[Qemu-devel] [Bug 1378554] [NEW] qemu segfault in virtio_scsi_handle

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [Bug 1378554] [NEW] qemu segfault in virtio_scsi_handle_cmd

From:	Richard Jones
Subject:	[Qemu-devel] [Bug 1378554] [NEW] qemu segfault in virtio_scsi_handle_cmd_req_submit on ARM 32 bit
Date:	Tue, 07 Oct 2014 22:36:16 -0000

Public bug reported:

/home/rjones/d/qemu/arm-softmmu/qemu-system-arm \
    -global virtio-blk-device.scsi=off \
    -nodefconfig \
    -enable-fips \
    -nodefaults \
    -display none \
    -M virt \
    -machine accel=kvm:tcg \
    -m 500 \
    -no-reboot \
    -rtc driftfix=slew \
    -global kvm-pit.lost_tick_policy=discard \
    -kernel /home/rjones/d/libguestfs/tmp/.guestfs-1001/appliance.d/kernel \
    -initrd /home/rjones/d/libguestfs/tmp/.guestfs-1001/appliance.d/initrd \
    -device virtio-scsi-device,id=scsi \
    -drive 
file=/home/rjones/d/libguestfs/tmp/libguestfseV4fT5/scratch.1,cache=unsafe,format=raw,id=hd0,if=none
 \
    -device scsi-hd,drive=hd0 \
    -drive 
file=/home/rjones/d/libguestfs/tmp/.guestfs-1001/appliance.d/root,snapshot=on,id=appliance,cache=unsafe,if=none
 \
    -device scsi-hd,drive=appliance \
    -device virtio-serial-device \
    -serial stdio \
    -chardev 
socket,path=/home/rjones/d/libguestfs/tmp/libguestfseV4fT5/guestfsd.sock,id=channel0
 \
    -device virtserialport,chardev=channel0,name=org.libguestfs.channel.0 \
    -append 'panic=1 mem=500M console=ttyAMA0 udevtimeout=6000 no_timer_check 
lpj=4464640 acpi=off printk.time=1 cgroup_disable=memory root=/dev/sdb 
selinux=0 guestfs_verbose=1 TERM=xterm-256color'

The appliance boots, but segfaults as soon as the virtio-scsi driver is
loaded:

supermin: internal insmod virtio_scsi.ko
[    3.992963] scsi0 : Virtio SCSI HBA
libguestfs: error: appliance closed the connection unexpectedly, see earlier 
error messages

I captured a core dump:

Core was generated by `/home/rjones/d/qemu/arm-softmmu/qemu-system-arm -global 
virtio-blk-device.scsi='.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000856bc in virtio_scsi_handle_cmd_req_submit (s=<optimized out>, 
    req=0x6c03acf8) at /home/rjones/d/qemu/hw/scsi/virtio-scsi.c:551
551         bdrv_io_unplug(req->sreq->dev->conf.bs);
(gdb) bt
#0  0x000856bc in virtio_scsi_handle_cmd_req_submit (s=<optimized out>, 
    req=0x6c03acf8) at /home/rjones/d/qemu/hw/scsi/virtio-scsi.c:551
#1  0x0008573a in virtio_scsi_handle_cmd (vdev=0xac4d68, vq=0xafe4b8)
    at /home/rjones/d/qemu/hw/scsi/virtio-scsi.c:573
#2  0x0004fdbe in access_with_adjusted_size (addr=80, 
    address@hidden, address@hidden, access_size_min=1, 
    access_size_max=<optimized out>, address@hidden, 
    address@hidden <memory_region_write_accessor>, 
    address@hidden) at /home/rjones/d/qemu/memory.c:480
#3  0x00054234 in memory_region_dispatch_write (size=4, data=2, 
    addr=<optimized out>, mr=0xa53fa8) at /home/rjones/d/qemu/memory.c:1117
#4  io_mem_write (mr=0xa53fa8, addr=<optimized out>, address@hidden, 
    address@hidden) at /home/rjones/d/qemu/memory.c:1958
#5  0x00021c88 in address_space_rw (as=0x3b96b4 <address_space_memory>, 
    addr=167788112, address@hidden "\002", address@hidden, 
    address@hidden) at /home/rjones/d/qemu/exec.c:2135
#6  0x00021de6 in address_space_write (len=4, buf=0x4443e790 "\002", 
    addr=<optimized out>, as=<optimized out>)
    at /home/rjones/d/qemu/exec.c:2202
#7  subpage_write (opaque=<optimized out>, addr=<optimized out>, value=2, 
    len=4) at /home/rjones/d/qemu/exec.c:1811
#8  0x0004fdbe in access_with_adjusted_size (addr=592, 
    address@hidden, address@hidden, access_size_min=1, 
    access_size_max=<optimized out>, address@hidden, 
    address@hidden <memory_region_write_accessor>, 
    address@hidden) at /home/rjones/d/qemu/memory.c:480
#9  0x00054234 in memory_region_dispatch_write (size=4, data=2, 
    addr=<optimized out>, mr=0xaed980) at /home/rjones/d/qemu/memory.c:1117
#10 io_mem_write (mr=0xaed980, addr=<optimized out>, val=2, address@hidden)
    at /home/rjones/d/qemu/memory.c:1958
#11 0x00057f24 in io_writel (retaddr=1121296542, Cannot access memory at 
address 0x0
addr=<optimized out>, val=2, 
    physaddr=592, env=0x9d6c50) at /home/rjones/d/qemu/softmmu_template.h:381
#12 helper_le_stl_mmu (env=0x9d6c50, addr=<optimized out>, val=2, 
    mmu_idx=<optimized out>, retaddr=1121296542)
    at /home/rjones/d/qemu/softmmu_template.h:419
#13 0x42d5a0a0 in ?? ()
Cannot access memory at address 0x0
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) print req
$1 = (VirtIOSCSIReq *) 0x6c03acf8
(gdb) print req->sreq
$2 = (SCSIRequest *) 0xc2c2c2c2
(gdb) print req->sreq->dev
Cannot access memory at address 0xc2c2c2c6
(gdb) print *req
$3 = {
  dev = 0x6c000040, 
  vq = 0x6c000040, 
  qsgl = {
    sg = 0x0, 
    nsg = 0, 
    nalloc = -1027423550, 
    size = 3267543746, 
    dev = 0xc2c2c2c2, 
    as = 0xc2c2c2c2
  }, 
  resp_iov = {
    iov = 0xc2c2c2c2, 
    niov = -1027423550, 
    nalloc = -1027423550, 
    size = 3267543746
  }, 
  elem = {
    index = 3267543746, 
    out_num = 3267543746, 
    in_num = 3267543746, 
    in_addr = {14033993530586874562 <repeats 1024 times>}, 
    out_addr = {14033993530586874562 <repeats 1024 times>}, 
    in_sg = {{
        iov_base = 0xc2c2c2c2, 
        iov_len = 3267543746
      } <repeats 1024 times>}, 
    out_sg = {{
        iov_base = 0xc2c2c2c2, 
        iov_len = 3267543746
      } <repeats 1024 times>}
  }, 
  vring = 0xc2c2c2c2, 
  {
    next = {
      tqe_next = 0xc2c2c2c2, 
      tqe_prev = 0xc2c2c2c2
    }, 
    remaining = -1027423550
  }, 
  sreq = 0xc2c2c2c2, 
  resp_size = 3267543746, 
  mode = (SCSI_XFER_TO_DEV | unknown: 3267543744), 
  resp = {
    cmd = {
      sense_len = 3267543746, 
      resid = 3267543746, 
      status_qualifier = 49858, 
      status = 194 '\302', 
      response = 194 '\302'
    }, 
    tmf = {
      response = 194 '\302'
    }, 
    an = {
      event_actual = 3267543746, 
      response = 194 '\302'
    }, 
    event = {
      event = 3267543746, 
      lun = "\302\302\302\302\302\302\302", <incomplete sequence \302>, 
      reason = 3267543746
    }
  }, 
  req = {
    {
      cmd = {
        lun = "\302\302\302\302\302\302\302", <incomplete sequence \302>, 
        tag = 14033993530586874562, 
        task_attr = 194 '\302', 
        prio = 194 '\302', 
        crn = 194 '\302'
      }, 
      cdb = 0x6c042d73 '\302' <repeats 36 times>, <incomplete sequence \302>
    }, 
    tmf = {
      type = 3267543746, 
      subtype = 3267543746, 
      lun = "\302\302\302\302\302\302\302", <incomplete sequence \302>, 
      tag = 14033993530586874562
    }, 
    an = {
      type = 3267543746, 
      lun = "\302\302\302\302\302\302\302", <incomplete sequence \302>, 
      event_requested = 3267543746
    }
  }
}

