From mboxrd@z Thu Jan  1 00:00:00 1970
From: Avi Kivity <avi@redhat.com>
Subject: Re: kernel bug in kvm_intel
Date: Thu, 15 Oct 2009 02:10:53 +0900
Message-ID: <4AD6061D.5070306@redhat.com>
References: <4ACF9745.3050902@linux.vnet.ibm.com>	 <4AD16ACE.6040903@redhat.com>	 <1255372957.4883.49.camel@twinturbo.austin.ibm.com>	 <4AD4231F.6040608@redhat.com> <1255442640.4883.56.camel@twinturbo.austin.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: kvm@vger.kernel.org
To: habanero@linux.vnet.ibm.com
Return-path: <kvm-owner@vger.kernel.org>
Received: from mx1.redhat.com ([209.132.183.28]:2825 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751464AbZJNRLe (ORCPT <rfc822;kvm@vger.kernel.org>);
	Wed, 14 Oct 2009 13:11:34 -0400
In-Reply-To: <1255442640.4883.56.camel@twinturbo.austin.ibm.com>
Sender: kvm-owner@vger.kernel.org
List-ID: <kvm.vger.kernel.org>

On 10/13/2009 11:04 PM, Andrew Theurer wrote:
>
>> Look at the address where vmx_vcpu_run starts, add 0x26d, and show the
>> surrounding code.
>>
>> Thinking about it, it probably _is_ what you showed, due to module page
>> alignment.  But please verify this; I can't reconcile the fault address
>> (ffffffff9fe9a2b) with %rsp at the time of the fault.
>>      
> Here is the start of the function:
>
>    
>> 0000000000003884<vmx_vcpu_run>:
>>      3884:       55                      push   %rbp
>>      3885:       48 89 e5                mov    %rsp,%rbp
>>      
> and 0x26d later is 0x3af1:
>
>    
>>      3ad2:       4c 8b b1 88 01 00 00    mov    0x188(%rcx),%r14
>>      3ad9:       4c 8b b9 90 01 00 00    mov    0x190(%rcx),%r15
>>      3ae0:       48 8b 89 20 01 00 00    mov    0x120(%rcx),%rcx
>>      3ae7:       75 05                   jne    3aee<vmx_vcpu_run+0x26a>
>>      3ae9:       0f 01 c2                vmlaunch
>>      3aec:       eb 03                   jmp    3af1<vmx_vcpu_run+0x26d>
>>      3aee:       0f 01 c3                vmresume
>>      3af1:       48 87 0c 24             xchg   %rcx,(%rsp)
>>      3af5:       48 89 81 18 01 00 00    mov    %rax,0x118(%rcx)
>>      3afc:       48 89 99 30 01 00 00    mov    %rbx,0x130(%rcx)
>>      3b03:       ff 34 24                pushq  (%rsp)
>>      3b06:       8f 81 20 01 00 00       popq   0x120(%rcx)
>>      
>

Ok.  So it faults on the xchg instruction, rsp is ffff8806369ffc80 but 
the fault address is ffffffff9fe9a2b4.  So it looks like the IDT is 
corrupted.

Can you check what's around ffffffff9fe9a2b4 in System.map?

-- 
I have a truly marvellous patch that fixes the bug which this
signature is too narrow to contain.