[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] vfree crash

  • To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, "andrew.cooper3@xxxxxxxxxx" <andrew.cooper3@xxxxxxxxxx>
  • From: Petre Ovidiu PIRCALABU <ppircalabu@xxxxxxxxxxxxxxx>
  • Date: Fri, 28 Jun 2019 17:59:55 +0000
  • Accept-language: ro-RO, en-US
  • Arc-authentication-results: i=1; test.office365.com 1;spf=none;dmarc=none;dkim=none;arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=testarcselector01; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=uRqUiCXfJOcUBYoM4u2CMQwEXu05/YYKxHedcOXy3e8=; b=KHjmr5MBeFqkQTeTwiJ+Su8Lx/84w3lcCAm7eussrPu3WuU7sZfF3HTUg80NdTqioKBaOEZsO+OSMPIn5ls88MKUhCkrrKTYTjbf0xoocIWga21TN6wiQRs8ZYYbDsCqhtzllo6AtpeLXMYnxSVQdG3rL/fYavQTebdU5RgZA0A=
  • Arc-seal: i=1; a=rsa-sha256; s=testarcselector01; d=microsoft.com; cv=none; b=LduZEv2jyoiYCFeVnc+0VCyk05GNVTGaClDU2M2kfK08RuCcw5VwzyAuGLF/Ho8PrWI2Ac9mjVahNMl34mZM6uyOX8cu9CL6NwdLB6L/pSFQ2UPydueQemRvZfWBeuntboJyrX6lGgIjOBjvkr2MH9gplZSZjOBy7RtjlfHr24E=
  • Authentication-results: spf=none (sender IP is ) smtp.mailfrom=ppircalabu@xxxxxxxxxxxxxxx;
  • Cc: Alexandru Stefan ISAILA <aisaila@xxxxxxxxxxxxxxx>, "rcojocaru@xxxxxxxxxxxxxxx" <rcojocaru@xxxxxxxxxxxxxxx>
  • Delivery-date: Fri, 28 Jun 2019 18:00:10 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHVLdtKR3tMnDvHzU6ntSjZrlUsUQ==
  • Thread-topic: vfree crash
Hello,

I need your help to pinpoint the root cause of a problem. To my
understanding vfree should be used when allocating memory with vmalloc.

But, I have the following scenario which results in a XEN crash:
- allocate a number of frames using vmalloc (vzalloc) (e.g. using a
domctl) and assign them to the calling domain
- map the frames using xenforeignmemory_map_resource
....
- xenforeignmemory_unmap_resource
- vfree.

