Bug 21962

Summary: BUG() in kvm_mmu_page_set_gfn() - direct gfn doesn't match page gfn
Product: Virtualization
Reporter: Steve (stefan.bosak)
Component: kvm
Assignee: Avi Kivity (avi)
Status: CLOSED CODE_FIX
Severity: blocking
CC: avi, gleb, mtosatti, prochazka.nicolas
Priority: P1
Hardware: All
OS: Linux
Kernel Version: Since 2.6.36
Subsystem:
Regression: No
Bisected commit-id:
Attachments:
  debug patch
  proposed fix
  trace-cmd log file ( -e kvm , -e kvm -e kvmmu )

Description Steve 2010-11-04 00:38:51 UTC
Kernels since 2.6.36 can't be used
on an HP Proliant DL 160 G5 (2x Intel Xeon CPU E5430):

This kernel bug occurred on 2.6.37-rc1-git2:

kernel BUG at arch/x86/kvm/mmu.c:479!

static void kvm_mmu_page_set_gfn(struct kvm_mmu_page *sp, int index, gfn_t gfn)
{
        if (sp->role.direct)
->                BUG_ON(gfn != kvm_mmu_page_get_gfn(sp, index));
        else
                sp->gfns[index] = gfn;
}


invalid opcode: 0000

mmu_set_spte.clone.57.clone.60x0x4a2/0x4e0 [kvm]

All KVM virtual machines can't be used correctly
and the server has to be powered off.
This situation has occurred since 2.6.36.
Comment 1 Steve 2010-11-17 20:53:42 UTC
Could anybody please test running a KVM guest machine on a pre-Nehalem CPU?
Comment 2 Steve 2010-12-16 23:56:18 UTC
The bug still has not been removed.

Tested on all kernels from 2.6.36 to 2.6.37-rc6.
Comment 3 Avi Kivity 2010-12-17 15:21:50 UTC
Please provide precise instructions for reproducing the bug (guest OS, workload, and configuration).
Comment 4 prochazka 2010-12-23 15:50:04 UTC
Same problem from 2.6.36 to 2.6.37-rc7,
only with a Windows 7 guest install (just after the BIOS).
Not all servers are concerned (tested on 3: 5430, 5330: ok, dual core).

 kernel BUG at arch/x86/kvm/mmu.c:479!
invalid opcode: 0000 [#1] SMP
last sysfs file: /sys/devices/system/cpu/cpu1/cache/index2/shared_cpu_map
CPU 0
Modules linked in: kvm_intel kvm
Pid: 10239, comm: qemu Not tainted 2.6.37-rc7 #4 X7SBL/X7SBL
RIP: 0010:[<ffffffffa0021519>] [<ffffffffa0021519>] T.1197+0x3c9/0x3e0 [kvm]
RSP: 0018:ffff88007f90fad8 EFLAGS: 00010287
RAX: ffff88021e189b40 RBX: ffff8800cac08000 RCX: 0000000000000009
RDX: 0000000000000002 RSI: 00000000c0020000 RDI: ffff8800caf43800
RBP: ffff88007f90fb58 R08: ffff880100994008 R09: 0000000000000022
R10: 0000000000000000 R11: 0000000000000001 R12: ffff8800caf43800
R13: 0000000000000000 R14: 00000000000e0000 R15: ffffea0000000000
FS: 00007f97c3ba4710(0000) GS:ffff8800cfc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 002b ES: 002b CR0: 000000008005003b
CR2: 0000000000000000 CR3: 000000007f8df000 CR4: 00000000000426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process qemu (pid: 10239, threadinfo ffff88007f90e000, task ffff8801008d0000)
Stack:
 00007f9700000002 00000000000e0000 0000000000132400 ffff880000000000
 ffff880000000001 00007f9700000001 ffff88007f8df7f8 00007f97f8601000
 00007f9700000005 00ff880000000000 ffff88007f90fba8 000ffffffffff000
Call Trace:
 [<ffffffffa00226bc>] __direct_map+0x15c/0x1e0 [kvm]
 [<ffffffffa00229cb>] nonpaging_page_fault+0x12b/0x170 [kvm]
 [<ffffffffa001f301>] kvm_mmu_page_fault+0x21/0x80 [kvm]
 [<ffffffffa00618bd>] handle_exception+0x30d/0x380 [kvm_intel]
 [<ffffffffa00619c9>] vmx_handle_exit+0x99/0x2f0 [kvm_intel]
 [<ffffffffa0017166>] kvm_arch_vcpu_ioctl_run+0x616/0xe20 [kvm]
 [<ffffffffa0015fc0>] ? kvm_arch_vcpu_load+0x50/0x140 [kvm]
 [<ffffffffa0005811>] kvm_vcpu_ioctl+0x561/0x860 [kvm]
 [<ffffffff81136d27>] do_vfs_ioctl+0xa7/0x560
 [<ffffffff8113722f>] sys_ioctl+0x4f/0x80
 [<ffffffff81003042>] system_call_fastpath+0x16/0x1b
Code: 85 d2 74 23 ff ca 89 93 60 07 00 00 48 63 d2 48 8b bc d3 68 07
00 00 48 89 78 20 e9 1f ff ff ff 31 c9 e9 15 ff ff ff 0f 0b eb fe <0f>
0b eb fe 0f 0b eb fe 66 66 66 66 66 66 2e 0f 1f 84 00 00 00
RIP [<ffffffffa0021519>] T.1197+0x3c9/0x3e0 [kvm]
 RSP <ffff88007f90fad8>
---[ end trace 37b50f1e9edf2574 ]---
Comment 5 Avi Kivity 2010-12-26 10:24:20 UTC
Still cannot reproduce.

What's the exact Windows version you use?
What is your processor?
What is the qemu command line?
Comment 6 Avi Kivity 2010-12-26 10:41:32 UTC
Also, do you have ksm enabled?  What happens if you disable it?
Comment 7 prochazka 2010-12-27 10:15:01 UTC
Windows 7 32-bit/64-bit ISOs cause this issue.

ksm is enabled in the kernel

DEV-10.98.98.1:~# cat /proc/cpuinfo
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 23
model name      : Intel(R) Core(TM)2 Duo CPU     E8400  @ 3.00GHz
stepping        : 10
cpu MHz         : 2992.599
cache size      : 6144 KB
physical id     : 0
siblings        : 2
core id         : 0
cpu cores       : 2
apicid          : 0
initial apicid  : 0
fpu             : yes
fpu_exception   : yes
cpuid level     : 13
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good aperfmperf pni dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm sse4_1 xsave lahf_lm tpr_shadow vnmi flexpriority
bogomips        : 5985.19
clflush size    : 64
cache_alignment : 64
address sizes   : 36 bits physical, 48 bits virtual
power management:
 
processor       : 1
vendor_id       : GenuineIntel
cpu family      : 6
model           : 23
model name      : Intel(R) Core(TM)2 Duo CPU     E8400  @ 3.00GHz
stepping        : 10
cpu MHz         : 2992.599
cache size      : 6144 KB
physical id     : 0
siblings        : 2
core id         : 1
cpu cores       : 2
apicid          : 1
initial apicid  : 1
fpu             : yes
fpu_exception   : yes
cpuid level     : 13
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good aperfmperf pni dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm sse4_1 xsave lahf_lm tpr_shadow vnmi flexpriority
bogomips        : 5985.14
clflush size    : 64
cache_alignment : 64
address sizes   : 36 bits physical, 48 bits virtual
power management:
 
 
 
/usr/local/bin/qemu -name M_Win7 -vga std -net tap,vlan=0,name=interne,ifname=vmtap6 -net nic,vlan=0,macaddr=ac:de:48:5e:ba:36,model=e1000 -localtime -usb -usbdevice tablet -vnc 10.98.98.1:106 -monitor tcp:127.0.0.1:10106,server,nowait,nodelay  -m 768 -pidfile /var/run/qemu/M_Win7.pid -net vde,port=56,vlan=5,sock=/tmpsafe/neoswitch_bridge,name=externe -net nic,vlan=5,macaddr=ac:de:48:0c:e9:15,model=e1000 -mem-prealloc -mem-path /hugepages -rtc base=localtime -drive file=/mnt/vdisk/images/MASTER-Win7.1293166482.3787351.MASTER,index=0,media=disk,snapshot=off,cache=writeback -drive file=/swapfile-guest/swap1,if=ide,index=1,media=disk,snapshot=on,boot=off -drive file=/mnt/vdisk/iso/Windows7Pro_32BitsFr.iso,index=2,media=cdrom -boot d
Comment 8 Avi Kivity 2010-12-27 12:51:03 UTC
Created attachment 41722 [details]
debug patch

Please try with the attached debug patch, and post dmesg when you get the BUG().
Comment 9 prochazka 2010-12-27 21:28:47 UTC

kvm_mmu_page_set_gfn: gfn e0000 sp->gfn c0000000 level 2 pae 0 quadrant 0 direct 1 access 7 invalid 0 nxe 0 wp 0
------------[ cut here ]------------
kernel BUG at arch/x86/kvm/mmu.c:487!
invalid opcode: 0000 [#1] SMP 
last sysfs file: /sys/devices/system/cpu/cpu1/cache/index2/shared_cpu_map
CPU 1 
Modules linked in: kvm_intel kvm

Pid: 18995, comm: qemu Not tainted 2.6.37-rc7 #4 X7SBL/X7SBL
RIP: 0010:[<ffffffffa002159c>]  [<ffffffffa002159c>] T.1197+0x44c/0x460 [kvm]
RSP: 0018:ffff8801ff13dad8  EFLAGS: 00010292
RAX: 0000000000000074 RBX: ffff8800c905b490 RCX: 000000000003ffff
RDX: ffffffff81e241c8 RSI: 0000000000000082 RDI: 0000000000000246
RBP: ffff8801ff13db58 R08: 000000000000f7ef R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000007 R12: ffff8800a4d71800
R13: 0000000000000000 R14: 00000000000e0000 R15: ffffea0000000000
FS:  00007f7bac2f1710(0000) GS:ffff8800cfd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 002b ES: 002b CR0: 000000008005003b
CR2: 0000000000000000 CR3: 00000000c92ad000 CR4: 00000000000426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process qemu (pid: 18995, threadinfo ffff8801ff13c000, task ffff88021f631000)
Stack:
 00007f7b00000000 0000000000000001 0000000000000007 ffff880100000000
 ffff880100000000 00007f7b00000000 ffff8800c92ad7f0 00007f7bd0e01000
 00007f7b00000005 00ff880100000000 ffff8801ff13dba8 000ffffffffff000
Call Trace:
 [<ffffffffa002273c>] __direct_map+0x15c/0x1e0 [kvm]
 [<ffffffffa0022a4b>] nonpaging_page_fault+0x12b/0x170 [kvm]
 [<ffffffffa001f301>] kvm_mmu_page_fault+0x21/0x80 [kvm]
 [<ffffffffa00628bd>] handle_exception+0x30d/0x380 [kvm_intel]
 [<ffffffffa00629c9>] vmx_handle_exit+0x99/0x2f0 [kvm_intel]
 [<ffffffffa0017166>] kvm_arch_vcpu_ioctl_run+0x616/0xe20 [kvm]
 [<ffffffffa0015fc0>] ? kvm_arch_vcpu_load+0x50/0x140 [kvm]
 [<ffffffffa0005811>] kvm_vcpu_ioctl+0x561/0x860 [kvm]
 [<ffffffff8103e698>] ? __wake_up_locked_key+0x18/0x20
 [<ffffffff81136d27>] do_vfs_ioctl+0xa7/0x560
 [<ffffffff8113722f>] sys_ioctl+0x4f/0x80
 [<ffffffff81003042>] system_call_fastpath+0x16/0x1b
Code: e2 07 89 54 24 10 44 89 c2 c1 ea 0d 83 e2 01 89 54 24 08 44 89 c2 41 83 e0 0f c1 ea 05 83 e2 03 89 14 24 4c 89 f2 e8 e2 c3 98 e1 <0f> 0b eb fe 0f 0b eb fe 66 66 66 2e 0f 1f 84 00 00 00 00 00 55 
RIP  [<ffffffffa002159c>] T.1197+0x44c/0x460 [kvm]
 RSP <ffff8801ff13dad8>
---[ end trace 092cae64c622f06a ]---


NP.
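As an added example (not from the bug report and not KVM's own code), here is a user-space C model of the direct-map consistency check behind the BUG_ON(), run on the values the debug patch printed in comment 9 (gfn e0000, sp->gfn c0000000, level 2, direct 1). The struct layout, quadrant_root_gfn() and the reading of 0xc0000000 as a base address stored where a frame number belongs are my assumptions; the page itself does not show the proposed fix.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t gfn_t;

#define PT64_LEVEL_BITS   9                      /* 512 entries per shadow page */
#define PT64_ENT_PER_PAGE (1 << PT64_LEVEL_BITS)
#define PAGE_SHIFT        12

/* Minimal stand-in for the fields of struct kvm_mmu_page the check uses
 * (assumed layout, not the kernel's). */
struct shadow_page {
    gfn_t gfn;                      /* base gfn covered by this shadow page */
    int   level;                    /* 1 = PTE page, 2 = PDE page, 3 = PDPTE page */
    bool  direct;                   /* direct map: entry gfns derive from gfn */
    gfn_t gfns[PT64_ENT_PER_PAGE];  /* per-entry gfns, used only when !direct */
};

/* Shift between an entry index at this level and the gfns it maps. */
static int entry_shift(const struct shadow_page *sp)
{
    return (sp->level - 1) * PT64_LEVEL_BITS;
}

/* Models kvm_mmu_page_get_gfn(): a direct page implies its entries' gfns. */
static gfn_t page_get_gfn(const struct shadow_page *sp, int index)
{
    if (!sp->direct)
        return sp->gfns[index];
    return sp->gfn + ((gfn_t)index << entry_shift(sp));
}

/* Index of the entry at sp->level that maps `gfn` (what the shadow walk yields). */
static int index_for_gfn(const struct shadow_page *sp, gfn_t gfn)
{
    return (int)((gfn >> entry_shift(sp)) & (PT64_ENT_PER_PAGE - 1));
}

/* The condition behind the BUG_ON() in kvm_mmu_page_set_gfn(): true when the
 * gfn being recorded agrees with what the direct page already implies. */
static bool set_gfn_consistent(const struct shadow_page *sp, int index, gfn_t gfn)
{
    if (!sp->direct)
        return true;                /* non-direct pages simply store the gfn */
    return gfn == page_get_gfn(sp, index);
}

/* The check with the values from comment 9. Returns false: BUG_ON() fires. */
static bool comment9_values_consistent(void)
{
    struct shadow_page sp = { .gfn = 0xc0000000ULL, .level = 2, .direct = true };
    gfn_t gfn = 0xe0000ULL;         /* guest access at 3.5GB */
    return set_gfn_consistent(&sp, index_for_gfn(&sp, gfn), gfn);
}

/* Assumption (not stated on the page): the level-2 root for 1GB quadrant `q`
 * of an unpaged PAE guest should carry the quadrant's base *frame number*,
 * (q << 30) >> PAGE_SHIFT; 0xc0000000 in comment 9 looks like the quadrant-3
 * base address stored without that shift. */
static gfn_t quadrant_root_gfn(int q)
{
    return ((gfn_t)q << 30) >> PAGE_SHIFT;
}

/* Same 3.5GB access against a root whose gfn really is a frame number. */
static bool corrected_root_consistent(void)
{
    struct shadow_page sp = { .gfn = quadrant_root_gfn(3), .level = 2, .direct = true };
    gfn_t gfn = 0xe0000ULL;
    return set_gfn_consistent(&sp, index_for_gfn(&sp, gfn), gfn);
}

/* Generalisation: with an address stored as the gfn, only quadrant 0 (where
 * address and frame number are both zero) survives an access at its base. */
static bool address_as_gfn_passes(int q)
{
    struct shadow_page sp = { .gfn = (gfn_t)q << 30, .level = 2, .direct = true };
    gfn_t gfn = quadrant_root_gfn(q);   /* first gfn of the quadrant */
    return set_gfn_consistent(&sp, index_for_gfn(&sp, gfn), gfn);
}

int main(void)
{
    printf("comment 9 values:   %s\n", comment9_values_consistent() ? "ok" : "BUG_ON fires");
    printf("frame-number root:  %s\n", corrected_root_consistent() ? "ok" : "BUG_ON fires");
    for (int q = 0; q < 4; q++)
        printf("quadrant %d, address as gfn: %s\n", q,
               address_as_gfn_passes(q) ? "ok" : "BUG_ON fires");
    return 0;
}
```

The model explains why the report only shows up on guests touching memory above 1GB: below that, the mistaken and correct root gfns coincide.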
Comment 10 Avi Kivity 2010-12-28 09:03:35 UTC
Created attachment 41792 [details]
proposed fix

Attached patch should fix, please test and report.
Comment 11 prochazka 2010-12-28 14:00:45 UTC
It seems ok,
I cannot reproduce the bug.

Thanks .

NP
Comment 12 prochazka 2010-12-29 11:23:19 UTC
Sorry,
but now our Windows 32-bit guest does not work.
Black screen with a white cursor after the BIOS.
No error in the kvm module,
no dmesg error.

NP
Comment 13 Avi Kivity 2010-12-29 12:12:12 UTC
Please file another bug.
Comment 14 prochazka 2010-12-29 12:26:56 UTC
Why?
This is the result of the proposed fix for the Windows 7 guest issue.
Without the fix, the XP guest is ok but not Windows 7; with the fix, Windows 7 is ok but not XP.

Regards, 
NP.
Comment 15 Avi Kivity 2010-12-29 12:41:34 UTC
What's the command line for starting xp?

Please post the output of 'info registers' and 'x/50i $eip - 30' in the qemu monitor.
Comment 16 prochazka 2010-12-29 13:54:33 UTC
Very strange test:
after the BIOS, Windows starts with "run in safe mode", then a black screen with a white cursor; qemu/kvm seems to be blocked.
As soon as I do an 'info registers' or 'x/50i', Windows goes on ...
(when I just connect to the qemu monitor, Windows stays on the black screen)

QEMU 0.13.0 monitor - type 'help' for more information
(qemu) info registers
info registers
EAX=89865a75 EBX=00000001 ECX=8003f5c0 EDX=00000987
ESI=00000000 EDI=80087000 EBP=80549ac0 ESP=80549aa0
EIP=806e4550 EFL=00000282 [--S----] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0023 00000000 ffffffff 00c0f300 DPL=3 DS   [-WA]
CS =0008 00000000 ffffffff 00c09b00 DPL=0 CS32 [-RA]
SS =0010 00000000 ffffffff 00c09300 DPL=0 DS   [-WA]
DS =0023 00000000 ffffffff 00c0f300 DPL=3 DS   [-WA]
FS =0030 ffdff000 00001fff 00c09300 DPL=0 DS   [-WA]
GS =0000 00000000 0000ffff 00009300 DPL=0 DS16 [-WA]
LDT=0000 00000000 ffffffff 00000000
TR =0028 80042000 000020ab 00008b00 DPL=0 TSS32-busy
GDT=     8003f000 000003ff
IDT=     8003f400 000007ff
CR0=8001003d CR2=00000000 CR3=00a49000 CR4=00000020
DR0=00000000 DR1=00000000 DR2=00000000 DR3=00000000 
DR6=ffff0ff0 DR7=00000400
EFER=0000000000000800
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
XMM00=00000000000000000000000000000000 XMM01=00000000000000000000000000000000
XMM02=00000000000000000000000000000000 XMM03=00000000000000000000000000000000
XMM04=00000000000000000000000000000000 XMM05=00000000000000000000000000000000
XMM06=00000000000000000000000000000000 XMM07=00000000000000000000000000000000



DEV-10.98.98.1:~# socat - TCP4:127.0.0.1:10112
QEMU 0.13.0 monitor - type 'help' for more information
(qemu) x/50i $eip - 30
x/50i $eip - 30
0x00000000806e4532:  add    %al,(%eax)
0x00000000806e4534:  call   0x806d0cac
0x00000000806e4539:  xor    %eax,%eax
0x00000000806e453b:  add    $0x0,%eax
0x00000000806e4540:  sti    
0x00000000806e4541:  jmp    0x806e4550
0x00000000806e4543:  lea    0x0(%esp),%esp
0x00000000806e454a:  lea    0x0(%ebx),%ebx
0x00000000806e4550:  sub    $0x1,%eax
0x00000000806e4553:  jne    0x806e4550
0x00000000806e4555:  jmp    0x806e4550
0x00000000806e4557:  incl   -0xc(%ebp)
0x00000000806e455a:  cmpl   $0x1,-0xc(%ebp)
0x00000000806e455e:  jne    0x806e45bc
0x00000000806e4560:  pop    %eax
0x00000000806e4561:  push   $0x806e4550
0x00000000806e4566:  call   0x806d0c90
0x00000000806e456b:  mov    $0x2d0a,%ax
0x00000000806e456f:  out    %al,$0x70
0x00000000806e4571:  jmp    0x806e4573
0x00000000806e4573:  mov    %ah,%al
0x00000000806e4575:  out    %al,$0x71
0x00000000806e4577:  jmp    0x806e4579
0x00000000806e4579:  mov    $0xb,%ax
0x00000000806e457d:  out    %al,$0x70
0x00000000806e457f:  jmp    0x806e4581
0x00000000806e4581:  in     $0x71,%al
0x00000000806e4583:  jmp    0x806e4585
0x00000000806e4585:  and    $0x1,%al
0x00000000806e4587:  mov    %al,%ah
0x00000000806e4589:  or     $0x42,%ah
0x00000000806e458c:  mov    $0xb,%al
0x00000000806e458e:  out    %al,$0x70
0x00000000806e4590:  jmp    0x806e4592
0x00000000806e4592:  mov    %ah,%al
0x00000000806e4594:  out    %al,$0x71
0x00000000806e4596:  jmp    0x806e4598
0x00000000806e4598:  mov    $0xc,%al
0x00000000806e459a:  out    %al,$0x70
0x00000000806e459c:  jmp    0x806e459e
0x00000000806e459e:  in     $0x71,%al
0x00000000806e45a0:  jmp    0x806e45a2
0x00000000806e45a2:  mov    $0xd,%al
0x00000000806e45a4:  out    %al,$0x70
0x00000000806e45a6:  jmp    0x806e45a8
0x00000000806e45a8:  in     $0x71,%al
0x00000000806e45aa:  jmp    0x806e45ac
0x00000000806e45ac:  call   0x806d0cac
0x00000000806e45b1:  mov    $0x20,%al
0x00000000806e45b3:  out    %al,$0xa0
(qemu) 



/usr/local/bin/qemu -name DEMO001 -vga std -net tap,vlan=0,name=interne,ifname=vmtap12 -net nic,vlan=0,macaddr=ac:de:48:35:6e:98,model=e1000 -localtime -usb -usbdevice tablet -vnc 10.98.98.1:112 -monitor tcp:127.0.0.1:10112,server,nowait,nodelay -m 768 -pidfile /var/run/qemu/DEMO001.pid -net vde,port=62,vlan=5,sock=/tmpsafe/neoswitch_bridge,name=externe -net nic,vlan=5,macaddr=ac:de:48:74:af:ca,model=e1000 -mem-prealloc -mem-path /hugepages -rtc base=localtime -drive file=/mnt/vdisk/images/VM-DEMO001.1291988834.4291229,index=0,media=disk,snapshot=on,cache=writeback -fda fat:floppy:/mnt/vdisk/diskconf/DEMO001


DEV-10.98.98.1:~# cat /proc/cpuinfo 
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 23
model name      : Intel(R) Xeon(R) CPU           E5420  @ 2.50GHz
stepping        : 6
cpu MHz         : 2493.926
cache size      : 6144 KB
physical id     : 0
siblings        : 4
core id         : 0
cpu cores       : 4
apicid          : 0
initial apicid  : 0
fpu             : yes
fpu_exception   : yes
cpuid level     : 10
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good nopl aperfmperf pni dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm dca sse4_1 lahf_lm dts tpr_shadow vnmi flexpriority
bogomips        : 4987.85
clflush size    : 64
cache_alignment : 64
address sizes   : 38 bits physical, 48 bits virtual
Comment 17 Avi Kivity 2010-12-29 15:52:37 UTC
Please repeat the test, but issue the 'stop' command first, so Windows doesn't resume.

Also, please install udis86 and udis86-devel, install trace-cmd from git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/trace-cmd.git
and qemu using 'trace-cmd record -b 200000 -e kvm qemu...'.  When qemu hangs, kill it, and post trace.dat from the current directory.

Preferably run the kernel from kvm.git master, it has more trace data.

Make sure CONFIG_TRACEPOINTS is enabled.
Comment 18 Avi Kivity 2010-12-29 15:53:24 UTC
Oh, and please run the trace twice, the second time use 'trace-cmd record -b 200000 -e kvm -e kvmmmu qemu...'.  That provides even more trace data.
Comment 19 prochazka 2010-12-30 07:38:31 UTC
Created attachment 41902 [details]
trace-cmd log file ( -e kvm , -e kvm -e kvmmu )
Comment 20 Avi Kivity 2010-12-30 09:56:45 UTC
Looks like Windows RTC code.  Are you 100% sure it's related to the patch?

Please try without -mem-path.

What qemu version are you using?
Comment 21 Avi Kivity 2010-12-30 10:03:44 UTC
Please dump more instructions:

x/400i 0x806e4400
Comment 22 Avi Kivity 2010-12-30 10:16:25 UTC
When you say "Windows go on", do you mean it successfully booted?
Comment 23 prochazka 2010-12-30 10:31:04 UTC
Before trace-cmd (<= comment #16), I was using qemu-kvm 0.13.
After, I'm using the latest qemu-kvm git: same result.

Yes, I'm sure that it's related to the patch; without it, it's working with an XP guest from 2.6.34.7, 2.6.36.1 ... 2.6.37-rcX.

Same issue without -mem-prealloc -mem-path /hugepages.

1 - Run the VM, BIOS boots ok
2 - Windows boot displays "Demarrer Normalement" (Windows safe mode) because my image was not shut down correctly; I press enter
3 - Black screen, white cursor in the top left of the screen (same result with a proper Windows image)

4 - If I do an 'info registers' in the qemu monitor, Windows then continues its boot process and Windows is ready to play

- With this patched version (kvm module), Windows 7 seems to work, Linux also.

NP.
Comment 24 prochazka 2010-12-30 10:33:03 UTC
QEMU 0.13.50 monitor - type 'help' for more information
(qemu) stop
stop
(qemu) x/400i 0x806e4400
x/400i 0x806e4400
0x00000000806e4400:  add    $0xc1,%al
0x00000000806e4402:  loopne 0x806e4414
0x00000000806e4404:  mov    0x2(%ecx),%ax
0x00000000806e4408:  mov    0x38(%eax),%ecx
0x00000000806e440b:  mov    %ecx,0x38(%edx)
0x00000000806e440e:  mov    %ecx,0x4(%edx)
0x00000000806e4411:  movl   $0x806d0f08,0x20(%edx)
0x00000000806e4418:  movl   $0x0,0x24(%edx)
0x00000000806e441f:  movw   $0x8,0x4c(%edx)
0x00000000806e4425:  movw   $0x30,0x58(%edx)
0x00000000806e442b:  mov    %ss,0x50(%edx)
0x00000000806e442e:  movw   $0x23,0x48(%edx)
0x00000000806e4434:  movw   $0x23,0x54(%edx)
0x00000000806e443a:  movw   $0x10,0x8(%edx)
0x00000000806e4440:  movw   $0x0,0x60(%edx)
0x00000000806e4446:  movw   $0x0,0x64(%edx)
0x00000000806e444c:  movw   $0x20ad,0x66(%edx)
0x00000000806e4452:  mov    0xffdff03c,%ecx
0x00000000806e4458:  lea    0xa0(%ecx),%eax
0x00000000806e445e:  mov    %eax,%ecx
0x00000000806e4460:  movb   $0x89,0x5(%ecx)
0x00000000806e4464:  mov    %edx,%eax
0x00000000806e4466:  mov    %ax,0x2(%ecx)
0x00000000806e446a:  shr    $0x10,%eax
0x00000000806e446d:  mov    %ah,0x7(%ecx)
0x00000000806e4470:  mov    %al,0x4(%ecx)
0x00000000806e4473:  mov    $0x68,%eax
0x00000000806e4478:  mov    %ax,(%ecx)
0x00000000806e447b:  ret    $0x4
0x00000000806e447e:  int3   
0x00000000806e447f:  int3   
0x00000000806e4480:  int3   
0x00000000806e4481:  int3   
0x00000000806e4482:  int3   
0x00000000806e4483:  int3   
0x00000000806e4484:  int3   
0x00000000806e4485:  int3   
0x00000000806e4486:  int3   
0x00000000806e4487:  int3   
0x00000000806e4488:  int3   
0x00000000806e4489:  int3   
0x00000000806e448a:  int3   
0x00000000806e448b:  int3   
0x00000000806e448c:  int3   
0x00000000806e448d:  int3   
0x00000000806e448e:  int3   
0x00000000806e448f:  int3   
0x00000000806e4490:  push   %ebp
0x00000000806e4491:  mov    %esp,%ebp
0x00000000806e4493:  sub    $0xc,%esp
0x00000000806e4496:  pushf  
0x00000000806e4497:  cli    
0x00000000806e4498:  xor    %eax,%eax
0x00000000806e449a:  in     $0xa1,%al
0x00000000806e449c:  shl    $0x8,%eax
0x00000000806e449f:  in     $0x21,%al
0x00000000806e44a1:  push   %eax
0x00000000806e44a2:  mov    $0xfffffefb,%eax
0x00000000806e44a7:  out    %al,$0x21
0x00000000806e44a9:  shr    $0x8,%eax
0x00000000806e44ac:  out    %al,$0xa1
0x00000000806e44ae:  sidtl  -0x8(%ebp)
0x00000000806e44b2:  mov    -0x6(%ebp),%ecx
0x00000000806e44b5:  mov    $0x38,%eax
0x00000000806e44ba:  shl    $0x3,%eax
0x00000000806e44bd:  add    %eax,%ecx
0x00000000806e44bf:  pushl  (%ecx)
0x00000000806e44c1:  pushl  0x4(%ecx)
0x00000000806e44c4:  push   %ecx
0x00000000806e44c5:  mov    $0x806e4557,%eax
0x00000000806e44ca:  mov    %ax,(%ecx)
0x00000000806e44cd:  movw   $0x8,0x2(%ecx)
0x00000000806e44d3:  movw   $0x8e00,0x4(%ecx)
0x00000000806e44d9:  shr    $0x10,%eax
0x00000000806e44dc:  mov    %ax,0x6(%ecx)
0x00000000806e44e0:  movl   $0x0,-0xc(%ebp)
0x00000000806e44e7:  call   0x806d0c90
0x00000000806e44ec:  mov    $0x2d0a,%ax
0x00000000806e44f0:  out    %al,$0x70
0x00000000806e44f2:  jmp    0x806e44f4
0x00000000806e44f4:  mov    %ah,%al
0x00000000806e44f6:  out    %al,$0x71
0x00000000806e44f8:  jmp    0x806e44fa
0x00000000806e44fa:  mov    $0xb,%ax
0x00000000806e44fe:  out    %al,$0x70
0x00000000806e4500:  jmp    0x806e4502
0x00000000806e4502:  in     $0x71,%al
0x00000000806e4504:  jmp    0x806e4506
0x00000000806e4506:  and    $0x1,%al
0x00000000806e4508:  mov    %al,%ah
0x00000000806e450a:  or     $0x42,%ah
0x00000000806e450d:  mov    $0xb,%al
0x00000000806e450f:  out    %al,$0x70
0x00000000806e4511:  jmp    0x806e4513
0x00000000806e4513:  mov    %ah,%al
0x00000000806e4515:  out    %al,$0x71
0x00000000806e4517:  jmp    0x806e4519
0x00000000806e4519:  mov    $0xc,%al
0x00000000806e451b:  out    %al,$0x70
0x00000000806e451d:  jmp    0x806e451f
0x00000000806e451f:  in     $0x71,%al
0x00000000806e4521:  jmp    0x806e4523
0x00000000806e4523:  mov    $0xd,%al
0x00000000806e4525:  out    %al,$0x70
0x00000000806e4527:  jmp    0x806e4529
0x00000000806e4529:  in     $0x71,%al
0x00000000806e452b:  jmp    0x806e452d
0x00000000806e452d:  movl   $0x0,-0xc(%ebp)
0x00000000806e4534:  call   0x806d0cac
0x00000000806e4539:  xor    %eax,%eax
0x00000000806e453b:  add    $0x0,%eax
0x00000000806e4540:  sti    
0x00000000806e4541:  jmp    0x806e4550
0x00000000806e4543:  lea    0x0(%esp),%esp
0x00000000806e454a:  lea    0x0(%ebx),%ebx
0x00000000806e4550:  sub    $0x1,%eax
0x00000000806e4553:  jne    0x806e4550
0x00000000806e4555:  jmp    0x806e4550
0x00000000806e4557:  incl   -0xc(%ebp)
0x00000000806e455a:  cmpl   $0x1,-0xc(%ebp)
0x00000000806e455e:  jne    0x806e45bc
0x00000000806e4560:  pop    %eax
0x00000000806e4561:  push   $0x806e4550
0x00000000806e4566:  call   0x806d0c90
0x00000000806e456b:  mov    $0x2d0a,%ax
0x00000000806e456f:  out    %al,$0x70
0x00000000806e4571:  jmp    0x806e4573
0x00000000806e4573:  mov    %ah,%al
0x00000000806e4575:  out    %al,$0x71
0x00000000806e4577:  jmp    0x806e4579
0x00000000806e4579:  mov    $0xb,%ax
0x00000000806e457d:  out    %al,$0x70
0x00000000806e457f:  jmp    0x806e4581
0x00000000806e4581:  in     $0x71,%al
0x00000000806e4583:  jmp    0x806e4585
0x00000000806e4585:  and    $0x1,%al
0x00000000806e4587:  mov    %al,%ah
0x00000000806e4589:  or     $0x42,%ah
0x00000000806e458c:  mov    $0xb,%al
0x00000000806e458e:  out    %al,$0x70
0x00000000806e4590:  jmp    0x806e4592
0x00000000806e4592:  mov    %ah,%al
0x00000000806e4594:  out    %al,$0x71
0x00000000806e4596:  jmp    0x806e4598
0x00000000806e4598:  mov    $0xc,%al
0x00000000806e459a:  out    %al,$0x70
0x00000000806e459c:  jmp    0x806e459e
0x00000000806e459e:  in     $0x71,%al
0x00000000806e45a0:  jmp    0x806e45a2
0x00000000806e45a2:  mov    $0xd,%al
0x00000000806e45a4:  out    %al,$0x70
0x00000000806e45a6:  jmp    0x806e45a8
0x00000000806e45a8:  in     $0x71,%al
0x00000000806e45aa:  jmp    0x806e45ac
0x00000000806e45ac:  call   0x806d0cac
0x00000000806e45b1:  mov    $0x20,%al
0x00000000806e45b3:  out    %al,$0xa0
0x00000000806e45b5:  mov    $0x62,%al
0x00000000806e45b7:  out    %al,$0x20
0x00000000806e45b9:  xor    %eax,%eax
0x00000000806e45bb:  iret   
0x00000000806e45bc:  neg    %eax
0x00000000806e45be:  xor    %edx,%edx
0x00000000806e45c0:  mov    $0x1e848,%ecx
0x00000000806e45c5:  div    %ecx
0x00000000806e45c7:  cmp    $0x0,%edx
0x00000000806e45ca:  je     0x806e45cd
0x00000000806e45cc:  inc    %eax
0x00000000806e45cd:  mov    %eax,0xffdff04c
0x00000000806e45d2:  mov    %eax,0x806d8c24
0x00000000806e45d7:  pop    %eax
0x00000000806e45d8:  push   $0x806e4638
0x00000000806e45dd:  mov    $0x13,%eax
0x00000000806e45e2:  call   0x806d0c90
0x00000000806e45e7:  mov    $0x2d0a,%ax
0x00000000806e45eb:  out    %al,$0x70
0x00000000806e45ed:  jmp    0x806e45ef
0x00000000806e45ef:  mov    %ah,%al
0x00000000806e45f1:  out    %al,$0x71
0x00000000806e45f3:  jmp    0x806e45f5
0x00000000806e45f5:  mov    $0xb,%ax
0x00000000806e45f9:  out    %al,$0x70
0x00000000806e45fb:  jmp    0x806e45fd
0x00000000806e45fd:  in     $0x71,%al
0x00000000806e45ff:  jmp    0x806e4601
0x00000000806e4601:  and    $0x1,%al
0x00000000806e4603:  mov    %al,%ah
0x00000000806e4605:  or     $0x2,%ah
0x00000000806e4608:  mov    $0xb,%al
0x00000000806e460a:  out    %al,$0x70
0x00000000806e460c:  jmp    0x806e460e
0x00000000806e460e:  mov    %ah,%al
0x00000000806e4610:  out    %al,$0x71
0x00000000806e4612:  jmp    0x806e4614
0x00000000806e4614:  mov    $0xc,%al
0x00000000806e4616:  out    %al,$0x70
0x00000000806e4618:  jmp    0x806e461a
0x00000000806e461a:  in     $0x71,%al
0x00000000806e461c:  jmp    0x806e461e
0x00000000806e461e:  call   0x806d0cac
0x00000000806e4623:  mov    $0x8,%eax
0x00000000806e4628:  mov    $0x20,%al
0x00000000806e462a:  out    %al,$0xa0
0x00000000806e462c:  mov    $0x62,%al
0x00000000806e462e:  out    %al,$0x20
0x00000000806e4630:  andw   $0xfdff,0x8(%esp)
0x00000000806e4637:  iret   
0x00000000806e4638:  pop    %ecx
0x00000000806e4639:  popl   0x4(%ecx)
0x00000000806e463c:  popl   (%ecx)
0x00000000806e463e:  pop    %eax
0x00000000806e463f:  out    %al,$0x21
0x00000000806e4641:  shr    $0x8,%eax
0x00000000806e4644:  out    %al,$0xa1
0x00000000806e4646:  popf   
0x00000000806e4647:  mov    %ebp,%esp
0x00000000806e4649:  pop    %ebp
0x00000000806e464a:  ret    $0x4
0x00000000806e464d:  lea    0x0(%ecx),%ecx
0x00000000806e4650:  movw   $0xc98b,0x806d12a3
0x00000000806e4659:  ret    
0x00000000806e465a:  int3   
0x00000000806e465b:  int3   
0x00000000806e465c:  int3   
0x00000000806e465d:  int3   
0x00000000806e465e:  int3   
0x00000000806e465f:  int3   
0x00000000806e4660:  push   $0x806d9930
0x00000000806e4665:  call   *0x806d03e0
0x00000000806e466b:  push   $0x1
0x00000000806e466d:  push   $0x1
0x00000000806e466f:  push   $0x806d9920
0x00000000806e4674:  call   *0x806d03dc
0x00000000806e467a:  push   $0x0
0x00000000806e467c:  call   0x806d9cbe
0x00000000806e4681:  push   $0x0
0x00000000806e4683:  mov    %eax,0x806d9934
0x00000000806e4688:  call   0x806d9cbe
0x00000000806e468d:  mov    %eax,0x806d9910
0x00000000806e4692:  mov    $0x806d9908,%eax
0x00000000806e4697:  mov    %eax,0x806d990c
0x00000000806e469c:  mov    %eax,0x806d9908
0x00000000806e46a1:  mov    0x806d03d4,%eax
0x00000000806e46a6:  movl   $0x806d9d78,0x10(%eax)
0x00000000806e46ad:  mov    0x806d03d4,%eax
0x00000000806e46b2:  movl   $0x806d1ff6,0x4(%eax)
0x00000000806e46b9:  mov    0x806d03d4,%eax
0x00000000806e46be:  movl   $0x806d200e,0x8(%eax)
0x00000000806e46c5:  mov    0x806d03d8,%eax
0x00000000806e46ca:  movl   $0x806d2026,0x28(%eax)
0x00000000806e46d1:  mov    0x806d03d8,%eax
0x00000000806e46d6:  movl   $0x806d1f8a,0x2c(%eax)
0x00000000806e46dd:  mov    0x806d03d8,%eax
0x00000000806e46e2:  movl   $0x806d1fc0,0x30(%eax)
0x00000000806e46e9:  mov    0x806d03d4,%eax
0x00000000806e46ee:  movl   $0x806d20d6,0x1c(%eax)
0x00000000806e46f5:  mov    0x806d03d4,%eax
0x00000000806e46fa:  movl   $0x806da7fc,0x20(%eax)
0x00000000806e4701:  mov    0x806d03d4,%eax
0x00000000806e4706:  cmpl   $0x0,0x28(%eax)
0x00000000806e470a:  jne    0x806e4713
0x00000000806e470c:  movl   $0x806d21e6,0x28(%eax)
0x00000000806e4713:  ret    
0x00000000806e4714:  int3   
0x00000000806e4715:  int3   
0x00000000806e4716:  int3   
0x00000000806e4717:  int3   
0x00000000806e4718:  int3   
0x00000000806e4719:  int3   
0x00000000806e471a:  mov    %edi,%edi
0x00000000806e471c:  push   %ebp
0x00000000806e471d:  mov    %esp,%ebp
0x00000000806e471f:  sub    $0x10,%esp
0x00000000806e4722:  mov    0xc(%ebp),%eax
0x00000000806e4725:  xor    %dl,%dl
0x00000000806e4727:  test   %eax,%eax
0x00000000806e4729:  mov    %eax,0xc(%ebp)
0x00000000806e472c:  je     0x806e480a
0x00000000806e4732:  push   %ebx
0x00000000806e4733:  push   %esi
0x00000000806e4734:  mov    0x8(%ebp),%esi
0x00000000806e4737:  push   %edi
0x00000000806e4738:  jmp    0x806e473d
0x00000000806e473a:  mov    0xc(%ebp),%eax
0x00000000806e473d:  mov    0x10(%ebp),%ebx
0x00000000806e4740:  jmp    0x806e47f2
0x00000000806e4745:  mov    0x10(%eax),%ecx
0x00000000806e4748:  mov    0x10(%ebx),%edi
0x00000000806e474b:  mov    %ecx,-0x8(%ebp)
0x00000000806e474e:  mov    0x14(%eax),%ecx
0x00000000806e4751:  mov    %ecx,-0x4(%ebp)
0x00000000806e4754:  mov    0x18(%eax),%ecx
0x00000000806e4757:  mov    %ecx,-0x10(%ebp)
0x00000000806e475a:  mov    0x1c(%eax),%ecx
0x00000000806e475d:  mov    %ecx,-0xc(%ebp)
0x00000000806e4760:  mov    0x14(%ebx),%ecx
0x00000000806e4763:  cmp    %ecx,-0x4(%ebp)
0x00000000806e4766:  jg     0x806e4775
0x00000000806e4768:  jl     0x806e476f
0x00000000806e476a:  cmp    %edi,-0x8(%ebp)
0x00000000806e476d:  jae    0x806e4775
0x00000000806e476f:  mov    %edi,-0x8(%ebp)
0x00000000806e4772:  mov    %ecx,-0x4(%ebp)
0x00000000806e4775:  mov    0x1c(%ebx),%edi
0x00000000806e4778:  cmp    %edi,-0xc(%ebp)
0x00000000806e477b:  mov    0x18(%ebx),%ecx
0x00000000806e477e:  jl     0x806e478d
0x00000000806e4780:  jg     0x806e4787
0x00000000806e4782:  cmp    %ecx,-0x10(%ebp)
0x00000000806e4785:  jbe    0x806e478d
0x00000000806e4787:  mov    %ecx,-0x10(%ebp)
0x00000000806e478a:  mov    %edi,-0xc(%ebp)
0x00000000806e478d:  mov    -0x4(%ebp),%ecx
0x00000000806e4790:  cmp    -0xc(%ebp),%ecx
0x00000000806e4793:  jg     0x806e47f0
0x00000000806e4795:  jl     0x806e479f
0x00000000806e4797:  mov    -0x8(%ebp),%ecx
0x00000000806e479a:  cmp    -0x10(%ebp),%ecx
0x00000000806e479d:  ja     0x806e47f0
0x00000000806e479f:  test   %dl,%dl
0x00000000806e47a1:  je     0x806e47c4
0x00000000806e47a3:  push   $0x206c6148
0x00000000806e47a8:  push   $0x20
0x00000000806e47aa:  push   $0x0
0x00000000806e47ac:  call   *0x806d03b8
0x00000000806e47b2:  mov    %eax,%edi
0x00000000806e47b4:  push   $0x8
0x00000000806e47b6:  xor    %eax,%eax
0x00000000806e47b8:  mov    %edi,(%esi)
0x00000000806e47ba:  pop    %ecx
0x00000000806e47bb:  rep stos %eax,%es:(%edi)
0x00000000806e47bd:  mov    (%esi),%esi
0x00000000806e47bf:  and    %eax,(%esi)
0x00000000806e47c1:  mov    0xc(%ebp),%eax
0x00000000806e47c4:  mov    -0x8(%ebp),%ecx
0x00000000806e47c7:  mov    %ecx,0x10(%esi)
0x00000000806e47ca:  mov    -0x4(%ebp),%ecx
0x00000000806e47cd:  mov    %ecx,0x14(%esi)
0x00000000806e47d0:  mov    -0x10(%ebp),%ecx
0x00000000806e47d3:  mov    %ecx,0x18(%esi)
0x00000000806e47d6:  mov    -0xc(%ebp),%ecx
0x00000000806e47d9:  mov    %ecx,0x1c(%esi)
0x00000000806e47dc:  mov    0x8(%ebx),%ecx
0x00000000806e47df:  mov    %ecx,0x8(%esi)
0x00000000806e47e2:  mov    0xc(%ebx),%ecx
0x00000000806e47e5:  mov    %ecx,0xc(%esi)
0x00000000806e47e8:  mov    0x4(%ebx),%ecx
0x00000000806e47eb:  mov    $0x1,%dl
0x00000000806e47ed:  mov    %ecx,0x4(%esi)
0x00000000806e47f0:  mov    (%ebx),%ebx
0x00000000806e47f2:  test   %ebx,%ebx
0x00000000806e47f4:  jne    0x806e4745
0x00000000806e47fa:  mov    (%eax),%eax
0x00000000806e47fc:  test   %eax,%eax
0x00000000806e47fe:  mov    %eax,0xc(%ebp)
0x00000000806e4801:  jne    0x806e473a
0x00000000806e4807:  pop    %edi
0x00000000806e4808:  pop    %esi
0x00000000806e4809:  pop    %ebx
0x00000000806e480a:  leave  
0x00000000806e480b:  ret    $0xc
0x00000000806e480e:  int3   
0x00000000806e480f:  int3   
0x00000000806e4810:  int3   
0x00000000806e4811:  int3   
0x00000000806e4812:  int3   
0x00000000806e4813:  int3   
0x00000000806e4814:  mov    %edi,%edi
0x00000000806e4816:  push   %ebp
0x00000000806e4817:  mov    %esp,%ebp
0x00000000806e4819:  push   %edi
0x00000000806e481a:  push   $0x206c6148
0x00000000806e481f:  push   $0x20
0x00000000806e4821:  push   $0x0
0x00000000806e4823:  call   *0x806d03b8
0x00000000806e4829:  mov    %eax,%edx
0x00000000806e482b:  xor    %eax,%eax
0x00000000806e482d:  push   $0x8
0x00000000806e482f:  pop    %ecx
0x00000000806e4830:  mov    %edx,%edi
0x00000000806e4832:  rep stos %eax,%es:(%edi)
0x00000000806e4834:  mov    0x8(%ebp),%eax
0x00000000806e4837:  mov    (%eax),%ecx
0x00000000806e4839:  mov    %ecx,(%edx)
0x00000000806e483b:  mov    %edx,(%eax)
0x00000000806e483d:  mov    0x18(%ebp),%eax
0x00000000806e4840:  mov    %eax,0x10(%edx)
0x00000000806e4843:  mov    0x1c(%ebp),%eax
0x00000000806e4846:  mov    %eax,0x14(%edx)
0x00000000806e4849:  mov    0x20(%ebp),%eax
0x00000000806e484c:  mov    %eax,0x18(%edx)
0x00000000806e484f:  mov    0x24(%ebp),%eax
0x00000000806e4852:  mov    %eax,0x1c(%edx)
0x00000000806e4855:  mov    0x10(%ebp),%eax
0x00000000806e4858:  mov    %eax,0x8(%edx)
0x00000000806e485b:  mov    0x14(%ebp),%eax
0x00000000806e485e:  mov    %eax,0xc(%edx)
0x00000000806e4861:  mov    0xc(%ebp),%eax
0x00000000806e4864:  mov    %eax,0x4(%edx)
0x00000000806e4867:  pop    %edi
(qemu) 


=> if I do a cont here, Windows continues the boot process
Comment 25 Avi Kivity 2010-12-30 11:18:38 UTC
Please try with the following switches (separately):

-no-kvm-pit
-no-kvm-pit-reinjection
Comment 26 prochazka 2010-12-30 11:32:18 UTC
-no-kvm-pit   : not ok
-no-kvm-pit-reinjection : not ok
-no-kvm-pit -no-kvm-pit-reinjection : not ok


NP
Comment 27 prochazka 2010-12-30 11:39:10 UTC
-no-kvm-irqchip   : ok 

NP
Comment 28 Gleb 2010-12-30 12:56:48 UTC
Can you move share/qemu/vapic.bin to some other file and test?
Comment 29 prochazka 2010-12-30 13:05:00 UTC
mv /usr/local/share/qemu/vapic.bin /tmp/   : not ok 
-no-kvm-irqchip   : ok
Comment 30 Avi Kivity 2010-12-30 13:13:13 UTC
Please build a kernel from

  repository git://git.kernel.org/pub/scm/virt/kvm/kvm.git
  branch bz21962.debug-patch-2

with your current .config, and regenerate trace.dat (just -e kvm, no need for -e kvmmmu).
Comment 31 Gleb 2010-12-30 13:16:12 UTC
Can you repeat trace command from comment #17, but this time do not kill vm when it hangs. Instead issue "info cpus" in monitor and after guest continues kill it and post trace here.
Comment 32 prochazka 2010-12-30 13:43:00 UTC
#31 : 
(qemu) info cpus 
info cpus
* CPU #0: pc=0x00000000806e4550 thread_id=27970 

get trace at : http://www.neogap.com/tmp/trace.dat.gz

(after info cpus, the guest continues; before, it was hanging)
Comment 33 prochazka 2010-12-30 15:01:56 UTC
for #30 
get trace at : http://www.neogap.com/tmp/trace-bz21962.dat.gz


(qemu) info cpus
info cpus
* CPU #0: pc=0x00000000806e4550 thread_id=12232
Comment 34 Avi Kivity 2010-12-31 09:16:11 UTC
(In reply to comment #33)
> for #30 
> get trace at : http://www.neogap.com/tmp/trace-bz21962.dat.gz
> 
> 
> (qemu) info cpus
> info cpus
> * CPU #0: pc=0x00000000806e4550 thread_id=12232

Added an additional test patch.  Please pull from the same branch and report.  If it fails again, please post a new trace.
Comment 35 prochazka 2010-12-31 11:21:12 UTC
Hi, 
It seems to be ok now.
I think these bugs are closed.

Thanks for this job.
Nicolas.
Comment 36 Avi Kivity 2010-12-31 14:10:30 UTC
Great, thanks for the patient testing.
Comment 37 Steve 2011-01-03 22:32:09 UTC
Thank you for your time.

Now every Linux guest machine with a kernel below 2.6.36,
*BSD, and Windows (32/64) can run on pre-Nehalem CPUs after
using the 2.6.37-rc8-git3 kernel on the host system.

Please try to boot a Linux guest with a kernel above 2.6.36
(the machine hangs up and has to be killed). I tested 2.6.37-rc8-git3
on the guest but got the same result. The guest kernel has to be below
version 2.6.36.
Comment 38 Avi Kivity 2011-01-04 10:40:29 UTC
On 01/04/2011 12:32 AM, bugzilla-daemon@bugzilla.kernel.org wrote:
> --- Comment #37 from Steve<stefan.bosak@gmail.com>   2011-01-03 22:32:09 ---
> Thank you for your time.
>
> Now every Linux guest machine with a kernel below 2.6.36,
> *BSD, and Windows (32/64) can run on pre-Nehalem CPUs after
> using the 2.6.37-rc8-git3 kernel on the host system.
>
> Please try to boot a Linux guest with a kernel above 2.6.36
> (the machine hangs up and has to be killed). I tested 2.6.37-rc8-git3
> on the guest but got the same result. The guest kernel has to be below
> version 2.6.36.
>

Please file a new bug.  Provide 'info registers' and 'x/30i $eip - 20' 
at the point the guest hangs.