On Tue 02-07-19 14:13:25, Alastair D'Silva wrote: > On Mon, 2019-07-01 at 12:46 +0200, Michal Hocko wrote: > > On Fri 28-06-19 10:46:28, Alastair D'Silva wrote: > > [...] > > > Given that there is already a VM_BUG_ON in the code, how do you > > > feel > > > about broadening the scope from 'VM_BUG_ON(!root)' to > > > 'VM_BUG_ON(!root > > > > > (root_nr == NR_SECTION_ROOTS))'? > > > > As far as I understand the existing VM_BUG_ON will hit when the > > mem_section tree gets corrupted. This is a different situation to an > > incorrect section given so I wouldn't really mix those two. And I > > still > > do not see much point to protect from unexpected input parameter as > > this > > is internal function as already pointed out. > > > > Hi Michael, > > I was able to hit this problem as the system firmware had assigned the > prototype pmem device an address range above the 128TB limit that we > originally supported. This has since been lifted to 2PB with patch > 4ffe713b7587b14695c9bec26a000fc88ef54895. > > As it stands, we cannot move this range lower as the high bits are > dictated by the location the card is connected. > > Since the physical address of the memory is not controlled by the > kernel, I believe we should catch (or at least make it easy to debug) > the sitution where external firmware allocates physical addresses > beyond that which the kernel supports. Just make it clear, I am not against a sanitization. I am objecting to put it into __section_nr because this is way too late. As already explained, you already must have a bogus mem_section object in hand. Why cannot you add a sanity check right there when the memory is added? Either when the section is registered or even sooner in arch_add_memory. -- Michal Hocko SUSE Labs