qemu segfaults in virtio-scsi driver if underlying device returns -EIO
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
QEMU | Fix Released | Undecided | Unassigned | 
Bug Description
Reported downstream in Fedora: https:/
Using qemu from git and reasonably recent nbdkit, this command injects -EIO
errors into the block device which virtio-scsi is reading from:
$ nbdkit --filter=error memory size=64M error-rate=100% \
--run 'x86_64-
nbdkit: memory[1]: error: injecting EIO error into pread
nbdkit: memory[1]: error: injecting EIO error into pread
qemu-system-x86_64: hw/scsi/
The stack trace is:
Thread 5 (Thread 0x7f33e1f8b700 (LWP 10474)):
#0 0x00007f33fe0bf371 in __GI___poll (fds=0x559b0719
at ../sysdeps/
#1 0x00007f34061df5e6 in () at /lib64/
#2 0x00007f34061df710 in g_main_
at /lib64/
#3 0x00007f34061df761 in () at /lib64/
#4 0x00007f34062086ea in () at /lib64/
#5 0x00007f33fe19b58e in start_thread (arg=<optimized out>)
at pthread_
#6 0x00007f33fe0ca593 in clone ()
at ../sysdeps/
Thread 4 (Thread 0x7f33e3fff700 (LWP 10473)):
#0 0x00007f33fe1a4a8d in __lll_lock_wait ()
at ../sysdeps/
#1 0x00007f33fe19ddf8 in __GI___
#2 0x0000559b04f6b103 in qemu_mutex_
at util/qemu-
#3 0x0000559b04b722ee in qemu_mutex_
at /home/rjones/
#4 0x0000559b04b31859 in prepare_mmio_access (mr=<optimized out>, mr=<optimized out>) at /home/rjones/
#5 0x0000559b04b381d4 in address_space_ldub (as=<optimized out>, addr=<optimized out>, attrs=..., result=
at /home/rjones/
#6 0x0000559b04c61cd0 in helper_inb (env=<optimized out>, port=<optimized out>) at /home/rjones/
#7 0x00007f33e889dc3e in code_gen_buffer ()
#8 0x0000559b04bb3b87 in cpu_tb_exec (itb=<optimized out>, cpu=0x7f33e8876100 <code_gen_
#9 0x0000559b04bb3b87 in cpu_loop_exec_tb (tb_exit=<synthetic pointer>, last_tb=<synthetic pointer>, tb=<optimized out>, cpu=0x7f33e8876100 <code_gen_
#10 0x0000559b04bb3b87 in cpu_exec (cpu=cpu@
at /home/rjones/
#11 0x0000559b04b7088f in tcg_cpu_exec (cpu=0x559b05db
at /home/rjones/
#12 0x0000559b04b72c03 in qemu_tcg_
at /home/rjones/
#13 0x0000559b04b72c03 in qemu_tcg_
at /home/rjones/
#14 0x0000559b04f6afba in qemu_thread_start (args=<optimized out>)
at util/qemu-
#15 0x00007f33fe19b58e in start_thread (arg=<optimized out>)
at pthread_
#16 0x00007f33fe0ca593 in clone ()
at ../sysdeps/
Thread 3 (Thread 0x7f33e178a700 (LWP 10475)):
#0 0x00007f33fe0bf371 in __GI___poll (fds=0x559b071a
at ../sysdeps/
#1 0x00007f34061df5e6 in () at /lib64/
#2 0x00007f34061df9a2 in g_main_loop_run () at /lib64/
#3 0x00007f34032ca90a in () at /lib64/
#4 0x00007f34062086ea in () at /lib64/
#5 0x00007f33fe19b58e in start_thread (arg=<optimized out>)
at pthread_
#6 0x00007f33fe0ca593 in clone ()
at ../sysdeps/
Thread 2 (Thread 0x7f33eb050700 (LWP 10471)):
#0 0x00007f33fe1a5400 in __GI___nanosleep (requested_
#1 0x00007f3406209e17 in g_usleep () at /lib64/
#2 0x0000559b04f7cb80 in call_rcu_thread (opaque=
at util/rcu.c:253
#3 0x0000559b04f6afba in qemu_thread_start (args=<optimized out>)
at util/qemu-
#4 0x00007f33fe19b58e in start_thread (arg=<optimized out>)
at pthread_
#5 0x00007f33fe0ca593 in clone ()
at ../sysdeps/
Thread 1 (Thread 0x7f33eb9b42c0 (LWP 10470)):
#0 0x00007f33fe00553f in __GI_raise (sig=sig@entry=6)
at ../sysdeps/
#1 0x00007f33fdfef895 in __GI_abort () at abort.c:79
#2 0x00007f33fdfef769 in __assert_fail_base (fmt=0x7f33fe156ea8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=
#3 0x00007f33fdffd9f6 in __GI___assert_fail (assertion=
#4 0x0000559b04da23c0 in scsi_req_complete (req=<optimized out>, status=<optimized out>) at hw/scsi/
#5 0x0000559b04d9cc60 in scsi_dma_
#6 0x0000559b04d9cd0f in scsi_dma_complete (opaque=
at hw/scsi/
#7 0x0000559b04c91607 in dma_complete (ret=-5, dbs=0x559b07808000)
at dma-helpers.c:116
#8 0x0000559b04c91607 in dma_blk_cb (opaque=
at dma-helpers.c:138
#9 0x0000559b04ec411e in blk_aio_complete (acb=0x559b0751
at block/block-
#10 0x0000559b04f7e32b in coroutine_
#11 0x00007f33fe01b200 in __start_context ()
at ../sysdeps/
#12 0x00007ffc0896b040 in ()
#13 0x0000000000000000 in ()
I bisected this to:
40dce4ee61c6839
commit 40dce4ee61c6839
Author: Paolo Bonzini <email address hidden>
Date: Sat Oct 13 11:52:34 2018 +0200
scsi-disk: fix rerror/
rerror=ignore was returning true from scsi_handle_
calling scsi_req_complete when rerror=ignore returns true (this is the correct thing
to do when true is returned after executing a passthrough command). Fix this by
calling it in scsi_handle_
Signed-off-by: Paolo Bonzini <email address hidden>
:040000 040000 311386b9b91d778
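The bisected commit message above describes a return-value contract: the callers of scsi_handle_... must not call scsi_req_complete when it returns true, because the error path has already dealt with the request. The following is an added example, not code from QEMU or from this bug report: a small C model of that contract, showing how a request that has been queued for retry gets completed a second time when the STOP branch reports the wrong value, which is the kind of double completion the assertion in the trace guards against. It covers all three error policies (report, ignore, stop), not only the rerror=stop case hit here. Every name in it (scsi_req_t, handle_rw_error, dma_complete, resume_retried, the STATUS_* constants) is the model's own, not QEMU's, and QEMU's abort is replaced by a counter so the outcome can be inspected.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Error policy, standing in for rerror=report|ignore|stop (model's own names). */
enum rw_error_action { ACTION_REPORT, ACTION_IGNORE, ACTION_STOP };

/* Lifecycle of one request in this model. */
enum req_state { REQ_IN_FLIGHT, REQ_RETRY_QUEUED, REQ_COMPLETED };

typedef struct {
    enum req_state state;
    int status;           /* SCSI status once completed, -1 while in flight */
    int completions;      /* how often req_complete() was invoked */
    int bad_completions;  /* invocations in a state where completing is illegal */
} scsi_req_t;

enum { STATUS_GOOD = 0, STATUS_CHECK_CONDITION = 2 };

static void req_init(scsi_req_t *r)
{
    r->state = REQ_IN_FLIGHT;
    r->status = -1;
    r->completions = 0;
    r->bad_completions = 0;
}

/* Stand-in for scsi_req_complete(): legal exactly once, and only while the
 * request is in flight.  QEMU asserts on violation; this model counts it. */
static void req_complete(scsi_req_t *r, int status)
{
    r->completions++;
    if (r->state != REQ_IN_FLIGHT) {
        r->bad_completions++;     /* the assertion failure in the trace */
        return;
    }
    r->status = status;
    r->state = REQ_COMPLETED;
}

/* Stand-in for scsi_req_retry(): park the request until the VM resumes. */
static void req_retry(scsi_req_t *r)
{
    r->state = REQ_RETRY_QUEUED;
}

/* Stand-in for scsi_handle_rw_error().  Contract: true means the error path
 * now owns the request (completed with an error, or queued for retry) and the
 * caller must not complete it; false means the caller carries on and completes
 * the request as if the I/O had succeeded.  'fixed' selects the STOP-branch
 * return value: false reproduces the regression, true the corrected value. */
static bool handle_rw_error(scsi_req_t *r, enum rw_error_action action, bool fixed)
{
    switch (action) {
    case ACTION_REPORT:
        req_complete(r, STATUS_CHECK_CONDITION);  /* report to the guest */
        return true;
    case ACTION_IGNORE:
        return false;                             /* caller completes as GOOD */
    case ACTION_STOP:
        req_retry(r);                             /* VM stops, resubmit later */
        return fixed;
    }
    return false;
}

/* Stand-in for the DMA completion callback (dma_complete -> scsi_dma_complete
 * in the trace).  'ret' is the block layer result, e.g. -EIO, which is -5. */
static void dma_complete(scsi_req_t *r, int ret, enum rw_error_action action, bool fixed)
{
    if (ret < 0 && handle_rw_error(r, action, fixed)) {
        return;                   /* error path owns the request */
    }
    req_complete(r, STATUS_GOOD);
}

/* Stand-in for resuming the VM: a retried request is resubmitted and, with the
 * backend healthy again, completes normally. */
static void resume_retried(scsi_req_t *r)
{
    if (r->state == REQ_RETRY_QUEUED) {
        r->state = REQ_IN_FLIGHT;
        req_complete(r, STATUS_GOOD);
    }
}

/* Run one request through a single -EIO under the given policy and fill *out.
 * Returns the number of illegal completions; 0 means the lifecycle held. */
int simulate_eio(enum rw_error_action action, bool fixed, scsi_req_t *out)
{
    req_init(out);
    dma_complete(out, -EIO, action, fixed);
    resume_retried(out);
    return out->bad_completions;
}

int main(void)
{
    static const char *names[] = { "report", "ignore", "stop" };
    scsi_req_t r;
    for (int fixed = 0; fixed <= 1; fixed++) {
        for (int a = ACTION_REPORT; a <= ACTION_STOP; a++) {
            int bad = simulate_eio((enum rw_error_action)a, fixed, &r);
            printf("%-5s %-6s completions=%d illegal=%d status=%d\n",
                   fixed ? "fixed" : "buggy", names[a], r.completions, bad, r.status);
        }
    }
    return 0;
}
```

With the regressed STOP branch the request is completed once by the DMA callback while it is queued for retry and once more on resume; with the corrected return value it is completed exactly once, after resume, and the report and ignore policies are unaffected either way.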
Changed in qemu:
status: Fix Committed → Fix Released
Kevin suggested this change, which works for me:
diff --git a/hw/scsi/ scsi-disk. c b/hw/scsi/ scsi-disk. c .0e9027c8f3 100644 scsi-disk. c scsi-disk. c rw_error( SCSIDiskReq *r, int error, bool acct_failed) ACTION_ STOP) {
scsi_ req_retry( &r->req) ;
index 6eb258d3f3.
--- a/hw/scsi/
+++ b/hw/scsi/
@@ -482,7 +482,7 @@ static bool scsi_handle_
if (action == BLOCK_ERROR_
}
- return false;
+ return true;
}
static void scsi_write_ complete_ noio(SCSIDiskRe q *r, int ret)
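Review bot: the `return true` after `scsi_req_retry(&r->req)` in the BLOCK_ERROR_ACTION_STOP branch changes what the result of scsi_handle_rw_error means for the stop case without a comment or commit message recording the contract, and since the bisected commit 40dce4ee61c6839 was itself a fix to that same return value, please add a line above the return (or in the commit message) stating that true means the request has been requeued and the caller must not call scsi_req_complete on it. The change itself matches the evidence on this page: the bisected commit's message says callers do not call scsi_req_complete when true is returned, and the trace shows scsi_dma_complete going on to scsi_req_complete after dma_complete saw ret=-5, which is exactly the path a false return opens.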