604985 – host kernel panic when coping big file to guest OS.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 604985 - host kernel panic when coping big file to guest OS.

Summary: host kernel panic when coping big file to guest OS.

Keywords:
Status:	CLOSED DUPLICATE of bug 602927
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	kernel
Sub Component:
Version:	6.0
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Red Hat Kernel Manager
QA Contact:	Red Hat Kernel QE team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-06-17 08:18 UTC by YangFeng
Modified:	2015-04-20 00:26 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-06-17 13:42:33 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description YangFeng 2010-06-17 08:18:26 UTC

Description of problem:
host kernel panic when coping big file between host and guest OS.

Version-Release number of selected component (if applicable):

uname -a on host
Linux dhcp-91-155.nay.redhat.com.englab.nay.redhat.com 2.6.32-33.el6.x86_64 #1 SMP Thu Jun 3 13:00:03 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux

rpm -qa|grep qemu on host
qemu-img-0.12.1.2-2.73.el6.x86_64
qemu-kvm-tools-0.12.1.2-2.73.el6.x86_64
gpxe-roms-qemu-0.9.7-6.2.el6.noarch
qemu-kvm-0.12.1.2-2.73.el6.x86_64

How reproducible:
60% (Try 5 times, 3 fails)

Steps to Reproduce:
1. Start a VM with vhost on:
'qemu-kvm -name 'vm1' -monitor tcp:0:6001,server,nowait -drive file=RHEL-Server-5.5-PAE-virtio.qcow2,if=virtio,cache=none,boot=on -net nic,vlan=0,model=virtio,macaddr=02:8F:A8:D8:e7:33 -net tap,vlan=0,ifname=virtio_0_6001,script=qemu-ifup-switch,downscript=no,vhost=on -m 4096 -smp 2 -soundhw ac97 -redir tcp:5000::22 -vnc :0 -usbdevice tablet -rtc-td-hack -cpu qemu64,+sse2 -no-kvm-pit-reinjection -serial unix:/tmp/serial-20100617-121640-LV98,server,nowait'
2. Create a large file by dd on host.
'dd if=/dev/urandom of=tmp/a.out bs=1M count=4000'
3. Copy this file from host to guest by scp command.
4. Copy this file from guest to host by scp command.
  
Actual results:
Kernel panic during step 3 or 4.

Expected results:
Large file could be transferred successfully between host and guest.

Additional info:
Following is log on host.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000400
IP: [<ffffffffa0410824>] __br_deliver+0x64/0xe0 [bridge]
PGD 0 
Oops: 0000 [#1] SMP 
last sysfs file: /sys/kernel/mm/ksm/run
CPU 3 
Modules linked in: vhost_net(U) macvtap(U) macvlan(U) tun(U) sunrpc(U) cpufreq_ondemand(U) acpi_cpufreq(U) freq_table(U) bridge(U) stp(U) llc(U) ipv6(U) dm_mirror(U) dm_region_hash(U) dm_log(U) kvm_intel(U) kvm(U) snd_hda_codec_analog(U) snd_hda_intel(U) snd_hda_codec(U) snd_hwdep(U) snd_seq(U) e1000e(U) iTCO_wdt(U) ppdev(U) snd_seq_device(U) snd_pcm(U) parport_pc(U) i2c_i801(U) iTCO_vendor_support(U) parport(U) sr_mod(U) serio_raw(U) snd_timer(U) snd(U) soundcore(U) snd_page_alloc(U) dcdbas(U) cdrom(U) sg(U) ext4(U) mbcache(U) jbd2(U) dm_multipath(U) sd_mod(U) crc_t10dif(U) ata_piix(U) pata_acpi(U) ata_generic(U) radeon(U) ttm(U) drm_kms_helper(U) drm(U) i2c_algo_bit(U) i2c_core(U) dm_mod(U) [last unloaded: scsi_wait_scan]

