Problems with remap_pfn_range & 2.6.15 & up?


I currently have a module for a PCI device that maps system memory to
user space with remap_pfn_range(). The system memory is acquired
through dma_alloc_coherent (i.e. _get_free_pages). The driver works
fine on all 2.4 kernels and has been tested on 2.6 kernels up to
2.6.12. The failure only occurs on 2.6.15 & 2.6.16.

The issue occurs when the application exits and/or the file descriptor
is closed. Sometimes kernel log messages appear regarding a page count
being invalid (-1). So, it must be when the VM attempts to release
page mappings.

I've tested with removing the VM_RESERVED flag, but I think
remap_pfn_range sets that anyway. I've tested with setting & not
setting PG_reserved on the allocated pages. I've verified the
parameters to remap_pfn_range. The size is 64k, the physical address
is page shifted, etc.

There obviously was a change in 2.6.15 with remap_pfn_range, even in
the rc releases. I've read through the logs regarding the changes and
about the new vm_insert_page() function. My driver simply maps
contiguous system pages to user space.

Has anyone else run into issues with using remap_pfn_range?

Here is some more info:
Line 555 in rmap.c is where the kernel panic is:

<0>Eeek! page_mapcount(page) went negative! (-1)
<0> page->flags = 80000404
<0> page->count = 1
<0> page->mapping = 00000000
<0>------------[ cut here ]------------
<0>kernel BUG at mm/rmap.c:560!
<0>invalid opcode: 0000 [#1]
<1>last sysfs file: /devices/system/cpu/cpu0/cpufreq/scaling_setspeed
<4>Modules linked in: Pci9656_dbg(U) autofs4 hidp rfcomm l2cap bluetooth sunrpc dm_mirror dm_mod video button battery ac ipv6 lp parport_pc parport floppy nvram ehci_hcd uhci_hcd sky2 snd_via82xx gameport snd_ac97_codec snd_ac97_bus snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_pcm_oss snd_mixer_oss snd_timer snd_page_alloc snd_mpu401_uart snd_rawmidi snd_seq_device i2c_viapro snd i2c_core soundcore ext3 jbd
<0>CPU: 0
<4>EIP: 0060:[<c014852d>] Not tainted VLI
<4>EFLAGS: 00010286 (2.6.15-1.2054_FC5 #1)
<0>EIP is at page_remove_rmap+0x63/0x7b
<0>eax: ffffffff ebx: c15e7a00 ecx: ef1fcee8 edx: c02fbeaf
<0>esi: b7f97000 edi: ee564e5c ebp: 00000020 esp: ef1fcef4
<0>ds: 007b es: 007b ss: 0068
<0>Process Test (pid: 3493, threadinfo=ef1fc000 task=f7ca5000)
<0>Stack: <0>c15e7a00 c0142db5 00000000 f6b12cd4 ef1fcf60 00340efa
00000000 0000
<0> b7fa7000 ef49bb7c f6af1500 c03e022c 00000000 ffffffff
f6af1554 ef49bb7
<0> b7fa7000 00000000 ef1fcf60 f6af690c f6af1500 ef1fcfa0
c0145644 fffffff
<0>Call Trace:
<0> [<c0142db5>] unmap_vmas+0x285/0x48d [<c0145644>]
<0> [<c01184bd>] mmput+0x1c/0x8f [<c011d012>] do_exit+0x1a5/0x6c8
<0> [<c011d5b9>] sys_exit_group+0x0/0xd [<c0102bc1>]
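
A triage helper for the oops quoted above, added here as an example and not part of the original post: it extracts the page state from a "page_mapcount went negative" report and decodes page->flags. The bit table is an assumption based on the 2.6.15-era include/linux/page-flags.h, and all function and variable names are hypothetical.

```python
import re

# Constructed sample: header lines copied from the oops quoted in the post.
SAMPLE_OOPS = """\
<0>Eeek! page_mapcount(page) went negative! (-1)
<0> page->flags = 80000404
<0> page->count = 1
<0> page->mapping = 00000000
<0>kernel BUG at mm/rmap.c:560!
<0>EIP is at page_remove_rmap+0x63/0x7b
<0>Process Test (pid: 3493, threadinfo=ef1fc000 task=f7ca5000)
"""

# Assumption: bit numbers as in the 2.6.15-era include/linux/page-flags.h.
# Bits not listed here are left undecoded.
PAGE_FLAG_BITS = {
    0: "PG_locked", 1: "PG_error", 2: "PG_referenced", 3: "PG_uptodate",
    4: "PG_dirty", 5: "PG_lru", 6: "PG_active", 7: "PG_slab",
    8: "PG_checked", 9: "PG_arch_1", 10: "PG_reserved", 11: "PG_private",
    12: "PG_writeback", 13: "PG_nosave", 14: "PG_compound", 15: "PG_swapcache",
}

PATTERNS = {
    "mapcount": (r"page_mapcount\(page\) went negative! \((-?\d+)\)", int),
    "flags": (r"page->flags = ([0-9a-fA-F]+)", lambda s: int(s, 16)),
    "count": (r"page->count = (-?\d+)", int),
    "mapping": (r"page->mapping = ([0-9a-fA-F]+)", lambda s: int(s, 16)),
    "bug_at": (r"kernel BUG at (\S+)!", str),
    "eip_symbol": (r"EIP is at (\w+)\+", str),
    "pid": (r"Process \S+ \(pid: (\d+)", int),
}

def decode_page_flags(flags):
    """Return names of the known low flag bits set in a page->flags word."""
    return [name for bit, name in sorted(PAGE_FLAG_BITS.items()) if flags >> bit & 1]

def parse_rmap_oops(text):
    """Extract page state from a 'page_mapcount went negative' oops; None if absent."""
    report = {}
    for key, (pattern, convert) in PATTERNS.items():
        match = re.search(pattern, text)
        if match:
            report[key] = convert(match.group(1))
    if "mapcount" not in report:
        return None  # not this class of oops
    report["flag_names"] = decode_page_flags(report.get("flags", 0))
    return report

if __name__ == "__main__":
    for key, value in parse_rmap_oops(SAMPLE_OOPS).items():
        print(f"{key}: {value}")
```

Under the assumed bit layout, the flags word in the post decodes to PG_referenced and PG_reserved, with page->mapping NULL at the time page_remove_rmap ran.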

