From mboxrd@z Thu Jan 1 00:00:00 1970 From: Vincent Bernardoff Subject: Re: Crashing kernel with dom0/libxc gnttab/gntshr Date: Tue, 30 Jul 2013 14:41:20 +0100 Message-ID: <51F7C280.6040703@luminar.eu.org> References: <51F79A58.5060004@citrix.com> <1375181944.11701.102.camel@kazak.uk.xensource.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="------------070406030703050506000009" Return-path: In-Reply-To: <1375181944.11701.102.camel@kazak.uk.xensource.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: xen-devel@lists.xen.org List-Id: xen-devel@lists.xenproject.org This is a multi-part message in MIME format. --------------070406030703050506000009 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit On 30/07/2013 11:59, Ian Campbell wrote: > On Tue, 2013-07-30 at 11:50 +0100, Vincent Bernardoff wrote: >> >Hi, >> > >> >The attached program makes my kernel (3.9.9-1-ARCH, stock Archlinux >> >kernel) crash with the attached dmesg output. > The dmesg output seems to start halfway through a crash message, which > means it is missing the PC etc and may not be the first crash in any > case. > > Please could you configure a serial console and try and capture the > first crash message in its entirety. Bonus points if you can avoid > linewrapping the dmesg too ;-) > >> >The program just shares a page from dom0 to dom0, > Not just from dom0 to dom0 but actually within the same process. I'm not > sure that matters but it is a bit unusual. Are you able to repro this > with two separate processes acting as front vs. backend? > > The reason I ask is that it isn't clear if the crash is the process with > its front or back "hat" on, separating the two out would be useful. > Here is the updated version, with a program that calls fork() and here is a better dmesg dump as well. The faulty program is the server (sharer). Vincent --------------070406030703050506000009 Content-Type: text/x-csrc; name="libxc_gntshr_bug2.c" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="libxc_gntshr_bug2.c" #include #include #include #include #include #include #include #include int main(int argc, char** argv) { void* map_shr; void* map_tab; int ret; int status; int s_to_c[2]; int c_to_s[2]; /* setup pipes for communication */ if(pipe(s_to_c) == -1) { perror("pipe"); exit(EXIT_FAILURE); } if(pipe(c_to_s) == -1) { perror("pipe"); exit(EXIT_FAILURE); } if (fork() != 0) /* Parent code*/ { uint32_t ref; char buf[1]; xc_gntshr *shr_h = xc_gntshr_open(NULL, 0); printf("I'm server, with pid %d\n", getpid()); if (shr_h == NULL) { perror("xc_gntshr_open"); exit(EXIT_FAILURE); } map_shr = xc_gntshr_share_pages(shr_h, 0, 1, &ref, 1); if (map_shr == NULL) { perror("xc_gntshr_share_pages"); exit(EXIT_FAILURE); } /* Send the gntref to the client. */ write(s_to_c[1], &ref, sizeof(uint32_t)); read(c_to_s[0], buf, 1); /* Now we unshare the page */ ret = xc_gntshr_munmap(shr_h, map_shr, 1); if (ret != 0) { perror("xc_gntshr_munmap"); exit(EXIT_FAILURE); } /* At this point, the kernel should complain… */ /* Waiting for the child to die. */ wait(&status); printf("Children died with status %d\n", status); return 0; } else /* Child code */ { uint32_t ref; xc_gnttab *tab_h = xc_gnttab_open(NULL, 0); printf("I'm client, with pid %d\n", getpid()); if (tab_h == NULL) { perror("xc_gnttab_open"); exit(EXIT_FAILURE); } /* Receive the ref from the server. */ read(s_to_c[0], &ref, sizeof(uint32_t)); /* Ready to map! */ map_tab = xc_gnttab_map_grant_ref(tab_h, 0, ref, PROT_READ|PROT_WRITE); if (map_tab == NULL) { perror("xc_gnttab_map_grant_ref"); exit(EXIT_FAILURE); } /* Sending a msg to server to indicate that he can now unshare. */ write(c_to_s[1], "\0", 1); return 0; } return 0; } --------------070406030703050506000009 Content-Type: text/x-log; name="dmesg.log" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="dmesg.log" [ 1461.873885] BUG: Bad page map in process a.out pte:12bfff127 pmd:cc6c0067 [ 1461.873891] page:ffffea0004afffc0 count:0 mapcount:-1 mapping: (null) index:0xffffffffffffffff [ 1461.873893] page flags: 0x2fc000000000c04(referenced|reserved|private) [ 1461.873898] addr:00007fe1c3f6c000 vm_flags:140400fb anon_vma: (null) mapping:ffff880114555be8 index:0 [ 1461.873899] vma->vm_ops->fault: (null) [ 1461.873911] vma->vm_file->f_op->mmap: gntalloc_mmap+0x0/0x1d0 [xen_gntalloc] [ 1461.873914] CPU: 1 PID: 1010 Comm: a.out Tainted: G B 3.10.3-1-ARCH #1 [ 1461.873916] Hardware name: Dell Inc. Precision WorkStation T3400 /0TP412, BIOS A05 05/09/2008 [ 1461.873917] ffff8800cc407450 ffff8800bea35cc0 ffffffff814bd2df ffff8800bea35d08 [ 1461.873920] ffffffff81146404 ffffea0004afffc0 ffff880114555be8 ffff8800cc6c0b60 [ 1461.873923] ffffea0004afffc0 00007fe1c3f6d000 ffff8800bea35e30 00007fe1c3f6c000 [ 1461.873925] Call Trace: [ 1461.873932] [] dump_stack+0x19/0x1b [ 1461.873937] [] print_bad_pte+0x1b4/0x270 [ 1461.873939] [] unmap_single_vma+0x803/0x8d0 [ 1461.873944] [] ? SyS_readahead+0xb0/0xb0 [ 1461.873948] [] unmap_vmas+0x49/0x90 [ 1461.873951] [] unmap_region+0x99/0x110 [ 1461.873954] [] ? vma_rb_erase+0x129/0x240 [ 1461.873956] [] do_munmap+0x23a/0x3e0 [ 1461.873958] [] vm_munmap+0x41/0x60 [ 1461.873961] [] SyS_munmap+0x22/0x30 [ 1461.873964] [] system_call_fastpath+0x1a/0x1f --------------070406030703050506000009 Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel --------------070406030703050506000009--