* [Qemu-devel] [Bug 1378554] [NEW] qemu segfault in virtio_scsi_handle_cmd_req_submit on ARM 32 bit
@ 2014-10-07 22:36 Richard Jones
2014-10-07 22:38 ` [Qemu-devel] [Bug 1378554] " Richard Jones
` (4 more replies)
0 siblings, 5 replies; 7+ messages in thread
From: Richard Jones @ 2014-10-07 22:36 UTC (permalink / raw)
To: qemu-devel
Public bug reported:
/home/rjones/d/qemu/arm-softmmu/qemu-system-arm \
-global virtio-blk-device.scsi=off \
-nodefconfig \
-enable-fips \
-nodefaults \
-display none \
-M virt \
-machine accel=kvm:tcg \
-m 500 \
-no-reboot \
-rtc driftfix=slew \
-global kvm-pit.lost_tick_policy=discard \
-kernel /home/rjones/d/libguestfs/tmp/.guestfs-1001/appliance.d/kernel \
-initrd /home/rjones/d/libguestfs/tmp/.guestfs-1001/appliance.d/initrd \
-device virtio-scsi-device,id=scsi \
-drive file=/home/rjones/d/libguestfs/tmp/libguestfseV4fT5/scratch.1,cache=unsafe,format=raw,id=hd0,if=none \
-device scsi-hd,drive=hd0 \
-drive file=/home/rjones/d/libguestfs/tmp/.guestfs-1001/appliance.d/root,snapshot=on,id=appliance,cache=unsafe,if=none \
-device scsi-hd,drive=appliance \
-device virtio-serial-device \
-serial stdio \
-chardev socket,path=/home/rjones/d/libguestfs/tmp/libguestfseV4fT5/guestfsd.sock,id=channel0 \
-device virtserialport,chardev=channel0,name=org.libguestfs.channel.0 \
-append 'panic=1 mem=500M console=ttyAMA0 udevtimeout=6000 no_timer_check lpj=4464640 acpi=off printk.time=1 cgroup_disable=memory root=/dev/sdb selinux=0 guestfs_verbose=1 TERM=xterm-256color'
The appliance boots, but segfaults as soon as the virtio-scsi driver is
loaded:
supermin: internal insmod virtio_scsi.ko
[ 3.992963] scsi0 : Virtio SCSI HBA
libguestfs: error: appliance closed the connection unexpectedly, see earlier error messages
I captured a core dump:
Core was generated by `/home/rjones/d/qemu/arm-softmmu/qemu-system-arm -global virtio-blk-device.scsi='.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000856bc in virtio_scsi_handle_cmd_req_submit (s=<optimized out>,
req=0x6c03acf8) at /home/rjones/d/qemu/hw/scsi/virtio-scsi.c:551
551 bdrv_io_unplug(req->sreq->dev->conf.bs);
(gdb) bt
#0 0x000856bc in virtio_scsi_handle_cmd_req_submit (s=<optimized out>,
req=0x6c03acf8) at /home/rjones/d/qemu/hw/scsi/virtio-scsi.c:551
#1 0x0008573a in virtio_scsi_handle_cmd (vdev=0xac4d68, vq=0xafe4b8)
at /home/rjones/d/qemu/hw/scsi/virtio-scsi.c:573
#2 0x0004fdbe in access_with_adjusted_size (addr=80,
value=value@entry=0x4443e6c0, size=size@entry=4, access_size_min=1,
access_size_max=<optimized out>, access_size_max@entry=0,
access=access@entry=0x4fee9 <memory_region_write_accessor>,
mr=mr@entry=0xa53fa8) at /home/rjones/d/qemu/memory.c:480
#3 0x00054234 in memory_region_dispatch_write (size=4, data=2,
addr=<optimized out>, mr=0xa53fa8) at /home/rjones/d/qemu/memory.c:1117
#4 io_mem_write (mr=0xa53fa8, addr=<optimized out>, val=val@entry=2,
size=size@entry=4) at /home/rjones/d/qemu/memory.c:1958
#5 0x00021c88 in address_space_rw (as=0x3b96b4 <address_space_memory>,
addr=167788112, buf=buf@entry=0x4443e790 "\002", len=len@entry=4,
is_write=is_write@entry=true) at /home/rjones/d/qemu/exec.c:2135
#6 0x00021de6 in address_space_write (len=4, buf=0x4443e790 "\002",
addr=<optimized out>, as=<optimized out>)
at /home/rjones/d/qemu/exec.c:2202
#7 subpage_write (opaque=<optimized out>, addr=<optimized out>, value=2,
len=4) at /home/rjones/d/qemu/exec.c:1811
#8 0x0004fdbe in access_with_adjusted_size (addr=592,
value=value@entry=0x4443e820, size=size@entry=4, access_size_min=1,
access_size_max=<optimized out>, access_size_max@entry=0,
access=access@entry=0x4fee9 <memory_region_write_accessor>,
mr=mr@entry=0xaed980) at /home/rjones/d/qemu/memory.c:480
#9 0x00054234 in memory_region_dispatch_write (size=4, data=2,
addr=<optimized out>, mr=0xaed980) at /home/rjones/d/qemu/memory.c:1117
#10 io_mem_write (mr=0xaed980, addr=<optimized out>, val=2, size=size@entry=4)
at /home/rjones/d/qemu/memory.c:1958
#11 0x00057f24 in io_writel (retaddr=1121296542, Cannot access memory at address 0x0
addr=<optimized out>, val=2,
physaddr=592, env=0x9d6c50) at /home/rjones/d/qemu/softmmu_template.h:381
#12 helper_le_stl_mmu (env=0x9d6c50, addr=<optimized out>, val=2,
mmu_idx=<optimized out>, retaddr=1121296542)
at /home/rjones/d/qemu/softmmu_template.h:419
#13 0x42d5a0a0 in ?? ()
Cannot access memory at address 0x0
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) print req
$1 = (VirtIOSCSIReq *) 0x6c03acf8
(gdb) print req->sreq
$2 = (SCSIRequest *) 0xc2c2c2c2
(gdb) print req->sreq->dev
Cannot access memory at address 0xc2c2c2c6
(gdb) print *req
$3 = {
dev = 0x6c000040,
vq = 0x6c000040,
qsgl = {
sg = 0x0,
nsg = 0,
nalloc = -1027423550,
size = 3267543746,
dev = 0xc2c2c2c2,
as = 0xc2c2c2c2
},
resp_iov = {
iov = 0xc2c2c2c2,
niov = -1027423550,
nalloc = -1027423550,
size = 3267543746
},
elem = {
index = 3267543746,
out_num = 3267543746,
in_num = 3267543746,
in_addr = {14033993530586874562 <repeats 1024 times>},
out_addr = {14033993530586874562 <repeats 1024 times>},
in_sg = {{
iov_base = 0xc2c2c2c2,
iov_len = 3267543746
} <repeats 1024 times>},
out_sg = {{
iov_base = 0xc2c2c2c2,
iov_len = 3267543746
} <repeats 1024 times>}
},
vring = 0xc2c2c2c2,
{
next = {
tqe_next = 0xc2c2c2c2,
tqe_prev = 0xc2c2c2c2
},
remaining = -1027423550
},
sreq = 0xc2c2c2c2,
resp_size = 3267543746,
mode = (SCSI_XFER_TO_DEV | unknown: 3267543744),
resp = {
cmd = {
sense_len = 3267543746,
resid = 3267543746,
status_qualifier = 49858,
status = 194 '\302',
response = 194 '\302'
},
tmf = {
response = 194 '\302'
},
an = {
event_actual = 3267543746,
response = 194 '\302'
},
event = {
event = 3267543746,
lun = "\302\302\302\302\302\302\302", <incomplete sequence \302>,
reason = 3267543746
}
},
req = {
{
cmd = {
lun = "\302\302\302\302\302\302\302", <incomplete sequence \302>,
tag = 14033993530586874562,
task_attr = 194 '\302',
prio = 194 '\302',
crn = 194 '\302'
},
cdb = 0x6c042d73 '\302' <repeats 36 times>, <incomplete sequence \302>
},
tmf = {
type = 3267543746,
subtype = 3267543746,
lun = "\302\302\302\302\302\302\302", <incomplete sequence \302>,
tag = 14033993530586874562
},
an = {
type = 3267543746,
lun = "\302\302\302\302\302\302\302", <incomplete sequence \302>,
event_requested = 3267543746
}
}
}
** Affects: qemu
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1378554
Title:
qemu segfault in virtio_scsi_handle_cmd_req_submit on ARM 32 bit
Status in QEMU:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1378554/+subscriptions
* [Qemu-devel] [Bug 1378554] Re: qemu segfault in virtio_scsi_handle_cmd_req_submit on ARM 32 bit
2014-10-07 22:36 [Qemu-devel] [Bug 1378554] [NEW] qemu segfault in virtio_scsi_handle_cmd_req_submit on ARM 32 bit Richard Jones
@ 2014-10-07 22:38 ` Richard Jones
2014-10-07 23:18 ` [Qemu-devel] [Bug 1378554] [NEW] " Paolo Bonzini
` (3 subsequent siblings)
4 siblings, 0 replies; 7+ messages in thread
From: Richard Jones @ 2014-10-07 22:38 UTC (permalink / raw)
To: qemu-devel
This is qemu from git today (2014-10-07).
The hardware is 32 bit ARM (ODROID-XU Samsung Exynos 5410). It is
running Ubuntu 14.04 LTS as the main operating system, but I am NOT
using qemu from Ubuntu (which is ancient).
* Re: [Qemu-devel] [Bug 1378554] [NEW] qemu segfault in virtio_scsi_handle_cmd_req_submit on ARM 32 bit
2014-10-07 22:36 [Qemu-devel] [Bug 1378554] [NEW] qemu segfault in virtio_scsi_handle_cmd_req_submit on ARM 32 bit Richard Jones
2014-10-07 22:38 ` [Qemu-devel] [Bug 1378554] " Richard Jones
@ 2014-10-07 23:18 ` Paolo Bonzini
2014-10-08 9:17 ` Richard W.M. Jones
2017-11-23 18:36 ` [Qemu-devel] [Bug 1378554] " Peter Maydell
` (2 subsequent siblings)
4 siblings, 1 reply; 7+ messages in thread
From: Paolo Bonzini @ 2014-10-07 23:18 UTC (permalink / raw)
To: Richard W.M. Jones, qemu-devel
Does this work:
diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
index 203e624..c6d4f2e 100644
--- a/hw/scsi/virtio-scsi.c
+++ b/hw/scsi/virtio-scsi.c
@@ -545,11 +545,12 @@ bool virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req)
void virtio_scsi_handle_cmd_req_submit(VirtIOSCSI *s, VirtIOSCSIReq *req)
{
- if (scsi_req_enqueue(req->sreq)) {
- scsi_req_continue(req->sreq);
+ SCSIRequest *sreq = req->sreq;
+ bdrv_io_unplug(sreq->dev->conf.bs);
+ if (scsi_req_enqueue(sreq)) {
+ scsi_req_continue(sreq);
}
- bdrv_io_unplug(req->sreq->dev->conf.bs);
- scsi_req_unref(req->sreq);
+ scsi_req_unref(sreq);
}
static void virtio_scsi_handle_cmd(VirtIODevice *vdev, VirtQueue *vq)
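Review bot: the hunk makes two changes and only one of them is needed for the reported crash. Caching req->sreq in a local removes the read of req after scsi_req_continue(), which is where the core dump shows req already freed and poisoned (req->sreq == 0xc2c2c2c2 at the bdrv_io_unplug line). Moving `bdrv_io_unplug(sreq->dev->conf.bs);` above `scsi_req_enqueue(sreq)` is a separate behaviour change: the unplug now happens before the request is enqueued and continued, so any I/O issued by that request is submitted after the unplug rather than flushed by it. If the reorder is not intended, keep the unplug after the `if` block using the cached sreq; if it is intended, the commit message should say why. Either way, a comment on the `SCSIRequest *sreq = req->sreq;` line stating that req may be freed by synchronous completion inside scsi_req_continue() and must not be dereferenced afterwards would record the constraint the fix depends on.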
?
Paolo
* Re: [Qemu-devel] [Bug 1378554] [NEW] qemu segfault in virtio_scsi_handle_cmd_req_submit on ARM 32 bit
2014-10-07 23:18 ` [Qemu-devel] [Bug 1378554] [NEW] " Paolo Bonzini
@ 2014-10-08 9:17 ` Richard W.M. Jones
0 siblings, 0 replies; 7+ messages in thread
From: Richard W.M. Jones @ 2014-10-08 9:17 UTC (permalink / raw)
To: Paolo Bonzini; +Cc: qemu-devel
On Wed, Oct 08, 2014 at 01:18:04AM +0200, Paolo Bonzini wrote:
> Does this work:
>
> diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
> index 203e624..c6d4f2e 100644
> --- a/hw/scsi/virtio-scsi.c
> +++ b/hw/scsi/virtio-scsi.c
> @@ -545,11 +545,12 @@ bool virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req)
>
> void virtio_scsi_handle_cmd_req_submit(VirtIOSCSI *s, VirtIOSCSIReq *req)
> {
> - if (scsi_req_enqueue(req->sreq)) {
> - scsi_req_continue(req->sreq);
> + SCSIRequest *sreq = req->sreq;
> + bdrv_io_unplug(sreq->dev->conf.bs);
> + if (scsi_req_enqueue(sreq)) {
> + scsi_req_continue(sreq);
> }
> - bdrv_io_unplug(req->sreq->dev->conf.bs);
> - scsi_req_unref(req->sreq);
> + scsi_req_unref(sreq);
> }
>
> static void virtio_scsi_handle_cmd(VirtIODevice *vdev, VirtQueue *vq)
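Review bot: with the Tested-by below confirming the fix, the missing piece is documentation rather than code. The diff has no comment explaining why the local exists, so a later cleanup could fold `sreq` back into `req->sreq` and reintroduce the use-after-free; a one-line comment next to `SCSIRequest *sreq = req->sreq;` and a commit message that names the failure mode (VirtIOSCSIReq freed by synchronous completion during scsi_req_continue(), then req read from freed memory) and references Launchpad bug 1378554 would close that gap.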
>
> ?
Yes, that fixes it.
Tested-by: Richard W.M. Jones <rjones@redhat.com>
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
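The crash and the fix above come down to one object-lifetime rule, illustrated here by an added example that is not code from the bug report or from QEMU: a scaled-down model of the request lifecycle in which a VirtIOSCSIReq owns a refcounted SCSIRequest, continuing the SCSI request may complete it synchronously, and completion frees the VirtIOSCSIReq. The buggy submit reads req->sreq after that call, as the crashing line did; the fixed submit copies the pointer out first, as Paolo's patch does. The arena allocator, the 0xc2 poison fill, the struct layouts and the function names are simplifications assumed for the demonstration; the poison value was chosen to match the 0xc2c2c2c2 pattern in the core dump and is not a claim about which allocator produced it there.

```c
/*
 * Added example, not QEMU code: a scaled-down model of the request
 * lifecycle behind the crash in this thread.  A VirtIOSCSIReq owns a
 * refcounted SCSIRequest; scsi_req_continue() may complete the request
 * synchronously, and completion frees the VirtIOSCSIReq.  Dereferencing
 * req after that call is a use-after-free.
 *
 * Memory comes from a small arena whose free() poisons the block with
 * 0xc2, so the stale read is deterministic (the arena stays mapped) and
 * shows the same 0xc2c2c2c2 pattern as the core dump.  All layouts and
 * names are simplified stand-ins (assumptions), not QEMU's.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON_BYTE 0xc2

static unsigned char arena[4096];
static size_t arena_top;

/* Bump allocator: never reuses memory, so a freed block keeps its poison. */
static void *arena_alloc(size_t n)
{
    size_t aligned = (n + 15) & ~(size_t)15;
    if (arena_top + aligned > sizeof(arena)) {
        return NULL;
    }
    void *p = &arena[arena_top];
    arena_top += aligned;
    memset(p, 0, aligned);
    return p;
}

static void arena_free(void *p, size_t n)
{
    memset(p, POISON_BYTE, n);
}

/* True when every byte of the block holds the poison value. */
static bool block_is_poisoned(const void *p, size_t n)
{
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++) {
        if (b[i] != POISON_BYTE) {
            return false;
        }
    }
    return true;
}

typedef struct SCSIDevice {
    const char *bs;                /* stands in for dev->conf.bs */
} SCSIDevice;

typedef struct SCSIRequest {
    int refcount;
    SCSIDevice *dev;
    bool completes_synchronously;  /* e.g. an emulated command with no I/O */
    void *hba_private;             /* back-pointer to the VirtIOSCSIReq */
} SCSIRequest;

typedef struct VirtIOSCSIReq {
    SCSIRequest *sreq;
} VirtIOSCSIReq;

/* Model of the HBA completion callback: the HBA frees its own request. */
static void scsi_req_complete(SCSIRequest *sreq)
{
    VirtIOSCSIReq *req = sreq->hba_private;
    sreq->hba_private = NULL;
    arena_free(req, sizeof(*req));   /* the VirtIOSCSIReq is gone from here on */
}

static bool scsi_req_enqueue(SCSIRequest *sreq)
{
    (void)sreq;
    return true;                     /* the request needs scsi_req_continue() */
}

/* May complete (and therefore free the owning VirtIOSCSIReq) before returning. */
static void scsi_req_continue(SCSIRequest *sreq)
{
    if (sreq->completes_synchronously) {
        scsi_req_complete(sreq);
    }
}

static void scsi_req_unref(SCSIRequest *sreq)
{
    if (--sreq->refcount == 0) {
        arena_free(sreq, sizeof(*sreq));
    }
}

/* Pair a fresh VirtIOSCSIReq with a SCSIRequest, as the prepare step would. */
static VirtIOSCSIReq *new_req(SCSIDevice *dev, bool completes_synchronously)
{
    VirtIOSCSIReq *req = arena_alloc(sizeof(*req));
    SCSIRequest *sreq = arena_alloc(sizeof(*sreq));
    if (!req || !sreq) {
        abort();
    }
    sreq->refcount = 1;              /* reference owned by the submitter */
    sreq->dev = dev;
    sreq->completes_synchronously = completes_synchronously;
    sreq->hba_private = req;
    req->sreq = sreq;
    return req;
}

/*
 * The pattern of the crashing code: req is read again after the call that
 * may have freed it.  Returns the raw value of req->sreq so the caller can
 * see what the stale read produced; on a real heap that value would be
 * dereferenced next and the process would fault, as in the core dump.
 */
static uintptr_t submit_buggy(VirtIOSCSIReq *req)
{
    if (scsi_req_enqueue(req->sreq)) {
        scsi_req_continue(req->sreq);
    }
    return (uintptr_t)req->sreq;     /* use-after-free when completion was synchronous */
}

/*
 * The pattern of the fix: copy what is needed out of req before the call
 * that may free it.  sreq stays valid because this function holds a
 * reference.  Returns the name bdrv_io_unplug() would have been given.
 */
static const char *submit_fixed(VirtIOSCSIReq *req)
{
    SCSIRequest *sreq = req->sreq;   /* req must not be touched after continue */
    if (scsi_req_enqueue(sreq)) {
        scsi_req_continue(sreq);
    }
    const char *bs = sreq->dev->bs;  /* bdrv_io_unplug(sreq->dev->conf.bs) */
    scsi_req_unref(sreq);
    return bs;
}

int main(void)
{
    SCSIDevice hd0 = { .bs = "hd0" };

    uintptr_t stale = submit_buggy(new_req(&hd0, true));
    printf("buggy: req->sreq after continue = 0x%jx (%s)\n", (uintmax_t)stale,
           block_is_poisoned(&stale, sizeof stale) ? "poison" : "live");

    VirtIOSCSIReq *req = new_req(&hd0, true);
    SCSIRequest *sreq = req->sreq;
    printf("fixed: unplugged %s, sreq freed: %s\n", submit_fixed(req),
           block_is_poisoned(sreq, sizeof *sreq) ? "yes" : "no");
    return 0;
}
```

Run as is, the buggy path prints 0xc2c2c2c2c2c2c2c2 on a 64-bit host (0xc2c2c2c2 on the 32-bit ARM board in the report), which is what `print req->sreq` showed in gdb; the fixed path reaches the block device name and then drops its reference. The general rule the example encodes: after calling anything that can run a completion callback, treat every pointer to an object that callback may free as dead, and take what you need from it before the call.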
* [Qemu-devel] [Bug 1378554] Re: qemu segfault in virtio_scsi_handle_cmd_req_submit on ARM 32 bit
2014-10-07 22:36 [Qemu-devel] [Bug 1378554] [NEW] qemu segfault in virtio_scsi_handle_cmd_req_submit on ARM 32 bit Richard Jones
2014-10-07 22:38 ` [Qemu-devel] [Bug 1378554] " Richard Jones
2014-10-07 23:18 ` [Qemu-devel] [Bug 1378554] [NEW] " Paolo Bonzini
@ 2017-11-23 18:36 ` Peter Maydell
2017-11-23 19:11 ` Peter Maydell
2017-11-23 19:20 ` Richard Jones
4 siblings, 0 replies; 7+ messages in thread
From: Peter Maydell @ 2017-11-23 18:36 UTC (permalink / raw)
To: qemu-devel
Richard, is this 3-year-old bug still an issue?
** Tags added: arm
* [Qemu-devel] [Bug 1378554] Re: qemu segfault in virtio_scsi_handle_cmd_req_submit on ARM 32 bit
2014-10-07 22:36 [Qemu-devel] [Bug 1378554] [NEW] qemu segfault in virtio_scsi_handle_cmd_req_submit on ARM 32 bit Richard Jones
` (2 preceding siblings ...)
2017-11-23 18:36 ` [Qemu-devel] [Bug 1378554] " Peter Maydell
@ 2017-11-23 19:11 ` Peter Maydell
2017-11-23 19:20 ` Richard Jones
4 siblings, 0 replies; 7+ messages in thread
From: Peter Maydell @ 2017-11-23 19:11 UTC (permalink / raw)
To: qemu-devel
Ah, my mail client found the thread that tells me this was fixed in
commit 35e4e96c4d5bfcf. So we can close this.
** Changed in: qemu
Status: New => Fix Released
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1378554
Title:
qemu segfault in virtio_scsi_handle_cmd_req_submit on ARM 32 bit
Status in QEMU:
Fix Released
* [Qemu-devel] [Bug 1378554] Re: qemu segfault in virtio_scsi_handle_cmd_req_submit on ARM 32 bit
From: Richard Jones @ 2017-11-23 19:20 UTC (permalink / raw)
To: qemu-devel
Yes, qemu's working fine on aarch64 so this must have been fixed.
Thread overview: 7+ messages
2014-10-07 22:36 [Qemu-devel] [Bug 1378554] [NEW] qemu segfault in virtio_scsi_handle_cmd_req_submit on ARM 32 bit Richard Jones
2014-10-07 22:38 ` [Qemu-devel] [Bug 1378554] " Richard Jones
2014-10-07 23:18 ` [Qemu-devel] [Bug 1378554] [NEW] " Paolo Bonzini
2014-10-08 9:17 ` Richard W.M. Jones
2017-11-23 18:36 ` [Qemu-devel] [Bug 1378554] " Peter Maydell
2017-11-23 19:11 ` Peter Maydell
2017-11-23 19:20 ` Richard Jones