From: rtm@csail.mit.edu
To: Paul Walmsley <paul.walmsley@sifive.com>,
Palmer Dabbelt <palmer@dabbelt.com>,
Albert Ou <aou@eecs.berkeley.edu>,
Alexandre Ghiti <alex@ghiti.fr>
Cc: linux-riscv@lists.infradead.org
Subject: futex(0x1ffffff81300000) on risc-v -> mm panic
Date: Wed, 18 Jun 2025 07:10:28 -0400 [thread overview]
Message-ID: <77605.1750245028@localhost> (raw)
This program on risc-v:
main(){
futex((void*) 0x1ffffff81300000, FUTEX_WAIT, 0, 0, 0, 0);
}
results in:
BUG: Bad page state in process a.out pfn:81500
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x81500
flags: 0x2000(reserved|zone=0)
raw: 0000000000002000 ff1c000000054008 ff1c000000054008 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
Modules linked in:
CPU: 0 UID: 0 PID: 105 Comm: a.out Not tainted 6.16.0-rc2-00067-gb61aa0e0059b #566 NONE
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80025b62>] dump_backtrace+0x1c/0x24
[<ffffffff800023b8>] show_stack+0x28/0x34
[<ffffffff800205d2>] dump_stack_lvl+0x48/0x66
[<ffffffff80020604>] dump_stack+0x14/0x1c
[<ffffffff80262098>] bad_page+0x118/0x15c
[<ffffffff80264e96>] __free_frozen_pages+0x494/0x650
[<ffffffff80266fe2>] free_frozen_pages+0xe/0x16
[<ffffffff8020926c>] __folio_put+0x60/0xae
[<ffffffff800ec23a>] get_futex_key+0x2da/0x44e
[<ffffffff800f0474>] futex_wait_setup+0x52/0x23a
[<ffffffff800f06da>] __futex_wait+0x7e/0xd8
[<ffffffff800f0782>] futex_wait+0x4e/0xbc
[<ffffffff800ed3a0>] do_futex+0x74/0x100
[<ffffffff800ed4f4>] __riscv_sys_futex+0xc8/0x148
[<ffffffff811e4930>] do_trap_ecall_u+0x84/0x11a
[<ffffffff811f0b0e>] handle_exception+0x146/0x152
Disabling lock debugging due to kernel taint
and after running this program a few more times:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x81500
flags: 0x2000(reserved|zone=0)
raw: 0000000000002000 ff1c000000054008 ff1c000000054008 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0)
------------[ cut here ]------------
kernel BUG at ./include/linux/mm.h:1034!
Kernel BUG [#1]
Modules linked in:
CPU: 0 UID: 0 PID: 110 Comm: a.out Tainted: G B 6.16.0-rc2-00067-gb61aa0e0059b #566 NONE
Tainted: [B]=BAD_PAGE
Hardware name: riscv-virtio,qemu (DT)
epc : get_futex_key+0x23c/0x44e
ra : get_futex_key+0x23c/0x44e
...
[<ffffffff800ec19c>] get_futex_key+0x23c/0x44e
[<ffffffff800f0474>] futex_wait_setup+0x52/0x23a
[<ffffffff800f06da>] __futex_wait+0x7e/0xd8
[<ffffffff800f0782>] futex_wait+0x4e/0xbc
[<ffffffff800ed3a0>] do_futex+0x74/0x100
[<ffffffff800ed4f4>] __riscv_sys_futex+0xc8/0x148
[<ffffffff811e4930>] do_trap_ecall_u+0x84/0x11a
[<ffffffff811f0b0e>] handle_exception+0x146/0x152
Code: bdad a597 017c 8593 fa65 8526 7097 0014 80e7 a4a0 (9002) 8785
---[ end trace 0000000000000000 ]---
Kernel panic - not syncing: Fatal exception in interrupt
get_futex_key() calls get_user_pages_fast(), which returns a
PG_reserved page in one of the reserve_bootmem_region() areas. Beyond
that I do not understand the situation.
Robert Morris
rtm@mit.edu
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
next reply other threads:[~2025-06-18 12:59 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-18 11:10 rtm [this message]
2025-06-18 13:25 ` futex(0x1ffffff81300000) on risc-v -> mm panic Nam Cao
2025-06-18 18:27 ` rtm
2025-06-18 19:58 ` Palmer Dabbelt
2025-06-18 21:32 ` Nam Cao
2025-06-19 12:35 ` Alexandre Ghiti
2025-06-19 13:30 ` rtm
2025-06-19 16:02 ` Nam Cao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=77605.1750245028@localhost \
--to=rtm@csail.mit.edu \
--cc=alex@ghiti.fr \
--cc=aou@eecs.berkeley.edu \
--cc=linux-riscv@lists.infradead.org \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox