author | Minchan Kim <minchan.kim@gmail.com> | 2011-02-01 15:52:33 -0800 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2011-02-02 16:03:18 -0800 |
commit | 48db54ee2f41e8ae2faf330b55db34a9fffb5b3c (patch) | |
tree | 5cdf936bf6996e379784e0b75b982a364f437368 | |
parent | 57fc4a5ee322cde96c33f101d3c2d3b79011c05c (diff) |
mm/migration: fix page corruption during hugepage migration
If migrate_huge_page by memory-failure fails, it calls put_page in itself
to decrease page reference and caller of migrate_huge_page also calls
putback_lru_pages. It can do double free of page so it can make page
corruption on page holder.
In addition, clean of pages on caller is consistent behavior with
migrate_pages by cf608ac19c ("mm: compaction: fix COMPACTPAGEFAILED
counting").
Signed-off-by: Minchan Kim <minchan.kim@gmail.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Mel Gorman <mel@csn.ul.ie>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r-- | mm/memory-failure.c | 5 | ||||
-rw-r--r-- | mm/migrate.c | 4 |
2 files changed, 4 insertions, 5 deletions
diff --git a/mm/memory-failure.c b/mm/memory-failure.c index 75398b0bfed..237aaa488f4 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -1295,7 +1295,10 @@ static int soft_offline_huge_page(struct page *page, int flags) ret = migrate_huge_pages(&pagelist, new_page, MPOL_MF_MOVE_ALL, 0, true); if (ret) { - putback_lru_pages(&pagelist); + struct page *page1, *page2; + list_for_each_entry_safe(page1, page2, &pagelist, lru) + put_page(page1); + pr_debug("soft offline: %#lx: migration failed %d, type %lx\n", pfn, ret, page->flags); if (ret > 0) diff --git a/mm/migrate.c b/mm/migrate.c index 155a2e9a805..76611525380 100644 --- a/mm/migrate.c +++ b/mm/migrate.c @@ -980,10 +980,6 @@ int migrate_huge_pages(struct list_head *from, } rc = 0; out: - - list_for_each_entry_safe(page, page2, from, lru) - put_page(page); - if (rc) return rc; |
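Review bot: In the mm/memory-failure.c hunk, the new loop in the `if (ret)` branch of soft_offline_huge_page() uses `list_for_each_entry_safe(page1, page2, &pagelist, lru)` but only calls `put_page(page1)`, so every entry is still linked on pagelist through its lru field after its reference has been dropped. The _safe iterator is normally chosen because the body unlinks the entry; either add `list_del(&page1->lru)` before the put_page, or add a short comment saying why leaving the entries linked is safe here. A one-line comment on why this path uses put_page rather than putback_lru_pages would also help the next reader, and names such as hpage and tmp would be easier to tell apart from the function's own `page` argument than page1 and page2.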
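Review bot: In the mm/migrate.c hunk, the removed put_page loop sat under `out:` ahead of `if (rc) return rc;`, so it ran on the success path as well as on failure, while the only replacement this patch adds is in the failure branch of soft_offline_huge_page(). Please confirm that `from` is always empty when rc is 0, or say who now drops those references. The ownership rule changes for every caller of migrate_huge_pages(), so the function's header comment should state that the caller must release any pages left on `from` when it returns non-zero. Also check that the `page` and `page2` locals used by the deleted loop are still referenced elsewhere in the function, otherwise this leaves unused-variable warnings.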