linux-mm.kvack.org archive mirror
From: "Vishal Moola (Oracle)" <vishal.moola@gmail.com>
To: kernel test robot <oliver.sang@intel.com>
Cc: "Matthew Wilcox (Oracle)" <willy@infradead.org>,
	oe-lkp@lists.linux.dev, lkp@intel.com, linux-mm@kvack.org,
	Andrew Morton <akpm@linux-foundation.org>,
	David Hildenbrand <david@kernel.org>
Subject: Re: [PATCH 1/4] mm: Use frozen pages for page tables
Date: Mon, 17 Nov 2025 16:44:29 -0800
Message-ID: <aRvBbYmCz-jkIzo1@fedora>
In-Reply-To: <202511172257.ffd96dab-lkp@intel.com>

On Mon, Nov 17, 2025 at 10:38:09PM +0800, kernel test robot wrote:
> 
> 
> Hello,
> 
> kernel test robot noticed "BUG:Bad_page_state_in_process" on:
> 
> commit: ffb870b766822062b6c71211c80342c85a7ffcd8 ("[PATCH 1/4] mm: Use frozen pages for page tables")
> url: https://github.com/intel-lab-lkp/linux/commits/Matthew-Wilcox-Oracle/mm-Use-frozen-pages-for-page-tables/20251113-222907
> base: https://git.kernel.org/cgit/linux/kernel/git/akpm/mm.git mm-everything
> patch link: https://lore.kernel.org/all/20251113140448.1814860-2-willy@infradead.org/
> patch subject: [PATCH 1/4] mm: Use frozen pages for page tables
> 
> in testcase: rcutorture
> version: 
> with following parameters:
> 
> 	runtime: 300s
> 	test: cpuhotplug
> 	torture_type: trivial
> 
> 
> 
> config: x86_64-randconfig-101-20251114
> compiler: clang-20
> test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 32G
> 
> (please refer to attached dmesg/kmsg for entire log/backtrace)
> 
> 
> 
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <oliver.sang@intel.com>
> | Closes: https://lore.kernel.org/oe-lkp/202511172257.ffd96dab-lkp@intel.com
> 
> 
> [   19.289760][  T422] BUG: Bad page state in process modprobe  pfn:1618b2
> [   19.290414][  T422] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1618b2
> [   19.291313][  T422] flags: 0x8000000000000000(zone=2)
> [   19.291714][  T422] raw: 8000000000000000 dead000000000100 dead000000000122 0000000000000000
> [   19.292382][  T422] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
> [   19.293020][  T422] page dumped because: nonzero _refcount
> [   19.293444][  T422] Modules linked in:
> [   19.293804][  T422] CPU: 0 UID: 0 PID: 422 Comm: modprobe Not tainted 6.18.0-rc5-00422-gffb870b76682 #1 PREEMPT(none)  65c9d11eede624b36533d4efe2c3c7798fc76b60
> [   19.293811][  T422] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> [   19.293814][  T422] Call Trace:
> [   19.293817][  T422]  <TASK>
> [   19.293820][  T422]  dump_stack_lvl (lib/dump_stack.c:123)
> [   19.293834][  T422]  ? show_regs_print_info (lib/dump_stack.c:104)
> [   19.293842][  T422]  ? smp_call_function_many (kernel/smp.c:784)
> [   19.293847][  T422]  ? find_held_lock (kernel/locking/lockdep.c:5350)
> [   19.293854][  T422]  bad_page (mm/page_alloc.c:?)
> [   19.293860][  T422]  __free_frozen_pages (mm/page_alloc.c:?)
> [   19.293870][  T422]  change_page_attr_set_clr (include/linux/list.h:372)
> [   19.293878][  T422]  ? __set_memory_prot (arch/x86/mm/pat/set_memory.c:2041)
> [   19.293884][  T422]  ? __set_memory_prot (arch/x86/mm/pat/set_memory.c:2041)
> [   19.293889][  T422]  ? trace_contention_end (include/trace/events/lock.h:122)
> [   19.293897][  T422]  ? do_raw_spin_lock (arch/x86/include/asm/atomic.h:107)
> [   19.293904][  T422]  set_memory_rox (arch/x86/mm/pat/set_memory.c:2327)
> [   19.293910][  T422]  ? set_memory_nx (arch/x86/mm/pat/set_memory.c:2123 arch/x86/mm/pat/set_memory.c:2312)
> [   19.293915][  T422]  ? set_memory_ro (arch/x86/mm/pat/set_memory.c:2321)
> [   19.293921][  T422]  ? _raw_spin_unlock (arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:143 kernel/locking/spinlock.c:186)
> [   19.293929][  T422]  ? find_vmap_area (mm/vmalloc.c:2507)
> [   19.293935][  T422]  module_enable_text_rox (kernel/module/strict_rwx.c:40)
> [   19.293943][  T422]  complete_formation (kernel/module/main.c:3258)
> [   19.293952][  T422]  ? post_relocation (kernel/module/main.c:3237)
> [   19.293959][  T422]  ? init_build_id (kernel/module/kallsyms.c:?)
> [   19.293967][  T422]  load_module (kernel/module/main.c:3468)
> [   19.293979][  T422]  __se_sys_finit_module (kernel/module/main.c:? kernel/module/main.c:3713 kernel/module/main.c:3739 kernel/module/main.c:3723)
> [   19.293987][  T422]  ? __x64_sys_finit_module (kernel/module/main.c:3723)
> [   19.293998][  T422]  ? exc_page_fault (arch/x86/mm/fault.c:?)
> [   19.294007][  T422]  ? __ia32_sys_write (fs/read_write.c:754)
> [   19.294015][  T422]  ? do_sys_open (fs/open.c:1452)
> [   19.294022][  T422]  ? entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
> [   19.294026][  T422]  do_syscall_64 (arch/x86/entry/syscall_64.c:?)
> [   19.294034][  T422]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
> [   19.294038][  T422] RIP: 0033:0x7f8d36fda779
> [   19.294042][  T422] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 4f 86 0d 00 f7 d8 64 89 01 48
> All code
> ========
>    0:	ff c3                	inc    %ebx
>    2:	66 2e 0f 1f 84 00 00 	cs nopw 0x0(%rax,%rax,1)
>    9:	00 00 00 
>    c:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
>   11:	48 89 f8             	mov    %rdi,%rax
>   14:	48 89 f7             	mov    %rsi,%rdi
>   17:	48 89 d6             	mov    %rdx,%rsi
>   1a:	48 89 ca             	mov    %rcx,%rdx
>   1d:	4d 89 c2             	mov    %r8,%r10
>   20:	4d 89 c8             	mov    %r9,%r8
>   23:	4c 8b 4c 24 08       	mov    0x8(%rsp),%r9
>   28:	0f 05                	syscall
>   2a:*	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax		<-- trapping instruction
>   30:	73 01                	jae    0x33
>   32:	c3                   	ret
>   33:	48 8b 0d 4f 86 0d 00 	mov    0xd864f(%rip),%rcx        # 0xd8689
>   3a:	f7 d8                	neg    %eax
>   3c:	64 89 01             	mov    %eax,%fs:(%rcx)
>   3f:	48                   	rex.W
> 
> Code starting with the faulting instruction
> ===========================================
>    0:	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax
>    6:	73 01                	jae    0x9
>    8:	c3                   	ret
>    9:	48 8b 0d 4f 86 0d 00 	mov    0xd864f(%rip),%rcx        # 0xd865f
>   10:	f7 d8                	neg    %eax
>   12:	64 89 01             	mov    %eax,%fs:(%rcx)
>   15:	48                   	rex.W
> [   19.294046][  T422] RSP: 002b:00007ffe07ac3298 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
> [   19.294051][  T422] RAX: ffffffffffffffda RBX: 000055b5fb23ae30 RCX: 00007f8d36fda779
> [   19.294054][  T422] RDX: 0000000000000000 RSI: 000055b5e55e332b RDI: 0000000000000004
> [   19.294056][  T422] RBP: 0000000000000000 R08: 0000000000000000 R09: 000055b5fb23c020
> [   19.294059][  T422] R10: 0000000000000000 R11: 0000000000000246 R12: 000055b5e55e332b
> [   19.294061][  T422] R13: 0000000000040000 R14: 000055b5fb23ade0 R15: 0000000000000000
> [   19.294069][  T422]  </TASK>
> [   19.294071][  T422] Disabling lock debugging due to kernel taint
> [   19.373082][  T422] BUG: Bad page state in process modprobe  pfn:163532
> [   19.373680][  T422] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x163532
> [   19.374387][  T422] flags: 0x8000000000000000(zone=2)
> [   19.374795][  T422] raw: 8000000000000000 dead000000000100 dead000000000122 0000000000000000
> [   19.375424][  T422] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
> [   19.376107][  T422] page dumped because: nonzero _refcount
> [   19.376525][  T422] Modules linked in: torture
> [   19.376917][  T422] CPU: 0 UID: 0 PID: 422 Comm: modprobe Tainted: G    B               6.18.0-rc5-00422-gffb870b76682 #1 PREEMPT(none)  65c9d11eede624b36533d4efe2c3c7798fc76b60
> [   19.376925][  T422] Tainted: [B]=BAD_PAGE
> [   19.376927][  T422] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> [   19.376930][  T422] Call Trace:
> [   19.376933][  T422]  <TASK>
> [   19.376936][  T422]  dump_stack_lvl (lib/dump_stack.c:123)
> [   19.376946][  T422]  ? show_regs_print_info (lib/dump_stack.c:104)
> [   19.376952][  T422]  ? smp_call_function_many (kernel/smp.c:784)
> [   19.376959][  T422]  bad_page (mm/page_alloc.c:?)
> [   19.376964][  T422]  __free_frozen_pages (mm/page_alloc.c:?)
> [   19.376972][  T422]  change_page_attr_set_clr (include/linux/list.h:372)
> [   19.376979][  T422]  ? __set_memory_prot (arch/x86/mm/pat/set_memory.c:2041)
> [   19.376984][  T422]  ? __set_memory_prot (arch/x86/mm/pat/set_memory.c:2041)
> [   19.376989][  T422]  ? trace_contention_end (include/trace/events/lock.h:122)
> [   19.376995][  T422]  ? do_raw_spin_lock (arch/x86/include/asm/atomic.h:107)
> [   19.377001][  T422]  set_memory_rox (arch/x86/mm/pat/set_memory.c:2327)
> [   19.377006][  T422]  ? set_memory_nx (arch/x86/mm/pat/set_memory.c:2123 arch/x86/mm/pat/set_memory.c:2312)
> [   19.377010][  T422]  ? set_memory_ro (arch/x86/mm/pat/set_memory.c:2321)
> [   19.377016][  T422]  ? _raw_spin_unlock (arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:143 kernel/locking/spinlock.c:186)
> [   19.377023][  T422]  ? find_vmap_area (mm/vmalloc.c:2507)
> [   19.377028][  T422]  module_enable_text_rox (kernel/module/strict_rwx.c:40)
> [   19.377036][  T422]  complete_formation (kernel/module/main.c:3258)
> [   19.377042][  T422]  ? __might_fault (mm/memory.c:7142)
> [   19.377046][  T422]  ? post_relocation (kernel/module/main.c:3237)
> [   19.377051][  T422]  ? __might_fault (mm/memory.c:7142)
> [   19.377054][  T422]  ? init_build_id (kernel/module/kallsyms.c:?)
> [   19.377061][  T422]  load_module (kernel/module/main.c:3468)
> [   19.377069][  T422]  __se_sys_finit_module (kernel/module/main.c:? kernel/module/main.c:3713 kernel/module/main.c:3739 kernel/module/main.c:3723)
> [   19.377074][  T422]  ? __x64_sys_finit_module (kernel/module/main.c:3723)
> [   19.377081][  T422]  ? do_sys_openat2 (fs/open.c:1447)
> [   19.377089][  T422]  ? __ia32_sys_write (fs/read_write.c:754)
> [   19.377095][  T422]  ? do_sys_open (fs/open.c:1452)
> [   19.377100][  T422]  ? entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
> [   19.377104][  T422]  do_syscall_64 (arch/x86/entry/syscall_64.c:?)
> [   19.377111][  T422]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
> [   19.377115][  T422] RIP: 0033:0x7f8d36fda779
> [   19.377120][  T422] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 4f 86 0d 00 f7 d8 64 89 01 48

This is not a problem with this patch. It's actually a symptom of commit
bf9e4e30f3538 ("x86/mm: use pagetable_free()"). We're freeing ptdescs
that haven't been allocated from the ptdesc allocator - aka
pagetable_alloc().
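
Added example, not part of the original message or of the kernel tree: a small Python triage helper that pulls out of a quoted "Bad page state" report the fields the diagnosis above rests on, namely the refcount, the dump reason, and the first reliable (non-`?`) frame below the reporting helpers. The sample lines are abridged from the log quoted in this message; `parse_bad_pages` and `freed_by` are names made up for this sketch.

```python
import re

# Constructed sample: lines abridged from the report quoted above, with the
# mail quote prefix "> " kept on purpose (the parser strips it).
SAMPLE = """\
> [   19.289760][  T422] BUG: Bad page state in process modprobe  pfn:1618b2
> [   19.290414][  T422] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1618b2
> [   19.293020][  T422] page dumped because: nonzero _refcount
> [   19.293820][  T422]  dump_stack_lvl (lib/dump_stack.c:123)
> [   19.293847][  T422]  ? find_held_lock (kernel/locking/lockdep.c:5350)
> [   19.293854][  T422]  bad_page (mm/page_alloc.c:?)
> [   19.293860][  T422]  __free_frozen_pages (mm/page_alloc.c:?)
> [   19.293870][  T422]  change_page_attr_set_clr (include/linux/list.h:372)
> [   19.293904][  T422]  set_memory_rox (arch/x86/mm/pat/set_memory.c:2327)
> [   19.294038][  T422] RIP: 0033:0x7f8d36fda779
"""

PREFIX = re.compile(r"^(?:>\s?)*\[\s*\d+\.\d+\]\[\s*\w+\]\s?")  # quote + timestamp + task
BUG = re.compile(r"BUG: Bad page state in process (\S+)\s+pfn:([0-9a-f]+)")
PAGE = re.compile(r"page: refcount:(-?\d+) mapcount:(-?\d+)")
FRAME = re.compile(r"^\s*(\?\s+)?([\w.]+) \(")
REPORTING = {"dump_stack_lvl", "dump_stack", "bad_page"}  # frames that only print the report

def parse_bad_pages(text):
    """Return one dict per 'Bad page state' report found in dmesg text."""
    reports, cur = [], None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if m := BUG.search(line):
            cur = {"process": m[1], "pfn": int(m[2], 16), "refcount": None,
                   "reason": None, "frames": []}
            reports.append(cur)
        elif cur is None:
            continue
        elif m := PAGE.search(line):
            cur["refcount"] = int(m[1])
        elif line.startswith("page dumped because: "):
            cur["reason"] = line.split(": ", 1)[1].strip()
        elif line.startswith("RIP:"):
            cur = None  # user-space register dump follows; stop collecting
        elif (m := FRAME.match(line)) and not m[1] and m[2] not in REPORTING:
            cur["frames"].append(m[2])  # keep only reliable ("?"-free) frames
    return reports

def freed_by(report):
    """First reliable frame below the reporting helpers: the free path that tripped."""
    return report["frames"][0] if report["frames"] else None
```

On the report quoted here this yields refcount 1, reason `nonzero _refcount`, and `__free_frozen_pages` reached from `change_page_attr_set_clr`, which is the combination the reply attributes to a page being freed through a path that did not allocate it.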