Modules linked in: vhost_net(U) macvtap(U) macvlan(U) tun(U) sunrpc(U) cpufreq_ondemand(U) acpi_cpufreq(U) freq_table(U) bridge(U) stp(U) llc(U) ipv6(U) dm_mirror(U) dm_region_hash(U) dm_log(U) kvm_intel(U) kvm(U) snd_hda_codec_analog(U) snd_hda_intel(U) snd_hda_codec(U) snd_hwdep(U) snd_seq(U) e1000e(U) iTCO_wdt(U) ppdev(U) snd_seq_device(U) snd_pcm(U) parport_pc(U) i2c_i801(U) iTCO_vendor_support(U) parport(U) sr_mod(U) serio_raw(U) snd_timer(U) snd(U) soundcore(U) snd_page_alloc(U) dcdbas(U) cdrom(U) sg(U) ext4(U) mbcache(U) jbd2(U) dm_multipath(U) sd_mod(U) crc_t10dif(U) ata_piix(U) pata_acpi(U) ata_generic(U) radeon(U) ttm(U) drm_kms_helper(U) drm(U) i2c_algo_bit(U) i2c_core(U) dm_mod(U) [last unloaded: scsi_wait_scan]
Pid: 3030, comm: ssh Tainted: G        W  2.6.32-33.el6.x86_64 #1 OptiPlex 760                 
RIP: 0010:[<ffffffffa0410824>]  [<ffffffffa0410824>] __br_deliver+0x64/0xe0 [bridge]
RSP: 0018:ffff88011f91d8b8  EFLAGS: 00010296
RAX: 0000000000000000 RBX: ffff88011d57e6c0 RCX: ffff88011ff82740
RDX: ffff88011f2a289c RSI: 0000000000000282 RDI: ffff88011f2a289c
RBP: ffff88011f91d8d8 R08: ffff88011f2a289c R09: ffff880008af66e8
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88011e88cbc0
R13: ffff88011e88cbf8 R14: ffff88011da5c8fe R15: ffff88011d57e000
FS:  00007f27f0ee07c0(0000) GS:ffff8800282c0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000400 CR3: 000000012102f000 CR4: 00000000000426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process ssh (pid: 3030, threadinfo ffff88011f91c000, task ffff8801091a8100)
Stack:
 ffff880180000000 ffffffff814aff0c ffff88011e88cbc0 ffff88011d57e6c0
<0> ffff88011f91d8e8 ffffffffa04108d5 ffff88011f91d918 ffffffffa040f5ac
<0> ffff88011e88cbc0 ffff88003714c380 ffffffff818bffa0 ffff8800afd783e8
Call Trace:
 [<ffffffff814aff0c>] ? packet_rcv+0x5c/0x440
 [<ffffffffa04108d5>] br_deliver+0x35/0x40 [bridge]
 [<ffffffffa040f5ac>] br_dev_xmit+0xbc/0x100 [bridge]
 [<ffffffff8141279a>] dev_hard_start_xmit+0x20a/0x370
 [<ffffffff81415d86>] dev_queue_xmit+0x3c6/0x4a0
 [<ffffffff81451d9c>] ip_finish_output+0x13c/0x310
 [<ffffffff81452028>] ip_output+0xb8/0xc0
 [<ffffffff81450f7f>] ? __ip_local_out+0x9f/0xb0
 [<ffffffff81450fb5>] ip_local_out+0x25/0x30
 [<ffffffff81451800>] ip_queue_xmit+0x190/0x420
 [<ffffffff81154b8b>] ? __kmalloc_node+0x7b/0x100
 [<ffffffff814664b1>] tcp_transmit_skb+0x3f1/0x790
 [<ffffffff81468827>] tcp_write_xmit+0x1e7/0x9e0
 [<ffffffff814694b0>] __tcp_push_pending_frames+0x30/0xe0
 [<ffffffff8145886e>] tcp_push+0x6e/0x90
 [<ffffffff81459818>] tcp_sendmsg+0x668/0xa30
 [<ffffffff81402591>] sock_aio_write+0x151/0x160
 [<ffffffff8116986a>] do_sync_write+0xfa/0x140
 [<ffffffff81090a50>] ? autoremove_wake_function+0x0/0x40
 [<ffffffff81206d3f>] ? selinux_file_permission+0xbf/0x150