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1378554

Title:
  qemu segfault in virtio_scsi_handle_cmd_req_submit on ARM 32 bit

Status in QEMU:
  New

Bug description:
  /home/rjones/d/qemu/arm-softmmu/qemu-system-arm \
      -global virtio-blk-device.scsi=off \
      -nodefconfig \
      -enable-fips \
      -nodefaults \
      -display none \
      -M virt \
      -machine accel=kvm:tcg \
      -m 500 \
      -no-reboot \
      -rtc driftfix=slew \
      -global kvm-pit.lost_tick_policy=discard \
      -kernel /home/rjones/d/libguestfs/tmp/.guestfs-1001/appliance.d/kernel \
      -initrd /home/rjones/d/libguestfs/tmp/.guestfs-1001/appliance.d/initrd \
      -device virtio-scsi-device,id=scsi \
      -drive 
file=/home/rjones/d/libguestfs/tmp/libguestfseV4fT5/scratch.1,cache=unsafe,format=raw,id=hd0,if=none
 \
      -device scsi-hd,drive=hd0 \
      -drive 
file=/home/rjones/d/libguestfs/tmp/.guestfs-1001/appliance.d/root,snapshot=on,id=appliance,cache=unsafe,if=none
 \
      -device scsi-hd,drive=appliance \
      -device virtio-serial-device \
      -serial stdio \
      -chardev 
socket,path=/home/rjones/d/libguestfs/tmp/libguestfseV4fT5/guestfsd.sock,id=channel0
 \
      -device virtserialport,chardev=channel0,name=org.libguestfs.channel.0 \
      -append 'panic=1 mem=500M console=ttyAMA0 udevtimeout=6000 no_timer_check 
lpj=4464640 acpi=off printk.time=1 cgroup_disable=memory root=/dev/sdb 
selinux=0 guestfs_verbose=1 TERM=xterm-256color'

  The appliance boots, but segfaults as soon as the virtio-scsi driver
  is loaded:

  supermin: internal insmod virtio_scsi.ko
  [    3.992963] scsi0 : Virtio SCSI HBA
  libguestfs: error: appliance closed the connection unexpectedly, see earlier 
error messages

  I captured a core dump:

