Description of problem: rmmod xennet crashes domU Version-Release number of selected component (if applicable): kernel 2.6.18-1.2798.fc6xen How reproducible: rmmod xennet WARNING: g.e. still in use! WARNING: leaking g.e. and page still in use! WARNING: g.e. still in use! WARNING: leaking g.e. and page still in use! ------------[ cut here ]------------ kernel BUG at net/core/dev.c:3298! invalid opcode: 0000 [#1] SMP last sysfs file: /class/net/lo/type Modules linked in: ipt_LOG xt_limit xt_state iptable_filter ip_conntrack_ftp ip_conntrack nfnetlink ip_tables x_tables xennet ipv6 dm_mirror dm_mod lp parport_pc parport pcspkr xenblk ext3 jbd ehci_hcd ohci_hcd uhci_hcd CPU: 0 EIP: 0061:[<c05acc81>] Not tainted VLI EFLAGS: 00010293 (2.6.18-1.2798.fc6xen #1) EIP is at free_netdev+0x1e/0x3b eax: 00000001 ebx: d6028400 ecx: ffffffff edx: d6028000 esi: c0acd200 edi: d90ad524 ebp: cb796000 esp: cb796f10 ds: 007b es: 007b ss: 0069 Process rmmod (pid: 2193, ti=cb796000 task=c4282dd0 task.ti=cb796000) Stack: d90a739f d90ad500 c054c4d6 c0acd2cc c0acd224 c05416a4 c0acd224 c0687728 d90ad524 c0541999 d90ad524 00000000 c0687550 c0540e3b d90ad524 00000020 00000000 c0541aac d90ad700 c0436a25 6e6e6578 d2007465 00000000 d2ffd754 Call Trace: [<d90a739f>] netfront_remove+0x16/0x1a [xennet] [<c054c4d6>] xenbus_dev_remove+0x27/0x38 [<c05416a4>] __device_release_driver+0x60/0x78 [<c0541999>] driver_detach+0x99/0xc9 [<c0540e3b>] bus_remove_driver+0x5a/0x78 [<c0541aac>] driver_unregister+0x8/0x13 [<c0436a25>] sys_delete_module+0x192/0x1b9 [<c0404ea7>] syscall_call+0x7/0xb DWARF2 unwinder stuck at syscall_call+0x7/0xb Leftover inexact backtrace: ======================= Code: 97 e6 ff e8 34 a8 05 00 e9 19 f7 e7 ff 89 c2 8b 80 94 02 00 00 85 c0 75 0d 0f b7 42 64 29 c2 89 d0 e9 d7 50 eb ff 83 f8 03 74 08 <0f> 0b e2 0c 37 c6 64 c0 c7 82 94 02 00 00 04 00 00 00 8d 82 f0 EIP: [<c05acc81>] free_netdev+0x1e/0x3b SS:ESP 0069:cb796f10
This is a deficiency in the grant table mechanism where it can't currently wait on live entries for their destruction. If upstream's plan to use copying instead of flipping gets extended to the domU=>dom0 direction this should no longer be an issue.
change QA contact
This report targets FC6, which is now end-of-life. Please re-test against Fedora 7 or later, and if the issue persists, open a new bug. Thanks