Bug 213142 - rmmod xennet crashes domU
Summary: rmmod xennet crashes domU
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel-xen
Version: 6
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Herbert Xu
QA Contact: Virtualization Bugs
Depends On:
Blocks: 216249
TreeView+ depends on / blocked
Reported: 2006-10-30 22:54 UTC by Itamar Reis Peixoto
Modified: 2009-12-14 20:38 UTC (History)
2 users (show)

Clone Of:
Last Closed: 2008-02-26 23:36:14 UTC

Attachments (Terms of Use)

Description Itamar Reis Peixoto 2006-10-30 22:54:50 UTC
Description of problem:

rmmod xennet crashes domU

Version-Release number of selected component (if applicable):
kernel 2.6.18-1.2798.fc6xen 

How reproducible:
rmmod xennet

WARNING: g.e. still in use!
WARNING: leaking g.e. and page still in use!
WARNING: g.e. still in use!
WARNING: leaking g.e. and page still in use!
------------[ cut here ]------------
kernel BUG at net/core/dev.c:3298!
invalid opcode: 0000 [#1]
last sysfs file: /class/net/lo/type
Modules linked in: ipt_LOG xt_limit xt_state iptable_filter ip_conntrack_ftp
ip_conntrack nfnetlink ip_tables x_tables xennet ipv6 dm_mirror dm_mod lp
parport_pc parport pcspkr xenblk ext3 jbd ehci_hcd ohci_hcd uhci_hcd
CPU:    0
EIP:    0061:[<c05acc81>]    Not tainted VLI
EFLAGS: 00010293   (2.6.18-1.2798.fc6xen #1) 
EIP is at free_netdev+0x1e/0x3b
eax: 00000001   ebx: d6028400   ecx: ffffffff   edx: d6028000
esi: c0acd200   edi: d90ad524   ebp: cb796000   esp: cb796f10
ds: 007b   es: 007b   ss: 0069
Process rmmod (pid: 2193, ti=cb796000 task=c4282dd0 task.ti=cb796000)
Stack: d90a739f d90ad500 c054c4d6 c0acd2cc c0acd224 c05416a4 c0acd224 c0687728 
       d90ad524 c0541999 d90ad524 00000000 c0687550 c0540e3b d90ad524 00000020 
       00000000 c0541aac d90ad700 c0436a25 6e6e6578 d2007465 00000000 d2ffd754 
Call Trace:
 [<d90a739f>] netfront_remove+0x16/0x1a [xennet]
 [<c054c4d6>] xenbus_dev_remove+0x27/0x38
 [<c05416a4>] __device_release_driver+0x60/0x78
 [<c0541999>] driver_detach+0x99/0xc9
 [<c0540e3b>] bus_remove_driver+0x5a/0x78
 [<c0541aac>] driver_unregister+0x8/0x13
 [<c0436a25>] sys_delete_module+0x192/0x1b9
 [<c0404ea7>] syscall_call+0x7/0xb
DWARF2 unwinder stuck at syscall_call+0x7/0xb

Leftover inexact backtrace:

Code: 97 e6 ff e8 34 a8 05 00 e9 19 f7 e7 ff 89 c2 8b 80 94 02 00 00 85 c0 75 0d
0f b7 42 64 29 c2 89 d0 e9 d7 50 eb ff 83 f8 03 74 08 <0f> 0b e2 0c 37 c6 64 c0
c7 82 94 02 00 00 04 00 00 00 8d 82 f0 
EIP: [<c05acc81>] free_netdev+0x1e/0x3b SS:ESP 0069:cb796f10

Comment 1 Herbert Xu 2006-10-31 02:12:50 UTC
This is a deficiency in the grant table mechanism where it can't currently wait
on  live entries for their destruction.  If upstream's plan to use copying
instead of flipping gets extended to the domU=>dom0 direction this should no
longer be an issue.

Comment 2 Red Hat Bugzilla 2007-07-25 01:34:31 UTC
change QA contact

Comment 3 Chris Lalancette 2008-02-26 23:36:14 UTC
This report targets FC6, which is now end-of-life.

Please re-test against Fedora 7 or later, and if the issue persists, open a new bug.


Note You need to log in before you can comment on or make changes to this bug.