Oops on 2.6.14 (debian -1-smp pck)

Oops on 2.6.14 (debian -1-smp pck)

[Sandro Tosi]

Hi all,
I hope I'm going do the right think posting here this oops tracing:

Nov  5 00:00:39 morpheus kernel: kernel BUG at mm/rmap.c:487!
Nov  5 00:00:39 morpheus kernel: invalid operand: 0000 [#1]
Nov  5 00:00:39 morpheus kernel: SMP
Nov  5 00:00:39 morpheus kernel: Modules linked in: snd_ca0106
snd_ac97_codec snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd
soundcore snd_ac97_bus snd_page_alloc isofs sd_mod usb_storage
scsi_mod lp ipt_TCPMSS ipt_tcpmss iptable_filter ip_tables pppoe pppox
ipv6 af_packet ppp_generic slhc tsdev floppy pcspkr 8139cp i2c_viapro
via686a i2c_isa i2c_core shpchp pci_hotplug yealink via_agp usbhid
uhci_hcd usbcore pdc202xx_old e100 8139too mii parport_pc parport
agpgart
nls_iso8859_1 nls_cp437 vfat fat ide_cd cdrom unix ext3 jbd mbcache
dm_mod ide_disk ide_generic generic via82cxxx ide_core evdev mousedev
psmouse
Nov  5 00:00:39 morpheus kernel: CPU:    1
Nov  5 00:00:39 morpheus kernel: EIP:    0060:[page_remove_rmap+73/96]
   Not tainted VLI
Nov  5 00:00:39 morpheus kernel: EFLAGS: 00010286   (2.6.14-1-686-smp)
Nov  5 00:00:39 morpheus kernel: EIP is at page_remove_rmap+0x49/0x60
Nov  5 00:00:39 morpheus kernel: eax: ffffffff   ebx: c1630740   ecx:
00000038   edx: c1630740
Nov  5 00:00:39 morpheus kernel: esi: f0b73218   edi: c180e840   ebp:
08086000   esp: f223ddb8
Nov  5 00:00:39 morpheus kernel: ds: 007b   es: 007b   ss: 0068
Nov  5 00:00:39 morpheus kernel: Process metacity (pid: 6915,
threadinfo=f223c000 task=f3e9ba90)
Nov  5 00:00:39 morpheus kernel: Stack: c015245d c1630740 c01572cf
c1630740 00000000 f7b64084 080bd000 080bd000
Nov  5 00:00:39 morpheus kernel:        080bcfff c0157455 c180e840
f7b64080 08048000 080bd000 00000000 00075000
Nov  5 00:00:39 morpheus kernel:        080bd000 f10816a4 0038b000
c0157582 c180e840 f10816a4 08048000 080bd000
Nov  5 00:00:39 morpheus kernel: Call Trace:
Nov  5 00:00:39 morpheus kernel:  [mark_page_accessed+45/64]
mark_page_accessed+0x2d/0x40
Nov  5 00:00:39 morpheus kernel:  [zap_pte_range+415/656]
zap_pte_range+0x19f/0x290
Nov  5 00:00:39 morpheus kernel:  [unmap_page_range+149/208]
unmap_page_range+0x95/0xd0
Nov  5 00:00:39 morpheus kernel:  [unmap_vmas+242/624] unmap_vmas+0xf2/0x270
Nov  5 00:00:39 morpheus kernel:  [exit_mmap+161/400] exit_mmap+0xa1/0x190
Nov  5 00:00:39 morpheus kernel:  [mmput+56/160] mmput+0x38/0xa0
Nov  5 00:00:39 morpheus kernel:  [do_exit+225/1024] do_exit+0xe1/0x400
Nov  5 00:00:39 morpheus kernel:  [do_group_exit+64/176] do_group_exit+0x40/0xb0
Nov  5 00:00:39 morpheus kernel:  [get_signal_to_deliver+546/832]
get_signal_to_deliver+0x222/0x340
Nov  5 00:00:39 morpheus kernel:  [do_signal+109/368] do_signal+0x6d/0x170
Nov  5 00:00:39 morpheus kernel:  [do_pollfd+97/192] do_pollfd+0x61/0xc0
Nov  5 00:00:39 morpheus kernel:  [do_poll+106/208] do_poll+0x6a/0xd0
Nov  5 00:00:39 morpheus kernel:  [do_page_fault+576/1770]
do_page_fault+0x240/0x6ea
Nov  5 00:00:39 morpheus kernel:  [do_page_fault+0/1770] do_page_fault+0x0/0x6ea
Nov  5 00:00:39 morpheus kernel:  [do_notify_resume+40/56]
do_notify_resume+0x28/0x38
Nov  5 00:00:39 morpheus kernel:  [work_notifysig+19/25]
work_notifysig+0x13/0x19
Nov  5 00:00:39 morpheus kernel: Code: 89 f6 8b 42 08 40 78 23 b8 ff
ff ff ff 89 44 24 04 c7 04 24 10 00 00 00 e8 75 e2 fe ff 83 c4 08 c3
0f 0b e4 01 47 da 2e c0 eb c5 <0f> 0b e7 01 47 da 2e c0 eb d3 8d b6 00
00 00 00 8d bc 27 00 00
Nov  5 00:00:39 morpheus kernel:  <1>Fixing recursive fault but reboot
is needed!

