https://bugzilla.novell.com/show_bug.cgi?id=811667
https://bugzilla.novell.com/show_bug.cgi?id=811667#c1
Michal Hocko
[28184.985135] BUG: Bad page map in process postgres pte:8000000086f6c067 pmd:84400067
[28184.985143] page:ffffea0001d85fa0 count:2 mapcount:-1 mapping:ffff88008dcfcec0 index:0x6092
[28184.985147] page flags: 0x20000000020038(uptodate|dirty|lru|mappedtodisk)
[28184.985160] addr:00007f196bf2c000 vm_flags:000000fb anon_vma: (null) mapping:ffff880117f65ef8 index:17f
[28184.985171] vma->vm_ops->fault: shm_fault+0x0/0x20
[28184.985178] vma->vm_file->f_op->mmap: shm_mmap+0x0/0x70

Which is an output from print_bad_pte called during page table tear down. Interesting thing is that the page ref count is still 2. The page is associated with shmem backed memory and it is still on the LRU list. Even more interesting thing is that page->mapping != vma->vm_file->f_mapping (ffff88008dcfcec0 vs ffff880117f65ef8).

Later on we tried to remove a shmem file (because the last reference to the file was dropped) and we encountered a mapped page while trying to remove it from the page cache. This shouldn't happen, however, because truncate_inode_page unmaps the page first before it gets down to delete_from_page_cache. It is holding page lock while it is doing that. So somebody must be racing with this removal without holding page lock.

[...]
[28185.086803] kernel BUG at /home/abuild/rpmbuild/BUILD/kernel-default-3.7.10/linux-3.7/mm/filemap.c:133!
[28185.086854] invalid opcode: 0000 [#1] SMP
[28185.086884] Modules linked in: [...]
[28185.087306] CPU 0
[28185.087318] Pid: 1792, comm: postgres Tainted: G B 3.7.10-1.1-default #1 HP ProLiant MicroServer
[28185.087388] RIP: 0010:[<ffffffff8110a42a>] [<ffffffff8110a42a>] __delete_from_page_cache+0x14a/0x150
[28185.087449] RSP: 0018:ffff8800d79f7c28 EFLAGS: 00010046
[28185.087478] RAX: 0000000000000000 RBX: ffffea0002b85fa0 RCX: 00000000ffffffe8
[28185.087507] RDX: 0000000000000018 RSI: 0000000000000017 RDI: ffff88011ffec6c0
[28185.087536] RBP: ffff880117f65ef8 R08: fec0000000000000 R09: a8000ae17f600000
[28185.087565] R10: 57ffdf1e83585fd8 R11: 0000000000000210 R12: 0000000000000000
[28185.087593] R13: ffff8800d79f7ce8 R14: 0000000000000007 R15: 000000000000017f
[28185.087624] FS: 00007f197157a7c0(0000) GS:ffff88011fc00000(0000) knlGS:00000000f73b86c0
[28185.087672] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[28185.087700] CR2: 0000000000b4bfa0 CR3: 00000000d787e000 CR4: 00000000000007f0
[28185.087729] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[28185.087758] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[28185.087788] Process postgres (pid: 1792, threadinfo ffff8800d79f6000, task ffff8801138ec580)
[28185.087835] Stack:
[28185.087858] 000000000000017f ffffea0002b85fa0 ffff880117f65ef8 ffffffff8110a599
[28185.087913] ffffea0002b85fa0 ffff880117f65ef8 ffffffffffffffff ffffffff81116b95
[28185.087966] ffffea0002b85fd8 ffff8800d79f7d58 0000000000000000 ffffffff81121a4f
[28185.088020] Call Trace:
[28185.088067] [<ffffffff8110a599>] delete_from_page_cache+0x39/0x80
[28185.088104] [<ffffffff81116b95>] truncate_inode_page+0x55/0x80
[28185.088140] [<ffffffff81121a4f>] shmem_undo_range+0x32f/0x780
[28185.088174] [<ffffffff81121eab>] shmem_truncate_range+0xb/0x30
[28185.088208] [<ffffffff811220c7>] shmem_evict_inode+0xd7/0x130
[28185.088245] [<ffffffff8117f5f3>] evict+0xa3/0x190
[28185.088280] [<ffffffff8117ba48>] d_kill+0xe8/0x140
[28185.088316] [<ffffffff8117c112>] dput+0xd2/0x1b0
[28185.088351] [<ffffffff81168208>] __fput+0x148/0x230
[28185.088385] [<ffffffff81063237>] task_work_run+0x97/0xd0
[28185.088422] [<ffffffff81002d09>] do_notify_resume+0x89/0xc0
[28185.088462] [<ffffffff8154f5aa>] int_signal+0x12/0x17
[28185.088505] [<00007f196f696157>] 0x7f196f696156
[28185.088531] Code: 85 f6 0f 88 22 ff ff ff 48 89 df e8 c1 a3 05 00 e9 15 ff ff ff 0f 1f 40 00 be 17 00 00 00 48 89 df e8 4b be 01 00 e9 34 ff ff ff <0f> 0b 0f 1f 40 00 48 83 ec 28 83 e2 fd 4c 89 6c 24 18 49 89 fd
[28185.088718] RIP [<ffffffff8110a42a>] __delete_from_page_cache+0x14a/0x150
[28185.088751] RSP <ffff8800d79f7c28>
[28185.089058] ---[ end trace 97ae46d0bbac0f94 ]---

The mapping is in the RBP register (from the disassembly of __delete_from_page_cache) and this matches vma->vm_file->f_mapping.

OK, this all sounds fishy but I would like to know more - what is the page->mapping and who uses that shmem segment. I have recently seen DRM code doing some nasty things about mappings (see bug 807850). This doesn't look like the same issue - at least not now - but who knows.
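
The pointer cross-checks made in the comment above can be scripted for triage of similar reports. This is an added example, not part of the original comment or of the kernel source: `parse_report` and `findings` are hypothetical helper names, the embedded log lines are copied from the report, and treating RBP as the mapping argument relies on the comment's own disassembly.

```python
import re

# Lines copied from the report above: print_bad_pte output plus the RBP line
# of the later oops in __delete_from_page_cache.
REPORT = """\
[28184.985135] BUG: Bad page map in process postgres pte:8000000086f6c067 pmd:84400067
[28184.985143] page:ffffea0001d85fa0 count:2 mapcount:-1 mapping:ffff88008dcfcec0 index:0x6092
[28184.985160] addr:00007f196bf2c000 vm_flags:000000fb anon_vma: (null) mapping:ffff880117f65ef8 index:17f
[28185.087536] RBP: ffff880117f65ef8 R08: fec0000000000000 R09: a8000ae17f600000
"""

# "page:" line: state of the struct page found behind the bad pte.
PAGE_RE = re.compile(r"page:(?P<page>[0-9a-f]+) count:(?P<count>-?\d+) "
                     r"mapcount:(?P<mapcount>-?\d+) mapping:(?P<mapping>\S+)")
# "addr:" line: the VMA that held the pte; its mapping is vm_file->f_mapping.
VMA_RE = re.compile(r"addr:(?P<addr>[0-9a-f]+) vm_flags:(?P<vm_flags>[0-9a-f]+) "
                    r"anon_vma:\s*(?:\(null\)|[0-9a-f]+) mapping:(?P<mapping>\S+)")
RBP_RE = re.compile(r"\bRBP: (?P<rbp>[0-9a-f]{16})")


def parse_report(text):
    """Return the page record, VMA record and RBP value; None where absent."""
    page, vma, rbp = PAGE_RE.search(text), VMA_RE.search(text), RBP_RE.search(text)
    return {"page": page.groupdict() if page else None,
            "vma": vma.groupdict() if vma else None,
            "rbp": rbp.group("rbp") if rbp else None}


def findings(rec):
    """Apply the three checks the comment makes by hand."""
    notes, page, vma = [], rec["page"], rec["vma"]
    if page and int(page["mapcount"]) < 0:
        notes.append(f"mapcount is negative ({page['mapcount']}) "
                     f"while count is {page['count']}")
    if page and vma and page["mapping"] != vma["mapping"]:
        notes.append(f"page->mapping {page['mapping']} != "
                     f"vma file mapping {vma['mapping']}")
    if vma and rec["rbp"] == vma["mapping"]:
        notes.append(f"oops RBP {rec['rbp']} equals vma file mapping")
    return notes


if __name__ == "__main__":
    for note in findings(parse_report(REPORT)):
        print(note)
```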