
Re: [Xen-devel] HVM domains crash after upgrade from XEN 4.5.1 to 4.5.2



On 19/11/15 10:24, Jan Beulich wrote:
>>>> On 19.11.15 at 00:17, <andrew.cooper3@xxxxxxxxxx> wrote:
>> The disassembly of do_IRQ now looks like a plausible function, but the
>> consistently faulting address has no plausible way of generating a
>> double fault.  I suspect therefore that something has caused memory
>> corruption in Xen .text section.
> Dump of assembler code for function do_IRQ:
>    0xffff82d080176577 <+0>:   push   %rbp
>    0xffff82d080176578 <+1>:   mov    %rsp,%rbp
>    0xffff82d08017657b <+4>:   push   %r15
>    0xffff82d08017657d <+6>:   push   %r14
>    0xffff82d08017657f <+8>:   push   %r13
>    0xffff82d080176581 <+10>:  push   %r12
>    0xffff82d080176583 <+12>:  push   %rbx
>    0xffff82d080176584 <+13>:  lea    -0x1058(%rsp),%rsp
>    0xffff82d08017658c <+21>:  orq    $0x0,(%rsp)
>    0xffff82d080176591 <+26>:  lea    0x1020(%rsp),%rsp
>
> The orq surely has potential for causing a double fault, if %rsp is
> near the stack limit. The two LEAs look suspect, presumably a
> result of some non-standard option passed to gcc. Removing that
> option might already be a step forward.

Actually yes - that is a huge quantity of stack usage.

(The actual behaviour looks very suspect - it appears to be completely
pointless).

The #DF handler reports that %rsp in the exception frame is within
range.  Having said that,

(XEN) [    2.788209] rbp: ffff83080ca8ed78   rsp: ffff83080ca8dcf8   r8:  ffff83080ca9d558
...
(XEN) [    2.837474] Valid stack range: ffff83080ca8e000-ffff83080ca90000, sp=ffff83080ca8dcf8, tss.esp0=ffff83080ca8ffc0
(XEN) [    2.848969] No stack overflow detected. Skipping stack trace.

In this case, the stack pointer *is* out of range, and has hit the guard
page.

This means:
1) There is some bug in the stack overflow detection in the #DF handler.
2) Whatever options Gentoo compiles Xen with are sufficient to overflow
the 8K hypervisor stack.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
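
The arithmetic behind the message above, as an added example that is not part of the original post and is not Xen's own code: it parses the quoted "Valid stack range" line, measures how far sp sits below the range, and undoes the 0x1058-byte adjustment from the quoted do_IRQ prologue to recover sp before the probe. All function and type names are hypothetical; the addresses and the probe size are copied from the log and disassembly quoted in the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the wrapped log line from the message, rejoined. */
static const char SAMPLE_LOG[] =
    "(XEN) [    2.837474] Valid stack range: ffff83080ca8e000-ffff83080ca90000,"
    " sp=ffff83080ca8dcf8, tss.esp0=ffff83080ca8ffc0";

struct stack_report { uint64_t lo, hi, sp; };   /* hypothetical helper type */

/* Parse "Valid stack range: lo-hi, sp=..." out of a log line; 0 on success. */
int parse_stack_report(const char *line, struct stack_report *r)
{
    unsigned long long lo, hi, sp;
    const char *p = strstr(line, "Valid stack range:");

    if (!p || sscanf(p, "Valid stack range: %llx-%llx, sp=%llx",
                     &lo, &hi, &sp) != 3)
        return -1;
    r->lo = lo; r->hi = hi; r->sp = sp;
    return 0;
}

/* Bytes by which sp lies below the reported range; 0 if sp >= lo. */
uint64_t bytes_below_stack(const struct stack_report *r)
{
    return r->sp < r->lo ? r->lo - r->sp : 0;
}

/* 1 if addr is inside [lo, hi). */
int in_stack_range(const struct stack_report *r, uint64_t addr)
{
    return addr >= r->lo && addr < r->hi;
}

/* Undo "lea -probe(%rsp),%rsp": the sp value just before the probe. */
uint64_t sp_before_probe(uint64_t faulting_sp, uint64_t probe)
{
    return faulting_sp + probe;
}

int main(void)
{
    struct stack_report r;
    if (parse_stack_report(SAMPLE_LOG, &r))
        return 1;
    uint64_t before = sp_before_probe(r.sp, 0x1058);  /* from <+13> in the dump */
    printf("sp is %#llx bytes below the range\n",
           (unsigned long long)bytes_below_stack(&r));
    printf("sp before probe %#llx, in range: %d\n",
           (unsigned long long)before, in_stack_range(&r, before));
    return 0;
}
```

The recovered pre-probe sp also equals the logged rbp (ffff83080ca8ed78) minus the five 8-byte pushes that follow `mov %rsp,%rbp`, so the register dump and the disassembly agree that the faulting access is the `orq` probe.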


 

