From: Kevin Brodsky <kevin.brodsky@arm.com>
To: "Marek Marczykowski-Górecki" <marmarek@invisiblethingslab.com>
Cc: "Jürgen Groß" <jgross@suse.com>,
"Andrew Cooper" <andrew.cooper3@citrix.com>,
xen-devel <xen-devel@lists.xenproject.org>,
"Boris Ostrovsky" <boris.ostrovsky@oracle.com>
Subject: Re: kernel BUG around vmap/vfree - xen_enter_lazy_mmu()/xen_leave_lazy_mmu() - Linux 7.0-rc1
Date: Wed, 8 Apr 2026 12:38:04 +0200 [thread overview]
Message-ID: <756bcd3b-51c1-4ee4-bb09-4c0c0514764c@arm.com> (raw)
In-Reply-To: <adXBwU9KAdb2gNeB@mail-itl>
On 08/04/2026 04:47, Marek Marczykowski-Górecki wrote:
>> That may well be the case - it seems that xen_enter_lazy_mmu() is called
>> while already in lazy MMU mode (first splat), and xen_leave_lazy_mmu()
>> is called without being in lazy MMU mode (second splat). I expect this
>> is something specific to Xen, which I didn't get the chance to test.
>>
>> Looking at the series again I don't see anything obviously wrong, but I
>> think the riskiest change is commit 291b3abed657 ("x86/xen: use
>> lazy_mmu_state when context-switching") - worth trying to revert it.
> With that reverted (on top of 7.0-rc6, didn't updated to rc7 yet), I
> still got panic, although might be a bit different one:
>
> [ 8.099973] BUG: unable to handle page fault for address: ffff888008000670
> [ 8.100004] #PF: supervisor write access in kernel mode
> [ 8.100021] #PF: error_code(0x0003) - permissions violation
> [ 8.100037] PGD 3a00067 P4D 3a00067 PUD 3a01067 PMD 7cd7063 PTE 8000000008000021
> [ 8.100063] Oops: Oops: 0003 [#1] SMP PTI
> [ 8.100079] CPU: 0 UID: 0 PID: 226 Comm: kworker/0:2 Not tainted 7.0.0-0.rc6.1.qubes.1001.fc41.x86_64 #1 PREEMPT(full)
> [ 8.100110] Workqueue: events do_free_init
> [ 8.100126] RIP: 0010:native_set_pte+0x4/0x10
> [ 8.100145] Code: 00 03 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 89 37 c3 cc cc cc cc 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90
> [ 8.100195] RSP: 0018:ffffc90000c97c48 EFLAGS: 00010287
> [ 8.100212] RAX: e00c4f3d8b48c03e RBX: ffff888008000670 RCX: e00000000000003e
> [ 8.100234] RDX: e00c4f3d8b48c13e RSI: e00c4f3d8b48c03e RDI: ffff888008000670
> [ 8.100260] RBP: e00c4f3d8b48c13e R08: 0000000000000000 R09: 0000000000000001
> [ 8.100282] R10: 0000003b0c274b73 R11: e00000000000013e R12: ffffc90000c97cf0
> [ 8.100304] R13: ffffffffc04ce000 R14: fffc4f3d8b48cfff R15: e00000000000013e
> [ 8.100327] FS: 0000000000000000(0000) GS:ffff888094e81000(0000) knlGS:0000000000000000
> [ 8.100350] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 8.100369] CR2: ffff888008000670 CR3: 000000000242e003 CR4: 00000000001706f0
> [ 8.100394] Call Trace:
> [ 8.100404] <TASK>
> [ 8.100413] __change_page_attr+0x24f/0x350
> [ 8.100429] __change_page_attr_set_clr+0x61/0xd0
> [ 8.100446] change_page_attr_set_clr+0x103/0x1a0
> [ 8.100467] set_memory_nx+0x39/0x50
> [ 8.100481] __execmem_cache_free+0x35/0xb0
> [ 8.100496] execmem_free+0x9f/0x180
> [ 8.100510] ? nft_chain_nat_exit+0xe70/0xe70 [nft_chain_nat]
> [ 8.100531] do_free_init+0x2e/0x60
> [ 8.100545] process_one_work+0x198/0x390
> [ 8.100559] worker_thread+0x1af/0x320
> [ 8.100573] ? __pfx_worker_thread+0x10/0x10
> [ 8.103338] kthread+0xe3/0x120
> [ 8.103355] ? __pfx_kthread+0x10/0x10
> [ 8.103369] ret_from_fork+0x19e/0x260
> [ 8.103384] ? __pfx_kthread+0x10/0x10
