[uml-user] page_mapcount(page) went negative

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I am getting this crash with the current Debian lenny UML kernel, but not with 
the previous one.  

The background is that I use a UML guest to provide a repeatable environment 
for some builds I run each night.  I use Debian lenny as my host and use the 
user-mode-linux packages from that distribution.  The UML image from 
user-mode-linux 2.6.24-1um-1 runs fine.  My builds all run with no problem in 
that guest environment.

However, I wanted to rebuild the kernel and the source package for 
2.6.24-1um-1 is no longer available so I tried using the latest lenny 
version: 2.6.25-1um.  I rebuilt that (linux and modules) from source (with no 
changes yet) but when I use that as the guest UML, within a matter of minutes 
I get a kernel panic:

Eeek! page_mapcount(page) went negative! (-1)
  page pfn = 2cb
  page->flags = 400
  page->count = 1
  page->mapping = 00000000
  vma->vm_ops = 0x83a7d08
  vma->vm_ops->nopage = 0x0
  vma->vm_ops->fault = special_mapping_fault+0x0/0x60
BUG: failure at mm/rmap.c:669/page_remove_rmap()!
Kernel panic - not syncing: BUG!

EIP: 0023:[<080a407a>] CPU: 0 Not tainted ESP: 002b:ffa3753c EFLAGS: 00000256
    Not tainted
EAX: ffffffda EBX: 00008000 ECX: 001b6000 EDX: 00000005
ESI: 00000812 EDI: 00000004 EBP: 00000000 DS: 002b ES: 002b
2732fd38:  [<0809db34>] notifier_call_chain+0x34/0x70
2732fd5c:  [<083120e5>] panic+0x71/0xff
2732fd78:  [<080c9dd3>] page_remove_rmap+0x173/0x180
2732fd90:  [<080c2977>] unmap_vmas+0x297/0x640
2732fda4:  [<0805ff63>] flush_tlb_page+0x113/0x1f0
2732fdf8:  [<080c6205>] unmap_region+0xa5/0x150
2732fe2c:  [<080c73b8>] do_munmap+0x1d8/0x290
2732fe58:  [<080c7e44>] mmap_region+0xd4/0x560
2732fe90:  [<080c5ba0>] arch_get_unmapped_area+0x0/0x160
2732feb8:  [<080b3930>] generic_file_mmap+0x0/0x60
2732fec4:  [<080c84ea>] do_mmap_pgoff+0x21a/0x300
2732ff00:  [<0805f7f6>] sys_mmap2+0x76/0xe0
2732ff30:  [<0806173a>] handle_syscall+0x8a/0xc0
2732ff4c:  [<0805f780>] sys_mmap2+0x0/0xe0
2732ff78:  [<08077a6a>] userspace+0x48a/0x510
2732ff90:  [<08074705>] os_set_thread_area+0x25/0x50
2732ffec:  [<0805e66d>] fork_handler+0x5d/0x70

This is repeatable, and occurs with the same PFN reported, even on two 
completely different host systems (one is an i386 system, the other is an 
amd64 system, although the guest is 32-bit in both cases).  If I switch back 
to the 2.6.24-1um-1 version it is fine.

Any ideas as to what is going wrong?  I have tried Google but I can't find any 
discussion of this error with UML and there doesn't seem to be any recent 
problems in this area mentioned on LKML.  Is anyone else seeing this?  Is 
anyone else using UML 2.6.25 successfully?

What is the best way to report this -- should I log a bug report with the 
Debian user-mode-linux package?

By the way, is there any way I can get the source package for user-mode-linux 
2.6.24-1um-1 so I can use that to rebuild with the changes I need, until this 
problem is fixed?

Graham