Ah, my mail client found the thread that tells me this was fixed in commit 35e4e96c4d5bfcf. So we can close this.
** Changed in: qemu
Status: New => Fix Released

--
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1378554

Title:
qemu segfault in virtio_scsi_handle_cmd_req_submit on ARM 32 bit

Status in QEMU:
Fix Released

Bug description:
/home/rjones/d/qemu/arm-softmmu/qemu-system-arm \
-global virtio-blk-device.scsi=off \
-nodefconfig \
-enable-fips \
-nodefaults \
-display none \
-M virt \
-machine accel=kvm:tcg \
-m 500 \
-no-reboot \
-rtc driftfix=slew \
-global kvm-pit.lost_tick_policy=discard \
-kernel /home/rjones/d/libguestfs/tmp/.guestfs-1001/appliance.d/kernel \
-initrd /home/rjones/d/libguestfs/tmp/.guestfs-1001/appliance.d/initrd \
-device virtio-scsi-device,id=scsi \
-drive file=/home/rjones/d/libguestfs/tmp/libguestfseV4fT5/scratch.1,cache=unsafe,format=raw,id=hd0,if=none \
-device scsi-hd,drive=hd0 \
-drive file=/home/rjones/d/libguestfs/tmp/.guestfs-1001/appliance.d/root,snapshot=on,id=appliance,cache=unsafe,if=none \
-device scsi-hd,drive=appliance \
-device virtio-serial-device \
-serial stdio \
-chardev socket,path=/home/rjones/d/libguestfs/tmp/libguestfseV4fT5/guestfsd.sock,id=channel0 \
-device virtserialport,chardev=channel0,name=org.libguestfs.channel.0 \
-append 'panic=1 mem=500M console=ttyAMA0 udevtimeout=6000 no_timer_check lpj=4464640 acpi=off printk.time=1 cgroup_disable=memory root=/dev/sdb selinux=0 guestfs_verbose=1 TERM=xterm-256color'

The appliance boots, but segfaults as soon as the virtio-scsi driver is loaded:

supermin: internal insmod virtio_scsi.ko
[ 3.992963] scsi0 : Virtio SCSI HBA
libguestfs: error: appliance closed the connection unexpectedly, see earlier error messages

I captured a core dump:

Core was generated by `/home/rjones/d/qemu/arm-softmmu/qemu-system-arm -global virtio-blk-device.scsi='.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000856bc in virtio_scsi_handle_cmd_req_submit (s=<optimized out>, req=0x6c03acf8) at /home/rjones/d/qemu/hw/scsi/virtio-scsi.c:551 551 bdrv_io_unplug(req->sreq->dev->conf.bs); (gdb) bt #0 0x000856bc in virtio_scsi_handle_cmd_req_submit (s=<optimized out>, req=0x6c03acf8) at /home/rjones/d/qemu/hw/scsi/virtio-scsi.c:551 #1 0x0008573a in virtio_scsi_handle_cmd (vdev=0xac4d68, vq=0xafe4b8) at /home/rjones/d/qemu/hw/scsi/virtio-scsi.c:573 #2 0x0004fdbe in access_with_adjusted_size (addr=80, value=value@entry=0x4443e6c0, size=size@entry=4, access_size_min=1, access_size_max=<optimized out>, access_size_max@entry=0, access=access@entry=0x4fee9 <memory_region_write_accessor>, mr=mr@entry=0xa53fa8) at /home/rjones/d/qemu/memory.c:480 #3 0x00054234 in memory_region_dispatch_write (size=4, data=2, addr=<optimized out>, mr=0xa53fa8) at /home/rjones/d/qemu/memory.c:1117 #4 io_mem_write (mr=0xa53fa8, addr=<optimized out>, val=val@entry=2, size=size@entry=4) at /home/rjones/d/qemu/memory.c:1958 #5 0x00021c88 in address_space_rw (as=0x3b96b4 <address_space_memory>, addr=167788112, buf=buf@entry=0x4443e790 "\002", len=len@entry=4, is_write=is_write@entry=true) at /home/rjones/d/qemu/exec.c:2135 #6 0x00021de6 in address_space_write (len=4, buf=0x4443e790 "\002", addr=<optimized out>, as=<optimized out>) at /home/rjones/d/qemu/exec.c:2202 #7 subpage_write (opaque=<optimized out>, addr=<optimized out>, value=2, len=4) at /home/rjones/d/qemu/exec.c:1811 #8 0x0004fdbe in access_with_adjusted_size (addr=592, value=value@entry=0x4443e820, size=size@entry=4, access_size_min=1, access_size_max=<optimized out>, access_size_max@entry=0, access=access@entry=0x4fee9 <memory_region_write_accessor>, mr=mr@entry=0xaed980) at /home/rjones/d/qemu/memory.c:480 #9 0x00054234 in memory_region_dispatch_write (size=4, data=2, addr=<optimized out>, mr=0xaed980) at /home/rjones/d/qemu/memory.c:1117 #10 io_mem_write (mr=0xaed980, addr=<optimized out>, val=2, size=size@entry=4) at 
/home/rjones/d/qemu/memory.c:1958 #11 0x00057f24 in io_writel (retaddr=1121296542, Cannot access memory at address 0x0 addr=<optimized out>, val=2, physaddr=592, env=0x9d6c50) at /home/rjones/d/qemu/softmmu_template.h:381 #12 helper_le_stl_mmu (env=0x9d6c50, addr=<optimized out>, val=2, mmu_idx=<optimized out>, retaddr=1121296542) at /home/rjones/d/qemu/softmmu_template.h:419 #13 0x42d5a0a0 in ?? () Cannot access memory at address 0x0 Backtrace stopped: previous frame identical to this frame (corrupt stack?) (gdb) print req $1 = (VirtIOSCSIReq *) 0x6c03acf8 (gdb) print req->sreq $2 = (SCSIRequest *) 0xc2c2c2c2 (gdb) print req->sreq->dev Cannot access memory at address 0xc2c2c2c6 (gdb) print *req $3 = { dev = 0x6c000040, vq = 0x6c000040, qsgl = { sg = 0x0, nsg = 0, nalloc = -1027423550, size = 3267543746, dev = 0xc2c2c2c2, as = 0xc2c2c2c2 }, resp_iov = { iov = 0xc2c2c2c2, niov = -1027423550, nalloc = -1027423550, size = 3267543746 }, elem = { index = 3267543746, out_num = 3267543746, in_num = 3267543746, in_addr = {14033993530586874562 <repeats 1024 times>}, out_addr = {14033993530586874562 <repeats 1024 times>}, in_sg = {{ iov_base = 0xc2c2c2c2, iov_len = 3267543746 } <repeats 1024 times>}, out_sg = {{ iov_base = 0xc2c2c2c2, iov_len = 3267543746 } <repeats 1024 times>} }, vring = 0xc2c2c2c2, { next = { tqe_next = 0xc2c2c2c2, tqe_prev = 0xc2c2c2c2 }, remaining = -1027423550 }, sreq = 0xc2c2c2c2, resp_size = 3267543746, mode = (SCSI_XFER_TO_DEV | unknown: 3267543744), resp = { cmd = { sense_len = 3267543746, resid = 3267543746, status_qualifier = 49858, status = 194 '\302', response = 194 '\302' }, tmf = { response = 194 '\302' }, an = { event_actual = 3267543746, response = 194 '\302' }, event = { event = 3267543746, lun = "\302\302\302\302\302\302\302", <incomplete sequence \302>, reason = 3267543746 } }, req = { { cmd = { lun = "\302\302\302\302\302\302\302", <incomplete sequence \302>, tag = 14033993530586874562, task_attr = 194 '\302', prio = 194 '\302', crn = 
194 '\302' }, cdb = 0x6c042d73 '\302' <repeats 36 times>, <incomplete sequence \302> }, tmf = { type = 3267543746, subtype = 3267543746, lun = "\302\302\302\302\302\302\302", <incomplete sequence \302>, tag = 14033993530586874562 }, an = { type = 3267543746, lun = "\302\302\302\302\302\302\302", <incomplete sequence \302>, event_requested = 3267543746 } } } To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1378554/+subscriptions