* PCI BAR register space written with garbage in HVM guest.
@ 2010-03-16 1:09 Dan Gora
2010-03-16 1:48 ` Konrad Rzeszutek Wilk
` (2 more replies)
0 siblings, 3 replies; 14+ messages in thread
From: Dan Gora @ 2010-03-16 1:09 UTC (permalink / raw)
To: xen-devel
Hi All,
I'm having a problem where if I pass through two instances of my
device to a HVM domU, one of the board instances is having it's PCI
BAR registers overwritten with garbage by some unknown actor 30
seconds to a minute after I load my driver. I cannnot for the life of
me find what might possibly be overwriting the BAR registers.
I've added a debugging printf to XEN in
xen/arch/x86/pci.c:pci_conf_write() and I can see the entire PCI BAR
address space being overwritten with garbage:
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080000 offset=0x0
bytes=4 value=0xffffffff
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080004 offset=0x0
bytes=4 value=0x1600ffff
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080008 offset=0x0
bytes=4 value=0x64d5323e
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x8008000c offset=0x0
bytes=4 value=0x450008
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080010 offset=0x0
bytes=4 value=0xa7e54002
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080014 offset=0x0
bytes=4 value=0x11400000
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080018 offset=0x0
bytes=4 value=0x693
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x8008001c offset=0x0
bytes=4 value=0xffff0000
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080020 offset=0x0
bytes=4 value=0x4400ffff
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080024 offset=0x0
bytes=4 value=0x2c024300
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080028 offset=0x0
bytes=4 value=0x1012dac
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x8008002c offset=0x0
bytes=4 value=0xa1c30006
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080030 offset=0x0
bytes=4 value=0xa00040d
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080034 offset=0x0
bytes=4 value=0x0
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080038 offset=0x0
bytes=4 value=0x0
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x8008003c offset=0x0
bytes=4 value=0x0
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080040 offset=0x0
bytes=4 value=0x0
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080044 offset=0x0
bytes=4 value=0x16000000
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080048 offset=0x0
bytes=4 value=0x64d5323e
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x8008004c offset=0x0
bytes=4 value=0x0
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080050 offset=0x0
bytes=4 value=0x0
<snipped, rest of PCI BAR registers written with 0x0...>
I've added printks to the dom0 and domU kernels in the
pci_bus_write_config_##size() macros in drivers/pci/access.c and in
arch/x86/pci/direct.c to print every time the kernel accesses PCI
configuration space, but I only see these printfs when my driver
access my board's PCI configuration space or some other driver
accesses PCI configuration space, but I do NOT see them when this PCI
BAR register space trashing happens.
So I noticed also that lspci does not cause these kernel printfs to
occur and upon reading the pciutils source code I learned that pretty
much anything which can do an outl() to 0xcf8/0xcfc can mess with PCI
configuration space.
So now I figure it must be some user space thing unless I'm just
missing some other way which the kernel or XEN can access PCI
configuration space, but what could it possibly be?
This problem only occurs in HVM guests and only seems to occur when I
pass two instances of my device to the domU and only occurs many many
seconds after I load my driver (30-60 seconds). I'm absolutely sure
that it's not my driver because the kernel printfs show up when my
driver accesses PCI configuration space.
I'm really pretty much at a loss as even how to debug this. There
doesn't appear to be any dump_stack() in XEN so that I can see what
called pci_conf_write() in XEN, but even then it appears that it only
gets called as a trap from the dom0 or domU. It's not clear to me if
you can even see what process/stack actually caused the trap back in
the dom0 or domU. Is that possible?
Is there anything else that I should look at? qemu? pciback?
pcifront? Am I missing some access method to PCI configuration space
down in the kernel or is pci_confl_read/write pretty much it? Any
ideas what would possibly be trying to overwrite all of PCI
configuration space like this?
_any_ ideas are most welcome..
thanks
dan
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: PCI BAR register space written with garbage in HVM guest.
2010-03-16 1:09 PCI BAR register space written with garbage in HVM guest Dan Gora
@ 2010-03-16 1:48 ` Konrad Rzeszutek Wilk
2010-03-16 2:55 ` Dan Gora
2010-03-16 10:24 ` Jan Beulich
2010-03-17 0:14 ` Dan Gora
2 siblings, 1 reply; 14+ messages in thread
From: Konrad Rzeszutek Wilk @ 2010-03-16 1:48 UTC (permalink / raw)
To: Dan Gora; +Cc: xen-devel
On Mon, Mar 15, 2010 at 10:09:28PM -0300, Dan Gora wrote:
> Hi All,
>
> I'm having a problem where if I pass through two instances of my
> device to a HVM domU, one of the board instances is having it's PCI
> BAR registers overwritten with garbage by some unknown actor 30
> seconds to a minute after I load my driver. I cannnot for the life of
> me find what might possibly be overwriting the BAR registers.
>
> I've added a debugging printf to XEN in
> xen/arch/x86/pci.c:pci_conf_write() and I can see the entire PCI BAR
> address space being overwritten with garbage:
>
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080000 offset=0x0
> bytes=4 value=0xffffffff
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080004 offset=0x0
> bytes=4 value=0x1600ffff
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080008 offset=0x0
> bytes=4 value=0x64d5323e
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x8008000c offset=0x0
> bytes=4 value=0x450008
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080010 offset=0x0
> bytes=4 value=0xa7e54002
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080014 offset=0x0
> bytes=4 value=0x11400000
Wow.. That is impressive. Are the values always the same? Or are they
truly random?
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080018 offset=0x0
> bytes=4 value=0x693
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x8008001c offset=0x0
> bytes=4 value=0xffff0000
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080020 offset=0x0
> bytes=4 value=0x4400ffff
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080024 offset=0x0
> bytes=4 value=0x2c024300
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080028 offset=0x0
> bytes=4 value=0x1012dac
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x8008002c offset=0x0
> bytes=4 value=0xa1c30006
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080030 offset=0x0
> bytes=4 value=0xa00040d
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080034 offset=0x0
> bytes=4 value=0x0
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080038 offset=0x0
> bytes=4 value=0x0
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x8008003c offset=0x0
> bytes=4 value=0x0
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080040 offset=0x0
> bytes=4 value=0x0
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080044 offset=0x0
> bytes=4 value=0x16000000
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080048 offset=0x0
> bytes=4 value=0x64d5323e
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x8008004c offset=0x0
> bytes=4 value=0x0
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080050 offset=0x0
> bytes=4 value=0x0
> <snipped, rest of PCI BAR registers written with 0x0...>
>
> I've added printks to the dom0 and domU kernels in the
> pci_bus_write_config_##size() macros in drivers/pci/access.c and in
> arch/x86/pci/direct.c to print every time the kernel accesses PCI
> configuration space, but I only see these printfs when my driver
> access my board's PCI configuration space or some other driver
> accesses PCI configuration space, but I do NOT see them when this PCI
> BAR register space trashing happens.
>
> So I noticed also that lspci does not cause these kernel printfs to
> occur and upon reading the pciutils source code I learned that pretty
> much anything which can do an outl() to 0xcf8/0xcfc can mess with PCI
> configuration space.
>
> So now I figure it must be some user space thing unless I'm just
> missing some other way which the kernel or XEN can access PCI
> configuration space, but what could it possibly be?
>
> This problem only occurs in HVM guests and only seems to occur when I
> pass two instances of my device to the domU and only occurs many many
> seconds after I load my driver (30-60 seconds). I'm absolutely sure
> that it's not my driver because the kernel printfs show up when my
> driver accesses PCI configuration space.
>
> I'm really pretty much at a loss as even how to debug this. There
> doesn't appear to be any dump_stack() in XEN so that I can see what
> called pci_conf_write() in XEN, but even then it appears that it only
> gets called as a trap from the dom0 or domU. It's not clear to me if
> you can even see what process/stack actually caused the trap back in
> the dom0 or domU. Is that possible?