> [ 8.103397] ret_from_fork_asm+0x1a/0x30
> [ 8.103412] </TASK>
> [ 8.103421] Modules linked in: xenfs nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_redir nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables binfmt_misc intel_rapl_msr intel_rapl_common ghash_clmulni_intel xen_netfront xen_privcmd xen_gntdev xen_gntalloc xen_blkback xen_evtchn fuse loop nfnetlink ip_tables overlay xen_blkfront
> [ 8.103529] CR2: ffff888008000670
> [ 8.103542] ---[ end trace 0000000000000000 ]---
> [ 8.103558] RIP: 0010:native_set_pte+0x4/0x10
> [ 8.103576] Code: 00 03 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 89 37 c3 cc cc cc cc 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90
> [ 8.103625] RSP: 0018:ffffc90000c97c48 EFLAGS: 00010287
> [ 8.103641] RAX: e00c4f3d8b48c03e RBX: ffff888008000670 RCX: e00000000000003e
> [ 8.103664] RDX: e00c4f3d8b48c13e RSI: e00c4f3d8b48c03e RDI: ffff888008000670
> [ 8.103686] RBP: e00c4f3d8b48c13e R08: 0000000000000000 R09: 0000000000000001
> [ 8.103708] R10: 0000003b0c274b73 R11: e00000000000013e R12: ffffc90000c97cf0
> [ 8.103730] R13: ffffffffc04ce000 R14: fffc4f3d8b48cfff R15: e00000000000013e
> [ 8.103753] FS: 0000000000000000(0000) GS:ffff888094e81000(0000) knlGS:0000000000000000
> [ 8.103775] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 8.103794] CR2: ffff888008000670 CR3: 000000000242e003 CR4: 00000000001706f0
> [ 8.103820] Kernel panic - not syncing: Fatal exception
> [ 8.103929] Kernel Offset: disabled
That is probably the same root cause indeed (lazy MMU appearing disabled
in __xet_set_pte() while it should be enabled).
>> If
>> that doesn't help, I'd suggest bisecting the following range:
>> 58852f24f956..291b3abed657
> It will take some time, as the issue doesn't happen every time.
Understood. Here are the commits that are expected to have a functional
effect on x86 (in reverse chronological order):
- 291b3abed657 ("x86/xen: use lazy_mmu_state when context-switching")
- 5ab246749569 ("mm: enable lazy_mmu sections to nest")
- 9273dfaeaca8 ("mm: bail out of lazy_mmu_mode_* in interrupt context")
- 66bdd779d344 ("x86/xen: simplify flush_lazy_mmu()")
Hope that helps, let me know if you have any further information. It
would be worth enabling CONFIG_DEBUG_VM and then checking if any WARN()
splat appears in the log.
- Kevin
next prev parent reply other threads:[~2026-04-08 10:38 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-26 13:17 kernel BUG around vmap/vfree - xen_enter_lazy_mmu()/xen_leave_lazy_mmu() - Linux 7.0-rc1 Marek Marczykowski-Górecki
2026-02-26 13:27 ` Andrew Cooper
2026-02-26 13:36 ` Marek Marczykowski-Górecki
2026-02-26 13:41 ` Jürgen Groß
2026-04-05 9:41 ` Marek Marczykowski-Górecki
2026-04-07 9:23 ` Kevin Brodsky
2026-04-08 2:47 ` Marek Marczykowski-Górecki
2026-04-08 10:38 ` Kevin Brodsky [this message]
2026-05-07 16:31 ` Jürgen Groß
2026-05-08 8:53 ` Juergen Gross
2026-05-08 9:54 ` Kevin Brodsky
2026-05-08 10:09 ` Jürgen Groß
2026-05-08 10:28 ` Andrew Cooper
2026-05-08 11:34 ` Kevin Brodsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=756bcd3b-51c1-4ee4-bb09-4c0c0514764c@arm.com \
--to=kevin.brodsky@arm.com \
--cc=andrew.cooper3@citrix.com \
--cc=boris.ostrovsky@oracle.com \
--cc=jgross@suse.com \
--cc=marmarek@invisiblethingslab.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.