Bug 847549 - Adding a zero-length virtio-scsi disk causes: qemu-kvm: hw/scsi-bus.c:1568: scsi_req_complete: Assertion `req->status == -1' failed.
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: qemu
Version: 18
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Paolo Bonzini
QA Contact: Fedora Extras Quality Assurance
Blocks: 857125 887881
Reported: 2012-08-12 17:58 EDT by Richard W.M. Jones
Modified: 2013-02-27 09:34 EST
CC: 11 users
Doc Type: Bug Fix
Clones: 857125 887881
Last Closed: 2013-02-27 09:34:43 EST
Type: Bug
Attachments: None

Description Richard W.M. Jones 2012-08-12 17:58:37 EDT
Description of problem:

Running libguestfs-test-tool fails (qemu segfaults).

22:54:40:119689634 E: [00533ms] /usr/bin/qemu-kvm     -global virtio-blk-pci.scsi=off     -nodefconfig     -nodefaults     -nographic     -device virtio-scsi-pci,id=scsi     -drive file=/dev/null,id=hd0,if=none     -device scsi-hd,drive=hd0     -drive file=/var/tmp/.guestfs-1000/root.3874,snapshot=on,id=appliance,if=none,cache=unsafe     -device scsi-hd,drive=appliance     -machine accel=kvm:tcg     -m 500     -no-reboot     -no-hpet     -device virtio-serial     -serial stdio     -device sga     -chardev socket,path=/tmp/libguestfsO1CQMz/guestfsd.sock,id=channel0     -device virtserialport,chardev=channel0,name=org.libguestfs.channel.0     -kernel /var/tmp/.guestfs-1000/kernel.3874     -initrd /var/tmp/.guestfs-1000/initrd.3874     -append 'panic=1 console=ttyS0 udevtimeout=600 no_timer_check acpi=off printk.time=1 cgroup_disable=memory root=/dev/sdb selinux=0 guestfs_verbose=1 TERM=xterm '\x1b[1;256r\x1b[256;256H\x1b[6n
22:54:40:124193628 E: Google, Inc.
22:54:40:129550570 E: Serial Graphics Adapter 07/22/12
22:54:40:136794246 E: SGABIOS $Id: sgabios.S 8 2010-04-22 00:03:40Z nlaredo $ (mockbuild@) Sun Jul 22 03:47:50 UTC 2012
22:54:40:144736551 E: Term: 80x24
22:54:40:150752394 E: 4 0
SeaBIOS (version 1.7.0-20120722_040125-)
22:54:40:158402412 E: 
22:54:40:162644877 E: qemu-kvm: hw/scsi-bus.c:1568: scsi_req_complete: Assertion `req->status == -1' failed.
22:54:41:555131890 E: libguestfs: child_cleanup: 0x1a49c20: child process died
22:54:41:558603265 E: libguestfs: sending SIGTERM to process 3906
22:54:41:601319497 E: libguestfs: error: qemu terminated by signal 6 (Aborted)
22:54:41:604828447 E: libguestfs: error: guestfs_launch failed, see earlier error messages
22:54:41:608403009 E: libguestfs: closing guestfs handle 0x1a49c20 (state 0)
22:54:41:618166509 I: Finished with exitcode 1

Version-Release number of selected component (if applicable):

The immediate cause of this was when I updated sgabios to:
sgabios-0-0.20110623SVN.fc18.x86_64

The f17 sgabios worked OK.

How reproducible:

100%

Steps to Reproduce:
1. Run: libguestfs-test-tool
Comment 1 Richard W.M. Jones 2012-08-12 17:59:32 EDT
CC Paolo, since it seems to be connected to virtio-scsi in some way.
Comment 2 Richard W.M. Jones 2012-08-12 18:21:33 EDT
OK, more subtle than I suspected.

The problem is that I'm adding /dev/null as a virtio-scsi
drive (for testing purposes).  If I add a regular file instead,
it hits bug 847548 instead.

sgabios-0-1.1.20110622svn.fc19.x86_64
qemu-1.2-0.1.20120806git3e430569.fc18.x86_64
kernel-3.6.0-0.rc1.git3.2.bz844485.2.fc19.x86_64

$ guestfish -a /dev/null run -v
libguestfs: [00000ms] febootstrap-supermin-helper --verbose -f checksum '/usr/lib64/guestfs/supermin.d' x86_64
supermin helper [00000ms] whitelist = (not specified), host_cpu = x86_64, kernel = (null), initrd = (null), appliance = (null)
supermin helper [00000ms] inputs[0] = /usr/lib64/guestfs/supermin.d
checking modpath /lib/modules/3.4.0-1.fc17.x86_64.debug is a directory
checking modpath /lib/modules/3.3.4-5.fc17.x86_64.debug is a directory
checking modpath /lib/modules/3.6.0-0.rc0.git6.1.fc18.x86_64 is a directory
picked vmlinuz-3.6.0-0.rc0.git6.1.fc18.x86_64 because modpath /lib/modules/3.6.0-0.rc0.git6.1.fc18.x86_64 exists
checking modpath /lib/modules/3.6.0-0.rc1.git3.2.bz844485.2.fc19.x86_64 is a directory
picked vmlinuz-3.6.0-0.rc1.git3.2.bz844485.2.fc19.x86_64 because modpath /lib/modules/3.6.0-0.rc1.git3.2.bz844485.2.fc19.x86_64 exists
checking modpath /lib/modules/3.3.7-2.fc17.x86_64.debug is a directory
supermin helper [00003ms] finished creating kernel
supermin helper [00003ms] visiting /usr/lib64/guestfs/supermin.d
supermin helper [00003ms] visiting /usr/lib64/guestfs/supermin.d/base.img
supermin helper [00003ms] visiting /usr/lib64/guestfs/supermin.d/daemon.img
supermin helper [00003ms] visiting /usr/lib64/guestfs/supermin.d/hostfiles
supermin helper [00101ms] visiting /usr/lib64/guestfs/supermin.d/init.img
supermin helper [00101ms] adding kernel modules
supermin helper [00297ms] finished creating appliance
libguestfs: [00317ms] begin testing qemu features
libguestfs: [00512ms] finished testing qemu features
libguestfs: accept_from_daemon: 0x1c89c20 g->state = 1
[00519ms] /usr/bin/qemu-kvm \
    -global virtio-blk-pci.scsi=off \
    -nodefconfig \
    -nodefaults \
    -nographic \
    -device virtio-scsi-pci,id=scsi \
    -drive file=/dev/null,id=hd0,if=none \
    -device scsi-hd,drive=hd0 \
    -drive file=/var/tmp/.guestfs-1000/root.1781,snapshot=on,id=appliance,if=none,cache=unsafe \
    -device scsi-hd,drive=appliance \
    -machine accel=kvm:tcg \
    -m 500 \
    -no-reboot \
    -no-hpet \
    -device virtio-serial \
    -serial stdio \
    -device sga \
    -chardev socket,path=/tmp/libguestfs15kgwV/guestfsd.sock,id=channel0 \
    -device virtserialport,chardev=channel0,name=org.libguestfs.channel.0 \
    -kernel /var/tmp/.guestfs-1000/kernel.1781 \
    -initrd /var/tmp/.guestfs-1000/initrd.1781 \
    -append 'panic=1 console=ttyS0 udevtimeout=600 no_timer_check acpi=off printk.time=1 cgroup_disable=memory root=/dev/sdb selinux=0 guestfs_verbose=1 TERM=xterm '\x1b[1;256r\x1b[256;256H\x1b[6n
Google, Inc.
Serial Graphics Adapter 08/12/12
SGABIOS $Id: sgabios.S 8 2010-04-22 00:03:40Z nlaredo $ (rjones@trick.home.annexia.org) Sun Aug 12 22:14:04 UTC 2012
Term: 80x24
4 0
SeaBIOS (version 1.7.0-20120722_040125-)

qemu-kvm: hw/scsi-bus.c:1568: scsi_req_complete: Assertion `req->status == -1' failed.
libguestfs: child_cleanup: 0x1c89c20: child process died
libguestfs: sending SIGTERM to process 1792
libguestfs: error: qemu terminated by signal 6 (Aborted)
libguestfs: error: guestfs_launch failed, see earlier error messages
libguestfs: closing guestfs handle 0x1c89c20 (state 0)
Comment 3 Richard W.M. Jones 2012-08-12 18:23:24 EDT
A zero-length regular file also hits this bug:

rm /tmp/test.img
touch /tmp/test.img
guestfish -a /tmp/test.img run -v
Comment 4 Richard W.M. Jones 2012-08-14 03:22:37 EDT
This is with qemu 1.2-0.1.20120806git3e430569.fc18.x86_64
from Fedora 18.

MALLOC_PERTURB_ is set, which may explain the unusual req pointer.

Program terminated with signal 11, Segmentation fault.
#0  scsi_req_continue (req=0x2d2d2d2d2d2d2d2d) at hw/scsi-bus.c:1497
(gdb) bt
#0  scsi_req_continue (req=0x2d2d2d2d2d2d2d2d) at hw/scsi-bus.c:1497
#1  0x00007f394aaefd72 in virtio_scsi_handle_cmd (vdev=0x7f394c60d590, vq=
    0x7f394c874460) at /usr/src/debug/qemu-kvm-1.2/hw/virtio-scsi.c:516
#2  0x00007f394aafa9c3 in memory_region_iorange_write (
    iorange=<optimized out>, offset=16, width=2, data=<optimized out>)
    at /usr/src/debug/qemu-kvm-1.2/memory.c:427
#3  0x00007f394aaf72e6 in kvm_handle_io (count=1, size=2, direction=1, 
    data=<optimized out>, port=49168)
    at /usr/src/debug/qemu-kvm-1.2/kvm-all.c:1382
#4  kvm_cpu_exec (env=env@entry=0x7f394c5d8e20)
    at /usr/src/debug/qemu-kvm-1.2/kvm-all.c:1527
#5  0x00007f394aaa3fe1 in qemu_kvm_cpu_thread_fn (arg=0x7f394c5d8e20)
    at /usr/src/debug/qemu-kvm-1.2/cpus.c:756
#6  0x00007f3948b2ed15 in start_thread () from /lib64/libpthread.so.0
#7  0x00007f39451bf96d in clone () from /lib64/libc.so.6
Comment 5 Richard W.M. Jones 2012-08-15 11:12:35 EDT
I've added a workaround to libguestfs, which is that we silently
replace /dev/null in our tests with a 4K temporary file.

However this is still a bug in qemu ...
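The workaround described in comment 5 (swap a zero-length input for a small temporary file before qemu ever sees it), written out as a reusable pre-launch guard for a script that wraps qemu. This is an added example, not libguestfs or qemu code. The function names, the 4 KiB placeholder size and the use of blockdev(8) to size block devices are assumptions made here; the point is that anything that can reach `-drive file=` as a zero-length regular file, a character device such as /dev/null, or a missing path gets replaced, so the guest never issues SCSI commands against a zero-length disk.

```shell
#!/bin/sh
# Added example (not libguestfs or qemu code): refuse to hand qemu a
# zero-length disk image, mirroring the libguestfs workaround of
# substituting a 4K temporary file. Names below are illustrative.

# Print the size in bytes of a regular file or block device.
# Anything else (character device like /dev/null, directory, missing
# path) reports 0 so the caller treats it as unusable.
drive_size_bytes() {
    path=$1
    if [ -b "$path" ]; then
        # Block device: ask the kernel. blockdev may need root or be
        # absent; either way fall back to 0 rather than guessing.
        blockdev --getsize64 "$path" 2>/dev/null || echo 0
    elif [ -f "$path" ]; then
        wc -c < "$path" | tr -d ' '
    else
        echo 0
    fi
}

# Print a path that is safe to use with -drive file=...: the original
# path if it has a nonzero size, otherwise a fresh 4 KiB zero-filled
# temporary image. The caller owns (and should delete) the temp file.
safe_drive_file() {
    path=$1
    size=$(drive_size_bytes "$path")
    if [ "$size" -gt 0 ]; then
        printf '%s\n' "$path"
    else
        tmp=$(mktemp "${TMPDIR:-/tmp}/zero-disk.XXXXXX")
        # 4 KiB of zeros = eight 512-byte sectors, the same size the
        # libguestfs workaround uses in place of /dev/null.
        dd if=/dev/zero of="$tmp" bs=4096 count=1 2>/dev/null
        printf '%s\n' "$tmp"
    fi
}

# Usage (assumed wrapper; the qemu options are the ones from this bug):
#   hd0=$(safe_drive_file /dev/null)
#   qemu-system-x86_64 -nodefaults -nographic \
#       -device virtio-scsi-pci,id=scsi \
#       -drive file="$hd0",id=hd0,if=none -device scsi-hd,drive=hd0 ...
#   rm -f "$hd0"   # only if it was a substituted temp file
```

Sizing by content rather than by path matters here: the original report tripped the assertion with /dev/null, and comment 3 shows an empty regular file does the same, so a check that only special-cases /dev/null would still let the crash through.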
Comment 6 Paolo Bonzini 2012-09-11 06:49:36 EDT
I think it's fixed upstream, will test shortly.
Comment 7 Cole Robinson 2012-12-14 18:23:14 EST
I can reproduce with qemu.git (and F18 qemu-kvm FWIW):

$ cat test.sh 

rm test.img
touch test.img
./x86_64-softmmu/qemu-system-x86_64 \
    -global virtio-blk-pci.scsi=off \
    -nodefconfig \
    -nodefaults \
    -nographic \
    -device virtio-scsi-pci,id=scsi \
    -drive file=`pwd`/test.img,id=hd0,if=none \
    -device scsi-hd,drive=hd0 \
    -machine accel=kvm:tcg \
    -m 500 \
    -no-reboot \
    -no-hpet \
    -device virtio-serial \
    -serial stdio \
    -device sga

#0  0x00007f1af1cc7aee in scsi_req_continue (req=0x7f1ad8000b10)
    at hw/scsi-bus.c:1515
#1  0x00007f1af1dd7c02 in virtio_scsi_handle_cmd (vdev=0x7f1af2bab520, vq=
    0x7f1af2bbe230) at /home/crobinso/src/qemu/hw/virtio-scsi.c:519
#2  0x00007f1af1de1d32 in access_with_adjusted_size (addr=addr@entry=16, 
    value=value@entry=0x7f1ae6fa5af8, size=2, access_size_min=<optimized out>, 
    access_size_max=<optimized out>, access=access@entry=
    0x7f1af1de2350 <memory_region_write_accessor>, opaque=opaque@entry=
    0x7f1af2bbafc0) at /home/crobinso/src/qemu/memory.c:364
#3  0x00007f1af1de33a7 in memory_region_iorange_write (
    iorange=<optimized out>, offset=16, width=2, data=2)
    at /home/crobinso/src/qemu/memory.c:439
#4  0x00007f1af1de01d6 in kvm_handle_io (count=1, size=2, direction=1, 
    data=<optimized out>, port=49168) at /home/crobinso/src/qemu/kvm-all.c:1426
#5  kvm_cpu_exec (env=env@entry=0x7f1af2b3a8f0)
    at /home/crobinso/src/qemu/kvm-all.c:1571
#6  0x00007f1af1d86c41 in qemu_kvm_cpu_thread_fn (arg=0x7f1af2b3a8f0)
    at /home/crobinso/src/qemu/cpus.c:757
#7  0x00007f1aefda7d15 in start_thread () from /lib64/libpthread.so.0
#8  0x00007f1aebff246d in clone () from /lib64/libc.so.6


Paolo, any thoughts?
Comment 10 Fedora Update System 2013-02-02 17:33:18 EST
qemu-1.2.2-6.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/qemu-1.2.2-6.fc18
Comment 11 Fedora Update System 2013-02-11 23:58:12 EST
qemu-1.2.2-6.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