You could instrument the code (Xen) to crash the DomU domain when you
detect garbage. Then you can pick at with xenctx to look at its stack..etc
>
> Is there anything else that I should look at? qemu? pciback?
> pcifront? Am I missing some access method to PCI configuration space
> down in the kernel or is pci_confl_read/write pretty much it? Any
QEMU uses libpci, which is the same as lspci, and that looks to work.
You can crank up the verbosity of pciback and pcifront with its
parameters to see if they are the ones doing this. But your domain is
HVM DomU so the pcifront/pciback is not utilized.
That narrows it down to QEMU or the Dom0 kernel.
> ideas what would possibly be trying to overwrite all of PCI
> configuration space like this?
>
> _any_ ideas are most welcome..
>
> thanks
> dan
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xensource.com
> http://lists.xensource.com/xen-devel
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: PCI BAR register space written with garbage in HVM guest.
2010-03-16 1:48 ` Konrad Rzeszutek Wilk
@ 2010-03-16 2:55 ` Dan Gora
2010-03-16 10:27 ` Jan Beulich
2010-03-16 15:20 ` Konrad Rzeszutek Wilk
0 siblings, 2 replies; 14+ messages in thread
From: Dan Gora @ 2010-03-16 2:55 UTC (permalink / raw)
To: Konrad Rzeszutek Wilk; +Cc: xen-devel
On Mon, Mar 15, 2010 at 10:48 PM, Konrad Rzeszutek Wilk
<konrad.wilk@oracle.com> wrote:
>> I've added a debugging printf to XEN in
>> xen/arch/x86/pci.c:pci_conf_write() and I can see the entire PCI BAR
>> address space being overwritten with garbage:
>>
>> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080000 offset=0x0
>> bytes=4 value=0xffffffff
>> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080004 offset=0x0
>> bytes=4 value=0x1600ffff
>> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080008 offset=0x0
>> bytes=4 value=0x64d5323e
>> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x8008000c offset=0x0
>> bytes=4 value=0x450008
>> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080010 offset=0x0
>> bytes=4 value=0xa7e54002
>> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080014 offset=0x0
>> bytes=4 value=0x11400000
>
> Wow.. That is impressive. Are the values always the same? Or are they
> truly random?
I'm pretty sure that they are always the same...
>> I'm really pretty much at a loss as even how to debug this. There
>> doesn't appear to be any dump_stack() in XEN so that I can see what
>> called pci_conf_write() in XEN, but even then it appears that it only
>> gets called as a trap from the dom0 or domU. It's not clear to me if
>> you can even see what process/stack actually caused the trap back in
>> the dom0 or domU. Is that possible?
>
> You could instrument the code (Xen) to crash the DomU domain when you
> detect garbage. Then you can pick at with xenctx to look at its stack..etc
This is where I could really use some help... Is it possible crash
only the domU from with xen? What would it leave behind to analyze
with xenctx?
>>
>> Is there anything else that I should look at? qemu? pciback?
>> pcifront? Am I missing some access method to PCI configuration space
>> down in the kernel or is pci_confl_read/write pretty much it? Any
>
> QEMU uses libpci, which is the same as lspci, and that looks to work.
>
> You can crank up the verbosity of pciback and pcifront with its
> parameters to see if they are the ones doing this. But your domain is
> HVM DomU so the pcifront/pciback is not utilized.
>
Yeah I tried that and there doesn't appear to be anything going on there.
<aside>
What is pcifront/pciback's role for HVM guests exactly? I understand
that you "hide" the devices from the dom0 with pciback and it
definately loads and does *something* when the HVM guest comes up, but
accesses from the domU don't appear to go through it at all (I
understand that it works with qemu somehow, but that channel too is
not at all clear how it works...)
I've looked through qemu enough to kind of understand that it's
responsible for abstracting the PCI configuration space for the domU,
but I don't really understand how accesses get channeled through to it
from the domU. Does it use hypercalls somehow? Can someone explain
how this whole flow is supposed to work for PCI configuration space
accesses?
</aside>
> That narrows it down to QEMU or the Dom0 kernel.
Yeah that's what I figured.. I instrumented qemu a bit and also did
not see anything going on in there, but I'm not at the office anymore
so I cannot tell you exactly what functions I instrumented. I'm going
to look into this more tomorrow.
thanks a lot for your help...
dan
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: PCI BAR register space written with garbage in HVM guest.
2010-03-16 1:09 PCI BAR register space written with garbage in HVM guest Dan Gora
2010-03-16 1:48 ` Konrad Rzeszutek Wilk
@ 2010-03-16 10:24 ` Jan Beulich
2010-03-17 0:14 ` Dan Gora
2 siblings, 0 replies; 14+ messages in thread
From: Jan Beulich @ 2010-03-16 10:24 UTC (permalink / raw)
To: Dan Gora; +Cc: xen-devel
>>> Dan Gora <dan.gora@gmail.com> 16.03.10 02:09 >>>
>I'm really pretty much at a loss as even how to debug this. There
>doesn't appear to be any dump_stack() in XEN so that I can see what
>called pci_conf_write() in XEN, but even then it appears that it only
>gets called as a trap from the dom0 or domU. It's not clear to me if
>you can even see what process/stack actually caused the trap back in
>the dom0 or domU. Is that possible?
show_execution_state(guest_cpu_user_regs());
Jan
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: PCI BAR register space written with garbage in HVM guest.
2010-03-16 2:55 ` Dan Gora
@ 2010-03-16 10:27 ` Jan Beulich
2010-03-16 15:20 ` Konrad Rzeszutek Wilk
1 sibling, 0 replies; 14+ messages in thread
From: Jan Beulich @ 2010-03-16 10:27 UTC (permalink / raw)
To: Dan Gora; +Cc: xen-devel, Konrad Rzeszutek Wilk
>>> Dan Gora <dan.gora@gmail.com> 16.03.10 03:55 >>>
>This is where I could really use some help... Is it possible crash
>only the domU from with xen? What would it leave behind to analyze
>with xenctx?
domain_crash(current->domain);
assuming the access happens in the context of the DomU. If it happens
in Dom0's context (e.g. coming from qemu) you'd still kill the whole
system with this, so be careful.
Jan
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: PCI BAR register space written with garbage in HVM guest.
2010-03-16 2:55 ` Dan Gora
2010-03-16 10:27 ` Jan Beulich
@ 2010-03-16 15:20 ` Konrad Rzeszutek Wilk
2010-03-16 15:54 ` Jan Beulich
1 sibling, 1 reply; 14+ messages in thread
From: Konrad Rzeszutek Wilk @ 2010-03-16 15:20 UTC (permalink / raw)
To: Dan Gora; +Cc: xen-devel
> <aside>
> What is pcifront/pciback's role for HVM guests exactly? I understand
None functionaly. The purpose is to "bind" the PCI devices to pciback
(or pcistub) so that no other kernel module usurps it and starts
utilizing it.
> that you "hide" the devices from the dom0 with pciback and it
> definately loads and does *something* when the HVM guest comes up, but
> accesses from the domU don't appear to go through it at all (I
> understand that it works with qemu somehow, but that channel too is
> not at all clear how it works...)
With HVM pciback is not used. You need an virtualization aware IOMMU to
pass through PCI devices to the guest. PCIback/PCI front is for PV
guests and on machine where you don't neccessarily have this fancy
IOMMU.
> I've looked through qemu enough to kind of understand that it's
> responsible for abstracting the PCI configuration space for the domU,
> but I don't really understand how accesses get channeled through to it
> from the domU. Does it use hypercalls somehow? Can someone explain
The Hypervisor gets "trapped" when an outb is made (look for
emulate_privileged_op function and specifically out).
Then it somehow injects the fault in QEMU which does the rest. I don't
remember the details of how it does thought :-(
> how this whole flow is supposed to work for PCI configuration space
> accesses?
