On 09/13/2011 12:37 PM, Dan Magenheimer wrote:
> Hi Greg --
>
> Please revert the following commit, hopefully before 3.1 is released.
> Although it fixes a crash in 32-bit systems with high memory,
> the fix apparently *causes* crashes on 64-bit systems. Not sure why
> my testing didn't catch it before but it has now been observed in
> the wild in 3.1-rc4 and I can reproduce it now fairly easily.
> 3.1-rc3 works fine, 3.1-rc4 fails, and 3.1-rc3 plus only this
> commit fails. Let's revert it before 3.1 and Seth and Nitin and I
> will sort out a better fix later.
>
I found it:
------------[ cut here ]------------
[ 203.889026] kernel BUG at arch/x86/mm/physaddr.c:20!
[ 203.889026] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC
[ 203.889026] CPU 0
[ 203.889026] Modules linked in:
[ 203.889026]
[ 203.889026] Pid: 1170, comm: cat Not tainted 3.1.0-rc3+ #25 Bochs Bochs
[ 203.889026] RIP: 0010:[<ffffffff810686bf>] [<ffffffff810686bf>] __phys_addr+0x5f/0x70
[ 203.889026] RSP: 0018:ffff8800091ab7e8 EFLAGS: 00010002
[ 203.889026] RAX: 0000620000237680 RBX: ffff880008c4b078 RCX: 0000000000000028
[ 203.889026] RDX: 0000000000000062 RSI: ffff8800091ab900 RDI: ffffea0000237680
[ 203.889026] RBP: ffff8800091ab7e8 R08: ffff880009680000 R09: ffff8800091ab8e8
[ 203.889026] R10: 0000000000000000 R11: 0000000000000001 R12: ffff880009680000
[ 203.889026] R13: 0000000000001397 R14: ffff880008c4b078 R15: 0000000000000001
[ 203.889026] FS: 00007f3ae749e700(0000) GS:ffff88000fc00000(0000) knlGS:0000000000000000
[ 203.889026] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 203.889026] CR2: 00007fe7bc3e8cd1 CR3: 00000000091fb000 CR4: 00000000000006f0
[ 203.889026] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 203.889026] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 203.889026] Process cat (pid: 1170, threadinfo ffff8800091aa000, task ffff880009582040)
[ 203.889026] Stack:
[ 203.889026] ffff8800091ab838 ffffffff81352d2f 0000000000000001 0000000000000001
[ 203.889026] ffff8800091ab838 ffff8800091ab8e8 ffff880009680000 0000000000001397
[ 203.889026] ffff880008c4b078 0000000000000001 ffff8800091ab8c8 ffffffff81353ab2
[ 203.889026] Call Trace:
[ 203.889026] [<ffffffff81352d2f>] zcache_pampd_get_data_and_free+0x2f/0x150
[ 203.889026] [<ffffffff81353ab2>] tmem_get+0x152/0x210
[ 203.889026] [<ffffffff81352044>] zcache_cleancache_get_page+0xa4/0xc0
...
Missed a virt_to_page() in zcache_pampd_get_data_and_free(). I only exercised frontswap
and this path is only called with cleancache. I'll remember this.
Standby for patch...
> Reported-by: Francis Moreau <francis.moro@xxxxxxxxx>
> Reproduced-by: Dan Magenheimer <dan.magenheimer@xxxxxxxxxx>
>
> Thanks,
> Dan
>
> commit c5f5c4db393837ebb2ae47bf061d70e498f48f8c
> Author: Seth Jennings <sjenning@xxxxxxxxxxxxxxxxxx>
> Date: Wed Aug 10 12:56:49 2011 -0500
>
> staging: zcache: fix crash on high memory swap
>
> zcache_put_page() was modified to pass page_address(page) instead of the
> actual page structure. In combination with the function signature changes
> to tmem_put() and zcache_pampd_create(), zcache_pampd_create() tries to
> (re)derive the page structure from the virtual address. However, if the
> original page is a high memory page (or any unmapped page), this
> virt_to_page() fails because the page_address() in zcache_put_page()
> returned NULL.
>
> This patch changes zcache_put_page() and zcache_get_page() to pass
> the page structure instead of the page's virtual address, which
> may or may not exist.
>
> Signed-off-by: Seth Jennings <sjenning@xxxxxxxxxxxxxxxxxx>
> Acked-by: Dan Magenheimer <dan.magenheimer@xxxxxxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>
>
> diff --git a/drivers/staging/zcache/zcache-main.c b/drivers/staging/zcache/zcache-main.c
> index 855a5bb..a3f5162 100644
> --- a/drivers/staging/zcache/zcache-main.c
> +++ b/drivers/staging/zcache/zcache-main.c
> @@ -1158,7 +1158,7 @@ static void *zcache_pampd_create(char *data, size_t size, bool raw, int eph,
> size_t clen;
> int ret;
> unsigned long count;
> - struct page *page = virt_to_page(data);
> + struct page *page = (struct page *)(data);
> struct zcache_client *cli = pool->client;
> uint16_t client_id = get_client_id_from_client(cli);
> unsigned long zv_mean_zsize;
> @@ -1227,7 +1227,7 @@ static int zcache_pampd_get_data(char *data, size_t *bufsize, bool raw,
> int ret = 0;
>
> BUG_ON(is_ephemeral(pool));
> - zv_decompress(virt_to_page(data), pampd);
> + zv_decompress((struct page *)(data), pampd);
> return ret;
> }
>
> @@ -1539,7 +1539,7 @@ static int zcache_put_page(int cli_id, int pool_id, struct tmem_oid *oidp,
> goto out;
> if (!zcache_freeze && zcache_do_preload(pool) == 0) {
> /* preload does preempt_disable on success */
> - ret = tmem_put(pool, oidp, index, page_address(page),
> + ret = tmem_put(pool, oidp, index, (char *)(page),
> PAGE_SIZE, 0, is_ephemeral(pool));
> if (ret < 0) {
> if (is_ephemeral(pool))
> @@ -1572,7 +1572,7 @@ static int zcache_get_page(int cli_id, int pool_id, struct tmem_oid *oidp,
> pool = zcache_get_pool_by_id(cli_id, pool_id);
> if (likely(pool != NULL)) {
> if (atomic_read(&pool->obj_count) > 0)
> - ret = tmem_get(pool, oidp, index, page_address(page),
> + ret = tmem_get(pool, oidp, index, (char *)(page),
> &size, 0, is_ephemeral(pool));
> zcache_put_pool(pool);
> }
>
> --
> To unsubscribe, send a message with 'unsubscribe linux-mm' in
> the body to majordomo@xxxxxxxxx. For more info on Linux MM,
> see: http://www.linux-mm.org/ .
> Fight unfair telecom internet charges in Canada: sign http://stopthemeter.ca/
> Don't email: <a href=ilto:"dont@xxxxxxxxx"> email@xxxxxxxxx </a>
>
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Fight unfair telecom internet charges in Canada: sign http://stopthemeter.ca/
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>