  Core was generated by `/home/rjones/d/qemu/arm-softmmu/qemu-system-arm 
-global virtio-blk-device.scsi='.
  Program terminated with signal SIGSEGV, Segmentation fault.
  #0  0x000856bc in virtio_scsi_handle_cmd_req_submit (s=<optimized out>, 
      req=0x6c03acf8) at /home/rjones/d/qemu/hw/scsi/virtio-scsi.c:551
  551       bdrv_io_unplug(req->sreq->dev->conf.bs);
  (gdb) bt
  #0  0x000856bc in virtio_scsi_handle_cmd_req_submit (s=<optimized out>, 
      req=0x6c03acf8) at /home/rjones/d/qemu/hw/scsi/virtio-scsi.c:551
  #1  0x0008573a in virtio_scsi_handle_cmd (vdev=0xac4d68, vq=0xafe4b8)
      at /home/rjones/d/qemu/hw/scsi/virtio-scsi.c:573
  #2  0x0004fdbe in access_with_adjusted_size (addr=80, 
      address@hidden, address@hidden, access_size_min=1, 
      access_size_max=<optimized out>, address@hidden, 
      address@hidden <memory_region_write_accessor>, 
      address@hidden) at /home/rjones/d/qemu/memory.c:480
  #3  0x00054234 in memory_region_dispatch_write (size=4, data=2, 
      addr=<optimized out>, mr=0xa53fa8) at /home/rjones/d/qemu/memory.c:1117
  #4  io_mem_write (mr=0xa53fa8, addr=<optimized out>, address@hidden, 
      address@hidden) at /home/rjones/d/qemu/memory.c:1958
  #5  0x00021c88 in address_space_rw (as=0x3b96b4 <address_space_memory>, 
      addr=167788112, address@hidden "\002", address@hidden, 
      address@hidden) at /home/rjones/d/qemu/exec.c:2135
  #6  0x00021de6 in address_space_write (len=4, buf=0x4443e790 "\002", 
      addr=<optimized out>, as=<optimized out>)
      at /home/rjones/d/qemu/exec.c:2202
  #7  subpage_write (opaque=<optimized out>, addr=<optimized out>, value=2, 
      len=4) at /home/rjones/d/qemu/exec.c:1811
  #8  0x0004fdbe in access_with_adjusted_size (addr=592, 
      address@hidden, address@hidden, access_size_min=1, 
      access_size_max=<optimized out>, address@hidden, 
      address@hidden <memory_region_write_accessor>, 
      address@hidden) at /home/rjones/d/qemu/memory.c:480
  #9  0x00054234 in memory_region_dispatch_write (size=4, data=2, 
      addr=<optimized out>, mr=0xaed980) at /home/rjones/d/qemu/memory.c:1117
  #10 io_mem_write (mr=0xaed980, addr=<optimized out>, val=2, address@hidden)
      at /home/rjones/d/qemu/memory.c:1958
  #11 0x00057f24 in io_writel (retaddr=1121296542, Cannot access memory at 
address 0x0
  addr=<optimized out>, val=2, 
      physaddr=592, env=0x9d6c50) at /home/rjones/d/qemu/softmmu_template.h:381
  #12 helper_le_stl_mmu (env=0x9d6c50, addr=<optimized out>, val=2, 
      mmu_idx=<optimized out>, retaddr=1121296542)
      at /home/rjones/d/qemu/softmmu_template.h:419
  #13 0x42d5a0a0 in ?? ()
  Cannot access memory at address 0x0
  Backtrace stopped: previous frame identical to this frame (corrupt stack?)
  (gdb) print req
  $1 = (VirtIOSCSIReq *) 0x6c03acf8
  (gdb) print req->sreq
  $2 = (SCSIRequest *) 0xc2c2c2c2
  (gdb) print req->sreq->dev
  Cannot access memory at address 0xc2c2c2c6
  (gdb) print *req
  $3 = {
    dev = 0x6c000040, 
    vq = 0x6c000040, 
    qsgl = {
      sg = 0x0, 
      nsg = 0, 
      nalloc = -1027423550, 
      size = 3267543746, 
      dev = 0xc2c2c2c2, 
      as = 0xc2c2c2c2
    }, 
    resp_iov = {
      iov = 0xc2c2c2c2, 
      niov = -1027423550, 
      nalloc = -1027423550, 
      size = 3267543746
    }, 
    elem = {
      index = 3267543746, 
      out_num = 3267543746, 
      in_num = 3267543746, 
      in_addr = {14033993530586874562 <repeats 1024 times>}, 
      out_addr = {14033993530586874562 <repeats 1024 times>}, 
      in_sg = {{
          iov_base = 0xc2c2c2c2, 
          iov_len = 3267543746
        } <repeats 1024 times>}, 
      out_sg = {{
          iov_base = 0xc2c2c2c2, 
          iov_len = 3267543746
        } <repeats 1024 times>}
    }, 
    vring = 0xc2c2c2c2, 
    {
      next = {
        tqe_next = 0xc2c2c2c2, 
        tqe_prev = 0xc2c2c2c2
      }, 
      remaining = -1027423550
    }, 
    sreq = 0xc2c2c2c2, 
    resp_size = 3267543746, 
    mode = (SCSI_XFER_TO_DEV | unknown: 3267543744), 
    resp = {
      cmd = {
        sense_len = 3267543746, 
        resid = 3267543746, 
        status_qualifier = 49858, 
        status = 194 '\302', 
        response = 194 '\302'
      }, 
      tmf = {
        response = 194 '\302'
      }, 
      an = {
        event_actual = 3267543746, 
        response = 194 '\302'
      }, 
      event = {
        event = 3267543746, 
        lun = "\302\302\302\302\302\302\302", <incomplete sequence \302>, 
        reason = 3267543746
      }
    }, 
    req = {
      {
        cmd = {
          lun = "\302\302\302\302\302\302\302", <incomplete sequence \302>, 
          tag = 14033993530586874562, 
          task_attr = 194 '\302', 
          prio = 194 '\302', 
          crn = 194 '\302'
        }, 
        cdb = 0x6c042d73 '\302' <repeats 36 times>, <incomplete sequence \302>
      }, 
      tmf = {
        type = 3267543746, 
        subtype = 3267543746, 
        lun = "\302\302\302\302\302\302\302", <incomplete sequence \302>, 
        tag = 14033993530586874562
      }, 
      an = {
        type = 3267543746, 
        lun = "\302\302\302\302\302\302\302", <incomplete sequence \302>, 
        event_requested = 3267543746
      }
    }
  }