> </aside>
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: PCI BAR register space written with garbage in HVM guest.
2010-03-16 15:20 ` Konrad Rzeszutek Wilk
@ 2010-03-16 15:54 ` Jan Beulich
0 siblings, 0 replies; 14+ messages in thread
From: Jan Beulich @ 2010-03-16 15:54 UTC (permalink / raw)
To: Dan Gora, Konrad Rzeszutek Wilk; +Cc: xen-devel
>>> Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> 16.03.10 16:20 >>>
>The Hypervisor gets "trapped" when an outb is made (look for
>emulate_privileged_op function and specifically out).
No, that's only the path taken for pv guests. HVM guests use special
exit events for trapping I/O instructions.
Jan
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: PCI BAR register space written with garbage in HVM guest.
2010-03-16 1:09 PCI BAR register space written with garbage in HVM guest Dan Gora
2010-03-16 1:48 ` Konrad Rzeszutek Wilk
2010-03-16 10:24 ` Jan Beulich
@ 2010-03-17 0:14 ` Dan Gora
2010-03-17 2:46 ` Konrad Rzeszutek Wilk
2010-03-18 2:14 ` Dan Gora
2 siblings, 2 replies; 14+ messages in thread
From: Dan Gora @ 2010-03-17 0:14 UTC (permalink / raw)
To: xen-devel
Hi all,
So I have definately tracked the writes as coming from qemu-dm, but
I'm still having trouble with finding out what is causing it. I can
now see the writes occuring down in the kernel (I only had
pci_read_bus_XX traced, I didn't have pci_read_user_XX traced before..
sigh...) and I can also see the problem occuring with strace as well,
but I still cannot find where in qemu corresponds to this behavior...
So here is what I see:
Recall that from Xen HV I can see the bad writes occuring:
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080000 offset=0x0
> bytes=4 value=0xffffffff
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080004 offset=0x0
> bytes=4 value=0x1600ffff
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080008 offset=0x0
> bytes=4 value=0x64d5323e
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x8008000c offset=0x0
> bytes=4 value=0x450008
I also traced the dom0 kernel better and can now also see these same
writes occuring:
Mar 16 21:35:49 sunblade1 kernel: pci_conf1_write: writing 8:0 reg 0x0
len=4 value=0xffffffff
Mar 16 21:35:49 sunblade1 kernel: Pid: 5904, comm: qemu-dm Tainted: G
2.6.27.19-5-xen.dan #7
Mar 16 21:35:49 sunblade1 kernel:
Mar 16 21:35:49 sunblade1 kernel: Call Trace:
Mar 16 21:35:49 sunblade1 kernel: [<ffffffff8020c55a>] dump_trace+0xba/0x379
Mar 16 21:35:49 sunblade1 kernel: [<ffffffff8020c867>]
show_trace_log_lvl+0x4e/0x69
Mar 16 21:35:49 sunblade1 kernel: [<ffffffff8020d5d8>] show_trace+0x15/0x19
Mar 16 21:35:49 sunblade1 kernel: [<ffffffff8048d873>] dump_stack+0x77/0x80
Mar 16 21:35:49 sunblade1 kernel: [<ffffffff80407a92>]
pci_conf1_write+0x86/0x113
Mar 16 21:35:49 sunblade1 kernel: [<ffffffff8040940f>] raw_pci_write+0x24/0x3d
Mar 16 21:35:49 sunblade1 kernel: [<ffffffff80409482>] pci_write+0x2c/0x2e
Mar 16 21:35:49 sunblade1 kernel: [<ffffffff8035ec0f>]
pci_user_write_config_dword+0x62/0xba
Mar 16 21:35:49 sunblade1 kernel: [<ffffffff80364e49>]
pci_write_config+0x110/0x192
Mar 16 21:35:49 sunblade1 kernel: [<ffffffff802ff3eb>] write+0xf5/0x12f
Mar 16 21:35:49 sunblade1 kernel: [<ffffffff802a9bea>] vfs_write+0xb3/0x15c
Mar 16 21:35:49 sunblade1 kernel: [<ffffffff802a9d61>] sys_write+0x4c/0x75
Mar 16 21:35:49 sunblade1 kernel: [<ffffffff8020b7f2>] tracesys+0xaf/0xb4
Mar 16 21:35:49 sunblade1 kernel: [<00007f05d53f97fb>] 0x7f05d53f97fb
Mar 16 21:35:49 sunblade1 kernel:
Mar 16 21:35:49 sunblade1 kernel: pci_conf1_write: writing 8:0 reg 0x4
len=4 value=0x1600ffff
Mar 16 21:35:49 sunblade1 kernel: Pid: 5904, comm: qemu-dm Tainted: G
2.6.27.19-5-xen.dan #7
Mar 16 21:35:49 sunblade1 kernel:
Mar 16 21:35:49 sunblade1 kernel: Call Trace:
Mar 16 21:35:49 sunblade1 kernel: [<ffffffff8020c55a>] dump_trace+0xba/0x379
Mar 16 21:35:49 sunblade1 kernel: [<ffffffff8020c867>]
show_trace_log_lvl+0x4e/0x69
Mar 16 21:35:49 sunblade1 kernel: [<ffffffff8020d5d8>] show_trace+0x15/0x19
Mar 16 21:35:49 sunblade1 kernel: [<ffffffff8048d873>] dump_stack+0x77/0x80
Mar 16 21:35:49 sunblade1 kernel: [<ffffffff80407a92>]
pci_conf1_write+0x86/0x113
Mar 16 21:35:49 sunblade1 kernel: [<ffffffff8040940f>] raw_pci_write+0x24/0x3d
Mar 16 21:35:49 sunblade1 kernel: [<ffffffff80409482>] pci_write+0x2c/0x2e
Mar 16 21:35:49 sunblade1 kernel: [<ffffffff8035ec0f>]
pci_user_write_config_dword+0x62/0xba
Mar 16 21:35:49 sunblade1 kernel: [<ffffffff80364e49>]
pci_write_config+0x110/0x192
Mar 16 21:35:49 sunblade1 kernel: [<ffffffff802ff3eb>] write+0xf5/0x12f
Mar 16 21:35:49 sunblade1 kernel: [<ffffffff802a9bea>] vfs_write+0xb3/0x15c
Mar 16 21:35:49 sunblade1 kernel: [<ffffffff802a9d61>] sys_write+0x4c/0x75
Mar 16 21:35:49 sunblade1 kernel: [<ffffffff8020b7f2>] tracesys+0xaf/0xb4
Mar 16 21:35:50 sunblade1 kernel: [<00007f05d53f97fb>] 0x7f05d53f97fb
Mar 16 21:35:50 sunblade1 kernel:
I also traced qemu-dm with strace and found the culprit:
5904 21:35:47 [ 7f05d3b68b2b]
open("/sys/bus/pci/devices/0000:08:00.0/config", O_RDWR) = 6
5904 21:35:47 [ 7f05d53fa3c8] pwrite(6, "\6\1", 2, 4) = 2
5904 21:35:47 [ 7f05d3b6eb77] ioctl(16, EVIOCGKEYCODE, 0x7fffdde98890) = 0
5904 21:35:47 [ 7f05d53f987b] read(4, 0x7fffdde98870, 16) = -1
EAGAIN (Resource temporarily unavailable)
5904 21:35:47 [ 7fffddf437dc] clock_gettime(CLOCK_MONOTONIC,
{1724, 868201462}) = 0
5904 21:35:47 [ 7fffddf437dc] clock_gettime(CLOCK_MONOTONIC,
{1724, 868259075}) = 0
<snip>
5904 21:35:48 [ 7f05d53f987b] read(16, "o\0\0\0", 4) = 4
5904 21:35:48 [ 7f05d53f97fb] write(16, "o\0\0\0", 4) = 4
5904 21:35:48 [ 7f05d53f97fb] write(6,
"\377\377\377\377\377\377\0\26>2\325d\10\0E\0\2@\0\354\0\0@\21w\302\0\0\0\0\377\377"...,
590) = 256
Notice the length of 590 bytes! The EIP also matches what the kernel
thinks was the syscall which caused the write.
