From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
        id 1MpB1z-000445-Le
        for qemu-devel@nongnu.org; Sat, 19 Sep 2009 21:15:59 -0400
Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
        id 1MpB1v-00043c-So
        for qemu-devel@nongnu.org; Sat, 19 Sep 2009 21:15:59 -0400
Received: from [199.232.76.173] (port=33064 helo=monty-python.gnu.org)
        by lists.gnu.org with esmtp (Exim 4.43) id 1MpB1v-00043Z-Nf
        for qemu-devel@nongnu.org; Sat, 19 Sep 2009 21:15:55 -0400
Received: from lms.your-server.de ([213.133.106.252]:36999)
        by monty-python.gnu.org with esmtps (TLS-1.0:DHE_RSA_3DES_EDE_CBC_SHA1:24)
        (Exim 4.60) (envelope-from ) id 1MpB1v-000390-1a
        for qemu-devel@nongnu.org; Sat, 19 Sep 2009 21:15:55 -0400
Received: from [91.41.123.66] (helo=[192.168.2.38])
        by lms.your-server.de with esmtpa (Exim 4.50) id 1MpB1q-0004pI-R2
        for qemu-devel@nongnu.org; Sun, 20 Sep 2009 03:15:51 +0200
Message-ID: <4AB58239.5010602@beutner.name>
Date: Sun, 20 Sep 2009 03:15:37 +0200
From: Gunnar Beutner
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Subject: [Qemu-devel] Using SCSI disks causes segfaults
List-Id: qemu-devel.nongnu.org
To: qemu-devel@nongnu.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello QEMU devs,

I'm seeing some rather peculiar crashes here when using emulated SCSI disks.
But let me give you some general information about my QEMU installation first:

QEMU version: 0.11.0-rc2, also reproduced with 0.10.6
QEMU configure flags: ./configure --prefix=/opt/qemu --target-list=x86_64-softmmu --enable-debug
KVM version: kvm-kmod-devel-88 "srcversion: 582A2669898E61DCDFACF8D" (however, this problem also happens when KVM/KQEMU is disabled)
Kernel (host): Linux 2.6.30 (vanilla) x64
Kernel (vm): Linux 2.6.30 (vanilla) x64, also reproduced this using Debian lenny's kernel (2.6.26-1-amd64)

What I'm trying to do is to assign two SATA disks to a virtual machine as SCSI devices. Here's how I'm starting QEMU:

/opt/qemu/bin/qemu-system-x86_64 -enable-kvm -drive if=scsi,file=/dev/sda -drive if=scsi,file=/dev/sdb -net nic,model=rtl8139,macaddr=00:1d:92:f3:ad:dc -net socket,fd=200 -vnc :1,password -k de -monitor stdio -S -usbdevice tablet -m 256 -smp 1 -boot order=n

Both disks (sda, sdb) have the following partition layout:

Disk /dev/sda: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00041e09

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1               1         523     4200997   fd  Linux raid autodetect
/dev/sda2             524         785     2104515   fd  Linux raid autodetect
/dev/sda3             786       60801   482078520   fd  Linux raid autodetect

The virtual machine boots a minimal Debian installation using PXE.
Once that's running the following commands are executed inside the VM:

mdadm --create /dev/md0 -l 1 -n 2 /dev/sda1 /dev/sdb1
mdadm --create /dev/md1 -l 1 -n 2 /dev/sda2 /dev/sdb2
mdadm --create /dev/md2 -l 1 -n 2 /dev/sda3 /dev/sdb3
mkswap /dev/md0
mkfs /dev/md1
mkfs /dev/md2

About half-way through the last "mkfs" I'm getting the following errors in the QEMU console:

lsi_scsi: error: IO with unknown tag 65653
scsi-disk: Tag 0x10075 already in use
scsi-disk: Tag 0x10053 already in use

QEMU crashes as soon as mkfs is finished or when stopping mkfs either using CTRL+C or CTRL+S (once the previously shown errors show up in the QEMU console):

lsi_scsi: error: IO with unknown tag 65813
lsi_scsi: error: IO with unknown tag 65831
lsi_scsi: error: IO with unknown tag 65845
lsi_scsi: error: IO with unknown tag 65867
/root/startqemu: line 2: 24453 Segmentation fault      (core dumped) /opt/qemu/bin/qemu-system-x86_64 -enable-kvm -drive if=scsi,file=/dev/sda -drive if=scsi,file=/dev/sdb -net nic,model=rtl8139,macaddr=00:1d:92:f3:ad:dc -net socket,fd=200 -vnc :1,password -k de -monitor stdio -S -usbdevice tablet -m 256 -smp 1 -boot order=n

For some reason the number/size of md devices matters. I can't seem to (directly) reproduce the crash with just one md device or differently sized partitions. However these crashes also happen during normal operation (i.e. not just when running mkfs) at irregular intervals - at least when md devices are involved.

