1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
|
semantic: 0.931
network: 0.925
other: 0.924
device: 0.915
instruction: 0.906
boot: 0.902
graphic: 0.902
vnc: 0.900
assembly: 0.881
KVM: 0.877
mistranslation: 0.867
socket: 0.826
QEMU S/390x sqxbr (128-bit IEEE 754 square root) crashes qemu-system-s390x
In porting software to guest Ubuntu 18.04 and 20.04 VMs for S/390x, I discovered
that some of my own numerical programs, and also a GNU configure script for at
least one package with CC=clang, would cause an instant crash of the VM, sometimes
also destroying recently opened files, and producing long strings of NUL characters
in /var/log/syslog in the S/390 guest O/S.
Further detective work narrowed the cause of the crash down to a single IBM S/390
instruction: sqxbr (128-bit IEEE 754 square root). Here is a one-line program
that when compiled and run on a VM hosted on QEMUcc emulator version 4.2.0
(Debian 1:4.2-3ubuntu6.1) [hosted on Ubuntu 20.04 on a Dell Precision 7920
workstation with an Intel Xeon Platinum 8253 CPU], and also on QEMU emulator
version 5.0.0, reproducibly produces a VM crash under qemu-system-s390x.
% cat bug-sqrtl-one-line.c
int main(void) { volatile long double x, r; x = 4.0L; __asm__ __volatile__("sqxbr %0, %1" : "=f" (r) : "f" (x)); return (0);}
% cc bug-sqrtl-one-line.c && ./a.out
Segmentation fault (core dumped)
The problem code may be the function float128_sqrt() defined in qemu-5.0.0/fpu/softfloat.c
starting at line 7619. I have NOT attempted to run the qemu-system-s390x executable
under a debugger. However, I observe that S/390 is the only CPU family that I know of,
except possibly for a Fujitsu SPARC-64, that has a 128-bit square root in hardware.
Thus, this instruction bug may not have been seen before.
Another way to reproduce this bug is with qemu-s390x and a cross-compiled binary:
$ s390x-linux-gnu-gcc-5 -static -o bug-sqrtl-one-line.s390x bug-sqrtl-one-line.c
$ qemu-s390x bug-sqrtl-one-line.s390x
Segmentation fault (core dumped)
Find attached the binary.
With --enable-debug,
qemu-s390x: /home/rth/qemu/qemu/include/tcg/tcg.h:687: temp_idx: Assertion `n >= 0 && n < tcg_ctx->nb_temps' failed.
which turns out to be related to a null-pointer temporary.
I confirm that the patch https://lists.gnu.org/archive/html/qemu-s390x/2020-06/msg00213.html fixes the issue, both for qemu-s390x and qemu-system-s390x.
Thanks Richard!
This bug was fixed in the package qemu - 1:5.0-5ubuntu4
---------------
qemu (1:5.0-5ubuntu4) groovy; urgency=medium
* xen: provide compat links to what libxen-dev reports where to find
the binaries (LP: #1890005)
* d/p/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch: avoid crash on
SQXBR (LP: #1883984)
* d/p/lp-1890154-*: fix -no-reboot on s390x secure boot (LP: #1890154)
-- Christian Ehrhardt <email address hidden> Mon, 03 Aug 2020 07:15:28 +0200
Note: final upstream commit link https://git.qemu.org/?p=qemu.git;a=commit;h=9bf728a09bf7509b27543664f9cca6f4f337f608
Hello Nelson, or anyone else affected,
Accepted qemu into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/qemu/1:4.2-3ubuntu6.5 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.
Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
All autopkgtests for the newly accepted qemu (1:4.2-3ubuntu6.5) for focal have finished running.
The following regressions have been reported in tests triggered by the package:
ubuntu-image/1.9+20.04ubuntu1 (amd64)
systemd/245.4-4ubuntu3.2 (amd64, armhf, s390x, ppc64el)
livecd-rootfs/2.664.4 (amd64, arm64, s390x, ppc64el)
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].
https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#qemu
[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions
Thank you!
old version
sudo apt install qemu-system-s390x=1:4.2-3ubuntu6.4
...test as listed in the test instructions ...
ubuntu@focal-sqxbr:~$ ./a.out
Segmentation fault
(qemu is dead at this point)
$ sudo apt install qemu-system-s390x=1:4.2-3ubuntu6.5
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
qemu-system-s390x
1 upgraded, 0 newly installed, 0 to remove and 315 not upgraded.
Need to get 2334 kB of archives.
After this operation, 4096 B of additional disk space will be used.
Get:1 http://ports.ubuntu.com focal-proposed/main s390x qemu-system-s390x s390x 1:4.2-3ubuntu6.5 [2334 kB]
Fetched 2334 kB in 1s (3927 kB/s)
(Reading database ... 203254 files and directories currently installed.)
Preparing to unpack .../qemu-system-s390x_1%3a4.2-3ubuntu6.5_s390x.deb ...
Unpacking qemu-system-s390x (1:4.2-3ubuntu6.5) over (1:4.2-3ubuntu6.4) ...
Setting up qemu-system-s390x (1:4.2-3ubuntu6.5) ...
Processing triggers for man-db (2.9.3-2) ...
ubuntu@s1lp05:~$
ubuntu@focal-sqxbr:~$ ./a.out
(no crash)
Setting verified
The verification of the Stable Release Update for qemu has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
This bug was fixed in the package qemu - 1:4.2-3ubuntu6.5
---------------
qemu (1:4.2-3ubuntu6.5) focal; urgency=medium
* further stabilize qemu by importing patches of qemu v4.2.1
Fixes (LP: #1891203) and (LP: #1891877)
- d/p/stable/lp-1891877-*
- as part of the stabilization this also fixes an
riscv emulation issue due to the CVE-2020-13754 fixes via
d/p/ubuntu/hw-riscv-Allow-64-bit-access-to-SiFive-CLINT.patch
* fix s390x SQXBR emulation (LP: #1883984)
- d/p/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch
* fix -no-reboot for s390x protvirt guests (LP: #1890154)
- d/p/ubuntu/lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-*
-- Christian Ehrhardt <email address hidden> Wed, 19 Aug 2020 13:40:49 +0200
|