Anyone have any idea where this could be happening in qemu? I'm
pretty sure that it's not originating with the domU because I traced
the domU kenrel's pci config access routines pci_conf1_write/read the
same way as the dom0's and there are no printfs in the domU kernel
when this occurs.
Again, thanks for all the help,
dan
On Mon, Mar 15, 2010 at 10:09 PM, Dan Gora <dan.gora@gmail.com> wrote:
> Hi All,
>
> I'm having a problem where if I pass through two instances of my
> device to a HVM domU, one of the board instances is having it's PCI
> BAR registers overwritten with garbage by some unknown actor 30
> seconds to a minute after I load my driver. I cannnot for the life of
> me find what might possibly be overwriting the BAR registers.
>
> I've added a debugging printf to XEN in
> xen/arch/x86/pci.c:pci_conf_write() and I can see the entire PCI BAR
> address space being overwritten with garbage:
>
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080000 offset=0x0
> bytes=4 value=0xffffffff
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080004 offset=0x0
> bytes=4 value=0x1600ffff
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080008 offset=0x0
> bytes=4 value=0x64d5323e
> (XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x8008000c offset=0x0
> bytes=4 value=0x450008
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: Re: PCI BAR register space written with garbage in HVM guest.
2010-03-17 0:14 ` Dan Gora
@ 2010-03-17 2:46 ` Konrad Rzeszutek Wilk
2010-03-17 3:31 ` Dan Gora
2010-03-18 2:14 ` Dan Gora
1 sibling, 1 reply; 14+ messages in thread
From: Konrad Rzeszutek Wilk @ 2010-03-17 2:46 UTC (permalink / raw)
To: Dan Gora; +Cc: xen-devel
> open("/sys/bus/pci/devices/0000:08:00.0/config", O_RDWR) = 6
> 5904 21:35:47 [ 7f05d53fa3c8] pwrite(6, "\6\1", 2, 4) = 2
> 5904 21:35:47 [ 7f05d3b6eb77] ioctl(16, EVIOCGKEYCODE, 0x7fffdde98890) = 0
> 5904 21:35:47 [ 7f05d53f987b] read(4, 0x7fffdde98870, 16) = -1
> EAGAIN (Resource temporarily unavailable)
> 5904 21:35:47 [ 7fffddf437dc] clock_gettime(CLOCK_MONOTONIC,
> {1724, 868201462}) = 0
> 5904 21:35:47 [ 7fffddf437dc] clock_gettime(CLOCK_MONOTONIC,
> {1724, 868259075}) = 0
There is a snippet of QEMU that has that (hw/pass-through.c),
function pt_pci_write_config:
.. snip ..
ret = pci_write_block(pci_dev, address, (uint8_t *)&val, len);
if (!ret)
PT_LOG("Error: pci_write_block failed. return value[%d].\n",
ret);
}
if (pm_state != NULL && pm_state->flags & PT_FLAG_TRANSITING)
/* set QEMUTimer */
qemu_mod_timer(pm_state->pm_timer,
(qemu_get_clock(rt_clock) + pm_state->pm_delay));
>
> <snip>
>
> 5904 21:35:48 [ 7f05d53f987b] read(16, "o\0\0\0", 4) = 4
> 5904 21:35:48 [ 7f05d53f97fb] write(16, "o\0\0\0", 4) = 4
> 5904 21:35:48 [ 7f05d53f97fb] write(6,
> "\377\377\377\377\377\377\0\26>2\325d\10\0E\0\2@\0\354\0\0@\21w\302\0\0\0\0\377\377"...,
> 590) = 256
I would turn on all of those debug options and see if anything is
happening.
Actually I would instrument all of the 'pci_write_block' calls.
>
> Notice the length of 590 bytes! The EIP also matches what the kernel
> thinks was the syscall which caused the write.
>
> Anyone have any idea where this could be happening in qemu? I'm
Can you attach debug to it? Or maybe run 'objdump' on the qemu-dm and
see if the address correspond to some code in it?
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: Re: PCI BAR register space written with garbage in HVM guest.
2010-03-17 2:46 ` Konrad Rzeszutek Wilk
@ 2010-03-17 3:31 ` Dan Gora
0 siblings, 0 replies; 14+ messages in thread
From: Dan Gora @ 2010-03-17 3:31 UTC (permalink / raw)
To: Konrad Rzeszutek Wilk; +Cc: xen-devel
On Tue, Mar 16, 2010 at 11:46 PM, Konrad Rzeszutek Wilk
<konrad.wilk@oracle.com> wrote:
> There is a snippet of QEMU that has that (hw/pass-through.c),
> function pt_pci_write_config:
>
> .. snip ..
> ret = pci_write_block(pci_dev, address, (uint8_t *)&val, len);
>
> if (!ret)
> PT_LOG("Error: pci_write_block failed. return value[%d].\n",
> ret);
> }
>
> if (pm_state != NULL && pm_state->flags & PT_FLAG_TRANSITING)
> /* set QEMUTimer */
> qemu_mod_timer(pm_state->pm_timer,
> (qemu_get_clock(rt_clock) + pm_state->pm_delay));
I turned on all the debugging in there and I see messages, but none
when the bad writes occur, which made me think that they were not
coming from there...
>> <snip>
>>
>> 5904 21:35:48 [ 7f05d53f987b] read(16, "o\0\0\0", 4) = 4
>> 5904 21:35:48 [ 7f05d53f97fb] write(16, "o\0\0\0", 4) = 4
>> 5904 21:35:48 [ 7f05d53f97fb] write(6,
>> "\377\377\377\377\377\377\0\26>2\325d\10\0E\0\2@\0\354\0\0@\21w\302\0\0\0\0\377\377"...,
>> 590) = 256
>
> I would turn on all of those debug options and see if anything is
> happening.
done.. nothing :( At least not during the error.
> Actually I would instrument all of the 'pci_write_block' calls.
I'll try that tomorrow...
> Can you attach debug to it? Or maybe run 'objdump' on the qemu-dm and
> see if the address correspond to some code in it?
Yes I can debug it, but really the only thing that I have to hang my
hat on is write(). So I figure that it must be coming from pciutils
since it's messing with /sys/bus/pci, but I don't really know much
about pciutils so wasn't sure what to grep around for.
I'll try and trace the pci_write_block calls and put gdb on it
tomorrow and see if anything pops up.
thanks,
dan
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: PCI BAR register space written with garbage in HVM guest.
2010-03-17 0:14 ` Dan Gora
2010-03-17 2:46 ` Konrad Rzeszutek Wilk
@ 2010-03-18 2:14 ` Dan Gora
[not found] ` <20100318143207.GF14445@phenom.dumpdata.com>
1 sibling, 1 reply; 14+ messages in thread
From: Dan Gora @ 2010-03-18 2:14 UTC (permalink / raw)
To: xen-devel
Hi all,
I apologize for the length of this message, but I figured that it was
probably better to supply too much info rather than too little...
I've made some good progress debugging this today. The problem looks
pretty bizarre...
