qemu-devel

[Qemu-devel] Using SCSI disks causes segfaults


From: Gunnar Beutner
Subject: [Qemu-devel] Using SCSI disks causes segfaults
Date: Sun, 20 Sep 2009 03:15:37 +0200
User-agent: Thunderbird 2.0.0.23 (Windows/20090812)


Hello QEMU devs,

I'm seeing some rather peculiar crashes here when using emulated SCSI
disks. But let me give you some general information about my QEMU
installation first:

QEMU version: 0.11.0-rc2, also reproduced with 0.10.6
QEMU configure flags: ./configure --prefix=/opt/qemu
--target-list=x86_64-softmmu --enable-debug
KVM version: kvm-kmod-devel-88 "srcversion: 582A2669898E61DCDFACF8D"
(however, this problem also happens when KVM/KQEMU is disabled)
Kernel (host): Linux 2.6.30 (vanilla) x64
Kernel (vm): Linux 2.6.30 (vanilla) x64, also reproduced this using
Debian lenny's kernel (2.6.26-1-amd64)

What I'm trying to do is to assign two SATA disks to a virtual machine
as SCSI devices. Here's how I'm starting QEMU:

/opt/qemu/bin/qemu-system-x86_64 -enable-kvm -drive
if=scsi,file=/dev/sda -drive if=scsi,file=/dev/sdb -net
nic,model=rtl8139,macaddr=00:1d:92:f3:ad:dc -net socket,fd=200 -vnc
:1,password -k de -monitor stdio -S -usbdevice tablet -m 256 -smp 1
-boot order=n

Both disks (sda, sdb) have the following partition layout:

Disk /dev/sda: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00041e09

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1               1         523     4200997   fd  Linux raid autodetect
/dev/sda2             524         785     2104515   fd  Linux raid autodetect
/dev/sda3             786       60801   482078520   fd  Linux raid autodetect

The virtual machine boots a minimal Debian installation using PXE. Once
that's running, the following commands are executed inside the VM:

mdadm --create /dev/md0 -l 1 -n 2 /dev/sda1 /dev/sdb1
mdadm --create /dev/md1 -l 1 -n 2 /dev/sda2 /dev/sdb2
mdadm --create /dev/md2 -l 1 -n 2 /dev/sda3 /dev/sdb3

mkswap /dev/md0
mkfs /dev/md1
mkfs /dev/md2

About half-way through the last "mkfs" I'm getting the following errors
in the QEMU console:

lsi_scsi: error: IO with unknown tag 65653
scsi-disk: Tag 0x10075 already in use
scsi-disk: Tag 0x10053 already in use

QEMU crashes as soon as mkfs is finished or when stopping mkfs either
using CTRL+C or CTRL+S (once the previously shown errors show up in the
QEMU console):

lsi_scsi: error: IO with unknown tag 65813
lsi_scsi: error: IO with unknown tag 65831
lsi_scsi: error: IO with unknown tag 65845
lsi_scsi: error: IO with unknown tag 65867
/root/startqemu: line 2: 24453 Segmentation fault      (core dumped)
/opt/qemu/bin/qemu-system-x86_64 -enable-kvm -drive
if=scsi,file=/dev/sda -drive if=scsi,file=/dev/sdb -net
nic,model=rtl8139,macaddr=00:1d:92:f3:ad:dc -net socket,fd=200 -vnc
:1,password -k de -monitor stdio -S -usbdevice tablet -m 256 -smp 1
-boot order=n

For some reason the number/size of md devices matters. I can't seem to
(directly) reproduce the crash with just one md device or differently
sized partitions.

However, these crashes also happen during normal operation (i.e. not just
when running mkfs) at irregular intervals, at least when md devices are
involved. Sometimes I am getting kernel panics (rather than QEMU
segfaults) which appear to be directly related to the LSI SCSI kernel
module:

http://gunnar.beutner.name/try10
http://gunnar.beutner.name/try11

I've been trying to reproduce this problem for a while now and (so far)
I'm getting two distinct stacktraces from the crashes:

(gdb) bt full
#0  0x00007f26f11b100b in memcpy () from /lib/libc.so.6
No symbol table info available.
#1  0x0000000000518da4 in cpu_physical_memory_rw (addr=146219008,
buf=0x0, len=4096, is_write=1) at /root/qemu-0.11.0-rc2/exec.c:3151
        addr1 = 146219008
        l = 4096
        io_index = 0
        ptr = (uint8_t *) 0x7f26e3fb1000 "À;9\230"
        val = 0
        page = 146219008
        pd = 146219008
        p = (PhysPageDesc *) 0xcf1b90
#2  0x000000000057e677 in cpu_physical_memory_write (addr=146219008,
buf=0x0, len=4096) at ../cpu-common.h:59
No locals.
#3  0x000000000057e572 in lsi_do_dma (s=0xc7f820, out=0) at
/root/qemu-0.11.0-rc2/hw/lsi53c895a.c:521
        count = 4096
        addr = 146219008
#4  0x000000000057f7a1 in lsi_execute_script (s=0xc7f820) at
/root/qemu-0.11.0-rc2/hw/lsi53c895a.c:992
        insn = 285212672
        addr = 146219008
        addr_high = 0
        opcode = 4
        insn_processed = 77
#5  0x000000000057e3cb in lsi_resume_script (s=0xc7f820) at
/root/qemu-0.11.0-rc2/hw/lsi53c895a.c:476
No locals.
#6  0x000000000057eb64 in lsi_command_complete (opaque=0xc7f820,
reason=0, tag=65853, arg=0) at /root/qemu-0.11.0-rc2/hw/lsi53c895a.c:652
        s = (LSIState *) 0xc7f820
        out = 1
#7  0x00000000004bf058 in scsi_command_complete (r=0xdecaf0, status=0,
sense=0) at /root/qemu-0.11.0-rc2/hw/scsi-disk.c:147
        s = (SCSIDeviceState *) 0xc9ebd0
        tag = 65853
#8  0x00000000004bf3fd in scsi_write_complete (opaque=0xdecaf0, ret=0)
at /root/qemu-0.11.0-rc2/hw/scsi-disk.c:258
        r = (SCSIRequest *) 0xdecaf0
        s = (SCSIDeviceState *) 0xc9ebd0
        len = 24576
        n = 48
#9  0x00000000004ae0cd in posix_aio_read (opaque=0xc5fcb0) at
block/raw-posix.c:553
        s = (PosixAioState *) 0xc5fcb0
        acb = (RawAIOCB *) 0x105ca10
        pacb = (RawAIOCB **) 0xc5fcb8
        ret = 0
        len = 1
#10 0x000000000040d463 in main_loop_wait (timeout=5000) at
/root/qemu-0.11.0-rc2/vl.c:4129
        pioh = (IOHandlerRecord **) 0x40d7c2
        ioh = (IOHandlerRecord *) 0xc5fd20
        rfds = {fds_bits = {64, 0 <repeats 15 times>}}
        wfds = {fds_bits = {0 <repeats 16 times>}}
        xfds = {fds_bits = {0 <repeats 16 times>}}
        ret = 1
        nfds = 200
        tv = {tv_sec = 4, tv_usec = 999995}
#11 0x000000000040da97 in main_loop () at /root/qemu-0.11.0-rc2/vl.c:4347
        r = 0
#12 0x0000000000411046 in main (argc=25, argv=0x7fff648784a8,
envp=0x7fff64878578) at /root/qemu-0.11.0-rc2/vl.c:6142
        gdbstub_dev = 0x0
        boot_devices_bitmap = 8192
        i = 1
        snapshot = 0
        linux_boot = 0
        net_boot = 1
        initrd_filename = 0x0
        kernel_filename = 0x0
        kernel_cmdline = 0x586a68 ""
        boot_devices = "n\000d", '\0' <repeats 29 times>
