Re: Crashing kernel with dom0/libxc gnttab/gntshr

[Vincent Bernardoff <vb@luminar.eu.org>]

[-- Attachment #1: Type: text/plain, Size: 1133 bytes --]

On 30/07/2013 11:59, Ian Campbell wrote:
> On Tue, 2013-07-30 at 11:50 +0100, Vincent Bernardoff wrote:
>> >Hi,
>> >
>> >The attached program makes my kernel (3.9.9-1-ARCH, stock Archlinux
>> >kernel) crash with the attached dmesg output.
> The dmesg output seems to start halfway through a crash message, which
> means it is missing the PC etc and may not be the first crash in any
> case.
>
> Please could you configure a serial console and try and capture the
> first crash message in its entirety. Bonus points if you can avoid
> linewrapping the dmesg too ;-)
>
>> >The program just shares a page from dom0 to dom0,
> Not just from dom0 to dom0 but actually within the same process. I'm not
> sure that matters but it is a bit unusual. Are you able to repro this
> with two separate processes acting as front vs. backend?
>
> The reason I ask is that it isn't clear if the crash is the process with
> its front or back "hat" on, separating the two out would be useful.
>

Here is the updated version, with a program that calls fork() and here 
is a better dmesg dump as well. The faulty program is the server (sharer).

Vincent

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: libxc_gntshr_bug2.c --]
[-- Type: text/x-csrc; name="libxc_gntshr_bug2.c", Size: 2243 bytes --]

#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>
#include <xenctrl.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>

int main(int argc, char** argv)
{
  void* map_shr;
  void* map_tab;
  int ret;
  int status;
  int s_to_c[2];
  int c_to_s[2];

  /* setup pipes for communication */

  if(pipe(s_to_c) == -1)
    {
      perror("pipe");
      exit(EXIT_FAILURE);
    }
  if(pipe(c_to_s) == -1)
    {
      perror("pipe");
      exit(EXIT_FAILURE);
    }

  if (fork() != 0)  /* Parent code*/
    {
      uint32_t ref;
      char buf[1];
      xc_gntshr *shr_h = xc_gntshr_open(NULL, 0);

      printf("I'm server, with pid %d\n", getpid());

      if (shr_h == NULL)
        {
          perror("xc_gntshr_open");
          exit(EXIT_FAILURE);
        }

      map_shr = xc_gntshr_share_pages(shr_h, 0, 1, &ref, 1);
      if (map_shr == NULL)
        {
          perror("xc_gntshr_share_pages");
          exit(EXIT_FAILURE);
        }

      /* Send the gntref to the client. */
      write(s_to_c[1], &ref, sizeof(uint32_t));

      read(c_to_s[0], buf, 1);
      /* Now we unshare the page */
      ret = xc_gntshr_munmap(shr_h, map_shr, 1);
      if (ret != 0)
        {
          perror("xc_gntshr_munmap");
          exit(EXIT_FAILURE);
        }

      /* At this point, the kernel should complain… */
      /* Waiting for the child to die. */
      wait(&status);
      printf("Children died with status %d\n", status);
      return 0;
    }
  else /* Child code */
    {
      uint32_t ref;
      xc_gnttab *tab_h = xc_gnttab_open(NULL, 0);

      printf("I'm client, with pid %d\n", getpid());

      if (tab_h == NULL)
        {
          perror("xc_gnttab_open");
          exit(EXIT_FAILURE);
        }

      /* Receive the ref from the server. */
      read(s_to_c[0], &ref, sizeof(uint32_t));

      /* Ready to map! */

      map_tab = xc_gnttab_map_grant_ref(tab_h, 0, ref, PROT_READ|PROT_WRITE);
      if (map_tab == NULL)
        {
          perror("xc_gnttab_map_grant_ref");
          exit(EXIT_FAILURE);
        }

      /* Sending a msg to server to indicate that he can now
         unshare. */
      write(c_to_s[1], "\0", 1);

      return 0;
    }

  return 0;
}

[-- Attachment #3: dmesg.log --]
[-- Type: text/x-log, Size: 1641 bytes --]

[ 1461.873885] BUG: Bad page map in process a.out  pte:12bfff127 pmd:cc6c0067
[ 1461.873891] page:ffffea0004afffc0 count:0 mapcount:-1 mapping:          (null) index:0xffffffffffffffff
[ 1461.873893] page flags: 0x2fc000000000c04(referenced|reserved|private)
[ 1461.873898] addr:00007fe1c3f6c000 vm_flags:140400fb anon_vma:          (null) mapping:ffff880114555be8 index:0
[ 1461.873899] vma->vm_ops->fault:           (null)
[ 1461.873911] vma->vm_file->f_op->mmap: gntalloc_mmap+0x0/0x1d0 [xen_gntalloc]
[ 1461.873914] CPU: 1 PID: 1010 Comm: a.out Tainted: G    B        3.10.3-1-ARCH #1
[ 1461.873916] Hardware name: Dell Inc. Precision WorkStation T3400  /0TP412, BIOS A05 05/09/2008
[ 1461.873917]  ffff8800cc407450 ffff8800bea35cc0 ffffffff814bd2df ffff8800bea35d08
[ 1461.873920]  ffffffff81146404 ffffea0004afffc0 ffff880114555be8 ffff8800cc6c0b60
[ 1461.873923]  ffffea0004afffc0 00007fe1c3f6d000 ffff8800bea35e30 00007fe1c3f6c000
[ 1461.873925] Call Trace:
[ 1461.873932]  [<ffffffff814bd2df>] dump_stack+0x19/0x1b
[ 1461.873937]  [<ffffffff81146404>] print_bad_pte+0x1b4/0x270
[ 1461.873939]  [<ffffffff811480c3>] unmap_single_vma+0x803/0x8d0
[ 1461.873944]  [<ffffffff8112e5d0>] ? SyS_readahead+0xb0/0xb0
[ 1461.873948]  [<ffffffff811492f9>] unmap_vmas+0x49/0x90
[ 1461.873951]  [<ffffffff8114ed79>] unmap_region+0x99/0x110
[ 1461.873954]  [<ffffffff8114f2f9>] ? vma_rb_erase+0x129/0x240
[ 1461.873956]  [<ffffffff81150f9a>] do_munmap+0x23a/0x3e0
[ 1461.873958]  [<ffffffff81151181>] vm_munmap+0x41/0x60
[ 1461.873961]  [<ffffffff811520c2>] SyS_munmap+0x22/0x30
[ 1461.873964]  [<ffffffff814ca75d>] system_call_fastpath+0x1a/0x1f

[-- Attachment #4: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel