From: Johannes Weiner <hannes@cmpxchg.org>
To: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@infradead.org>,
Nick Piggin <npiggin@kernel.dk>, Hugh Dickins <hughd@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
xfs@oss.sgi.com, linux-mm@kvack.org
Subject: Re: [PATCH] xfs: flush vmap aliases when mapping fails
Date: Tue, 22 Mar 2011 13:57:36 +0100
Message-ID: <20110322125736.GZ2140@cmpxchg.org>
In-Reply-To: <20110321122526.GX2140@cmpxchg.org>

On Mon, Mar 21, 2011 at 01:25:26PM +0100, Johannes Weiner wrote:
> On Fri, Mar 11, 2011 at 09:49:45AM +1100, Dave Chinner wrote:
> > FWIW, while the VM folk might be paying attention about vmap related
> > stuff, this vmap BUG() also needs triage:
> >
> > https://bugzilla.kernel.org/show_bug.cgi?id=27002
>
> I stared at this bug and the XFS code for a while over the weekend.
> What you are doing in there is really scary!
>
> So xfs_buf_free() does vm_unmap_ram if the buffer has the XBF_MAPPED
> flag set and spans multiple pages (b_page_count > 1).
>
> In xlog_sync() you have that split case where you do XFS_BUF_SET_PTR
> on that in-core log's l_xbuf which changes that buffer to, as far as I
> could understand, linear kernel memory. Later in xlog_dealloc_log you
> call xfs_buf_free() on that buffer.
>
> I was unable to determine if this can ever be more than one page in
> the buffer for the split case. But if this is the case, you end up
> invoking vm_unmap_ram() on something you never vm_map_ram'd, which
> could explain why this triggers the BUG_ON() for the dirty area map.

Blech, that's bogus, please pardon my rashness.

I looked over the vmalloc side several times but could not spot
anything that would explain this crash.

However, when you switched from vunmap to vm_unmap_ram you had to add
the area size parameter.

I am guessing that the base address was always correct, vunmap would
have caught an error with it. But the new size argument could be too
large and crash the kernel when it would reach into the next area that
had already been freed (and marked in the dirty bitmap).

I have given up on verifying that what xlog_sync() does to l_xbuf is
okay. It would be good if you could confirm that it leaves the buffer
in a state so that its b_addr - b_offset, b_page_count are correctly
describing the exact vmap area.

	Hannes
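
The size-overrun hypothesis in the message above, as a user-space model added here (not kernel code and not from the thread): a block's dirty bitmap holds two adjacent areas, and freeing the first with the right base but too large a page count runs into pages already marked dirty. `model_block`, `model_unmap` and `scenario` are hypothetical names, and the 64-page block and the page ranges are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define BLOCK_PAGES 64u   /* constructed block size for the model */

struct model_block {
    uint64_t dirty;       /* bit n set: page n was unmapped, awaits purge */
};

/* Bit mask covering pages [first, first + count) of the block. */
static uint64_t range_mask(unsigned first, unsigned count)
{
    uint64_t m = (count >= 64) ? ~0ULL : ((1ULL << count) - 1);
    return m << first;
}

/*
 * Model of the unmap path: mark the range dirty. Returns 0 on success,
 * -1 where the model treats the request as the BUG_ON() case from the
 * message: the range leaves the block or overlaps already-dirty pages.
 */
static int model_unmap(struct model_block *b, unsigned first, unsigned count)
{
    if (count == 0 || first >= BLOCK_PAGES || count > BLOCK_PAGES - first)
        return -1;
    uint64_t m = range_mask(first, count);
    if (b->dirty & m)
        return -1;        /* reaches into pages that were already freed */
    b->dirty |= m;
    return 0;
}

/* Two adjacent areas: A = pages 0..3, B = pages 4..7 (constructed). */
static int scenario(unsigned count_for_a)
{
    struct model_block b = { 0 };
    if (model_unmap(&b, 4, 4) != 0)          /* B is freed first, correctly */
        return -2;
    return model_unmap(&b, 0, count_for_a);  /* A: correct base, given count */
}

int main(void)
{
    printf("A freed with count 4: %d\n", scenario(4));
    printf("A freed with count 6: %d\n", scenario(6));
    return 0;
}
```

The base address is identical in both calls; only the count differs, which is why a check on the base alone would not catch the second case.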