Hugh Dickins wrote on Wednesday, October 25, 2006 12:41 AM
> On Wed, 25 Oct 2006, David Gibson wrote:
> >
> > Hugh, I'd like to add a testcase to the libhugetlbfs testsuite which
> > will trigger this bug, but from the description above I'm not sure
> > exactly how to tickle it. Can you give some more details of what
> > sequence of calls will cause the BUG_ON() to be called.
> >
> > I've attached the skeleton test I have now, but I'm not sure if it's
> > even close to what's really required for this.
>
> I'll take a look, or reconstruct my own sequence, later on today and
> send it just to you. The BUG_ON was not at all what I was expecting,
> and I spent quite a while working out how it came about (v_offset
> wrapped, so vm_start + v_offset less than vm_start, so the huge unmap
> applied to a non-huge vma before it). Though I'm dubious whether it's
> really worthwhile devising such a test now.

It's fairly easy to reproduce. I have test cases that easily trigger a
kernel oops, and even a sequence that screws up the hugepage_rsvd count.
All I have to do is place vm_start high enough and, combined with a large
enough v_offset, the add "vma->vm_start + v_offset" will overflow. It
doesn't even need to be over 4GB.

Hugh, if you haven't got time to reconstruct the bug sequence, don't
bother. I'll give my test cases to David.

- Ken
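The arithmetic both messages describe, modelled in user space as an added example (this is not code from the thread, from libhugetlbfs, or from the kernel). It treats addresses as 32-bit unsigned values, places a hugetlbfs vma high in the address space and an ordinary vma low, and shows that "vm_start + v_offset" wraps to an address inside the non-huge vma for a v_offset of only 1.5 GiB. The struct layout, the vma addresses, the offsets and the bounds check are all assumptions chosen for the illustration; the guard is one possible check, not the fix the thread settled on.

```c
/*
 * Added example, not code from this thread, from libhugetlbfs or from the
 * kernel: a model of "vm_start + v_offset" on a 32-bit kernel, where
 * unsigned long is 32 bits.  The vma struct, the address map and the
 * sample values below are assumptions made for the illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t addr_t;            /* models unsigned long on a 32-bit arch */

struct vma {
    addr_t vm_start;                /* first byte of the mapping */
    addr_t vm_end;                  /* one past the last byte */
    bool   huge;                    /* backed by hugetlbfs? */
    const char *name;
};

/* Constructed 32-bit address space: an ordinary mapping low in memory and
 * a hugetlbfs mapping high in memory, 4 MiB each. */
static const struct vma sample_vmas[] = {
    { 0x0fc00000u, 0x10400000u, false, "anon" },
    { 0xb0000000u, 0xb0400000u, true,  "huge" },
};
#define NR_SAMPLE_VMAS (sizeof(sample_vmas) / sizeof(sample_vmas[0]))
#define HUGE_VMA (&sample_vmas[1])

/* Unguarded computation: plain unsigned addition, which wraps modulo 2^32. */
static addr_t naive_unmap_start(const struct vma *v, addr_t v_offset)
{
    return v->vm_start + v_offset;
}

/* Which vma, if any, contains addr? */
static const struct vma *find_vma(addr_t addr)
{
    for (size_t i = 0; i < NR_SAMPLE_VMAS; i++)
        if (addr >= sample_vmas[i].vm_start && addr < sample_vmas[i].vm_end)
            return &sample_vmas[i];
    return NULL;
}

/* True when the naive start for the huge vma wraps below vm_start and
 * lands in a mapping that is not hugetlb-backed: the failure mode Hugh
 * describes, a huge unmap applied to a non-huge vma before it. */
static bool naive_hits_non_huge_vma(addr_t v_offset)
{
    addr_t start = naive_unmap_start(HUGE_VMA, v_offset);
    const struct vma *hit;

    if (start >= HUGE_VMA->vm_start)
        return false;               /* no wrap: start is inside or past it */
    hit = find_vma(start);
    return hit != NULL && !hit->huge;
}

/* Guarded computation: require v_offset to lie inside the vma.  Since
 * vm_end - vm_start never overflows, vm_start + v_offset then cannot wrap
 * either.  Returns false when this vma has nothing to unmap. */
static bool guarded_unmap_start(const struct vma *v, addr_t v_offset,
                                addr_t *start)
{
    if (v_offset >= v->vm_end - v->vm_start)
        return false;
    *start = v->vm_start + v_offset;
    return true;
}

/* Same check as a single value: the start address, or UINT32_MAX when the
 * offset is rejected. */
static addr_t guarded_start_or_reject(const struct vma *v, addr_t v_offset)
{
    addr_t start;
    return guarded_unmap_start(v, v_offset, &start) ? start : UINT32_MAX;
}

int main(void)
{
    /* 1.5 GiB past the huge vma's start: a truncation point well under
     * 4 GiB, yet 0xb0000000 + 0x60000000 wraps to 0x10000000. */
    addr_t v_offset = 0x60000000u;
    addr_t naive = naive_unmap_start(HUGE_VMA, v_offset);
    const struct vma *hit = find_vma(naive);

    printf("naive start 0x%08x (%s vm_start 0x%08x), lands in %s\n",
           naive, naive < HUGE_VMA->vm_start ? "below" : "at or above",
           HUGE_VMA->vm_start, hit ? hit->name : "no vma");
    printf("guarded: offset 0x%08x %s\n", v_offset,
           guarded_start_or_reject(HUGE_VMA, v_offset) == UINT32_MAX
               ? "rejected" : "accepted");
    printf("guarded: offset 0x%08x -> start 0x%08x\n", 0x200000u,
           guarded_start_or_reject(HUGE_VMA, 0x200000u));
    return 0;
}
```

The unsigned wrap is silent, so the only symptom is a start address below vm_start; comparing the offset against the vma's own length catches it without needing a wider integer type.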