From mboxrd@z Thu Jan 1 00:00:00 1970 From: Vincent Bernardoff Subject: Crashing kernel with dom0/libxc gnttab/gntshr Date: Tue, 30 Jul 2013 11:50:00 +0100 Message-ID: <51F79A58.5060004@citrix.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="------------030509080808090003030006" Return-path: List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: xen-devel@lists.xen.org List-Id: xen-devel@lists.xenproject.org --------------030509080808090003030006 Content-Type: text/plain; charset="UTF-8"; format=flowed Content-Transfer-Encoding: 7bit Hi, The attached program makes my kernel (3.9.9-1-ARCH, stock Archlinux kernel) crash with the attached dmesg output. The program just shares a page from dom0 to dom0, then map the page, then unshare the page, and the unsharing makes the kernel crash. I ran into this issue while implementing a native OCaml vchan driver. I'm very much interested in advices/help. Cheers, Vincent --------------030509080808090003030006 Content-Type: text/x-csrc; name="libxc_gntshr_bug2.c" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="libxc_gntshr_bug2.c" #include #include #include #include #include int main(int argc, char** argv) { void* map_shr; void* map_tab; uint32_t ref; int ret; xc_gntshr *shr_h = xc_gntshr_open(NULL, 0); if (shr_h == NULL) { perror("xc_gntshr_open"); exit(EXIT_FAILURE); } xc_gnttab *tab_h = xc_gnttab_open(NULL, 0); if (tab_h == NULL) { perror("xc_gnttab_open"); exit(EXIT_FAILURE); } map_shr = xc_gntshr_share_pages(shr_h, 0, 1, &ref, 1); if (map_shr == NULL) { perror("xc_gntshr_share_pages"); exit(EXIT_FAILURE); } map_tab = xc_gnttab_map_grant_ref(tab_h, 0, ref, PROT_READ|PROT_WRITE); if (map_tab == NULL) { perror("xc_gnttab_map_grant_ref"); exit(EXIT_FAILURE); } /* Now we unshare the page */ ret = xc_gntshr_munmap(shr_h, map_shr, 1); if (ret != 0) { perror("xc_gntshr_munmap"); exit(EXIT_FAILURE); } /* At this point, the kernel should complain… */ return 0; } --------------030509080808090003030006 Content-Type: text/x-log; name="dmesg.log" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="dmesg.log" [ 299.710029] FS: 00007fe69748f700(0000) GS:ffff88011ba40000(0000) knlGS:0000000000000000 [ 299.710029] CS: e033 DS: 0000 ES: 0000 CR0: 000000008005003b [ 299.710029] CR2: 00007fe696d78f30 CR3: 00000000c34fe000 CR4: 0000000000002660 [ 299.710029] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 299.710029] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [ 299.876698] Process a.out (pid: 922, threadinfo ffff8800cc3c6000, task ffff8800c34829e0) [ 299.876698] Stack: [ 299.876698] ffff8800cc2dc5b0 ffff8800cc3c7d88 ffff88000251bc60 ffff88000251b980 [ 299.876698] ffff88000251b960 ffff88000251b990 ffff8800c34829e0 ffff8800cc3c7dd8 [ 299.876698] ffffffffa03e847f ffff88000251b990 ffff880114d50a80 0000000000000000 [ 299.876698] Call Trace: [ 299.876698] [] ? mn_release+0x4f/0x130 [xen_gntdev] [ 299.876698] [] ? __mmu_notifier_release+0x44/0xc0 [ 