On arches that do not support this_cpu_cmpxchg_double slab_lock is used to do atomic cmpxchg() on double word which contains page->_count. page count can be changed from get_page() or put_page() without taking slab_lock. That corrupts page counter. Following patch fixes it by moving page->_count out of cmpxchg_double data. So that slub does no change it while updating slub meta-data in struct page.
Reported-by: Amey Bhide <abhide@xxxxxxxxxx>
Signed-off-by: Pravin B Shelar <pshelar@xxxxxxxxxx>
---
 include/linux/mm_types.h | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
index dad95bd..7f0032f 100644
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -55,7 +55,8 @@ struct page {
 pgoff_t index; /* Our offset within mapping. */
 void *freelist; /* slub first free object */
 };
-
+#if defined(CONFIG_HAVE_CMPXCHG_DOUBLE) && \
+ defined(CONFIG_HAVE_ALIGNED_STRUCT_PAGE)
 union {
 /* Used for cmpxchg_double in slub */
 unsigned long counters;
@@ -90,6 +91,28 @@ struct page {
 atomic_t _count; /* Usage count, see below. */
 };
 };
+#else
+ /* Keep _count separate from slub cmpxchg_double data, As rest
+ * of double word is protected by slab_lock but _count is not */
+ union {
+ /* Used for cmpxchg_double in slub */
+ unsigned int counters;
+
+ struct {
+
+ union {
+ atomic_t _mapcount;
+
+ struct {
+ unsigned inuse:16;
+ unsigned objects:15;
+ unsigned frozen:1;
+ };
+ };
+ };
+ };
+ atomic_t _count;
+#endif
 };
 
 /* Third double word block */
--
1.7.10
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Fight unfair telecom internet charges in Canada: sign http://stopthemeter.ca/ Don't email: <a href=mailto:"dont@xxxxxxxxx"> email@xxxxxxxxx </a>
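Review bot: The `#else` layout added in the second hunk narrows `counters` from `unsigned long` to `unsigned int`, but every reader and writer of `page->counters` lives in mm/slub.c outside this patch and was presumably written against the wider field, so the slab_lock fallback path should be checked to confirm it copes with a 32-bit `counters` before this is merged. The inner `_mapcount`/bitfield union is now duplicated by hand across the `#if` branch (first hunk) and the `#else` branch, and nothing ties the two copies together; a comment on each side such as `/* Must mirror the layout in the other CONFIG_HAVE_CMPXCHG_DOUBLE branch above/below */` would make the coupling visible, and a `BUILD_BUG_ON` on `sizeof(((struct page *)0)->counters)` against the union it overlays would turn a future layout drift into a build failure rather than silent `_count` corruption. The comment's "As rest of double word" should read "as the rest of the double word". `struct page` begins and ends outside both hunks.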