Comment 1 for bug 1179104

Michael Tokarev (mjt+launchpad-tls) wrote :

This looks like some TRIM (mis)support in action. It crashes in different places but is repeatable/reproducible (i.e., it crashes with a different error on my system, but the error is always the same on my system). Running it under gdb:

(gdb) ru -m 256 -hda /stage/tmp/mjt/tmp/ppc.img -cdrom /stage/tmp/mjt/tmp/ppc-mini.iso -boot d
...
Program received signal SIGSEGV, Segmentation fault.
pmac_ide_transfer_cb (opaque=0x571321d4, ret=0) at hw/ide/macio.c:117
117 ide_set_irq(s->bus);
(gdb) bt
#0 pmac_ide_transfer_cb (opaque=0x571321d4, ret=0) at hw/ide/macio.c:117
#1 0x565fcd74 in dma_complete (dbs=dbs@entry=0x571a2250, ret=ret@entry=0) at dma-helpers.c:124
#2 0x565fd059 in dma_bdrv_cb (opaque=0x571a2250, ret=0) at dma-helpers.c:152
#3 0x5664fe06 in ide_trim_bh_cb (opaque=0x57282c28) at hw/ide/core.c:360
#4 0x565a15b3 in aio_bh_poll (ctx=ctx@entry=0x570e8918) at async.c:70
#5 0x565a1124 in aio_poll (ctx=ctx@entry=0x570e8918, blocking=blocking@entry=false) at /build/kvm/git/aio-posix.c:185
#6 0x565a1488 in aio_ctx_dispatch (source=0x570e8918, callback=0, user_data=0x0) at async.c:167
#7 0xf7f006d3 in g_main_context_dispatch () from /lib/i386-linux-gnu/libglib-2.0.so.0
#8 0x566cd06b in glib_pollfds_poll () at main-loop.c:187
#9 os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:232
#10 main_loop_wait (nonblocking=1) at /build/kvm/git/main-loop.c:468
#11 0x56597f76 in main_loop () at /build/kvm/git/vl.c:2028
#12 main (argc=9, argv=0xffffd9a4, envp=0xffffd9cc) at /build/kvm/git/vl.c:4418
(gdb) l
112 }
113
114 /* end of transfer ? */
115 if (s->nsector == 0) {
116 s->status = READY_STAT | SEEK_STAT;
117 ide_set_irq(s->bus);
118 }
119
120 /* end of DMA ? */
121 if (io->len == 0) {
(gdb) p *s
$1 = {bus = 0x0, unit = 0 '\000', drive_kind = IDE_HD, cylinders = 0,
  heads = 0, sectors = 0, chs_trans = 0, nb_sectors = 0, mult_sectors = 0,
  identify_set = 0, identify_data = '\000' <repeats 511 times>,
  drive_serial = 0, drive_serial_str = '\000' <repeats 20 times>,
  drive_model_str = '\000' <repeats 40 times>, wwn = 0, feature = 0 '\000',
  error = 0 '\000', nsector = 0, sector = 0 '\000', lcyl = 0 '\000',
  hcyl = 0 '\000', hob_feature = 0 '\000', hob_nsector = 0 '\000',
  hob_sector = 0 '\000', hob_lcyl = 0 '\000', hob_hcyl = 0 '\000',
  select = 0 '\000', status = 80 'P', lba48 = 0 '\000', bs = 0x0,
  version = "\000\000\000\000\000\000\000\000", events = {
    eject_request = false, new_media = false}, sense_key = 0 '\000',
  asc = 0 '\000', tray_open = false, tray_locked = false,
  cdrom_changed = 0 '\000', packet_transfer_size = 0,
  elementary_transfer_size = 0, io_buffer_index = 0, lba = 0,
  cd_sector_size = 0, atapi_dma = 0, acct = {bytes = 0, start_time_ns = 0,
    type = BDRV_ACCT_READ}, pio_aiocb = 0x0, iov = {iov_base = 0x0,
    iov_len = 0}, qiov = {iov = 0x0, niov = 0, nalloc = 0, size = 0},
  io_buffer_offset = 0, io_buffer_size = 0, sg = {sg = 0x0, nsg = 0,
    nalloc = 0, size = 0, dma = 0x0}, req_nb_sectors = 0,
  end_transfer_func = 0, data_ptr = 0x0, data_end = 0x0, io_buffer = 0x0,
  io_buffer_total_len = 0, cur_io_buffer_offset = 0, cur_io_buffer_len = 0,
  end_transfer_fn_idx = 0 '\000', sector_write_timer = 0x0, irq_count = 0,
  ext_error = 0 '\000', mdata_size = 0, mdata_storage = 0x0,
  media_changed = 0, dma_cmd = IDE_DMA_READ, smart_enabled = 0 '\000',
  smart_autosave = 0 '\000', smart_errors = 0,
  smart_selftest_count = 0 '\000', smart_selftest_data = 0x0, ncq_queues = 0}
(gdb)

Note the ide_trim_bh_cb callback in the stack trace.

This happens when mkext2fs is being run in the guest.

So it looks like the TRIM command is busted somehow, referencing an invalid (all-zeros) structure.

Wonder why it happens only - so far - on ppc :)

Thanks,

/mjt