Re: Unmapping of UIO logical memory causing a trace

From: Greg Kroah-Hartman
Date: Tue Aug 11 2015 - 17:45:50 EST

On Tue, Aug 11, 2015 at 04:39:08PM +0530, Ankit Jindal wrote:
> Hi,
> We have observed an issue where kmalloc of a small sized memory causes
> an occasional trace when unmapping the mmaped memory via UIO framework
> This trace is coming when kernel sees a negative value in
> page->_mapcount. Trace is pasted at the end of the mail.
> After debugging this issue further, we realized following sequence
> occurs when kmalloc is used to allocate small memory using slub
> allocator:
> 1. Frozen bit (msb) of the page from which memory has been allocated
> is set (which is an union with _mapcount).
> 2. If there are free objects in the the same page then this frozen bit
> remains set even after kernel boots completely.
> 3. When user space calls unmap of this memory, vma_unmap_single()
> treats the _mapcount as a negative (as frozen bit is set), causing a
> trace.
> We are not sure whether exposing kernel memory of size
> less than PAGE_SIZE via UIO is a valid use case ? In case this is an invalid
> use case then shouldn't the UIO framework restrict mapping of non
> PAGE_SIZE aligned memory and size not in order of PAGE_SIZE.

We've had a few discussions about this in the past, and one proposed
patch which had to be reverted because it broke some working systems, so
it's a messy thing.

What UIO driver are you using that causes this behavior?


greg k-h
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at