[Bug 1861562] [NEW] piix crashes on mips when using multiple cpus

[Philippe Mathieu-Daudé]

Public bug reported:

Crash occurred while testing commit 330edfcc84a7:

$ qemu-system-mips64el -cpu I6400 -append "clocksource=GIC console=ttyS0" -smp 
8 -kernel vmlinux
Linux version 4.7.0-rc1 (phil@x1) (gcc version 6.3.0 20170516 (Debian 6.3.0-18) 
) #1 SMP Sat Feb 1 13:15:19 UTC 2020
earlycon: uart8250 at I/O port 0x3f8 (options '38400n8')
bootconsole [uart8250] enabled
CPU0 revision is: 0001a900 (MIPS I6400)
FPU revision is: 20f30300
MSA revision is: 00000300
MIPS: machine is mti,malta
Software DMA cache coherency enabled
Determined physical RAM map:
 memory: 0000000008000000 @ 0000000000000000 (usable)
Zone ranges:
  DMA      [mem 0x0000000000000000-0x0000000000ffffff]
  DMA32    [mem 0x0000000001000000-0x00000000ffffffff]
  Normal   empty
Movable zone start for each node
Early memory node ranges
  node   0: [mem 0x0000000000000000-0x0000000007ffffff]
Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
VP topology {8} total 8
Primary instruction cache 64kB, VIPT, 4-way, linesize 64 bytes.
Primary data cache 64kB, 4-way, VIPT, no aliases, linesize 64 bytes
percpu: Embedded 5 pages/cpu @980000000107c000 s29664 r8192 d44064 u81920
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8163
Kernel command line: clocksource=GIC console=ttyS0
log_buf_len individual max cpu contribution: 4096 bytes
log_buf_len total cpu_extra contributions: 28672 bytes
log_buf_len min size: 32768 bytes
log_buf_len: 65536 bytes
early log buf free: 30432(92%)
PID hash table entries: 512 (order: -2, 4096 bytes)
Dentry cache hash table entries: 16384 (order: 3, 131072 bytes)
Inode-cache hash table entries: 8192 (order: 2, 65536 bytes)
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
MAAR configuration:
  [0]: 0x0000000000010000-0x0000000007ffffff speculate
  [1]: disabled
  [2]: disabled
  [3]: disabled
  [4]: disabled
  [5]: disabled
  [6]: disabled
  [7]: disabled
Memory: 121104K/131072K available (5253K kernel code, 380K rwdata, 1276K 
rodata, 304K init, 278K bss, 9968K reserved, 0K cma-reserved)
Hierarchical RCU implementation.
        Build-time adjustment of leaf fanout to 64.
NR_IRQS:256
CPU frequency 200.00 MHz
GIC frequency 100.00 MHz
clocksource: GIC: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 
19112702515 ns
clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 
19112355619 ns
sched_clock: 32 bits at 100MHz, resolution 9ns, wraps every 21474556923ns
...
Primary instruction cache 64kB, VIPT, 4-way, linesize 64 bytes.
Primary data cache 64kB, 4-way, VIPT, no aliases, linesize 64 bytes
CPU7 revision is: 0001a900 (MIPS I6400)
FPU revision is: 20f30300
MSA revision is: 00000300
Synchronize counters for CPU 7: done.
Brought up 8 CPUs
devtmpfs: initialized
clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 
19112604462750000 ns
NET: Registered protocol family 16
pm-cps: CPC does not support clock gating
vgaarb: loaded
SCSI subsystem initialized
PCI host bridge to bus 0000:00
pci_bus 0000:00: root bus resource [mem 0x10000000-0x17ffffff]
pci_bus 0000:00: root bus resource [io  0x1000-0x1fffff]
pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0]
pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
pci 0000:00:00.0: [Firmware Bug]: reg 0x14: invalid BAR (can't size)
pci 0000:00:00.0: [Firmware Bug]: reg 0x18: invalid BAR (can't size)
pci 0000:00:00.0: [Firmware Bug]: reg 0x1c: invalid BAR (can't size)
pci 0000:00:00.0: [Firmware Bug]: reg 0x20: invalid BAR (can't size)
pci 0000:00:00.0: [Firmware Bug]: reg 0x24: invalid BAR (can't size)
pci 0000:00:0a.1: legacy IDE quirk: reg 0x10: [io  0x01f0-0x01f7]
pci 0000:00:0a.1: legacy IDE quirk: reg 0x14: [io  0x03f6]
pci 0000:00:0a.1: legacy IDE quirk: reg 0x18: [io  0x0170-0x0177]
pci 0000:00:0a.1: legacy IDE quirk: reg 0x1c: [io  0x0376]
Aborted (core dumped)

(gdb) bt
#0  0x00007fe1e8d37e35 in raise () at /lib64/libc.so.6
#1  0x00007fe1e8d22895 in abort () at /lib64/libc.so.6
#2  0x000055d442b388ba in acpi_gpe_ioport_get_ptr (addr=addr@entry=49312, 
ar=ar@entry=0x55d4444212d0) at hw/acpi/core.c:670
#3  0x000055d442b388ba in acpi_gpe_ioport_writeb (ar=ar@entry=0x55d4444212d0, 
addr=addr@entry=49312, val=val@entry=181) at hw/acpi/core.c:680
#4  0x000055d442d3f363 in gpe_writeb (opaque=0x55d444420800, addr=49312, 
val=181, width=<optimized out>) at hw/acpi/piix4.c:553
#5  0x000055d442b9534b in memory_region_write_accessor 
(mr=mr@entry=0x55d4444211e0, addr=49312, value=value@entry=0x7fe1ddff9ef8, 
size=size@entry=1, shift=<optimized out>, mask=mask@entry=255, attrs=...)
    at memory.c:483
#6  0x000055d442b9305e in access_with_adjusted_size (addr=addr@entry=49312, 
value=value@entry=0x7fe1ddff9ef8, size=size@entry=8, access_size_min=<optimized 
out>, access_size_max=<optimized out>, access_fn=access_fn@entry=
    0x55d442b95220 <memory_region_write_accessor>, mr=0x55d4444211e0, 
attrs=...) at memory.c:544
#7  0x000055d442b976b4 in memory_region_dispatch_write 
(mr=mr@entry=0x55d4444211e0, addr=addr@entry=49312, data=<optimized out>, 
data@entry=327163317, op=op@entry=MO_64, attrs=...) at memory.c:1475
#8  0x000055d442ba44fd in io_writex
    (env=env@entry=0x55d443ec8f60, mmu_idx=mmu_idx@entry=0, 
val=val@entry=327163317, addr=addr@entry=10376293541929074848, 
retaddr=140608199778784, op=MO_64, iotlbentry=<optimized out>, 
iotlbentry=<optimized out>)
    at accel/tcg/cputlb.c:980
#9  0x000055d442baa43c in store_helper (op=MO_64, retaddr=140608199778784, 
oi=<optimized out>, val=<optimized out>, addr=10376293541929074848, 
env=0x55d443ec8f60) at accel/tcg/cputlb.c:1788
#10 0x000055d442baa43c in helper_le_stq_mmu (env=0x55d443ec8f60, 
addr=10376293541929074848, val=327163317, oi=<optimized out>, 
retaddr=140608199778784) at accel/tcg/cputlb.c:1920
#11 0x00007fe1e5cce1e0 in code_gen_buffer ()
#12 0x000055d442bbc6d3 in cpu_tb_exec (itb=<optimized out>, cpu=0x0) at 
accel/tcg/cpu-exec.c:172
#13 0x000055d442bbc6d3 in cpu_loop_exec_tb (tb_exit=<synthetic pointer>, 
last_tb=<synthetic pointer>, tb=<optimized out>, cpu=0x0) at 
accel/tcg/cpu-exec.c:618
#14 0x000055d442bbc6d3 in cpu_exec (cpu=cpu@entry=0x55d443ec0550) at 
accel/tcg/cpu-exec.c:731
#15 0x000055d442b88580 in tcg_cpu_exec (cpu=0x55d443ec0550) at cpus.c:1405
#16 0x000055d442b8a6f4 in qemu_tcg_cpu_thread_fn (arg=arg@entry=0x55d443ec0550) 
at cpus.c:1713
#17 0x000055d442faeb7b in qemu_thread_start (args=<optimized out>) at 
util/qemu-thread-posix.c:519
#18 0x00007fe1e8ece4c0 in start_thread () at /lib64/libpthread.so.0
#19 0x00007fe1e8dfc163 in clone () at /lib64/libc.so.6

** Affects: qemu
     Importance: Undecided
         Status: New


** Tags: acpi mips

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1861562

Title:
  piix crashes on mips when using multiple cpus

Status in QEMU:
  New

Bug description:
  Crash occurred while testing commit 330edfcc84a7:

  $ qemu-system-mips64el -cpu I6400 -append "clocksource=GIC console=ttyS0" 
-smp 8 -kernel vmlinux
  Linux version 4.7.0-rc1 (phil@x1) (gcc version 6.3.0 20170516 (Debian 
6.3.0-18) ) #1 SMP Sat Feb 1 13:15:19 UTC 2020
  earlycon: uart8250 at I/O port 0x3f8 (options '38400n8')
  bootconsole [uart8250] enabled
  CPU0 revision is: 0001a900 (MIPS I6400)
  FPU revision is: 20f30300
  MSA revision is: 00000300
  MIPS: machine is mti,malta
  Software DMA cache coherency enabled
  Determined physical RAM map:
   memory: 0000000008000000 @ 0000000000000000 (usable)
  Zone ranges:
    DMA      [mem 0x0000000000000000-0x0000000000ffffff]
    DMA32    [mem 0x0000000001000000-0x00000000ffffffff]
    Normal   empty
  Movable zone start for each node
  Early memory node ranges
    node   0: [mem 0x0000000000000000-0x0000000007ffffff]
  Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
  VP topology {8} total 8
  Primary instruction cache 64kB, VIPT, 4-way, linesize 64 bytes.
  Primary data cache 64kB, 4-way, VIPT, no aliases, linesize 64 bytes
  percpu: Embedded 5 pages/cpu @980000000107c000 s29664 r8192 d44064 u81920
  Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8163
  Kernel command line: clocksource=GIC console=ttyS0
  log_buf_len individual max cpu contribution: 4096 bytes
  log_buf_len total cpu_extra contributions: 28672 bytes
  log_buf_len min size: 32768 bytes
  log_buf_len: 65536 bytes
  early log buf free: 30432(92%)
  PID hash table entries: 512 (order: -2, 4096 bytes)
  Dentry cache hash table entries: 16384 (order: 3, 131072 bytes)
  Inode-cache hash table entries: 8192 (order: 2, 65536 bytes)
  Writing ErrCtl register=00000000
  Readback ErrCtl register=00000000
  MAAR configuration:
    [0]: 0x0000000000010000-0x0000000007ffffff speculate
    [1]: disabled
    [2]: disabled
    [3]: disabled
    [4]: disabled
    [5]: disabled
    [6]: disabled
    [7]: disabled
  Memory: 121104K/131072K available (5253K kernel code, 380K rwdata, 1276K 
rodata, 304K init, 278K bss, 9968K reserved, 0K cma-reserved)
  Hierarchical RCU implementation.
          Build-time adjustment of leaf fanout to 64.
  NR_IRQS:256
  CPU frequency 200.00 MHz
  GIC frequency 100.00 MHz
  clocksource: GIC: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 
19112702515 ns
  clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 
19112355619 ns
  sched_clock: 32 bits at 100MHz, resolution 9ns, wraps every 21474556923ns
  ...
  Primary instruction cache 64kB, VIPT, 4-way, linesize 64 bytes.
  Primary data cache 64kB, 4-way, VIPT, no aliases, linesize 64 bytes
  CPU7 revision is: 0001a900 (MIPS I6400)
  FPU revision is: 20f30300
  MSA revision is: 00000300
  Synchronize counters for CPU 7: done.
  Brought up 8 CPUs
  devtmpfs: initialized
  clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 
19112604462750000 ns
  NET: Registered protocol family 16
  pm-cps: CPC does not support clock gating
  vgaarb: loaded
  SCSI subsystem initialized
  PCI host bridge to bus 0000:00
  pci_bus 0000:00: root bus resource [mem 0x10000000-0x17ffffff]
  pci_bus 0000:00: root bus resource [io  0x1000-0x1fffff]
  pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0]
  pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
  pci 0000:00:00.0: [Firmware Bug]: reg 0x14: invalid BAR (can't size)
  pci 0000:00:00.0: [Firmware Bug]: reg 0x18: invalid BAR (can't size)
  pci 0000:00:00.0: [Firmware Bug]: reg 0x1c: invalid BAR (can't size)
  pci 0000:00:00.0: [Firmware Bug]: reg 0x20: invalid BAR (can't size)
  pci 0000:00:00.0: [Firmware Bug]: reg 0x24: invalid BAR (can't size)
  pci 0000:00:0a.1: legacy IDE quirk: reg 0x10: [io  0x01f0-0x01f7]
  pci 0000:00:0a.1: legacy IDE quirk: reg 0x14: [io  0x03f6]
  pci 0000:00:0a.1: legacy IDE quirk: reg 0x18: [io  0x0170-0x0177]
  pci 0000:00:0a.1: legacy IDE quirk: reg 0x1c: [io  0x0376]
  Aborted (core dumped)

  (gdb) bt
  #0  0x00007fe1e8d37e35 in raise () at /lib64/libc.so.6
  #1  0x00007fe1e8d22895 in abort () at /lib64/libc.so.6
  #2  0x000055d442b388ba in acpi_gpe_ioport_get_ptr (addr=addr@entry=49312, 
ar=ar@entry=0x55d4444212d0) at hw/acpi/core.c:670
  #3  0x000055d442b388ba in acpi_gpe_ioport_writeb (ar=ar@entry=0x55d4444212d0, 
addr=addr@entry=49312, val=val@entry=181) at hw/acpi/core.c:680
  #4  0x000055d442d3f363 in gpe_writeb (opaque=0x55d444420800, addr=49312, 
val=181, width=<optimized out>) at hw/acpi/piix4.c:553
  #5  0x000055d442b9534b in memory_region_write_accessor 
(mr=mr@entry=0x55d4444211e0, addr=49312, value=value@entry=0x7fe1ddff9ef8, 
size=size@entry=1, shift=<optimized out>, mask=mask@entry=255, attrs=...)
      at memory.c:483
  #6  0x000055d442b9305e in access_with_adjusted_size (addr=addr@entry=49312, 
value=value@entry=0x7fe1ddff9ef8, size=size@entry=8, access_size_min=<optimized 
out>, access_size_max=<optimized out>, access_fn=access_fn@entry=
      0x55d442b95220 <memory_region_write_accessor>, mr=0x55d4444211e0, 
attrs=...) at memory.c:544
  #7  0x000055d442b976b4 in memory_region_dispatch_write 
(mr=mr@entry=0x55d4444211e0, addr=addr@entry=49312, data=<optimized out>, 
data@entry=327163317, op=op@entry=MO_64, attrs=...) at memory.c:1475
  #8  0x000055d442ba44fd in io_writex
      (env=env@entry=0x55d443ec8f60, mmu_idx=mmu_idx@entry=0, 
val=val@entry=327163317, addr=addr@entry=10376293541929074848, 
retaddr=140608199778784, op=MO_64, iotlbentry=<optimized out>, 
iotlbentry=<optimized out>)
      at accel/tcg/cputlb.c:980
  #9  0x000055d442baa43c in store_helper (op=MO_64, retaddr=140608199778784, 
oi=<optimized out>, val=<optimized out>, addr=10376293541929074848, 
env=0x55d443ec8f60) at accel/tcg/cputlb.c:1788
  #10 0x000055d442baa43c in helper_le_stq_mmu (env=0x55d443ec8f60, 
addr=10376293541929074848, val=327163317, oi=<optimized out>, 
retaddr=140608199778784) at accel/tcg/cputlb.c:1920
  #11 0x00007fe1e5cce1e0 in code_gen_buffer ()
  #12 0x000055d442bbc6d3 in cpu_tb_exec (itb=<optimized out>, cpu=0x0) at 
accel/tcg/cpu-exec.c:172
  #13 0x000055d442bbc6d3 in cpu_loop_exec_tb (tb_exit=<synthetic pointer>, 
last_tb=<synthetic pointer>, tb=<optimized out>, cpu=0x0) at 
accel/tcg/cpu-exec.c:618
  #14 0x000055d442bbc6d3 in cpu_exec (cpu=cpu@entry=0x55d443ec0550) at 
accel/tcg/cpu-exec.c:731
  #15 0x000055d442b88580 in tcg_cpu_exec (cpu=0x55d443ec0550) at cpus.c:1405
  #16 0x000055d442b8a6f4 in qemu_tcg_cpu_thread_fn 
(arg=arg@entry=0x55d443ec0550) at cpus.c:1713
  #17 0x000055d442faeb7b in qemu_thread_start (args=<optimized out>) at 
util/qemu-thread-posix.c:519
  #18 0x00007fe1e8ece4c0 in start_thread () at /lib64/libpthread.so.0
  #19 0x00007fe1e8dfc163 in clone () at /lib64/libc.so.6

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1861562/+subscriptions