Bug#509733: linux-image-2.6.26-1-xen-686: mmap () fails on MMIO regions
Package: linux-image-2.6.26-1-xen-686
Severity: important
Version: 2.6.26-12
The current versions of Xen-enabled Linux kernels in Debian make
mmap () on MMIO regions fail with EINVAL. The problem is only
apparent to the Xen-enabled kernels (both i386 and amd64.)
I've prepared a Debian Lenny image for Qemu with both Xen and
non-Xen versions of the kernel which allows the problem to be
easily reproduced. I could put it on the Web if necessary.
So far, I've reproduced this problem with the following kernel
packages and versions:
linux-image-2.6.26-1-xen-686 2.6.26-12
linux-image-2.6.26-bpo.1-xen-amd64 2.6.26-11~bpo40+1
linux-image-2.6.26-bpo.1-xen-686 2.6.26-10~bpo40+1
(Along with the respective linux-modules- packages.) And with
the following Xen hypervisor versions:
xen-hypervisor-3.2-1-i386 3.2.1-2
xen-hypervisor-3.2-1-amd64 3.2.0-3~bpo4+2
xen-hypervisor-3.2-1-i386 3.2.0-3~bpo4+2
Note that this problem in particular renders X.Org X server
unusable, since it obviously requires access to the MMIO region
(or regions) of the video adapter to work. Consider, e. g.:
$ tail -n16 /var/log/Xorg.1.log
(II) LoadModule: "int10"
(II) Reloading /usr/lib/xorg/modules/libint10.so
(II) VESA(0): initializing int10
(II) VESA(0): Primary V_BIOS segment is: 0xc000
(II) VESA(0): VESA BIOS detected
(II) VESA(0): VESA VBE Version 3.0
(II) VESA(0): VESA VBE Total Mem: 16384 kB
(II) VESA(0): VESA VBE OEM: ATI ATOMBIOS
(II) VESA(0): VESA VBE OEM Software Rev: 10.54
(II) VESA(0): VESA VBE OEM Vendor: (C) 1988-2005, ATI Technologies Inc.
(II) VESA(0): VESA VBE OEM Product: RV610
(II) VESA(0): VESA VBE OEM Product Rev: 01.00
Fatal server error:
xf86MapVidMem: Could not mmap framebuffer (0xe0000000,0x1000000) (Invalid argument)
$
And then the following appears in the kernel messages buffer:
$ dmesg
...
[76187.443823] CPA: called for zero pte. vaddr = ffff880075ea4000 cpa->vaddr = ffff880075ea4000
[76187.444428] ------------[ cut here ]------------
[76187.444669] WARNING: at arch/x86/mm/pageattr-xen.c:571 __change_page_attr_set_clr+0x84/0xad5()
[76187.444989] Modules linked in: tcp_diag inet_diag it87 hwmon_vid eeprom i2c_dev bridge nfsd auth_rpcgss exportfs ac battery ipv6 nfs lockd nfs_acl sunrpc loop parport_pc parport floppy k8temp pcspkr snd_hda_intel usblp snd_pcm snd_timer snd soundcore snd_page_alloc button i2c_nforce2 i2c_core evdev ext3 jbd mbcache dm_mirror dm_log dm_snapshot dm_mod ide_generic ide_disk ide_cd_mod cdrom usb_storage sd_mod usbhid hid ff_memless amd74xx ide_core ata_generic ahci libata scsi_mod dock r8169 ehci_hcd via_rhine mii ohci_hcd thermal processor fan thermal_sys
[76187.455489] Pid: 28950, comm: Xorg Tainted: G W 2.6.26-bpo.1-xen-amd64 #1
[76187.455776]
[76187.455836] Call Trace:
[76187.456146] [<ffffffff8022cda7>] warn_on_slowpath+0x51/0x7b
[76187.456621] [<ffffffff8022d8cd>] printk+0x4e/0x56
[76187.457790] [<ffffffff8029bc57>] __d_lookup+0xb7/0x131
[76187.458239] [<ffffffff8021962f>] __change_page_attr_set_clr+0x84/0xad5
[76187.458672] [<ffffffff8021a95c>] phys_mem_access_prot_allowed+0xdb/0x247
[76187.459021] [<ffffffff8023db4e>] search_exception_tables+0x1d/0x2f
[76187.459401] [<ffffffff80218fdb>] fixup_exception+0x10/0x29
[76187.460250] [<ffffffff8021a142>] change_page_attr_set_clr+0xc2/0x1d6
[76187.461099] [<ffffffff8021a9af>] phys_mem_access_prot_allowed+0x12e/0x247
[76187.461988] [<ffffffff80386320>] xen_mmap_mem+0x2f/0x6b
[76187.462376] [<ffffffff8027a1ba>] mmap_region+0x218/0x425
[76187.463344] [<ffffffff8027a9e4>] do_mmap_pgoff+0x2e8/0x34d
[76187.464036] [<ffffffff8020fb39>] sys_mmap+0x8b/0x110
[76187.464548] [<ffffffff8020b714>] tracesys+0xab/0xb0
[76187.465192]
[76187.465309] ---[ end trace 19b4f9892ac648e5 ]---
[76187.465766] Xorg:28950 /dev/mem ioremap_change_attr failed write-back for e0000000-e1000000
...
