On Tue, Jun 16, 2026 at 03:18:04PM +0000, jmp0-lab wrote: > -UID: 102334 > Status: O > Content-Length: 12782 > > Hi, > > I am experiencing a regression in OpenBSD 7.9 where all Linux guest VMs fail > to boot due to a vioblk bug. The same setup worked under OpenBSD 7.8. > > Hardware: >
I believe this was patched in the 7.8/7.9 errata on June 2. man syspatch -ml > vmm% dmesg > OpenBSD 7.9-beta (GENERIC.MP) #345: Tue Mar 24 04:27:49 MDT 2026 > [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP > real mem = 12594851840 (12011MB) > avail mem = 12185497600 (11620MB) > random: good seed from bootblocks > mpath0 at root > scsibus0 at mpath0: 256 targets > mainbus0 at root > bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xafbda000 (65 entries) > bios0: vendor LENOVO version "N1CET47W (1.15 )" date 08/08/2016 > bios0: LENOVO 20FAS1VJ00 > efi0 at bios0: UEFI 2.4 > efi0: Lenovo rev 0x1150 > acpi0 at bios0: ACPI 5.0 > acpi0: sleep states S0 S3 S4 S5 > acpi0: tables DSDT FACP TCPA SSDT SSDT TPM2 UEFI SSDT SSDT ECDT HPET APIC > MCFG SSDT DBGP DBG2 BOOT BATB SLIC SSDT SSDT MSDM DMAR ASF! FPDT UEFI > acpi0: wakeup devices LID_(S4) SLPB(S3) IGBE(S4) EXP2(S4) XHCI(S3) > acpitimer0 at acpi0: 3579545 Hz, 24 bits > acpiec0 at acpi0 > acpihpet0 at acpi0: 23999999 Hz > acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat > cpu0 at mainbus0: apid 0 (boot processor) > cpu0: Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz, 2494.19 MHz, 06-4e-03, patch > 000000f0 > cpu0: cpuid 1 > edx=bfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE> > > ecx=77fafbff<SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND> > cpu0: cpuid 6 eax=27f7<SENSOR,ARAT,PTS> ecx=9<EFFFREQ> > cpu0: cpuid 7.0 > ebx=29c6fbf<FSGSBASE,TSC_ADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT> > edx=bc002e00<SRBDS_CTRL,MD_CLEAR,TSXFA,IBRS,IBPB,STIBP,L1DF,SSBD> > cpu0: cpuid a vers=4, gp=4, gpwidth=48, ff=3, ffwidth=48 > cpu0: cpuid d.1 eax=f<XSAVEOPT,XSAVEC,XGETBV1,XSAVES> > cpu0: cpuid 80000001 edx=2c100800<NXE,PAGE1GB,RDTSCP,LONG> > ecx=121<LAHF,ABM,3DNOWP> > cpu0: cpuid 80000007 edx=100<ITSC> > cpu0: msr 10a=c04<RSBA,MISC_PKG_CT,ENERGY_FILT> > cpu0: MELTDOWN > cpu0: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 256KB > 64b/line 4-way L2 cache, 4MB 64b/line 16-way L3 cache > cpu0: smt 0, core 0, package 0 > mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges > cpu0: apic clock running at 24MHz > cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE > cpu1 at mainbus0: apid 2 (application processor) > cpu1: Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz, 2494.19 MHz, 06-4e-03, patch > 000000f0 > cpu1: smt 0, core 1, package 0 > cpu2 at mainbus0: apid 1 (application processor) > cpu2: Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz, 2494.19 MHz, 06-4e-03, patch > 000000f0 > cpu2: smt 1, core 0, package 0 > cpu3 at mainbus0: apid 3 (application processor) > cpu3: Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz, 2494.19 MHz, 06-4e-03, patch > 000000f0 > cpu3: smt 1, core 1, package 0 > ioapic0 at mainbus0: apid 2 pa 0xfec00000, version 20, 120 pins > acpimcfg0 at acpi0 > acpimcfg0: addr 0xf8000000, bus 0-63 > acpiprt0 at acpi0: bus 0 (PCI0) > acpiprt1 at acpi0: bus -1 (PEG0) > acpiprt2 at acpi0: bus -1 (PEG1) > acpiprt3 