This looks like some TRIM (mis)support in action. It crashes in different places but is repeatable/reproducible (i.e., it crashes with a different error on my system, but the error is always the same on my system). Running it under gdb:
(gdb) ru -m 256 -hda /stage/tmp/mjt/tmp/ppc.img -cdrom /stage/tmp/mjt/tmp/ppc-mini.iso -boot d
...
Program received signal SIGSEGV, Segmentation fault.
pmac_ide_transfer_cb (opaque=0x571321d4, ret=0) at hw/ide/macio.c:117
117	        ide_set_irq(s->bus);
(gdb) bt
#0  pmac_ide_transfer_cb (opaque=0x571321d4, ret=0) at hw/ide/macio.c:117
#1  0x565fcd74 in dma_complete (dbs=dbs@entry=0x571a2250, ret=ret@entry=0) at dma-helpers.c:124
#2  0x565fd059 in dma_bdrv_cb (opaque=0x571a2250, ret=0) at dma-helpers.c:152
#3  0x5664fe06 in ide_trim_bh_cb (opaque=0x57282c28) at hw/ide/core.c:360
#4  0x565a15b3 in aio_bh_poll (ctx=ctx@entry=0x570e8918) at async.c:70
#5  0x565a1124 in aio_poll (ctx=ctx@entry=0x570e8918, blocking=blocking@entry=false) at /build/kvm/git/aio-posix.c:185
#6  0x565a1488 in aio_ctx_dispatch (source=0x570e8918, callback=0, user_data=0x0) at async.c:167
#7  0xf7f006d3 in g_main_context_dispatch () from /lib/i386-linux-gnu/libglib-2.0.so.0
#8  0x566cd06b in glib_pollfds_poll () at main-loop.c:187
#9  os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:232
#10 main_loop_wait (nonblocking=1) at /build/kvm/git/main-loop.c:468
#11 0x56597f76 in main_loop () at /build/kvm/git/vl.c:2028
#12 main (argc=9, argv=0xffffd9a4, envp=0xffffd9cc) at /build/kvm/git/vl.c:4418
(gdb) l
112	    }
113	
114	    /* end of transfer ? */
115	    if (s->nsector == 0) {
116	        s->status = READY_STAT | SEEK_STAT;
117	        ide_set_irq(s->bus);
118	    }
119	
120	    /* end of DMA ? */
121	    if (io->len == 0) {
(gdb) p *s
$1 = {bus = 0x0, unit = 0 '\000', drive_kind = IDE_HD, cylinders = 0, heads = 0,
  sectors = 0, chs_trans = 0, nb_sectors = 0, mult_sectors = 0, identify_set = 0,
  identify_data = '\000' <repeats 511 times>, drive_serial = 0,
  drive_serial_str = '\000' <repeats 20 times>,
  drive_model_str = '\000' <repeats 40 times>, wwn = 0, feature = 0 '\000',
  error = 0 '\000', nsector = 0, sector = 0 '\000', lcyl = 0 '\000',
  hcyl = 0 '\000', hob_feature = 0 '\000', hob_nsector = 0 '\000',
  hob_sector = 0 '\000', hob_lcyl = 0 '\000', hob_hcyl = 0 '\000',
  select = 0 '\000', status = 80 'P', lba48 = 0 '\000', bs = 0x0,
  version = "\000\000\000\000\000\000\000\000",
  events = {eject_request = false, new_media = false}, sense_key = 0 '\000',
  asc = 0 '\000', tray_open = false, tray_locked = false,
  cdrom_changed = 0 '\000', packet_transfer_size = 0,
  elementary_transfer_size = 0, io_buffer_index = 0, lba = 0,
  cd_sector_size = 0, atapi_dma = 0,
  acct = {bytes = 0, start_time_ns = 0, type = BDRV_ACCT_READ},
  pio_aiocb = 0x0, iov = {iov_base = 0x0, iov_len = 0},
  qiov = {iov = 0x0, niov = 0, nalloc = 0, size = 0}, io_buffer_offset = 0,
  io_buffer_size = 0, sg = {sg = 0x0, nsg = 0, nalloc = 0, size = 0, dma = 0x0},
  req_nb_sectors = 0, end_transfer_func = 0, data_ptr = 0x0, data_end = 0x0,
  io_buffer = 0x0, io_buffer_total_len = 0, cur_io_buffer_offset = 0,
  cur_io_buffer_len = 0, end_transfer_fn_idx = 0 '\000',
  sector_write_timer = 0x0, irq_count = 0, ext_error = 0 '\000',
  mdata_size = 0, mdata_storage = 0x0, media_changed = 0,
  dma_cmd = IDE_DMA_READ, smart_enabled = 0 '\000', smart_autosave = 0 '\000',
  smart_errors = 0, smart_selftest_count = 0 '\000', smart_selftest_data = 0x0,
  ncq_queues = 0}
(gdb)

