Resetting or reading coverage counters crashes xen
Description:
Coverage hypercalls crash xen:
(XEN) ----[ Xen-4.18-unstable x86_64 debug=y gcov=y Not tainted ]----
(XEN) CPU: 1
(XEN) RIP: e008:[<ffff82d0402568b2>] gcov_info_reset+0x83/0xa5
(XEN) RFLAGS: 0000000000010202 CONTEXT: hypervisor (d0v0)
(XEN) rax: 0000000000000000 rbx: ffff82d0405f7c60 rcx: 0000000000000000
(XEN) rdx: ffff82d04054ea00 rsi: 0000000000000000 rdi: ffff82d0405f7c60
(XEN) rbp: ffff83003f97fcc8 rsp: ffff83003f97fca0 r8: ffff82d04073eee0
(XEN) r9: 0000000000000000 r10: ffff83003f9bfc50 r11: 0000000000000000
(XEN) r12: 0000000000000000 r13: ffff82d0405f7cc0 r14: 0000000000000000
(XEN) r15: ffff82d0405f7c60 cr0: 0000000080050033 cr4: 0000000000362660
(XEN) cr3: 000000003eaeb000 cr2: ffff82d04054ea00
(XEN) fsb: 0000000000000000 gsb: 0000000000000000 gss: 0000000000000000
(XEN) ds: e02b es: e02b fs: e02b gs: e02b ss: e010 cs: e008
(XEN) Xen code around <ffff82d0402568b2> (gcov_info_reset+0x83/0xa5):
(XEN) 1d 44 89 f0 49 8b 57 68 <4c> 8b 24 c2 49 83 c4 18 48 83 05 c6 bd 4d 00 01
(XEN) Xen stack trace from rsp=ffff83003f97fca0:
(XEN) ffff82d0405f7c60 0000000000000000 0000000000000001 ffff82d0405735d8
(XEN) ffff82d040723100 ffff83003f97fce0 ffff82d040256766 ffff83003f97fdc8
(XEN) ffff83003f97fd00 ffff82d040256261 ffff83003f97ffff ffff83003f97ffff
(XEN) ffff83003f97fe70 ffff82d040254a9d ffff83003f97fd28 ffff82d040242189
(XEN) 0000000000000002 ffff83003f97fd40 0000000000000046 0000000000000000
(XEN) 000000000010df58 ffff82d04028255c 0101000000000046 0000000000000046
(XEN) ffff82d040573638 ffff83003f97fdc8 ffff82d040457e40 ffff83003f97fd90
(XEN) ffff82d040242189 0000000000000013 ffff83003f97fda0 ffff82d040242206
(XEN) ffff83003f97fe70 ffff82d04027dc1a ffff820040000860 0000000000000013
(XEN) 0000001500000014 0000000000000002 0000000000000000 0000000000000000
(XEN) 0000000000000000 0000000000000000 0000000000000000 0000000000000000
(XEN) 0000000000000000 0000000000000000 0000000000000000 0000000000000000
(XEN) 0000000000000000 0000000000000000 0000000000000000 0000000000000000
(XEN) 0000000000000000 ffff83003f97fef8 0000000000000023 ffff83003f92e000
(XEN) deadbeefdeadf00d 000000000010df58 ffff83003f97fee8 ffff82d04038cd89
(XEN) 0000000000000015 00000000ffffffff deadbeefdeadf00d 0000000000000000
(XEN) ffff83003f97ffff 0000000000000000 ffff83003f97fee8 ffff82d0403f0686
(XEN) ffff83003f92e000 0000000000000000 0000000000000000 0000000000000000
(XEN) 0000000000000000 00007cffc06800e7 ffff82d0402012bd 0000000000000000
(XEN) 0000000000000000 0000000000000000 0000000000000000 0000000000000000
(XEN) Xen call trace:
(XEN) [<ffff82d0402568b2>] R gcov_info_reset+0x83/0xa5
(XEN) [<ffff82d040256766>] F common/coverage/gcov.c#gcov_reset_all_counters+0x28/0x4e
(XEN) [<ffff82d040256261>] F sysctl_cov_op+0x9b/0xad
(XEN) [<ffff82d040254a9d>] F do_sysctl+0x582/0x1c8e
(XEN) [<ffff82d04038cd89>] F pv_hypercall+0x860/0x91f
(XEN) [<ffff82d0402012bd>] F lstar_enter+0x13d/0x150
(XEN)
(XEN) Pagetable walk from ffff82d04054ea00:
(XEN) L4[0x105] = 000000003fd70063 ffffffffffffffff
(XEN) L3[0x141] = 000000003fd6d063 ffffffffffffffff
(XEN) L2[0x002] = 000000003ffff063 ffffffffffffffff
(XEN) L1[0x14e] = 0000000000000000 ffffffffffffffff
(XEN)
(XEN) ****************************************
(XEN) Panic on CPU 1:
(XEN) FATAL PAGE FAULT
(XEN) [error_code=0000]
(XEN) Faulting linear address: ffff82d04054ea00
(XEN) ****************************************
(XEN)
This is due to some of the coverage information being in the .init code or data sections, which are freed in init_done.
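The following is an added example, not Xen's own code and not the project's fix: it models the failure mode described above with hypothetical names. A list of coverage descriptors is walked on read/reset, and one descriptor lives in a constructed "init" arena that is released at an init_done-like point, just as the .init sections are. The unhardened path (prune_init = 0) leaves a dangling descriptor in the list, which the walker detects instead of dereferencing; the hardened path unlinks any descriptor inside the init range before the arena is freed, so later walks only touch persistent memory. The range bounds, the struct layout and the registration order are all assumptions for illustration.

```c
/* Added example (hypothetical names, not Xen's gcov_info code): why walking
 * coverage descriptors after the init region is freed faults, and one way
 * to harden against it. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define N_COUNTERS 4

/* Hypothetical per-object coverage descriptor: a name, counters, next link. */
struct cov_info {
    const char *name;
    uint64_t counters[N_COUNTERS];
    struct cov_info *next;
};

static struct cov_info *cov_list;                    /* head of descriptor list */
static uintptr_t init_begin, init_end;               /* bounds of the init arena */
static void *init_arena;                             /* constructed stand-in for .init */
static int init_freed;

/* True if addr lies inside the (possibly already freed) init range. Compared
 * as integers so a stale pointer is never dereferenced or even "used". */
static int in_init_range(const void *addr)
{
    uintptr_t p = (uintptr_t)addr;
    return p >= init_begin && p < init_end;
}

/* Constructor-time style registration, prepending to the list. */
static void cov_register(struct cov_info *info)
{
    info->next = cov_list;
    cov_list = info;
}

/* Two descriptors in persistent storage, one in the init arena. */
static struct cov_info persistent_a = { .name = "sched.c" };
static struct cov_info persistent_b = { .name = "grant_table.c" };

void cov_setup(void)
{
    struct cov_info *init_only;

    cov_list = NULL;
    init_freed = 0;
    init_arena = calloc(1, sizeof(struct cov_info));
    init_begin = (uintptr_t)init_arena;
    init_end = init_begin + sizeof(struct cov_info);
    init_only = init_arena;
    init_only->name = "setup.c (init-only)";

    for (int k = 0; k < N_COUNTERS; k++) {           /* constructed counter values */
        persistent_a.counters[k] = 10 + k;
        persistent_b.counters[k] = 20 + k;
        init_only->counters[k] = 30 + k;
    }
    cov_register(&persistent_a);
    cov_register(init_only);
    cov_register(&persistent_b);
}

/* init_done-like step. With prune_init set, descriptors inside the init
 * range are unlinked before the arena is released. Returns how many were
 * dropped; the bounds are kept so later walks can still recognise the range. */
int cov_init_done(int prune_init)
{
    int dropped = 0;

    if (prune_init) {
        struct cov_info **pp = &cov_list;
        while (*pp) {
            if (in_init_range(*pp)) {
                *pp = (*pp)->next;                   /* still mapped here: safe */
                dropped++;
            } else {
                pp = &(*pp)->next;
            }
        }
    }
    free(init_arena);
    init_arena = NULL;
    init_freed = 1;
    return dropped;
}

/* Reset every counter, as a "reset all counters" hypercall path would.
 * Returns the number of descriptors touched, or -1 when the walk reaches a
 * descriptor in freed init memory (the condition behind the page fault). */
int cov_reset_all(void)
{
    int touched = 0;

    for (struct cov_info *i = cov_list; i; i = i->next) {
        if (init_freed && in_init_range(i))
            return -1;
        memset(i->counters, 0, sizeof(i->counters));
        touched++;
    }
    return touched;
}

/* Sum all counters (a "read" path); same guard against freed descriptors. */
int64_t cov_sum_all(void)
{
    int64_t sum = 0;

    for (struct cov_info *i = cov_list; i; i = i->next) {
        if (init_freed && in_init_range(i))
            return -1;
        for (int k = 0; k < N_COUNTERS; k++)
            sum += (int64_t)i->counters[k];
    }
    return sum;
}
```

The check in cov_reset_all is there to make the hazard visible in a test; real code has no such guard, which is why the hypervisor walks straight into the unmapped page. The durable fix is to make sure nothing reachable from the live descriptor list points into memory that init_done releases.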
Reproduction instructions
Build xen with CONFIG_COVERAGE=y. Run it and in dom0 execute xencov read or xencov reset.
Edited by Javi Merino