media: video: tegra: sh532u: fix out-of-bounds read
[linux-2.6.git] / mm / swap_state.c
index b076a1a..4668046 100644 (file)
@@ -8,6 +8,7 @@
  */
 #include <linux/module.h>
 #include <linux/mm.h>
+#include <linux/gfp.h>
 #include <linux/kernel_stat.h>
 #include <linux/swap.h>
 #include <linux/swapops.h>
 
 /*
  * swapper_space is a fiction, retained to simplify the path through
- * vmscan's shrink_page_list, to make sync_page look nicer, and to allow
- * future use of radix_tree tags in the swap cache.
+ * vmscan's shrink_page_list.
  */
 static const struct address_space_operations swap_aops = {
        .writepage      = swap_writepage,
-       .sync_page      = block_sync_page,
        .set_page_dirty = __set_page_dirty_nobuffers,
        .migratepage    = migrate_page,
 };
@@ -36,7 +35,6 @@ static const struct address_space_operations swap_aops = {
 static struct backing_dev_info swap_backing_dev_info = {
        .name           = "swap",
        .capabilities   = BDI_CAP_NO_ACCT_AND_WRITEBACK | BDI_CAP_SWAP_BACKED,
-       .unplug_io_fn   = swap_unplug_io_fn,
 };
 
 struct address_space swapper_space = {
@@ -92,6 +90,12 @@ static int __add_to_swap_cache(struct page *page, swp_entry_t entry)
        spin_unlock_irq(&swapper_space.tree_lock);
 
        if (unlikely(error)) {
+               /*
+                * Only the context which have set SWAP_HAS_CACHE flag
+                * would call add_to_swap_cache().
+                * So add_to_swap_cache() doesn't returns -EEXIST.
+                */
+               VM_BUG_ON(error == -EEXIST);
                set_page_private(page, 0UL);
                ClearPageSwapCache(page);
                page_cache_release(page);
@@ -146,38 +150,40 @@ int add_to_swap(struct page *page)
        VM_BUG_ON(!PageLocked(page));
        VM_BUG_ON(!PageUptodate(page));
 
-       for (;;) {
-               entry = get_swap_page();
-               if (!entry.val)
-                       return 0;
+       entry = get_swap_page();
+       if (!entry.val)
+               return 0;
 
-               /*
-                * Radix-tree node allocations from PF_MEMALLOC contexts could
-                * completely exhaust the page allocator. __GFP_NOMEMALLOC
-                * stops emergency reserves from being allocated.
-                *
-                * TODO: this could cause a theoretical memory reclaim
-                * deadlock in the swap out path.
-                */
-               /*
-                * Add it to the swap cache and mark it dirty
-                */
-               err = add_to_swap_cache(page, entry,
-                               __GFP_HIGH|__GFP_NOMEMALLOC|__GFP_NOWARN);
-
-               switch (err) {
-               case 0:                         /* Success */
-                       SetPageDirty(page);
-                       return 1;
-               case -EEXIST:
-                       /* Raced with "speculative" read_swap_cache_async */
-                       swapcache_free(entry, NULL);
-                       continue;
-               default:
-                       /* -ENOMEM radix-tree allocation failure */
+       if (unlikely(PageTransHuge(page)))
+               if (unlikely(split_huge_page(page))) {
                        swapcache_free(entry, NULL);
                        return 0;
                }
+
+       /*
+        * Radix-tree node allocations from PF_MEMALLOC contexts could
+        * completely exhaust the page allocator. __GFP_NOMEMALLOC
+        * stops emergency reserves from being allocated.
+        *
+        * TODO: this could cause a theoretical memory reclaim
+        * deadlock in the swap out path.
+        */
+       /*
+        * Add it to the swap cache and mark it dirty
+        */
+       err = add_to_swap_cache(page, entry,
+                       __GFP_HIGH|__GFP_NOMEMALLOC|__GFP_NOWARN);
+
+       if (!err) {     /* Success */
+               SetPageDirty(page);
+               return 1;
+       } else {        /* -ENOMEM radix-tree allocation failure */
+               /*
+                * add_to_swap_cache() doesn't return -EEXIST, so we can safely
+                * clear SWAP_HAS_CACHE flag.
+                */
+               swapcache_free(entry, NULL);
+               return 0;
        }
 }
 
@@ -318,14 +324,7 @@ struct page *read_swap_cache_async(swp_entry_t entry, gfp_t gfp_mask,
                        break;
                }
 
-               /*
-                * Associate the page with swap entry in the swap cache.
-                * May fail (-EEXIST) if there is already a page associated
-                * with this entry in the swap cache: added by a racing
-                * read_swap_cache_async, or add_to_swap or shmem_writepage
-                * re-using the just freed swap entry for an existing page.
-                * May fail (-ENOMEM) if radix-tree node allocation failed.
-                */
+               /* May fail (-ENOMEM) if radix-tree node allocation failed. */
                __set_page_locked(new_page);
                SetPageSwapBacked(new_page);
                err = __add_to_swap_cache(new_page, entry);
@@ -341,6 +340,10 @@ struct page *read_swap_cache_async(swp_entry_t entry, gfp_t gfp_mask,
                radix_tree_preload_end();
                ClearPageSwapBacked(new_page);
                __clear_page_locked(new_page);
+               /*
+                * add_to_swap_cache() doesn't return -EEXIST, so we can safely
+                * clear SWAP_HAS_CACHE flag.
+                */
                swapcache_free(entry, NULL);
        } while (err != -ENOMEM);