Hi,

c/s 23990:1c8789852eaf crashes xen due to a NULL pointer dereference
within the xen kernel.

I have two different call traces:

(XEN) ----[ Xen-4.2-unstable  x86_64  debug=y  Tainted:    C ]----
(XEN) CPU:    0
(XEN) RIP:    e008:[<ffff82c480151409>] __find_first_bit+0x11/0x2b
(XEN) RFLAGS: 0000000000010246   CONTEXT: hypervisor
(XEN) rax: 0000000000000000   rbx: 0000000000000000   rcx: 0000000000000001
(XEN) rdx: 0000000000000000   rsi: 0000000000000047   rdi: 0000000000000000
(XEN) rbp: ffff82c4802afcf8   rsp: ffff82c4802afcf0   r8:  000000124c1fd4d5
(XEN) r9:  0000000000000007   r10: 0000000000000000   r11: 0000000000000246
(XEN) r12: ffff83012ffb8880   r13: ffff82c4802afe48   r14: 0000000000000000
(XEN) r15: 000000124bcd51be   cr0: 000000008005003b   cr4: 00000000000006f0
(XEN) cr3: 0000000228fb9000   cr2: 0000000000000000
(XEN) ds: 0017   es: 0017   fs: 0000   gs: 0000   ss: e010   cs: e008
(XEN) Xen stack trace from rsp=ffff82c4802afcf0:
(XEN)    0000000000000008 ffff82c4802afd78 ffff82c48019a3c0 0000000000000002
(XEN)    ffff82c4802afd28 ffff82c4802aff18 ffff83012ffb88a0 0000000000000000
(XEN)    0000000000000000 0000000000000000 0000000000000000 ffff8300cfafa15c
(XEN)    ffff83012ff000a4 ffff82c4802588c0 ffff82c4802afe48 0000000000000000
(XEN)    ffff83012ff00080 ffff82c4802afd88 ffff82c480199f83 ffff82c4802afdc8
(XEN)    ffff82c48017e3da ffff83012ff00080 ffff83012ff00080 ffff82c4802afdc8
(XEN)    ffff82c480160391 ffff82c48012478d ffff83012ff000a4 ffff82c4802afe38
(XEN)    ffff82c480165054 ffff82c4802afe38 0000000000000000 0000000000000000
(XEN)    0000000000000000 0000000000000000 0000000000000000 ffff82c4802afe38
(XEN)    ffff82c4802aff18 ffff8300cfcff000 ffff8300cfafa000 0000000000000002
(XEN)    000000124b882e0c 00007d3b7fd50197 ffff82c48015d646 000000124b882e0c
(XEN)    0000000000000002 ffff8300cfafa000 ffff8300cfcff000 ffff82c4802afef0
(XEN)    ffff82c4802aff18 0000000000000246 0000000000000000 0000000000000007
(XEN)    000000124c1fd4d5 ffff82c4802fd4f0 0000000000000000 ffff82c4802e3460
(XEN)    ffff82c4802aff18 ffff8300cfcff000 000000f000000000 ffff82c48015603c
(XEN)    000000000000e008 0000000000000246 ffff82c4802afef0 000000000000e010
(XEN)    ffff82c4802aff10 ffff82c480156089 ffff82c4801241db 0000000000000000
(XEN)    ffff82c4802afd18 0000000000000000 ffffa0002312f840 ffffa0002312d110
(XEN)    ffffffff80c5cac0 ffffa00023344c40 ffffa0002312f840 0000000000000246
(XEN)    0000000000000000 0000000000000000 0000000000000000 0000000000000000
(XEN) Xen call trace:
(XEN)    [<ffff82c480151409>] __find_first_bit+0x11/0x2b
(XEN)    [<ffff82c48019a3c0>] handle_hpet_broadcast+0x97/0x24b
(XEN)    [<ffff82c480199f83>] hpet_legacy_irq_tick+0x42/0x50
(XEN)    [<ffff82c48017e3da>] timer_interrupt+0x24/0x198
(XEN)    [<ffff82c480165054>] do_IRQ+0x542/0x5ef
(XEN)    [<ffff82c48015d646>] common_interrupt+0x26/0x30
(XEN)    [<ffff82c48015603c>] default_idle+0x60/0x65
(XEN)    [<ffff82c480156089>] idle_loop+0x48/0x56
(XEN)
(XEN) Pagetable walk from 0000000000000000:
(XEN)  L4[0x000] = 000000012b778027 0000000000004887
(XEN)  L3[0x000] = 000000012b6cf027 0000000000004930
(XEN)  L2[0x000] = 0000000000000000 ffffffffffffffff
(XEN)
(XEN) ****************************************
(XEN) Panic on CPU 0:
(XEN) FATAL PAGE FAULT
(XEN) [error_code=0000]
(XEN) Faulting linear address: 0000000000000000
(XEN) ****************************************
(XEN)
(XEN) Reboot in five seconds...

(XEN) ----[ Xen-4.2-unstable  x86_64  debug=y  Tainted:    C ]----
(XEN) CPU:    0
(XEN) RIP:    e008:[<ffff82c480151329>] __find_first_bit+0x11/0x2b
(XEN) RFLAGS: 0000000000010246   CONTEXT: hypervisor
(XEN) rax: 0000000000000000   rbx: 0000000000000000   rcx: 0000000000000001
(XEN) rdx: 0000000000000000   rsi: 0000000000000047   rdi: 0000000000000000
(XEN) rbp: ffff82c4802afdc8   rsp: ffff82c4802afdc0   r8:  0000000000000000
(XEN) r9:  00007f7ff7b2d000   r10: 00007f7ff661f800   r11: 0000000000000246
(XEN) r12: ffff83012ffb8880   r13: ffff82c4802aff18   r14: 0000000000000000
(XEN) r15: 00000011bd0ab1c3   cr0: 000000008005003b   cr4: 00000000000006f0
(XEN) cr3: 000000012ab4e000   cr2: 0000000000000000
(XEN) ds: 0017   es: 0017   fs: 0000   gs: 0000   ss: 0000   cs: e008
(XEN) Xen stack trace from rsp=ffff82c4802afdc0:
(XEN)    0000000000000008 ffff82c4802afe48 ffff82c48019a2c0 ffff82c4802afdf8
(XEN)    ffff82c4802afdf8 ffff82c4802aff18 ffff83012ffb88a0 0000000000000000
(XEN)    0000000000000000 0000000000000000 0000000000000000 ffff82c4802afef8
(XEN)    ffff83012ff000a4 ffff82c4802586c0 ffff82c4802aff18 0000000000000000
(XEN)    ffff83012ff00080 ffff82c4802afe58 ffff82c480199e83 ffff82c4802afe98
(XEN)    ffff82c48017e2da ffff83012ff00080 ffff83012ff00080 ffff82c4802afe98
(XEN)    ffff82c480160291 ffff82c4801246ed ffff83012ff000a4 ffff82c4802aff08
(XEN)    ffff82c480164f54 ffffffff80102160 0000000000000000 00000000f543802a
(XEN)    0000000000000000 0000000000000246 00007f7fffffd418 000000000000e02b
(XEN)    00007f7ff7fe6000 00007f7ff7b2f000 0000000000000013 0000000000000001
(XEN)    00007f7ff7b2f000 00007d3b7fd500c7 ffff82c48015d546 00007f7ff7b2f000
(XEN)    0000000000000001 0000000000000013 00007f7ff7b2f000 00007f7fffffd4d0
(XEN)    00007f7ff7fe6000 0000000000000246 00007f7ff661f800 00007f7ff7b2d000
(XEN)    0000000000000000 0000000000000021 00007f7ff543802a 0000000000000000
(XEN)    00007f7fffffd48c 0000000000000011 000000f000000000 000000000047004e
(XEN)    000000000000e033 0000000000000206 00007f7fffffd4b0 000000000000e02b
(XEN)    000000000000beef 000000000000beef 000000000000beef 000000000000beef
(XEN)    0000000000000000 ffff8300cfafa000 0000000000000000 0000000000000000
(XEN) Xen call trace:
(XEN)    [<ffff82c480151329>] __find_first_bit+0x11/0x2b
(XEN)    [<ffff82c48019a2c0>] handle_hpet_broadcast+0x97/0x24b
(XEN)    [<ffff82c480199e83>] hpet_legacy_irq_tick+0x42/0x50
(XEN)    [<ffff82c48017e2da>] timer_interrupt+0x24/0x198
(XEN)    [<ffff82c480164f54>] do_IRQ+0x542/0x5ef
(XEN)
(XEN) Pagetable walk from 0000000000000000:
(XEN)  L4[0x000] = 000000012aeea027 0000000000005115
(XEN)  L3[0x000] = 000000021f809027 00000000000027f6
(XEN)  L2[0x000] = 0000000000000000 ffffffffffffffff
(XEN)
(XEN) ****************************************
(XEN) Panic on CPU 0:
(XEN) FATAL PAGE FAULT
(XEN) [error_code=0000]
(XEN) Faulting linear address: 0000000000000000
(XEN) ****************************************
(XEN)
(XEN) Reboot in five seconds...

-- 
---to satisfy European Law for business letters:
Advanced Micro Devices GmbH
Einsteinring 24, 85689 Dornach b. Muenchen
Geschaeftsfuehrer: Alberto Bozzo, Andrew Bowd
Sitz: Dornach, Gemeinde Aschheim, Landkreis Muenchen
Registergericht Muenchen, HRB Nr. 43632

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
Hi Christoph,

>>> On 21.10.11 at 14:29, Christoph Egger <Christoph.Egger@amd.com> wrote:
> c/s 23990:1c8789852eaf crashes xen due to a NULL pointer dereference
> within the xen kernel.

I may have to ask for some debugging help here - obviously I haven't
seen this on any of my systems, and looking at the code I also fail to
see how this can happen: handle_hpet_broadcast() gets installed into
hpet_events->event_handler only after successful allocation of
hpet_events->cpumask (we're talking about the num_hpets_used == 0
case here, which again only after the allocation sets HPET_EVT_LEGACY,
while hpet_legacy_irq_tick() doesn't allow hpet_events->event_handler
to be called without that flag set). So I'm confused and can't immediately
help.

> I have two different call traces:

They're really pretty similar.

Jan
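Both register dumps point the same way. Xen on x86-64 follows the SysV calling convention, so rdi carries the first argument of __find_first_bit; in both dumps rdi and cr2 are 0, that is, the cpumask pointer handed to the bit scan was NULL while the handler was reached from the timer interrupt. The block below is an added example, not code from Xen or from anyone in this thread: it is a constructed model of the publish-ordering hazard Jan is reasoning about, with a checked stand-in for __find_first_bit so the NULL case is reported rather than faulted on. Jan's reading is that the real code already publishes in the safe order, so the hazardous variant illustrates the class of bug he is ruling out, not the root cause, which this thread does not identify. The struct layout, NR_CPUS, the helper names and the "CPU 3 is waiting" mask contents are assumptions made for the illustration.

```c
/*
 * Constructed model of the initialisation-ordering hazard discussed in this
 * thread; not Xen code. Struct, checked bit-scan and init routines stand in
 * for hpet_events, __find_first_bit and the legacy HPET setup path. Field
 * and flag names follow Jan's description; the rest is assumed.
 */
#include <stdlib.h>
#include <string.h>

#define HPET_EVT_LEGACY 0x1u
#define NR_CPUS         64
#define BITS_PER_LONG   (8 * sizeof(unsigned long))
#define MASK_LONGS      ((NR_CPUS + BITS_PER_LONG - 1) / BITS_PER_LONG)

struct hpet_event_channel {
    unsigned int   flags;
    unsigned long *cpumask;                    /* NULL until allocated */
    void         (*event_handler)(struct hpet_event_channel *);
};

enum tick_result { TICK_IGNORED = 0, TICK_HANDLED = 1, TICK_NULL_DEREF = 2 };
static enum tick_result last_tick;             /* what the last tick saw */
static int last_cpu = -1;

/* Like __find_first_bit, but refuses a NULL mask instead of reading address
 * 0. The real helper has no such check: both dumps fault at linear address 0
 * with rdi, the register carrying the mask argument, equal to 0. */
static int find_first_bit_checked(const unsigned long *mask, size_t nbits)
{
    if (mask == NULL)
        return -1;
    for (size_t i = 0; i < nbits; i++)
        if (mask[i / BITS_PER_LONG] & (1UL << (i % BITS_PER_LONG)))
            return (int)i;
    return (int)nbits;
}

/* Stand-in for handle_hpet_broadcast(): scans the channel's cpumask. */
static void handle_broadcast(struct hpet_event_channel *ch)
{
    int cpu = find_first_bit_checked(ch->cpumask, NR_CPUS);
    last_cpu = cpu;
    last_tick = cpu < 0 ? TICK_NULL_DEREF : TICK_HANDLED; /* <0: real code faults */
}

/* Stand-in for hpet_legacy_irq_tick(): gate on the flag, then dispatch. */
static void legacy_irq_tick(struct hpet_event_channel *ch)
{
    last_tick = TICK_IGNORED;
    if (!(ch->flags & HPET_EVT_LEGACY) || ch->event_handler == NULL)
        return;
    ch->event_handler(ch);
}

static unsigned long *alloc_mask_with_cpu3(void)
{
    unsigned long *m = calloc(MASK_LONGS, sizeof(unsigned long));
    if (m == NULL) abort();
    m[0] |= 1UL << 3;                          /* pretend CPU 3 is waiting */
    return m;
}

/* Hazardous order: handler and flag published before the mask exists, so a
 * tick landing between steps 2 and 3 dispatches into a NULL cpumask. */
static void init_hazardous(struct hpet_event_channel *ch, int irq_in_between)
{
    memset(ch, 0, sizeof(*ch));
    ch->event_handler = handle_broadcast;      /* 1 */
    ch->flags |= HPET_EVT_LEGACY;              /* 2 */
    if (irq_in_between)
        legacy_irq_tick(ch);                   /* the interrupt arrives */
    ch->cpumask = alloc_mask_with_cpu3();      /* 3: too late */
}

/* Safe order, as Jan describes it: data first, then the handler, and the
 * flag that lets the tick path call it last. On SMP the writes also need a
 * write barrier so other CPUs cannot observe them reordered. */
static void init_safe(struct hpet_event_channel *ch, int irq_in_between)
{
    memset(ch, 0, sizeof(*ch));
    ch->cpumask = alloc_mask_with_cpu3();      /* 1 */
    ch->event_handler = handle_broadcast;      /* 2 */
    if (irq_in_between)
        legacy_irq_tick(ch);                   /* flag not yet set: ignored */
    ch->flags |= HPET_EVT_LEGACY;              /* 3 */
}

static enum tick_result run_scenario(int safe_order, int irq_in_between)
{
    struct hpet_event_channel ch;
    if (safe_order)
        init_safe(&ch, irq_in_between);
    else
        init_hazardous(&ch, irq_in_between);
    if (!irq_in_between)
        legacy_irq_tick(&ch);                  /* tick after setup completes */
    free(ch.cpumask);
    return last_tick;
}
```

run_scenario(0, 1) reports TICK_NULL_DEREF, the case the unchecked helper cannot survive, while run_scenario(1, 1) shows a tick that arrives mid-setup being dropped because HPET_EVT_LEGACY is not yet set, and run_scenario(1, 0) shows the normal path finding CPU 3. On a real SMP system the ordering alone is not sufficient: the publishing side needs a write barrier between the data stores and the flag store, and the interrupt path needs the matching read barrier, otherwise another CPU can still observe the flag before the cpumask pointer.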
>>> On 21.10.11 at 15:02, "Jan Beulich" <JBeulich@suse.com> wrote:
> Hi Christoph,
>
>>>> On 21.10.11 at 14:29, Christoph Egger <Christoph.Egger@amd.com> wrote:
>> c/s 23990:1c8789852eaf crashes xen due to a NULL pointer dereference
>> within the xen kernel.
>
> I may have to ask for some debugging help here - obviously I haven't
> seen this on any of my systems, and looking at the code I also fail to
> see how this can happen: handle_hpet_broadcast() gets installed into
> hpet_events->event_handler only after successful allocation of
> hpet_events->cpumask (we're talking about the num_hpets_used == 0
> case here, which again only after the allocation sets HPET_EVT_LEGACY,
> while hpet_legacy_irq_tick() doesn't allow hpet_events->event_handler
> to be called without that flag set). So I'm confused and can't immediately
> help.

I think I can see how this can happen, but I'm still trying to find out
why I don't encounter this. A fix should nevertheless be available
shortly.

Jan
>>> On 21.10.11 at 14:29, Christoph Egger <Christoph.Egger@amd.com> wrote:
> c/s 23990:1c8789852eaf crashes xen due to a NULL pointer dereference
> within the xen kernel.

Would you be able to give the patch I just sent a try before I commit it?

Thanks, Jan
Christoph Egger
2011-Oct-24 09:38 UTC
Re: [Xen-devel] Re: c/s 23990:1c8789852eaf: xen crashes
On 10/21/11 16:01, Jan Beulich wrote:
>>>> On 21.10.11 at 14:29, Christoph Egger <Christoph.Egger@amd.com> wrote:
>> c/s 23990:1c8789852eaf crashes xen due to a NULL pointer dereference
>> within the xen kernel.
>
> Would you be able to give the patch I just sent a try before I commit it?
>

With this patch I can no longer reproduce the crash.

Christoph