Bug 847549

Summary: Addng a zero-length virtio-scsi disk causes: qemu-kvm: hw/scsi-bus.c:1568: scsi_req_complete: Assertion `req->status == -1' failed.
Product: [Fedora] Fedora Reporter: Richard W.M. Jones <rjones>
Component: qemuAssignee: Paolo Bonzini <pbonzini>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 18CC: amit.shah, berrange, cfergeau, crobinso, dwmw2, itamar, knoel, pbonzini, rjones, scottt.tw, virt-maint
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 857125 887881 (view as bug list) Environment:
Last Closed: 2013-02-27 14:34:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 857125, 887881    

Description Richard W.M. Jones 2012-08-12 21:58:37 UTC
Description of problem:

Running libguestfs-test-tool fails (qemu segfaults).

22:54:40:119689634 E: [00533ms] /usr/bin/qemu-kvm     -global virtio-blk-pci.scsi=off     -nodefconfig     -nodefaults     -nographic     -device virtio-scsi-pci,id=scsi     -drive file=/dev/null,id=hd0,if=none     -device scsi-hd,drive=hd0     -drive file=/var/tmp/.guestfs-1000/root.3874,snapshot=on,id=appliance,if=none,cache=unsafe     -device scsi-hd,drive=appliance     -machine accel=kvm:tcg     -m 500     -no-reboot     -no-hpet     -device virtio-serial     -serial stdio     -device sga     -chardev socket,path=/tmp/libguestfsO1CQMz/guestfsd.sock,id=channel0     -device virtserialport,chardev=channel0,name=org.libguestfs.channel.0     -kernel /var/tmp/.guestfs-1000/kernel.3874     -initrd /var/tmp/.guestfs-1000/initrd.3874     -append 'panic=1 console=ttyS0 udevtimeout=600 no_timer_check acpi=off printk.time=1 cgroup_disable=memory root=/dev/sdb selinux=0 guestfs_verbose=1 TERM=xterm 'x1b[1;256rx1b[256;256Hx1b[6n
22:54:40:124193628 E: Google, Inc.
22:54:40:129550570 E: Serial Graphics Adapter 07/22/12
22:54:40:136794246 E: SGABIOS $Id: sgabios.S 8 2010-04-22 00:03:40Z nlaredo $ (mockbuild@) Sun Jul 22 03:47:50 UTC 2012
22:54:40:144736551 E: Term: 80x24
22:54:40:150752394 E: 4 0
SeaBIOS (version 1.7.0-20120722_040125-)
22:54:40:158402412 E: 
22:54:40:162644877 E: qemu-kvm: hw/scsi-bus.c:1568: scsi_req_complete: Assertion `req->status == -1' failed.
22:54:41:555131890 E: libguestfs: child_cleanup: 0x1a49c20: child process died
22:54:41:558603265 E: libguestfs: sending SIGTERM to process 3906
22:54:41:601319497 E: libguestfs: error: qemu terminated by signal 6 (Aborted)
22:54:41:604828447 E: libguestfs: error: guestfs_launch failed, see earlier error messages
22:54:41:608403009 E: libguestfs: closing guestfs handle 0x1a49c20 (state 0)
22:54:41:618166509 I: Finished with exitcode 1

Version-Release number of selected component (if applicable):

The immediate cause of this was when I updated sgabios to:
sgabios-0-0.20110623SVN.fc18.x86_64

The f17 sgabios worked OK.

How reproducible:

100%

Steps to Reproduce:
1. Run: libguestfs-test-tool

Comment 1 Richard W.M. Jones 2012-08-12 21:59:32 UTC
CC Paolo, since it seems to be connected to virtio-scsi in some way.

Comment 2 Richard W.M. Jones 2012-08-12 22:21:33 UTC
OK, more subtle than I suspected.

The problem is that I'm adding /dev/null as a virtio-scsi
drive (for testing purposes).  If I add a regular file instead,
it hits bug 847548 instead.

sgabios-0-1.1.20110622svn.fc19.x86_64
qemu-1.2-0.1.20120806git3e430569.fc18.x86_64
kernel-3.6.0-0.rc1.git3.2.bz844485.2.fc19.x86_64

