Hi folks,

I have written an extremely simple reproducer. Xen 4.5.1. Linux 4.1.3.
Config attached. Reproducer attached. Makefile attached.

It results in the COMPLETE lockup of the system when it receives a
network packet over the Xen PV network interface.

The lockup is 100% reliable. As described in the messages above, the
guest ends up spinning in
"while (native_apic_mem_read(APIC_ICR) & APIC_ICR_BUSY)", a busy loop
that never exits.

It is triggered by a simple printk in softirq.

Thanks,
Jason

Attachment: Makefile
Description: Binary data

#include <linux/init.h>
#include <linux/module.h>
#include <linux/net.h>
#include <linux/if.h>
#include <net/udp_tunnel.h>

/*
 * Kernel UDP socket owned by this module; written by mod_init() and
 * released by mod_exit(). File-scope statics are zero-initialised, so this
 * starts out NULL until udp_sock_create4() fills it in.
 */
static struct socket *s;

/*
 * receive - encap_rcv callback installed on the tunnel socket by mod_init().
 * @sk:  socket the datagram arrived on (unused here)
 * @skb: the received packet; freed by this function
 *
 * Logs one rate-limited message and drops the packet. The accompanying
 * report attributes the guest lockup to this printk being issued from
 * softirq context, so the statement is kept exactly as posted.
 *
 * Always returns 0 (presumably "packet consumed" for the UDP encap
 * path -- confirm against the udp_tunnel API of the kernel in use).
 */
static int receive(struct sock *sk, struct sk_buff *skb)
{
	/* The trigger: a printk-family call made from the receive path. */
	net_info_ratelimited("The printing of this message will crash a Xen PV guest.\n");
	/* The callback took the skb and nothing else uses it, so free it here. */
	dev_kfree_skb(skb);
	return 0;
}

/*
 * mod_init - create the UDP listener and hook receive() into it.
 *
 * Opens an IPv4 kernel UDP socket in init_net bound to INADDR_ANY:32812
 * with UDP checksums enabled, then marks it as an encapsulation socket
 * whose encap_rcv handler is receive().
 *
 * Because the bind address is INADDR_ANY, any host that can reach this
 * guest on UDP port 32812 can invoke receive(); per the accompanying
 * report that is enough to hang a Xen PV guest, so this module belongs
 * only on a disposable test guest on an isolated network.
 *
 * Returns 0 on success, or the error from udp_sock_create4().
 */
static int __init mod_init(void)
{
	struct udp_tunnel_sock_cfg tunnel_cfg = {
		.encap_rcv = receive,
		/* NOTE(review): bare 1 as posted; which UDP_ENCAP_* value was meant is not stated. */
		.encap_type = 1
	};
	struct udp_port_cfg port_cfg = {
		.use_udp_checksums = 1,
		.local_udp_port = htons(32812),
		.local_ip = { htonl(INADDR_ANY) },
		.family = AF_INET
	};
	int err = udp_sock_create4(&init_net, &port_cfg, &s);

	/* Socket creation failed: nothing to hook up, propagate the error. */
	if (err != 0)
		return err;

	setup_udp_tunnel_sock(&init_net, s, &tunnel_cfg);
	return 0;
}

/*
 * mod_exit - tear down the listener created by mod_init().
 *
 * Releases the tunnel socket if one was stored in s; a NULL s means
 * there is nothing to release.
 */
static void __exit mod_exit(void)
{
	if (s == NULL)
		return;

	udp_tunnel_sock_release(s);
}

/* Register the load/unload entry points defined above. */
module_init(mod_init);
module_exit(mod_exit);
/* Module metadata; the description doubles as the usage hint for the reproducer. */
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Send a UDP packet to port 32812");
MODULE_AUTHOR("Jason A. Donenfeld <ja...@zx2c4.com>");

Attachment: 4.1.3-domU-config
Description: Binary data
