
Re: NULL pointer dereference in xenbus_thread->...


  • To: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, Jason Andryuk <jandryuk@xxxxxxxxx>
  • From: Jason Andryuk <jason.andryuk@xxxxxxx>
  • Date: Wed, 30 Apr 2025 10:29:58 -0400
  • Cc: Julien Grall <julien@xxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>
  • Delivery-date: Wed, 30 Apr 2025 14:30:12 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 2025-04-30 06:56, Marek Marczykowski-Górecki wrote:
On Tue, Apr 29, 2025 at 08:59:45PM -0400, Jason Andryuk wrote:
Hi Marek,

On Wed, Apr 23, 2025 at 8:42 AM Marek Marczykowski-Górecki
<marmarek@xxxxxxxxxxxxxxxxxxxxxx> wrote:

I've got some more reports confirming it's still happening on Linux
6.12.18. Is there anything I can do to help fix this? Maybe ask users
to enable some extra logging?

Have you been able to capture a crash with debug symbols and run it
through scripts/decode_stacktrace.sh?

Not really, as I don't have debug symbols for this kernel. And I can't
reliably reproduce it myself (for me it happens about once in a
month...). I can try reproducing debug symbols, theoretically I should
have all ingredients for it.

I'm curious what process_msg+0x18e/0x2f0 is.  process_writes() has a
direct call to wake_up(), but process_msg() calling req->cb(req) may
be xs_wake_up() which is a thin wrapper over wake_up().

There is a code dump in the crash message, does it help?

That's a little deeper in the call chain. If you have a vmlinux or bzImage with a matching stacktrace, that would work to look up the address in the disassembly. So if you don't have a matching pair, maybe try to catch it the next time.

They make me wonder if req has been free()ed and at least partially
zero-ed, but it still has wake_up() called.  The call stack here is
reminiscent of the one here
https://lore.kernel.org/xen-devel/Z_lJTyVipJJEpWg2@mail-itl/ and the
unexpected value there is 0.

That's an interesting idea, the one above I've seen only on 6.15-rc1 (and
no later rc). But maybe?

I am guessing, so I could be wrong. NULL pointer and unexpected zero value are both 0 at least. Also Whonix looks like it may use init_on_free=1 to zero memory at free time.

Regards,
Jason
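The hypothesis in the reply above (req freed and zeroed, yet its callback still reached) as a toy C model, added here and not code from the thread, from Linux or from the xenbus driver: a static pool stands in for the slab cache, the zero_on_free flag models init_on_free=1, and every name (struct req, release_req, scenario_buggy, scenario_safe) is an assumption made for the demo. It shows why one and the same stale read of the callback pointer surfaces as a NULL-pointer dereference with zeroing on, passes silently with zeroing off, and cannot happen when the processing side holds its own reference across the callback.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy request with a completion callback, kept in a static pool that stands
 * in for a slab cache (static storage means a stale read below is not real
 * undefined behaviour, which keeps the demo portable). All names are
 * assumptions for this illustration, not kernel identifiers. */
struct req {
    int in_use;
    int ref;                     /* references: issuer, plus processor if taken */
    void (*cb)(struct req *);    /* completion callback, in the role of xs_wake_up() */
    int done;
};

#define POOL_SIZE 4
static struct req pool[POOL_SIZE];
static int zero_on_free = 1;     /* models init_on_free=1 when set */

static void reset_pool(void) { memset(pool, 0, sizeof(pool)); }

static struct req *alloc_req(void (*cb)(struct req *))
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            pool[i].ref = 1;     /* issuer's reference */
            pool[i].cb = cb;
            pool[i].done = 0;
            return &pool[i];
        }
    }
    return NULL;
}

/* Drop one reference; the last drop "frees" the slot. With zero_on_free the
 * contents are wiped, as init_on_free=1 does for the kernel allocators;
 * otherwise the stale contents stay readable. */
static void release_req(struct req *r)
{
    if (--r->ref == 0) {
        if (zero_on_free)
            memset(r, 0, sizeof(*r));
        else
            r->in_use = 0;
    }
}

static void wake_cb(struct req *r) { r->done = 1; }

/* Buggy ordering: the issuer's only reference is dropped before the processor
 * reads ->cb. Returns 1 if the processor observes cb == NULL (the crash
 * signature), 0 if a stale but intact pointer lets the bug pass silently. */
int scenario_buggy(int zero)
{
    zero_on_free = zero;
    reset_pool();
    struct req *r = alloc_req(wake_cb);
    release_req(r);                       /* freed before use */
    void (*cb)(struct req *) = r->cb;     /* stale read through the dangling pointer */
    if (cb == NULL)
        return 1;                         /* would be a call through a NULL function pointer */
    cb(r);                                /* runs on freed memory: bug masked */
    return 0;
}

/* Safe ordering: the processor takes its own reference when the request is
 * queued and drops it only after the callback. Returns 1 when the callback
 * ran on intact memory. */
int scenario_safe(void)
{
    zero_on_free = 1;
    reset_pool();
    struct req *r = alloc_req(wake_cb);
    r->ref++;                             /* processor's reference, taken at queue time */
    release_req(r);                       /* issuer drops: ref 2 -> 1, nothing freed */
    void (*cb)(struct req *) = r->cb;
    if (cb == NULL)
        return 0;
    cb(r);
    int completed = r->done;
    release_req(r);                       /* last reference: slot zeroed only now */
    return completed;
}

int main(void)
{
    printf("buggy, zero-on-free: NULL cb observed = %d\n", scenario_buggy(1));
    printf("buggy, no zeroing:   NULL cb observed = %d\n", scenario_buggy(0));
    printf("safe:                callback completed = %d\n", scenario_safe());
    return 0;
}
```

The point for triage is the middle case: without zeroing, the freed slot usually still holds a valid function pointer, so the same ordering bug runs to completion and only shows up as an occasional corruption. That is consistent with a crash that appears on a distribution using init_on_free=1 and is hard to reproduce elsewhere, and it is why the reporter's 0 value and the NULL dereference can be two views of one defect.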
