Hi, I occasionally meet with xen crash when the PV guest shuts down. BTW, I''m using xen c/s 20702. Per the log, the reason is: v->domain->poll_mask is NULL in poll_timer_fn(). The poll_mask is freed and set to NULL in domain_kill() -> evtchn_destroy(), but the poll_timer may keep active until complete_domain_destroy() -> sched_destroy_vcpu() -> kill_timer(). Between them, the timer may be fired and poll_timer_fn() would access the NULL pointer and cause the crash. Maybe here we should move kill_timer() a little earlier, or free the poll_mask a little later? Thanks, -- Dexuan (XEN) ----[ Xen-4.0.0-rc1-pre x86_64 debug=y Not tainted ]---- (XEN) CPU: 2 (XEN) RIP: e008:[<ffff82c48011d8e4>] poll_timer_fn+0x11/0x22 (XEN) RFLAGS: 0000000000010246 CONTEXT: hypervisor (XEN) rax: 0000000000000000 rbx: ffff82c48026f100 rcx: 0000000000000001 (XEN) rdx: 0000000000000000 rsi: ffff83004a218090 rdi: ffff83004a218000 (XEN) rbp: ffff83007d0bfe40 rsp: ffff83007d0bfe40 r8: 0000000000000001 (XEN) r9: 0000000000000001 r10: 0000ffff0000ffff r11: 00ff00ff00ff00ff (XEN) r12: ffff83004a218000 r13: ffff82c48011d8d3 r14: ffff83007d3e7b08 (XEN) r15: ffff83007d3e7b00 cr0: 000000008005003b cr4: 00000000000026f0 (XEN) cr3: 0000000068f91000 cr2: 0000000000000000 (XEN) ds: 0000 es: 0000 fs: 0000 gs: 0000 ss: e010 cs: e008 (XEN) Xen stack trace from rsp=ffff83007d0bfe40: (XEN) ffff83007d0bfe70 ffff82c4801203ea 0000000000000002 ffff83007d3e7528 (XEN) ffff82c48026f100 00008f3e7bff5dfd ffff83007d0bfed0 ffff82c4801205c6 (XEN) ffff83007d0bff28 ffff83007d3e7b00 0000ffff0000ffff ffff82c48026f100 (XEN) 0000000000000001 0000000000000002 ffff83007d0bff28 ffff82c48030c680 (XEN) 0000000000000002 ffff82c48026f080 ffff83007d0bff00 ffff82c48011e400 (XEN) 000000000000e008 ffff83007d0bff28 ffff82c48026ba00 ffff83007a6da000 (XEN) ffff83007d0bff20 ffff82c48014b6cb 0000000000000002 ffff83007d3c0000 (XEN) ffff83007d0bfdb8 0000000000000000 0000000000000000 0000000000000000 (XEN) 0000000000000000 ffffffff80753f48 0000000000000000 0000000000000246 (XEN) ffffffff807c37d8 00000000000000b7 0000000100efdcba 0000000000000000 (XEN) ffffffff802053aa 0000000000000000 00000000deadbeef 00000000deadbeef (XEN) 0000010000000000 ffffffff802053aa 000000000000e033 0000000000000246 (XEN) ffffffff80753f10 000000000000e02b 555555555555beef 555555555555beef (XEN) 555555555555beef 555555555555beef 5555555500000002 ffff83007d3c0000 (XEN) Xen call trace: (XEN) [<ffff82c48011d8e4>] poll_timer_fn+0x11/0x22 (XEN) [<ffff82c4801203ea>] execute_timer+0x2e/0x4c (XEN) [<ffff82c4801205c6>] timer_softirq_action+0x1be/0x377 (XEN) [<ffff82c48011e400>] do_softirq+0x6a/0x77 (XEN) [<ffff82c48014b6cb>] idle_loop+0x7a/0x81 (XEN) (XEN) Pagetable walk from 0000000000000000: (XEN) L4[0x000] = 000000006a45c067 00000000000107a3 (XEN) L3[0x000] = 000000006a4ef067 0000000000010710 (XEN) L2[0x000] = 0000000000000000 ffffffffffffffff (XEN) (XEN) **************************************** (XEN) Panic on CPU 2: (XEN) FATAL PAGE FAULT (XEN) [error_code=0002] (XEN) Faulting linear address: 0000000000000000 (XEN) **************************************** _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
On 24/12/2009 11:31, "Cui, Dexuan" <dexuan.cui@intel.com> wrote:> Hi, I occasionally meet with xen crash when the PV guest shuts down. > BTW, I''m using xen c/s 20702. > Per the log, the reason is: v->domain->poll_mask is NULL in poll_timer_fn(). > > The poll_mask is freed and set to NULL in domain_kill() -> evtchn_destroy(), > but the poll_timer may keep active until complete_domain_destroy() -> > sched_destroy_vcpu() -> kill_timer(). Between them, the timer may be fired and > poll_timer_fn() would access the NULL pointer and cause the crash. > > Maybe here we should move kill_timer() a little earlier, or free the poll_mask > a little later?Easiest just to free the mask later. Should be fixed by c/s 20722. Thanks, Keir _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel