
[Xen-devel] RE: [PATCH] mem_sharing: fix race condition of nominate and unshare



Hi Tim & Jui-Hao:
 
      When I use Linux HVM instead of Windows HVM, more bugs show up.
 
      I only start one VM, and when I destroy it, Xen crashed in mem_sharing_unshare_page(),
where at line 709 hash_entry is NULL. Later I found the handle has been removed in
mem_sharing_share_pages(); please refer to the logs below.
 
----mem_sharing_unshare_page
708     /* Remove the gfn_info from the list */
709     hash_entry = mem_sharing_hash_lookup(handle);
710     list_for_each(le, &hash_entry->gfns)
711     {
712         gfn_info = list_entry(le, struct gfn_info, list);
713         if((gfn_info->gfn == gfn) && (gfn_info->domain == d->domain_id))
714             goto gfn_found;
715     }
716     printk("Could not find gfn_info for shared gfn: %lx\n", gfn);
717     BUG();
 
 
----mem_sharing_share_page
 
649     printk("del %lu\n", ch);
650     list_for_each_safe(le, te, &ce->gfns)
651     {
652         gfn = list_entry(le, struct gfn_info, list);
653         /* Get the source page and type, this should never fail
654          * because we are under shr lock, and got non-null se */
655         BUG_ON(!get_page_and_type(spage, dom_cow, PGT_shared_page));
656         /* Move the gfn_info from ce list to se list */
657         list_del(&gfn->list);
658         d = get_domain_by_id(gfn->domain);
659         BUG_ON(!d);
660          BUG_ON(set_shared_p2m_entry(d, gfn->gfn, se->mfn) == 0);
661         put_domain(d);
662         list_add(&gfn->list, &se->gfns);
663         put_page_and_type(cpage);
664         mem_sharing_debug_gfn(d, gfn->gfn);
665     }
666     ASSERT(list_empty(&ce->gfns));
667     mem_sharing_hash_delete(ch);
668     atomic_inc(&nr_saved_mfns);
669     /* Free the client page */
670     if(test_and_clear_bit(_PGC_allocated, &cpage->count_info))
671         put_page(cpage);
672     mem_sharing_debug_gfn(d, gfn->gfn);
673     ret = 0;
 
 
-------log------------
     
(XEN) del 31261
(XEN) Debug for domain=1, gfn=75fd5, Debug page: MFN=179fd5 is ci=8000000000000005, ti=8400000000000001, owner_id=32755
(XEN) Debug for domain=1, gfn=75fd5, Debug page: MFN=179fd5 is ci=4, ti=8400000000000001, owner_id=32755
(XEN) del 31262
(XEN) Debug for domain=1, gfn=75fd6, Debug page: MFN=179fd6 is ci=8000000000000005, ti=8400000000000001, owner_id=32755
(XEN) Debug for domain=1, gfn=75fd6, Debug page: MFN=179fd6 is ci=4, ti=8400000000000001, owner_id=32755
(XEN) del 31263
(XEN) Debug for domain=1, gfn=75fd7, Debug page: MFN=179fd7 is ci=8000000000000005, ti=8400000000000001, owner_id=32755
(XEN) Debug for domain=1, gfn=75fd7, Debug page: MFN=179fd7 is ci=4, ti=8400000000000001, owner_id=32755
(XEN) del 31264
(XEN) Debug for domain=1, gfn=75fd8, Debug page: MFN=179fd8 is ci=8000000000000005, ti=8400000000000001, owner_id=32755
(XEN) Debug for domain=1, gfn=75fd8, Debug page: MFN=179fd8 is ci=4, ti=8400000000000001, owner_id=32755
(XEN) del 31265
(XEN) Debug for domain=1, gfn=75fd9, Debug page: MFN=179fd9 is ci=8000000000000005, ti=8400000000000001, owner_id=32755
(XEN) Debug for domain=1, gfn=75fd9, Debug page: MFN=179fd9 is ci=4, ti=8400000000000001, owner_id=32755
(XEN) del 31266
(XEN) Debug for domain=1, gfn=75fda, Debug page: MFN=179fda is ci=8000000000000005, ti=8400000000000001, owner_id=32755
(XEN) Debug for domain=1, gfn=75fda, Debug page: MFN=179fda is ci=4, ti=8400000000000001, owner_id=32755
(XEN) del 31267
(XEN) Debug for domain=1, gfn=75fdb, Debug page: MFN=179fdb is ci=8000000000000005, ti=8400000000000001, owner_id=32755
(XEN) Debug for domain=1, gfn=75fdb, Debug page: MFN=179fdb is ci=4, ti=8400000000000001, owner_id=32755
(XEN) del 31268
(XEN) Debug for domain=1, gfn=75fdc, Debug page: MFN=179fdc is ci=8000000000000005, ti=8400000000000001, owner_id=32755
(XEN) Debug for domain=1, gfn=75fdc, Debug page: MFN=179fdc is ci=4, ti=8400000000000001, owner_id=32755
(XEN) del 31269
(XEN) Debug for domain=1, gfn=75fdd, Debug page: MFN=179fdd is ci=8000000000000005, ti=8400000000000001, owner_id=32755
(XEN) Debug for domain=1, gfn=75fdd, Debug page: MFN=179fdd is ci=4, ti=8400000000000001, owner_id=32755
(XEN) del 31270
(XEN) Debug for domain=1, gfn=75fde, Debug page: MFN=179fde is ci=8000000000000005, ti=8400000000000001, owner_id=32755
(XEN) Debug for domain=1, gfn=75fde, Debug page: MFN=179fde is ci=4, ti=8400000000000001, owner_id=32755
blktap_sysfs_destroy
(XEN) handle 31261
(XEN) Debug for domain=1, gfn=75fd5, Debug page: MFN=179fd5 is ci=1, ti=8400000000000001, owner_id=32755
(XEN) ----[ Xen-4.0.0  x86_64  debug=n  Not tainted ]----
(XEN) CPU:    1
(XEN) RIP:    e008:[<ffff82c4801bfeeb>] mem_sharing_unshare_page+0x1ab/0x740
(XEN) RFLAGS: 0000000000010246   CONTEXT: hypervisor
(XEN) rax: 0000000000000000   rbx: 0000000000179fd5   rcx: 0000000000000082
(XEN) rdx: 000000000000000a   rsi: 000000000000000a   rdi: ffff82c48021e9c4
(XEN) rbp: ffff8302dd6a0000   rsp: ffff83023ff3fcd0   r8:  0000000000000001
(XEN) r9:  0000000000000000   r10: 00000000fffffff8   r11: 0000000000000005
(XEN) r12: 0000000000075fd5   r13: 0000000000000002   r14: 0000000000000000
(XEN) r15: ffff82f602f3faa0   cr0: 000000008005003b   cr4: 00000000000026f0
(XEN) cr3: 000000031b83b000   cr2: 0000000000000018
(XEN) ds: 002b   es: 002b   fs: 0000   gs: 0000   ss: e010   cs: e008
(XEN) Xen stack trace from rsp=ffff83023ff3fcd0:
(XEN) Xen call trace:
(XEN)    [<ffff82c4801bfeeb>] mem_sharing_unshare_page+0x1ab/0x740
(XEN)    [<ffff82c4801df7e9>] ept_get_entry+0xa9/0x1c0
(XEN)    [<ffff82c4801b8949>] p2m_teardown+0x129/0x170
(XEN)    [<ffff82c4801b681c>] paging_final_teardown+0x2c/0x40
(XEN)    [<ffff82c480149b74>] arch_domain_destroy+0x44/0x170
(XEN)    [<ffff82c4801061fc>] complete_domain_destroy+0x6c/0x130
(XEN)    [<ffff82c48012218c>] rcu_process_callbacks+0xac/0x220
(XEN)    [<ffff82c48011c588>] __do_softirq+0x58/0x80
(XEN)    [<ffff82c480189c6a>] acpi_processor_idle+0x14a/0x740
(XEN)    [<ffff82c4801441b5>] reprogram_timer+0x55/0x90
(XEN)    [<ffff82c48011e474>] timer_softirq_action+0x1a4/0x360
(XEN)    [<ffff82c480149ad6>] idle_loop+0x26/0x80
(XEN)   
(XEN) Pagetable walk from 0000000000000018:
(XEN)  L4[0x000] = 00000001676bd067 0000000000156103
(XEN)  L3[0x000] = 000000031b947067 0000000000121c8d
(XEN)  L2[0x000] = 0000000000000000 ffffffffffffffff
(XEN)
(XEN) ****************************************
(XEN) Panic on CPU 1:
(XEN) FATAL PAGE FAULT
(XEN) [error_code=0000]
(XEN) Faulting linear address: 0000000000000018
(XEN) ****************************************
(XEN)
(XEN) Manual reset required ('noreboot' specified
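
The sequence in the log above ("del 31261", then a lookup of handle 31261) replayed on a simplified model, as an added example that is not part of the original message or of the Xen source. The struct layout and the names find_gfn, replay_log and NBUCKETS are assumptions; with this assumed layout the list head sits at offset 0x18, the faulting address reported in the panic.

```c
#include <stddef.h>
#include <stdint.h>
/* Simplified model, not Xen source; the field layout is an assumption. */
struct list_head { struct list_head *next, *prev; };
struct gfn_info { struct list_head list; unsigned long gfn; int domain; };
struct hash_entry {
    uint64_t handle;
    unsigned long mfn;
    struct hash_entry *next;
    struct list_head gfns;   /* offset 0x18 on LP64 with this layout */
};
#define NBUCKETS 8
static struct hash_entry *buckets[NBUCKETS];

static struct hash_entry *hash_lookup(uint64_t h) {
    struct hash_entry *e = buckets[h % NBUCKETS];
    while (e && e->handle != h) e = e->next;
    return e;                /* NULL once the handle has been deleted */
}

static void hash_delete(uint64_t h) {
    struct hash_entry **pp = &buckets[h % NBUCKETS];
    while (*pp && (*pp)->handle != h) pp = &(*pp)->next;
    if (*pp) *pp = (*pp)->next;
}

/* Checked form of the lookup: 0 = found, -1 = handle gone, -2 = gfn absent. */
static int find_gfn(uint64_t handle, unsigned long gfn, int domain) {
    struct hash_entry *he = hash_lookup(handle);
    if (he == NULL) return -1;   /* unchecked code would read NULL + 0x18 here */
    for (struct list_head *le = he->gfns.next; le != &he->gfns; le = le->next) {
        struct gfn_info *gi = (struct gfn_info *)le;  /* list is the first member */
        if (gi->gfn == gfn && gi->domain == domain) return 0;
    }
    return -2;
}

/* Replays "del 31261" then "handle 31261" from the log on constructed state. */
static int replay_log(void) {
    struct gfn_info gi = { .gfn = 0x75fd5, .domain = 1 };
    struct hash_entry ce = { .handle = 31261, .mfn = 0x179fd5 };
    ce.gfns.next = ce.gfns.prev = &gi.list;
    gi.list.next = gi.list.prev = &ce.gfns;
    buckets[ce.handle % NBUCKETS] = &ce;
    if (find_gfn(31261, 0x75fd5, 1) != 0) return -100;  /* present before delete */
    hash_delete(31261);                                 /* the "del 31261" step */
    return find_gfn(31261, 0x75fd5, 1);                 /* the later unshare lookup */
}
int main(void) { return replay_log() == -1 ? 0 : 1; }
```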