From: Jack Steiner <steiner@sgi.com>
To: linux-ia64@vger.kernel.org
Subject: [PATCH] - deleting huge pages
Date: Sun, 02 May 2004 12:30:28 +0000 [thread overview]
Message-ID: <20040502123028.GA13812@sgi.com> (raw)
I found this problem in 2.4,21, but AFAICT, the same problem
exists in 2.6.5.
If you attempt to allocate a LOT more huge pages than are physically available,
the kernel may reference invalid PGDs or PMDs.
Here is the 2.4 backtrace of a failure. If the mmap fails, do_mmap_pgoff attempts to
unmap the vma range it was mapping. Depending on where it failed during
the mmap, some of the higher level PGD/PMDs may not have been assigned.
The bug (at least in 2.4) exists on all platforms but on our platform
attempts to dereference NULL pointers usually cause MCAs. (If a platform
has zeros in page 0, you may be lucky & the code would appear to work,
but it is still a bug).
Stack traceback for pid 6817
0xe00025307ba50000 6817 6663 0 148 D 0xe00025307ba50420 toy
0xe00000000445e180 unmap_hugepage_range+0x160 << mca surfaced here
0xe00000000445e300 zap_hugepage_range+0x80
0xe00000000452dbc0 do_mmap_pgoff+0xea0
0xe000000004432910 sys_mmap+0x210
0xe00000000440e2a0 ia64_ret_from_syscall
The MCA was caused by the NULL pmd dereference in huge_pte_offset. The
MCA doesnt surface until the bad data is consumed.
A patch against 2.6.5:
Index: linux/arch/ia64/mm/hugetlbpage.c
=================================--- linux.orig/arch/ia64/mm/hugetlbpage.c 2004-05-01 20:51:52.000000000 -0500
+++ linux/arch/ia64/mm/hugetlbpage.c 2004-05-01 20:51:54.000000000 -0500
@@ -111,9 +111,16 @@
pte_t *pte = NULL;
pgd = pgd_offset(mm, taddr);
+ if (pgd_none(*pgd) || pgd_bad(*pgd))
+ goto out;
pmd = pmd_offset(pgd, taddr);
+ if (pmd_none(*pmd) || pmd_bad(*pmd))
+ goto out;
pte = pte_offset_map(pmd, taddr);
return pte;
+
+out:
+ return 0;
}
#define mk_pte_huge(entry) { pte_val(entry) |= _PAGE_P; }
@@ -331,7 +338,7 @@
for (address = start; address < end; address += HPAGE_SIZE) {
pte = huge_pte_offset(mm, address);
- if (pte_none(*pte))
+ if (!pte || pte_none(*pte))
continue;
page = pte_page(*pte);
huge_page_release(page);
--
Thanks
Jack Steiner (steiner@sgi.com) 651-683-5302
Principal Engineer SGI - Silicon Graphics, Inc.
next reply other threads:[~2004-05-02 12:30 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-05-02 12:30 Jack Steiner [this message]
2004-05-02 18:33 ` [PATCH] - deleting huge pages Chen, Kenneth W
2004-05-03 14:53 ` Jack Steiner
2004-05-03 17:12 ` Chen, Kenneth W
2004-05-03 19:47 ` Jack Steiner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040502123028.GA13812@sgi.com \
--to=steiner@sgi.com \
--cc=linux-ia64@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.