Beginning with 2.6.38, my system crashes when I try to start my KVM...

Motherboard: Intel DQ67SW
CPU: Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz

00:00.0 Host bridge: Intel Corporation 2nd Generation Core Processor Family DRAM Controller (rev 09)
00:01.0 PCI bridge: Intel Corporation Xeon E3-1200/2nd Generation Core Processor Family PCI Express Root Port (rev 09)
00:02.0 VGA compatible controller: Intel Corporation Sandy Bridge Integrated Graphics Controller (rev 09)
00:16.0 Communication controller: Intel Corporation Cougar Point HECI Controller #1 (rev 04)
00:16.2 IDE interface: Intel Corporation Cougar Point IDE-r Controller (rev 04)
00:16.3 Serial controller: Intel Corporation Cougar Point KT Controller (rev 04)
00:19.0 Ethernet controller: Intel Corporation 82579LM Gigabit Network Connection (rev 04)
00:1a.0 USB Controller: Intel Corporation Cougar Point USB Enhanced Host Controller #2 (rev 04)
00:1b.0 Audio device: Intel Corporation Cougar Point High Definition Audio Controller (rev 04)
00:1c.0 PCI bridge: Intel Corporation Cougar Point PCI Express Root Port 1 (rev b4)
00:1c.6 PCI bridge: Intel Corporation Cougar Point PCI Express Root Port 7 (rev b4)
00:1d.0 USB Controller: Intel Corporation Cougar Point USB Enhanced Host Controller #1 (rev 04)
00:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev a4)
00:1f.0 ISA bridge: Intel Corporation Q67 Express Chipset Family LPC Controller (rev 04)
00:1f.2 SATA controller: Intel Corporation Cougar Point 6 port SATA AHCI Controller (rev 04)
00:1f.3 SMBus: Intel Corporation Cougar Point SMBus Controller (rev 04)
01:00.0 VGA compatible controller: ATI Technologies Inc Cypress [Radeon HD 5800 Series]
01:00.1 Audio device: ATI Technologies Inc Cypress HDMI Audio [Radeon HD 5800 Series]
03:00.0 USB Controller: NEC Corporation uPD720200 USB 3.0 Host Controller (rev 03)
04:00.0 Ethernet controller: Accton Technology Corporation SMC2-1211TX (rev 10)
04:03.0 FireWire (IEEE 1394): Agere Systems FW322/323 (rev 70)

Please note that the Radeon 5850 (01:00.0 above) is being passed through to the KVM. This works flawlessly in 2.6.37.

pci-stub 0000:01:00.0: claimed by stub
pci-stub 0000:01:00.0: claimed by stub
HDA Intel 0000:01:00.1: PCI INT B disabled
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<ffffffff8121e462>] rb_erase+0x132/0x310
PGD 23581c067 PUD 237aa6067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
last sysfs file: /sys/bus/pci/drivers/HDA Intel/unbind
CPU 0
Modules linked in: pci_stub netconsole configfs cfq_iosched blk_cgroup snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss bridge stp llc ipv6 usblp coretemp hwmon snd_hda_codec_hdmi snd_hda_codec_realtek usb_storage usbhid hid snd_hda_intel snd_hda_codec i915 8250_pci drm_kms_helper firewire_ohci drm snd_hwdep snd_pcm rtc_cmos i2c_algo_bit ehci_hcd 8250_pnp snd_timer snd 8139too 8250 e1000e usbcore firewire_core rtc_core i2c_i801 sg evdev psmouse tpm_tis video ata_generic button mii snd_page_alloc serial_core crc_itu_t rtc_lib tpm tpm_bios pata_acpi

Pid: 2362, comm: script Not tainted 2.6.39 #2 /DQ67SW
RIP: 0010:[<ffffffff8121e462>]  [<ffffffff8121e462>] rb_erase+0x132/0x310
RSP: 0018:ffff88023e203dc0  EFLAGS: 00010007
RAX: ffff8802363ceb40 RBX: ffff8802363ceb80 RCX: ffff8802363ceb81
RDX: ffff8802363ceb81 RSI: ffff8802393c5de8 RDI: 0000000000000000
RBP: ffff88023e203dd0 R08: 0000000000000001 R09: 00000000000000da
R10: 0040000000000000 R11: 0000000000000000 R12: ffff8802393c5de8
R13: 0000000000000082 R14: 0000000000000fa8 R15: ffff88023d043080
FS:  0000000000000000(0000) GS:ffff88023e200000(0063) knlGS:00000000f75d1b20
CS:  0010 DS: 002b ES: 002b CR0: 000000008005003b
CR2: 0000000000000000 CR3: 00000002379fd000 CR4: 00000000000406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process script (pid: 2362, threadinfo ffff8802382a4000, task ffff8802382000c0)
Stack:
 ffff8802393c5de0 ffff8802391886c0 ffff88023e203e00 ffffffff8124764e
 0000000000000003 0000000000000004 0000000000000003 ffff8802391886c0
 ffff88023e203e50 ffffffff812488f4 ffff88023e2113b0 0000000137aff0c0
Call Trace:
 <IRQ>
 [<ffffffff8124764e>] __free_iova+0x4e/0x70
 [<ffffffff812488f4>] flush_unmaps+0xc4/0x170
 [<ffffffff812489bd>] flush_unmaps_timeout+0x1d/0x40
 [<ffffffff81076f57>] run_timer_softirq+0x127/0x240
 [<ffffffff812489a0>] ? flush_unmaps+0x170/0x170
 [<ffffffff81093deb>] ? clockevents_program_event+0x5b/0x90
 [<ffffffff81070a98>] __do_softirq+0x98/0x120
 [<ffffffff813c814c>] call_softirq+0x1c/0x30
 [<ffffffff810338ad>] do_softirq+0x4d/0x80
 [<ffffffff81070e26>] irq_exit+0x96/0xb0
 [<ffffffff8104b5bb>] smp_apic_timer_interrupt+0x6b/0xa0
 [<ffffffff813c7c93>] apic_timer_interrupt+0x13/0x20
 <EOI>
 [<ffffffff8124933e>] ? dma_pte_clear_range+0x4e/0x150
 [<ffffffff81249406>] ? dma_pte_clear_range+0x116/0x150
 [<ffffffff8124a5ba>] domain_exit+0x4a/0x170
 [<ffffffff8124a76d>] device_notifier+0x8d/0x90
 [<ffffffff8108badc>] notifier_call_chain+0x4c/0x70
 [<ffffffff8108be33>] __blocking_notifier_call_chain+0x53/0x80
 [<ffffffff8108be71>] blocking_notifier_call_chain+0x11/0x20
 [<ffffffff812c1445>] __device_release_driver+0xa5/0xc0
 [<ffffffff812c1488>] device_release_driver+0x28/0x40
 [<ffffffff812c0749>] driver_unbind+0x99/0xb0
 [<ffffffff812c0067>] drv_attr_store+0x27/0x30
 [<ffffffff8117ce2c>] sysfs_write_file+0xcc/0x150
 [<ffffffff81116d16>] vfs_write+0xc6/0x180
 [<ffffffff8111702c>] sys_write+0x4c/0x90
 [<ffffffff813c81e9>] sysenter_dispatch+0x7/0x27
Code: 48 83 e2 fc 48 89 d3 48 85 c0 74 0c 48 8b 10 f6 c2 01 0f 84 ad 00 00 00 49 3b 04 24 0f 84 97 00 00 00 48 8b 7b 10 48 39 c7 74 26 8b 07 a8 01 75 9d eb 81 0f 1f 44 00 00 48 3b 78 10 0f 84 76
RIP  [<ffffffff8121e462>] rb_erase+0x132/0x310
 RSP <ffff88023e203dc0>
CR2: 0000000000000000
---[ end trace 162dda125a7cce0e ]---
Kernel panic - not syncing: Fatal exception in interrupt
Pid: 2362, comm: script Tainted: G      D     2.6.39 #2
Call Trace:
 <IRQ>
 [<ffffffff813c3856>] panic+0x9b/0x1a0
 [<ffffffff810351aa>] oops_end+0xda/0xe0
 [<ffffffff810543b0>] no_context+0xf0/0x260
 [<ffffffff81054635>] __bad_area_nosemaphore+0x115/0x1d0
 [<ffffffff810546fe>] bad_area_nosemaphore+0xe/0x10
 [<ffffffff81054b68>] do_page_fault+0x268/0x420
 [<ffffffff81060b6a>] ? select_task_rq_fair+0x42a/0x870
 [<ffffffff813c6f0f>] page_fault+0x1f/0x30
 [<ffffffff8121e462>] ? rb_erase+0x132/0x310
 [<ffffffff8124764e>] __free_iova+0x4e/0x70
 [<ffffffff812488f4>] flush_unmaps+0xc4/0x170
 [<ffffffff812489bd>] flush_unmaps_timeout+0x1d/0x40
 [<ffffffff81076f57>] run_timer_softirq+0x127/0x240
 [<ffffffff812489a0>] ? flush_unmaps+0x170/0x170
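The trace above interleaves two things that a triager wants separated: the code that was running at the time of the fault (a timer softirq, between the <IRQ> and <EOI> markers) and the task that the interrupt landed on (the script writing to the sysfs unbind file). The script below is an added example for this thread, not code from the report or from the kernel tree. It parses a trimmed copy of the report's own oops text, splits the frames by context, and treats `?`-prefixed frames as unreliable, following the conventions of the 2.6-era x86-64 oops format; the parsing rules and the context labels are this example's own assumptions.

```python
"""Triage helper for a flattened x86-64 kernel oops.

Added example for this thread; not code from the report or the kernel tree.
OOPS quotes a trimmed subset of the trace in the report above. The parsing
rules below are assumptions based on the 2.6-era oops format: <IRQ>/<EOI>
bracket the interrupt frames, and '?' marks frames the unwinder could not
verify (stale stack slots that may not be part of the real call chain).
"""
import re

OOPS = """\
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<ffffffff8121e462>] rb_erase+0x132/0x310
Oops: 0000 [#1] PREEMPT SMP
last sysfs file: /sys/bus/pci/drivers/HDA Intel/unbind
Pid: 2362, comm: script Not tainted 2.6.39 #2 /DQ67SW
Call Trace:
 <IRQ>
 [<ffffffff8124764e>] __free_iova+0x4e/0x70
 [<ffffffff812488f4>] flush_unmaps+0xc4/0x170
 [<ffffffff812489bd>] flush_unmaps_timeout+0x1d/0x40
 [<ffffffff81076f57>] run_timer_softirq+0x127/0x240
 [<ffffffff812489a0>] ? flush_unmaps+0x170/0x170
 [<ffffffff81070a98>] __do_softirq+0x98/0x120
 [<ffffffff813c7c93>] apic_timer_interrupt+0x13/0x20
 <EOI>
 [<ffffffff8124933e>] ? dma_pte_clear_range+0x4e/0x150
 [<ffffffff8124a5ba>] domain_exit+0x4a/0x170
 [<ffffffff8124a76d>] device_notifier+0x8d/0x90
 [<ffffffff812c0749>] driver_unbind+0x99/0xb0
 [<ffffffff8117ce2c>] sysfs_write_file+0xcc/0x150
 [<ffffffff8111702c>] sys_write+0x4c/0x90
Kernel panic - not syncing: Fatal exception in interrupt
"""

# " [<addr>] ? symbol+0xoff/0xsize"; the optional "? " marks an unreliable frame
FRAME_RE = re.compile(
    r"^\s*\[<([0-9a-f]{16})>\]\s*(\?\s*)?(\S+?)\+0x([0-9a-f]+)/0x([0-9a-f]+)")
PID_RE = re.compile(
    r"^Pid: (\d+), comm: (\S+) (Not tainted|Tainted: [A-Z ]+?)\s+(\d\S*)")


def parse_oops(text):
    """Return the faulting IP, the triggering task and the context-split trace."""
    info = {"ip": None, "symbol": None, "sysfs_file": None, "pid": None,
            "comm": None, "tainted": None, "kernel": None, "frames": []}
    context = "task"  # flips to "irq" between <IRQ> and <EOI>
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "<IRQ>":
            context = "irq"
            continue
        if stripped == "<EOI>":
            context = "task"
            continue
        m = re.match(r"^IP: \[<([0-9a-f]+)>\] (\S+)", line)
        if m:
            info["ip"], info["symbol"] = m.group(1), m.group(2)
            continue
        m = re.match(r"^last sysfs file: (.*)$", line)
        if m:
            info["sysfs_file"] = m.group(1)
            continue
        m = PID_RE.match(line)
        if m and info["pid"] is None:  # keep the first (pre-panic) Pid line
            info["pid"] = int(m.group(1))
            info["comm"] = m.group(2)
            info["tainted"] = not m.group(3).startswith("Not")
            info["kernel"] = m.group(4)
            continue
        m = FRAME_RE.match(line)
        if m:
            info["frames"].append({
                "addr": m.group(1),
                "reliable": m.group(2) is None,
                "symbol": m.group(3),
                "offset": int(m.group(4), 16),
                "size": int(m.group(5), 16),
                "context": context,
            })
    return info


def crash_context(info):
    """'timer-softirq', 'irq' or 'task': where the faulting code was running."""
    irq_syms = [f["symbol"] for f in info["frames"] if f["context"] == "irq"]
    if "run_timer_softirq" in irq_syms:
        return "timer-softirq"
    return "irq" if irq_syms else "task"


def interrupted_task_path(info):
    """Reliable frames of the interrupted task, innermost first."""
    return [f["symbol"] for f in info["frames"]
            if f["context"] == "task" and f["reliable"]]


def summarize(info):
    """One-line triage summary suitable for a bug comment."""
    return ("{sym} faulted in {ctx} while pid {pid} ({comm}) was in "
            "{path}; last sysfs write: {sysfs}").format(
                sym=info["symbol"], ctx=crash_context(info),
                pid=info["pid"], comm=info["comm"],
                path=" <- ".join(interrupted_task_path(info)),
                sysfs=info["sysfs_file"])


if __name__ == "__main__":
    print(summarize(parse_oops(OOPS)))
```

Run on the quoted trace, the summary reads that `rb_erase` faulted in a timer softirq while the `script` process was inside `driver_unbind` via `sysfs_write_file`, which is the same split the report makes by hand: the unbind write is the trigger, the timer-driven unmap flush is where the fault lands.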
Further details: This is unrelated to IOMMU. The BUG occurs when my script attempts to unbind snd-hda-intel. Skipping that step results in a functional VM. Moving to audio driver category...
Could you try to copy 2.6.37 sound/pci/hda/* files into 2.6.38 and check whether the bug still occurs? If yes, the culprit is somewhere else.
Built the kernel+modules, will test at next reboot (probably today; I have a new PSU to test). As I noticed this bug doesn't occur with qemu's "hda", I feel it relevant to mention I was *only* attempting to unbind the Radeon 5850, not the onboard sound.
2.6.28.8 with sound/pci/hda from 2.6.37.5: Oops