KVM internal error. Suberror: 1, emulation failure

KVM internal error. Suberror: 1, emulation failure

[Dave Hansen]

I'm causing qemu to spew these emulation failure messages until I kill
it.  The guest kernel being run has been hacked up pretty heavily and is
probably either accessing bad physical addresses (above the address
ranges in the e820 table) or trying to DMA to bad addresses.

What I'd really like qemu to be doing is trapping back in to the guest
kernel to have it handle this issue.  Then I'd have a better chance of
dumping out some debugging information to see where I went wrong.

host kernel: 3.10
guest kernel: Linus commit d2b4a64 + patches
qemu: v1.4.0-2835-g6453a3a

> KVM internal error. Suberror: 1
> emulation failure
> RAX=0000000000000000 RBX=00000000013c0410 RCX=0000000000000010 RDX=0000000000000010
> RSI=000000000000000a RDI=00007f6d256a73c0 RBP=ffffffffffffffff RSP=00007fffe2720ce8
> R8 =00000000ffffffff R9 =0000000000000000 R10=0000000000000022 R11=0000000000000246
> R12=00007fffe2720d58 R13=0000000000000400 R14=00007f6d256a7000 R15=0000000000000000
> RIP=00007f6d24c5a50e RFL=00010202 [-------] CPL=3 II=0 A20=1 SMM=0 HLT=0
> ES =0000 0000000000000000 ffffffff 00c00000
> CS =0033 0000000000000000 ffffffff 00a0fb00 DPL=3 CS64 [-RA]
> SS =002b 0000000000000000 ffffffff 00c0f300 DPL=3 DS   [-WA]
> DS =0000 0000000000000000 ffffffff 00c00000
> FS =0000 00007f6d2569d740 ffffffff 00c00000
> GS =0000 0000000000000000 ffffffff 00c00000
> LDT=0000 0000000000000000 ffffffff 00c00000
> TR =0040 ffff88007b190480 00002087 00008b00 DPL=0 TSS64-busy
> GDT=     ffff88007b184000 0000007f
> IDT=     ffffffffff57a000 00000fff
> CR0=80050033 CR2=00007f6d256a7000 CR3=000000006f13b000 CR4=000006e0
> DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 
> DR6=00000000ffff0ff0 DR7=0000000000000400
> EFER=0000000000000d01
> Code=d7 c3 85 c0 0f 85 bc 00 00 00 48 83 ea 10 0f 8e d2 00 00 00 <66> 0f 74 4f 30 66 0f d7 c1 85 c0 0f 85 b1 00 00 00 48 31 c0 c3 66 66 66 66 2e 0f 1f 84 00
> KVM internal error. Suberror: 1
> emulation failure
> RAX=0000000000000000 RBX=00000000013c0410 RCX=0000000000000010 RDX=0000000000000010
> RSI=000000000000000a RDI=00007f6d256a73c0 RBP=ffffffffffffffff RSP=00007fffe2720ce8
> R8 =00000000ffffffff R9 =0000000000000000 R10=0000000000000022 R11=0000000000000246
> R12=00007fffe2720d58 R13=0000000000000400 R14=00007f6d256a7000 R15=0000000000000000
> RIP=00007f6d24c5a50e RFL=00010202 [-------] CPL=3 II=0 A20=1 SMM=0 HLT=0
> ES =0000 0000000000000000 ffffffff 00c00000
> CS =0033 0000000000000000 ffffffff 00a0fb00 DPL=3 CS64 [-RA]
> SS =002b 0000000000000000 ffffffff 00c0f300 DPL=3 DS   [-WA]
> DS =0000 0000000000000000 ffffffff 00c00000
> FS =0000 00007f6d2569d740 ffffffff 00c00000
> GS =0000 0000000000000000 ffffffff 00c00000
> LDT=0000 0000000000000000 ffffffff 00c00000
> TR =0040 ffff88007b190480 00002087 00008b00 DPL=0 TSS64-busy
> GDT=     ffff88007b184000 0000007f
> IDT=     ffffffffff57a000 00000fff
> CR0=80050033 CR2=00007f6d256a7000 CR3=000000006f13b000 CR4=000006e0
> DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 
> DR6=00000000ffff0ff0 DR7=0000000000000400
> EFER=0000000000000d01
> Code=d7 c3 85 c0 0f 85 bc 00 00 00 48 83 ea 10 0f 8e d2 00 00 00 <66> 0f 74 4f 30 66 0f d7 c1 85 c0 0f 85 b1 00 00 00 48 31 c0 c3 66 66 66 66 2e 0f 1f 84 00