And yes, a reboot was needed to give me control back to ws. I was
coping a file with nautilus when that error happens.

I'm using

# uname -a
Linux morpheus 2.6.14-1-686-smp #1 SMP Fri Oct 28 17:07:07 JST 2005
i686 GNU/Linux

kernel version, from the debian package linux-image-2.6.14-1-686-smp

If you need some more informations, I'll try to provide them...

Thanks & regards

--
Sandro Tosi (aka Morpheus, matrixhasu)
My (little) site: http://matrixhasu.altervista.org/

Re: Oops on 2.6.14 (debian -1-smp pck)

[Hugh Dickins]

On Sat, 5 Nov 2005, Sandro Tosi wrote:
> I hope I'm going do the right think posting here this oops tracing:

You are, thanks for the report.

> Nov  5 00:00:39 morpheus kernel: kernel BUG at mm/rmap.c:487!
> Nov  5 00:00:39 morpheus kernel: EIP:    0060:[page_remove_rmap+73/96]
> Nov  5 00:00:39 morpheus kernel: Process metacity (pid: 6915,
> threadinfo=f223c000 task=f3e9ba90)
> 
> And yes, a reboot was needed to give me control back to ws. I was
> coping a file with nautilus when that error happens.

A dozen or more people have reported this rmap.c BUG over the last
year.  About half the cases get resolved as bad memory (try memtest86
overnight) or overheating or something like that; and half unresolved.

I've updated my usual debug patch to 2.6.14, here it is below.  If you'd
like to apply that patch, rebuild and run with the new kernel, it will
give us a little more information if it happens again (and may well
allow you to continue working, gathering more messages, without reboot).
If it does trigger, please send me any "Bad rmap" or "Bad page state"
messages logged, and I'll try to see if they shed any light.

If you can reproduce the problem at will, that would be very helpful;
but few have been able to do so.

Thanks,
Hugh

--- 2.6.14/arch/ia64/lib/swiotlb.c	2005-10-28 01:02:08.000000000 +0100
+++ linux/arch/ia64/lib/swiotlb.c	2005-11-05 19:32:12.000000000 +0000
@@ -449,6 +449,7 @@ swiotlb_map_single(struct device *hwdev,
 static void
 mark_clean(void *addr, size_t size)
 {
+#ifndef CONFIG_X86_64	/* Yes, arch/x86_64 builds this too */
 	unsigned long pg_addr, end;
 
 	pg_addr = PAGE_ALIGN((unsigned long) addr);
@@ -458,6 +459,7 @@ mark_clean(void *addr, size_t size)
 		set_bit(PG_arch_1, &page->flags);
 		pg_addr += PAGE_SIZE;
 	}
+#endif
 }
 
