Hi,

On Sun, Apr 13, 2025 at 11:08:58AM +0300, Mike Rapoport wrote:
> From: "Mike Rapoport (Microsoft)" <rppt@xxxxxxxxxx>
>
> Dave Hansen reports the following crash on a 32-bit system with
> CONFIG_HIGHMEM=y and CONFIG_X86_PAE=y:
>
> > 0xf75fe000 is the mem_map[] entry for the first page >4GB. It
> > obviously wasn't allocated, thus the oops.
>
> BUG: unable to handle page fault for address: f75fe000
> #PF: supervisor write access in kernel mode
> #PF: error_code(0x0002) - not-present page
> *pdpt = 0000000002da2001 *pde = 000000000300c067 *pte = 0000000000000000
> Oops: Oops: 0002 [#1] SMP NOPTI
> CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.15.0-rc1-00288-ge618ee89561b-dirty #311 PREEMPT(undef)
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> EIP: __free_pages_core+0x3c/0x74
> Code: c3 d3 e6 83 ec 10 89 44 24 08 89 74 24 04 c7 04 24 c6 32 3a c2 89 55 f4 e8 a9 11 45 fe 85 f6 8b 55 f4 74 19 89 d8 31 c9 66 90 <0f> ba 30 0d c7 40 1c 00 00 00 00 41 83 c0 28 39 ce 75 ed 8b
>
> EAX: f75fe000 EBX: f75fe000 ECX: 00000000 EDX: 0000000a
> ESI: 00000400 EDI: 00500000 EBP: c247becc ESP: c247beb4
> DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00210046
> CR0: 80050033 CR2: f75fe000 CR3: 02da6000 CR4: 000000b0
> Call Trace:
>  memblock_free_pages+0x11/0x2c
>  memblock_free_all+0x2ce/0x3a0
>  mm_core_init+0xf5/0x320
>  start_kernel+0x296/0x79c
>  ? set_init_arg+0x70/0x70
>  ? load_ucode_bsp+0x13c/0x1a8
>  i386_start_kernel+0xad/0xb0
>  startup_32_smp+0x151/0x154
> Modules linked in:
> CR2: 00000000f75fe000
>
> The mem_map[] is allocated up to the end of ZONE_HIGHMEM which is defined
> by max_pfn.
>
> Before 6faea3422e3b ("arch, mm: streamline HIGHMEM freeing") freeing of
> high memory was also clamped to the end of ZONE_HIGHMEM but after
> 6faea3422e3b memblock_free_all() tries to free memory above the end of
> ZONE_HIGHMEM as well and that causes access to mem_map[] entries beyond
> the end of the memory map.
>
> Discard the memory after max_pfn from memblock on 32-bit systems so that
> core MM would be aware only of actually usable memory.
>
> Reported-by: Dave Hansen <dave.hansen@xxxxxxxxx>
> Tested-by: Arnd Bergmann <arnd@xxxxxxxxxx>
> Signed-off-by: Mike Rapoport (Microsoft) <rppt@xxxxxxxxxx>

With this patch in pending-fixes (v6.15-rc2-434-g93ced5296772), all my i386
test runs crash.

[ 0.020893] Kernel panic - not syncing: ioapic_setup_resources: Failed to allocate 0x0000002b bytes
[ 0.021248] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.15.0-rc2-00434-g93ced5296772 #1 PREEMPT(undef)
[ 0.021373] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 0.021549] Call Trace:
[ 0.021711] dump_stack_lvl+0x20/0x104
[ 0.022023] dump_stack+0x12/0x18
[ 0.022064] panic+0x2c1/0x2d8
[ 0.022116] ? vprintk_default+0x29/0x30
[ 0.022163] __memblock_alloc_or_panic+0x57/0x58
[ 0.022221] io_apic_init_mappings+0x2e/0x1a8
[ 0.022284] setup_arch+0x909/0xdac
[ 0.022338] ? vprintk_default+0x29/0x30
[ 0.022410] start_kernel+0x63/0x760
[ 0.022457] ? load_ucode_bsp+0x12c/0x198
[ 0.022507] i386_start_kernel+0x74/0x74
[ 0.022548] startup_32_smp+0x151/0x154
[ 0.023089] ---[ end Kernel panic - not syncing: ioapic_setup_resources: Failed to allocate 0x0000002b bytes ]---

Reverting this patch fixes the problem. Bisect log is attached for reference.

Guenter

---
# bad: [93ced5296772b7b704f48e4bad9fcfdf0633c780] Merge branch 'for-linux-next-fixes' of https://gitlab.freedesktop.org/drm/misc/kernel.git
# good: [8ffd015db85fea3e15a77027fda6c02ced4d2444] Linux 6.15-rc2
git bisect start 'HEAD' 'v6.15-rc2'
# good: [5d6f363fc974e32dd9930fecaae63958b68a1df4] Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap.git
git bisect good 5d6f363fc974e32dd9930fecaae63958b68a1df4
# good: [1790b4a242fe119fead08fccc5bf923423c7449a] Merge branch 'dma-mapping-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mszyprowski/linux.git
git bisect good 1790b4a242fe119fead08fccc5bf923423c7449a
# good: [5d37ee8a1d6455968ea3134d78223090d487c7f4] Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git
git bisect good 5d37ee8a1d6455968ea3134d78223090d487c7f4
# good: [9d4de5ae5208548eb9c6a490ac454601f4fbf00b] Merge branch 'i2c/i2c-host-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti/linux.git
git bisect good 9d4de5ae5208548eb9c6a490ac454601f4fbf00b
# bad: [f737ab93945fb8f0213e1cccc39d028eb5d880e0] Merge branch into tip/master: 'x86/urgent'
git bisect bad f737ab93945fb8f0213e1cccc39d028eb5d880e0
# good: [2e7a2843d0de7677b7bb908ca006dc435e52c416] Merge branch into tip/master: 'irq/urgent'
git bisect good 2e7a2843d0de7677b7bb908ca006dc435e52c416
# good: [d466304c4322ad391797437cd84cca7ce1660de0] x86/cpu: Add CPU model number for Bartlett Lake CPUs with Raptor Cove cores
git bisect good d466304c4322ad391797437cd84cca7ce1660de0
# good: [39893b1e4ad7c4380abe4cfddaa58b34c4363bf4] Merge branch into tip/master: 'timers/urgent'
git bisect good 39893b1e4ad7c4380abe4cfddaa58b34c4363bf4
# bad: [1e07b9fad022e0e02215150ca1e20912e78e8ec1] x86/e820: Discard high memory that can't be addressed by 32-bit systems
git bisect bad 1e07b9fad022e0e02215150ca1e20912e78e8ec1
# first bad commit: [1e07b9fad022e0e02215150ca1e20912e78e8ec1] x86/e820: Discard high memory that can't be addressed by 32-bit systems
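
Added example, not part of the original thread and not kernel code: a simplified user-space C model of the argument in the quoted commit message, that regions above max_pfn index past the end of mem_map[] and that discarding them first removes those accesses. The struct, the function names and the PFN values (including the MAX_PFN used here) are constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model: a memory region as a PFN range [start, end). */
struct region { unsigned long start, end; };

/* Count pages whose PFN would index past a mem_map[] of max_pfn entries. */
unsigned long pages_past_mem_map(const struct region *r, size_t n,
                                 unsigned long max_pfn)
{
    unsigned long bad = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned long lo = r[i].start > max_pfn ? r[i].start : max_pfn;
        if (r[i].end > lo)
            bad += r[i].end - lo;
    }
    return bad;
}

/* Trim the map so nothing at or above max_pfn remains; returns new count. */
size_t discard_above(struct region *r, size_t n, unsigned long max_pfn)
{
    size_t out = 0;
    for (size_t i = 0; i < n; i++) {
        if (r[i].start >= max_pfn)
            continue;                 /* entirely above the limit: drop */
        r[out] = r[i];
        if (r[out].end > max_pfn)
            r[out].end = max_pfn;     /* straddles the limit: clamp */
        out++;
    }
    return out;
}

/* Constructed sample: 4 KiB pages, so PFN 0x100000 is the 4 GiB boundary. */
#define MAX_PFN 0x100000UL
unsigned long demo(int discard)
{
    struct region map[] = {
        { 0x000000, 0x0c0000 },       /* below the limit */
        { 0x0ff000, 0x100400 },       /* straddles the limit */
        { 0x140000, 0x180000 },       /* entirely above the limit */
    };
    size_t n = sizeof(map) / sizeof(map[0]);
    if (discard)
        n = discard_above(map, n, MAX_PFN);
    return pages_past_mem_map(map, n, MAX_PFN);
}

int main(void)
{
    printf("out-of-range pages, no discard:   %lu\n", demo(0));
    printf("out-of-range pages, with discard: %lu\n", demo(1));
    return 0;
}
```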