From: Johannes Weiner <hannes@saeurebad.de>
To: Mikulas Patocka <mpatocka@redhat.com>
Cc: David Miller <davem@davemloft.net>,
	sparclinux@vger.kernel.org, linux-kernel@vger.kernel.org,
	akpm@linux-foundation.org, torvalds@linux-foundation.org
Subject: Re: Bootmem allocator broken
Date: Thu, 14 Aug 2008 23:40:38 +0000	[thread overview]
Message-ID: <8763q3xj0p.fsf@skyscraper.fehenstaub.lan> (raw)
In-Reply-To: <Pine.LNX.4.64.0808141855500.15262@hs20-bc2-1.build.redhat.com> (Mikulas Patocka's message of "Thu, 14 Aug 2008 19:11:19 -0400 (EDT)")

Hi Mikulas,

Mikulas Patocka <mpatocka@redhat.com> writes:

> Examining the problem further, it turned out that Johannes Weiner 
> committed new bootmem allocator to 2.6.27-rc1 and the allocator is broken.
>
> This is the minimal sequence that jams the allocator:
>
> void *p, *q, *r;
> p = alloc_bootmem(PAGE_SIZE);
> q = alloc_bootmem(64);
> free_bootmem(p, PAGE_SIZE);
> p = alloc_bootmem(PAGE_SIZE);
> r = alloc_bootmem(64);
>
> --- after this sequence (assuming that the allocator was empty or 
> page-aligned before), pointer "q" will be equal to pointer "r".
>
> What's happening inside the allocator:
> p = alloc_bootmem(PAGE_SIZE);
> in allocator: last_end_off == PAGE_SIZE, bitmap contains bits 10000...
> q = alloc_bootmem(64);
> in allocator: last_end_off == PAGE_SIZE + 64, bitmap contains 11000...
> free_bootmem(p, PAGE_SIZE);
> in allocator: last_end_off == PAGE_SIZE + 64, bitmap contains 01000...
> p = alloc_bootmem(PAGE_SIZE);
> in allocator: last_end_off == PAGE_SIZE, bitmap contains 11000...
> r = alloc_bootmem(64);
> and now:
> it finds bit "2", as a place where to allocate (sidx)
> it hits the condition
> if (bdata->last_end_off && PFN_DOWN(bdata->last_end_off) + 1 == sidx))
> start_off = ALIGN(bdata->last_end_off, align);
> --- you can see that the condition is true, so it assigns start_off = 
> ALIGN(bdata->last_end_off, align); --- that is PAGE_SIZE --- and allocates 
> over already allocated block.
>
> This patch fixes it (kernels 2.6.27-rc2 and 2.6.27-rc3 boot ok after the 
> patch). Johannes, please review the patch and submit it to Linus.
>
> With the patch it tries to continue at the end of previous allocation only 
> if the previous allocation ended in the middle of the page.

Yes, taking last_end_off into account when it's page-aligned is bogus as
the whole merging thing is about partial pages.

Cool spot and nice fix!

> Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>

Acked-by: Johannes Weiner <hannes@saeurebad.de>

	Hannes

> ---
>  mm/bootmem.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> Index: linux-2.6.27-rc2-orig/mm/bootmem.c
> ===================================================================
> --- linux-2.6.27-rc2-orig.orig/mm/bootmem.c	2008-08-15 00:10:38.000000000 +0200
> +++ linux-2.6.27-rc2-orig/mm/bootmem.c	2008-08-15 00:10:53.000000000 +0200
> @@ -473,7 +473,7 @@ find_block:
>  				goto find_block;
>  			}
>  
> -		if (bdata->last_end_off &&
> +		if (bdata->last_end_off & (PAGE_SIZE - 1) &&
>  				PFN_DOWN(bdata->last_end_off) + 1 == sidx)
>  			start_off = ALIGN(bdata->last_end_off, align);
>  		else
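Review bot: the new `if` line of this hunk mixes bitwise `&` and logical `&&` without parentheses; `&` does bind tighter than `&&`, so `bdata->last_end_off & (PAGE_SIZE - 1) && PFN_DOWN(bdata->last_end_off) + 1 == sidx` parses as intended, but the test is easier to review as `if ((bdata->last_end_off & (PAGE_SIZE - 1)) && PFN_DOWN(bdata->last_end_off) + 1 == sidx)`, and it deserves a one-line comment above it stating that the merge only applies when the previous allocation ended mid-page, which is the invariant the changelog gives and the only reason a page-aligned last_end_off is now ignored. Without that comment the next reader has to rediscover why a non-zero last_end_off is not enough.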

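The five-call sequence Mikulas traces above, replayed in a small model of the merge logic. This is an added example written for this page, not code from the original message or from mm/bootmem.c: it keeps the names from the quoted code (last_end_off, sidx, start_off, PFN_DOWN, ALIGN) but simplifies everything else to a single arena, a byte-per-page map, first-fit from page 0 and no goal/limit handling, and it assumes an allocation alignment of 64 (TOY_ALIGN) in place of alloc_bootmem()'s SMP_CACHE_BYTES. Flipping `patched` changes only the test the patch touches, so the same calls show q aliasing r under the -rc1 condition and r landing on a fresh page under the patched one, while a pair of 64-byte allocations still packs into one page in both versions, which is the case the merge exists for.

```c
/* Toy model of the 2.6.27-rc1 bootmem partial-page merge, added for this page
 * (not mm/bootmem.c). Byte offsets stand in for the pointers alloc_bootmem() returns. */
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT  12
#define PAGE_SIZE   (1UL << PAGE_SHIFT)
#define NPAGES      16UL
#define TOY_ALIGN   64UL /* stand-in for alloc_bootmem()'s SMP_CACHE_BYTES (assumed) */
#define PFN_DOWN(x) ((x) >> PAGE_SHIFT)
#define PFN_UP(x)   (((x) + PAGE_SIZE - 1) >> PAGE_SHIFT)
#define PFN_PHYS(x) ((x) << PAGE_SHIFT)
#define ALIGN(x, a) (((x) + (a) - 1) & ~((a) - 1))

struct toy_bdata {
	unsigned long last_end_off; /* where the last allocation ended, 0 = none yet */
	unsigned char map[NPAGES];  /* 1 = page reserved */
	int patched;                /* 0 = test as in -rc1, 1 = test from the patch */
};

static int pages_free(const struct toy_bdata *b, unsigned long s, unsigned long e)
{
	while (s < e)
		if (b->map[s++])
			return 0;
	return 1;
}

static unsigned long toy_alloc(struct toy_bdata *b, unsigned long size, unsigned long align)
{
	unsigned long sidx, start_off, end_off, i;
	int may_merge, merge;
	for (sidx = 0; sidx + PFN_UP(size) <= NPAGES; sidx++) {
		if (!pages_free(b, sidx, sidx + PFN_UP(size)))
			continue;
		/* The only test that differs between the two versions. */
		may_merge = b->patched ? (b->last_end_off & (PAGE_SIZE - 1)) != 0
				       : b->last_end_off != 0;
		if (may_merge && PFN_DOWN(b->last_end_off) + 1 == sidx)
			start_off = ALIGN(b->last_end_off, align);
		else
			start_off = PFN_PHYS(sidx);
		merge = PFN_DOWN(start_off) < sidx;
		end_off = start_off + size;
		b->last_end_off = end_off;
		/* When merging, the page holding start_off is assumed already reserved and skipped. */
		for (i = PFN_DOWN(start_off) + merge; i < PFN_UP(end_off); i++)
			b->map[i] = 1;
		return start_off;
	}
	return ~0UL;
}

/* Frees whole pages only and, like free_bootmem(), leaves last_end_off alone. */
static void toy_free(struct toy_bdata *b, unsigned long off, unsigned long size)
{
	unsigned long i;
	for (i = PFN_UP(off); i < PFN_DOWN(off + size); i++)
		b->map[i] = 0;
}

/* Mikulas's minimal sequence; returns 1 if q and r alias (the bug), else 0. */
static int run_sequence(int patched, unsigned long *q_out, unsigned long *r_out)
{
	struct toy_bdata b = { 0, { 0 }, patched };
	unsigned long p, q, r;
	p = toy_alloc(&b, PAGE_SIZE, TOY_ALIGN); /* page 0, last_end_off = PAGE_SIZE */
	q = toy_alloc(&b, 64, TOY_ALIGN);        /* page 1, last_end_off = PAGE_SIZE + 64 */
	toy_free(&b, p, PAGE_SIZE);              /* page 0 free again, last_end_off untouched */
	p = toy_alloc(&b, PAGE_SIZE, TOY_ALIGN); /* page 0 again, last_end_off = PAGE_SIZE */
	r = toy_alloc(&b, 64, TOY_ALIGN);        /* sidx = 2: -rc1 merges back into page 1 */
	if (q_out) *q_out = q;
	if (r_out) *r_out = r;
	return q == r;
}

static unsigned long sequence_r(int patched)
{
	unsigned long r;
	run_sequence(patched, NULL, &r);
	return r;
}

/* Two small allocations must still share a page in both versions. */
static unsigned long packed_pair(int patched)
{
	struct toy_bdata b = { 0, { 0 }, patched };
	toy_alloc(&b, 64, TOY_ALIGN);        /* offset 0, last_end_off = 64 */
	return toy_alloc(&b, 64, TOY_ALIGN); /* merges into page 0 at offset 64 */
}

int main(void)
{
	printf("-rc1 q==r:%d r=%lu | patched q==r:%d r=%lu | packed %lu %lu\n",
	       run_sequence(0, NULL, NULL), sequence_r(0), run_sequence(1, NULL, NULL),
	       sequence_r(1), packed_pair(0), packed_pair(1));
	return 0;
}
```

With `patched` = 0, run_sequence() reports the alias and r comes back at PAGE_SIZE, the same offset q already holds, because the merge path reserves nothing (PFN_DOWN(start_off) + merge equals PFN_UP(end_off)) and simply hands out the start of the previous allocation's last page. With `patched` = 1 the page-aligned last_end_off is ignored and r is placed at 2 * PAGE_SIZE; packed_pair() returns 64 either way, confirming the fix only drops the bogus case and not the partial-page packing itself.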
Thread overview (86+ messages):
2008-06-18  0:47 stack overflow on Sparc64 Mikulas Patocka
2008-06-18  4:01 ` David Miller
2008-06-19  3:24   ` Mikulas Patocka
2008-06-19  3:59     ` David Miller
2008-06-19  5:17       ` Mikulas Patocka
2008-06-19  6:37         ` David Miller
2008-06-19 13:01           ` Mikulas Patocka
2008-06-20 15:47   ` Mikulas Patocka
2008-06-20 17:26     ` David Miller
2008-06-20 20:34       ` Mikulas Patocka
2008-06-20 20:37         ` David Miller
2008-06-20 21:26           ` Mikulas Patocka
2008-06-20 21:41             ` David Miller
2008-06-21  4:51               ` David Miller
2008-06-21 19:42                 ` Mikulas Patocka
2008-06-22  7:03                   ` David Miller
2008-06-22 13:48                     ` Mikulas Patocka
2008-08-12  6:30                   ` David Miller
2008-08-12  8:22                     ` David Miller
2008-08-13  0:53                       ` Mikulas Patocka
2008-08-13  0:59                         ` David Miller
2008-08-13  1:11                     ` console handover badness [was: stack overflow on Sparc64] Mikulas Patocka
2008-08-13  1:22                       ` console handover badness David Miller
2008-08-13  1:40                       ` David Miller
2008-08-13  8:50                         ` David Miller
2008-08-13 12:46                         ` Mikulas Patocka
2008-08-14  3:25                           ` David Miller
2008-08-14 23:11                             ` Bootmem allocator broken [was: console handover badness] Mikulas Patocka
2008-08-14 23:25                               ` Bootmem allocator broken David Miller
2008-08-15 11:09                                 ` Alexander Beregalov
2008-08-15 21:13                                   ` David Miller
2008-08-14 23:40                               ` Johannes Weiner [this message]
2008-06-20 21:14       ` stack overflow on Sparc64 Mikulas Patocka
2008-06-20 21:20         ` David Miller
2008-06-20 21:25           ` Mikulas Patocka
2008-06-20 21:44             ` David Miller
2008-06-20 21:47               ` David Miller
2008-06-20 22:22                 ` Mikulas Patocka
2008-06-20 22:28                   ` David Miller
2008-06-20 22:36                     ` Mikulas Patocka
2008-06-20 22:47                       ` David Miller
2008-06-21  0:37                         ` Mikulas Patocka
2008-06-20 22:33               ` Mikulas Patocka