$
The problem could easily be traced down to the failing mmap ()
call, e. g.:
$ lspci -v | grep -A 7 -F VGA
04:00.0 VGA compatible controller: ATI Technologies Inc Unknown device 94c3 (prog-if 00 [VGA])
Subsystem: PC Partner Limited Unknown device e400
Flags: bus master, fast devsel, latency 0, IRQ 5
Memory at e0000000 (64-bit, prefetchable) [size=256M]
Memory at f3000000 (64-bit, non-prefetchable) [size=64K]
I/O ports at b000 [size=256]
[virtual] Expansion ROM at f2000000 [disabled] [size=128K]
Capabilities: <access denied>
$ cat mmap-mem.c
/*** mmap-mem.c --- mmap () on /dev/mem -*- C -*- */
/*** Code: */
#include <fcntl.h> /* for O_RDWR */
#include <stdio.h>
#include <sys/mman.h>
#define DEVMEM "/dev/mem"
int
main (int argc, char *argv[])
{
long s, l;
int fd;
void *map;
/* parse command line */
{
char *t;
if (argc != 2 + 1
|| (s = strtol (argv[1], &t, 0), t == argv[1] || *t != '\0')
|| (l = strtol (argv[2], &t, 0), t == argv[2] || *t != '\0')) {
fputs ("Usage: mmap-mem START LENGTH\n", stderr);
/* . */
return 1;
}
}
/* try to open /dev/mem */
if ((fd = open (DEVMEM, O_RDWR)) < 0) {
perror ("Failed to open () " DEVMEM);
/* . */
return 1;
}
/* invoke mmap () */
if ((map = mmap (0, (size_t)l, PROT_READ | PROT_WRITE, MAP_SHARED,
fd, (off_t)s)) == (void *)-1) {
perror ("Failed to mmap () " DEVMEM);
/* . */
return 1;
}
/* . */
return 0;
}
/*** mmap-mem.c ends here */
$ make mmap-mem
cc mmap-mem.c -o mmap-mem
$
# .../mmap-mem 0xe0000000 4096
Failed to mmap () /dev/mem: Invalid argument
#
The above produces the following in the kernel messages buffer:
$ dmesg
...
[65309.880818] CPA: called for zero pte. vaddr = ffff88003a9e4000 cpa->vaddr = ffff88003a9e4000
[65309.880818] ------------[ cut here ]------------
[65309.880818] WARNING: at arch/x86/mm/pageattr-xen.c:571 __change_page_attr_set_clr+0x84/0xad5()
[65309.880818] Modules linked in: xt_tcpudp xt_physdev iptable_filter ip_tables x_tables it87 hwmon_vid eeprom bridge nfsd auth_rpcgss exportfs ac battery ipv6 nfs lockd nfs_acl sunrpc loop parport_pc parport floppy pcspkr k8temp snd_hda_intel snd_pcm snd_timer snd soundcore snd_page_alloc usblp button i2c_nforce2 i2c_core evdev ext3 jbd mbcache dm_mirror dm_log dm_snapshot dm_mod ide_generic ide_disk ide_cd_mod cdrom usbhid hid ff_memless sd_mod usb_storage amd74xx ide_core ata_generic ahci libata scsi_mod dock r8169 via_rhine mii ohci_hcd ehci_hcd thermal processor fan thermal_sys
[65309.880818] Pid: 12110, comm: mmap-mem Tainted: G W 2.6.26-bpo.1-xen-amd64 #1
[65309.880818]
[65309.880818] Call Trace:
[65309.880818] [<ffffffff8022cda7>] warn_on_slowpath+0x51/0x7b
[65309.880818] [<ffffffff8022d8c9>] printk+0x4e/0x56
[65309.880818] [<ffffffffa0160bb4>] :jbd:journal_dirty_metadata+0xd5/0x106
[65309.880818] [<ffffffff80223a8d>] __wake_up+0x38/0x4f
[65309.880818] [<ffffffff8029bc53>] __d_lookup+0xb7/0x131
[65309.880818] [<ffffffff8021962f>] __change_page_attr_set_clr+0x84/0xad5
[65309.880818] [<ffffffff802920e0>] do_lookup+0x63/0x1c1
[65309.880818] [<ffffffff8029b24c>] dput+0x21/0x13e
[65309.880818] [<ffffffff802947fa>] __link_path_walk+0xcd5/0xe13
[65309.880818] [<ffffffff8021a142>] change_page_attr_set_clr+0xc2/0x1d6
[65309.880818] [<ffffffff80264d8b>] find_lock_page+0x1f/0xc3
[65309.880818] [<ffffffff8021a9af>] phys_mem_access_prot_allowed+0x12e/0x247
[65309.880818] [<ffffffff80386328>] xen_mmap_mem+0x2f/0x6b
[65309.880818] [<ffffffff8027a1b6>] mmap_region+0x218/0x425
[65309.880818] [<ffffffff8027a9e0>] do_mmap_pgoff+0x2e8/0x34d
[65309.880818] [<ffffffff8020fb39>] sys_mmap+0x8b/0x110
[65309.880818] [<ffffffff8020b528>] system_call+0x68/0x6d
[65309.880818] [<ffffffff8020b4c0>] system_call+0x0/0x6d
[65309.880818]
[65309.880818] ---[ end trace 70cf43b2f5bb038e ]---
[65309.880818] mmap-mem:12110 /dev/mem ioremap_change_attr failed write-back for ffffffffe0000000-ffffffffe0001000
...
$
Note, however, that mapping either ``real'' RAM or ROM regions
doesn't fail:
# .../mmap-mem 0x000f0000 4096
#
Reply to: