[PATCH 1/4] pfnmap: fix 2.6.15-rc3 driver breakage

I've not tested any of them, but believe 2.6.15-rc3 will suffer from
premature freeing of pages in the case of the following drivers:

arch/ia64/kernel/perfmon.c
drivers/char/ftape/lowlevel/ftape-ctl.c
drivers/media/video/cpia.c
drivers/media/video/em28xx/em28xx-video.c
drivers/media/video/meye.c
drivers/media/video/planb.c
drivers/media/video/vino.c
drivers/media/video/zoran_driver.c
drivers/media/video/zr36120.c
drivers/usb/class/audio.c
drivers/usb/media/ov511.c
drivers/usb/media/pwc/pwc-if.c
drivers/usb/media/se401.c
drivers/usb/media/sn9c102_core.c
drivers/usb/media/stv680.c
drivers/usb/media/usbvideo.c
drivers/usb/media/vicam.c
drivers/usb/media/w9968cf.c
drivers/video/gbefb.c
drivers/video/sbuslib.c
net/packet/af_packet.c

About twenty drivers fill in their mmap vma by applying remap_pfn_range
repeatedly, many of them using vmalloc_to_pfn: vm_pgoff will match only
the last range or page mapped in, and the others will be considered
normal by vm_normal_page - thus although they were not counted in by
remap_pfn_range, they will be counted out by zap_pte_range, so freed
well before the driver has finished with them (and frees them again).

A temporary hack (checking for PageAnon and ZERO_PAGE) sure to disgust
Linus, but keep those drivers safe until the proper solution arrives.

Signed-off-by: Hugh Dickins <[email protected]>
---

 mm/memory.c |   15 ++++++++++++++-
 1 files changed, 14 insertions(+), 1 deletion(-)

--- 2.6.15-rc3/mm/memory.c	2005-11-29 08:40:07.000000000 +0000
+++ linux/mm/memory.c	2005-11-29 15:59:34.000000000 +0000
@@ -372,6 +372,7 @@ void print_bad_pte(struct vm_area_struct
 struct page *vm_normal_page(struct vm_area_struct *vma, unsigned long addr, pte_t pte)
 {
 	unsigned long pfn = pte_pfn(pte);
+	struct page *page;
 
 	if (vma->vm_flags & VM_PFNMAP) {
 		unsigned long off = (addr - vma->vm_start) >> PAGE_SHIFT;
@@ -399,7 +400,19 @@ struct page *vm_normal_page(struct vm_ar
 	 * The PAGE_ZERO() pages and various VDSO mappings can
 	 * cause them to exist.
 	 */
-	return pfn_to_page(pfn);
+	page = pfn_to_page(pfn);
+
+	/*
+	 * Temporary hack to avoid driver breakage.
+	 * About twenty drivers fill in their mmap vma by applying
+	 * remap_pfn_range repeatedly: vm_pgoff will match only the
+	 * last range mapped; so also check if page is COWed or ZERO.
+	 */
+	if ((vma->vm_flags & VM_PFNMAP) &&
+	    !PageAnon(page) && page != ZERO_PAGE(addr))
+		return NULL;
+
+	return page;
 }
 
 /*
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Follow-Ups:
- [PATCH 4/4] pfnmap: do_no_page BUG_ON again
  - From: Hugh Dickins <[email protected]>
- [PATCH 3/4] pfnmap: remove src_page from do_wp_page
  - From: Hugh Dickins <[email protected]>
- [PATCH 2/4] pfnmap: cow_user_page needs mask
  - From: Hugh Dickins <[email protected]>

Prev by Date: Re: Question: madvise(DONT_SYNC)
Next by Date: [PATCH 2/4] pfnmap: cow_user_page needs mask
Previous by thread: [2.6 patch] dpt_i2o fix for deadlock condition
Next by thread: [PATCH 2/4] pfnmap: cow_user_page needs mask
Index(es):
- Date
- Thread

[Index of Archives] [Kernel Newbies] [Netfilter] [Bugtraq] [Photo] [Stuff] [Gimp] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Video 4 Linux] [Linux for the blind] [Linux Resources]