On Sun, Aug 02, 2020 at 12:16:53PM -0700, Hugh Dickins wrote: > Only once have I seen this scenario (and forgot even to notice what > forced the eventual crash): a sequence of "BUG: Bad page map" alerts > from vm_normal_page(), from zap_pte_range() servicing exit_mmap(); > pmd:00000000, pte values corresponding to data in physical page 0. > > The pte mappings being zapped in this case were supposed to be from a > huge page of ext4 text (but could as well have been shmem): my belief > is that it was racing with collapse_file()'s retract_page_tables(), > found *pmd pointing to a page table, locked it, but *pmd had become > 0 by the time start_pte was decided. > > In most cases, that possibility is excluded by holding mmap lock; > but exit_mmap() proceeds without mmap lock. Most of what's run by > khugepaged checks khugepaged_test_exit() after acquiring mmap lock: > khugepaged_collapse_pte_mapped_thps() and hugepage_vma_revalidate() > do so, for example. But retract_page_tables() did not: fix that > (using an mm variable instead of vma->vm_mm repeatedly). Hm. I'm not sure I follow. vma->vm_mm has to be valid as long as we hold i_mmap lock, no? Unlinking a VMA requires it. -- Kirill A. Shutemov
