Bug 525290

Summary: f12 rawhide kernel crashes as Xen PV domU on RHEL5 Xen hypervisor
Product: [Fedora] Fedora Reporter: Pasi Karkkainen <pasik>
Component: kernelAssignee: Justin M. Forbes <jforbes>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: low    
Version: rawhideCC: dougsland, drjones, gansalmon, itamar, jeremy, jforbes, kernel-maint, pbonzini
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 525406 (view as bug list) Environment:
Last Closed: 2009-09-25 15:25:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 524052    
Bug Blocks: 525406    

Description Pasi Karkkainen 2009-09-23 19:57:54 UTC 
Description of problem:
f12 rawhide kernel (2.6.31-33.fc12.x86_64) crashes when started on RHEL 5.4 Xen hypervisor as PV domU.

dom0 is RHEL 5.4 x86_64.

Version-Release number of selected component (if applicable):
kernel-2.6.31-33.fc12.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL 5.4 dom0
2. try to install f12/rawhide using virt-install
3. or manually try to boot the latest rawhide kernel as PV domU
  
Actual results:
kernel crashes. "xm log" says "WARNING (XendDomainInfo:965) Domain has crashed: name=debug id=1"

Expected results:
kernel boots and works normally.

Additional info:

# /usr/lib64/xen/bin/xenctx -s System.map-2.6.31-33.fc12.x86_64 1
rip: ffffffff819f8d3f xen_load_gdt_boot+0xab
rsp: ffffffff81743f08
rax: ffffffea   rbx: ffffffff81822000   rcx: 0021f527   rdx: 00000000
rsi: 800000021f527061   rdi: ffffffff81822000   rbp: ffffffff81743fa8
 r8: 00000000    r9: 00000000   r10: 00000000   r11: 00000000
r12: ffffffff81743fb8   r13: ffffffff81743f50   r14: 00000080   r15: 00000000
 cs: 0000e033    ds: 00000000    fs: 00000000    gs: 00000000

Stack:
 000000000021f527 0000000000000000 ffffffff819f8d3f 000000010000e030
 0000000000010082 ffffffff81743f48 000000000000e02b ffffffff819f8d3b
 0000000000000000 0000000000000000 0000000000000000 0000000000000000
 0000000000001822 0000008000000000 ffffffff8100cb0e 0000000000000000

Code:
20 c3 78 81 31 d2 48 89 c6 48 89 df e8 85 04 61 ff 85 c0 74 04 <0f> 0b eb fe 49 63 c7 48 81 c3 00 

Call Trace:
  [<ffffffff819f8d3f>] xen_load_gdt_boot+0xab <--
  [<ffffffff819f8d3f>] xen_load_gdt_boot+0xab
  [<ffffffff819f8d3b>] xen_load_gdt_boot+0xa7
  [<ffffffff8100cb0e>] p2m_top_index+0x9
  [<ffffffff8101f209>] switch_to_new_gdt+0x31
  [<ffffffff819f8a24>] xen_start_kernel+0x282
Comment 1 Pasi Karkkainen 2009-09-23 20:05:15 UTC 
# gdb vmlinux

(gdb) x/i 0xffffffff819f8d3f
0xffffffff819f8d3f <xen_load_gdt_boot+171>:     ud2a   

0xffffffff819f8c94 <xen_load_gdt_boot>: push   %rbp
0xffffffff819f8c95 <xen_load_gdt_boot+1>:       mov    %rsp,%rbp
0xffffffff819f8c98 <xen_load_gdt_boot+4>:       push   %r15
0xffffffff819f8c9a <xen_load_gdt_boot+6>:       xor    %r15d,%r15d
0xffffffff819f8c9d <xen_load_gdt_boot+9>:       push   %r14
0xffffffff819f8c9f <xen_load_gdt_boot+11>:      push   %r13
0xffffffff819f8ca1 <xen_load_gdt_boot+13>:      push   %r12
0xffffffff819f8ca3 <xen_load_gdt_boot+15>:      mov    %rdi,%r12
0xffffffff819f8ca6 <xen_load_gdt_boot+18>:      push   %rbx
0xffffffff819f8ca7 <xen_load_gdt_boot+19>:      sub    $0x18,%rsp
0xffffffff819f8cab <xen_load_gdt_boot+23>:      movzwl (%rdi),%eax
0xffffffff819f8cae <xen_load_gdt_boot+26>:      mov    0x2(%rdi),%rbx
0xffffffff819f8cb2 <xen_load_gdt_boot+30>:      inc    %eax
0xffffffff819f8cb4 <xen_load_gdt_boot+32>:      mov    %eax,%r14d
0xffffffff819f8cb7 <xen_load_gdt_boot+35>:      mov    %eax,-0x34(%rbp)
0xffffffff819f8cba <xen_load_gdt_boot+38>:      lea    0xfff(%r14),%rax
0xffffffff819f8cc1 <xen_load_gdt_boot+45>:      shr    $0xc,%rax
0xffffffff819f8cc5 <xen_load_gdt_boot+49>:      lea    0x1e(,%rax,8),%rax
0xffffffff819f8ccd <xen_load_gdt_boot+57>:      and    $0x7f0,%eax
0xffffffff819f8cd2 <xen_load_gdt_boot+62>:      sub    %rax,%rsp
0xffffffff819f8cd5 <xen_load_gdt_boot+65>:      lea    0xf(%rsp),%r13
0xffffffff819f8cda <xen_load_gdt_boot+70>:      and    $0xfffffffffffffff0,%r13
0xffffffff819f8cde <xen_load_gdt_boot+74>:      test   $0xfff,%ebx
0xffffffff819f8ce4 <xen_load_gdt_boot+80>:      je     0xffffffff819f8d55 <xen_load_gdt_boot+193>
0xffffffff819f8ce6 <xen_load_gdt_boot+82>:      ud2a   
0xffffffff819f8ce8 <xen_load_gdt_boot+84>:      jmp    0xffffffff819f8ce8 <xen_load_gdt_boot+84>
0xffffffff819f8cea <xen_load_gdt_boot+86>:      mov    %rbx,%rdi
0xffffffff819f8ced <xen_load_gdt_boot+89>:      callq  0xffffffff8103ecfc <__phys_addr>
0xffffffff819f8cf2 <xen_load_gdt_boot+94>:      mov    %rax,%rsi
0xffffffff819f8cf5 <xen_load_gdt_boot+97>:      shr    $0xc,%rsi
0xffffffff819f8cf9 <xen_load_gdt_boot+101>:     mov    %rsi,%rdi
0xffffffff819f8cfc <xen_load_gdt_boot+104>:     mov    %rsi,-0x40(%rbp)
0xffffffff819f8d00 <xen_load_gdt_boot+108>:     callq  0xffffffff8100b397 <pfn_to_mfn>
0xffffffff819f8d05 <xen_load_gdt_boot+113>:     mov    -0x40(%rbp),%rsi
0xffffffff819f8d09 <xen_load_gdt_boot+117>:     mov    %rax,%rcx
0xffffffff819f8d0c <xen_load_gdt_boot+120>:     mov    $0x8000000000000161,%rax
0xffffffff819f8d16 <xen_load_gdt_boot+130>:
    and    -0x1e362d(%rip),%rax        # 0xffffffff818156f0 <__supported_pte_mask>
0xffffffff819f8d1d <xen_load_gdt_boot+137>:     mov    %rsi,%rdi
0xffffffff819f8d20 <xen_load_gdt_boot+140>:     shl    $0xc,%rdi
0xffffffff819f8d24 <xen_load_gdt_boot+144>:     or     %rax,%rdi
0xffffffff819f8d27 <xen_load_gdt_boot+147>:     callq  *0xffffffff8178c320
0xffffffff819f8d2e <xen_load_gdt_boot+154>:     xor    %edx,%edx
0xffffffff819f8d30 <xen_load_gdt_boot+156>:     mov    %rax,%rsi
0xffffffff819f8d33 <xen_load_gdt_boot+159>:     mov    %rbx,%rdi
0xffffffff819f8d36 <xen_load_gdt_boot+162>:     callq  0xffffffff810091c0 <hypercall_page+448>
0xffffffff819f8d3b <xen_load_gdt_boot+167>:     test   %eax,%eax
0xffffffff819f8d3d <xen_load_gdt_boot+169>:     je     0xffffffff819f8d43 <xen_load_gdt_boot+175>
0xffffffff819f8d3f <xen_load_gdt_boot+171>:     ud2a   
0xffffffff819f8d41 <xen_load_gdt_boot+173>:     jmp    0xffffffff819f8d41 <xen_load_gdt_boot+173>
0xffffffff819f8d43 <xen_load_gdt_boot+175>:     movslq %r15d,%rax
0xffffffff819f8d46 <xen_load_gdt_boot+178>:     add    $0x1000,%rbx
0xffffffff819f8d4d <xen_load_gdt_boot+185>:     inc    %r15d
0xffffffff819f8d50 <xen_load_gdt_boot+188>:     mov    %rcx,0x0(%r13,%rax,8)
0xffffffff819f8d55 <xen_load_gdt_boot+193>:     mov    %r14,%rax
0xffffffff819f8d58 <xen_load_gdt_boot+196>:     add    0x2(%r12),%rax
0xffffffff819f8d5d <xen_load_gdt_boot+201>:     cmp    %rax,%rbx
0xffffffff819f8d60 <xen_load_gdt_boot+204>:     jb     0xffffffff819f8cea <xen_load_gdt_boot+86>
0xffffffff819f8d62 <xen_load_gdt_boot+206>:     mov    -0x34(%rbp),%esi
0xffffffff819f8d65 <xen_load_gdt_boot+209>:     mov    %r13,%rdi
0xffffffff819f8d68 <xen_load_gdt_boot+212>:     shr    $0x3,%esi
(gdb)
Comment 2 Chuck Ebbert 2009-09-24 03:23:17 UTC 
                if (HYPERVISOR_update_va_mapping((unsigned long)va, pte, 0))
                        BUG();

return value was -EINVAL
Comment 3 Pasi Karkkainen 2009-09-24 08:52:19 UTC 
I forgot to mention that there's no console output at all, because the kernel crashes so early.
Comment 4 Pasi Karkkainen 2009-09-25 13:51:05 UTC 
Patch for this problem is here: https://bugzilla.redhat.com/show_bug.cgi?id=525406

Please apply it for next rawhide kernel.
Comment 5 Justin M. Forbes 2009-09-25 15:25:07 UTC 
This patch has been applied to the rawhide kernel.