Re: 2.4.0-test10-pre3:Oops in mm/filemap.c:filemap_write_pa

From: Petr Vandrovec (VANDROVE@vc.cvut.cz)
Date: Thu Oct 19 2000 - 17:04:10 EST


On 19 Oct 00 at 22:16, Russell King wrote:

> I'm seeing an oops caused by a NULL pointer dereference in mm/filemap.c,
> filemap_write_page. The NULL pointer in question is page->mapping.
> The box on which this is happening is using a root NFS filesystem (in
> fact all but one of its filesystems are NFS).

You do not have to use NFS - look for my postings with
'page->mapping == NULL' in the archive. Your code uses shared mmap, doesn't
it? Probably shared by a couple of processes.

> So the file that was mapped has been deleted... Ok,
> With the following in filemap_sync_pte:
>
> this reveals:
>
> --> page c017e118 mapping NULL - address 40264000
> --> vma->vm_file = c0c8b120
> --> /var/tmp/.nfs0000161300000002 (deleted)
>
> And the stack trace indicates that the kernel execution path came from
> sys_munmap.

... or from sys_exit() if you forget to unmap. Or from anywhere if
the swapping code decides to swap such a page. I've been trying to hunt it down
for more than a month, but I have no idea what's wrong. In my case
the way to trigger the bug is:

(1) shared map some page
(2) unlink underlying file
(3) fork
(4) from child dirty pages
(5) from parent truncate file
(6) exit both tasks
(7) oops

Just in case you do not find the oops demo code in the archive... Last tested
under 2.4.0-test10-pre3. With -pre4 I cannot decide whether to comment
out BUG() in vmscan or not, so I did not test -pre4 yet... Maybe you
can simplify the code even more. During tests (dual PIII/450, 256MB RAM)
the system is completely dead for up to 40 secs, so do not panic. There is no
need to hit the reset button, just wait ;-) Any ideas welcome.
                                                Best regards,
                                                    Petr Vandrovec
                                                    vandrove@vc.cvut.cz

#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <unistd.h>
#include <fcntl.h>
#include <sys/shm.h>
#include <sys/ioctl.h>
#include <sys/raw.h>
unsigned char zero;

#define MSIZE 0x0E000000

void x4768(void) {
    int fd;
    pid_t pid;
    int x4778_1[2];
    int x4778_2[2];
    int x4779_1[2];
    int x4779_2[2];
    int from4778;
    int to4778;
    int from4779;
    int to4779;
    char* mma[65536];
    unsigned int mml[65536];
    unsigned int mmi = 0;
    unsigned int ln = 0;
    unsigned int x;
    
#define MAL2(a,l) ftruncate(fd, ln+l); mml[mmi] = l; mma[mmi++] = mmap(a, l, PROT_READ|PROT_WRITE, MAP_SHARED, fd, ln); ln += l; mma[mmi-1][0] = 99;
#define MAL(l) MAL2(NULL,l)

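    /* steps (1) and (2): create the backing file, unlink it, and
       shared-map MSIZE bytes of it (MAL grows the file, then mmaps) */
    fd = open("ram0", O_RDWR | O_CREAT, 0600);
    unlink("ram0");
    MAL(MSIZE);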
    pipe(x4778_1);
    pipe(x4778_2);
    pid = fork();
    if (!pid) {
        int from4768 = x4778_1[0];
        int to4768 = x4778_2[1];
        close(x4778_1[1]);
        close(x4778_2[0]);
        close(fd);
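        /* wait for the parent's go-ahead */
        read(from4768, &zero, 1);
        /* step (4): dirty one byte in every 4096-byte page of the mapping */
        for (x = 0; x < mml[mmi - 1]; x += 4096)
            mma[mmi-1][x] = 98;
        /* tell the parent the pages are dirty, wait for its reply, then exit */
        write(to4768, &zero, 1);
        read(from4768, &zero, 1);
        exit(0);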
        
    } else if (pid < 0) {
        perror("fork failed");
        exit(222);
    }
    to4778 = x4778_1[1];
    from4778 = x4778_2[0];
    close(x4778_1[0]);
    close(x4778_2[1]);

    /* so that read/write to this fails... */
    from4779 = -1;
    to4779 = -1;
    {
        write(to4778, &zero, 1);
        write(to4779, &zero, 1);
        read(from4778, &zero, 1);
        read(from4779, &zero, 1);

        /* release the child, then step (5): truncate the file from the parent */
        write(to4778, &zero, 1);
        write(to4779, &zero, 1);
        sleep(5);
        ftruncate(fd, 0);
    }
    close(fd);
    while (mmi--) {
        munmap(mma[mmi], mml[mmi]);
    }
    exit(0);
}

int main(int argc, char* argv[]) {
    printf("Go\n");
    mlockall(MCL_CURRENT);
    
    x4768();
    return 0;
}