at acpi0: bus -1 (PEG2) > acpiprt4 at acpi0: bus 2 (EXP1) > acpiprt5 at acpi0: bus -1 (EXP2) > acpiprt6 at acpi0: bus 4 (EXP3) > acpiprt7 at acpi0: bus 5 (EXP5) > acpiprt8 at acpi0: bus -1 (RP09) > acpibtn0 at acpi0: LID_(wakeup) > acpibtn1 at acpi0: SLPB(wakeup) > acpipci0 at acpi0 PCI0: 0x00000000 0x00000011 0x00000001 > acpicmos0 at acpi0 > "LEN0071" at acpi0 not configured > "LEN004B" at acpi0 not configured > acpibat0 at acpi0: BAT0 model "00HW023" serial 1718 type LiP oem "SMP" > acpibat1 at acpi0: BAT1 model "01AV405" serial 6888 type LION oem "SANYO" > acpiac0 at acpi0: AC unit online > acpithinkpad0 at acpi0: version 2.0 > "PNP0C14" at acpi0 not configured > "PNP0C14" at acpi0 not configured > "PNP0C14" at acpi0 not configured > "INT0E0C" at acpi0 not configured > tpm0 at acpi0 TPM_: unsupported TPM2 start method 2 > acpicpu0 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151 mwait.1@0x33), > C1(1000@1 mwait.1), PSS > acpicpu1 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151 mwait.1@0x33), > C1(1000@1 mwait.1), PSS > acpicpu2 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151 mwait.1@0x33), > C1(1000@1 mwait.1), PSS > acpicpu3 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151 mwait.1@0x33), > C1(1000@1 mwait.1), PSS > acpipwrres0 at acpi0: PUBS, resource for XHCI > acpipwrres1 at acpi0: PG00, resource for PEG0 > acpipwrres2 at acpi0: PG01, resource for PEG1 > acpipwrres3 at acpi0: PG02, resource for PEG2 > acpipwrres4 at acpi0: WRST > acpipwrres5 at acpi0: WRST > acpitz0 at acpi0 > acpitz0: critical temperature is 128 degC > acpivideo0 at acpi0: GFX0 > acpivout0 at acpivideo0: DD1F > cpu0: using VERW MDS workaround (except on vmm entry) > cpu0: Enhanced SpeedStep 2494 MHz: speeds: 2701, 2700, 2600, 2500, 2300, > 2100, 1900, 1800, 1600, 1400, 1300, 1100, 800, 700, 600, 400 MHz > pci0 at mainbus0 bus 0 > pchb0 at pci0 dev 0 function 0 "Intel Core 6G Host" rev 0x08 > inteldrm0 at pci0 dev 2 function 0 "Intel HD Graphics 520" rev 0x07 > drm0 at inteldrm0 > inteldrm0: msi, SKYLAKE, gen 9 > "Intel Core GMM" rev 0x00 at pci0 dev 8 function 0 not configured > xhci0 at pci0 dev 20 function 0 "Intel 100 Series xHCI" rev 0x21: msi, xHCI > 1.0 > usb0 at xhci0: USB revision 3.0 > uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 > addr 1 > pchtemp0 at pci0 dev 20 function 2 "Intel 100 Series Thermal" rev 0x21 > "Intel 100 Series MEI" rev 0x21 at pci0 dev 22 function 0 not configured > ppb0 at pci0 dev 28 function 0 "Intel 100 Series PCIE" rev 0xf1: msi > pci1 at ppb0 bus 2 > rtsx0 at pci1 dev 0 function 0 "Realtek RTS522A Card Reader" rev 0x01: msi > sdmmc0 at rtsx0: 4-bit, dma > ppb1 at pci0 dev 28 function 2 "Intel 100 Series PCIE" rev 0xf1: msi > pci2 at ppb1 bus 4 > iwm0 at pci2 dev 0 function 0 "Intel AC 8260" rev 0x3a, msi > ppb2 at pci0 dev 28 function 4 "Intel 100 Series PCIE" rev 0xf1: msi > pci3 at ppb2 bus 5 > nvme0 at pci3 dev 0 function 0 "Samsung SM951/PM951" rev 0x01: msix, NVMe 1.1 > nvme0: SAMSUNG MZVPV256HDGL-000L7, firmware 5L6QBXW7, serial S27MNY0H813527 > scsibus1 at nvme0: 2 targets, initiator 0 > sd0 at scsibus1 targ 1 lun 0: <NVMe, SAMSUNG MZVPV256, 5L6Q> > sd0: 244198MB, 512 bytes/sector, 500118192 sectors > pcib0 at pci0 dev 31 function 0 "Intel 100 Series