Sometimes I am getting kernel panics (rather than QEMU segfaults) which appear to be directly related to the LSI SCSI kernel module:

http://gunnar.beutner.name/try10
http://gunnar.beutner.name/try11

I've been trying to reproduce this problem for a while now and (so far) I'm getting two distinct stacktraces from the crashes:

(gdb) bt full
#0  0x00007f26f11b100b in memcpy () from /lib/libc.so.6
No symbol table info available.
#1  0x0000000000518da4 in cpu_physical_memory_rw (addr=146219008, buf=0x0, len=4096, is_write=1) at /root/qemu-0.11.0-rc2/exec.c:3151
        addr1 = 146219008
        l = 4096
        io_index = 0
        ptr = (uint8_t *) 0x7f26e3fb1000 "À;9\230"
        val = 0
        page = 146219008
        pd = 146219008
        p = (PhysPageDesc *) 0xcf1b90
#2  0x000000000057e677 in cpu_physical_memory_write (addr=146219008, buf=0x0, len=4096) at ../cpu-common.h:59
No locals.
#3  0x000000000057e572 in lsi_do_dma (s=0xc7f820, out=0) at /root/qemu-0.11.0-rc2/hw/lsi53c895a.c:521
        count = 4096
        addr = 146219008
#4  0x000000000057f7a1 in lsi_execute_script (s=0xc7f820) at /root/qemu-0.11.0-rc2/hw/lsi53c895a.c:992
        insn = 285212672
        addr = 146219008
        addr_high = 0
        opcode = 4
        insn_processed = 77
#5  0x000000000057e3cb in lsi_resume_script (s=0xc7f820) at /root/qemu-0.11.0-rc2/hw/lsi53c895a.c:476
No locals.
#6  0x000000000057eb64 in lsi_command_complete (opaque=0xc7f820, reason=0, tag=65853, arg=0) at /root/qemu-0.11.0-rc2/hw/lsi53c895a.c:652
        s = (LSIState *) 0xc7f820
        out = 1
#7  0x00000000004bf058 in scsi_command_complete (r=0xdecaf0, status=0, sense=0) at /root/qemu-0.11.0-rc2/hw/scsi-disk.c:147
        s = (SCSIDeviceState *) 0xc9ebd0
        tag = 65853
#8  0x00000000004bf3fd in scsi_write_complete (opaque=0xdecaf0, ret=0) at /root/qemu-0.11.0-rc2/hw/scsi-disk.c:258
        r = (SCSIRequest *) 0xdecaf0
        s = (SCSIDeviceState *) 0xc9ebd0
        len = 24576
        n = 48
#9  0x00000000004ae0cd in posix_aio_read (opaque=0xc5fcb0) at block/raw-posix.c:553
        s = (PosixAioState *) 0xc5fcb0
        acb = (RawAIOCB *) 0x105ca10
        pacb = (RawAIOCB **) 0xc5fcb8
        ret = 0
        len = 1
#10 0x000000000040d463 in main_loop_wait (timeout=5000) at /root/qemu-0.11.0-rc2/vl.c:4129
        pioh = (IOHandlerRecord **) 0x40d7c2
        ioh = (IOHandlerRecord *) 0xc5fd20
        rfds = {fds_bits = {64, 0 }}
        wfds = {fds_bits = {0 }}
        xfds = {fds_bits = {0 }}
        ret = 1
        nfds = 200
        tv = {tv_sec = 4, tv_usec = 999995}
#11 0x000000000040da97 in main_loop () at /root/qemu-0.11.0-rc2/vl.c:4347
