media: video: tegra: sh532u: fix out-of-bounds read
[linux-2.6.git] / mm / swap_state.c
index 581b609..4668046 100644 (file)
@@ -8,6 +8,7 @@
  */
 #include <linux/module.h>
 #include <linux/mm.h>
+#include <linux/gfp.h>
 #include <linux/kernel_stat.h>
 #include <linux/swap.h>
 #include <linux/swapops.h>
 #include <linux/backing-dev.h>
 #include <linux/pagevec.h>
 #include <linux/migrate.h>
-#include <linux/memcontrol.h>
+#include <linux/page_cgroup.h>
 
 #include <asm/pgtable.h>
 
 /*
  * swapper_space is a fiction, retained to simplify the path through
- * vmscan's shrink_page_list, to make sync_page look nicer, and to allow
- * future use of radix_tree tags in the swap cache.
+ * vmscan's shrink_page_list.
  */
 static const struct address_space_operations swap_aops = {
        .writepage      = swap_writepage,
-       .sync_page      = block_sync_page,
        .set_page_dirty = __set_page_dirty_nobuffers,
        .migratepage    = migrate_page,
 };
 
 static struct backing_dev_info swap_backing_dev_info = {
-       .capabilities   = BDI_CAP_NO_ACCT_DIRTY | BDI_CAP_NO_WRITEBACK,
-       .unplug_io_fn   = swap_unplug_io_fn,
+       .name           = "swap",
+       .capabilities   = BDI_CAP_NO_ACCT_AND_WRITEBACK | BDI_CAP_SWAP_BACKED,
 };
 
 struct address_space swapper_space = {
        .page_tree      = RADIX_TREE_INIT(GFP_ATOMIC|__GFP_NOWARN),
-       .tree_lock      = __RW_LOCK_UNLOCKED(swapper_space.tree_lock),
+       .tree_lock      = __SPIN_LOCK_UNLOCKED(swapper_space.tree_lock),
        .a_ops          = &swap_aops,
        .i_mmap_nonlinear = LIST_HEAD_INIT(swapper_space.i_mmap_nonlinear),
        .backing_dev_info = &swap_backing_dev_info,
@@ -57,48 +56,64 @@ static struct {
 
 void show_swap_cache_info(void)
 {
-       printk("Swap cache: add %lu, delete %lu, find %lu/%lu\n",
+       printk("%lu pages in swap cache\n", total_swapcache_pages);
+       printk("Swap cache stats: add %lu, delete %lu, find %lu/%lu\n",
                swap_cache_info.add_total, swap_cache_info.del_total,
                swap_cache_info.find_success, swap_cache_info.find_total);
-       printk("Free swap  = %lukB\n", nr_swap_pages << (PAGE_SHIFT - 10));
+       printk("Free swap  = %ldkB\n", nr_swap_pages << (PAGE_SHIFT - 10));
        printk("Total swap = %lukB\n", total_swap_pages << (PAGE_SHIFT - 10));
 }
 
 /*
- * add_to_swap_cache resembles add_to_page_cache on swapper_space,
+ * __add_to_swap_cache resembles add_to_page_cache_locked on swapper_space,
  * but sets SwapCache flag and private instead of mapping and index.
  */
+static int __add_to_swap_cache(struct page *page, swp_entry_t entry)
+{
+       int error;
+
+       VM_BUG_ON(!PageLocked(page));
+       VM_BUG_ON(PageSwapCache(page));
+       VM_BUG_ON(!PageSwapBacked(page));
+
+       page_cache_get(page);
+       SetPageSwapCache(page);
+       set_page_private(page, entry.val);
+
+       spin_lock_irq(&swapper_space.tree_lock);
+       error = radix_tree_insert(&swapper_space.page_tree, entry.val, page);
+       if (likely(!error)) {
+               total_swapcache_pages++;
+               __inc_zone_page_state(page, NR_FILE_PAGES);
+               INC_CACHE_INFO(add_total);
+       }
+       spin_unlock_irq(&swapper_space.tree_lock);
+
+       if (unlikely(error)) {
+               /*
+                * Only the context which have set SWAP_HAS_CACHE flag
+                * would call add_to_swap_cache().
+                * So add_to_swap_cache() doesn't returns -EEXIST.
+                */
+               VM_BUG_ON(error == -EEXIST);
+               set_page_private(page, 0UL);
+               ClearPageSwapCache(page);
+               page_cache_release(page);
+       }
+
+       return error;
+}
+
+
 int add_to_swap_cache(struct page *page, swp_entry_t entry, gfp_t gfp_mask)
 {
        int error;
 
-       BUG_ON(!PageLocked(page));
-       BUG_ON(PageSwapCache(page));
-       BUG_ON(PagePrivate(page));
        error = radix_tree_preload(gfp_mask);
        if (!error) {
-
-               error = mem_cgroup_cache_charge(page, current->mm, gfp_mask);
-               if (error)
-                       goto out;
-
-               write_lock_irq(&swapper_space.tree_lock);
-               error = radix_tree_insert(&swapper_space.page_tree,
-                                               entry.val, page);
-               if (!error) {
-                       page_cache_get(page);
-                       SetPageSwapCache(page);
-                       set_page_private(page, entry.val);
-                       total_swapcache_pages++;
-                       __inc_zone_page_state(page, NR_FILE_PAGES);
-                       INC_CACHE_INFO(add_total);
-               } else {
-                       mem_cgroup_uncharge_page(page);
-               }
-               write_unlock_irq(&swapper_space.tree_lock);
+               error = __add_to_swap_cache(page, entry);
                radix_tree_preload_end();
        }
-out:
        return error;
 }
 
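Review bot: The new `VM_BUG_ON(error == -EEXIST)` in `__add_to_swap_cache()` is the only check on an invariant that callers depend on: both `add_to_swap()` and `read_swap_cache_async()` call `swapcache_free(entry, NULL)` on failure on the stated grounds that -EEXIST cannot happen. VM_BUG_ON is compiled out unless CONFIG_DEBUG_VM is set, so in a production build a violated invariant would go unnoticed, and the caller would presumably drop SWAP_HAS_CACHE for an entry that another page still holds in the cache. Consider a check that survives non-debug builds, e.g. `WARN_ON_ONCE(error == -EEXIST);`, and state the preconditions in the header comment: `* Caller must hold the page lock, have called radix_tree_preload(), and own SWAP_HAS_CACHE for @entry.` The same BUG_ON to VM_BUG_ON downgrade appears in the `__delete_from_swap_cache()` and `add_to_swap()` hunks.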
@@ -108,12 +123,10 @@ out:
  */
 void __delete_from_swap_cache(struct page *page)
 {
-       BUG_ON(!PageLocked(page));
-       BUG_ON(!PageSwapCache(page));
-       BUG_ON(PageWriteback(page));
-       BUG_ON(PagePrivate(page));
+       VM_BUG_ON(!PageLocked(page));
+       VM_BUG_ON(!PageSwapCache(page));
+       VM_BUG_ON(PageWriteback(page));
 
-       mem_cgroup_uncharge_page(page);
        radix_tree_delete(&swapper_space.page_tree, page_private(page));
        set_page_private(page, 0);
        ClearPageSwapCache(page);
@@ -129,46 +142,48 @@ void __delete_from_swap_cache(struct page *page)
  * Allocate swap space for the page and add the page to the
  * swap cache.  Caller needs to hold the page lock. 
  */
-int add_to_swap(struct page * page, gfp_t gfp_mask)
+int add_to_swap(struct page *page)
 {
        swp_entry_t entry;
        int err;
 
-       BUG_ON(!PageLocked(page));
-       BUG_ON(!PageUptodate(page));
+       VM_BUG_ON(!PageLocked(page));
+       VM_BUG_ON(!PageUptodate(page));
 
-       for (;;) {
-               entry = get_swap_page();
-               if (!entry.val)
+       entry = get_swap_page();
+       if (!entry.val)
+               return 0;
+
+       if (unlikely(PageTransHuge(page)))
+               if (unlikely(split_huge_page(page))) {
+                       swapcache_free(entry, NULL);
                        return 0;
+               }
 
+       /*
+        * Radix-tree node allocations from PF_MEMALLOC contexts could
+        * completely exhaust the page allocator. __GFP_NOMEMALLOC
+        * stops emergency reserves from being allocated.
+        *
+        * TODO: this could cause a theoretical memory reclaim
+        * deadlock in the swap out path.
+        */
+       /*
+        * Add it to the swap cache and mark it dirty
+        */
+       err = add_to_swap_cache(page, entry,
+                       __GFP_HIGH|__GFP_NOMEMALLOC|__GFP_NOWARN);
+
+       if (!err) {     /* Success */
+               SetPageDirty(page);
+               return 1;
+       } else {        /* -ENOMEM radix-tree allocation failure */
                /*
-                * Radix-tree node allocations from PF_MEMALLOC contexts could
-                * completely exhaust the page allocator. __GFP_NOMEMALLOC
-                * stops emergency reserves from being allocated.
-                *
-                * TODO: this could cause a theoretical memory reclaim
-                * deadlock in the swap out path.
-                */
-               /*
-                * Add it to the swap cache and mark it dirty
+                * add_to_swap_cache() doesn't return -EEXIST, so we can safely
+                * clear SWAP_HAS_CACHE flag.
                 */
-               err = add_to_swap_cache(page, entry,
-                               gfp_mask|__GFP_NOMEMALLOC|__GFP_NOWARN);
-
-               switch (err) {
-               case 0:                         /* Success */
-                       SetPageDirty(page);
-                       return 1;
-               case -EEXIST:
-                       /* Raced with "speculative" read_swap_cache_async */
-                       swap_free(entry);
-                       continue;
-               default:
-                       /* -ENOMEM radix-tree allocation failure */
-                       swap_free(entry);
-                       return 0;
-               }
+               swapcache_free(entry, NULL);
+               return 0;
        }
 }
 
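Review bot: The huge-page check in `add_to_swap()` nests a braced `if` inside an unbraced one, which is easy to misread and would bind wrongly if an `else` were ever added. The two tests can be joined as `if (unlikely(PageTransHuge(page)) && unlikely(split_huge_page(page))) {`. The header comment also does not state the return contract, which matters because this hunk drops the `gfp_mask` parameter and callers outside the hunk have to be updated. A line such as `* Returns 1 if the page was added to the swap cache, 0 on any failure.` would cover it.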
@@ -184,11 +199,11 @@ void delete_from_swap_cache(struct page *page)
 
        entry.val = page_private(page);
 
-       write_lock_irq(&swapper_space.tree_lock);
+       spin_lock_irq(&swapper_space.tree_lock);
        __delete_from_swap_cache(page);
-       write_unlock_irq(&swapper_space.tree_lock);
+       spin_unlock_irq(&swapper_space.tree_lock);
 
-       swap_free(entry);
+       swapcache_free(entry, page);
        page_cache_release(page);
 }
 
@@ -196,14 +211,14 @@ void delete_from_swap_cache(struct page *page)
  * If we are the only user, then try to free up the swap cache. 
  * 
  * Its ok to check for PageSwapCache without the page lock
- * here because we are going to recheck again inside 
- * exclusive_swap_page() _with_ the lock. 
+ * here because we are going to recheck again inside
+ * try_to_free_swap() _with_ the lock.
  *                                     - Marcelo
  */
 static inline void free_swap_cache(struct page *page)
 {
-       if (PageSwapCache(page) && !TestSetPageLocked(page)) {
-               remove_exclusive_swap_page(page);
+       if (PageSwapCache(page) && !page_mapped(page) && trylock_page(page)) {
+               try_to_free_swap(page);
                unlock_page(page);
        }
 }
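Review bot: The comment above `free_swap_cache()` justifies only the unlocked `PageSwapCache()` test, but the new condition also reads `page_mapped(page)` before `trylock_page()` has succeeded. The body of `try_to_free_swap()` is not visible here, so it is unclear whether the mapped state is rechecked under the lock. The comment should at least record the intent, for example `* page_mapped() is tested without the lock as well and only serves to skip pages that are still mapped.`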
@@ -290,31 +305,46 @@ struct page *read_swap_cache_async(swp_entry_t entry, gfp_t gfp_mask,
                }
 
                /*
-                * Swap entry may have been freed since our caller observed it.
+                * call radix_tree_preload() while we can wait.
                 */
-               if (!swap_duplicate(entry))
+               err = radix_tree_preload(gfp_mask & GFP_KERNEL);
+               if (err)
                        break;
 
                /*
-                * Associate the page with swap entry in the swap cache.
-                * May fail (-EEXIST) if there is already a page associated
-                * with this entry in the swap cache: added by a racing
-                * read_swap_cache_async, or add_to_swap or shmem_writepage
-                * re-using the just freed swap entry for an existing page.
-                * May fail (-ENOMEM) if radix-tree node allocation failed.
+                * Swap entry may have been freed since our caller observed it.
                 */
-               SetPageLocked(new_page);
-               err = add_to_swap_cache(new_page, entry, gfp_mask & GFP_KERNEL);
-               if (!err) {
+               err = swapcache_prepare(entry);
+               if (err == -EEXIST) {   /* seems racy */
+                       radix_tree_preload_end();
+                       continue;
+               }
+               if (err) {              /* swp entry is obsolete ? */
+                       radix_tree_preload_end();
+                       break;
+               }
+
+               /* May fail (-ENOMEM) if radix-tree node allocation failed. */
+               __set_page_locked(new_page);
+               SetPageSwapBacked(new_page);
+               err = __add_to_swap_cache(new_page, entry);
+               if (likely(!err)) {
+                       radix_tree_preload_end();
                        /*
                         * Initiate read into locked page and return.
                         */
-                       lru_cache_add_active(new_page);
-                       swap_readpage(NULL, new_page);
+                       lru_cache_add_anon(new_page);
+                       swap_readpage(new_page);
                        return new_page;
                }
-               ClearPageLocked(new_page);
-               swap_free(entry);
+               radix_tree_preload_end();
+               ClearPageSwapBacked(new_page);
+               __clear_page_locked(new_page);
+               /*
+                * add_to_swap_cache() doesn't return -EEXIST, so we can safely
+                * clear SWAP_HAS_CACHE flag.
+                */
+               swapcache_free(entry, NULL);
        } while (err != -ENOMEM);
 
        if (new_page)
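Review bot: On the `err == -EEXIST` path after `swapcache_prepare()` the loop does `continue` without yielding the CPU, so if another context holds SWAP_HAS_CACHE for this entry but has not yet inserted its page, this task can spin through lookup, preload and prepare repeatedly. Presumably the lookup at the top of the loop (outside this hunk) ends the retry once the other side finishes, but on a non-preemptible kernel the holder may not get to run on this CPU. This path may already sleep in `radix_tree_preload()`, so adding `cond_resched();` before the `continue;` would bound the stall. The comment before the final `swapcache_free(entry, NULL)` also still names `add_to_swap_cache()` although the call is now `__add_to_swap_cache()`.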
@@ -325,6 +355,7 @@ struct page *read_swap_cache_async(swp_entry_t entry, gfp_t gfp_mask,
 /**
  * swapin_readahead - swap in pages in hope we need them soon
  * @entry: swap entry of this memory
+ * @gfp_mask: memory allocation flags
  * @vma: user vma this address belongs to
  * @addr: target address for mempolicy
  *