        ds = (DisplayState *) 0xc8f740
        dcl = (DisplayChangeListener *) 0x0
        cyls = 0
        heads = 0
        secs = 0
        translation = 0
        net_clients = {0x7fff648794c4
"nic,model=rtl8139,macaddr=00:1d:92:f3:ad:dc", 0x7fff648794f5
"socket,fd=200",
  0xd82b830 <Address 0xd82b830 out of bounds>, 0x7fff64878210 "", 0x0,
0x7f26f2a055ae "\205À\017\217z\001", 0x0, 0x7f26f2affc08 "h;@",
  0x7f2600000001 <Address 0x7f2600000001 out of bounds>, 0x0,
0x100000001 <Address 0x100000001 out of bounds>, 0x7f26f2affc08 "h;@",
  0x7f26f2c16358 "¸bÁò&\177", 0x7fff64878270 "\002", 0x1f2c16000
<Address 0x1f2c16000 out of bounds>, 0x7f26f2affc08 "h;@",
0x7f26f2c16358 "¸bÁò&\177",
  0x7fff64878290 "ðþÅ", 0x7f26f2c16000 "", 0x40384c "memset", 0x0,
0x7f26f2afe528 "ô\222\024ñ&\177", 0x1 <Address 0x1 out of bounds>, 0x0,
  0x7fff00000001 <Address 0x7fff00000001 out of bounds>, 0x7fff648782e8
"", 0xc53b745f <Address 0xc53b745f out of bounds>,
  0x7f26f2a04eac "\205Àt\"A\213D$\f\205Àu\027\205í\017\037D",
0x100000000 <Address 0x100000000 out of bounds>, 0x7f26f2affb40 "°tÀò&\177",
  0xa <Address 0xa out of bounds>, 0x1a <Address 0x1a out of bounds>}
        nb_net_clients = 2
        bt_opts = {0x0, 0x7f26f2affc08 "h;@", 0x7f26f2c074b0 "",
0x40384c "memset", 0x7f26f1143fd8 "", 0x400e10 "T\f",
  0x100000000 <Address 0x100000000 out of bounds>, 0x10000031d <Address
0x10000031d out of bounds>, 0xd39ad3d <Address 0xd39ad3d out of bounds>,
  0x7f26f2c16358 "¸bÁò&\177"}
        nb_bt_opts = 0
        hda_index = -1
        optind = 25
        r = 0x7fff6487954c "-boot"
        optarg = 0x7fff64879552 "order=n"
        monitor_hd = (CharDriverState *) 0xc5fef0
        monitor_device = 0x7fff64879523 "stdio"
        serial_devices = {0x589aa0 "vc:80Cx24C", 0x0, 0x0, 0x0}
        serial_device_index = 0
        parallel_devices = {0x589aa0 "vc:80Cx24C", 0x0, 0x0}
        parallel_device_index = 0
        virtio_consoles = {0x0}
        virtio_console_index = 0
        loadvm = 0x0
        machine = (QEMUMachine *) 0x844e60
        cpu_model = 0x0
        usb_devices = {0x7fff64879537 "tablet", 0x7f26f2a04eac
"\205Àt\"A\213D$\f\205Àu\027\205í\017\037D", 0x7f26f29fc848 "à»!",
  0x7f26f2affb40 "°tÀò&\177", 0xa <Address 0xa out of bounds>,
0x7f26f2a04eac "\205Àt\"A\213D$\f\205Àu\027\205í\017\037D",
  0xd39ad3d <Address 0xd39ad3d out of bounds>, 0x7f26f2affb40 "°tÀò&\177"}
        usb_devices_index = 1
        fds = {-224410832, 32550}
        tb_size = 0
        pid_file = 0x0
        incoming = 0x0
        fd = 0
        pwd = (struct passwd *) 0x0
        chroot_dir = 0x0
        run_as = 0x0
        env = (struct CPUX86State *) 0x0
        show_vnc_port = 0
        params = {0x589a5f "order", 0x589a65 "once", 0x589a6a "menu", 0x0}
(gdb)