Re: KVM internal error. Suberror: 1, emulation failure

[Gleb Natapov]

On Wed, Jul 17, 2013 at 09:16:33AM -0700, Dave Hansen wrote:
> I'm causing qemu to spew these emulation failure messages until I kill
> it.  The guest kernel being run has been hacked up pretty heavily and is
> probably either accessing bad physical addresses (above the address
> ranges in the e820 table) or trying to DMA to bad addresses.
> 
It tries to do MMIO from userspace using "pcmpeqb 0x30(%rdi),%xmm1"
instruction which KVM does not emulate.

> What I'd really like qemu to be doing is trapping back in to the guest
> kernel to have it handle this issue.  Then I'd have a better chance of
> dumping out some debugging information to see where I went wrong.
> 
It traps back to the guest and injects #UD otherwise you wouldn't see
it spewing this message again and again. If emulation failure happens
from guest kernel space then QEMU stops on the first one.

> host kernel: 3.10
> guest kernel: Linus commit d2b4a64 + patches
> qemu: v1.4.0-2835-g6453a3a
> 
> > KVM internal error. Suberror: 1
> > emulation failure
> > RAX=0000000000000000 RBX=00000000013c0410 RCX=0000000000000010 RDX=0000000000000010
> > RSI=000000000000000a RDI=00007f6d256a73c0 RBP=ffffffffffffffff RSP=00007fffe2720ce8
> > R8 =00000000ffffffff R9 =0000000000000000 R10=0000000000000022 R11=0000000000000246
> > R12=00007fffe2720d58 R13=0000000000000400 R14=00007f6d256a7000 R15=0000000000000000
> > RIP=00007f6d24c5a50e RFL=00010202 [-------] CPL=3 II=0 A20=1 SMM=0 HLT=0
> > ES =0000 0000000000000000 ffffffff 00c00000
> > CS =0033 0000000000000000 ffffffff 00a0fb00 DPL=3 CS64 [-RA]
> > SS =002b 0000000000000000 ffffffff 00c0f300 DPL=3 DS   [-WA]
> > DS =0000 0000000000000000 ffffffff 00c00000
> > FS =0000 00007f6d2569d740 ffffffff 00c00000
> > GS =0000 0000000000000000 ffffffff 00c00000
> > LDT=0000 0000000000000000 ffffffff 00c00000
> > TR =0040 ffff88007b190480 00002087 00008b00 DPL=0 TSS64-busy
> > GDT=     ffff88007b184000 0000007f
> > IDT=     ffffffffff57a000 00000fff
> > CR0=80050033 CR2=00007f6d256a7000 CR3=000000006f13b000 CR4=000006e0
> > DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 
> > DR6=00000000ffff0ff0 DR7=0000000000000400
> > EFER=0000000000000d01
> > Code=d7 c3 85 c0 0f 85 bc 00 00 00 48 83 ea 10 0f 8e d2 00 00 00 <66> 0f 74 4f 30 66 0f d7 c1 85 c0 0f 85 b1 00 00 00 48 31 c0 c3 66 66 66 66 2e 0f 1f 84 00
> > KVM internal error. Suberror: 1
> > emulation failure
> > RAX=0000000000000000 RBX=00000000013c0410 RCX=0000000000000010 RDX=0000000000000010
> > RSI=000000000000000a RDI=00007f6d256a73c0 RBP=ffffffffffffffff RSP=00007fffe2720ce8
> > R8 =00000000ffffffff R9 =0000000000000000 R10=0000000000000022 R11=0000000000000246
> > R12=00007fffe2720d58 R13=0000000000000400 R14=00007f6d256a7000 R15=0000000000000000
> > RIP=00007f6d24c5a50e RFL=00010202 [-------] CPL=3 II=0 A20=1 SMM=0 HLT=0
> > ES =0000 0000000000000000 ffffffff 00c00000
> > CS =0033 0000000000000000 ffffffff 00a0fb00 DPL=3 CS64 [-RA]
> > SS =002b 0000000000000000 ffffffff 00c0f300 DPL=3 DS   [-WA]
> > DS =0000 0000000000000000 ffffffff 00c00000
> > FS =0000 00007f6d2569d740 ffffffff 00c00000
> > GS =0000 0000000000000000 ffffffff 00c00000
> > LDT=0000 0000000000000000 ffffffff 00c00000
> > TR =0040 ffff88007b190480 00002087 00008b00 DPL=0 TSS64-busy
> > GDT=     ffff88007b184000 0000007f
> > IDT=     ffffffffff57a000 00000fff
> > CR0=80050033 CR2=00007f6d256a7000 CR3=000000006f13b000 CR4=000006e0
> > DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 
> > DR6=00000000ffff0ff0 DR7=0000000000000400
> > EFER=0000000000000d01
> > Code=d7 c3 85 c0 0f 85 bc 00 00 00 48 83 ea 10 0f 8e d2 00 00 00 <66> 0f 74 4f 30 66 0f d7 c1 85 c0 0f 85 b1 00 00 00 48 31 c0 c3 66 66 66 66 2e 0f 1f 84 00
> --
> To unsubscribe from this list: send the line "unsubscribe kvm" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

