From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Vrable <mvrable@cs.ucsd.edu>
Subject: [PATCH] Do not call BUG() in translated mode in
	xen_create_contiguous_region
Date: Wed, 22 Feb 2006 13:45:06 -0800
Message-ID: <20060222214506.GA20180@vrable.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: <xen-devel-bounces@lists.xensource.com>
Content-Disposition: inline
List-Unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xensource.com>
List-Help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-Subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
Sender: xen-devel-bounces@lists.xensource.com
Errors-To: xen-devel-bounces@lists.xensource.com
To: xen-devel@lists.xensource.com
List-Id: xen-devel@lists.xenproject.org

I've encountered a kernel crash when running a domain in shadow
translated mode with networking support:

    kernel BUG at arch/i386/mm/hypervisor.c:328!
    invalid opcode: 0000 [#1]
    SMP
    Modules linked in:
    CPU:    0
    EIP:    0061:[<c01165ba>]    Not tainted VLI
    EFLAGS: 00010002   (2.6.16-rc4-xenU #1)
    EIP is at xen_create_contiguous_region+0x2ea/0x3f0
[...]
     [<c01087ed>] show_stack_log_lvl+0xcd/0x120
     [<c01089eb>] show_registers+0x1ab/0x240
     [<c0108cf1>] die+0x111/0x240
     [<c0109048>] do_trap+0x98/0xe0
     [<c0109361>] do_invalid_op+0xa1/0xb0
     [<c01081d7>] error_code+0x2b/0x30
     [<c02503ec>] skbuff_ctor+0x6c/0x80
     [<c015eb94>] cache_alloc_refill+0x524/0x570
     [<c015e65c>] kmem_cache_alloc+0x7c/0x90
     [<c0263588>] alloc_skb_from_cache+0x58/0x110
     [<c0250488>] __alloc_skb+0x48/0xa0
     [<c028e2a2>] tcp_collapse+0x132/0x360
     [<c028e5f5>] tcp_prune_queue+0x125/0x330
     [<c0291445>] tcp_data_queue+0x5b5/0xca0
     [<c0292c16>] tcp_rcv_established+0x276/0x7e0
     [<c0299faa>] tcp_v4_do_rcv+0xda/0x320
     [<c029b0e0>] tcp_v4_rcv+0x830/0x900
     [<c027f2ee>] ip_local_deliver+0xae/0x1a0
     [<c027f087>] ip_rcv+0x2e7/0x4a0
     [<c026b387>] netif_receive_skb+0x197/0x220
     [<c0259563>] netif_poll+0x3d3/0x7f0
     [<c0268f0e>] net_rx_action+0xbe/0x1c0
     [<c0124ccc>] __do_softirq+0x8c/0x120
     [<c0124de5>] do_softirq+0x85/0x90
     [<c0124f39>] irq_exit+0x39/0x50
     [<c0109e05>] do_IRQ+0x25/0x30
     [<c024e63f>] evtchn_do_upcall+0x9f/0xe0
     [<c0108208>] hypervisor_callback+0x2c/0x34
     [<c0106a67>] cpu_idle+0x77/0xf0
     [<c0105035>] rest_init+0x35/0x40
     [<c034e56a>] start_kernel+0x2ea/0x380
     [<c010005e>] 0xc010005e

The following patch against xen-unstable.hg should fix the problem.

--Michael Vrable


# HG changeset patch
# User Michael Vrable <mvrable@cs.ucsd.edu>
# Node ID 5747b738b00a6322cd3b61220eb508c24183fa0a
# Parent  697fac283c9e565b4c9697c70a5529d06a488df9
Return -ENOMEM in xen_create_contiguous_region when running translated.

Previously, calling xen_create_contiguous_region with order > 0 while
running in translated shadow mode (XENFEAT_auto_translated_physmap set)
resulted in BUG() being called.  This can cause a crash in Xen's
skbuff_ctor.

xen_create_contiguous_region does have a mechanism to signal failure to
create a contiguous region: it returns -ENOMEM.  Simply do this
unconditionally for multi-page requests when in translated mode.

Signed-off-by: Michael Vrable <mvrable@cs.ucsd.edu>

diff -r 697fac283c9e -r 5747b738b00a linux-2.6-xen-sparse/arch/i386/mm/hypervisor.c
--- a/linux-2.6-xen-sparse/arch/i386/mm/hypervisor.c	Wed Feb 22 19:11:23 2006 +0000
+++ b/linux-2.6-xen-sparse/arch/i386/mm/hypervisor.c	Wed Feb 22 13:30:48 2006 -0800
@@ -325,7 +325,9 @@ int xen_create_contiguous_region(
 	};
 
 	if (xen_feature(XENFEAT_auto_translated_physmap)) {
-		BUG_ON(order >= 1);
+		if (order >= 1)
+			return -ENOMEM;
+
 		return 0;
 	}