I finally figured out how to trap the problem in gdb with the help of
the conditional break point. Since I know that it's a write to fd 6
of length 590 bytes I just make gdb break on that:
(gdb) disass write
Dump of assembler code for function write:
0x00007f2c3afe07b0 <write+0>: cmpl $0x0,0x20db59(%rip) #
0x7f2c3b1ee310 <__pthread_multiple_threads>
0x00007f2c3afe07b7 <write+7>: jne 0x7f2c3afe07c9 <write+25>
0x00007f2c3afe07b9 <__write_nocancel+0>: mov $0x1,%eax
0x00007f2c3afe07be <__write_nocancel+5>: syscall
0x00007f2c3afe07c0 <__write_nocancel+7>: cmp $0xfffffffffffff001,%rax
0x00007f2c3afe07c6 <__write_nocancel+13>: jae 0x7f2c3afe081b
<write+107>
0x00007f2c3afe07c8 <__write_nocancel+15>: retq
0x00007f2c3afe07c9 <write+25>: sub $0x28,%rsp
0x00007f2c3afe07cd <write+29>: mov %rdi,0x8(%rsp)
0x00007f2c3afe07d2 <write+34>: mov %rsi,0x10(%rsp)
0x00007f2c3afe07d7 <write+39>: mov %rdx,0x18(%rsp)
0x00007f2c3afe07dc <write+44>: callq 0x7f2c3afe0380
<__pthread_enable_asynccancel>
0x00007f2c3afe07e1 <write+49>: mov 0x8(%rsp),%rdi
0x00007f2c3afe07e6 <write+54>: mov 0x10(%rsp),%rsi
0x00007f2c3afe07eb <write+59>: mov 0x18(%rsp),%rdx
0x00007f2c3afe07f0 <write+64>: mov %rax,(%rsp)
0x00007f2c3afe07f4 <write+68>: mov $0x1,%eax
0x00007f2c3afe07f9 <write+73>: syscall
0x00007f2c3afe07fb <write+75>: mov (%rsp),%rdi
0x00007f2c3afe07ff <write+79>: mov %rax,0x8(%rsp)
0x00007f2c3afe0804 <write+84>: callq 0x7f2c3afe0350
<__pthread_disable_asynccancel>
0x00007f2c3afe0809 <write+89>: mov 0x8(%rsp),%rax
0x00007f2c3afe080e <write+94>: add $0x28,%rsp
0x00007f2c3afe0812 <write+98>: cmp $0xfffffffffffff001,%rax
0x00007f2c3afe0818 <write+104>: jae 0x7f2c3afe081b <write+107>
0x00007f2c3afe081a <write+106>: retq
0x00007f2c3afe081b <write+107>: mov 0x20977e(%rip),%rcx #
0x7f2c3b1e9fa0
0x00007f2c3afe0822 <write+114>: xor %edx,%edx
0x00007f2c3afe0824 <write+116>: sub %rax,%rdx
0x00007f2c3afe0827 <write+119>: mov %edx,%fs:(%rcx)
0x00007f2c3afe082a <write+122>: or $0xffffffffffffffff,%rax
0x00007f2c3afe082e <write+126>: jmp 0x7f2c3afe081a <write+106>
End of assembler dump.
(gdb) break *0x00007f2c3afe07f4 if $rdi == 6 && $rdx == 590
Breakpoint 1 at 0x7f2c3afe07f4
(gdb) info break
Num Type Disp Enb Address What
1 breakpoint keep y 0x00007f2c3afe07f4 <write+68>
stop only if $rdi == 6 && $rdx == 590
===================
Here the breakpoint fires, but the bad writes do not occur when we perform
the syscall.
===================
Breakpoint 1, 0x00007f2c3afe07f4 in write () from /lib64/libpthread.so.0
(gdb) bt
#0 0x00007f2c3afe07f4 in write () from /lib64/libpthread.so.0
#1 0x000000000040746d in tap_receive (opaque=0xa940f0,
buf=0x7fff43a7f080 "������", size=<value optimized out>)
at /home/dg/rpmbuild/BUILD/xen-3.3.1-testing/tools/ioemu-dir/vl.c:4079
#2 0x0000000000407081 in qemu_send_packet (vc1=0xaf99d0,
buf=0x7fff43a7f080 "������", size=590)
at /home/dg/rpmbuild/BUILD/xen-3.3.1-testing/tools/ioemu-dir/vl.c:3865
#3 0x00000000004235a0 in rtl8139_transmit_one (s=0xaf9780,
descriptor=<value optimized out>)
at /home/dg/rpmbuild/BUILD/xen-3.3.1-testing/tools/ioemu-dir/hw/rtl8139.c:1810
#4 0x0000000000424ae7 in rtl8139_io_writel (opaque=0x6,
addr=<value optimized out>, val=524878)
at /home/dg/rpmbuild/BUILD/xen-3.3.1-testing/tools/ioemu-dir/hw/rtl8139.c:2367
#5 0x00000000004726a3 in cpu_physical_memory_rw (_addr=<value optimized out>,
buf=0x7f2c3ba7e018 <Address 0x7f2c3ba7e018 out of bounds>,
_len=<value optimized out>, is_write=1) at exec-dm.c:510
#6 0x00000000004a4703 in cpu_ioreq_move (env=<value optimized out>,
req=0x7f2c3ba7e000) at helper2.c:319
#7 0x00000000004a4fb1 in cpu_handle_ioreq (opaque=<value optimized out>)
at helper2.c:508
#8 0x000000000040aeb4 in main_loop_wait (timeout=10)
at /home/dg/rpmbuild/BUILD/xen-3.3.1-testing/tools/ioemu-dir/vl.c:7175
#9 0x00000000004a4dbd in main_loop () at helper2.c:571
#10 0x000000000040feb3 in main (argc=20, argv=0x7fff43a82968)
at /home/dg/rpmbuild/BUILD/xen-3.3.1-testing/tools/ioemu-dir/vl.c:8950
========================
Here is the data buffer that is being written by rtl8139_transmit():
Notice that it looks like an ethernet frame! But it is being written
down the sysfs pci configuration space descriptor!
========================
(gdb) x/590xb 0x7fff43a7f080
0x7fff43a7f080: 0xff 0xff 0xff 0xff 0xff 0xff 0x00 0x16
0x7fff43a7f088: 0x3e 0x32 0xd5 0x64 0x08 0x00 0x45 0x00
0x7fff43a7f090: 0x02 0x40 0x91 0x0d 0x00 0x00 0x40 0x11
0x7fff43a7f098: 0xe7 0xa0 0x00 0x00 0x00 0x00 0xff 0xff
0x7fff43a7f0a0: 0xff 0xff 0x00 0x44 0x00 0x43 0x02 0x2c
0x7fff43a7f0a8: 0xc4 0xb7 0x01 0x01 0x06 0x00 0xae 0xb8
0x7fff43a7f0b0: 0x09 0x63 0x00 0x0a 0x00 0x00 0x00 0x00
0x7fff43a7f0b8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff43a7f0c0: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x16
0x7fff43a7f0c8: 0x3e 0x32 0xd5 0x64 0x00 0x00 0x00 0x00
0x7fff43a7f0d0: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff43a7f0d8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff43a7f0e0: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff43a7f0e8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff43a7f0f0: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fff43a7f0f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
=================================
So we load and unload my driver in the domU. After several
seconds the breakpoint hits again and the bad writes actually happen
when we do the write() system call
================================
Breakpoint 1, 0x00007f2c3afe07f4 in write () from /lib64/libpthread.so.0
(gdb) info regi
rax 0x0 0
rbx 0x24e 590
rcx 0x0 0
rdx 0x24e 590
rsi 0x7fff43a7f080 140734328467584
rdi 0x6 6
rbp 0x7fff43a7f080 0x7fff43a7f080
rsp 0x7fff43a7f000 0x7fff43a7f000
r8 0x6 6
r9 0x43e 1086
r10 0x7fff43a811d0 140734328476112
r11 0x202 514
r12 0xa940f0 11092208
r13 0x7fff43a7f080 140734328467584
r14 0x7f2c3ba7e018 139827956146200
r15 0x1 1
rip 0x7f2c3afe07f4 0x7f2c3afe07f4 <write+68>
eflags 0x202 [ IF ]
cs 0x33 51
ss 0xe02b 57387
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
(gdb) x/10i $rip
0x7f2c3afe07f4 <write+68>: mov $0x1,%eax
0x7f2c3afe07f9 <write+73>: syscall
0x7f2c3afe07fb <write+75>: mov (%rsp),%rdi
0x7f2c3afe07ff <write+79>: mov %rax,0x8(%rsp)
0x7f2c3afe0804 <write+84>:
callq 0x7f2c3afe0350 <__pthread_disable_asynccancel>
0x7f2c3afe0809 <write+89>: mov 0x8(%rsp),%rax
0x7f2c3afe080e <write+94>: add $0x28,%rsp
0x7f2c3afe0812 <write+98>: cmp $0xfffffffffffff001,%rax
0x7f2c3afe0818 <write+104>: jae 0x7f2c3afe081b <write+107>
0x7f2c3afe081a <write+106>: retq
(gdb) x/20xb 0x7fff43a7f080
0x7fff43a7f080: 0xff 0xff 0xff 0xff 0xff 0xff 0x00 0x16
0x7fff43a7f088: 0x3e 0x32 0xd5 0x64 0x08 0x00 0x45 0x00
0x7fff43a7f090: 0x02 0x40 0x91 0x0f
=========================
Now do the system call...