$ guestfish -a /dev/null run -v
libguestfs: [00000ms] febootstrap-supermin-helper --verbose -f checksum '/usr/lib64/guestfs/supermin.d' x86_64
supermin helper [00000ms] whitelist = (not specified), host_cpu = x86_64, kernel = (null), initrd = (null), appliance = (null)
supermin helper [00000ms] inputs[0] = /usr/lib64/guestfs/supermin.d
checking modpath /lib/modules/3.4.0-1.fc17.x86_64.debug is a directory
checking modpath /lib/modules/3.3.4-5.fc17.x86_64.debug is a directory
checking modpath /lib/modules/3.6.0-0.rc0.git6.1.fc18.x86_64 is a directory
picked vmlinuz-3.6.0-0.rc0.git6.1.fc18.x86_64 because modpath /lib/modules/3.6.0-0.rc0.git6.1.fc18.x86_64 exists
checking modpath /lib/modules/3.6.0-0.rc1.git3.2.bz844485.2.fc19.x86_64 is a directory
picked vmlinuz-3.6.0-0.rc1.git3.2.bz844485.2.fc19.x86_64 because modpath /lib/modules/3.6.0-0.rc1.git3.2.bz844485.2.fc19.x86_64 exists
checking modpath /lib/modules/3.3.7-2.fc17.x86_64.debug is a directory
supermin helper [00003ms] finished creating kernel
supermin helper [00003ms] visiting /usr/lib64/guestfs/supermin.d
supermin helper [00003ms] visiting /usr/lib64/guestfs/supermin.d/base.img
supermin helper [00003ms] visiting /usr/lib64/guestfs/supermin.d/daemon.img
supermin helper [00003ms] visiting /usr/lib64/guestfs/supermin.d/hostfiles
supermin helper [00101ms] visiting /usr/lib64/guestfs/supermin.d/init.img
supermin helper [00101ms] adding kernel modules
supermin helper [00297ms] finished creating appliance
libguestfs: [00317ms] begin testing qemu features
libguestfs: [00512ms] finished testing qemu features
libguestfs: accept_from_daemon: 0x1c89c20 g->state = 1
[00519ms] /usr/bin/qemu-kvm \
    -global virtio-blk-pci.scsi=off \
    -nodefconfig \
    -nodefaults \
    -nographic \
    -device virtio-scsi-pci,id=scsi \
    -drive file=/dev/null,id=hd0,if=none \
    -device scsi-hd,drive=hd0 \
    -drive file=/var/tmp/.guestfs-1000/root.1781,snapshot=on,id=appliance,if=none,cache=unsafe \
    -device scsi-hd,drive=appliance \
    -machine accel=kvm:tcg \
    -m 500 \
    -no-reboot \
    -no-hpet \
    -device virtio-serial \
    -serial stdio \
    -device sga \
    -chardev socket,path=/tmp/libguestfs15kgwV/guestfsd.sock,id=channel0 \
    -device virtserialport,chardev=channel0,name=org.libguestfs.channel.0 \
    -kernel /var/tmp/.guestfs-1000/kernel.1781 \
    -initrd /var/tmp/.guestfs-1000/initrd.1781 \
    -append 'panic=1 console=ttyS0 udevtimeout=600 no_timer_check acpi=off printk.time=1 cgroup_disable=memory root=/dev/sdb selinux=0 guestfs_verbose=1 TERM=xterm '\x1b[1;256r\x1b[256;256H\x1b[6n
Google, Inc.
Serial Graphics Adapter 08/12/12
SGABIOS $Id: sgabios.S 8 2010-04-22 00:03:40Z nlaredo $ (rjones.annexia.org) Sun Aug 12 22:14:04 UTC 2012
Term: 80x24
4 0
SeaBIOS (version 1.7.0-20120722_040125-)

qemu-kvm: hw/scsi-bus.c:1568: scsi_req_complete: Assertion `req->status == -1' failed.
libguestfs: child_cleanup: 0x1c89c20: child process died
libguestfs: sending SIGTERM to process 1792
libguestfs: error: qemu terminated by signal 6 (Aborted)
libguestfs: error: guestfs_launch failed, see earlier error messages
libguestfs: closing guestfs handle 0x1c89c20 (state 0)

Comment 3 Richard W.M. Jones 2012-08-12 22:23:24 UTC
A zero-length regular file also hits this bug:

rm /tmp/test.img
touch /tmp/test.img
guestfish -a /tmp/test.img run -v

Comment 4 Richard W.M. Jones 2012-08-14 07:22:37 UTC
This is with qemu 1.2-0.1.20120806git3e430569.fc18.x86_64
from Fedora 18.

MALLOC_PERTURB_ is set, which may explain the unusual req pointer.

