Package: linux-2.6
Version: 2.6.26-13lenny2

I got the following BUG in my logs. This is on a system with very little memory.

kernel: [4205017.800545] sed[4196]: segfault at 13b0f4 ip b7e7c013 sp bfe7eb70 error 4 in libc-2.7.so[b7e21000+138000]
kernel: [4205017.801686] ------------[ cut here ]------------
kernel: [4205017.801780] kernel BUG at mm/mmap.c:2075!
kernel: [4205017.801852] invalid opcode: 0000 [#1]
kernel: [4205017.801923] Modules linked in: apm ip6t_REJECT ip6table_filter ip6_tables iptable_nat nf_nat ipt_REJECT xt_tcpudp ipt_LOG xt_limit nf_conntrack_ipv4 xt_state nf_conntrack iptable_filter ip_tables x_tables 3c509 ipv6 parport_pc parport snd_pcm snd_timer snd soundcore snd_page_alloc evdev psmouse pcspkr ext3 jbd mbcache ide_cd_mod cdrom ide_disk ata_generic libata scsi_mod dock piix ide_pci_generic ide_core floppy thermal_sys
kernel: [4205017.802631]
kernel: [4205017.802696] Pid: 4196, comm: sed Not tainted (2.6.26-1-486 #1)
kernel: [4205017.802796] EIP: 0060:[<c0157dde>] EFLAGS: 00010202 CPU: 0
kernel: [4205017.802920] EIP is at exit_mmap+0xae/0xb8
kernel: [4205017.802920] EAX: 00000000 EBX: c0e0de84 ECX: c1409da0 EDX: c18fc56c
kernel: [4205017.802920] ESI: c1e49220 EDI: 00000000 EBP: c0e0df10 ESP: c0e0de80
kernel: [4205017.802920] DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068
kernel: [4205017.802920] Process sed (pid: 4196, ti=c0e0c000 task=c1fb3640 task.ti=c0e0c000)
kernel: [4205017.802920] Stack: 00000048 c03c9008 c1e49220 c1fb3640 c1d3ab6c c0119e4b 0000000b c011e052
kernel: [4205017.802920] 00000001 c0e0dea4 c0e0dea4 c0122a3f 0000000b 0000000b c1d3ab6c c0e0df10
kernel: [4205017.802920] c011e471 000000dc c0124b9f c0e0dfb8 c0e0df90 c1d3aaa0 c1cdfc20 b7f5aff4
kernel: [4205017.802920] Call Trace:
kernel: [4205017.802920] [<c0119e4b>] mmput+0x1b/0x67
kernel: [4205017.802920] [<c011e052>] do_exit+0x1c7/0x594
kernel: [4205017.802920] [<c0122a3f>] recalc_sigpending+0xa/0x29
kernel: [4205017.802920] [<c011e471>] do_group_exit+0x52/0x78
kernel: [4205017.802920] [<c0124b9f>] get_signal_to_deliver+0x2d0/0x2e9
kernel: [4205017.802920] [<c011388e>] do_page_fault+0x0/0x5ea
kernel: [4205017.802920] [<c0102f08>] do_notify_resume+0x7b/0x61b
kernel: [4205017.802920] [<c014e89d>] free_hot_cold_page+0xfe/0x118
kernel: [4205017.802920] [<c0116c02>] __dequeue_entity+0x1f/0x71
kernel: [4205017.802920] [<c01028ef>] __switch_to+0x84/0xf7
kernel: [4205017.802920] [<c02a5dce>] schedule+0x338/0x351
kernel: [4205017.802920] [<c011388e>] do_page_fault+0x0/0x5ea
kernel: [4205017.802920] [<c0103890>] work_notifysig+0x13/0x23
kernel: [4205017.802920] =======================
kernel: [4205017.802920] Code: 8b 00 8b 15 00 e0 33 c0 3b 82 f0 00 00 00 75 11 e8 5c af fb ff 90 eb 09 89 f8 e8 1b ff ff ff 89 c7 85 ff 75 f3 83 7e 78 00 74 04 <0f> 0b eb fe 58 5a 5b 5e 5f c3 55 57 89 c7 56 89 ce 53 83 ec 04
kernel: [4205017.802920] EIP: [<c0157dde>] exit_mmap+0xae/0xb8 SS:ESP 0068:c0e0de80
kernel: [4205017.807853] ---[ end trace 90ff29e315afb858 ]---

Line 2075 is a BUG_ON in exit_mmap():

    BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);

After looking at the commit log for mmap.c, I suspect that the BUG may have been caused by the following issue fixed in later kernels (but please check if I'm correct or not):

commit dcd4a049b9751828c516c59709f3fdf50436df85
Author: Johannes Weiner <han...@cmpxchg.org>
Date:   Tue Jan 6 14:40:31 2009 -0800

    mm: check for no mmaps in exit_mmap()

    When dup_mmap() ooms we can end up with mm->mmap == NULL. The error
    path does mmput() and unmap_vmas() gets a NULL vma which it
    dereferences.

    In exit_mmap() there is nothing to do at all for this case, we can
    cancel the callpath right there.

This patch was also included in a 2.6.27 stable update.