Knuth vol 1, sec 2.5, pg 449) */
if (free_slob_pages.next != prev->next)
if (prev != free_slob_pages.prev &&
free_slob_pages.next != prev->next)
list_move_tail(&free_slob_pages, prev->next);
break;
}
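Review bot: The new `prev != free_slob_pages.prev` test in front of `list_move_tail(&free_slob_pages, prev->next)` is undocumented, and the comment above it still describes only the Knuth search-start rotation. The reason for the guard is not obvious from the code: when prev is the last entry on the list, prev->next is &free_slob_pages, so the call would move the list marker onto itself. Please extend the comment to state that case, for example "skip the rotation when prev is the tail, since prev->next is then the list marker itself". As the commit message already admits, using the marker as a list entry rather than a head is fragile, so it would also help to note here that this rotation is the one place where the marker is moved.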