Program terminated with signal 11, Segmentation fault.
#0  scsi_req_continue (req=0x2d2d2d2d2d2d2d2d) at hw/scsi-bus.c:1497
(gdb) bt
#0  scsi_req_continue (req=0x2d2d2d2d2d2d2d2d) at hw/scsi-bus.c:1497
#1  0x00007f394aaefd72 in virtio_scsi_handle_cmd (vdev=0x7f394c60d590, vq=
    0x7f394c874460) at /usr/src/debug/qemu-kvm-1.2/hw/virtio-scsi.c:516
#2  0x00007f394aafa9c3 in memory_region_iorange_write (
    iorange=<optimized out>, offset=16, width=2, data=<optimized out>)
    at /usr/src/debug/qemu-kvm-1.2/memory.c:427
#3  0x00007f394aaf72e6 in kvm_handle_io (count=1, size=2, direction=1, 
    data=<optimized out>, port=49168)
    at /usr/src/debug/qemu-kvm-1.2/kvm-all.c:1382
#4  kvm_cpu_exec (env=env@entry=0x7f394c5d8e20)
    at /usr/src/debug/qemu-kvm-1.2/kvm-all.c:1527
#5  0x00007f394aaa3fe1 in qemu_kvm_cpu_thread_fn (arg=0x7f394c5d8e20)
    at /usr/src/debug/qemu-kvm-1.2/cpus.c:756
#6  0x00007f3948b2ed15 in start_thread () from /lib64/libpthread.so.0
#7  0x00007f39451bf96d in clone () from /lib64/libc.so.6

Comment 5 Richard W.M. Jones 2012-08-15 15:12:35 UTC
I've added a workaround to libguestfs, which is that we silently
replace /dev/null in our tests with a 4K temporary file.

However this is still a bug in qemu ...

Comment 6 Paolo Bonzini 2012-09-11 10:49:36 UTC
I think it's fixed upstream, will test shortly.

Comment 7 Cole Robinson 2012-12-14 23:23:14 UTC
I can reproduce with qemu.git (and F18 qemu-kvm FWIW):

$ cat test.sh 

rm test.img
touch test.img
./x86_64-softmmu/qemu-system-x86_64 \
    -global virtio-blk-pci.scsi=off \
    -nodefconfig \
    -nodefaults \
    -nographic \
    -device virtio-scsi-pci,id=scsi \
    -drive file=`pwd`/test.img,id=hd0,if=none \
    -device scsi-hd,drive=hd0 \
    -machine accel=kvm:tcg \
    -m 500 \
    -no-reboot \
    -no-hpet \
    -device virtio-serial \
    -serial stdio \
    -device sga \

#0  0x00007f1af1cc7aee in scsi_req_continue (req=0x7f1ad8000b10)
    at hw/scsi-bus.c:1515
#1  0x00007f1af1dd7c02 in virtio_scsi_handle_cmd (vdev=0x7f1af2bab520, vq=
    0x7f1af2bbe230) at /home/crobinso/src/qemu/hw/virtio-scsi.c:519
#2  0x00007f1af1de1d32 in access_with_adjusted_size (addr=addr@entry=16, 
    value=value@entry=0x7f1ae6fa5af8, size=2, access_size_min=<optimized out>, 
    access_size_max=<optimized out>, access=access@entry=
    0x7f1af1de2350 <memory_region_write_accessor>, opaque=opaque@entry=
    0x7f1af2bbafc0) at /home/crobinso/src/qemu/memory.c:364
#3  0x00007f1af1de33a7 in memory_region_iorange_write (
    iorange=<optimized out>, offset=16, width=2, data=2)
    at /home/crobinso/src/qemu/memory.c:439
#4  0x00007f1af1de01d6 in kvm_handle_io (count=1, size=2, direction=1, 
    data=<optimized out>, port=49168) at /home/crobinso/src/qemu/kvm-all.c:1426
#5  kvm_cpu_exec (env=env@entry=0x7f1af2b3a8f0)
    at /home/crobinso/src/qemu/kvm-all.c:1571
#6  0x00007f1af1d86c41 in qemu_kvm_cpu_thread_fn (arg=0x7f1af2b3a8f0)
    at /home/crobinso/src/qemu/cpus.c:757
#7  0x00007f1aefda7d15 in start_thread () from /lib64/libpthread.so.0
#8  0x00007f1aebff246d in clone () from /lib64/libc.so.6


Paolo, any thoughts?

Comment 10 Fedora Update System 2013-02-02 22:33:18 UTC
qemu-1.2.2-6.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/qemu-1.2.2-6.fc18

Comment 11 Fedora Update System 2013-02-12 04:58:12 UTC
qemu-1.2.2-6.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.