I'm trying to implement a fault handler to map memory allocated with
__get_free_pages() to userspace. In module init, I'm allocating 64k by
calling __get_free_pages(GFP_KERNEL, get_order(size)), where size = 64
<< 10.
I've also added an ioctl so that userspace can obtain the size and
virtual address of allocated block, to for example mmap() a smaller
portion of the allocated memory, like so:
void *p = mmap(0, size / 2, PROT_READ | PROT_WRITE, MAP_SHARED, fd, addr
+ size / 2);
Mmap is implemented as follows:
int my_mmap(struct file *filp, struct vm_area_struct *vma)
{
vma->vm_ops = &my_vm_ops;
return 0;
}
and the fault handler like this:
int my_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
{
vmf->page = virt_to_page(vmf->pgoff << PAGE_SHIFT);
get_page(vmf->page);
return 0;
}
This seems to work, mmap returns virtual address and memory can be read
& written without problems.
However, when I unload the module, there's an error due to bad page
state when calling free_pages() to free the memory:
BUG: Bad page state in process rmmod pfn:01648
page:c102c900 flags:40040000 count:0 mapcount:0 mapping:(null) index:0
(Not tainted)
Pid: 2412, comm: rmmod Not tainted 2.6.29.3-140.fc11.i586 #1
Call Trace:
[<c047c727>] bad_page+0xdf/0xf4
[<c047cdef>] free_pages_check+0xac/0xc9
[<c047ce3e>] __free_pages_ok+0x32/0x13b
[<c047d352>] __free_pages+0x23/0x25
[<c047d376>] free_pages+0x22/0x24
[<d081a124>] my_exit+0x78/0x7a [my_mod]
[<c044fc90>] sys_delete_module+0x17b/0x1cd
[<c046587f>] ? audit_syscall_entry+0x163/0x185
[<c0403f72>] syscall_call+0x7/0xb
So what's special about doing allocation by __get_free_pages()? If I use
vmalloc() & vfree() and call vmalloc_to_page() in fault handler instead
of virt_to_page(), it works just fine.
