On 04.12.2023 10:23, Jan Beulich wrote:
> On 01.12.2023 21:13, René Winther Højgaard wrote:
>> When I move a domain from pool0 with credit2 to any pool with credit(1) I
>> get the following crash.
>>
>>
>> Software: Xen-4.17.3 / Qubes OS 4.2.0-RC5
>> Firmware: Dasharo 0.9.0 - Z790P
>> Hardware: 13900K
>> (XEN) Xen BUG at common/sched/credit.c:1051(XEN) ----[ Xen-4.17.3-pre
>> x86_64 debug=y Not tainted ]----
>> (XEN) CPU: 2
>> (XEN) RIP: e008:[<ffff82d040237cfd>] credit.c#csched_free_udata+0x12/0x14
>> (XEN) RFLAGS: 0000000000010202 CONTEXT: hypervisor (d0v2)
>> (XEN) rax: ffff82d040237ceb rbx: 0000000000000014 rcx: 0000000000000013
>> (XEN) rdx: ffff831087d7ffff rsi: ffff830ad80e8da0 rdi: ffff830ad80e8da0
>> (XEN) rbp: 0000000000000000 rsp: ffff831087d7fc90 r8: ffff830e2d6a49b0
>> (XEN) r9: ffff831087d7fbe0 r10: ffff83107c481068 r11: 0000002cfd1c274a
>> (XEN) r12: ffff830ad80e8c80 r13: ffff83107c45bee0 r14: 0000000000000000
>> (XEN) r15: ffff82d0405a9288 cr0: 0000000080050033 cr4: 0000000000b526e0
>> (XEN) cr3: 00000009284d8000 cr2: 00007fb535181240
>> (XEN) fsb: 00007fb534c5f380 gsb: ffff8881b9d00000 gss: 0000000000000000
>> (XEN) ds: 0000 es: 0000 fs: 0000 gs: 0000 ss: e010 cs: e008
>> (XEN) Xen code around <ffff82d040237cfd>
>> (credit.c#csched_free_udata+0x12/0x14):
>> (XEN) 75 06 e8 19 74 ff ff c3 <0f> 0b f3 0f 1e fa 53 48 8b 5f 18 48 85 db
>> 74 2b
>> (XEN) Xen stack trace from rsp=ffff831087d7fc90:
>> (XEN) ffff82d040247503 0000001300002030 ffff830ad80e8bf0 ffff82d0405a9288
>> (XEN) ffff83107f59aa80 ffff830ad80e8c80 ffff83107c45bee0 ffff830ad80e8bf0
>> (XEN) ffff831000af1010 ffff83107c45bee0 ffff830ad80ed000 ffff83107c45bee0
>> (XEN) 0000000000000000 ffff82d04045d5d8 ffff82d0405ae680 ffff82d040235303
>> (XEN) ffff831087d7fe20 00000000fffffffe ffff82d040236ec3 ffff830ad80ed000
>> (XEN) 0000000000000000 00007fb535230010 ffff831087d7ffff 0000000000000000
>> (XEN) ffff82d04045d5d8 ffff82d040234763 00000000c0000102 0000000000000000
>> (XEN) 0000000000000000 00000000c0000102 0000000d00000000 ffffffff8101ede6
>> (XEN) 000000000000e033 0000000000011082 ffffc90046ebba90 000000000000e02b
>> (XEN) 5a33a1a65352beef feadf9effdf1beef 122ae2fa736bbeef 46023e9af174beef
>> (XEN) ffff82d040227cc6 ffff831087d7fe48 0000000000000000 0000000000011082
>> (XEN) 0000000000000000 ffff831087d7ffff 0000000000000000 ffffffff8101ede4
>> (XEN) ffff82d0403495d0 0000001500000012 0000000100000006 0000000d00000000
>> (XEN) 00007ffdf93fb3fc 0000000000431042 000000000043d990 000000000043d9b0
>> (XEN) 00007fb534eb8434 00007ffdf93fb400 0000000000000013 0000000002361838
>> (XEN) 04457fe81f7cf300 0000000002360870 ffffffffffffff80 0000000000000000
>> (XEN) 00007ffdf93fc652 000000000043d980 ffff831087d7fef8 0000000000000023
>> (XEN) ffff83107f544000 0000000000000000 0000000000000000 0000000000000000
>> (XEN) ffff82d0402dd07f ffff83107f544000 0000000000000000 0000000000000000
>> (XEN) ffff82d0402012b7 0000000000000000 ffff88811abbc100 00007ffdf93fb2c0
>> (XEN) Xen call trace:
>> (XEN) [<ffff82d040237cfd>] R credit.c#csched_free_udata+0x12/0x14
>> (XEN) [<ffff82d040247503>] S sched_move_domain+0x5b0/0x5cc
>
> Hmm, looks like sched_move_domain()'s calling of sched_free_udata() uses the
> new pool's scheduler, not that of the original pool. I'm puzzled though that
> there's no sign at all in the function of it caring about what the original
> pool was. IOW I'm not sure that the simple and obvious change to latch the
> original pool into a local and then use it on the "out_free" path is going
> to be enough. Jürgen (sorry, again you)?
Hmm, should have added "in the error case". Seeing there is old_ops, perhaps
simply
--- a/xen/common/sched/core.c
+++ b/xen/common/sched/core.c
@@ -810,7 +810,7 @@
for ( unit = old_units; unit; )
{
if ( unit->priv )
- sched_free_udata(c->sched, unit->priv);
+ sched_free_udata(ret ? c->sched : old_ops, unit->priv);
old_unit = unit;
unit = unit->next_in_list;
xfree(old_unit);
(not even compile tested)?
Jan
