Bug 249409 - Mapping guest pages can crash Dom0
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel-xen
Version: 5.0
Hardware: All
OS: Linux
Priority: medium
Severity: high
Assigned To: Chris Lalancette
Martin Jenner
Duplicates: 253479
Depends On: 248947
Blocks: 254208
Reported: 2007-07-24 10:31 EDT by Markus Armbruster
Modified: 2007-11-30 17:07 EST (History)
Fixed In Version: RHBA-2007-0959
Doc Type: Bug Fix
Last Closed: 2007-11-07 14:56:40 EST
Attachments:
Simple test program to map and read arbitrary mfns (741 bytes, text/x-csrc)
2007-07-24 10:56 EDT, Markus Armbruster
Patch to fix this crash (603 bytes, patch)
2007-08-24 09:33 EDT, Chris Lalancette
Description Markus Armbruster 2007-07-24 10:31:15 EDT
+++ This bug was initially created as a clone of Bug #248947 +++

Description of problem:
Running host on RHEL-5.1 x86_64 platform. Attempt to install an i386 FC6 guest.
When the VNC Viewer program launches the host system will kernel panic.

Jul 19 15:04:29 pumpkin ----------- [cut here ] --------- [please bite here ]
--------- 
Jul 19 15:04:29 pumpkin Kernel BUG at mm/memory.c:2290 
Jul 19 15:04:29 pumpkin invalid opcode: 0000 [1] 
Jul 19 15:04:29 pumpkin SMP 
Jul 19 15:04:29 pumpkin  
Jul 19 15:04:29 pumpkin last sysfs file: /class/misc/evtchn/dev 
Jul 19 15:04:29 pumpkin CPU 0 
Jul 19 15:04:29 pumpkin  
Jul 19 15:04:29 pumpkin Modules linked in:
Jul 19 15:04:29 pumpkin  xt_physdev
Jul 19 15:04:29 pumpkin  iptable_filter
Jul 19 15:04:29 pumpkin  ip_tables
Jul 19 15:04:29 pumpkin  netconsole
Jul 19 15:04:29 pumpkin  i915
Jul 19 15:04:29 pumpkin  drm
Jul 19 15:04:29 pumpkin  netloop
Jul 19 15:04:29 pumpkin  netbk
Jul 19 15:04:29 pumpkin  blktap
Jul 19 15:04:29 pumpkin  blkbk
Jul 19 15:04:29 pumpkin  bridge
Jul 19 15:04:29 pumpkin  autofs4
Jul 19 15:04:29 pumpkin  hidp
Jul 19 15:04:29 pumpkin  rfcomm
Jul 19 15:04:29 pumpkin  l2cap
Jul 19 15:04:29 pumpkin  bluetooth
Jul 19 15:04:29 pumpkin  sunrpc
Jul 19 15:04:29 pumpkin  bonding
Jul 19 15:04:29 pumpkin  ipt_REJECT
Jul 19 15:04:29 pumpkin  ip6t_REJECT
Jul 19 15:04:29 pumpkin  xt_tcpudp
Jul 19 15:04:29 pumpkin  ip6table_filter
Jul 19 15:04:29 pumpkin  ip6_tables
Jul 19 15:04:29 pumpkin  x_tables
Jul 19 15:04:29 pumpkin  dm_multipath
Jul 19 15:04:29 pumpkin  video
Jul 19 15:04:29 pumpkin  sbs
Jul 19 15:04:29 pumpkin  backlight
Jul 19 15:04:29 pumpkin  i2c_ec
Jul 19 15:04:29 pumpkin  button
Jul 19 15:04:29 pumpkin  battery
Jul 19 15:04:29 pumpkin  asus_acpi
Jul 19 15:04:29 pumpkin  ac
Jul 19 15:04:29 pumpkin  ipv6
Jul 19 15:04:29 pumpkin  lp
Jul 19 15:04:29 pumpkin  sr_mod
Jul 19 15:04:29 pumpkin  cdrom
Jul 19 15:04:29 pumpkin  snd_hda_intel
Jul 19 15:04:29 pumpkin  snd_hda_codec
Jul 19 15:04:29 pumpkin  sg
Jul 19 15:04:29 pumpkin  snd_seq_dummy
Jul 19 15:04:29 pumpkin  snd_seq_oss
Jul 19 15:04:29 pumpkin  snd_seq_midi_event
Jul 19 15:04:29 pumpkin  snd_seq
Jul 19 15:04:29 pumpkin  snd_seq_device
Jul 19 15:04:29 pumpkin  snd_pcm_oss
Jul 19 15:04:29 pumpkin  snd_mixer_oss
Jul 19 15:04:29 pumpkin  snd_pcm
Jul 19 15:04:29 pumpkin  snd_timer
Jul 19 15:04:29 pumpkin  snd
Jul 19 15:04:29 pumpkin  serio_raw
Jul 19 15:04:29 pumpkin  soundcore
Jul 19 15:04:29 pumpkin  shpchp
Jul 19 15:04:29 pumpkin  snd_page_alloc
Jul 19 15:04:29 pumpkin  pcspkr
Jul 19 15:04:29 pumpkin  pata_marvell
Jul 19 15:04:29 pumpkin  e1000
Jul 19 15:04:29 pumpkin  parport_pc
Jul 19 15:04:29 pumpkin  parport
Jul 19 15:04:29 pumpkin  i2c_i801
Jul 19 15:04:29 pumpkin  i2c_core
Jul 19 15:04:29 pumpkin  dm_snapshot
Jul 19 15:04:29 pumpkin  dm_zero
Jul 19 15:04:29 pumpkin  dm_mirror
Jul 19 15:04:29 pumpkin  dm_mod
Jul 19 15:04:29 pumpkin  ata_piix
Jul 19 15:04:29 pumpkin  libata
Jul 19 15:04:29 pumpkin  sd_mod
Jul 19 15:04:29 pumpkin  scsi_mod
Jul 19 15:04:29 pumpkin  ext3
Jul 19 15:04:29 pumpkin  jbd
Jul 19 15:04:29 pumpkin  ehci_hcd
Jul 19 15:04:29 pumpkin  ohci_hcd
Jul 19 15:04:29 pumpkin  uhci_hcd
Jul 19 15:04:29 pumpkin  
Jul 19 15:04:29 pumpkin Pid: 4753, comm: xen-vncfbo Not tainted 2.6.18-32.el5xen #1 
Jul 19 15:04:29 pumpkin RIP: e030:[<ffffffff80208b30>] 
Jul 19 15:04:29 pumpkin  [<ffffffff80208b30>] __handle_mm_fault+0x379/0xf46 
Jul 19 15:04:29 pumpkin RSP: e02b:ffff880052bebde8  EFLAGS: 00010202 
Jul 19 15:04:29 pumpkin RAX: ffffffff80514840 RBX: 0000000000000810 RCX: 00003ffffffff000 
Jul 19 15:04:29 pumpkin RDX: 000000003717e810 RSI: 0000000000000067 RDI: ffff880051cf3080 
Jul 19 15:04:29 pumpkin RBP: ffff880051cf3080 R08: 000000000063e6c0 R09: 0000000000000040 
Jul 19 15:04:30 pumpkin R10: 000000001adbdf58 R11: 00002aaaaaf02000 R12: 0000000000000000 
Jul 19 15:04:30 pumpkin R13: ffff88003717e810 R14: 00002aaaaaf02000 R15: ffff880052bf31e0 
Jul 19 15:04:30 pumpkin FS:  00002aaaae23c870(0063) GS:ffffffff80599000(0000) knlGS:0000000000000000 
Jul 19 15:04:30 pumpkin CS:  e033 DS: 0000 ES: 0000 
Jul 19 15:04:30 pumpkin Process xen-vncfbo (pid: 4753, threadinfo ffff880052bea000, task ffff88005cae8100) 
Jul 19 15:04:30 pumpkin Stack: 
Jul 19 15:04:30 pumpkin  000000000001adbc 
Jul 19 15:04:30 pumpkin  000000001ae0d000 
Jul 19 15:04:30 pumpkin  ffff880051cf3080 
Jul 19 15:04:30 pumpkin  ffff8800372a8ab8 
Jul 19 15:04:30 pumpkin  
Jul 19 15:04:30 pumpkin  0000000000000000 
Jul 19 15:04:30 pumpkin  ffff88003733e518 
Jul 19 15:04:30 pumpkin  ffff880051cf3100 
Jul 19 15:04:30 pumpkin  0000000000000000 
Jul 19 15:04:30 pumpkin  
Jul 19 15:04:30 pumpkin  ffff880052ad2a50 
Jul 19 15:04:30 pumpkin  ffffffff80261889 
Jul 19 15:04:30 pumpkin  
Jul 19 15:04:30 pumpkin Call Trace: 
Jul 19 15:04:30 pumpkin  [<ffffffff80261889>] _spin_lock_irqsave+0x9/0x14 
Jul 19 15:04:30 pumpkin  [<ffffffff802641db>] do_page_fault+0xe48/0x11dc 
Jul 19 15:04:30 pumpkin  [<ffffffff8025d823>] error_exit+0x0/0x6e 
Jul 19 15:04:30 pumpkin  
Jul 19 15:04:30 pumpkin  
Jul 19 15:04:30 pumpkin Code: 
Jul 19 15:04:30 pumpkin 0f 
Jul 19 15:04:30 pumpkin 0b 
Jul 19 15:04:30 pumpkin 68 
Jul 19 15:04:30 pumpkin ee 
Jul 19 15:04:30 pumpkin 50 
Jul 19 15:04:30 pumpkin 47 
Jul 19 15:04:30 pumpkin 80 
Jul 19 15:04:30 pumpkin c2 
Jul 19 15:04:30 pumpkin f2 
Jul 19 15:04:30 pumpkin 08 
Jul 19 15:04:30 pumpkin 49 
Jul 19 15:04:30 pumpkin 8b 
Jul 19 15:04:30 pumpkin 87 
Jul 19 15:04:30 pumpkin 90 
Jul 19 15:04:30 pumpkin 00 
Jul 19 15:04:30 pumpkin last message repeated 2 times
Jul 19 15:04:30 pumpkin 48 
Jul 19 15:04:30 pumpkin c7 
Jul 19 15:04:30 pumpkin 44 
Jul 19 15:04:30 pumpkin  
Jul 19 15:04:30 pumpkin RIP 
Jul 19 15:04:30 pumpkin  [<ffffffff80208b30>] __handle_mm_fault+0x379/0xf46 
Jul 19 15:04:30 pumpkin  RSP <ffff880052bebde8> 
Jul 19 15:04:30 pumpkin  
Jul 19 15:04:30 pumpkin Kernel panic - not syncing: Fatal exception 
Jul 19 15:04:30 pumpkin  


Version-Release number of selected component (if applicable):
2.6.18-32.el5xen

How reproducible:


Steps to Reproduce:
1. Run
/usr/sbin/virt-install --name testdemo --ram 500 --file /var/lib/xen/images/testdemo.img --file-size 5 --vnc --location http://download.fedora.devel.redhat.com/pub/fedora/linux/core/6/i386/os/ --paravirt

Actual results:
Kernel panic of host OS

Expected results:
Installer is displayed in VNC viewer

Additional info:
NB, you need the 2 patches in 248192 applied to the Xen userspace before you can
even boot an i386 FC6 domU.

If it is not feasible to make a legacy FC6 PVFB work in a 32-on-64 environment
then we at least need to detect it & refuse to try starting it, rather than
panicking dom0.

-- Additional comment from armbru@redhat.com on 2007-07-24 10:27 EST --
This is really two bugs:

1. The old PVFB backend lacks 32-on-64 capability.  In the test case, it assumes
a 64 bit frontend, misinterprets the shared page, and maps the wrong guest pages.

2. Xen dies when dom0 user space maps the wrong guest pages.  I'm going to clone
this bug to track that.
Comment 1 Markus Armbruster 2007-07-24 10:56:27 EDT
Created attachment 159853 [details]
Simple test program to map and read arbitrary mfns

Drop into tools/xenfb, compile with

    $ gcc -g -O0 -Wall -D__XEN_TOOLS__ -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE \
        -I../../tools/libxc -I../../tools/xenstore -I../../linux-2.6-xen-sparse/include \
        -o crash249409 crash249409.c ../libxc/libxenctrl.a ../xenstore/libxenstore.a

Then this crashes a freshly booted dom0 not running any guests:
    # ./crash249409 1 3435973664

The crash happens on access of the mapped page.

Serial console:
mm.c:1923:d0 Unknown domain '1'
----------- [cut here ] --------- [please bite here ] ---------
Kernel BUG at mm/memory.c:2290
invalid opcode: 0000 [1] SMP 
last sysfs file: /devices/pci0000:00/0000:00:08.0/irq
CPU 0 
Modules linked in: netloop netbk blktap blkbk ipt_MASQUERADE iptable_nat ip_nat
xt_state ip_conntrack nfnetlink ipt_REJECT xt_tcpudp iptable_filter ip_tables
x_tables bridge autofs4 hidp rfcomm l2cap bluetooth sunrpc ipv6 dm_multipath
video sbs backlight i2c_ec button battery asus_acpi ac parport_pc lp parport
snd_hda_intel snd_hda_codec snd_seq_dummy snd_seq_oss snd_seq_midi_event sg
snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm forcedeth ide_cd
serio_raw snd_timer pcspkr snd k8_edac edac_mc shpchp floppy cdrom soundcore
8250_pnp 8250 serial_core k8temp hwmon snd_page_alloc i2c_nforce2 i2c_core
dm_snapshot dm_zero dm_mirror dm_mod sata_nv libata sd_mod scsi_mod ext3 jbd
ehci_hcd ohci_hcd uhci_hcd
Pid: 4401, comm: crash249409 Not tainted 2.6.18-34.el5xen #1
RIP: e030:[<ffffffff80208b30>]	[<ffffffff80208b30>] __handle_mm_fault+0x379/0xf46
RSP: e02b:ffff8800ce7b9de8  EFLAGS: 00010202
RAX: ffffffff80514840 RBX: 0000000000000560 RCX: 00003ffffffff000
RDX: 00000000ce399560 RSI: 0000000000000067 RDI: ffff8800ea4320c0
RBP: ffff8800ea4320c0 R08: 0000000000000003 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: ffff8800ce399560 R14: 00002aaaaaaac000 R15: ffff8800ce378138
FS:  00002aaaaaac3670(0000) GS:ffffffff80599000(0000) knlGS:0000000000000000
CS:  e033 DS: 0000 ES: 0000
Process crash249409 (pid: 4401, threadinfo ffff8800ce7b8000, task ffff8800ea4ab7a0)
Stack:	00000000fffffff2  0000000080275de1  ffff8800ea4320c0  ffff8800cefc7aa8 

 0000000000001000  00002aaaaaaac000  ffff8800ea4320c0  ffffffff80261889 
 ffff8800ea432128  ffffffff80221ee8 
Call Trace:
 [<ffffffff80261889>] _spin_lock_irqsave+0x9/0x14
 [<ffffffff80221ee8>] __up_read+0x19/0x7f
 [<ffffffff802641db>] do_page_fault+0xe48/0x11dc
 [<ffffffff8030b071>] file_has_perm+0x94/0xa3
 [<ffffffff8025d823>] error_exit+0x0/0x6e


Code: 0f 0b 68 ee 50 47 80 c2 f2 08 49 8b 87 90 00 00 00 48 c7 44 
RIP  [<ffffffff80208b30>] __handle_mm_fault+0x379/0xf46
 RSP <ffff8800ce7b9de8>
 <0>Kernel panic - not syncing: Fatal exception
Comment 2 Chris Lalancette 2007-08-24 09:33:53 EDT
Created attachment 172412 [details]
Patch to fix this crash

This patch is the same one that is attached to BZ 253583, but I'm going to use
this BZ to track the kernel changes.  While this patch does prevent the crash,
Markus correctly points out that with this patch, an invalid
xc_map_foreign_batch will map pages of zeros, instead of cleanly failing.  What
should really happen is a failure of mapping, instead of the successful
mapping.  Nevertheless, I believe we need this patch, and we should open
another BZ to track the appropriate failure scenario.

Chris Lalancette
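Comment 2 points out that, with the patch, an invalid xc_map_foreign_batch() silently yields zero-filled pages instead of a clean failure. The block below is an added example, not code from this bug or the Xen tree: it shows the caller-side check that the Xen 3.x privcmd MMAPBATCH contract does support, the in-band failure marker (XEN_DOMCTL_PFINFO_XTAB, top nibble 0xF) written into a slot of the mfn array for a page that could not be mapped. The constants are redefined locally so it builds without xenctrl.h, and the mfn array is constructed; it also makes explicit which failure this check cannot catch.

```c
/* Added example: checking the per-slot failure marker of a foreign batch map.
 * Assumption: Xen 3.x convention where IOCTL_PRIVCMD_MMAPBATCH marks a slot
 * it could not map by ORing 0xF into bits 28..31 of that array entry. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t xen_pfn_t;                   /* x86_64 width, as in the report */

#define PFINFO_LTAB_MASK (0xfU << 28)         /* value of XEN_DOMCTL_PFINFO_LTAB_MASK */
#define PFINFO_XTAB      (0xfU << 28)         /* value of XEN_DOMCTL_PFINFO_XTAB */
#define PAGE_SIZE_BYTES  4096

/* 1 if slot i came back marked as "could not be mapped", else 0. */
int batch_entry_failed(const xen_pfn_t *arr, size_t i)
{
    return (arr[i] & PFINFO_LTAB_MASK) == PFINFO_XTAB;
}

/* Number of marked slots; a caller must never touch page i of the mapping
 * while batch_entry_failed(arr, i) holds. */
size_t count_failed_entries(const xen_pfn_t *arr, size_t num)
{
    size_t failed = 0;
    for (size_t i = 0; i < num; i++)
        if (batch_entry_failed(arr, i))
            failed++;
    return failed;
}

/* Guarded accessor: page i of the mapping, or NULL for a marked slot.
 * Caveat from Comment 2: a request the hypervisor accepts but backs with a
 * zero page (the patched behaviour) sets no marker, so it passes this check;
 * only an explicit mapping failure would be caught here. */
const unsigned char *batch_page(const void *map, const xen_pfn_t *arr, size_t i)
{
    if (batch_entry_failed(arr, i))
        return NULL;
    return (const unsigned char *)map + i * PAGE_SIZE_BYTES;
}

/* Constructed post-call array: three requested frames, the middle one marked. */
const xen_pfn_t *sample_array(void)
{
    static const xen_pfn_t arr[3] = { 0x1000, PFINFO_XTAB | 0x2000, 0x3000 };
    return arr;
}

int main(void)
{
    printf("%zu of 3 entries failed\n", count_failed_entries(sample_array(), 3));
    return 0;
}
```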
Comment 4 Don Zickus 2007-08-28 18:37:53 EDT
in 2.6.18-44.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
Comment 6 Stephen Tweedie 2007-09-14 09:00:42 EDT
*** Bug 253479 has been marked as a duplicate of this bug. ***
Comment 8 errata-xmlrpc 2007-11-07 14:56:40 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0959.html