=========================
(gdb) si
Breakpoint 2, 0x00007f2c3afe07f9 in write () from /lib64/libpthread.so.0
(gdb) si
0x00007f2c3afe07fb in write () from /lib64/libpthread.so.0
====================================
Here the problem occurs.. I see the PCI BAR space being overwritten
on the XEN console. The bad BAR registers exactly match the data.
====================================
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080000 offset=0x0 bytes=4 val
ue=0xffffffff
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080004 offset=0x0 bytes=4 val
ue=0x1600ffff
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080008 offset=0x0 bytes=4 val
ue=0x64d5323e
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x8008000c offset=0x0 bytes=4 val
ue=0x450008
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080010 offset=0x0 bytes=4 val
ue=0xf914002
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080014 offset=0x0 bytes=4 val
ue=0x11400000
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080018 offset=0x0 bytes=4 val
ue=0x9ee7
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x8008001c offset=0x0 bytes=4 val
ue=0xffff0000
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080020 offset=0x0 bytes=4 val
ue=0x4400ffff
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080024 offset=0x0 bytes=4 val
ue=0x2c024300
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x80080028 offset=0x0 bytes=4 val
ue=0x101b7c4
(XEN) xen/arch/x86/pci.c: pci_conf_write: cf8=0x8008002c offset=0x0 bytes=4 val
ue=0xb8ae0006
========================
so let's go see what we can see....
========================
(gdb) bt
#0 0x00007f2c3afe07fb in write () from /lib64/libpthread.so.0
#1 0x000000000040746d in tap_receive (opaque=0xa940f0,
buf=0x7fff43a7f080 "������", size=<value optimized out>)
at /home/dg/rpmbuild/BUILD/xen-3.3.1-testing/tools/ioemu-dir/vl.c:4079
#2 0x0000000000407081 in qemu_send_packet (vc1=0xaf99d0,
buf=0x7fff43a7f080 "������", size=590)
at /home/dg/rpmbuild/BUILD/xen-3.3.1-testing/tools/ioemu-dir/vl.c:3865
#3 0x00000000004235a0 in rtl8139_transmit_one (s=0xaf9780,
descriptor=<value optimized out>)
at /home/dg/rpmbuild/BUILD/xen-3.3.1-testing/tools/ioemu-dir/hw/rtl8139.c:1810
#4 0x0000000000424ae7 in rtl8139_io_writel (opaque=0x6,
addr=<value optimized out>, val=524878)
at /home/dg/rpmbuild/BUILD/xen-3.3.1-testing/tools/ioemu-dir/hw/rtl8139.c:2367
#5 0x00000000004726a3 in cpu_physical_memory_rw (_addr=<value optimized out>,
buf=0x7f2c3ba7e018 <Address 0x7f2c3ba7e018 out of bounds>,
_len=<value optimized out>, is_write=1) at exec-dm.c:510
#6 0x00000000004a4703 in cpu_ioreq_move (env=<value optimized out>,
req=0x7f2c3ba7e000) at helper2.c:319
#7 0x00000000004a4fb1 in cpu_handle_ioreq (opaque=<value optimized out>)
at helper2.c:508
#8 0x000000000040aeb4 in main_loop_wait (timeout=10)
at /home/dg/rpmbuild/BUILD/xen-3.3.1-testing/tools/ioemu-dir/vl.c:7175
#9 0x00000000004a4dbd in main_loop () at helper2.c:571
#10 0x000000000040feb3 in main (argc=20, argv=0x7fff43a82968)
at /home/dg/rpmbuild/BUILD/xen-3.3.1-testing/tools/ioemu-dir/vl.c:8950
(gdb)
(gdb) up
#1 0x000000000040746d in tap_receive (opaque=0xa940f0,
buf=0x7fff43a7f080 "������", size=<value optimized out>)
at /home/dg/rpmbuild/BUILD/xen-3.3.1-testing/tools/ioemu-dir/vl.c:4079
4079 ret = write(s->fd, buf, size); /* No error handling ?! */
(gdb) print *((TAPState*) opaque)
$2 = {vc = 0xa94910, fd = 6,
down_script = "/etc/xen/qemu-ifdown", '\0' <repeats 1003 times>,
script_arg = "br0", '\0' <repeats 1020 times>, next = 0x0}
(gdb) print *(VLANClientState*) 0xa94910
$3 = {fd_read = 0x407450 <tap_receive>, fd_can_read = 0, opaque = 0xa940f0,
next = 0xaf99d0, vlan = 0xa940a0,
info_str = "tap: ifname=tap1.0 setup_script=/etc/xen/qemu-ifup",
'\0' <repeats 205 times>}
(gdb) print *(VLANState*)0xa940a0
$4 = {id = 1, first_client = 0xa94910, next = 0x0, nb_guest_devs = 1,
nb_host_devs = 1}
(gdb) print *(VLANClientState*) 0xaf99d0
$5 = {fd_read = 0x4235e0 <rtl8139_receive>,
fd_can_read = 0x422770 <rtl8139_can_receive>, opaque = 0xaf9780, next = 0x0,
vlan = 0xa940a0,
info_str = "rtl8139 pci macaddr=00:16:3e:32:d5:64", '\0' <repeats 218 times>}
(gdb) up
#4 0x0000000000424ae7 in rtl8139_io_writel (opaque=0x6,
addr=<value optimized out>, val=524878)
at /home/dg/rpmbuild/BUILD/xen-3.3.1-testing/tools/ioemu-dir/hw/rtl8139.c:2367
2367 if (rtl8139_transmit_one(s, descriptor))
(gdb) up
#5 0x00000000004726a3 in cpu_physical_memory_rw (_addr=<value optimized out>,
buf=0x7f2c3ba7e018 <Address 0x7f2c3ba7e018 out of bounds>,
_len=<value optimized out>, is_write=1) at exec-dm.c:510
510
io_mem_write[io_index][2](io_mem_opaque[io_index], addr, val);
================================================
Here are the open files at the time.. Notice that fd 6 is open read only..
I don't understand how this write() is working....