--
			Gleb.

Re: KVM internal error. Suberror: 1, emulation failure

[Paolo Bonzini]

Il 17/07/2013 18:16, Dave Hansen ha scritto:
> I'm causing qemu to spew these emulation failure messages until I kill
> it.  The guest kernel being run has been hacked up pretty heavily and is
> probably either accessing bad physical addresses (above the address
> ranges in the e820 table) or trying to DMA to bad addresses.
> 
> What I'd really like qemu to be doing is trapping back in to the guest
> kernel to have it handle this issue.  Then I'd have a better chance of
> dumping out some debugging information to see where I went wrong.

This is happening because the kernel is executing a PCMPEQB instruction
on an invalid memory address.  This instruction is not yet emulated by
KVM.  If you want QEMU to trap back to the guest kernel, you can add
emulation of the instruction to arch/x86/kvm/emulate.c.

If you do not really care about the guest doing something sane, you can
use a stub emulation function that is just "return emulate_ud(ctxt)".
That alone could be a good starting point to attach a kernel debugger to
the guest.

Paolo

> host kernel: 3.10
> guest kernel: Linus commit d2b4a64 + patches
> qemu: v1.4.0-2835-g6453a3a
> 
>> > KVM internal error. Suberror: 1
>> > emulation failure
>> > RAX=0000000000000000 RBX=00000000013c0410 RCX=0000000000000010 RDX=0000000000000010
>> > RSI=000000000000000a RDI=00007f6d256a73c0 RBP=ffffffffffffffff RSP=00007fffe2720ce8
>> > R8 =00000000ffffffff R9 =0000000000000000 R10=0000000000000022 R11=0000000000000246
>> > R12=00007fffe2720d58 R13=0000000000000400 R14=00007f6d256a7000 R15=0000000000000000
>> > RIP=00007f6d24c5a50e RFL=00010202 [-------] CPL=3 II=0 A20=1 SMM=0 HLT=0
>> > ES =0000 0000000000000000 ffffffff 00c00000
>> > CS =0033 0000000000000000 ffffffff 00a0fb00 DPL=3 CS64 [-RA]
>> > SS =002b 0000000000000000 ffffffff 00c0f300 DPL=3 DS   [-WA]
>> > DS =0000 0000000000000000 ffffffff 00c00000
>> > FS =0000 00007f6d2569d740 ffffffff 00c00000
>> > GS =0000 0000000000000000 ffffffff 00c00000
>> > LDT=0000 0000000000000000 ffffffff 00c00000
>> > TR =0040 ffff88007b190480 00002087 00008b00 DPL=0 TSS64-busy
>> > GDT=     ffff88007b184000 0000007f
>> > IDT=     ffffffffff57a000 00000fff
>> > CR0=80050033 CR2=00007f6d256a7000 CR3=000000006f13b000 CR4=000006e0
>> > DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 
>> > DR6=00000000ffff0ff0 DR7=0000000000000400
>> > EFER=0000000000000d01
>> > Code=d7 c3 85 c0 0f 85 bc 00 00 00 48 83 ea 10 0f 8e d2 00 00 00 <66> 0f 74 4f 30 66 0f d7 c1 85 c0 0f 85 b1 00 00 00 48 31 c0 c3 66 66 66 66 2e 0f 1f 84 00
>> > KVM internal error. Suberror: 1
>> > emulation failure
>> > RAX=0000000000000000 RBX=00000000013c0410 RCX=0000000000000010 RDX=0000000000000010
