2.3.47: __free_pages_ok on locked page

From: David Wragg (dpw@doc.ic.ac.uk)
Date: Wed Mar 01 2000 - 13:38:42 EST

Next message: Andrea Arcangeli: "Re: lowlatency-2.2.14-B1 + 2.2.14aa7 fixes crash, but..."
Previous message: Dunlap, Randy: "RE: [PATCH] trivial little Makefile patch (2.3.49-2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The resulting oops is below.

It happens because this comment does not hold:

  /*
   * This will never put the page into the free list, the caller has
   * a reference on the page.
   */
  void delete_from_swap_cache_nolock(struct page *page)

Since in free_page_and_swap_cache we got to the
delete_from_swap_cache_nolock(page) because is_page_shared(page) was
false, page_count(page) must be 1, and so
delete_from_swap_cache_nolock ends up trying to free the locked page.

kernel BUG at page_alloc.c:89!
invalid operand: 0000
CPU: 0
EIP: 0010:[<c012a79b>]
Using defaults from ksymoops -t elf32-i386 -a i386
EFLAGS: 00010296
eax: 0000001f ebx: c10008c0 ecx: 0000002a edx: 00000000
esi: 00000001 edi: c5cdc400 ebp: 00000000 esp: c5c81e48
ds: 0018 es: 0018 ss: 0018
Process tcpdump (pid: 8703, stackpage=c5c81000)
Stack: c01e4647 c01e4813 00000059 c10008c0 00000001 c5cdc400 00000001 0024e500
       00000001 c10008c0 00000001 c012af16 c012af2c c10008c0 c012afa0 c10008c0
       00000300 0006d000 c01212ca c10008c0 c0bf28e0 0806d000 c7fa90e0 07524000
Call Trace: [<c01e4647>] [<c01e4813>] [<c012af16>] [<c012af2c>] [<c012afa0>] [<c01212ca>] [<c0123748>]
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                these first three are bogus
       [<c011647d>] [<c011ba32>] [<c010ae77>] [<c01a9aa3>] [<c0114de2>] [<c010b030>]
Code: 0f 0b 83 c4 0c 8b 73 44 c7 44 24 1c ff ff ff ff 89 e9 d3 64

>>EIP; c012a79b <__free_pages_ok+7b/228> <=====
Trace; c012af2c <delete_from_swap_cache_nolock+44/48>
Trace; c012afa0 <free_page_and_swap_cache+44/7c>
Trace; c01212ca <zap_page_range+176/1f4>
Trace; c0123748 <exit_mmap+b8/11c>
Trace; c011647d <mmput+15/2c>
Trace; c011ba32 <do_exit+14a/340>
Trace; c010ae77 <do_signal+20b/2a0>
Trace; c01a9aa3 <net_rx_action+123/1e8>
Trace; c0114de2 <schedule+2ba/448>
Trace; c010b030 <signal_return+14/18>
Code; c012a79b <__free_pages_ok+7b/228>
00000000 <_EIP>:
Code; c012a79b <__free_pages_ok+7b/228> <=====
   0: 0f 0b ud2a <=====
Code; c012a79d <__free_pages_ok+7d/228>
   2: 83 c4 0c addl $0xc,%esp
Code; c012a7a0 <__free_pages_ok+80/228>
   5: 8b 73 44 movl 0x44(%ebx),%esi
Code; c012a7a3 <__free_pages_ok+83/228>
   8: c7 44 24 1c ff ff ff movl $0xffffffff,0x1c(%esp,1)
Code; c012a7aa <__free_pages_ok+8a/228>
   f: ff
Code; c012a7ab <__free_pages_ok+8b/228>
  10: 89 e9 movl %ebp,%ecx
Code; c012a7ad <__free_pages_ok+8d/228>
  12: d3 64 00 00 shll %cl,0x0(%eax,%eax,1)

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andrea Arcangeli: "Re: lowlatency-2.2.14-B1 + 2.2.14aa7 fixes crash, but..."
Previous message: Dunlap, Randy: "RE: [PATCH] trivial little Makefile patch (2.3.49-2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Tue Mar 07 2000 - 21:00:10 EST