299.876698] [] ? exit_mmap+0x149/0x170 [ 299.876698] [] ? _raw_spin_lock_irqsave+0x1a/0x50 [ 299.876698] [] ? exit_robust_list+0x6a/0x130 [ 299.876698] [] ? mmput+0x59/0x120 [ 299.876698] [] ? do_exit+0x27f/0xab0 [ 299.876698] [] ? do_munmap+0x2b0/0x3e0 [ 299.876698] [] ? do_group_exit+0x3f/0xa0 [ 299.876698] [] ? sys_exit_group+0x14/0x20 [ 299.876698] [] ? system_call_fastpath+0x1a/0x1f [ 299.876698] Code: 00 00 00 d8 02 3c cc 00 88 ff ff ff ff ff ff ff ff ff ff 60 7d 3c cc 00 88 ff ff 30 e0 00 00 00 00 00 00 82 02 01 00 00 00 00 00 <70> 7d 3c cc 00 88 ff ff 2b e0 00 00 00 00 00 00 b0 c5 2d cc 00 [ 299.876698] RIP [] 0xffff8800cc3c7d5f [ 299.876698] RSP [ 299.964961] ---[ end trace 2cc41b9c64237359 ]--- [ 299.964962] Fixing recursive fault but reboot is needed! [ 299.964963] BUG: scheduling while atomic: a.out/922/0x00000002 [ 299.964985] Modules linked in: snd_hda_codec_hdmi snd_hda_codec_analog snd_hda_intel snd_hda_codec iTCO_wdt gpio_ich iTCO_vendor_support ppdev evdev dcdbas radeon mperf psmouse tg3 coretemp microcode serio_ raw pcspkr snd_hwdep snd_pcm ttm snd_page_alloc snd_timer drm_kms_helper i2c_i801 snd x38_edac edac_core ptp pps_core lpc_ich libphy drm i2c_algo_bit i2c_core soundcore parport_pc parport button processor xenf s xen_privcmd xen_pciback xen_netback xen_blkback xen_gntalloc xen_gntdev xen_evtchn nfs lockd sunrpc fscache ext4 crc16 mbcache jbd2 hid_generic usbhid hid sr_mod cdrom sd_mod ahci libahci libata scsi_mod ehc i_pci uhci_hcd ehci_hcd usbcore usb_common [ 299.964987] Pid: 922, comm: a.out Tainted: G B D 3.9.9-1-ARCH #1 [ 299.964987] Call Trace: [ 299.964991] [] __schedule_bug+0x4d/0x5b [ 299.964994] [] __schedule+0x936/0x940 [ 299.964997] [] ? console_trylock+0x19/0x70 [ 299.964999] [] ? _raw_spin_unlock+0x36/0x40 [ 299.965002] [] ? vprintk_emit+0x176/0x4c0 [ 299.965004] [] ? printk+0x54/0x56 [ 299.965007] [] schedule+0x29/0x70 [ 299.965009] [] do_exit+0xa29/0xab0 [ 299.965012] [] ? kmsg_dump+0xc1/0xd0 [ 299.965015] [] oops_end+0xa3/0xe0 [ 299.965019] [] die+0x4b/0x70 [ 299.965021] [] do_trap+0x60/0x170 [ 299.965024] [] do_invalid_op+0x95/0xb0 [ 299.965027] [] ? xen_batched_set_pte+0xdc/0x200 [ 299.965030] [] ? _raw_spin_lock_irqsave+0x1a/0x50 [ 299.965032] [] ? _raw_spin_unlock_irqrestore+0x12/0x50 [ 299.965035] [] invalid_op+0x1e/0x30 [ 299.965038] [] ? mn_release+0x4f/0x130 [xen_gntdev] [ 299.965042] [] ? __mmu_notifier_release+0x44/0xc0 [ 299.965045] [] ? exit_mmap+0x149/0x170 [ 299.965047] [] ? _raw_spin_lock_irqsave+0x1a/0x50 [ 299.965050] [] ? exit_robust_list+0x6a/0x130 [ 299.965055] [] ? mmput+0x59/0x120 [ 299.965057] [] ? do_exit+0x27f/0xab0 [ 299.965060] [] ? do_munmap+0x2b0/0x3e0 [ 299.965062] [] ? do_group_exit+0x3f/0xa0 [ 299.965065] [] ? sys_exit_group+0x14/0x20 [ 299.965067] [] ? system_call_fastpath+0x1a/0x1f --------------030509080808090003030006 Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel --------------030509080808090003030006--