Date: Thu, 13 Sep 2007 17:31:32 -0400
From: Daniel Jacobowitz
Message-ID: <20070913213132.GA22441@caradoc.them.org>
Subject: [Qemu-devel] More MIPS panics
To: qemu-devel@nongnu.org

When fixing the breakpoint failure, Jason's reproducible testcase was very helpful, so I'll return the favor in case someone else wants to fix this one...

Running huge.exp from the gdb testsuite over gdbserver, with the gdbserver inside a mips or mipsel qemu, reliably crashes the kernel.
It will end up taking a recursive fault, and when it runs out of stack it'll start overwriting other helpful things like the page tables.

All you need is a file with a single huge static array full of zero bytes. 0x800000 bytes works nicely. If you tell gdb to print it while running a native MIPS gdb, it reads the contents from /proc/PID/mem using pread in a single huge lump; this works fine. If you tell gdb to print it while connected to gdbserver, gdbserver will use ptrace to read it one word at a time. This does not work fine. At some random point in the array the kernel will go belly-up.

Therefore I assume this is something to do with frequently mapping and unmapping pages in the kmap area. So far I have not had any luck figuring out what's going on. It seems like a zero word appears in the wrong place, though, so my suspect is the mapping and unmapping in copy_to_user_page...

-- 
Daniel Jacobowitz
CodeSourcery
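An added example, not code from the mail above nor from gdb or gdbserver: a small Linux harness in C that reads a child's static zero-filled array over both paths the report contrasts, a single pread() of /proc/PID/mem and a PTRACE_PEEKDATA loop, and checks that the two agree and contain only zeros. It assumes a Linux host where ptrace is permitted (it returns -1 instead of failing where a sandbox forbids it) and uses a 512 KiB array rather than the 0x800000 bytes in the report to keep the word-by-word loop short.

```c
#define _GNU_SOURCE
#define _FILE_OFFSET_BITS 64
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

#define ARRAY_BYTES 0x80000           /* 512 KiB here; the report used 0x800000 */
static char huge_array[ARRAY_BYTES];  /* the single static array of zero bytes */

/* Returns 1 when both read paths return identical all-zero data, 0 when they
 * disagree or a non-zero word appears, -1 when ptrace or /proc/PID/mem is
 * unavailable (restricted sandbox) so no comparison could be made. */
int compare_read_paths(void)
{
    static char buf[ARRAY_BYTES];
    int status, rc = -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                   /* child: volunteer as tracee, then stop */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(2);
        raise(SIGSTOP); _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) goto out;
    /* Path 1 (native gdb): one pread() of /proc/PID/mem at the array's address. */
    char path[32]; snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    int fd = open(path, O_RDONLY);
    if (fd < 0) goto out;
    ssize_t n = pread(fd, buf, ARRAY_BYTES, (off_t)(uintptr_t)huge_array);
    close(fd);
    if (n != ARRAY_BYTES) goto out;
    /* Path 2 (gdbserver): one PTRACE_PEEKDATA call per machine word. */
    rc = 1;
    for (size_t off = 0; off < ARRAY_BYTES; off += sizeof(long)) {
        errno = 0;
        long w = ptrace(PTRACE_PEEKDATA, pid, huge_array + off, NULL);
        if (errno) { rc = -1; break; }                 /* the peek itself failed */
        if (w != 0 || memcmp(buf + off, &w, sizeof w)) { rc = 0; break; }
    }
out:
    kill(pid, SIGKILL);
    waitpid(pid, &status, 0);
    return rc;
}
int main(void) { printf("result: %d\n", compare_read_paths()); return 0; }
```

A result of 0 is the interesting one: it means the word-at-a-time path returned data that differs from the single-lump read, which is the symptom the report describes.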