
Bug#495611: user-mode-linux: page_mapcount(page) went negative!


Graham Cobb

Aug 18, 2008, 7:20:08 PM
Package: user-mode-linux
Version: 2.6.24-1um-1
Severity: normal

I use a Debian lenny guest environment in UML to automatically build software
for the Nokia Maemo environment.

The overnight builds all work fine using UML 2.6.24-1um-1. However, UML
2.6.25-1um-2 and UML 2.6.26-1um-2 both crash, early in each build, with
the kernel panic shown below. I can easily reproduce this with my automated
build system although I have not yet found another stress test (even doing a
kernel build in the guest environment) which reproduces it.

The crash details are:

Eeek! page_mapcount(page) went negative! (-1)
page pfn = 2cc
page->flags = 400
page->count = 1
page->mapping = 00000000
vma->vm_ops = 0x83accc8
vma->vm_ops->fault = special_mapping_fault+0x0/0x60
BUG: failure at mm/rmap.c:669/page_remove_rmap()!
Kernel panic - not syncing: BUG!

EIP: 0073:[<080a407a>] CPU: 0 Not tainted ESP: 007b:bf9ec8fc EFLAGS: 00000246
Not tainted
EAX: ffffffda EBX: 00008000 ECX: 001b6000 EDX: 00000005
ESI: 00000812 EDI: 00000004 EBP: 00000000 DS: 007b ES: 007b
277ebd38: [<0809ec74>] notifier_call_chain+0x34/0x70
277ebd5c: [<08311f2a>] panic+0x71/0xff
277ebd78: [<080cb4e1>] page_remove_rmap+0x151/0x160
277ebd90: [<080c3f99>] unmap_vmas+0x2c9/0x600
277ebda4: [<08060fd3>] flush_tlb_page+0x113/0x1f0
277ebdf8: [<080c7895>] unmap_region+0xa5/0x150
277ebe2c: [<080c8a98>] do_munmap+0x1d8/0x290
277ebe58: [<080c9544>] mmap_region+0xd4/0x590
277ebe90: [<080c7230>] arch_get_unmapped_area+0x0/0x160
277ebeb8: [<080b4870>] generic_file_mmap+0x0/0x60
277ebec4: [<080c9c1a>] do_mmap_pgoff+0x21a/0x300
277ebf00: [<08060846>] sys_mmap2+0x76/0xe0
277ebf30: [<080627aa>] handle_syscall+0x8a/0xc0
277ebf4c: [<080607d0>] sys_mmap2+0x0/0xe0
277ebf78: [<080789ca>] userspace+0x48a/0x510
277ebf90: [<08075675>] os_set_thread_area+0x25/0x50
277ebfec: [<0805f72d>] fork_handler+0x5d/0x70


-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (900, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.25-2-686 (SMP w/1 CPU core)
Locale: LANG=en_IE@euro, LC_CTYPE=en_IE@euro (charmap=ISO-8859-15) (ignored: LC_ALL set to en_IE@euro)
Shell: /bin/sh linked to /bin/bash

Versions of packages user-mode-linux depends on:
ii uml-utilities 20070815-1.1 User-mode Linux (utility programs)

user-mode-linux recommends no packages.

Versions of packages user-mode-linux suggests:
ii konsole [x-terminal- 4:3.5.9.dfsg.1-2+b1 X terminal emulator for KDE
pn linux-patch-skas <none> (no description available)
pn rootstrap <none> (no description available)
ii rxvt [x-terminal-emu 1:2.6.4-14 VT102 terminal emulator for the X
pn slirp <none> (no description available)
pn user-mode-linux-doc <none> (no description available)
ii xterm [x-terminal-em 235-1 X terminal emulator

-- no debconf information


Mattia Dongili

Aug 19, 2008, 8:20:21 AM
Hello again Jeff,

one more bug report on 2.6.26.2. It looks like .25 is affected as well;
both are suffering from it.

--
mattia
:wq!

Jeff Dike

Aug 26, 2008, 4:30:16 PM
On Tue, Aug 19, 2008 at 09:01:55PM +0900, Mattia Dongili wrote:
> one more bug report on 2.6.26.2. It looks like .25 is affected as well;
> both are suffering from it.

Sigh, I was hoping that this wasn't seen on anything later than 2.6.24.

Any chance it can be bisected? Since this is an overnight test, it
would take a week or two, probably.

Jeff

--
Work email - jdike at linux dot intel dot com

Graham Cobb

Sep 2, 2008, 7:10:07 PM
The bisection is complete. It took longer than I expected as many of the
versions git-bisect wanted to test would not build UML without tracking down
some additional patches.

The bug seems to have been introduced with git commit
3963333fe6767f15141ab2dc3b933721c636c212 (uml: cover stubs with a VMA).

Note the bisection didn't quite complete: the previous commit (git commit
42a2b54ce8c7b9d4f418995a7950e7e2e15e52ce (uml: clean up TASK_SIZE usage))
also causes a panic but it is different from the one reported in this bug and
occurs immediately init is started so I presume it is not the same problem.
The version before these two commits works.

With hindsight I suppose I could have guessed that would be the commit: the
crash seemed to be when unmapping a VMA. If my reading of the page flags is
correct the problem is that the page has the PG_reserved flag set, so what is
it doing in the VMA which is being unmapped?

Let me know if you want me to run some more tests, for example if you want to
add some printk's in the code to understand more about what is going on.
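
The bisection described in the message above ran into commits that would not build as UML and a neighbouring commit that panics in a different way. As an added example (not part of the original post, and not the script used for this bisection), the following shows an exit-code policy for `git bisect run` that skips both kinds of commit instead of misjudging them; the function names and the sample logs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): verdict policy for `git bisect run`.
# git bisect run reads the script's exit code: 0 = good, 125 = skip,
# any other code from 1 to 127 = bad.

# Signature of the panic being bisected, taken from the report above.
SIGNATURE='page_mapcount(page) went negative'

# classify BUILD_STATUS CONSOLE_LOG -> prints good | bad | skip
classify() {
    build_status=$1
    log=$2
    if [ "$build_status" -ne 0 ]; then
        echo skip; return 0        # commit does not build as UML
    fi
    if grep -qF "$SIGNATURE" "$log"; then
        echo bad; return 0         # the panic this bug is about
    fi
    if grep -qF 'Kernel panic' "$log"; then
        echo skip; return 0        # some other panic: commit cannot be judged
    fi
    echo good
}

# verdict_to_exit VERDICT -> prints the exit code git bisect run expects
verdict_to_exit() {
    case $1 in
        good) echo 0 ;;
        bad)  echo 1 ;;
        *)    echo 125 ;;
    esac
}

# demo: run the policy over three constructed console logs
demo() {
    dir=$(mktemp -d) || return 1
    printf 'Eeek! page_mapcount(page) went negative! (-1)\nKernel panic - not syncing: BUG!\n' > "$dir/target.log"
    printf 'Kernel panic - not syncing: constructed unrelated failure\n' > "$dir/other.log"
    printf 'constructed: build finished, guest shut down cleanly\n' > "$dir/clean.log"
    for name in target other clean; do
        verdict=$(classify 0 "$dir/$name.log")
        echo "$name: $verdict (exit $(verdict_to_exit "$verdict"))"
    done
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

When every remaining candidate is skipped, git bisect stops and lists the commits among which the first bad one must lie, which matches a bisection that "didn't quite complete".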

Jeff Dike

Sep 3, 2008, 4:10:14 PM
On Wed, Sep 03, 2008 at 12:01:19AM +0100, Graham Cobb wrote:
> The bisection is complete. It took longer than I expected as many of the
> versions git-bisect wanted to test would not build UML without tracking down
> some additional patches.
>
> The bug seems to have been introduced with git commit
> 3963333fe6767f15141ab2dc3b933721c636c212 (uml: cover stubs with a VMA).

Excellent, the backtrace now makes a bit of sense. It looks like the
VMAs at the top of the address space are being overmapped by a call to
mmap. The question is why does it look like there's a big enough hole
there, when it ends up unmapping the stubs in order to make room for
the mmap.

> With hindsight I suppose I could have guessed that would be the commit: the
> crash seemed to be when unmapping a VMA. If my reading of the page flags is
> correct the problem is that the page has the PG_reserved flag set, so what is
> it doing in the VMA which is being unmapped?

A page of kernel code is mapped into the process. This page (and all
other pages containing kernel text) is marked reserved during boot.

> Let me know if you want me to run some more tests, for example if you want to
> add some printk's in the code to understand more about what is going on.

I'm going to need some more information. I'll get back to you with a
patch...

Jeff

--
Work email - jdike at linux dot intel dot com