----------------------
and (this particular crash is actually from qemu-kvm-0.11.0-rc2, not
sure if the -kvm bits make any difference though):

(gdb) bt full
#0  0x00000000004a0dc6 in qemu_aio_release (p=0x106ca10) at block.c:1529
        acb = (BlockDriverAIOCB *) 0x106ca10
        pool = (AIOPool *) 0x0
#1  0x00000000004b990d in posix_aio_read (opaque=0xc71cb0) at
block/raw-posix.c:567
        s = (PosixAioState *) 0xc71cb0
        acb = (RawAIOCB *) 0x106ca10
        pacb = (RawAIOCB **) 0xc71cb8
        ret = 0
        offset = 128
        sig = {siginfo = {ssi_signo = 12, pad =
"\000\000\000\000\000\000\000\000ôX", '\0' <repeats 113 times>},
  buf = "\f", '\0' <repeats 11 times>, "ôX", '\0' <repeats 113 times>}
#2  0x000000000040e301 in main_loop_wait (timeout=1000) at
/root/qemu-kvm-0.11.0-rc2/vl.c:4188
        pioh = (IOHandlerRecord **) 0xc6f7c8
        ioh = (IOHandlerRecord *) 0xc71d20
        rfds = {fds_bits = {64, 0 <repeats 15 times>}}
        wfds = {fds_bits = {0 <repeats 16 times>}}
        xfds = {fds_bits = {0 <repeats 16 times>}}
        ret = 1
        nfds = 200
        tv = {tv_sec = 0, tv_usec = 999874}
#3  0x000000000042d36e in kvm_main_loop () at
/root/qemu-kvm-0.11.0-rc2/qemu-kvm.c:2079
        fds = {14, 15}
        mask = {__val = {268443648, 0 <repeats 15 times>}}
        sigfd = 16
#4  0x000000000040e9bb in main_loop () at
/root/qemu-kvm-0.11.0-rc2/vl.c:4393
        r = 0
#5  0x0000000000411f7b in main (argc=24, argv=0x7fff78551208,
envp=0x7fff785512d0) at /root/qemu-kvm-0.11.0-rc2/vl.c:6263
        gdbstub_dev = 0x0
        boot_devices_bitmap = 8192
        i = 1
        snapshot = 0
        linux_boot = 0
        net_boot = 1
        initrd_filename = 0x0
        kernel_filename = 0x0
        kernel_cmdline = 0x5931b0 ""
        boot_devices = "n\000d", '\0' <repeats 29 times>
        ds = (DisplayState *) 0xcbd940
        dcl = (DisplayChangeListener *) 0x0
        cyls = 0
        heads = 0
        secs = 0
        translation = 0
        net_clients = {0x7fff785534da "nic,macaddr=00:1d:92:f3:ad:dc",
0x7fff785534fd "socket,fd=200", 0xd82b830 <Address 0xd82b830 out of bounds>,
  0x7fff78550f70 "", 0x0, 0x7f27390535ae "\037", 0x0, 0x7f2739149d50
"ÍA@", 0x1 <Address 0x1 out of bounds>, 0x0,
  0x100000001 <Address 0x100000001 out of bounds>, 0x7f2739149d50 "ÍA@",
0x7f2739264358 "¸B&9'\177", 0x7fff78550fd0 "\002",
  0x139264000 <Address 0x139264000 out of bounds>, 0x7f2739149d50 "ÍA@",
0x7f2739264358 "¸B&9'\177", 0x7fff78550ff0 "°zÇ", 0x7f2739264000 "",
  0x403e7c "memset", 0x2b43e9ed <Address 0x2b43e9ed out of bounds>,
0x7fff78551000 "\b\022Ux", 0x0, 0x7f27390535ae "\037", 0x0,
0x7f27391474e0 "jªÜ3'\177",
  0x1 <Address 0x1 out of bounds>, 0x7f2739052eac "\037D", 0x100000001
<Address 0x100000001 out of bounds>, 0x7f2739149c60 "\2009%9'\177",
  0xe <Address 0xe out of bounds>, 0x23 <Address 0x23 out of bounds>}
        nb_net_clients = 2
        bt_opts = {0x0, 0x7f2739149d50 "ÍA@", 0x7f2739253980 "",
0x403e7c "memset", 0x7f2736f60fd8 "", 0x401430 "D\016",
  0x100000000 <Address 0x100000000 out of bounds>, 0x10000031d <Address
0x10000031d out of bounds>, 0xd39ad3d <Address 0xd39ad3d out of bounds>,
  0x7f2739264358 "¸B&9'\177"}
        nb_bt_opts = 0
        hda_index = -1
        optind = 24
        r = 0x7fff78553554 "-boot"
        optarg = 0x7fff7855355a "n"
        monitor_hd = (CharDriverState *) 0xc77ab0
        monitor_device = 0x7fff7855352b "stdio"
        serial_devices = {0x5967e0 "vc:80Cx24C", 0x0, 0x0, 0x0}
        serial_device_index = 0
        parallel_devices = {0x5967e0 "vc:80Cx24C", 0x0, 0x0}
        parallel_device_index = 0
        virtio_consoles = {0x0}
        virtio_console_index = 0
        loadvm = 0x0
        machine = (QEMUMachine *) 0x855e80
        cpu_model = 0x0
        usb_devices = {0x7fff7855353f "tablet", 0x7f2739052eac "\037D",
0x7f273904a848 "\020æ", 0x7f2739149c60 "\2009%9'\177",
  0xe <Address 0xe out of bounds>, 0x7f2739052eac "\037D", 0xd39ad3d
<Address 0xd39ad3d out of bounds>, 0x7f2739149c60 "\2009%9'\177"}
        usb_devices_index = 1
        fds = {956605232, 32551}
        tb_size = 0
        pid_file = 0x0
        incoming = 0x0
        fd = 0
        pwd = (struct passwd *) 0x0
        chroot_dir = 0x0
        run_as = 0x0
        env = (struct CPUX86State *) 0x0
        show_vnc_port = 0
        params = {0x5967af "order", 0x5967b5 "once", 0x5967ba "menu", 0x0}
(gdb)

I would love to run the md RAID in the host and use IDE instead of SCSI.
However, unfortunately this is not an option for me, as I'm trying to
run an existing installation of Linux with QEMU which I cannot make any
modifications to.

Please let me know if you need any further details for my bug report.

Best regards
Gunnar Beutner
