From: Christoph Lameter The problem is that in some circumstances a page may be freed that is mlocked (if one is marking a page as mlocked early). The page allocator will not touch the PG_mlocked bit and thus a newly allocated page may have PG_mlocked set. If we then try to put it on the lru then the VM_BUG_ONs are triggered. The following patch detects these conditions in the page allocator and does the proper checks and cleanup. Signed-off-by: Christoph Lameter Signed-off-by: Andrew Morton
---
 include/linux/page-flags.h | 1 + mm/page_alloc.c | 7 +++++++ 2 files changed, 8 insertions(+)
diff -puN include/linux/page-flags.h~add-pagemlocked-page-state-bit-and-lru-infrastructure-fix include/linux/page-flags.h
--- a/include/linux/page-flags.h~add-pagemlocked-page-state-bit-and-lru-infrastructure-fix
+++ a/include/linux/page-flags.h
@@ -261,6 +261,7 @@ static inline void SetPageUptodate(struc
 #define PageMlocked(page) test_bit(PG_mlocked, &(page)->flags)
 #define SetPageMlocked(page) set_bit(PG_mlocked, &(page)->flags)
 #define ClearPageMlocked(page) clear_bit(PG_mlocked, &(page)->flags)
+#define __ClearPageMlocked(page) __clear_bit(PG_mlocked, &(page)->flags)
 struct page; /* forward declaration */
diff -puN mm/page_alloc.c~add-pagemlocked-page-state-bit-and-lru-infrastructure-fix mm/page_alloc.c
--- a/mm/page_alloc.c~add-pagemlocked-page-state-bit-and-lru-infrastructure-fix
+++ a/mm/page_alloc.c
@@ -203,6 +203,7 @@ static void bad_page(struct page *page)
 1 << PG_slab |
 1 << PG_swapcache |
 1 << PG_writeback |
+ 1 << PG_mlocked |
 1 << PG_buddy );
 set_page_count(page, 0);
 reset_page_mapcount(page);
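Review bot: In the bad_page() hunk, the added `1 << PG_mlocked |` sits in what appears to be the mask of flags bad_page() clears (the statement starts above the hunk), so a page that reaches bad_page() while mlocked loses the bit with no NR_MLOCK adjustment. The free_pages_check() hunk of this same patch shows `bad_page(page);` running before the new `if (PageMlocked(page))` test, so for a page that is both reported bad and still mlocked the `dec_zone_page_state(page, NR_MLOCK);` would be skipped and the counter left elevated. Moving the PageMlocked block in free_pages_check() ahead of the bad-page test would keep the accounting paired with the flag. The prep_new_page() hunk also routes PG_mlocked pages into bad_page(), where the counter state is unknown, so that path is worth a comment as well. Both function bodies extend outside the hunks shown, so this needs confirming against the full functions.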
@@ -442,6 +443,11 @@ static inline int free_pages_check(struc
 bad_page(page);
 if (PageDirty(page))
 __ClearPageDirty(page);
+ if (PageMlocked(page)) {
+ /* Page is unused so no need to take the lru lock */
+ __ClearPageMlocked(page);
+ dec_zone_page_state(page, NR_MLOCK);
+ }
 /*
 * For now, we report if PG_reserved was found set, but do not
 * clear it, and do not free the page. But we shall soon need
@@ -588,6 +594,7 @@ static int prep_new_page(struct page *pa
 1 << PG_swapcache |
 1 << PG_writeback |
 1 << PG_reserved |
+ 1 << PG_mlocked |
 1 << PG_buddy ))))
 bad_page(page);
_
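Review bot: In the free_pages_check() hunk, the added comment `/* Page is unused so no need to take the lru lock */` explains the locking but not the two assumptions the block depends on. `__ClearPageMlocked()` expands to the non-atomic `__clear_bit`, which is only safe while nothing else can modify `page->flags`, and `dec_zone_page_state(page, NR_MLOCK)` assumes that whoever set PG_mlocked also incremented the counter. If that matches the intent, I would extend the comment to something like `/* Freed while still mlocked: no other user of the page, so the non-atomic clear is safe; undo the NR_MLOCK increment made when the bit was set */`. The function body starts and ends outside the hunk.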