>> > RSI=000000000000000a RDI=00007f6d256a73c0 RBP=ffffffffffffffff RSP=00007fffe2720ce8
>> > R8 =00000000ffffffff R9 =0000000000000000 R10=0000000000000022 R11=0000000000000246
>> > R12=00007fffe2720d58 R13=0000000000000400 R14=00007f6d256a7000 R15=0000000000000000
>> > RIP=00007f6d24c5a50e RFL=00010202 [-------] CPL=3 II=0 A20=1 SMM=0 HLT=0
>> > ES =0000 0000000000000000 ffffffff 00c00000
>> > CS =0033 0000000000000000 ffffffff 00a0fb00 DPL=3 CS64 [-RA]
>> > SS =002b 0000000000000000 ffffffff 00c0f300 DPL=3 DS   [-WA]
>> > DS =0000 0000000000000000 ffffffff 00c00000
>> > FS =0000 00007f6d2569d740 ffffffff 00c00000
>> > GS =0000 0000000000000000 ffffffff 00c00000
>> > LDT=0000 0000000000000000 ffffffff 00c00000
>> > TR =0040 ffff88007b190480 00002087 00008b00 DPL=0 TSS64-busy
>> > GDT=     ffff88007b184000 0000007f
>> > IDT=     ffffffffff57a000 00000fff
>> > CR0=80050033 CR2=00007f6d256a7000 CR3=000000006f13b000 CR4=000006e0
>> > DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 
>> > DR6=00000000ffff0ff0 DR7=0000000000000400
>> > EFER=0000000000000d01
>> > Code=d7 c3 85 c0 0f 85 bc 00 00 00 48 83 ea 10 0f 8e d2 00 00 00 <66> 0f 74 4f 30 66 0f d7 c1 85 c0 0f 85 b1 00 00 00 48 31 c0 c3 66 66 66 66 2e 0f 1f 84 00

Re: KVM internal error. Suberror: 1, emulation failure

[Gleb Natapov]

On Thu, Jul 18, 2013 at 07:58:31AM +0200, Paolo Bonzini wrote:
> Il 17/07/2013 18:16, Dave Hansen ha scritto:
> > I'm causing qemu to spew these emulation failure messages until I kill
> > it.  The guest kernel being run has been hacked up pretty heavily and is
> > probably either accessing bad physical addresses (above the address
> > ranges in the e820 table) or trying to DMA to bad addresses.
> > 
> > What I'd really like qemu to be doing is trapping back in to the guest
> > kernel to have it handle this issue.  Then I'd have a better chance of
> > dumping out some debugging information to see where I went wrong.
> 
> This is happening because the kernel is executing a PCMPEQB instruction
> on an invalid memory address.  This instruction is not yet emulated by
> KVM.  If you want QEMU to trap back to the guest kernel, you can add
> emulation of the instruction to arch/x86/kvm/emulate.c.
> 
> If you do not really care about the guest doing something sane, you can
> use a stub emulation function that is just "return emulate_ud(ctxt)".
> That alone could be a good starting point to attach a kernel debugger to
> the guest.
> 
This is the behaviour that he currently gets (assuming there is no bug
somewhere, run ftrace to check), see my other reply. Not sure what he does
in his #UD handler that emulation error reappear. Restart offending process?

--
			Gleb.