(XEN) ----[ Xen-4.13-unstable  x86_64  debug=y   Tainted:  C   ]----
(XEN) CPU:    6
(XEN) RIP:    e008:[<ffff82d08022618d>] free_domheap_pages+0x2d0/0x40d
(XEN) RFLAGS: 0000000000010246   CONTEXT: hypervisor (d0v3)
(XEN) rax: ffff82e00bf6ee00   rbx: ffff830806584000   rcx:
ffff82ffffffffe0
(XEN) rdx: ffff82ffffffffe0   rsi: 0000000000000000   rdi:
ffff830806584028
(XEN) rbp: ffff8308065a7c78   rsp:
ffff8308065a7c38   r8:  00000000ffffffff
(XEN) r9:  0000000000000001   r10: ffff82e000000000   r11:
4000000000000000
(XEN) r12: ffff82e00bf6ee00   r13: ffff830806584028   r14:
ffff830806584038
(XEN) r15: 00ffffffffffffff   cr0: 0000000080050033   cr4:
0000000000362660
(XEN) cr3: 00000005fb565000   cr2: ffff82ffffffffe0
(XEN) fsb: 00007f1265e36700   gsb: ffff8882168c0000   gss:
0000000000000000
(XEN) ds: 0000   es: 0000   fs: 0000   gs: 0000   ss: e010   cs: e008
(XEN) Xen code around <ffff82d08022618d>
(free_domheap_pages+0x2d0/0x40d):
(XEN)  47 08 0f 85 0f 01 00 00 <c7> 02 ff ff ff ff 48 89 57 08 eb 4b 48
39 83 30
(XEN) Xen stack trace from rsp=ffff8308065a7c38:
(XEN)    ffff830806584020 0000000000000001 ffff8308065a7c78
ffff82e00bf6ee00
(XEN)    0000000000000000 ffff82e000000000 0000000000000001
000ffffffffff000
(XEN)    ffff8308065a7cd8 ffff82d08024323f 0000000000000000
ffff82c000267000
(XEN)    0000000000000000 00000001065a7ca8 8086000000008086
ffff8305f822bfe0
(XEN)    ffff8305fd17a000 00007f1265e53010 ffff8305fd17a000
0000000000000000
(XEN)    ffff8308065a7d28 ffff82d0802484fc ffff8305fd17a000
0000000000000000
(XEN)    0000000000000292 0000000000000000 ffff8305fd17a000
00007f1265e53010
(XEN)    ffff82d08020550f 0000000000000000 ffff8308065a7e48
ffff82d080206c2c
(XEN)    0000000000000003 00007f1265e52000 80000005fb770327
00007f1265e52000
(XEN)    ffff830806559000 ffff830806584000 ffff830806584000
0000000000000001
(XEN)    ffff8308065a7d88 ffff82d0802861cd 0000001100000053
0000000000000001
(XEN)    0000000000000001 0000000000000000 0000000000000000
0000000000000000
(XEN)    0000000000000000 0000000000000000 0000000000000000
0000000000000000
(XEN)    0000000000000000 0000000000000000 0000000000000000
0000000000000000
(XEN)    0000000000000000 0000000000000000 0000000000000000
09fab73a51d28500
(XEN)    ffff82d0803803d4 ffff8308065a7ef8 ffff830806559000
0000000000000024
(XEN)    ffff82d08020550f 0000000000000001 ffff8308065a7ee8
ffff82d080379fb7
(XEN)    00007f1265e53010 deadbeefdeadf00d deadbeefdeadf00d
deadbeefdeadf00d
(XEN)    deadbeefdeadf00d deadbeefdeadf00d ffff82d0803803d4
ffff82d0803803c8
(XEN)    ffff82d0803803d4 ffff82d0803803c8 ffff82d0803803d4
ffff82d0803803c8
(XEN) Xen call trace:
(XEN)    [<ffff82d08022618d>] free_domheap_pages+0x2d0/0x40d
(XEN)    [<ffff82d08024323f>] vfree+0x126/0x159
(XEN)    [<ffff82d0802484fc>] mock_domctl+0x177/0x19e
(XEN)    [<ffff82d080206c2c>] do_domctl+0x171d/0x1beb
(XEN)    [<ffff82d080379fb7>] pv_hypercall+0x2aa/0x521
(XEN)    [<ffff82d080380432>] lstar_enter+0x112/0x120
(XEN) 
(XEN) Pagetable walk from ffff82ffffffffe0:
(XEN)  L4[0x105] = 00000000dd28e063 ffffffffffffffff
(XEN)  L3[0x1ff] = 0000000000000000 ffffffffffffffff
(XEN) 
(XEN) ****************************************
(XEN) Panic on CPU 6:
(XEN) FATAL PAGE FAULT
(XEN) [error_code=0002]
(XEN) Faulting linear address: ffff82ffffffffe0
(XEN) ****************************************
(XEN) 
(XEN) Reboot in five seconds...
(XEN) APIC error on CPU0: 40(00)

The crash happens when page_list_del2 is called (arch_free_heap_page(d,
&pg[i])). This in turn calls __page_list_del_head and is caused by the
"prev->list.next = PAGE_LIST_NULL;" statement (head->tail == page)

The problem is strictly related to vfree because if I call vunmap and
free_domheap_page manually, the crash doesn't occur anymore.

Unfortunately I have no ideea what might cause this.

I have pushed a small test which triggers this crash at
https://github.com/petrepircalabu/xen/tree/vfree_crash and I would
greatly appreciate your input.

Many thanks for your support,
Petre


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.