From: Avi Kivity <avi@redhat.com>
To: Markus Armbruster <armbru@redhat.com>
Cc: Blue Swirl <blauwirbel@gmail.com>,
jan.kiszka@siemens.com, qemu-devel@nongnu.org,
Anthony Liguori <anthony@codemonkey.ws>,
peter.maydell@linaro.org
Subject: Re: [Qemu-devel] Funny -m arguments can crash
Date: Tue, 14 Aug 2012 16:25:22 +0300
Message-ID: <502A51C2.6060104@redhat.com>
In-Reply-To: <87txw520cn.fsf@blackfin.pond.sub.org>
On 08/14/2012 02:12 PM, Markus Armbruster wrote:
> Avi Kivity <avi@redhat.com> writes:
>
>> On 08/14/2012 11:44 AM, Markus Armbruster wrote:
> [...]
>>> And another one:
>>>
>>> $ qemu-system-x86_64 -nodefaults --enable-kvm -vnc :0 -monitor
>>> stdio -m 900k
>>> QEMU 1.1.50 monitor - type 'help' for more information
>>> (qemu) KVM internal error. Suberror: 1
>>> emulation failure
>>> EAX=000fdb78 EBX=00000000 ECX=00000000 EDX=000fdb64
>>> ESI=00000000 EDI=000fdb64 EBP=00000000 ESP=00006f98
>>> EIP=000e3492 EFL=00000006 [-----P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
>>> ES =0010 00000000 ffffffff 00c09300 DPL=0 DS [-WA]
>>> CS =0008 00000000 ffffffff 00c09b00 DPL=0 CS32 [-RA]
>>> SS =0010 00000000 ffffffff 00c09300 DPL=0 DS [-WA]
>>> DS =0010 00000000 ffffffff 00c09300 DPL=0 DS [-WA]
>>> FS =0010 00000000 ffffffff 00c09300 DPL=0 DS [-WA]
>>> GS =0010 00000000 ffffffff 00c09300 DPL=0 DS [-WA]
>>> LDT=0000 00000000 0000ffff 00008200 DPL=0 LDT
>>> TR =0000 00000000 0000ffff 00008b00 DPL=0 TSS32-busy
>>> GDT= 000fcd68 00000037
>>> IDT= 000fdb60 00000000
>>> CR0=00000011 CR2=00000000 CR3=00000000 CR4=00000000
>>> DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000
>>> DR3=0000000000000000
>>> DR6=00000000ffff0ff0 DR7=0000000000000400
>>> EFER=0000000000000000
>>> Code=00 00 b8 26 00 00 00 eb 95 83 c8 ff 83 c4 4c 5b 5e 5f 5d c3
>>> <57> 56 53 89 d6 39 c2 72 06 89 c7 f3 a4 eb 1b 8d 51 ff 01 d0 01 d6
>>> 89 cf 31 d2 eb 08 8a 1c
>>> q
>>>
>>
>> Not sure what the problem is. 57 is a push reg instruction which we
>> ought to emulate fine.
>>
>> 900k is 0xe1000, just below eip, but we ought to execute just fine from
>> unshadowed ROM.
>>
>>
>>> Breakpoint on kvm_handle_internal_error() yields backtrace:
>>>
>>> #0 kvm_handle_internal_error (env=0x1389b30, run=0x7ffff7ffa000)
>>> at /work/armbru/qemu/kvm-all.c:1424
>>> #1 0x0000000000674c5a in kvm_cpu_exec (env=0x1389b30)
>>> at /work/armbru/qemu/kvm-all.c:1586
>>> #2 0x000000000060e0b4 in qemu_kvm_cpu_thread_fn (arg=0x1389b30)
>>> at /work/armbru/qemu/cpus.c:757
>>> #3 0x0000003b0ea07d14 in start_thread () from /lib64/libpthread.so.0
>>> #4 0x0000003b0def197d in clone () from /lib64/libc.so.6
>>>
>>> Also seen with 904k, 908k, 964k, 968k, 972k, 976k, and a whole lot more.
>>
>> Same EIP in the dump with those?
>
> Offenders within 1s in range 868k..1028k step 4:
>
> 900
> EIP=000e3492 EFL=00000006 [-----P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
> 904
> EIP=000e3492 EFL=00000006 [-----P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
> 908
> EIP=000e3492 EFL=00000006 [-----P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
> 916
> EIP=000e570e EFL=00000012 [----A--] CPL=0 II=0 A20=1 SMM=0 HLT=0
> 964
> EIP=000f2b76 EFL=00000012 [----A--] CPL=0 II=0 A20=1 SMM=0 HLT=0
> 968
> EIP=000f2b76 EFL=00000012 [----A--] CPL=0 II=0 A20=1 SMM=0 HLT=0
> 972
> EIP=000fc6db EFL=00000087 [--S--PC] CPL=0 II=0 A20=1 SMM=0 HLT=0
> 976
> EIP=000fc6db EFL=00000087 [--S--PC] CPL=0 II=0 A20=1 SMM=0 HLT=0
> 980
> EIP=000fc6db EFL=00000087 [--S--PC] CPL=0 II=0 A20=1 SMM=0 HLT=0
> 984
> EIP=000fc6db EFL=00000087 [--S--PC] CPL=0 II=0 A20=1 SMM=0 HLT=0
> 988
> EIP=000fc6db EFL=00000087 [--S--PC] CPL=0 II=0 A20=1 SMM=0 HLT=0
> 992
> EIP=000fc6db EFL=00000087 [--S--PC] CPL=0 II=0 A20=1 SMM=0 HLT=0
> 996
> EIP=000fc6db EFL=00000087 [--S--PC] CPL=0 II=0 A20=1 SMM=0 HLT=0
> 1000
> EIP=000fc6db EFL=00000087 [--S--PC] CPL=0 II=0 A20=1 SMM=0 HLT=0
> 1004
> EIP=000fc6db EFL=00000087 [--S--PC] CPL=0 II=0 A20=1 SMM=0 HLT=0
> 1008
> EIP=000fc6db EFL=00000087 [--S--PC] CPL=0 II=0 A20=1 SMM=0 HLT=0
> 1012
> EIP=000fe69f EFL=00000087 [--S--PC] CPL=0 II=0 A20=1 SMM=0 HLT=0
> 1016
> EIP=000fe69f EFL=00000083 [--S---C] CPL=0 II=0 A20=1 SMM=0 HLT=0
> 1020
> EIP=0000f000 EFL=00000046 [---Z-P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
>
Seems like crash eip always > end of memory.
It's the new flash firmware: it's set up as rom_device, and we can't
execute from that (yet). There's a patchset to allow that, but it's not
merged yet.
If you set pc-sysfw.rom_only, it should work.
--
error compiling committee.c: too many arguments to function
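The observation in the reply above (the faulting EIP always lies beyond the end of guest RAM, inside the area where the firmware flash is mapped) can be checked mechanically against the register dumps posted in the thread. The script below is an added example, not code from QEMU or from anyone in this thread. It assumes that `-m` takes binary suffixes (`k`, `M`, `G`) and that a bare number means MiB, as QEMU's `-m` did at the time, and it takes `[0xe0000, 0x100000)` as the conventional legacy PC BIOS window; the table format it parses is the "size in KiB, then register line" layout Markus posted, and the embedded sample rows are copied from that table.

```python
"""Triage helper for KVM 'internal error' dumps produced with odd -m sizes.

Added example for this thread; not QEMU code.  Assumptions (not from the
thread): -m uses binary suffixes and a bare number is MiB; the legacy PC
BIOS window is [0xe0000, 0x100000).
"""
import re

# Shift applied to the numeric part of an -m argument, by suffix.
_SUFFIX_SHIFT = {"": 20, "k": 10, "m": 20, "g": 30}

# Assumed legacy BIOS window on a PC machine type (E0000h..FFFFFh).
LEGACY_BIOS_WINDOW = (0xE0000, 0x100000)

_EIP_RE = re.compile(r"EIP=([0-9a-fA-F]{8})")


def parse_mem_size(arg):
    """Translate an -m argument into a byte count, e.g. '900k' -> 0xe1000."""
    m = re.fullmatch(r"\s*(\d+)\s*([kKmMgG]?)\s*", arg)
    if not m:
        raise ValueError("unrecognised -m argument: %r" % arg)
    return int(m.group(1)) << _SUFFIX_SHIFT[m.group(2).lower()]


def extract_eip(dump_line):
    """Pull the faulting EIP out of one KVM register-dump line."""
    m = _EIP_RE.search(dump_line)
    if not m:
        raise ValueError("no EIP= field in %r" % dump_line)
    return int(m.group(1), 16)


def classify_fault(mem_bytes, eip):
    """Describe where EIP sits relative to the end of RAM and the BIOS window."""
    verdict = "above end of RAM" if eip >= mem_bytes else "inside RAM"
    lo, hi = LEGACY_BIOS_WINDOW
    if lo <= eip < hi:
        verdict += ", in legacy BIOS window"
    return verdict


def parse_offender_table(text):
    """Parse the 'size-in-KiB line, then register line' table from the thread.

    Returns a list of (mem_bytes, eip) pairs; stray lines are ignored.
    """
    results = []
    size_kib = None
    for line in text.splitlines():
        line = line.strip()
        if line.isdigit():
            size_kib = int(line)
        elif "EIP=" in line and size_kib is not None:
            results.append((size_kib << 10, extract_eip(line)))
            size_kib = None
    return results


def triage(text):
    """Classify every dump in a table; returns (mem_bytes, eip, verdict)."""
    return [(mem, eip, classify_fault(mem, eip))
            for mem, eip in parse_offender_table(text)]


# Sample rows taken from the table posted earlier in the thread.
SAMPLE_TABLE = """\
900
EIP=000e3492 EFL=00000006 [-----P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
1012
EIP=000fe69f EFL=00000087 [--S--PC] CPL=0 II=0 A20=1 SMM=0 HLT=0
1020
EIP=0000f000 EFL=00000046 [---Z-P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
"""

if __name__ == "__main__":
    for mem, eip, verdict in triage(SAMPLE_TABLE):
        print("-m %dk  RAM ends at 0x%x  EIP=0x%05x  %s"
              % (mem >> 10, mem, eip, verdict))
```

Run stand-alone, it prints one line per dump; the 900k and 1012k rows come out as "above end of RAM, in legacy BIOS window", while the 1020k row (EIP 0xf000) lands inside RAM, which is why that case looks different from the rest of the table.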
2012-07-25 11:49 [Qemu-devel] Funny -m arguments can crash Markus Armbruster
2012-07-27 19:00 ` Blue Swirl
2012-07-28 6:41 ` Markus Armbruster
2012-07-28 8:29 ` Blue Swirl
2012-07-30 12:56 ` Markus Armbruster
2012-07-30 15:05 ` Blue Swirl
2012-08-08 9:04 ` Markus Armbruster
2012-08-08 9:16 ` Peter Maydell
2012-08-08 10:02 ` Markus Armbruster
2012-08-08 9:48 ` Avi Kivity
2012-08-13 13:41 ` Markus Armbruster
2012-08-13 13:56 ` Avi Kivity
2012-08-13 14:02 ` Gleb Natapov
2012-08-13 14:04 ` Avi Kivity
2012-08-13 14:10 ` Gleb Natapov
2012-08-13 20:35 ` Blue Swirl
2012-08-19 19:26 ` Kevin O'Connor
2012-08-13 14:19 ` Anthony Liguori
2012-08-13 14:46 ` Markus Armbruster
2012-08-14 8:44 ` Markus Armbruster
2012-08-14 10:20 ` Avi Kivity
2012-08-14 10:44 ` Jan Kiszka
2012-08-14 10:51 ` Avi Kivity
2012-08-14 11:01 ` Jan Kiszka
2012-08-14 13:16 ` Avi Kivity
2012-08-14 13:25 ` Jan Kiszka
2012-08-14 13:42 ` Avi Kivity
2012-08-14 11:12 ` Markus Armbruster
2012-08-14 13:25 ` Avi Kivity [this message]