Note the ide_trim_bh_cb callback in the stack trace. This happens when mkext2fs is being run in the guest. So it looks like the TRIM command is busted somehow, referencing an invalid (all-zeros) structure.
Wonder why it happens only - so far - on ppc :)

Thanks,

/mjt

-- 
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1179104

Title:
  client crash during debian ppc installation

Status in QEMU:
  Confirmed
Status in “qemu” package in Debian:
  Unknown

Bug description:
  Host system: Debian Testing/Sid

  $ uname -a
  Linux darkside 3.8-1-amd64 #1 SMP Debian 3.8.11-1 x86_64 GNU/Linux

  With git rev 38ebb396c955ceb2ef7e246248ceb7f8bfe1b774:

  I created a HDD image:
  qemu-img create -f qcow2 powerpc.img 10G

  I fetched this CD image (I think it's 32bit but I'm not familiar with this architecture):
  ftp://ftp.debian.org/debian/dists/wheezy/main/installer-powerpc/current/images/powerpc/netboot/mini.iso

  I booted the ppc netinst iso with
  ppc-softmmu/qemu-system-ppc -m 256 -hda /path/to/ppc/powerpc.img -cdrom /path/to/ppc/mini.iso -boot d

  I started the installation. After specifying the partitioning information the qemu process aborted with the following showing in the terminal:

  *** Error in `./qemu-system-ppc': free(): invalid pointer: 0x00007fcf801aa7f8 ***
  ======= Backtrace: =========
  /lib/x86_64-linux-gnu/libc.so.6(+0x7aac6)[0x7fcf7874aac6]
  /lib/x86_64-linux-gnu/libc.so.6(+0x7b843)[0x7fcf7874b843]
  ./qemu-system-ppc(+0xfc090)[0x7fcf7fafc090]
  ./qemu-system-ppc(+0x15310d)[0x7fcf7fb5310d]
  ./qemu-system-ppc(+0xfc781)[0x7fcf7fafc781]
  ./qemu-system-ppc(+0xfc9fa)[0x7fcf7fafc9fa]
  ./qemu-system-ppc(+0x14e402)[0x7fcf7fb4e402]
  ./qemu-system-ppc(+0xa9f77)[0x7fcf7faa9f77]
  ./qemu-system-ppc(+0xa9af9)[0x7fcf7faa9af9]
  ./qemu-system-ppc(+0xa9e50)[0x7fcf7faa9e50]
  /lib/x86_64-linux-gnu/libglib-2.0.so.0(g_main_context_dispatch+0x135)[0x7fcf7f11a355]
  ./qemu-system-ppc(+0x1c8238)[0x7fcf7fbc8238]
  ./qemu-system-ppc(main+0x10c5)[0x7fcf7fa9fc45]
  /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7fcf786f1a55]
  ./qemu-system-ppc(+0xa963d)[0x7fcf7faa963d]
  Aborted