        r = 0
#12 0x0000000000411046 in main (argc=25, argv=0x7fff648784a8, envp=0x7fff64878578) at /root/qemu-0.11.0-rc2/vl.c:6142
        gdbstub_dev = 0x0
        boot_devices_bitmap = 8192
        i = 1
        snapshot = 0
        linux_boot = 0
        net_boot = 1
        initrd_filename = 0x0
        kernel_filename = 0x0
        kernel_cmdline = 0x586a68 ""
        boot_devices = "n\000d", '\0'
        ds = (DisplayState *) 0xc8f740
        dcl = (DisplayChangeListener *) 0x0
        cyls = 0
        heads = 0
        secs = 0
        translation = 0
        net_clients = {0x7fff648794c4 "nic,model=rtl8139,macaddr=00:1d:92:f3:ad:dc", 0x7fff648794f5 "socket,fd=200", 0xd82b830, 0x7fff64878210 "", 0x0, 0x7f26f2a055ae "\205À\017\217z\001", 0x0, 0x7f26f2affc08 "h;@", 0x7f2600000001, 0x0, 0x100000001, 0x7f26f2affc08 "h;@", 0x7f26f2c16358 "¸bÁò&\177", 0x7fff64878270 "\002", 0x1f2c16000, 0x7f26f2affc08 "h;@", 0x7f26f2c16358 "¸bÁò&\177", 0x7fff64878290 "ðþÅ", 0x7f26f2c16000 "", 0x40384c "memset", 0x0, 0x7f26f2afe528 "ô\222\024ñ&\177", 0x1, 0x0, 0x7fff00000001, 0x7fff648782e8 "", 0xc53b745f, 0x7f26f2a04eac "\205Àt\"A\213D$\f\205Àu\027\205í\017\037D", 0x100000000, 0x7f26f2affb40 "°tÀò&\177", 0xa, 0x1a}
        nb_net_clients = 2
        bt_opts = {0x0, 0x7f26f2affc08 "h;@", 0x7f26f2c074b0 "", 0x40384c "memset", 0x7f26f1143fd8 "", 0x400e10 "T\f", 0x100000000, 0x10000031d, 0xd39ad3d, 0x7f26f2c16358 "¸bÁò&\177"}
        nb_bt_opts = 0
        hda_index = -1
        optind = 25
        r = 0x7fff6487954c "-boot"
        optarg = 0x7fff64879552 "order=n"
        monitor_hd = (CharDriverState *) 0xc5fef0
        monitor_device = 0x7fff64879523 "stdio"
        serial_devices = {0x589aa0 "vc:80Cx24C", 0x0, 0x0, 0x0}
        serial_device_index = 0
        parallel_devices = {0x589aa0 "vc:80Cx24C", 0x0, 0x0}
        parallel_device_index = 0
        virtio_consoles = {0x0}
        virtio_console_index = 0
        loadvm = 0x0
        machine = (QEMUMachine *) 0x844e60
        cpu_model = 0x0
        usb_devices = {0x7fff64879537 "tablet", 0x7f26f2a04eac "\205Àt\"A\213D$\f\205Àu\027\205í\017\037D", 0x7f26f29fc848 "à»!", 0x7f26f2affb40 "°tÀò&\177", 0xa, 0x7f26f2a04eac "\205Àt\"A\213D$\f\205Àu\027\205í\017\037D", 0xd39ad3d, 0x7f26f2affb40 "°tÀò&\177"}
        usb_devices_index = 1
        fds = {-224410832, 32550}
        tb_size = 0
        pid_file = 0x0
        incoming = 0x0
        fd = 0
        pwd = (struct passwd *) 0x0
        chroot_dir = 0x0
        run_as = 0x0
        env = (struct CPUX86State *) 0x0
        show_vnc_port = 0
        params = {0x589a5f "order", 0x589a65 "once", 0x589a6a "menu", 0x0}
(gdb)

