Bug#421804: linux-image-2.6.18-4-xen-686: Can crash at boot w/ >4GB memory
Package: linux-image-2.6.18-4-xen-686
Version: 2.6.18.dfsg.1-12
Severity: normal
Tags: patch
We're seeing some issues with the RHEL5 32b xen kernel that are leading
to frequent XenRT failures. Guests crash during boot when the host has
>4GB of RAM with alarmingly high probability.
The problem is that trying to clear a pte by setting it to PFN 0 can
potentially cause the entry to be temporarily invalid since it writes
the upper word first (i.e. the PTE remains present). It also not correct
to launder the 0 through p2m which set_pte will do. The combination of
these causes a crash when swapper_pg_dir and PFN 0 have MFNs on opposite
sides of the 4G boundary.
The attached patch fixes the problem. This is from:
http://xenbits.xensource.com/xen-unstable.hg?cs=c6efd6c2feaa
The same bug was reported against RHEL5 here:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=234375
Thanks,
Ian.
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-amd64
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
# HG changeset patch
# User kfraser@localhost.localdomain
# Date 1163425074 0
# Node ID c6efd6c2feaa3ec851685cc872a1ce989d998220
# Parent 16977bd93dbebe30060e4b4462938f21f5b14275
[LINUX] Fix clear_fixmap().
On i386-PAE, clear_fixmap() results in ill use of set_pte(). In all
contexts, p2m translations shouldn't occur here. Note that this is not
really an issue on native linux, as there is
(a) no pfn-to-mfn translation and
(b) __set_fixmap() takes an unsigned long physical address rather than
a paddr_t, which makes it so that bits 32 and up of the physical
address are always zero, permitting either order store when
clearing the entry.
Signed-off-by: Jan Beulich <jbeulich@novell.com>
diff -r 16977bd93dbe -r c6efd6c2feaa linux-2.6-xen-sparse/arch/i386/mm/pgtable-xen.c
--- a/linux-2.6-xen-sparse/arch/i386/mm/pgtable-xen.c Mon Nov 13 12:06:21 2006 +0000
+++ b/linux-2.6-xen-sparse/arch/i386/mm/pgtable-xen.c Mon Nov 13 13:37:54 2006 +0000
@@ -102,8 +102,11 @@ static void set_pte_pfn(unsigned long va
return;
}
pte = pte_offset_kernel(pmd, vaddr);
- /* <pfn,flags> stored as-is, to permit clearing entries */
- set_pte(pte, pfn_pte(pfn, flags));
+ if (pgprot_val(flags))
+ /* <pfn,flags> stored as-is, to permit clearing entries */
+ set_pte(pte, pfn_pte(pfn, flags));
+ else
+ pte_clear(&init_mm, vaddr, pte);
/*
* It's enough to flush this one mapping.
@@ -140,8 +143,11 @@ static void set_pte_pfn_ma(unsigned long
return;
}
pte = pte_offset_kernel(pmd, vaddr);
- /* <pfn,flags> stored as-is, to permit clearing entries */
- set_pte(pte, pfn_pte_ma(pfn, flags));
+ if (pgprot_val(flags))
+ /* <pfn,flags> stored as-is, to permit clearing entries */
+ set_pte(pte, pfn_pte_ma(pfn, flags));
+ else
+ pte_clear(&init_mm, vaddr, pte);
/*
* It's enough to flush this one mapping.
diff -r 16977bd93dbe -r c6efd6c2feaa linux-2.6-xen-sparse/arch/x86_64/mm/init-xen.c
--- a/linux-2.6-xen-sparse/arch/x86_64/mm/init-xen.c Mon Nov 13 12:06:21 2006 +0000
+++ b/linux-2.6-xen-sparse/arch/x86_64/mm/init-xen.c Mon Nov 13 13:37:54 2006 +0000
@@ -260,7 +260,10 @@ static void set_pte_phys(unsigned long v
return;
}
}
- new_pte = pfn_pte(phys >> PAGE_SHIFT, prot);
+ if (pgprot_val(prot))
+ new_pte = pfn_pte(phys >> PAGE_SHIFT, prot);
+ else
+ new_pte = __pte(0);
pte = pte_offset_kernel(pmd, vaddr);
if (!pte_none(*pte) &&
Reply to: