xen+vimage kernel panic

Marko Zec zec at fer.hr
Sun Aug 19 20:47:41 UTC 2018 

On Sun, 19 Aug 2018 12:50:55 -0600
Nathan Friess <nathan.friess at gmail.com> wrote:

> Hi,
> 
> While testing out the new PVH support in a domU (which is running 
> great!), I discovered a kernel panic related to xen and vimage
> support when trying to add an xn interface into a bridge.
> 
> I'm running r337024 from svn.  Removing vimage (which seems to be
> turned on in 12-CURRENT now) allows using the bridge with no panics.
> As part of attempting to debug this I enabled vimage in my 11.2 domU
> and that also panics in the same code.
> 
> I'm not sure if the problem is a xen issue or a vimage issue so I 
> haven't submitted a PR yet.  The kernel output is listed below.
> 
> It looks like netfront_backend_changed() calls
> netfront_send_fake_arp(), which calls arp_ifinit() on the interface.
> The first line of the call stack with arprequest+0x454 corresponds to
> a call to ARPSTAT_INC(txrequests) at the end of arprequest, which
> expands to VNET_PCPUSTAT_ADD().  I tried to debug further and I got a
> little lost, but that's where I figured out that vimage is involved
> somehow.
> 
> Are there any thoughts on why the xn interface would cause a panic
> there?

The xn driver calls arp_ifinit() without setting the vnet context
first.  Perhaps the attached patch could help (not even compile
tested...)

Marko


> 
> Thanks,
> 
> Nathan
> 
> 
> 
> 
> =======
> 
> Steps to reproduce:
> 
> # ifconfig bridge create
> bridge0
> # ifconfig bridge0 addm xn0
> (panic...)
> 
> 
> ======
> 
> Kernel output:
> 
> xn0: performing interface reset due to feature change
> (... lock reversal)
> xn0: backend features: feature-sg feature-gso-tcp4
> 
> 
> Fatal trap 12: page fault while in kernel mode
> cpuid = 1; apic id = 02
> fault virtual address	= 0x28
> fault code		= supervisor read data, page not present
> instruction pointer	= 0x20:0xffffffff80d15db4
> stack pointer	        = 0x0:0xfffffe0000483840
> frame pointer	        = 0x0:0xfffffe0000483940
> code segment		= base 0x0, limit 0xfffff, type 0x1b
> 			= DPL 0, pres 1, long 1, def32 0, gran 1
> processor eflags	= interrupt enabled, resume, IOPL = 0
> current process		= 14 (xenwatch)
> [ thread pid 14 tid 100033 ]
> Stopped at      arprequest+0x454:       movq    ll+0x7(%rax),%rax
> 
> db> bt  
> Tracing pid 14 tid 100033 td 0xfffff800032f5000
> arprequest() at arprequest+0x454/frame 0xfffffe0000483940
> arp_ifinit() at arp_ifinit+0x58/frame 0xfffffe0000483980
> netfront_backend_changed() at netfront_backend_changed+0x144/frame 
> 0xfffffe0000483a40
> xenwatch_thread() at xenwatch_thread+0x182/frame 0xfffffe0000483a70
> fork_exit() at fork_exit+0x84/frame 0xfffffe0000483ab0
> fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0000483ab0
> 
> ======
> 
> _______________________________________________
> freebsd-xen at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-xen
> To unsubscribe, send any mail to "freebsd-xen-unsubscribe at freebsd.org"

-------------- next part --------------
A non-text attachment was scrubbed...
Name: xn_vnet.diff
Type: text/x-patch
Size: 476 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-xen/attachments/20180819/613a4432/attachment.bin>

More information about the freebsd-xen mailing list