================================================
sunblade1:root:bash 2047 => lsof -p 5820
<snip>
qemu-dm 5820 root 0r CHR 1,3 0t0 3278 /dev/null
qemu-dm 5820 root 1w REG 253,5 335301 606514
/var/log/xen/qemu-dm-node1.log
qemu-dm 5820 root 2w REG 253,5 335301 606514
/var/log/xen/qemu-dm-node1.log
qemu-dm 5820 root 3r DIR 253,5 4096 196635
/etc/init.d/rc3.d
qemu-dm 5820 root 4r FIFO 0,6 0t0 13302 pipe
qemu-dm 5820 root 5w FIFO 0,6 0t0 13302 pipe
qemu-dm 5820 root 6r REG 0,0 256 4132
/sys/devices/pci0000:00/0000:00:03.0/0000:07:00.0/0000:08:00.0/config
qemu-dm 5820 root 7u REG 0,3 0 4026538410
/proc/xen/privcmd
qemu-dm 5820 root 8u unix 0xffff8803cd8e6e80 0t0 13325 socket
qemu-dm 5820 root 9u BLK 8,6 0t512 1226 /dev/sda6
qemu-dm 5820 root 10u IPv4 13327 0t0 TCP
localhost:5901 (LISTEN)
qemu-dm 5820 root 11u CHR 5,2 0t0 3280 /dev/ptmx
qemu-dm 5820 root 12u CHR 136,2 0t0 4 /dev/pts/2
qemu-dm 5820 root 13w REG 253,5 881440 606516
/var/log/xen/xend.log
qemu-dm 5820 root 14u FIFO 253,5 0t0 461914
/var/run/tap/qemu-read-1
qemu-dm 5820 root 15u FIFO 253,5 0t0 461935
/var/run/tap/qemu-write-1
qemu-dm 5820 root 16u CHR 10,63 0t0 4375
/dev/xen/evtchn
qemu-dm 5820 root 18r REG 0,0 256 4080
/sys/devices/pci0000:00/0000:00:14.3/config
qemu-dm 5820 root 19r REG 0,0 256 4080
/sys/devices/pci0000:00/0000:00:14.3/config
qemu-dm 5820 root 20r REG 0,0 256 4123
/sys/devices/pci0000:00/0000:00:1f.3/config
qemu-dm 5820 root 21r REG 0,0 256 4123
/sys/devices/pci0000:00/0000:00:1f.3/config
qemu-dm 5820 root 22r FIFO 0,6 0t0 13336 pipe
qemu-dm 5820 root 23w FIFO 0,6 0t0 13336 pipe
qemu-dm 5820 root 28u FIFO 253,5 0t0 461937
/var/run/xend/dm-1-1268876464.fifo
======================================
So, I don't get it... There seem to be several questions here:
1) Why is the rtl driver trying to write into my board's sysfs configuration
space file? Is it possible that it's just getting the wrong path in sysfs
somehow? It seems like it should probably be opening a socket or something.
2) If the file descriptor is open read only, how is the write working?
So I changed the configuration file to only pass through one board:
Here is the configuration file:
=======================================
sunblade1:root:bash 2061 => cat node2.conf
import os, re
arch = os.uname()[4]
if re.search('64', arch):
arch_libdir = 'lib64'
else:
arch_libdir = 'lib'
kernel = "/usr/lib/xen/boot/hvmloader"
builder = 'hvm'
#memory = 512
memory = 2048
name = "node2"
vcpus = 8
pae = 1
acpi = 1
apic = 1
vif =['mac=00:16:3e:32:d5:64, bridge=br0, model=rtl8139']
disk =['phy:sda6,hda,w']
#disk =['phy:sda6,hda,w', 'phy:/dev/loop0,hdc,r']
on_poweroff = 'destroy'
on_reboot = 'restart'
on_crash = 'restart'
device_model = '/usr/' + arch_libdir + '/xen/bin/qemu-dm'
boot = "cd"
snapshot = 0
sdl = 0
opengl = 1
vnc = 1
vnclisten = "127.0.0.1"
vncdisplay = 1
vncunused = 0
vncpasswd = ''
nographic = 0
stdvga = 0
serial = 'pty'
#pci = ['08:00.0']
pci = ['0e:00.0']
#pci = ['08:00.0', '0e:00.0']
#pci = ['0e:00.0', '08:00.0']
#usb = 1
#usbdevice = 'mouse'
====================================
Which only differs from the original configuration file in the devices
that it exports:
====================================
sunblade1:root:bash 2050 => diff node1.conf node2.conf
13c13
< name = "node1"
---
> name = "node2"
38c38
< #pci = ['0e:00.0']
---
> pci = ['0e:00.0']
40c40
< pci = ['0e:00.0', '08:00.0']
---
> #pci = ['0e:00.0', '08:00.0']
====================================
After starting this domU, qemu doesn't have fd 6 open any more...
====================================
sunblade1:root:bash 2047 => lsof -p 5843
<snip>
qemu-dm 5843 root 0r CHR 1,3 0t0 3278 /dev/null
qemu-dm 5843 root 1w REG 253,5 304274 606587
/var/log/xen/qemu-dm-node2.log
qemu-dm 5843 root 2w REG 253,5 304274 606587
/var/log/xen/qemu-dm-node2.log
qemu-dm 5843 root 3r DIR 253,5 4096 196635
/etc/init.d/rc3.d
qemu-dm 5843 root 4r FIFO 0,6 0t0 13281 pipe
qemu-dm 5843 root 5w FIFO 0,6 0t0 13281 pipe
qemu-dm 5843 root 7u REG 0,3 0 4026538410
/proc/xen/privcmd
qemu-dm 5843 root 8u unix 0xffff8803cc809400 0t0 13313 socket
qemu-dm 5843 root 9u BLK 8,6 0t512 1281 /dev/sda6
qemu-dm 5843 root 10u IPv4 13315 0t0 TCP
localhost:5901 (LISTEN)
qemu-dm 5843 root 11u CHR 5,2 0t0 3280 /dev/ptmx
qemu-dm 5843 root 12u CHR 136,2 0t0 4 /dev/pts/2
qemu-dm 5843 root 13w REG 253,5 906611 606516
/var/log/xen/xend.log
qemu-dm 5843 root 14u FIFO 253,5 0t0 461914
/var/run/tap/qemu-read-1
qemu-dm 5843 root 15u FIFO 253,5 0t0 461935
/var/run/tap/qemu-write-1
qemu-dm 5843 root 16u CHR 10,63 0t0 4370
/dev/xen/evtchn
qemu-dm 5843 root 17u REG 0,0 256 4139
/sys/devices/pci0000:00/0000:00:05.0/0000:0d:00.0/0000:0e:00.0/config
qemu-dm 5843 root 18r REG 0,0 256 4080
/sys/devices/pci0000:00/0000:00:14.3/config
qemu-dm 5843 root 19r REG 0,0 256 4080
/sys/devices/pci0000:00/0000:00:14.3/config
qemu-dm 5843 root 20r REG 0,0 256 4123
/sys/devices/pci0000:00/0000:00:1f.3/config
qemu-dm 5843 root 21r REG 0,0 256 4123
/sys/devices/pci0000:00/0000:00:1f.3/config
qemu-dm 5843 root 22r FIFO 0,6 0t0 13324 pipe
qemu-dm 5843 root 23w FIFO 0,6 0t0 13324 pipe
qemu-dm 5843 root 28u FIFO 253,5 0t0 461937
/var/run/xend/dm-1-1268880243.fifo
======================================
I then started the domU and redebugged qemu-dm with the same break point:
======================================
sunblade1:root:bash 2055 => gdb -p 5843
GNU gdb (GDB; SUSE Linux Enterprise 11) 6.8.50.20081120-cvs
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-suse-linux".
For bug reporting instructions, please see:
<http://bugs.opensuse.org/>.
Attaching to process 5843
<snip>
(gdb) b *0x00007fbce8b0c7f4 if $rdi == 6 && $rdx == 590
Breakpoint 2 at 0x7fbce8b0c7f4
(gdb) c
Continuing.
