2.4.18 + 2.4.20 bigmem iounmap bug

2.4.18 + 2.4.20 bigmem iounmap bug

[Rob Murphy]

[-- Attachment #1: Type: text/plain, Size: 2437 bytes --]

Hello all.

I have been having problems using ioremap and iounmap on systems with more
than 1Gb of memory.
My current machine has an athlon processor and 1.5Gb of memory.

I created a driver with the following code:

#define MAXHM 0x1000000 // 16 Mb
int init_module(void)
{
    void *kHighMem;

    printk(KERN_ERR"before ioremap\n");
    kHighMem = ioremap(__pa(high_memory), MAXHM);
    printk(KERN_ERR"ioremap ret: %x\n",kHighMem);
    iounmap(kHighMem);
    printk(KERN_ERR"iounmap passed\n");

    return 0;
}

void cleanup_module(void) {
    printk(KERN_ERR,"module successfully unloaded.\n");
}

I have compiled the code into a module named "test.o" and have added the
append="mem=1280" to lilo for both kernels.
Under 2.4.18:
If I run "insmod test.o" , I get a Segmentation fault (see attached messages
file).

Under 2.4.20:
 I can run "insmod test.o" and "rmmod test" without a problem.  But then it
seems if I run any program that accesses memory (a simple user mode program
that malloc's multiple buffers for example) I get a Kernel Panic and the
computer locks up.  The panic I get is:
Unable to handle kernel NULL pointer dereference at virtual address 00000004
 printing eip:
c012ca6e
*pde = 00000000
Oops: 0002
CPU:    0
EIP:    0010:[<c012ca6e>]    Not tainted
EFLAGS: 00010092
eax:   ebx:   ecx:    edx: esi:   edi:   ebp:    esp:  ds:  es:  ss: ...
Process init (pid: 521, stackpage=f6ed1000)
Stack: ...
Call Trace:    ...
Code: 89 50 04 89 02 c7 43 04 00 00 00 00 c7 03 00 00 00 00 d1 6c

I have not yet to tried to trace into the 2.4.20 lockup.

If append="mem=768" or less the problem doesn't happen, but ioremap is
unable to map the entire amount of remaining memory above the kernel and a
boundary is reached of kernel memory + ioremaped memory <= 1Gb (i.e. if
append="mem=384" ioremap can only map up to 640mb).

>From what I can guess, it looks like ioremap may be corrupting the page
tables when the highmem functionality is being used.  I noticed that my
PAGE_OFFSET is still at 0xc0000000 which according to <include/page.h> means
that I will always have only 950MB of virtual address space.  I would have
thought that setting CONFIG_HIGHMEM4G=y would have changed the PAGE_OFFSET
value.
Has anyone experienced similar problems?  Does anyone know a different way
of allocating large contiguous amounts of DMA capable memory other than
using ioremap or vmalloc?

Any help would be appreciated.
Robert Murphy



[-- Attachment #2: messages --]
[-- Type: application/octet-stream, Size: 1411 bytes --]

before ioremap
ioremap ret: f894a000
------------[ cut here ]------------
kernel BUG at page_alloc.c:145!
invalid operand: 0000
test fbusmod autofs ne2k-pci 8390 iptable_filter ip_tables ext3 jbd  
CPU:    0
EIP:    0010:[<c0136ba9>]    Tainted: GF
EFLAGS: 00010286

EIP is at __free_pages_ok [kernel] 0xb9 (2.4.18-14)
eax: 00000000   ebx: c1c5c110   ecx: c1000030   edx: f7985a00
esi: 00000000   edi: 00000000   ebp: f9000000   esp: f64ade64
ds: 0018   es: 0018   ss: 0018
Process insmod.old (pid: 766, stackpage=f64ad000)
Stack: 00000000 00000000 c00b99a0 c03037e0 00000016 c037e069 f64adf18 c011ad0f 
       c03037e0 c037e07f 0014f000 f65f753c 00400000 f9000000 c0133a32 00001cdf 
       00001cdf 00000282 33000007 00400000 c0101f94 00400000 c0133453 c0101f90 
Call Trace:
[<c011ad0f>] __call_console_drivers [kernel] 0x5f (0xf64ade80))
[<c0133a32>] free_area_pte [kernel] 0xf2 (0xf64ade9c))
[<c0133453>] vmfree_area_pages [kernel] 0x83 (0xf64adebc))
[<c011b041>] printk [kernel] 0x111 (0xf64adecc))
[<c01335d8>] vfree [kernel] 0x88 (0xf64adee8))
[<f893a0a2>] init_module [test] 0x42 (0xf64adefc))
[<c011bee9>] sys_init_module [kernel] 0x4d9 (0xf64adf1c))
[<f893a060>] init_module [test] 0x0 (0xf64adf20))
[<f893a060>] init_module [test] 0x0 (0xf64adf58))
[<c01090ff>] system_call [kernel] 0x33 (0xf64adfc0))

Code: 0f 0b 91 00 47 5d 25 c0 c6 43 24 05 8b 43 18 89 f9 89 de 83