[PATCH] order>0 page freeing bug

[David Howells]

Hi Andrew, Linus,

Here's a patch to fix a bug that occurs when an order>0 page allocation is
freed.

The bug can be demonstrated by this example:

 (1) if __alloc_page() returns an order 1 allocation, you get back two pages,
     both with count == 1

 (2) __free_pages() only decrements the counter on the first page

 (3) __free_pages_ok() calls free_pages_check() on both pages

 (4) free_pages_check() complains that the second page is a bad_page because
     its count is not 0 at that point.

David


diff -ur /inst-kernels/linux-2.6.5-rc3/mm/page_alloc.c linux-2.6.5-rc3-new/mm/page_alloc.c
--- /inst-kernels/linux-2.6.5-rc3/mm/page_alloc.c	2004-03-31 14:54:23.000000000 +0100
+++ linux-2.6.5-rc3-new/mm/page_alloc.c	2004-04-08 17:18:13.000000000 +0100
@@ -269,8 +269,12 @@
 	int i;
 
 	mod_page_state(pgfree, 1 << order);
-	for (i = 0 ; i < (1 << order) ; ++i)
+	free_pages_check(__FUNCTION__, page);
+	for (i = 1 ; i < (1 << order) ; ++i) {
+		if (unlikely(!atomic_dec_and_test(&page[i].count)))
+			BUG();
 		free_pages_check(__FUNCTION__, page + i);
+	}
 	list_add(&page->list, &list);
 	kernel_map_pages(page, 1<<order, 0);
 	free_pages_bulk(page_zone(page), 1, &list, order);

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/