 /*
--- 2.6.14/arch/x86_64/ia32/syscall32.c	2005-10-28 01:02:08.000000000 +0100
+++ linux/arch/x86_64/ia32/syscall32.c	2005-11-05 19:32:12.000000000 +0000
@@ -25,7 +25,7 @@ static struct page *
 syscall32_nopage(struct vm_area_struct *vma, unsigned long adr, int *type)
 {
 	struct page *p = virt_to_page(adr - vma->vm_start + syscall32_page);
-	get_page(p);
+	SetPageReserved(p);
 	return p;
 }
 
--- 2.6.14/include/linux/rmap.h	2005-08-29 00:41:01.000000000 +0100
+++ linux/include/linux/rmap.h	2005-11-05 19:32:12.000000000 +0000
@@ -72,7 +72,7 @@ void __anon_vma_link(struct vm_area_stru
  */
 void page_add_anon_rmap(struct page *, struct vm_area_struct *, unsigned long);
 void page_add_file_rmap(struct page *);
-void page_remove_rmap(struct page *);
+void page_remove_rmap(struct page *, struct vm_area_struct *, unsigned long);
 
 /**
  * page_dup_rmap - duplicate pte mapping to a page
--- 2.6.14/mm/fremap.c	2005-10-28 01:02:08.000000000 +0100
+++ linux/mm/fremap.c	2005-11-05 19:32:12.000000000 +0000
@@ -37,7 +37,7 @@ static inline void zap_pte(struct mm_str
 			if (!PageReserved(page)) {
 				if (pte_dirty(pte))
 					set_page_dirty(page);
-				page_remove_rmap(page);
+				page_remove_rmap(page, vma, addr);
 				page_cache_release(page);
 				dec_mm_counter(mm, rss);
 			}
--- 2.6.14/mm/memory.c	2005-10-28 01:02:08.000000000 +0100
+++ linux/mm/memory.c	2005-11-05 19:32:12.000000000 +0000
@@ -526,6 +526,7 @@ int copy_page_range(struct mm_struct *ds
 }
 
 static void zap_pte_range(struct mmu_gather *tlb, pmd_t *pmd,
+				struct vm_area_struct *vma,
 				unsigned long addr, unsigned long end,
 				struct zap_details *details)
 {
@@ -579,7 +580,7 @@ static void zap_pte_range(struct mmu_gat
 			else if (pte_young(ptent))
 				mark_page_accessed(page);
 			tlb->freed++;
-			page_remove_rmap(page);
+			page_remove_rmap(page, vma, addr);
 			tlb_remove_page(tlb, page);
 			continue;
 		}
@@ -597,6 +598,7 @@ static void zap_pte_range(struct mmu_gat
 }
 
 static inline void zap_pmd_range(struct mmu_gather *tlb, pud_t *pud,
+				struct vm_area_struct *vma,
 				unsigned long addr, unsigned long end,
 				struct zap_details *details)
 {
@@ -608,11 +610,12 @@ static inline void zap_pmd_range(struct 
 		next = pmd_addr_end(addr, end);
 		if (pmd_none_or_clear_bad(pmd))
 			continue;
-		zap_pte_range(tlb, pmd, addr, next, details);
+		zap_pte_range(tlb, pmd, vma, addr, next, details);
 	} while (pmd++, addr = next, addr != end);
 }
 
 static inline void zap_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
+				struct vm_area_struct *vma,
 				unsigned long addr, unsigned long end,
 				struct zap_details *details)
 {
@@ -624,7 +627,7 @@ static inline void zap_pud_range(struct 
 		next = pud_addr_end(addr, end);
 		if (pud_none_or_clear_bad(pud))
 			continue;
-		zap_pmd_range(tlb, pud, addr, next, details);
+		zap_pmd_range(tlb, pud, vma, addr, next, details);
 	} while (pud++, addr = next, addr != end);
 }
 
