From: Matthew Wilcox <willy@infradead.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: David Airlie <airlied@linux.ie>,
bugzilla-daemon@bugzilla.kernel.org,
dri-devel@lists.freedesktop.org, linux-mm@kvack.org,
Huang Rui <ray.huang@amd.com>,
petr@vandrovec.name, Christian Koenig <christian.koenig@amd.com>
Subject: Re: [Bug 204407] New: Bad page state in process Xorg
Date: Fri, 2 Aug 2019 13:33:44 -0700 [thread overview]
Message-ID: <20190802203344.GD5597@bombadil.infradead.org> (raw)
In-Reply-To: <20190802132306.e945f4420bc2dcddd8d34f75@linux-foundation.org>
On Fri, Aug 02, 2019 at 01:23:06PM -0700, Andrew Morton wrote:
> > [259701.387365] BUG: Bad page state in process Xorg pfn:2a300
> > [259701.393593] page:ffffea0000a8c000 refcount:0 mapcount:-128
> > mapping:0000000000000000 index:0x0
mapcount -128 is PAGE_MAPCOUNT_RESERVE, aka PageBuddy. I think somebody
called put_page() once more than they should have. The one before this
caused it to be freed to the page allocator, which set PageBuddy. Then
this one happened and we got a complaint.
> > [259701.402832] flags: 0x2000000000000000()
> > [259701.407426] raw: 2000000000000000 ffffffff822ab778 ffffea0000a8f208
> > 0000000000000000
> > [259701.415900] raw: 0000000000000000 0000000000000003 00000000ffffff7f
> > 0000000000000000
> > [259701.424373] page dumped because: nonzero mapcount
It occurs to me that when a page is freed, we could record some useful bits
of information in the page from the stack trace to help debug double-free
situations. Even just stashing __builtin_return_address in page->mapping
would be helpful, I think.
> > [259701.549382] Call Trace:
> > [259701.549382] dump_stack+0x46/0x60
> > [259701.549382] bad_page.cold.28+0x81/0xb4
> > [259701.549382] __free_pages_ok+0x236/0x240
> > [259701.549382] __ttm_dma_free_page+0x2f/0x40
> > [259701.549382] ttm_dma_unpopulate+0x29b/0x370
> > [259701.549382] ttm_tt_destroy.part.6+0x44/0x50
> > [259701.549382] ttm_bo_cleanup_memtype_use+0x29/0x70
> > [259701.549382] ttm_bo_put+0x225/0x280
> > [259701.549382] ttm_bo_vm_close+0x10/0x20
> > [259701.549382] remove_vma+0x20/0x40
> > [259701.549382] __do_munmap+0x2da/0x420
> > [259701.549382] __vm_munmap+0x66/0xc0
> > [259701.549382] __x64_sys_munmap+0x22/0x30
> > [259701.549382] do_syscall_64+0x5e/0x1a0
> > [259701.549382] ? prepare_exit_to_usermode+0x75/0xa0
> > [259701.549382] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > [259701.549382] RIP: 0033:0x7f504d0ec1d7
> > [259701.549382] Code: 10 e9 67 ff ff ff 0f 1f 44 00 00 48 8b 15 b1 6c 0c 00 f7
> > d8 64 89 02 48 c7 c0 ff ff ff ff e9 6b ff ff ff b8 0b 00 00 00 0f 05 <48> 3d 01
> > f0 ff ff 73 01 c3 48 8b 0d 89 6c 0c 00 f7 d8 64 89 01 48
> > [259701.549382] RSP: 002b:00007ffe529db138 EFLAGS: 00000206 ORIG_RAX:
> > 000000000000000b
> > [259701.549382] RAX: ffffffffffffffda RBX: 0000564a5eabce70 RCX:
> > 00007f504d0ec1d7
> > [259701.549382] RDX: 00007ffe529db140 RSI: 0000000000400000 RDI:
> > 00007f5044b65000
> > [259701.549382] RBP: 0000564a5eafe460 R08: 000000000000000b R09:
> > 000000010283e000
> > [259701.549382] R10: 0000000000000001 R11: 0000000000000206 R12:
> > 0000564a5e475b08
> > [259701.549382] R13: 0000564a5e475c80 R14: 00007ffe529db190 R15:
> > 0000000000000c80
> > [259701.707238] Disabling lock debugging due to kernel taint
>
> I assume the above is misbehaviour in the DRM code?
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
next prev parent reply other threads:[~2019-08-02 20:33 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <bug-204407-27@https.bugzilla.kernel.org/>
2019-08-02 20:23 ` [Bug 204407] New: Bad page state in process Xorg Andrew Morton
2019-08-02 20:33 ` Matthew Wilcox [this message]
2019-08-02 21:17 ` Qian Cai
2019-08-02 22:59 ` Matthew Wilcox
[not found] ` <CA+i2_Dc-VrOUk8EVThwAE5HZ1-zFqONuW8Gojv+16UPsAqoM1Q@mail.gmail.com>
2019-08-15 14:32 ` Vlastimil Babka
2019-08-15 19:13 ` Petr Vandrovec
2019-08-16 12:47 ` Vlastimil Babka
2019-08-16 12:52 ` Joerg Roedel
2019-08-17 0:20 ` Petr Vandrovec
2019-08-19 14:44 ` Vlastimil Babka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190802203344.GD5597@bombadil.infradead.org \
--to=willy@infradead.org \
--cc=airlied@linux.ie \
--cc=akpm@linux-foundation.org \
--cc=bugzilla-daemon@bugzilla.kernel.org \
--cc=christian.koenig@amd.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=linux-mm@kvack.org \
--cc=petr@vandrovec.name \
--cc=ray.huang@amd.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).