Bug 834262

Summary: RHEL6 guest kernel panic when try to format rw floppy with -drive ... -global ...
Product: Red Hat Enterprise Linux 6 Reporter: Joy Pu <ypu>
Component: kernel Assignee: John Snow <jsnow>
Status: CLOSED WONTFIX QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.3 CC: areis, chayang, juzhang, mkenneth, phrdina, rbalakri, rpacheco, shuang, virt-bugs, virt-maint, ypu
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-03 19:44:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Joy Pu 2012-06-21 11:31:51 UTC
Description of problem:
Trying to format a floppy to ext3 with mkfs, with the floppy attached via -drive ... -global ..., will cause a guest kernel panic. The same operation with -fda works well.
call trace:
2012-06-21 18:03:48: Floppy drive(s): fd0 is 1.44M
2012-06-21 18:03:48: FDC 0 is a S82078B
2012-06-21 18:03:49: BUG: unable to handle kernel NULL pointer dereference at 0000000000000035
2012-06-21 18:03:49: IP: [<ffffffffa011e6ab>] setup_rw_floppy+0x6b/0x380 [floppy]
2012-06-21 18:03:49: PGD bafd4067 PUD bb4f5067 PMD 0
2012-06-21 18:03:49: Oops: 0000 [#1] SMP
2012-06-21 18:03:49: last sysfs file: /sys/devices/platform/floppy.0/block/fd0/dev
2012-06-21 18:03:49: CPU 1
2012-06-21 18:03:49: Modules linked in: floppy sunrpc ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables ipv6 uinput microcode sg i2c_piix4 i2c_core ext4 mbcache jbd2 virtio_net sd_mod crc_t10dif virtio_pci virtio_ring virtio pata_acpi ata_generic ata_piix dm_mirror dm_region_hash dm_log dm_mod [last unloaded: mperf]
2012-06-21 18:03:49:
2012-06-21 18:03:49: Pid: 0, comm: swapper Not tainted 2.6.32-279.el6.x86_64 #1 Red Hat KVM
2012-06-21 18:03:49: RIP: 0010:[<ffffffffa011e6ab>]  [<ffffffffa011e6ab>] setup_rw_floppy+0x6b/0x380 [floppy]
2012-06-21 18:03:49: RSP: 0018:ffff880002303e20  EFLAGS: 00010246
2012-06-21 18:03:49: RAX: 0000000000000000 RBX: 00000000000000d9 RCX: 0000000000000000
2012-06-21 18:03:49: RDX: 0000000000000014 RSI: 0000000000000246 RDI: 00000000ffffffff
2012-06-21 18:03:49: RBP: ffff880002303e40 R08: ffff88000230e0e0 R09: 0000000e12fb4800
2012-06-21 18:03:49: R10: 0000000000000000 R11: 0000000000000013 R12: 0000000000000000
2012-06-21 18:03:49: R13: 0000000000000008 R14: 0000000000000009 R15: ffffffffa011e640
2012-06-21 18:03:49: FS:  00007f5a90c63840(0000) GS:ffff880002300000(0000) knlGS:0000000000000000
2012-06-21 18:03:49: CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
2012-06-21 18:03:49: CR2: 0000000000000035 CR3: 00000000bca29000 CR4: 00000000000006e0
2012-06-21 18:03:49: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
2012-06-21 18:03:49: DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
2012-06-21 18:03:49: Process swapper (pid: 0, threadinfo ffff8800be8fe000, task ffff8800be8fd540)
2012-06-21 18:03:49: Stack:
2012-06-21 18:03:49:  ffff8800be8d8000 ffffffffa0123d20 ffff880002303e90 0000000000000000
2012-06-21 18:03:49: <d> ffff880002303ed0 ffffffff8107e897 000000000001356c ffff8800be8d9c20
2012-06-21 18:03:49: <d> ffff8800be8d9820 ffff8800be8d9420 ffff8800be8fffd8 ffff8800be8fffd8
2012-06-21 18:03:49: Call Trace:
2012-06-21 18:03:49:  <IRQ>
2012-06-21 18:03:49:  [<ffffffff8107e897>] run_timer_softirq+0x197/0x340
2012-06-21 18:03:49:  [<ffffffff8102b40d>] ? lapic_next_event+0x1d/0x30
2012-06-21 18:03:49:  [<ffffffff81073ec1>] __do_softirq+0xc1/0x1e0
2012-06-21 18:03:49:  [<ffffffff81096c50>] ? hrtimer_interrupt+0x140/0x250
2012-06-21 18:03:49:  [<ffffffff8100c24c>] call_softirq+0x1c/0x30
2012-06-21 18:03:49:  [<ffffffff8100de85>] do_softirq+0x65/0xa0
2012-06-21 18:03:49:  [<ffffffff81073ca5>] irq_exit+0x85/0x90
2012-06-21 18:03:49:  [<ffffffff81505be0>] smp_apic_timer_interrupt+0x70/0x9b
2012-06-21 18:03:49:  [<ffffffff8100bc13>] apic_timer_interrupt+0x13/0x20
2012-06-21 18:03:49:  <EOI>
2012-06-21 18:03:49:  [<ffffffff810387cb>] ? native_safe_halt+0xb/0x10
2012-06-21 18:03:49:  [<ffffffff810149cd>] default_idle+0x4d/0xb0
2012-06-21 18:03:49:  [<ffffffff81009e06>] cpu_idle+0xb6/0x110
2012-06-21 18:03:49:  [<ffffffff814f6cdf>] start_secondary+0x22a/0x26d
2012-06-21 18:03:49: Code: e5 08 75 6c 45 31 e4 45 31 f6 80 78 35 00 74 24 49 63 d6 41 83 c6 01 0f be 7c 10 36 e8 0f e0 ff ff 41 09 c4 48 8b 05 d5 6e 00 00 <0f> b6 50 35 44 39 f2 7f dc 0f b6 05 59 79 00 00 48 c1 e0 07 f6
2012-06-21 18:03:49: RIP  [<ffffffffa011e6ab>] setup_rw_floppy+0x6b/0x380 [floppy]
2012-06-21 18:03:49:  RSP <ffff880002303e20>
2012-06-21 18:03:49: CR2: 0000000000000035

Version-Release number of selected component (if applicable):
host kernel: 2.6.32-279.el6.x86_64
# rpm -qa |grep qemu
qemu-kvm-0.12.1.2-2.295.el6.x86_64
qemu-guest-agent-0.12.1.2-2.295.el6.x86_64
qemu-img-0.12.1.2-2.295.el6.x86_64
gpxe-roms-qemu-0.9.7-6.9.el6.noarch
qemu-kvm-tools-0.12.1.2-2.295.el6.x86_64

guest kernel:
2.6.32-279.el6.x86_64


How reproducible:
always

Steps to Reproduce:
1. boot up guest with floppy:

2. modprobe floppy in guest
# modprobe floppy

3. try to format floppy, then guest will panic
# mkfs -t ext3 /dev/fd0

Actual results:
guest kernel panic

Expected results:
guest can format and use the floppy device

Additional info:
1. command line:
qemu-kvm -name 'vm1' -nodefaults -chardev socket,id=qmp_monitor_id_qmpmonitor1,path=/tmp/monitor-qmpmonitor1-20120620-161910-TN37,server,nowait -mon chardev=qmp_monitor_id_qmpmonitor1,mode=control -chardev socket,id=serial_id_20120620-161910-TN37,path=/tmp/serial-20120620-161910-TN37,server,nowait -device isa-serial,chardev=serial_id_20120620-161910-TN37 -device ich9-usb-uhci1,id=usb1,bus=pci.0,addr=0x4 -drive file='/root/autotest-devel/client/tests/kvm/images/RHEL-Server-6.3-64-virtio.qcow2',index=0,if=none,id=drive-ide0-0-0,media=disk,cache=none,boot=off,snapshot=off,format=qcow2,aio=native -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 -device virtio-net-pci,netdev=idWL6Tg4,mac=9a:3d:45:f3:62:8b,id=ndev00idWL6Tg4,bus=pci.0,addr=0x3 -netdev tap,id=idWL6Tg4,vhost=on,fd=22 -m 3096 -smp 2,cores=1,threads=1,sockets=2 -cpu 'Opteron_G2' -drive file='/root/autotest-devel/client/tests/kvm/images/test_floppy.img',if=none,id=fdc0-0-0,media=disk,snapshot=off,readonly=off,format=raw -global isa-fdc.driveA=fdc0-0-0 -device usb-tablet,id=usb-tablet1,bus=usb1.0 -vnc :0 -vga std -rtc base=utc,clock=host,driftfix=slew -M rhel6.3.0 -boot order=cdn,once=c,menu=off    -no-kvm-pit-reinjection -bios /usr/share/seabios/bios-pm.bin -enable-kvm 

2. host cpu
processor	: 1
vendor_id	: AuthenticAMD
cpu family	: 15
model		: 107
model name	: AMD Athlon(tm) Dual Core Processor 5400B
stepping	: 2
cpu MHz		: 2800.000
cache size	: 512 KB
physical id	: 0
siblings	: 2
core id		: 1
cpu cores	: 2
apicid		: 1
initial apicid	: 1
fpu		: yes
fpu_exception	: yes
cpuid level	: 1
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt rdtscp lm 3dnowext 3dnow rep_good extd_apicid pni cx16 lahf_lm cmp_legacy svm extapic cr8_legacy 3dnowprefetch lbrv
bogomips	: 5611.56
TLB size	: 1024 4K pages
clflush size	: 64
cache_alignment	: 64
address sizes	: 40 bits physical, 48 bits virtual
power management: ts fid vid ttp tm stc 100mhzsteps

Comment 2 Ademar Reis 2012-06-29 15:15:13 UTC
Is this configuration supported by libvirt, or are you calling qemu by hand with a custom config? (just so that we have a better idea of the priority of this bug)

Comment 3 Joy Pu 2012-07-02 02:37:19 UTC
Hi Ademar

Tried booting the guest with a floppy via virsh using this XML:
    <disk type='file' device='floppy'>
      <driver name='qemu' type='raw'/>
      <source file='/home/kvm_autotest_root/images/fd1.img'/>
      <target dev='fda' bus='fdc'/>
      <readonly/>
    </disk>

And the resulting command line part uses -drive ... -global ...:
 -drive file=/home/kvm_autotest_root/images/fd1.img,if=none,id=drive-fdc0-0-0,readonly=on,format=raw -global isa-fdc.driveA=drive-fdc0-0-0

Comment 6 Ademar Reis 2012-09-05 13:05:15 UTC

*** This bug has been marked as a duplicate of bug 815472 ***

Comment 7 Ademar Reis 2012-09-05 13:16:48 UTC
(In reply to comment #6)
> 
> *** This bug has been marked as a duplicate of bug 815472 ***

Actually, I'll do the other way: I'll mark Bug 815472 as a dupe of this one (this one contains more details).

Comment 8 Ademar Reis 2012-09-05 13:17:39 UTC
*** Bug 815472 has been marked as a duplicate of this bug. ***

Comment 10 juzhang 2014-05-22 01:44:39 UTC
Hi Ypu,

Could you give it a try and update the testing result in the bz?

Best Regards,
Junyi

Comment 11 Joy Pu 2014-06-12 06:23:11 UTC
Now it is hard to reproduce. It reproduced once out of 600 test runs.

Steps to Reproduce:
1. boot up guest with floppy with -drive -global:

2. modprobe floppy in guest
# modprobe floppy

3. try to format floppy, then guest will panic
# mkfs -t ext3 /dev/fd0

4. mount it to the guest:
# mount /dev/fd0 /mnt/

Guest will panic after this. Output from serial port and call trace:

2014-06-11 13:28:24: Floppy drive(s): fd0 is 1.44M
2014-06-11 13:28:24: FDC 0 is a S82078B
2014-06-11 13:28:25: BUG: unable to handle kernel NULL pointer dereference at 0000000000000035
2014-06-11 13:28:25: IP: [<ffffffffa00e2a0b>] setup_rw_floppy+0x6b/0x380 [floppy]
2014-06-11 13:28:25: PGD 0
2014-06-11 13:28:25: Oops: 0000 [#1] SMP
2014-06-11 13:28:25: last sysfs file: /sys/module/mbcache/initstate
2014-06-11 13:28:25: CPU 3
2014-06-11 13:28:25: Modules linked in: ext2 floppy 8021q garp stp llc ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables ipv6 uinput microcode snd_intel8x0 snd_ac97_codec ac97_bus snd_seq snd_seq_device snd_pcm snd_timer snd soundcore snd_page_alloc i2c_piix4 i2c_core ext4 jbd2 mbcache virtio_net virtio_blk virtio_pci virtio_ring virtio pata_acpi ata_generic ata_piix dm_mirror dm_region_hash dm_log dm_mod [last unloaded: speedstep_lib]
2014-06-11 13:28:25: 
2014-06-11 13:28:25: Pid: 22, comm: events/3 Not tainted 2.6.32-431.20.2.el6.x86_64 #1 Red Hat KVM
2014-06-11 13:28:25: RIP: 0010:[<ffffffffa00e2a0b>]  [<ffffffffa00e2a0b>] setup_rw_floppy+0x6b/0x380 [floppy]
2014-06-11 13:28:25: RSP: 0018:ffff88011dc79d90  EFLAGS: 00010246
2014-06-11 13:28:25: RAX: 0000000000000000 RBX: 00000000000000da RCX: 000000000000000b
2014-06-11 13:28:25: RDX: 0000000000000000 RSI: 0000000000000246 RDI: 00000000ffffffff
2014-06-11 13:28:25: RBP: ffff88011dc79db0 R08: 20c49ba5e353f7cf R09: 0000000000000000
2014-06-11 13:28:25: R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
2014-06-11 13:28:25: R13: 0000000000000008 R14: 0000000000000009 R15: ffff880028399448
2014-06-11 13:28:25: FS:  0000000000000000(0000) GS:ffff880028380000(0000) knlGS:0000000000000000
2014-06-11 13:28:25: CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
2014-06-11 13:28:25: CR2: 0000000000000035 CR3: 0000000001a85000 CR4: 00000000000406e0
2014-06-11 13:28:25: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
2014-06-11 13:28:25: DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
2014-06-11 13:28:25: Process events/3 (pid: 22, threadinfo ffff88011dc78000, task ffff88011dc77500)
2014-06-11 13:28:25: Stack:
2014-06-11 13:28:25:  0000000000000000 0000000000000400 0000000000000000 ffff88011dc79fd8
2014-06-11 13:28:25: <d> ffff88011dc79de0 ffffffffa00e2ffe ffff880028399440 0000000000000202
2014-06-11 13:28:25: <d> ffff880028399440 ffff880028399440 ffff88011dc79e30 ffffffffa00e3585
2014-06-11 13:28:25: Call Trace:
2014-06-11 13:28:25:  [<ffffffffa00e2ffe>] floppy_ready+0x2de/0x730 [floppy]
2014-06-11 13:28:25:  [<ffffffffa00e3585>] floppy_start+0x135/0x160 [floppy]
2014-06-11 13:28:25:  [<ffffffffa00e3450>] ? floppy_start+0x0/0x160 [floppy]
2014-06-11 13:28:25:  [<ffffffff81094a20>] worker_thread+0x170/0x2a0
2014-06-11 13:28:25:  [<ffffffff8109afa0>] ? autoremove_wake_function+0x0/0x40
2014-06-11 13:28:25:  [<ffffffff810948b0>] ? worker_thread+0x0/0x2a0
2014-06-11 13:28:25:  [<ffffffff8109abf6>] kthread+0x96/0xa0
2014-06-11 13:28:25:  [<ffffffff8100c20a>] child_rip+0xa/0x20
2014-06-11 13:28:25:  [<ffffffff8109ab60>] ? kthread+0x0/0xa0
2014-06-11 13:28:25:  [<ffffffff8100c200>] ? child_rip+0x0/0x20
2014-06-11 13:28:25: Code: e5 08 75 6c 45 31 e4 45 31 f6 80 78 35 00 74 24 49 63 d6 41 83 c6 01 0f be 7c 10 36 e8 0f be ff ff 41 09 c4 48 8b 05 95 4c 00 00 <0f> b6 50 35 44 39 f2 7f dc 0f b6 05 19 57 00 00 48 c1 e0 07 f6
2014-06-11 13:28:25: RIP  [<ffffffffa00e2a0b>] setup_rw_floppy+0x6b/0x380 [floppy]
2014-06-11 13:28:25:  RSP <ffff88011dc79d90>
2014-06-11 13:28:25: CR2: 0000000000000035


kernel version:
host:
2.6.32-471
guest:
2.6.32-431.20.2

qemu version:
0.12.1.2-2.427
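As an added triage example (not part of this bug report, of QEMU or of the kernel), a small Python parser for the Oops format pasted in the description and in comment 11: it strips the serial-console timestamps, recovers the fault address, faulting symbol and module, register values, the faulting instruction bytes and the call trace, and flags a fault address as small as 0x35 as a NULL struct pointer dereferenced at a field offset. SAMPLE_OOPS is an excerpt of the 2012 trace above; the NULL-base classification and the zero-register heuristic are this example's own, and the 0x1000 threshold is an assumption.

```python
"""Triage a Linux x86_64 Oops pasted from a serial console, as in this bug.
Added example, not part of the bug report or the kernel: extracts the fault
address, faulting symbol/module, registers, the faulting instruction bytes
(the <xx> marker in Code:) and the call trace, then classifies the fault."""
import re

SERIAL_PREFIX = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}: ?")
PAGE_SIZE = 0x1000  # assumption: a fault address below this is NULL plus a field offset

# Excerpt of the 2012 trace from this report, serial timestamps included.
SAMPLE_OOPS = """\
2012-06-21 18:03:49: BUG: unable to handle kernel NULL pointer dereference at 0000000000000035
2012-06-21 18:03:49: IP: [<ffffffffa011e6ab>] setup_rw_floppy+0x6b/0x380 [floppy]
2012-06-21 18:03:49: RAX: 0000000000000000 RBX: 00000000000000d9 RCX: 0000000000000000
2012-06-21 18:03:49: Call Trace:
2012-06-21 18:03:49:  <IRQ>
2012-06-21 18:03:49:  [<ffffffff8107e897>] run_timer_softirq+0x197/0x340
2012-06-21 18:03:49:  [<ffffffff8102b40d>] ? lapic_next_event+0x1d/0x30
2012-06-21 18:03:49: Code: 48 8b 05 d5 6e 00 00 <0f> b6 50 35 44 39 f2 7f dc
"""

def parse_oops(text):
    info, in_trace = {"regs": {}, "trace": []}, False
    for raw in text.splitlines():
        line = SERIAL_PREFIX.sub("", raw).strip()
        if m := re.match(r"BUG: unable to handle kernel .* at ([0-9a-f]+)$", line):
            info["fault_addr"] = int(m.group(1), 16)
        elif m := re.match(r"IP: \[<[0-9a-f]+>\] (\w+)\+0x([0-9a-f]+)/0x([0-9a-f]+)(?: \[(\w+)\])?", line):
            info.update(symbol=m.group(1), offset=int(m.group(2), 16),
                        size=int(m.group(3), 16), module=m.group(4))
        elif m := re.search(r"^Code:.*<([0-9a-f]{2})>((?: [0-9a-f]{2})*)", line):
            # everything from the <xx> marker on is the faulting instruction and what follows it
            info["faulting_bytes"] = bytes.fromhex(m.group(1) + m.group(2).replace(" ", ""))
        elif line == "Call Trace:":
            in_trace = True
        elif in_trace and (m := re.match(r"\[<[0-9a-f]+>\] (\? )?(\S+)", line)):
            info["trace"].append((m.group(2), m.group(1) is not None))  # (frame, is_guess)
        else:
            for reg, val in re.findall(r"\b(R\w\w): ([0-9a-f]{16})\b", line):
                info["regs"][reg] = int(val, 16)
    return info

def classify(info):
    """Tiny fault address => NULL struct pointer dereferenced at a field offset; zero-valued
    registers are candidate bases (here RAX: the marked bytes 0f b6 50 35 decode to movzbl 0x35(%rax),%edx)."""
    addr = info["fault_addr"]
    if addr >= PAGE_SIZE:
        return f"fault at 0x{addr:x} in {info['symbol']}: not a NULL-based access"
    zero = ",".join(sorted(r for r, v in info["regs"].items() if v == 0))
    return f"NULL pointer + field offset 0x{addr:x} in {info['symbol']}; zero base registers: {zero}"
```

Running `classify(parse_oops(SAMPLE_OOPS))` names setup_rw_floppy with offset 0x35 and RAX among the zero registers, which is the same conclusion both traces in this bug support.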

Comment 12 Ademar Reis 2015-07-03 19:44:18 UTC
(In reply to Joy Pu from comment #11)
> Now it is hard to reproduce. It reproduced once out of 600 test
> runs.
> 

Given this is such an old bug, on a corner case of a non-critical feature and so hard to reproduce, I'm closing it as WONTFIX.