Nick Piggin wrote:
> Well, I think I said it shouldn't oops like this... I don't think it
> is particularly robust WRT error cases or concurrent page faults
> (between mmap and ioctl).
>
> As we established earlier with a debug patch, the reason for the oops
> is that VM_PFNMAP has been cleared from your vma->vm_flags for some
> reason. This is causing the unmap code to mistakenly try to remove
> reverse maps and refcounts from the struct pages.
>
> I don't know why VM_PFNMAP should be getting cleared. But if it
> remains set then the oops should go away.
As one of my tests, I manually added the VM_PFNMAP flag before calling remap_pfn_range(). This did not resolve the issue. Also, I checked the kernel source (vanilla Fedora Core 5) and VM_PFNMAP is always added inside remap_pfn_range() anyway, along with VM_IO & VM_RESERVED.
Note that the kernel oops I posted only happened rarely. Most of the time, the system completely froze immediately when the file descriptor was closed and I didn't get any oops message.