@@ -645,7 +648,7 @@ static void unmap_page_range(struct mmu_
 		next = pgd_addr_end(addr, end);
 		if (pgd_none_or_clear_bad(pgd))
 			continue;
-		zap_pud_range(tlb, pgd, addr, next, details);
+		zap_pud_range(tlb, pgd, vma, addr, next, details);
 	} while (pgd++, addr = next, addr != end);
 	tlb_end_vma(tlb, vma);
 }
@@ -1313,7 +1316,7 @@ static int do_wp_page(struct mm_struct *
 		if (PageReserved(old_page))
 			inc_mm_counter(mm, rss);
 		else
-			page_remove_rmap(old_page);
+			page_remove_rmap(old_page, vma, address);
 		flush_cache_page(vma, address, pfn);
 		break_cow(vma, new_page, address, page_table);
 		lru_cache_add_active(new_page);
--- 2.6.14/mm/rmap.c	2005-10-28 01:02:08.000000000 +0100
+++ linux/mm/rmap.c	2005-11-05 19:32:12.000000000 +0000
@@ -466,8 +466,12 @@ void page_add_anon_rmap(struct page *pag
 void page_add_file_rmap(struct page *page)
 {
 	BUG_ON(PageAnon(page));
-	if (!pfn_valid(page_to_pfn(page)) || PageReserved(page))
+	if (!pfn_valid(page_to_pfn(page)))
 		return;
+	if (PageReserved(page)) {
+		set_bit(PG_arch_1, &page->flags);
+		return;
+	}
 
 	if (atomic_inc_and_test(&page->_mapcount))
 		inc_page_state(nr_mapped);
@@ -479,12 +483,43 @@ void page_add_file_rmap(struct page *pag
  *
  * Caller needs to hold the mm->page_table_lock.
  */
-void page_remove_rmap(struct page *page)
+void page_remove_rmap(struct page *page,
+	struct vm_area_struct *vma, unsigned long address)
 {
+	struct address_space *mapping = NULL;
+	unsigned long index;
+
 	BUG_ON(PageReserved(page));
 
+	index = (address - vma->vm_start) >> PAGE_SHIFT;
+	index += vma->vm_pgoff;
+
+	if (PageAnon(page))
+		mapping = (void *) vma->anon_vma + PAGE_MAPPING_ANON;
+	else if (!(vma->vm_flags & (VM_IO|VM_RESERVED)))
+		mapping = vma->vm_file? vma->vm_file->f_mapping: (void *)(-1);
+
+	if (page_mapcount(page) <= 0 || page_count(page) <= 0 ||
+	    (mapping && (mapping != page->mapping || index != page->index)) ||
+	    test_bit(PG_arch_1, &page->flags) /* was PageReserved before */) {
+		pgd_t *pgd = pgd_offset(vma->vm_mm, address);
+		pud_t *pud = pud_offset(pgd, address);
+		pmd_t *pmd = pmd_offset(pud, address);
+		unsigned long ptpfn = pmd_val(*pmd) >> PAGE_SHIFT;
+
+		printk(KERN_ERR "Bad rmap: "
+			"page %p flags %lx count %d mapcount %d\n",
+			page, (unsigned long)page->flags,
+			page_count(page), page_mapcount(page));
+		printk(KERN_ERR "  %s addr %lx ptpfn %lx vm_flags %lx\n",
+			current->comm, address, ptpfn, vma->vm_flags);
+		printk(KERN_ERR "  page mapping %p %lx vma mapping %p %lx\n",
+			page->mapping, page->index, mapping, index);
+		get_page(page);	/* corrupt, so leak rather than free it */
+		return;
+	}
+
 	if (atomic_add_negative(-1, &page->_mapcount)) {
-		BUG_ON(page_mapcount(page) < 0);
 		/*
 		 * It would be tidy to reset the PageAnon mapping here,
 		 * but that might overwrite a racing page_add_anon_rmap
@@ -560,7 +595,7 @@ static int try_to_unmap_one(struct page 
 	}
 
 	dec_mm_counter(mm, rss);
-	page_remove_rmap(page);
+	page_remove_rmap(page, vma, address);
 	page_cache_release(page);
 
 out_unmap:
@@ -661,7 +696,7 @@ static void try_to_unmap_cluster(unsigne
 		if (pte_dirty(pteval))
 			set_page_dirty(page);
 
-		page_remove_rmap(page);
+		page_remove_rmap(page, vma, address);
 		page_cache_release(page);
 		dec_mm_counter(mm, rss);
 		(*mapcount)--;