
Bug#503821: linux-image-2.6.26-1-xen-amd64: Kernel crash in Dom0 (Eeek! page_mapcount(page) went negative! (-1))



* Bastian Blank <waldi@debian.org> [2008-10-30 10:50:03]:

> I committed a workaround, to be exact an update for a workaround. I was
> no longer able to trigger that under load. Please test the snapshots[1]
> tomorrow (2.6.26-10~snapshot.12362 or higher).

Now I've tested the workaround, and I'm sorry to say that it doesn't help.

[    0.000000] Linux version 2.6.26-1-xen-amd64 (Debian 2.6.26-10~snapshot.12362) (waldi@debian.org) (gcc version 4.1.3 20080623 (prerelease) (Debian 4.1.2-23+1)) #1 SMP Fri Oct 31 03:53:45 UTC 2008

[  200.424526] Eeek! page_mapcount(page) went negative! (-1)
[  200.424637]   page pfn = 4
[  200.424937]   page->flags = 0
[  200.424937]   page->count = 0
[  200.424937]   page->mapping = 0000000000000000
[  200.424937]   vma->vm_ops = 0x0
[  200.424937] ------------[ cut here ]------------
[  200.424937] kernel BUG at mm/rmap.c:673!
[  200.424937] invalid opcode: 0000 [1] SMP
[  200.425856] CPU 0
[  200.425856] Modules linked in: bridge netloop video output ac battery microcode firmware_class nfsd auth_rpcgss exportfs nfs lockd nfs_acl sunrpc ipv6 xfs reiserfs ext2 sha256_generic aes_x86_64 aes_generic cbc dm_crypt crypto_blkcipher raid456 async_xor async_memcpy async_tx xor loop iTCO_wdt serio_raw pcspkr i2c_i801 psmouse rng_core i2c_core container shpchp pci_hotplug button i3000_edac edac_core evdev joydev ext3 jbd mbcache dm_mirror dm_log dm_snapshot dm_mod raid1 md_mod ide_cd_mod cdrom ide_pci_generic usbhid hid ff_memless piix ata_piix ide_core sd_mod floppy ata_generic ehci_hcd uhci_hcd sata_sil24 libata 3w_9xxx dock e1000e scsi_mod thermal processor fan thermal_sys
[  200.429852] Pid: 6332, comm: a.out Not tainted 2.6.26-1-xen-amd64 #1
[  200.429852] RIP: e030:[<ffffffff8027c550>]  [<ffffffff8027c550>] page_remove_rmap+0xfb/0x117
[  200.429852] RSP: e02b:ffff880071aabdc8  EFLAGS: 00010246
[  200.429852] RAX: 0000000000000000 RBX: ffff88000235a0e0 RCX: ffffffff80501fc8
[  200.429852] RDX: ffffffffff5f7000 RSI: 0000000000000001 RDI: ffffffff80501fc0
[  200.429852] RBP: ffff880071a577c8 R08: ffffffff80501fb0 R09: ffff880001b48f08
[  200.429852] R10: ffff880071aaba58 R11: 0000000000015382 R12: ffff88000235a0e0
[  200.429852] R13: ffff880000c010d8 R14: ffff88007d426840 R15: ffff880002384048
[  200.429852] FS:  00007f41ff3e36e0(0000) GS:ffffffff80539000(0000) knlGS:0000000000000000
[  200.429852] CS:  e033 DS: 0000 ES: 0000
[  200.429852] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  200.429852] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[  200.429852] Process a.out (pid: 6332, threadinfo ffff880071aaa000, task ffff880071ad8500)
[  200.429852] Stack:  ffff8800717f08d0 0000000000004800 000000322061b000 ffffffff80273239
[  200.429852]  0000000000000206 0000000000000000 ffff880071aabec8 ffffffffffffffff
[  200.429852]  0000000000000000 ffff880071a577c8 ffff880071aabed0 000000000003628e
[  200.429852] Call Trace:
[  200.429852]  [<ffffffff80273239>] ? unmap_vmas+0x744/0xa49
[  200.429852]  [<ffffffff80278567>] ? exit_mmap+0x7b/0xf7
[  200.429852]  [<ffffffff8022a73d>] ? mmput+0x2c/0xc0
[  200.429852]  [<ffffffff8022fef8>] ? do_exit+0x25a/0x6ce
[  200.429852]  [<ffffffff80230412>] ? do_group_exit+0xa6/0xdc
[  200.429852]  [<ffffffff8020b528>] ? system_call+0x68/0x6d
[  200.429852]  [<ffffffff8020b4c0>] ? system_call+0x0/0x6d
[  200.429852]
[  200.429852]
[  200.429852] Code: 80 e8 18 0c fd ff 48 8b 85 90 00 00 00 48 85 c0 74 19 48 8b 40 20 48 85 c0 74 10 48 8b 70 58 48 c7 c7 e1 52 4b 80 e8 f3 0b fd ff <0f> 0b eb fe 8b 77 18 41 58 5b 5d 83 e6 01 f7 de 83 c6 04 e9 64
[  200.429852] RIP  [<ffffffff8027c550>] page_remove_rmap+0xfb/0x117
[  200.429852]  RSP <ffff880071aabdc8>
[  200.439529] ---[ end trace 10482cbe68c8d062 ]---
[  200.439619] Fixing recursive fault but reboot is needed!

My ugly test program crashed directly on this one as well.

Best Regards,
/LM
