This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


[Xen-devel] Xen crash in poll_timer_fn

To: Keir Fraser <keir.fraser@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-devel] Xen crash in poll_timer_fn
From: "Cui, Dexuan" <dexuan.cui@xxxxxxxxx>
Date: Thu, 24 Dec 2009 19:31:34 +0800
Hi, I occasionally meet with a Xen crash when the PV guest shuts down.
BTW, I'm using Xen c/s 20702.
Per the log, the reason is: v->domain->poll_mask is NULL in poll_timer_fn().

The poll_mask is freed and set to NULL in domain_kill() -> evtchn_destroy(), 
but the poll_timer may keep active until complete_domain_destroy() -> 
sched_destroy_vcpu() -> kill_timer(). Between them, the timer may be fired and 
poll_timer_fn() would access the NULL pointer and cause the crash.

Maybe here we should move kill_timer() a little earlier, or free the poll_mask 
a little later?

-- Dexuan

(XEN) ----[ Xen-4.0.0-rc1-pre  x86_64  debug=y  Not tainted ]----
(XEN) CPU:    2
(XEN) RIP:    e008:[<ffff82c48011d8e4>] poll_timer_fn+0x11/0x22
(XEN) RFLAGS: 0000000000010246   CONTEXT: hypervisor
(XEN) rax: 0000000000000000   rbx: ffff82c48026f100   rcx: 0000000000000001
(XEN) rdx: 0000000000000000   rsi: ffff83004a218090   rdi: ffff83004a218000
(XEN) rbp: ffff83007d0bfe40   rsp: ffff83007d0bfe40   r8:  0000000000000001
(XEN) r9:  0000000000000001   r10: 0000ffff0000ffff   r11: 00ff00ff00ff00ff
(XEN) r12: ffff83004a218000   r13: ffff82c48011d8d3   r14: ffff83007d3e7b08
(XEN) r15: ffff83007d3e7b00   cr0: 000000008005003b   cr4: 00000000000026f0
(XEN) cr3: 0000000068f91000   cr2: 0000000000000000
(XEN) ds: 0000   es: 0000   fs: 0000   gs: 0000   ss: e010   cs: e008
(XEN) Xen stack trace from rsp=ffff83007d0bfe40:
(XEN)    ffff83007d0bfe70 ffff82c4801203ea 0000000000000002 ffff83007d3e7528
(XEN)    ffff82c48026f100 00008f3e7bff5dfd ffff83007d0bfed0 ffff82c4801205c6
(XEN)    ffff83007d0bff28 ffff83007d3e7b00 0000ffff0000ffff ffff82c48026f100
(XEN)    0000000000000001 0000000000000002 ffff83007d0bff28 ffff82c48030c680
(XEN)    0000000000000002 ffff82c48026f080 ffff83007d0bff00 ffff82c48011e400
(XEN)    000000000000e008 ffff83007d0bff28 ffff82c48026ba00 ffff83007a6da000
(XEN)    ffff83007d0bff20 ffff82c48014b6cb 0000000000000002 ffff83007d3c0000
(XEN)    ffff83007d0bfdb8 0000000000000000 0000000000000000 0000000000000000
(XEN)    0000000000000000 ffffffff80753f48 0000000000000000 0000000000000246
(XEN)    ffffffff807c37d8 00000000000000b7 0000000100efdcba 0000000000000000
(XEN)    ffffffff802053aa 0000000000000000 00000000deadbeef 00000000deadbeef
(XEN)    0000010000000000 ffffffff802053aa 000000000000e033 0000000000000246
(XEN)    ffffffff80753f10 000000000000e02b 555555555555beef 555555555555beef
(XEN)    555555555555beef 555555555555beef 5555555500000002 ffff83007d3c0000
(XEN) Xen call trace:
(XEN)    [<ffff82c48011d8e4>] poll_timer_fn+0x11/0x22
(XEN)    [<ffff82c4801203ea>] execute_timer+0x2e/0x4c
(XEN)    [<ffff82c4801205c6>] timer_softirq_action+0x1be/0x377
(XEN)    [<ffff82c48011e400>] do_softirq+0x6a/0x77
(XEN)    [<ffff82c48014b6cb>] idle_loop+0x7a/0x81
(XEN) Pagetable walk from 0000000000000000:
(XEN)  L4[0x000] = 000000006a45c067 00000000000107a3
(XEN)  L3[0x000] = 000000006a4ef067 0000000000010710
(XEN)  L2[0x000] = 0000000000000000 ffffffffffffffff
(XEN) ****************************************
(XEN) Panic on CPU 2:
(XEN) [error_code=0002]
(XEN) Faulting linear address: 0000000000000000
(XEN) **************************************** 
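The teardown ordering described in the mail above, modelled as an added example (this is hypothetical illustration code, not Xen's own code and not from the original post; the struct and function names only mirror the ones mentioned in the mail, and the timers are driven by hand so the race window can be exercised deterministically). It reproduces the reported order (evtchn_destroy() frees poll_mask, the still-live poll_timer fires, kill_timer() runs too late) and then both orderings the mail proposes: killing the timer earlier, and freeing the mask later.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void (*timer_fn_t)(void *data);

struct timer {
    bool active;             /* kill_timer() clears this */
    timer_fn_t fn;
    void *data;
};

struct domain {
    unsigned long *poll_mask;   /* freed and set to NULL by evtchn_destroy() */
};

struct vcpu {
    struct domain *domain;
    unsigned int vcpu_id;
    struct timer poll_timer;
    bool unblocked;             /* stands in for vcpu_unblock() */
};

/* Times the callback found poll_mask == NULL. In the hypervisor that
 * dereference is the page fault at linear address 0 in the trace. */
static int null_poll_mask_accesses;

static bool test_and_clear_bit(unsigned int nr, unsigned long *addr)
{
    unsigned long *word = addr + nr / (8 * sizeof(unsigned long));
    unsigned long bit = 1UL << (nr % (8 * sizeof(unsigned long)));
    bool was_set = (*word & bit) != 0;
    *word &= ~bit;
    return was_set;
}

static void poll_timer_fn(void *data)
{
    struct vcpu *v = data;
    if (v->domain->poll_mask == NULL) {      /* assumption: modelled fault */
        null_poll_mask_accesses++;
        return;
    }
    if (test_and_clear_bit(v->vcpu_id, v->domain->poll_mask))
        v->unblocked = true;
}

static void kill_timer(struct timer *t) { t->active = false; t->fn = NULL; }

/* What the timer softirq does once the deadline passes. Firing a killed
 * timer is a no-op, which is what makes "kill it earlier" a valid fix. */
static void fire_timer(struct timer *t)
{
    if (t->active && t->fn)
        t->fn(t->data);
}

static void evtchn_destroy(struct domain *d)
{
    free(d->poll_mask);
    d->poll_mask = NULL;
}

static void sched_destroy_vcpu(struct vcpu *v) { kill_timer(&v->poll_timer); }

/* Constructed state: one domain, one polling vCPU with a live poll_timer. */
static void setup(struct domain *d, struct vcpu *v)
{
    memset(d, 0, sizeof(*d));
    memset(v, 0, sizeof(*v));
    d->poll_mask = calloc(1, sizeof(unsigned long));
    v->domain = d;
    v->vcpu_id = 0;
    v->poll_timer = (struct timer){ .active = true, .fn = poll_timer_fn, .data = v };
    *d->poll_mask |= 1UL << v->vcpu_id;    /* vCPU 0 is polling */
    null_poll_mask_accesses = 0;
}

/* Order from the report: domain_kill() -> evtchn_destroy() frees the mask,
 * the timer fires, complete_domain_destroy() kills it only afterwards.
 * Returns the number of NULL poll_mask accesses (1 reproduces the crash). */
int teardown_as_reported(void)
{
    struct domain d; struct vcpu v;
    setup(&d, &v);
    evtchn_destroy(&d);            /* poll_mask gone ...               */
    fire_timer(&v.poll_timer);     /* ... but the timer is still live  */
    sched_destroy_vcpu(&v);
    return null_poll_mask_accesses;
}

/* Option 1 from the mail: kill the timer before the mask is freed. */
int teardown_kill_timer_first(void)
{
    struct domain d; struct vcpu v;
    setup(&d, &v);
    sched_destroy_vcpu(&v);        /* inactive from here on */
    evtchn_destroy(&d);
    fire_timer(&v.poll_timer);     /* stale deadline: no-op */
    return null_poll_mask_accesses;
}

/* Option 2 from the mail: keep poll_mask alive until the timer is dead. */
int teardown_free_mask_later(void)
{
    struct domain d; struct vcpu v;
    setup(&d, &v);
    fire_timer(&v.poll_timer);     /* a late wakeup is still legal here */
    sched_destroy_vcpu(&v);
    evtchn_destroy(&d);
    return null_poll_mask_accesses;
}

/* Sanity check that the normal (non-teardown) path still wakes the vCPU. */
bool poll_wakeup_works(void)
{
    struct domain d; struct vcpu v;
    setup(&d, &v);
    fire_timer(&v.poll_timer);
    bool ok = v.unblocked && *d.poll_mask == 0;
    sched_destroy_vcpu(&v);
    evtchn_destroy(&d);
    return ok;
}

int main(void)
{
    printf("reported order: %d NULL access(es)\n", teardown_as_reported());
    printf("kill_timer first: %d\n", teardown_kill_timer_first());
    printf("free mask later: %d\n", teardown_free_mask_later());
    return poll_wakeup_works() ? 0 : 1;
}
```

The model only shows why either reordering closes the window; it says nothing about which one Xen adopted, and in the real hypervisor the timer can run on another CPU, so the fix must also guarantee kill_timer() has returned before the memory is released rather than merely being issued earlier in program order.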