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1378554/+subscriptions

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH v14 00/14] qemu-img: Implement commit like QMP, Max Reitz, 2014/10/24
- [Qemu-devel] [PATCH v14 01/14] qcow2: Allow "full" discard, Max Reitz, 2014/10/24
- [Qemu-devel] [PATCH v14 03/14] qcow2: Optimize bdrv_make_empty(), Max Reitz, 2014/10/24
- [Qemu-devel] [PATCH v14 02/14] qcow2: Implement bdrv_make_empty(), Max Reitz, 2014/10/24
- [Qemu-devel] [PATCH v14 04/14] blockjob: Introduce block_job_complete_sync(), Max Reitz, 2014/10/24
- [Qemu-devel] [PATCH v14 06/14] iotests: Omit length/offset test in 040 and 041, Max Reitz, 2014/10/24
- [Qemu-devel] [PATCH v14 05/14] blockjob: Add "ready" field, Max Reitz, 2014/10/24
- [Qemu-devel] [PATCH v14 07/14] block/mirror: Improve progress report, Max Reitz, 2014/10/24
- [Qemu-devel] [PATCH v14 08/14] qemu-img: Implement commit like QMP, Max Reitz, 2014/10/24
- [Qemu-devel] [PATCH v14 09/14] qemu-img: Empty image after commit, Max Reitz, 2014/10/24
- [Qemu-devel] [PATCH v14 10/14] qemu-img: Enable progress output for commit, Max Reitz, 2014/10/24

Prev by Date: Re: [Qemu-devel] [PATCH v5 11/33] target-arm: arrayfying fieldoffset for banking
Next by Date: [Qemu-devel] [Bug 1378554] Re: qemu segfault in virtio_scsi_handle_cmd_req_submit on ARM 32 bit
Previous by thread: [Qemu-devel] [PATCH v3 00/15] target-mips: add features required in MIPS64R6
Next by thread: [Qemu-devel] [PATCH v14 01/14] qcow2: Allow "full" discard
Index(es):
- Date
- Thread