 [<ffffffff811fa356>] ? security_file_permission+0x16/0x20
 [<ffffffff81169c34>] vfs_write+0x184/0x1a0
 [<ffffffff810d3782>] ? audit_syscall_entry+0x252/0x280
 [<ffffffff8116a5a1>] sys_write+0x51/0x90
 [<ffffffff81013172>] system_call_fastpath+0x16/0x1b
Code: c9 49 c7 c1 30 06 41 a0 4c 89 e2 be 03 00 00 00 bf 07 00 00 00 c7 04 24 00 00 00 80 e8 f6 7d 02 e1 83 f8 01 74 31 49 8b 44 24 20 <48> 8b 80 00 04 00 00 48 85 c0 74 0e 48 8b 80 b8 00 00 00 48 8b 
RIP  [<ffffffffa0410824>] __br_deliver+0x64/0xe0 [bridge]
 RSP <ffff88011f91d8b8>
CR2: 0000000000000400
---[ end trace a7919e7f17c0a727 ]---
Kernel panic - not syncing: Fatal exception in interrupt
Pid: 3030, comm: ssh Tainted: G      D W  2.6.32-33.el6.x86_64 #1
Call Trace:
 [<ffffffff814d72ad>] panic+0x78/0x137
 [<ffffffff814db3f2>] oops_end+0xf2/0x100
 [<ffffffff8104545b>] no_context+0xfb/0x260
 [<ffffffff810456e5>] __bad_area_nosemaphore+0x125/0x1e0
 [<ffffffff810457b3>] bad_area_nosemaphore+0x13/0x20
 [<ffffffff814dcec8>] do_page_fault+0x2a8/0x3a0
 [<ffffffff814da735>] page_fault+0x25/0x30
 [<ffffffffa0410824>] ? __br_deliver+0x64/0xe0 [bridge]
 [<ffffffffa0410858>] ? __br_deliver+0x98/0xe0 [bridge]
 [<ffffffff814aff0c>] ? packet_rcv+0x5c/0x440
 [<ffffffffa04108d5>] br_deliver+0x35/0x40 [bridge]
 [<ffffffffa040f5ac>] br_dev_xmit+0xbc/0x100 [bridge]
 [<ffffffff8141279a>] dev_hard_start_xmit+0x20a/0x370
 [<ffffffff81415d86>] dev_queue_xmit+0x3c6/0x4a0
 [<ffffffff81451d9c>] ip_finish_output+0x13c/0x310
 [<ffffffff81452028>] ip_output+0xb8/0xc0
 [<ffffffff81450f7f>] ? __ip_local_out+0x9f/0xb0
 [<ffffffff81450fb5>] ip_local_out+0x25/0x30
 [<ffffffff81451800>] ip_queue_xmit+0x190/0x420
 [<ffffffff81154b8b>] ? __kmalloc_node+0x7b/0x100
 [<ffffffff814664b1>] tcp_transmit_skb+0x3f1/0x790
 [<ffffffff81468827>] tcp_write_xmit+0x1e7/0x9e0
 [<ffffffff814694b0>] __tcp_push_pending_frames+0x30/0xe0
 [<ffffffff8145886e>] tcp_push+0x6e/0x90
 [<ffffffff81459818>] tcp_sendmsg+0x668/0xa30
 [<ffffffff81402591>] sock_aio_write+0x151/0x160
 [<ffffffff8116986a>] do_sync_write+0xfa/0x140
 [<ffffffff81090a50>] ? autoremove_wake_function+0x0/0x40
 [<ffffffff81206d3f>] ? selinux_file_permission+0xbf/0x150
 [<ffffffff811fa356>] ? security_file_permission+0x16/0x20
 [<ffffffff81169c34>] vfs_write+0x184/0x1a0
 [<ffffffff810d3782>] ? audit_syscall_entry+0x252/0x280
 [<ffffffff8116a5a1>] sys_write+0x51/0x90
 [<ffffffff81013172>] system_call_fastpath+0x16/0x1b
[drm:drm_fb_helper_panic] *ERROR* panic occurred, switching back to text console

Comment 2 RHEL Program Management 2010-06-17 08:33:36 UTC

This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 3 Herbert Xu 2010-06-17 13:42:33 UTC


*** This bug has been marked as a duplicate of bug 602927 ***

Note You need to log in before you can comment on or make changes to this bug.