LPC" rev 0x21 > "Intel 100 Series PMC" rev 0x21 at pci0 dev 31 function 2 not configured > azalia0 at pci0 dev 31 function 3 "Intel 100 Series HD Audio" rev 0x21: msi > azalia0: codecs: Realtek ALC293, Intel/0x2809, using Realtek ALC293 > audio0 at azalia0 > ichiic0 at pci0 dev 31 function 4 "Intel 100 Series SMBus" rev 0x21: apic 2 > int 16 > iic0 at ichiic0 > em0 at pci0 dev 31 function 6 "Intel I219-LM" rev 0x21: msi, address > c8:5b:76:63:00:1d > isa0 at pcib0 > isadma0 at isa0 > pckbc0 at isa0 port 0x60/5 irq 1 irq 12 > pckbd0 at pckbc0 (kbd slot) > wskbd0 at pckbd0: console keyboard > pms0 at pckbc0 (aux slot) > wsmouse0 at pms0 mux 0 > wsmouse1 at pms0 mux 0 > pms0: Synaptics clickpad, firmware 8.2, 0x1e2b1 0x943300 0x334940 0xf003a3 > 0x12e800 > pcppi0 at isa0 port 0x61 > spkr0 at pcppi0 > vmm0 at mainbus0: VMX/EPT > efifb at mainbus0 not configured > uhidev0 at uhub0 port 1 configuration 1 interface 0 "Dell Dell Smart Card > Reader Keyboard" rev 2.00/2.01 addr 2 > uhidev0: iclass 3/1 > ukbd0 at uhidev0: 8 variable keys, 6 key codes > wskbd1 at ukbd0 mux 1 > ugen0 at uhub0 port 1 configuration 1 "Dell Dell Smart Card Reader Keyboard" > rev 2.00/2.01 addr 2 > umb0 at uhub0 port 2 "Huawei Technologies Co., Ltd. HUAWEI Mobile" rev > 2.10/1.02 addr 3 > uhidev1 at uhub0 port 4 configuration 1 interface 0 "Logitech USB Receiver" > rev 2.00/24.11 addr 4 > uhidev1: iclass 3/1 > ukbd1 at uhidev1: 8 variable keys, 6 key codes > wskbd2 at ukbd1 mux 1 > uhidev2 at uhub0 port 4 configuration 1 interface 1 "Logitech USB Receiver" > rev 2.00/24.11 addr 4 > uhidev2: iclass 3/1, 8 report ids > ums0 at uhidev2 reportid 2: 16 buttons, Z and W dir > wsmouse2 at ums0 mux 0 > ucc0 at uhidev2 reportid 3: 767 usages, 20 keys, array > wskbd3 at ucc0 mux 1 > uhid0 at uhidev2 reportid 4: input=1, output=0, feature=0 > uhid1 at uhidev2 reportid 8: input=1, output=0, feature=0 > uhidev3 at uhub0 port 4 configuration 1 interface 2 "Logitech USB Receiver" > rev 2.00/24.11 addr 4 > uhidev3: iclass 3/0, 33 report ids > uhidpp0 at uhidev3 device 1 trackball "MX Ergo" > uhid2 at uhidev3 reportid 32: input=14, output=14, feature=0 > uhid3 at uhidev3 reportid 33: input=31, output=31, feature=0 > ugen1 at uhub0 port 9 "Validity Sensors product 0x0090" rev 2.00/1.64 addr 5 > umass0 at uhub0 port 15 configuration 1 interface 0 "Western Digital Elements > 10B8" rev 3.00/10.12 addr 6 > umass0: using SCSI over Bulk-Only > scsibus2 at umass0: 2 targets, initiator 0 > sd1 at scsibus2 targ 1 lun 0: <WD, Elements 10B8, 1012> > serial.105810b835375330595A > sd1: 953837MB, 512 bytes/sector, 1953458176 sectors > vscsi0 at root > scsibus3 at vscsi0: 256 targets > softraid0 at root > scsibus4 at softraid0: 256 targets > sd2 at scsibus4 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006> > sd2: 243938MB, 512 bytes/sector, 499585087 sectors > root on sd2a (0b43be3ae5e7b003.a) swap on sd2b dump on sd2b > inteldrm0: 1920x1080, 32bpp > wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation), using wskbd0 > wskbd1: connecting to wsdisplay0 > wskbd2: connecting to wsdisplay0 > wskbd3: connecting to wsdisplay0 > wsdisplay0: screen 1-5 added (std, vt100 emulation) > iwm0: hw rev 0x200, fw ver 36.ca7b901d.0, address e4:a7:a0:87:02:71 > sd3 at scsibus4 targ 2 lun 0: <OPENBSD, SR CRYPTO, 006> > sd3: 953836MB, 512 bytes/sector, 1953457584 sectors > sd3 detached > sd3 at scsibus4 targ 2 lun 0: <OPENBSD, SR CRYPTO, 006> > sd3: 953836MB, 512 bytes/sector, 1953457584 sectors > sd3 detached > wskbd1: disconnecting from wsdisplay0 > wskbd1 detached > ukbd0 detached > uhidev0 detached > ugen0 detached > uhidev0 at uhub0 port 1 configuration 1 interface 0 "Dell Dell Smart Card > Reader Keyboard" rev 2.00/2.01 addr 2 > uhidev0: iclass 3/1 > ukbd0 at uhidev0: 8 variable keys, 6 key codes > wskbd1 at ukbd0 mux 1 > wskbd1: connecting to wsdisplay0 > ugen0 at uhub0 port 1 configuration 1 "Dell Dell Smart Card Reader Keyboard" > rev 2.00/2.01 addr 2 > sd3 at scsibus4 targ 2 lun 0: <OPENBSD, SR CRYPTO, 006> > sd3: 953836MB, 512 bytes/sector, 1953457584 sectors > sd3 detached > > > > vmm% dmesg | grep -E '(VMX/EPT|SVM/RVI)' > vmm0 at mainbus0: VMX/EPT > vmm0 at mainbus0: VMX/EPT > vmm0 at mainbus0: VMX/EPT > vmm0 at mainbus0: VMX/EPT > vmm0 at mainbus0: VMX/EPT > > Problem: > > All Linux distributions tested fail to boot under vmd(8). The following > errors appear in /var/log/daemon immediately after VM start: > > vmd[XXXX]: vioblk_notifyq: unsupported vioblk command 1723871590 > vmd[XXXX]: vioblk_notifyq: unchained cmd descriptor > > The vioblk handler drops the I/O request without sending any response to the > guest. This causes the Linux virtio_blk driver to block indefinitely in > D-state, as confirmed by the guest kernel hung task trace. > > > Reproduction: > > vm.conf: > > vm "linux" { > memory 2G > disk "/var/vmm/disk.raw" > local interface > } > > Tested guest distributions (all fail identically): > - Debian 12.5 genericcloud amd64 (kernel 6.1.x), raw format > - Debian 11.x genericcloud amd64 (kernel 5.10.x), raw format > - Alpine Linux 3.17.3 virt amd64 (kernel 5.15.x), ISO as disk > - Ubuntu 26.04 live server amd64 (kernel 6.14.x) > > For Debian guests, the guest kernel reports a hung task after 120 seconds: > > [243.000] task:systemd-udevd state:D > Call Trace: > virtblk_probe+0x4c7/0x810 [virtio_blk] > __device_add_disk > bdev_disk_changed > efi_partition / msdos_partition > read_part_sector > do_read_cache_page > folio_wait_bit_common > io_schedule <-- blocked here indefinitely > > The virtio_blk driver submits a read request (partition table scan) which > OpenBSD VMM drops without writing to the status descriptor or notifying the > used ring. The guest waits forever for a completion that never arrives. > > For Alpine virt (virtio_blk compiled into kernel, not a module), the hang > occurs before serial console is initialized, resulting in a black screen. > > Suspected cause: > > The 7.9 change "Use 32-bit direct kernel launch for both amd64 and i386 in > vmd(8)" may have altered the virtio device initialization sequence in a way > that breaks descriptor chain handling in vioblk_notifyq(). > > Specifically, vioblk_notifyq() logs "unchained cmd descriptor" and returns > without sending any response when it encounters a descriptor without the > VRING_DESC_F_NEXT flag. Modern Linux virtio_blk drivers (5.10+) negotiate > VIRTIO_F_RING_INDIRECT_DESC and submit I/O requests using indirect descriptor > tables, where the top-level descriptor intentionally lacks NEXT. The VMM > appears to not h