Breakpoint 2, 0x00007fbce8b0c7f4 in write () from /lib64/libpthread.so.0
(gdb) bt
#0 0x00007fbce8b0c7f4 in write () from /lib64/libpthread.so.0
#1 0x000000000040746d in tap_receive (opaque=0xa940f0,
buf=0x7ffff15a98b0 "������", size=<value optimized out>)
at /home/dg/rpmbuild/BUILD/xen-3.3.1-testing/tools/ioemu-dir/vl.c:4079
#2 0x0000000000407081 in qemu_send_packet (vc1=0xaf93b0,
buf=0x7ffff15a98b0 "������", size=590)
at /home/dg/rpmbuild/BUILD/xen-3.3.1-testing/tools/ioemu-dir/vl.c:3865
#3 0x00000000004235a0 in rtl8139_transmit_one (s=0xaf9190,
descriptor=<value optimized out>)
at /home/dg/rpmbuild/BUILD/xen-3.3.1-testing/tools/ioemu-dir/hw/rtl8139.c:1810
#4 0x0000000000424ae7 in rtl8139_io_writel (opaque=0x6,
addr=<value optimized out>, val=524878)
at /home/dg/rpmbuild/BUILD/xen-3.3.1-testing/tools/ioemu-dir/hw/rtl8139.c:2367
#5 0x00000000004726a3 in cpu_physical_memory_rw (_addr=<value optimized out>,
buf=0x7fbce95aa018 <Address 0x7fbce95aa018 out of bounds>,
_len=<value optimized out>, is_write=1) at exec-dm.c:510
#6 0x00000000004a4703 in cpu_ioreq_move (env=<value optimized out>,
req=0x7fbce95aa000) at helper2.c:319
#7 0x00000000004a4fb1 in cpu_handle_ioreq (opaque=<value optimized out>)
at helper2.c:508
#8 0x000000000040aeb4 in main_loop_wait (timeout=10)
at /home/dg/rpmbuild/BUILD/xen-3.3.1-testing/tools/ioemu-dir/vl.c:7175
#9 0x00000000004a4dbd in main_loop () at helper2.c:571
#10 0x000000000040feb3 in main (argc=20, argv=0x7ffff15ad198)
at /home/dg/rpmbuild/BUILD/xen-3.3.1-testing/tools/ioemu-dir/vl.c:8950
(gdb) info regi
rax 0x0 0
rbx 0x24e 590
rcx 0x0 0
rdx 0x24e 590
rsi 0x7ffff15a98b0 140737242634416
rdi 0x6 6
rbp 0x7ffff15a98b0 0x7ffff15a98b0
rsp 0x7ffff15a9830 0x7ffff15a9830
r8 0x6 6
r9 0x1d6 470
r10 0x7ffff15aba00 140737242642944
r11 0x206 518
r12 0xa940f0 11092208
r13 0x7ffff15a98b0 140737242634416
r14 0x7fbce95aa018 140449345609752
r15 0x1 1
rip 0x7fbce8b0c7f4 0x7fbce8b0c7f4 <write+68>
eflags 0x206 [ PF IF ]
cs 0xe033 57395
ss 0xe02b 57387
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
=======================================
Notice that it's writing to fd 6! And fd 6 is not even open... Is
this fd just uninitialized?
That's about as far as I got.
Anyone have any clue as to what is going wrong here?
Should I be posting this on the qemu mailing list?
thanks,
dan
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: Re: PCI BAR register space written with garbage in HVM guest.
2010-03-18 18:27 ` Dan Gora
@ 2010-03-18 18:10 ` Konrad Rzeszutek Wilk
2010-03-18 19:56 ` Dan Gora
0 siblings, 1 reply; 14+ messages in thread
From: Konrad Rzeszutek Wilk @ 2010-03-18 18:10 UTC (permalink / raw)
To: Dan Gora; +Cc: xen-devel
On Thu, Mar 18, 2010 at 03:27:30PM -0300, Dan Gora wrote:
> On Thu, Mar 18, 2010 at 11:32 AM, Konrad Rzeszutek Wilk
> <konrad.wilk@oracle.com> wrote:
> > On Wed, Mar 17, 2010 at 11:14:13PM -0300, Dan Gora wrote:
> >> Hi all,
> >>
> >> I apologize for the length of this message, but I figured that it was
> >> probably better to supply too much info rather than too little...
> >> I've made some good progress debugging this today. The problem looks
> >> pretty bizarre...
> >
> > I just skimmed through your e-mail and didn't dive in the r8169 code to
> > see if there is something there, but I thought you might want to try
> > using e1000 instead of r8169 driver and see if that makes it work?
>
> Sure enough that fixed the problem! No more writes on fd 6, no more
> PCI BAR regsiter corruption!
> That's good enough for me as a workaround. I guess someone else can
> have a look at this rtl8139 driver.
That is not what I expected, but I am glad to hear that it
makes it possible for you to continue with your project.
It is good to know that the failure path is contained in the r8169
implementation. If it wouldn't be too much trouble, could you send an
e-mail to the QEMU mailing list this thread and your solution in
case there is somebody there itching to work on this.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: Re: PCI BAR register space written with garbage in HVM guest.
[not found] ` <20100318143207.GF14445@phenom.dumpdata.com>
@ 2010-03-18 18:27 ` Dan Gora
2010-03-18 18:10 ` Konrad Rzeszutek Wilk
0 siblings, 1 reply; 14+ messages in thread
From: Dan Gora @ 2010-03-18 18:27 UTC (permalink / raw)
To: Konrad Rzeszutek Wilk, xen-devel
On Thu, Mar 18, 2010 at 11:32 AM, Konrad Rzeszutek Wilk
<konrad.wilk@oracle.com> wrote:
> On Wed, Mar 17, 2010 at 11:14:13PM -0300, Dan Gora wrote:
>> Hi all,
>>
>> I apologize for the length of this message, but I figured that it was
>> probably better to supply too much info rather than too little...
>> I've made some good progress debugging this today. The problem looks
>> pretty bizarre...
>
> I just skimmed through your e-mail and didn't dive in the r8169 code to
> see if there is something there, but I thought you might want to try
> using e1000 instead of r8169 driver and see if that makes it work?
Sure enough that fixed the problem! No more writes on fd 6, no more
PCI BAR regsiter corruption!
That's good enough for me as a workaround. I guess someone else can
have a look at this rtl8139 driver.
thanks!
dan
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: Re: PCI BAR register space written with garbage in HVM guest.
2010-03-18 18:10 ` Konrad Rzeszutek Wilk
@ 2010-03-18 19:56 ` Dan Gora
0 siblings, 0 replies; 14+ messages in thread
From: Dan Gora @ 2010-03-18 19:56 UTC (permalink / raw)
To: Konrad Rzeszutek Wilk; +Cc: xen-devel
On Thu, Mar 18, 2010 at 3:10 PM, Konrad Rzeszutek Wilk
<konrad.wilk@oracle.com> wrote:
> That is not what I expected, but I am glad to hear that it
> makes it possible for you to continue with your project.
>
yeah me either.. :)
> It is good to know that the failure path is contained in the r8169
> implementation. If it wouldn't be too much trouble, could you send an
> e-mail to the QEMU mailing list this thread and your solution in
> case there is somebody there itching to work on this.
done, but there doesn't seem to be much uptake there..
thanks
dan
^ permalink raw reply [flat|nested] 14+ messages in thread
end of thread, other threads:[~2010-03-18 19:56 UTC | newest]
Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2010-03-16 1:09 PCI BAR register space written with garbage in HVM guest Dan Gora
2010-03-16 1:48 ` Konrad Rzeszutek Wilk
2010-03-16 2:55 ` Dan Gora
2010-03-16 10:27 ` Jan Beulich
2010-03-16 15:20 ` Konrad Rzeszutek Wilk
2010-03-16 15:54 ` Jan Beulich
2010-03-16 10:24 ` Jan Beulich
2010-03-17 0:14 ` Dan Gora
2010-03-17 2:46 ` Konrad Rzeszutek Wilk
2010-03-17 3:31 ` Dan Gora
2010-03-18 2:14 ` Dan Gora
[not found] ` <20100318143207.GF14445@phenom.dumpdata.com>
2010-03-18 18:27 ` Dan Gora
2010-03-18 18:10 ` Konrad Rzeszutek Wilk
2010-03-18 19:56 ` Dan Gora
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.