From: Ian Campbell <Ian.Campbell@citrix.com>
To: M A Young <m.a.young@durham.ac.uk>
Cc: Dave McCracken <dave.mccracken@oracle.com>,
	"xen-devel@lists.xensource.com" <xen-devel@lists.xensource.com>
Subject: Re: Re: Balloon driver crash
Date: Thu, 3 Jun 2010 21:36:42 +0100
Message-ID: <1275597402.2782.47.camel@localhost.localdomain>
In-Reply-To: <alpine.LFD.2.00.1006032028110.20613@vega4.dur.ac.uk>

On Thu, 2010-06-03 at 20:37 +0100, M A Young wrote:
> On Thu, 3 Jun 2010, M A Young wrote:
>
> > I get the following crash when I try to start up a guest on a low memory
> > machine
> >
> > BUG: unable to handle kernel NULL pointer dereference at (null)
> > IP: [<c0632641>] balloon_process+0x3e5/0x596
> > *pdpt = 0000000000aac001 *pde = 0000000000000000 Oops: 0000 [#1] SMP last
> > sysfs file: /sys/devices/system/xen_memory/xen_memory0/info/current_kb
> > Modules linked in: nfs lockd fscache nfs_acl nf_conntrack_ftp bridge stp llc
> > autofs4 rpcsec_gss_krb5 auth_rpcgss des_generic sunrpc ip6table_filter
> > ip6_tables ipv6 xen_evtchn xenfs snd_intel8x0 snd_ac97_codec ac97_bus snd_seq
> > snd_seq_device ppdev snd_pcm parport_pc parport snd_timer e100 snd soundcore
> > mii iTCO_wdt snd_page_alloc i2c_i801 iTCO_vendor_support i915 drm_kms_helper
> > drm i2c_algo_bit i2c_core video output [last unloaded: scsi_wait_scan]
> > Pid: 6, comm: events/0 Not tainted (2.6.32.14-1.2.105.xendom0.fc12.i686.PAE
> > #1) EIP: 0061:[<c0632641>] EFLAGS: 00010046 CPU: 0
> > EIP is at balloon_process+0x3e5/0x596
> > EAX: c25f6000 EBX: 00000f02 ECX: c269e038 EDX: 00000000
> > ESI: 00000000 EDI: 00018f02 EBP: dc09df6c ESP: dc09df08
> > DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0069
> > Process events/0 (pid: 6, ti=dc09c000 task=dc083fc0 task.ti=dc09c000)
> > Stack:
> > dc09df38 dc09df4c c0ab0288 00000000 00000001 ffffb4d7 00000000 00018f02
> > 00000f02 00000000 000003a9 00000000 c0407250 c2a10004 c2a19b04 c2a10004
> > c0407247 00000000 00000000 00000000 00000000 00007ff0 c2a1d460 c09db2dc
> > Call Trace:
> > [<c0407250>] ? check_events+0x8/0xc
> > [<c0407247>] ? xen_restore_fl_direct_end+0x0/0x1
> > [<c0458d11>] ? worker_thread+0x140/0x1b9
> > [<c063225c>] ? balloon_process+0x0/0x596
> > [<c045c79d>] ? autoremove_wake_function+0x0/0x34
> > [<c0458bd1>] ? worker_thread+0x0/0x1b9
> > [<c045c565>] ? kthread+0x64/0x69
> > [<c045c501>] ? kthread+0x0/0x69
> > [<c040ac07>] ? kernel_thread_helper+0x7/0x10
> > Code: ff 25 ff ff ff 7f 8b 55 c8 39 f8 89 04 95 e0 7e b6 c0 b8 01 00 00 00 0f
> > 44 45 a8 83 ca ff 89 45 a8 89 d8 e8 ed 3f dd ff 8b 55 b4 <8b> 02 c1 e8 1e 69
> > c0 00 0b 00 00 05 80 13 9f c0 2b 80 ec 0a 00 EIP: [<c0632641>]
> > balloon_process+0x3e5/0x596 SS:ESP 0069:dc09df08
> > CR2: 0000000000000000
> >
> > The relevant address is
> > 0xc0632641 <balloon_process+997>: mov (%edx),%eax
>
> This seems to be about line 343 of drivers/xen/balloon.c in the subroutine
> decrease_reservation which is
>         for (j = 0; j < balloon_npages; j++, lpfn++, mfn++) {
>                 if ((discontig_frame_list[j] = pfn_to_mfn(lpfn))
>                     != mfn)
>                         discontig_free = 1;
>
>                 set_phys_to_machine(lpfn, INVALID_P2M_ENTRY);
> /* here */      if (!PageHighMem(page)) {
>                         ret = HYPERVISOR_update_va_mapping(
>                                 (unsigned long)__va(lpfn <<
>                                                     PAGE_SHIFT),
>                                 __pte_ma(0), 0);
>                         BUG_ON(ret);
>                 }
>         }
>
> From what I can tell page is meaningless in this context as it is just
> a temporary variable used in the previous loop, so I would
> guess that PageHighMem should be checking something else, or page should
> be set somewhere e.g. at a guess page=pfn_to_page(lpfn);

That would be my guess also. CCing Dave McCracken who looks to have
introduced this code in 0e898d5e "Add hugepage support to balloon
driver"

Ian.
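
An added example, not part of the original thread: a short Python triage of the oops quoted above. It recovers the faulting instruction from the bracketed byte on the Code: line and checks that the register it dereferences is zero, which agrees with CR2 and with the stale `page` pointer diagnosis. The function name `triage` and the trimmed sample text are assumptions of this example, and it decodes only the one instruction form seen here.

```python
import re

# Lines copied from the oops quoted in this thread, trimmed to what the example needs.
OOPS = """\
EIP is at balloon_process+0x3e5/0x596
EAX: c25f6000 EBX: 00000f02 ECX: c269e038 EDX: 00000000
ESI: 00000000 EDI: 00018f02 EBP: dc09df6c ESP: dc09df08
Code: ff 25 ff ff ff 7f 8b 55 c8 39 f8 89 04 95 e0 7e b6 c0 b8 01 00 00 00 0f
44 45 a8 83 ca ff 89 45 a8 89 d8 e8 ed 3f dd ff 8b 55 b4 <8b> 02 c1 e8 1e 69
c0 00 0b 00 00 05 80 13 9f c0 2b 80 ec 0a 00 EIP: [<c0632641>]
CR2: 0000000000000000
"""

# 32-bit x86 general registers in ModRM encoding order (0..7).
REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]


def triage(oops):
    """Report what the faulting instruction dereferenced (hypothetical helper)."""
    sym, off = re.search(r"EIP is at (\w+)\+0x([0-9a-f]+)/", oops).groups()
    regs = {n: int(v, 16)
            for n, v in re.findall(r"\b(E[A-Z]{2}): ([0-9a-f]{8})\b", oops)}
    cr2 = int(re.search(r"CR2: ([0-9a-f]+)", oops).group(1), 16)
    # The kernel brackets the byte at EIP with <..>; take it and the next byte.
    code = re.search(r"Code:(.*?)EIP:", oops, re.S).group(1).split()
    i = next(k for k, b in enumerate(code) if b.startswith("<"))
    opcode, modrm = int(code[i].strip("<>"), 16), int(code[i + 1], 16)
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    # Only "8b /r" (load r32 from memory) with a plain [reg] operand is decoded.
    if opcode != 0x8B or mod != 0 or rm in (4, 5):
        raise ValueError("instruction form not handled by this sketch")
    base = REG32[rm]
    return {
        "location": "%s+%d" % (sym, int(off, 16)),  # decimal offset, as gdb prints it
        "insn": "mov (%%%s),%%%s" % (base.lower(), REG32[reg].lower()),
        "base_reg": base,
        "base_value": regs[base],
        "matches_cr2": regs[base] == cr2,  # fault address equals the base register
    }


if __name__ == "__main__":
    for key, value in triage(OOPS).items():
        print(key, "=", value)
```
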