----------------------

and (this particular crash is actually from qemu-kvm-0.11.0-rc2, not sure if the -kvm bits make any difference though):

(gdb) bt full
#0  0x00000000004a0dc6 in qemu_aio_release (p=0x106ca10) at block.c:1529
        acb = (BlockDriverAIOCB *) 0x106ca10
        pool = (AIOPool *) 0x0
#1  0x00000000004b990d in posix_aio_read (opaque=0xc71cb0) at block/raw-posix.c:567
        s = (PosixAioState *) 0xc71cb0
        acb = (RawAIOCB *) 0x106ca10
        pacb = (RawAIOCB **) 0xc71cb8
        ret = 0
        offset = 128
        sig = {siginfo = {ssi_signo = 12, pad = "\000\000\000\000\000\000\000\000ôX", '\0' }, buf = "\f", '\0' , "ôX", '\0' }
#2  0x000000000040e301 in main_loop_wait (timeout=1000) at /root/qemu-kvm-0.11.0-rc2/vl.c:4188
        pioh = (IOHandlerRecord **) 0xc6f7c8
        ioh = (IOHandlerRecord *) 0xc71d20
        rfds = {fds_bits = {64, 0 }}
        wfds = {fds_bits = {0 }}
        xfds = {fds_bits = {0 }}
        ret = 1
        nfds = 200
        tv = {tv_sec = 0, tv_usec = 999874}
#3  0x000000000042d36e in kvm_main_loop () at /root/qemu-kvm-0.11.0-rc2/qemu-kvm.c:2079
        fds = {14, 15}
        mask = {__val = {268443648, 0 }}
        sigfd = 16
#4  0x000000000040e9bb in main_loop () at /root/qemu-kvm-0.11.0-rc2/vl.c:4393
        r = 0
#5  0x0000000000411f7b in main (argc=24, argv=0x7fff78551208, envp=0x7fff785512d0) at /root/qemu-kvm-0.11.0-rc2/vl.c:6263
        gdbstub_dev = 0x0
        boot_devices_bitmap = 8192
        i = 1
        snapshot = 0
        linux_boot = 0
        net_boot = 1
        initrd_filename = 0x0
        kernel_filename = 0x0
        kernel_cmdline = 0x5931b0 ""
        boot_devices = "n\000d", '\0'
        ds = (DisplayState *) 0xcbd940
        dcl = (DisplayChangeListener *) 0x0
        cyls = 0
        heads = 0
        secs = 0
        translation = 0
        net_clients = {0x7fff785534da "nic,macaddr=00:1d:92:f3:ad:dc", 0x7fff785534fd "socket,fd=200", 0xd82b830, 0x7fff78550f70 "", 0x0, 0x7f27390535ae "\037", 0x0, 0x7f2739149d50 "ÍA@", 0x1, 0x0, 0x100000001, 0x7f2739149d50 "ÍA@", 0x7f2739264358 "¸B&9'\177", 0x7fff78550fd0 "\002", 0x139264000, 0x7f2739149d50 "ÍA@", 0x7f2739264358 "¸B&9'\177", 0x7fff78550ff0 "°zÇ", 0x7f2739264000 "", 0x403e7c "memset", 0x2b43e9ed, 0x7fff78551000 "\b\022Ux", 0x0, 0x7f27390535ae "\037", 0x0, 0x7f27391474e0 "jªÜ3'\177", 0x1, 0x7f2739052eac "\037D", 0x100000001, 0x7f2739149c60 "\2009%9'\177", 0xe, 0x23}
        nb_net_clients = 2
        bt_opts = {0x0, 0x7f2739149d50 "ÍA@", 0x7f2739253980 "", 0x403e7c "memset", 0x7f2736f60fd8 "", 0x401430 "D\016", 0x100000000, 0x10000031d, 0xd39ad3d, 0x7f2739264358 "¸B&9'\177"}
        nb_bt_opts = 0
        hda_index = -1
        optind = 24
        r = 0x7fff78553554 "-boot"
        optarg = 0x7fff7855355a "n"
        monitor_hd = (CharDriverState *) 0xc77ab0
        monitor_device = 0x7fff7855352b "stdio"
        serial_devices = {0x5967e0 "vc:80Cx24C", 0x0, 0x0, 0x0}
        serial_device_index = 0
        parallel_devices = {0x5967e0 "vc:80Cx24C", 0x0, 0x0}
        parallel_device_index = 0
        virtio_consoles = {0x0}
        virtio_console_index = 0
        loadvm = 0x0
        machine = (QEMUMachine *) 0x855e80
        cpu_model = 0x0
        usb_devices = {0x7fff7855353f "tablet", 0x7f2739052eac "\037D", 0x7f273904a848 "\020æ", 0x7f2739149c60 "\2009%9'\177", 0xe, 0x7f2739052eac "\037D", 0xd39ad3d, 0x7f2739149c60 "\2009%9'\177"}
        usb_devices_index = 1
        fds = {956605232, 32551}
        tb_size = 0
        pid_file = 0x0
        incoming = 0x0
        fd = 0
        pwd = (struct passwd *) 0x0
        chroot_dir = 0x0
        run_as = 0x0
        env = (struct CPUX86State *) 0x0
        show_vnc_port = 0
        params = {0x5967af "order", 0x5967b5 "once", 0x5967ba "menu", 0x0}
(gdb)

I would love to run the md RAID in the host and use IDE instead of SCSI. However, unfortunately this is not an option for me as I'm trying to run an existing installation of Linux with QEMU which I cannot make any modifications to.

Please let me know if you need any further details for my bug report.

Best regards
Gunnar Beutner
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkq1gjkACgkQUdP8VAVyiv+ssgCeKJLwT3myb6DDtwpmwNflfaFI
5FcAmwcQI4w4HyqPh/B8UZ25EQqnsJkz
=2z0Z
-----END PGP SIGNATURE-----