* Xen-unstable, stubdom causes hypervisor crash
@ 2015-05-20 15:39 Wei Liu
2015-05-20 15:43 ` Andrew Cooper
0 siblings, 1 reply; 8+ messages in thread
From: Wei Liu @ 2015-05-20 15:39 UTC (permalink / raw)
To: xen-devel; +Cc: Andrew Cooper, tim, wei.liu2, Jan Beulich, Roger Pau Monné
I discovered this when running qemu-trad stubdom + shadow page table.
(XEN) Assertion 'pages' failed at vmap.c:275
(XEN) ----[ Xen-4.6-unstable x86_64 debug=y Tainted: C ]----
(XEN) CPU: 1
(XEN) RIP: e008:[<ffff82d08013d226>] vfree+0x1e/0x128
(XEN) RFLAGS: 0000000000010246 CONTEXT: hypervisor (d2v0)
(XEN) rax: 0000000000000000 rbx: 0000000000000000 rcx: ffff82c0001fff66
(XEN) rdx: 0000000000000000 rsi: 0000000000009bd1 rdi: 0000000000000000
(XEN) rbp: ffff830224857cc8 rsp: ffff830224857c88 r8: ffff830224857ca4
(XEN) r9: 0000000000000000 r10: ffff82d080261e40 r11: 0000000000000202
(XEN) r12: 0000000000000000 r13: ffff830215672000 r14: 0000000000000000
(XEN) r15: 0000000000000000 cr0: 000000008005003b cr4: 00000000000026f4
(XEN) cr3: 00000001cb060000 cr2: ffff880012dbd6c8
(XEN) ds: 0000 es: 0000 fs: 0000 gs: 0000 ss: e010 cs: e008
(XEN) Xen stack trace from rsp=ffff830224857c88:
(XEN) 0000000000000000 ffff830224857ca8 ffff82d08012f5c6 0000000000000000
(XEN) 0000000000000000 ffff830215672000 0000000000000000 0000000000000000
(XEN) ffff830224857d78 ffff82d08021c4ad 0000000000000200 0000000000000005
(XEN) ffff830224857d58 ffff82d0801620ca ffff830224886020 0000000000000000
(XEN) 0000000000000000 0000000000000000 0000000000000000 0000000000000000
(XEN) ffff830215672ac0 0000000000000000 0000000000000006 000000200200b004
(XEN) ffffffffffffffea ffffffffffffffff 0000000000000006 000000200200b004
(XEN) ffffffffffffffea 0000000000000000 ffff830224857e58 ffff82d0801d4ae0
(XEN) 0000000000000000 0000000000000000 0000000000000001 0000000000000000
(XEN) ffff830224857db8 ffff830224857dc8 0000000000000202 ffff830224857dd8
(XEN) ffff830224857dd8 ffff82d08019e6eb ffff830224857e28 ffff82d08019ed8a
(XEN) ffff83020180a0c8 00000000000ee6c7 ffff830224857e28 ffff830215672000
(XEN) 0000000000000001 0000000000000000 0000000000000000 0000000000000000
(XEN) ffff830224857f08 ffff8300cf0fc1f8 ffff8300cf0fc000 00000000005ef640
(XEN) ffff830224850000 0000000000000000 ffff830224857ef8 ffff82d08011bb5f
(XEN) ffff8300cf0fc200 ffff8300cf0fc208 0000000100000000 ffff8300cf0fc1f8
(XEN) ffff830224857ea8 ffff82d000a0fb00 0000000000000000 ffffffffffffffff
(XEN) ffff830224857ec8 ffff82d000000031 ffff82d080320000 ffff82d08031ff80
(XEN) ffff830224857ef8 ffff8300cf0fc000 00000000005ef640 000000200202e1f0
(XEN) 0000000000000001 000000200201ba18 00007cfddb7a80c7 ffff82d080247bdb
(XEN) Xen call trace:
(XEN) [<ffff82d08013d226>] vfree+0x1e/0x128
(XEN) [<ffff82d08021c4ad>] shadow_track_dirty_vram+0x7ca/0x8aa
(XEN) [<ffff82d0801d4ae0>] do_hvm_op+0x1aec/0x273b
(XEN) [<ffff82d08011bb5f>] do_multicall+0x257/0x3dc
(XEN) [<ffff82d080247bdb>] syscall_enter+0xeb/0x145
(XEN)
(XEN)
(XEN) ****************************************
(XEN) Panic on CPU 1:
(XEN) Assertion 'pages' failed at vmap.c:275
(XEN) ****************************************
(XEN)
Any idea what might go wrong?
Wei.
* Re: Xen-unstable, stubdom causes hypervisor crash
2015-05-20 15:39 Xen-unstable, stubdom causes hypervisor crash Wei Liu
@ 2015-05-20 15:43 ` Andrew Cooper
2015-05-20 15:45 ` Andrew Cooper
0 siblings, 1 reply; 8+ messages in thread
From: Andrew Cooper @ 2015-05-20 15:43 UTC (permalink / raw)
To: Wei Liu, xen-devel; +Cc: tim, Jan Beulich, Roger Pau Monné
On 20/05/15 16:39, Wei Liu wrote:
> I discovered this when running qemu-trad stubdom + shadow page table.
>
> (XEN) Assertion 'pages' failed at vmap.c:275
>
> Any idea what might go wrong?
I have an idea - patch incoming
~Andrew
* Re: Xen-unstable, stubdom causes hypervisor crash
2015-05-20 15:43 ` Andrew Cooper
@ 2015-05-20 15:45 ` Andrew Cooper
2015-05-20 15:52 ` Wei Liu
2015-05-20 15:59 ` Jan Beulich
0 siblings, 2 replies; 8+ messages in thread
From: Andrew Cooper @ 2015-05-20 15:45 UTC (permalink / raw)
To: Wei Liu, xen-devel; +Cc: tim, Jan Beulich, Roger Pau Monné
On 20/05/15 16:43, Andrew Cooper wrote:
> On 20/05/15 16:39, Wei Liu wrote:
>> I discovered this when running qemu-trad stubdom + shadow page table.
>>
>> (XEN) Assertion 'pages' failed at vmap.c:275
>>
>> Any idea what might go wrong?
> I have an idea - patch incoming
Try this: It appears that vfree(NULL) isn't safe.
diff --git a/xen/common/vmap.c b/xen/common/vmap.c
index 8752595..8998e6e 100644
--- a/xen/common/vmap.c
+++ b/xen/common/vmap.c
@@ -272,6 +272,9 @@ void vfree(void *va)
struct page_info *pg;
PAGE_LIST_HEAD(pg_list);
+ if ( !va )
+ return;
+
ASSERT(pages);
for ( i = 0; i < pages; i++ )
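Review bot: the new `if ( !va ) return;` guard sits after the local declarations, yet `ASSERT(pages)` follows it with no assignment in between, so `pages` must already have been computed, presumably from va, before the guard runs. Move the guard ahead of that lookup (splitting declaration from initialisation if needed) so NULL never reaches it, and add a comment on vfree() stating that NULL is accepted as a no-op so callers can rely on it. The posting also carries no commit message or Signed-off-by.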
* Re: Xen-unstable, stubdom causes hypervisor crash
2015-05-20 15:45 ` Andrew Cooper
@ 2015-05-20 15:52 ` Wei Liu
2015-05-20 15:59 ` Jan Beulich
1 sibling, 0 replies; 8+ messages in thread
From: Wei Liu @ 2015-05-20 15:52 UTC (permalink / raw)
To: Andrew Cooper; +Cc: xen-devel, Roger Pau Monné, Wei Liu, Jan Beulich, tim
On Wed, May 20, 2015 at 04:45:25PM +0100, Andrew Cooper wrote:
> On 20/05/15 16:43, Andrew Cooper wrote:
> > On 20/05/15 16:39, Wei Liu wrote:
> >> I discovered this when running qemu-trad stubdom + shadow page table.
> >>
> >> (XEN) Assertion 'pages' failed at vmap.c:275
> >>
> >> Any idea what might go wrong?
> > I have an idea - patch incoming
>
> Try this: It appears that vfree(NULL) isn't safe.
>
Tested-by: Wei Liu <wei.liu2@citrix.com>
> diff --git a/xen/common/vmap.c b/xen/common/vmap.c
> index 8752595..8998e6e 100644
> --- a/xen/common/vmap.c
> +++ b/xen/common/vmap.c
> @@ -272,6 +272,9 @@ void vfree(void *va)
> struct page_info *pg;
> PAGE_LIST_HEAD(pg_list);
>
> + if ( !va )
> + return;
> +
> ASSERT(pages);
>
> for ( i = 0; i < pages; i++ )
* Re: Xen-unstable, stubdom causes hypervisor crash
2015-05-20 15:45 ` Andrew Cooper
2015-05-20 15:52 ` Wei Liu
@ 2015-05-20 15:59 ` Jan Beulich
2015-05-20 16:03 ` Andrew Cooper
2015-05-20 16:04 ` Roger Pau Monné
1 sibling, 2 replies; 8+ messages in thread
From: Jan Beulich @ 2015-05-20 15:59 UTC (permalink / raw)
To: Andrew Cooper, Wei Liu; +Cc: xen-devel, tim, roger.pau
>>> On 20.05.15 at 17:45, <andrew.cooper3@citrix.com> wrote:
> On 20/05/15 16:43, Andrew Cooper wrote:
>> On 20/05/15 16:39, Wei Liu wrote:
>>> I discovered this when running qemu-trad stubdom + shadow page table.
>>>
>>> (XEN) Assertion 'pages' failed at vmap.c:275
>>>
>>> Any idea what might go wrong?
>> I have an idea - patch incoming
>
> Try this: It appears that vfree(NULL) isn't safe.
And intentionally so (I think this was even mentioned while discussing
the patch), matching vunmap().
> --- a/xen/common/vmap.c
> +++ b/xen/common/vmap.c
> @@ -272,6 +272,9 @@ void vfree(void *va)
> struct page_info *pg;
> PAGE_LIST_HEAD(pg_list);
>
> + if ( !va )
> + return;
va was already used by that time (and the above only works due to
vm_index() range checking va).
Jan
* Re: Xen-unstable, stubdom causes hypervisor crash
2015-05-20 15:59 ` Jan Beulich
@ 2015-05-20 16:03 ` Andrew Cooper
2015-05-20 16:04 ` Roger Pau Monné
1 sibling, 0 replies; 8+ messages in thread
From: Andrew Cooper @ 2015-05-20 16:03 UTC (permalink / raw)
To: Jan Beulich, Wei Liu; +Cc: xen-devel, tim, roger.pau
On 20/05/15 16:59, Jan Beulich wrote:
>>>> On 20.05.15 at 17:45, <andrew.cooper3@citrix.com> wrote:
>> On 20/05/15 16:43, Andrew Cooper wrote:
>>> On 20/05/15 16:39, Wei Liu wrote:
>>>> I discovered this when running qemu-trad stubdom + shadow page table.
>>>>
>>>> (XEN) Assertion 'pages' failed at vmap.c:275
>>>>
>>>> Any idea what might go wrong?
>>> I have an idea - patch incoming
>> Try this: It appears that vfree(NULL) isn't safe.
> And intentionally so (I think this was even mentioned while discussing
> the patch), matching vunmap().
It absolutely must be NULL-safe given its current use, and really should
be, IMO.
>
>> --- a/xen/common/vmap.c
>> +++ b/xen/common/vmap.c
>> @@ -272,6 +272,9 @@ void vfree(void *va)
>> struct page_info *pg;
>> PAGE_LIST_HEAD(pg_list);
>>
>> + if ( !va )
>> + return;
> va was already used by that time (and the above only works due to
> vm_index() range checking va).
My actual patch has a suitable adjustment, although it appears to be
slow getting onlist.
~Andrew
* Re: Xen-unstable, stubdom causes hypervisor crash
2015-05-20 15:59 ` Jan Beulich
2015-05-20 16:03 ` Andrew Cooper
@ 2015-05-20 16:04 ` Roger Pau Monné
2015-05-20 16:25 ` Tim Deegan
1 sibling, 1 reply; 8+ messages in thread
From: Roger Pau Monné @ 2015-05-20 16:04 UTC (permalink / raw)
To: Jan Beulich, Andrew Cooper, Wei Liu; +Cc: xen-devel, tim
On 20/05/15 at 17.59, Jan Beulich wrote:
>>>> On 20.05.15 at 17:45, <andrew.cooper3@citrix.com> wrote:
>> On 20/05/15 16:43, Andrew Cooper wrote:
>>> On 20/05/15 16:39, Wei Liu wrote:
>>>> I discovered this when running qemu-trad stubdom + shadow page table.
>>>>
>>>> (XEN) Assertion 'pages' failed at vmap.c:275
>>>>
>>>> Any idea what might go wrong?
>>> I have an idea - patch incoming
>>
>> Try this: It appears that vfree(NULL) isn't safe.
>
> And intentionally so (I think this was even mentioned while discussing
> the patch), matching vunmap().
Yes, but previous versions of vfree were able to cope with NULL. The
following fixes the callers:
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
---
diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c
index cea7990..0316b59 100644
--- a/xen/arch/x86/mm/hap/hap.c
+++ b/xen/arch/x86/mm/hap/hap.c
@@ -174,7 +174,8 @@ int hap_track_dirty_vram(struct domain *d,
p2m_ram_logdirty, p2m_ram_rw);
}
out:
- vfree(dirty_bitmap);
+ if ( dirty_bitmap )
+ vfree(dirty_bitmap);
return rc;
}
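Review bot: guarding at the call site after `out:` leaves vfree()'s contract unchanged, so every other caller that can reach its cleanup path with a NULL pointer still has to remember the same check. If vfree(NULL) is meant to be a no-op again, handle it once inside vfree(); if the strict contract is intended, say so in the commit message, which currently has only a Signed-off-by and no description of which paths reach `out:` with `dirty_bitmap` unset.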
diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c
index 9e9d19f..88e0f7e 100644
--- a/xen/arch/x86/mm/shadow/common.c
+++ b/xen/arch/x86/mm/shadow/common.c
@@ -3707,7 +3707,8 @@ out:
paging_unlock(d);
rc = -EFAULT;
}
- vfree(dirty_bitmap);
+ if ( dirty_bitmap )
+ vfree(dirty_bitmap);
p2m_unlock(p2m_get_hostp2m(d));
return rc;
}
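Review bot: the guarded `vfree(dirty_bitmap)` still runs before `p2m_unlock(p2m_get_hostp2m(d))`, so the free happens with the p2m lock held; if `dirty_bitmap` is not shared state, consider moving the free below the unlock while touching this line. The guard itself is the same caller-side check as in hap.c, here on the path shown in the reported call trace (shadow_track_dirty_vram calling vfree), and a short comment on why `dirty_bitmap` can be NULL at this point would help the next reader.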
* Re: Xen-unstable, stubdom causes hypervisor crash
2015-05-20 16:04 ` Roger Pau Monné
@ 2015-05-20 16:25 ` Tim Deegan
0 siblings, 0 replies; 8+ messages in thread
From: Tim Deegan @ 2015-05-20 16:25 UTC (permalink / raw)
To: Roger Pau Monné; +Cc: Andrew Cooper, Wei Liu, Jan Beulich, xen-devel
At 18:04 +0200 on 20 May (1432145043), Roger Pau Monné wrote:
> On 20/05/15 at 17.59, Jan Beulich wrote:
> >>>> On 20.05.15 at 17:45, <andrew.cooper3@citrix.com> wrote:
> >> Try this: It appears that vfree(NULL) isn't safe.
> >
> > And intentionally so (I think this was even mentioned while discussing
> > the patch), matching vunmap().
>
> Yes, but previous versions of vfree were able to cope with NULL. The
> following fixes the callers:
I'd much rather make vfree(NULL) safe than add guards to all its
callers.
Tim.
> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
> ---
> diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c
> index cea7990..0316b59 100644
> --- a/xen/arch/x86/mm/hap/hap.c
> +++ b/xen/arch/x86/mm/hap/hap.c
> @@ -174,7 +174,8 @@ int hap_track_dirty_vram(struct domain *d,
> p2m_ram_logdirty, p2m_ram_rw);
> }
> out:
> - vfree(dirty_bitmap);
> + if ( dirty_bitmap )
> + vfree(dirty_bitmap);
>
> return rc;
> }
> diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c
> index 9e9d19f..88e0f7e 100644
> --- a/xen/arch/x86/mm/shadow/common.c
> +++ b/xen/arch/x86/mm/shadow/common.c
> @@ -3707,7 +3707,8 @@ out:
> paging_unlock(d);
> rc = -EFAULT;
> }
> - vfree(dirty_bitmap);
> + if ( dirty_bitmap )
> + vfree(dirty_bitmap);
> p2m_unlock(p2m_get_hostp2m(d));
> return rc;
> }
>
>
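The two contracts argued over in this thread, a strict vfree() that asserts on NULL and a NULL-safe one whose guard runs before va is used, shown as an added example that is not part of any message here and is not Xen's code. It is a simplified user-space model: every `toy_*` name, the 16-page region and the result enum are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TOY_PAGE_SIZE 4096u
#define TOY_NR_PAGES  16u

enum toy_free_result { TOY_FREE_OK, TOY_FREE_NOOP, TOY_FREE_ASSERT };

/* Constructed model of a page-granular region; not Xen's vmap.c. */
static unsigned char toy_region[TOY_NR_PAGES * TOY_PAGE_SIZE];
static unsigned int toy_len[TOY_NR_PAGES]; /* run length, stored at an allocation's first page */
static bool toy_used[TOY_NR_PAGES];
static unsigned int toy_lookups;           /* times a pointer reached the size lookup */

/* Range-checked lookup: 0 pages for anything that is not a live allocation. */
static unsigned int toy_vm_size(const void *va)
{
    uintptr_t base = (uintptr_t)toy_region, p = (uintptr_t)va;

    toy_lookups++;
    if ( p < base || p >= base + sizeof(toy_region) || (p - base) % TOY_PAGE_SIZE )
        return 0;
    return toy_len[(p - base) / TOY_PAGE_SIZE];
}

/* First-fit allocation of a run of pages; NULL when nothing fits. */
static void *toy_vmalloc(unsigned int pages)
{
    unsigned int start, i;

    for ( start = 0; pages && start + pages <= TOY_NR_PAGES; start++ )
    {
        for ( i = 0; i < pages && !toy_used[start + i]; i++ )
            ;
        if ( i < pages )
            continue;
        for ( i = 0; i < pages; i++ )
            toy_used[start + i] = true;
        toy_len[start] = pages;
        return toy_region + (size_t)start * TOY_PAGE_SIZE;
    }
    return NULL;
}

/* null_safe == false models the strict contract, true the NULL-safe one. */
static enum toy_free_result toy_vfree(void *va, bool null_safe)
{
    unsigned int pages, start, i;

    if ( null_safe && !va )
        return TOY_FREE_NOOP;   /* guard runs before va is used at all */
    pages = toy_vm_size(va);
    if ( !pages )
        return TOY_FREE_ASSERT; /* stands in for ASSERT(pages) firing */
    start = (unsigned int)(((unsigned char *)va - toy_region) / TOY_PAGE_SIZE);
    for ( i = 0; i < pages; i++ )
        toy_used[start + i] = false;
    toy_len[start] = 0;
    return TOY_FREE_OK;
}

/* Error path shaped like the callers in the thread: "out:" can run before allocation. */
static enum toy_free_result toy_track_dirty(bool fail_early, bool null_safe)
{
    void *dirty_bitmap = NULL;

    if ( fail_early )
        goto out;               /* bail before anything was allocated */
    dirty_bitmap = toy_vmalloc(2);
 out:
    return toy_vfree(dirty_bitmap, null_safe);
}

int main(void)
{
    printf("strict, NULL on error path:    %d\n", (int)toy_track_dirty(true, false));
    printf("NULL-safe, NULL on error path: %d\n", (int)toy_track_dirty(true, true));
    printf("NULL-safe, live allocation:    %d\n", (int)toy_track_dirty(false, true));
    return 0;
}
```

With the guard first, the check that models `ASSERT(pages)` keeps its value: a second free of the same pointer, or a pointer that is not the start of an allocation, still trips it.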