On 09/13/2011 12:37 PM, Dan Magenheimer wrote: > Hi Greg -- > > Please revert the following commit, hopefully before 3.1 is released. > Although it fixes a crash in 32-bit systems with high memory, > the fix apparently *causes* crashes on 64-bit systems. Not sure why > my testing didn't catch it before but it has now been observed in > the wild in 3.1-rc4 and I can reproduce it now fairly easily. > 3.1-rc3 works fine, 3.1-rc4 fails, and 3.1-rc3 plus only this > commit fails. Let's revert it before 3.1 and Seth and Nitin and I > will sort out a better fix later. >
I found it: ------------[ cut here ]------------ [ 203.889026] kernel BUG at arch/x86/mm/physaddr.c:20! [ 203.889026] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC [ 203.889026] CPU 0 [ 203.889026] Modules linked in: [ 203.889026] [ 203.889026] Pid: 1170, comm: cat Not tainted 3.1.0-rc3+ #25 Bochs Bochs [ 203.889026] RIP: 0010:[<ffffffff810686bf>] [<ffffffff810686bf>] __phys_addr+0x5f/0x70 [ 203.889026] RSP: 0018:ffff8800091ab7e8 EFLAGS: 00010002 [ 203.889026] RAX: 0000620000237680 RBX: ffff880008c4b078 RCX: 0000000000000028 [ 203.889026] RDX: 0000000000000062 RSI: ffff8800091ab900 RDI: ffffea0000237680 [ 203.889026] RBP: ffff8800091ab7e8 R08: ffff880009680000 R09: ffff8800091ab8e8 [ 203.889026] R10: 0000000000000000 R11: 0000000000000001 R12: ffff880009680000 [ 203.889026] R13: 0000000000001397 R14: ffff880008c4b078 R15: 0000000000000001 [ 203.889026] FS: 00007f3ae749e700(0000) GS:ffff88000fc00000(0000) knlGS:0000000000000000 [ 203.889026] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 203.889026] CR2: 00007fe7bc3e8cd1 CR3: 00000000091fb000 CR4: 00000000000006f0 [ 203.889026] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 203.889026] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [ 203.889026] Process cat (pid: 1170, threadinfo ffff8800091aa000, task ffff880009582040) [ 203.889026] Stack: [ 203.889026] ffff8800091ab838 ffffffff81352d2f 0000000000000001 0000000000000001 [ 203.889026] ffff8800091ab838 ffff8800091ab8e8 ffff880009680000 0000000000001397 [ 203.889026] ffff880008c4b078 0000000000000001 ffff8800091ab8c8 ffffffff81353ab2 [ 203.889026] Call Trace: [ 203.889026] [<ffffffff81352d2f>] zcache_pampd_get_data_and_free+0x2f/0x150 [ 203.889026] [<ffffffff81353ab2>] tmem_get+0x152/0x210 [ 203.889026] [<ffffffff81352044>] zcache_cleancache_get_page+0xa4/0xc0 ... Missed a virt_to_page() in zcache_pampd_get_data_and_free(). I only exercised frontswap and this path is only called with cleancache. I'll remember this. Standby for patch... > Reported-by: Francis Moreau <[email protected]> > Reproduced-by: Dan Magenheimer <[email protected]> > > Thanks, > Dan > > commit c5f5c4db393837ebb2ae47bf061d70e498f48f8c > Author: Seth Jennings <[email protected]> > Date: Wed Aug 10 12:56:49 2011 -0500 > > staging: zcache: fix crash on high memory swap > > zcache_put_page() was modified to pass page_address(page) instead of the > actual page structure. In combination with the function signature changes > to tmem_put() and zcache_pampd_create(), zcache_pampd_create() tries to > (re)derive the page structure from the virtual address. However, if the > original page is a high memory page (or any unmapped page), this > virt_to_page() fails because the page_address() in zcache_put_page() > returned NULL. > > This patch changes zcache_put_page() and zcache_get_page() to pass > the page structure instead of the page's virtual address, which > may or may not exist. > > Signed-off-by: Seth Jennings <[email protected]> > Acked-by: Dan Magenheimer <[email protected]> > Signed-off-by: Greg Kroah-Hartman <[email protected]> > > diff --git a/drivers/staging/zcache/zcache-main.c > b/drivers/staging/zcache/zcache-main.c > index 855a5bb..a3f5162 100644 > --- a/drivers/staging/zcache/zcache-main.c > +++ b/drivers/staging/zcache/zcache-main.c > @@ -1158,7 +1158,7 @@ static void *zcache_pampd_create(char *data, size_t > size, bool raw, int eph, > size_t clen; > int ret; > unsigned long count; > - struct page *page = virt_to_page(data); > + struct page *page = (struct page *)(data); > struct zcache_client *cli = pool->client; > uint16_t client_id = get_client_id_from_client(cli); > unsigned long zv_mean_zsize; > @@ -1227,7 +1227,7 @@ static int zcache_pampd_get_data(char *data, size_t > *bufsize, bool raw, > int ret = 0; > > BUG_ON(is_ephemeral(pool)); > - zv_decompress(virt_to_page(data), pampd); > + zv_decompress((struct page *)(data), pampd); > return ret; > } > > @@ -1539,7 +1539,7 @@ static int zcache_put_page(int cli_id, int pool_id, > struct tmem_oid *oidp, > goto out; > if (!zcache_freeze && zcache_do_preload(pool) == 0) { > /* preload does preempt_disable on success */ > - ret = tmem_put(pool, oidp, index, page_address(page), > + ret = tmem_put(pool, oidp, index, (char *)(page), > PAGE_SIZE, 0, is_ephemeral(pool)); > if (ret < 0) { > if (is_ephemeral(pool)) > @@ -1572,7 +1572,7 @@ static int zcache_get_page(int cli_id, int pool_id, > struct tmem_oid *oidp, > pool = zcache_get_pool_by_id(cli_id, pool_id); > if (likely(pool != NULL)) { > if (atomic_read(&pool->obj_count) > 0) > - ret = tmem_get(pool, oidp, index, page_address(page), > + ret = tmem_get(pool, oidp, index, (char *)(page), > &size, 0, is_ephemeral(pool)); > zcache_put_pool(pool); > } > > -- > To unsubscribe, send a message with 'unsubscribe linux-mm' in > the body to [email protected]. For more info on Linux MM, > see: http://www.linux-mm.org/ . > Fight unfair telecom internet charges in Canada: sign http://stopthemeter.ca/ > Don't email: <a href=ilto:"[email protected]"> [email protected] </a> > _______________________________________________ devel mailing list [email protected] http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
