Bug 215309

Summary: Bad page state in process telegram-desktop - Kernel panic
Product: Memory Management
Component: Page Allocator
Status: RESOLVED ANSWERED
Severity: high
Priority: P1
Hardware: x86-64
OS: Linux
Kernel Version: 5.15.5-76051505-generic
Reporter: Gorgo (gorghino)
Assignee: Andrew Morton (akpm)
CC: gorghino, luis.henriques
Subsystem:
Regression: No
Bisected commit-id:

Description Gorgo 2021-12-12 14:22:42 UTC
OS="Pop!_OS 21.04"
Telegram-desktop (flatpak) v.3.3

**Steps to reproduce:**
1. Send this file (20 MB ASCII text, https://drive.google.com/file/d/1Dd-GkVX9CezHua6TPFB-GBD1ShEC_1WX/view?usp=sharing) to a chat (or Saved Messages)
2. The system hangs

**Log:**
```
dic 10 17:01:15 pop-os kernel: BUG: Bad page state in process telegram-deskto  pfn:2d542b
dic 10 17:01:15 pop-os kernel: page:00000000dce6c32a refcount:1 mapcount:0 mapping:00000000b6e6acb9 index:0x9 pfn:0x2d542b
dic 10 17:01:15 pop-os kernel: memcg:ffff950ad698b000
dic 10 17:01:15 pop-os kernel: aops:ext4_da_aops ino:1441cee dentry name:"canLog-Timing-101221.log"
dic 10 17:01:15 pop-os kernel: flags: 0x17ffffc0000036(referenced|uptodate|lru|active|node=0|zone=2|lastcpupid=0x1fffff)
dic 10 17:01:15 pop-os kernel: raw: 0017ffffc0000036 dead000000000100 dead000000000122 ffff950c977d7a00
dic 10 17:01:15 pop-os kernel: raw: 0000000000000009 0000000000000000 00000001ffffffff ffff950ad698b000
dic 10 17:01:15 pop-os kernel: page dumped because: page still charged to cgroup
dic 10 17:01:15 pop-os kernel: Modules linked in: ftdi_sio usbserial rfcomm xfrm_user xfrm_algo twofish_generic twofish_avx_x86_64 twofish_x86_64_3way twofish_x86_64 twofish_common serpent_avx2 serpent_avx_x86_64 serpent_sse2_x86_64 serpent_generic blow>
dic 10 17:01:15 pop-os kernel:  soundwire_bus ledtrig_audio snd_soc_core snd_hda_codec_hdmi snd_compress iwlmvm ac97_bus snd_pcm_dmaengine uvcvideo btusb btrtl videobuf2_vmalloc snd_hda_intel btbcm videobuf2_memops snd_intel_dspcfg btintel videobuf2_v4l>
dic 10 17:01:15 pop-os kernel:  auth_rpcgss ppdev nfs_acl lockd lp grace parport sunrpc ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress dm_crypt raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc>
dic 10 17:01:15 pop-os kernel: CPU: 8 PID: 76788 Comm: telegram-deskto Tainted: P           OE     5.15.5-76051505-generic #202111250933~1638201579~21.04~09f1aa7-Ubuntu
dic 10 17:01:15 pop-os kernel: Hardware name: Razer Blade 15 Advanced Model (Early 2020) - RZ09-033/CH551, BIOS 1.06 09/16/2020
dic 10 17:01:15 pop-os kernel: Call Trace:
dic 10 17:01:15 pop-os kernel:  <TASK>
dic 10 17:01:15 pop-os kernel:  show_stack+0x52/0x58
dic 10 17:01:15 pop-os kernel:  dump_stack_lvl+0x4a/0x5f
dic 10 17:01:15 pop-os kernel:  dump_stack+0x10/0x12
dic 10 17:01:15 pop-os kernel:  bad_page.cold+0x63/0x94
dic 10 17:01:15 pop-os kernel:  check_free_page_bad+0x66/0x70
dic 10 17:01:15 pop-os kernel:  free_pcppages_bulk+0x1c3/0x330
dic 10 17:01:15 pop-os kernel:  free_unref_page_commit.constprop.0+0xde/0xf0
dic 10 17:01:15 pop-os kernel:  free_unref_page_list+0x190/0x2c0
dic 10 17:01:15 pop-os kernel:  release_pages+0x165/0x4b0
dic 10 17:01:15 pop-os kernel:  __pagevec_release+0x21/0x60
dic 10 17:01:15 pop-os kernel:  invalidate_inode_pages2_range+0x354/0x3e0
dic 10 17:01:15 pop-os kernel:  invalidate_inode_pages2+0x17/0x20
dic 10 17:01:15 pop-os kernel:  fuse_finish_open+0x7f/0x150
dic 10 17:01:15 pop-os kernel:  fuse_open_common+0xbb/0x1a0
dic 10 17:01:15 pop-os kernel:  ? fuse_open_common+0x1a0/0x1a0
dic 10 17:01:15 pop-os kernel:  fuse_open+0x10/0x20
dic 10 17:01:15 pop-os kernel:  do_dentry_open+0x157/0x370
dic 10 17:01:15 pop-os kernel:  vfs_open+0x2d/0x30
dic 10 17:01:15 pop-os kernel:  do_open+0x1b4/0x360
dic 10 17:01:15 pop-os kernel:  path_openat+0x10a/0x1d0
dic 10 17:01:15 pop-os kernel:  do_filp_open+0xb6/0x160
dic 10 17:01:15 pop-os kernel:  do_sys_openat2+0x9b/0x160
dic 10 17:01:15 pop-os kernel:  __x64_sys_openat+0x56/0x90
dic 10 17:01:15 pop-os kernel:  do_syscall_64+0x59/0xc0
dic 10 17:01:15 pop-os kernel:  ? do_syscall_64+0x69/0xc0
dic 10 17:01:15 pop-os kernel:  ? irqentry_exit_to_user_mode+0x9/0x20
dic 10 17:01:15 pop-os kernel:  ? irqentry_exit+0x19/0x30
dic 10 17:01:15 pop-os kernel:  ? exc_page_fault+0x89/0x160
dic 10 17:01:15 pop-os kernel:  ? asm_exc_page_fault+0x8/0x30
dic 10 17:01:15 pop-os kernel:  entry_SYSCALL_64_after_hwframe+0x44/0xae
dic 10 17:01:15 pop-os kernel: RIP: 0033:0x7f04fb81b542
dic 10 17:01:15 pop-os kernel: Code: 89 45 b0 eb 93 0f 1f 00 44 89 55 9c e8 67 f5 ff ff 44 8b 55 9c 44 89 e2 4c 89 ee 41 89 c0 bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 44 89 c7 89 45 9c e8 bb f5 ff ff 8b 45 9c
dic 10 17:01:15 pop-os kernel: RSP: 002b:00007ffdb94a3e40 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
dic 10 17:01:15 pop-os kernel: RAX: ffffffffffffffda RBX: 00007f04f02fc590 RCX: 00007f04fb81b542
dic 10 17:01:15 pop-os kernel: RDX: 0000000000080000 RSI: 00007f04f02fc590 RDI: 00000000ffffff9c
dic 10 17:01:15 pop-os kernel: RBP: 00007ffdb94a3eb0 R08: 0000000000000000 R09: ffffffffffffe798
dic 10 17:01:15 pop-os kernel: R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000080000
dic 10 17:01:15 pop-os kernel: R13: 00007f04f02fc590 R14: 00007ffdb94a3ed0 R15: 00007f04f03ea950
dic 10 17:01:15 pop-os kernel:  </TASK>
dic 10 17:01:15 pop-os kernel: BUG: Bad page state in process telegram-deskto  pfn:2dd06a
dic 10 17:01:15 pop-os kernel: page:0000000086cb8f7b refcount:1 mapcount:0 mapping:00000000b6e6acb9 index:0xa pfn:0x2dd06a
dic 10 17:01:15 pop-os kernel: memcg:ffff950ad698b000
dic 10 17:01:15 pop-os kernel: aops:ext4_da_aops ino:1441cee dentry name:"canLog-Timing-101221.log"
dic 10 17:01:15 pop-os kernel: flags: 0x17ffffc0000036(referenced|uptodate|lru|active|node=0|zone=2|lastcpupid=0x1fffff)
dic 10 17:01:15 pop-os kernel: raw: 0017ffffc0000036 dead000000000100 dead000000000122 ffff950c977d7a00
dic 10 17:01:15 pop-os kernel: raw: 000000000000000a 0000000000000000 00000001ffffffff ffff950ad698b000
dic 10 17:01:15 pop-os kernel: page dumped because: page still charged to cgroup
dic 10 17:01:15 pop-os kernel: Modules linked in: ftdi_sio usbserial rfcomm xfrm_user xfrm_algo twofish_generic twofish_avx_x86_64 twofish_x86_64_3way twofish_x86_64 twofish_common serpent_avx2 serpent_avx_x86_64 serpent_sse2_x86_64 serpent_generic blow>
dic 10 17:01:15 pop-os kernel:  soundwire_bus ledtrig_audio snd_soc_core snd_hda_codec_hdmi snd_compress iwlmvm ac97_bus snd_pcm_dmaengine uvcvideo btusb btrtl videobuf2_vmalloc snd_hda_intel btbcm videobuf2_memops snd_intel_dspcfg btintel videobuf2_v4l>
dic 10 17:01:15 pop-os kernel:  auth_rpcgss ppdev nfs_acl lockd lp grace parport sunrpc ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress dm_crypt raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc>
dic 10 17:01:15 pop-os kernel: CPU: 8 PID: 76788 Comm: telegram-deskto Tainted: P    B      OE     5.15.5-76051505-generic #202111250933~1638201579~21.04~09f1aa7-Ubuntu
dic 10 17:01:15 pop-os kernel: Hardware name: Razer Blade 15 Advanced Model (Early 2020) - RZ09-033/CH551, BIOS 1.06 09/16/2020
dic 10 17:01:15 pop-os kernel: Call Trace:
dic 10 17:01:15 pop-os kernel:  <TASK>
dic 10 17:01:15 pop-os kernel:  show_stack+0x52/0x58
dic 10 17:01:15 pop-os kernel:  dump_stack_lvl+0x4a/0x5f
dic 10 17:01:15 pop-os kernel:  dump_stack+0x10/0x12
dic 10 17:01:15 pop-os kernel:  bad_page.cold+0x63/0x94
dic 10 17:01:15 pop-os kernel:  check_free_page_bad+0x66/0x70
dic 10 17:01:15 pop-os kernel:  free_pcppages_bulk+0x1c3/0x330
dic 10 17:01:15 pop-os kernel:  free_unref_page_commit.constprop.0+0xde/0xf0
dic 10 17:01:15 pop-os kernel:  free_unref_page_list+0x190/0x2c0
dic 10 17:01:15 pop-os kernel:  release_pages+0x165/0x4b0
dic 10 17:01:15 pop-os kernel:  __pagevec_release+0x21/0x60
dic 10 17:01:15 pop-os kernel:  invalidate_inode_pages2_range+0x354/0x3e0
dic 10 17:01:15 pop-os kernel:  invalidate_inode_pages2+0x17/0x20
dic 10 17:01:15 pop-os kernel:  fuse_finish_open+0x7f/0x150
dic 10 17:01:15 pop-os kernel:  fuse_open_common+0xbb/0x1a0
dic 10 17:01:15 pop-os kernel:  ? fuse_open_common+0x1a0/0x1a0
dic 10 17:01:15 pop-os kernel:  fuse_open+0x10/0x20
dic 10 17:01:15 pop-os kernel:  do_dentry_open+0x157/0x370
dic 10 17:01:15 pop-os kernel:  vfs_open+0x2d/0x30
dic 10 17:01:15 pop-os kernel:  do_open+0x1b4/0x360
dic 10 17:01:15 pop-os kernel:  path_openat+0x10a/0x1d0
dic 10 17:01:15 pop-os kernel:  do_filp_open+0xb6/0x160
dic 10 17:01:15 pop-os kernel:  do_sys_openat2+0x9b/0x160
dic 10 17:01:15 pop-os kernel:  __x64_sys_openat+0x56/0x90
dic 10 17:01:15 pop-os kernel:  do_syscall_64+0x59/0xc0
dic 10 17:01:15 pop-os kernel:  ? do_syscall_64+0x69/0xc0
dic 10 17:01:15 pop-os kernel:  ? irqentry_exit_to_user_mode+0x9/0x20
dic 10 17:01:15 pop-os kernel:  ? irqentry_exit+0x19/0x30
dic 10 17:01:15 pop-os kernel:  ? exc_page_fault+0x89/0x160
dic 10 17:01:15 pop-os kernel:  ? asm_exc_page_fault+0x8/0x30
dic 10 17:01:15 pop-os kernel:  entry_SYSCALL_64_after_hwframe+0x44/0xae
dic 10 17:01:15 pop-os kernel: RIP: 0033:0x7f04fb81b542
dic 10 17:01:15 pop-os kernel: Code: 89 45 b0 eb 93 0f 1f 00 44 89 55 9c e8 67 f5 ff ff 44 8b 55 9c 44 89 e2 4c 89 ee 41 89 c0 bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 44 89 c7 89 45 9c e8 bb f5 ff ff 8b 45 9c
dic 10 17:01:15 pop-os kernel: RSP: 002b:00007ffdb94a3e40 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
dic 10 17:01:15 pop-os kernel: RAX: ffffffffffffffda RBX: 00007f04f02fc590 RCX: 00007f04fb81b542
dic 10 17:01:15 pop-os kernel: RDX: 0000000000080000 RSI: 00007f04f02fc590 RDI: 00000000ffffff9c
dic 10 17:01:15 pop-os kernel: RBP: 00007ffdb94a3eb0 R08: 0000000000000000 R09: ffffffffffffe798
dic 10 17:01:15 pop-os kernel: R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000080000
dic 10 17:01:15 pop-os kernel: R13: 00007f04f02fc590 R14: 00007ffdb94a3ed0 R15: 00007f04f03ea950
dic 10 17:01:15 pop-os kernel:  </TASK>
dic 10 17:01:15 pop-os kernel: BUG: Bad page state in process telegram-deskto  pfn:2b270c
```
Comment 1 Luis Henriques 2021-12-14 17:58:23 UTC
Miklos suggested [1] that this is fixed with commits:

712a951025c0 ("fuse: fix page stealing")
473441720c86 ("fuse: release pipe buf after last use")

So, I would suggest that you upgrade to a later kernel that already includes these fixes. If your kernel is based on stable 5.15.5, anything later (5.15.6) should include that fix, as per the 5.15 stable changelog [2].

[1] https://lore.kernel.org/linux-fsdevel/Ybi5s7bYkEAqEffs@suse.de/T/#m4f8121e70d3f7f5ddf9012203d500739cddca1d2
[2] https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.6
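An added triage helper, not part of the bug report, of the kernel, or of any distribution tooling: it parses a constructed copy of the first oops in the description and pulls out the fields a responder acts on (reporting process and pfn, the file the page belonged to, the reason the page was flagged, the taint letters, the kernel release, and the first call-trace frame outside the bad-page reporting path and generic page-cache teardown, which here is fuse_finish_open), then compares the kernel release against 5.15.6, the release Comment 1 names as the first 5.15.y stable kernel carrying the fuse fixes. All function, constant and field names are this example's own; the first-fixed release is an input, because another stable series has its own backport point and this example does not know it.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the first oops from the report above, abbreviated (module
# list, register dump and several of the mm-internal frames left out).
SAMPLE_LOG = """\
dic 10 17:01:15 pop-os kernel: BUG: Bad page state in process telegram-deskto  pfn:2d542b
dic 10 17:01:15 pop-os kernel: aops:ext4_da_aops ino:1441cee dentry name:"canLog-Timing-101221.log"
dic 10 17:01:15 pop-os kernel: page dumped because: page still charged to cgroup
dic 10 17:01:15 pop-os kernel: CPU: 8 PID: 76788 Comm: telegram-deskto Tainted: P           OE     5.15.5-76051505-generic #202111250933~1638201579~21.04~09f1aa7-Ubuntu
dic 10 17:01:15 pop-os kernel:  show_stack+0x52/0x58
dic 10 17:01:15 pop-os kernel:  bad_page.cold+0x63/0x94
dic 10 17:01:15 pop-os kernel:  check_free_page_bad+0x66/0x70
dic 10 17:01:15 pop-os kernel:  free_pcppages_bulk+0x1c3/0x330
dic 10 17:01:15 pop-os kernel:  release_pages+0x165/0x4b0
dic 10 17:01:15 pop-os kernel:  invalidate_inode_pages2_range+0x354/0x3e0
dic 10 17:01:15 pop-os kernel:  fuse_finish_open+0x7f/0x150
dic 10 17:01:15 pop-os kernel:  fuse_open_common+0xbb/0x1a0
dic 10 17:01:15 pop-os kernel:  ? fuse_open_common+0x1a0/0x1a0
dic 10 17:01:15 pop-os kernel:  fuse_open+0x10/0x20
"""

# First 5.15.y stable release that Comment 1 names as carrying the fuse fixes;
# an input, since another stable series has its own first-fixed release.
FIXED_IN_5_15 = (5, 15, 6)

# Prefixes of frames in the bad-page reporting path and generic page-cache
# teardown; the first frame after them names the subsystem that freed the page.
_MM_FRAMES = ("show_stack", "dump_stack", "bad_page", "check_free_page_bad",
              "free_pcppages_bulk", "free_unref_page", "release_pages",
              "__pagevec_release", "invalidate_inode_pages2")

_RE_BUG = re.compile(r"BUG: Bad page state in process (\S+)\s+pfn:([0-9a-f]+)")
_RE_AOPS = re.compile(r"aops:(\S+)")
_RE_REASON = re.compile(r"page dumped because: (.+?)\s*$")
_RE_CPU = re.compile(r"CPU: \d+ PID: (\d+) Comm: \S+ (?:Not tainted|Tainted: (.*?))\s+(\d+\.\d+\S*)")
# "kernel:  fuse_open+0x10/0x20"; a leading "? " marks a stale, unconfirmed slot.
_RE_FRAME = re.compile(r"kernel:\s+(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")


@dataclass
class BadPageReport:
    comm: str
    pfn: int
    pid: Optional[int] = None
    reason: Optional[str] = None
    owner_aops: Optional[str] = None   # address_space ops of the file the page belonged to
    taint: str = ""                    # taint letters with spacing removed, e.g. "POE"
    kernel_release: Optional[str] = None
    frames: List[str] = field(default_factory=list)   # confirmed frames, in order

    def first_frame_outside_mm(self) -> Optional[str]:
        for frame in self.frames:
            if not frame.startswith(_MM_FRAMES):
                return frame
        return None


def parse_kernel_version(release: str) -> Tuple[int, int, int]:
    """'5.15.5-76051505-generic' -> (5, 15, 5); '5.16-rc1' -> (5, 16, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def parse_bad_page_reports(log: str) -> List[BadPageReport]:
    """Split a kernel log into one BadPageReport per 'BUG: Bad page state' line."""
    reports: List[BadPageReport] = []
    for line in log.splitlines():
        if (m := _RE_BUG.search(line)):
            reports.append(BadPageReport(comm=m.group(1), pfn=int(m.group(2), 16)))
            continue
        if not reports:
            continue                   # noise before the first BUG line
        cur = reports[-1]
        if (m := _RE_AOPS.search(line)):
            cur.owner_aops = m.group(1)
        elif (m := _RE_REASON.search(line)):
            cur.reason = m.group(1)
        elif (m := _RE_CPU.search(line)):
            cur.pid = int(m.group(1))
            cur.taint = (m.group(2) or "").replace(" ", "")
            cur.kernel_release = m.group(3)
        elif (m := _RE_FRAME.search(line)) and not m.group(1):
            cur.frames.append(m.group(2))  # skip "? " speculative frames
    return reports


def triage(report: BadPageReport, fixed_in: Tuple[int, int, int]) -> dict:
    """Condense one oops into the facts a responder acts on."""
    rel = report.kernel_release
    return {
        "comm": report.comm, "pfn": hex(report.pfn), "page_owner": report.owner_aops,
        "reason": report.reason, "trigger": report.first_frame_outside_mm(),
        "bad_page_taint_already_set": "B" in report.taint,
        "kernel": rel,
        "kernel_has_fix": rel is not None and parse_kernel_version(rel) >= fixed_in,
    }


if __name__ == "__main__":
    for r in parse_bad_page_reports(SAMPLE_LOG):
        print(triage(r, FIXED_IN_5_15))
```

Feed it the output of `journalctl -k` or a saved dmesg. Two things the extracted fields make visible in the posted log: the page being freed belongs to an ext4 file (aops:ext4_da_aops) while the free runs under a FUSE open(), which is consistent with the fuse page-stealing fix Miklos pointed to in Comment 1; and the second oops carries the B taint flag (Tainted: P    B      OE) that the kernel sets once it has seen a bad page, so every later report from that boot is already from a tainted kernel. Speculative frames (prefixed with "? ") are skipped because they are stale stack contents, not confirmed callers.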