Bug 1003232

Summary: qemu-kvm core dumped when hot plug virtio-serial and transfer character [TestOnly]
Product: Red Hat Enterprise Linux 6
Reporter: mazhang <mazhang>
Component: qemu-kvm
Assignee: Amit Shah <amit.shah>
Status: CLOSED ERRATA
QA Contact: Virtualization Bugs <virt-bugs>
Severity: high
Docs Contact:
Priority: high
Version: 6.5
CC: acathrow, amit.shah, bsarathy, chayang, flang, juzhang, mazhang, michen, mkenneth, mrezanin, qzhang, tlavigne, virt-maint
Target Milestone: rc
Keywords: TestOnly
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-21 07:12:45 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 985205
Bug Blocks:

Description mazhang 2013-09-01 06:22:43 UTC
Description of problem:
Hot plug a virtio-serial PCI device and port, transfer some characters, then reconnect and transfer data again; qemu-kvm will core dump.

Version-Release number of selected component (if applicable):

host:RHEL6.5-20130820.2
qemu-kvm-0.12.1.2-2.398.el6.x86_64
kernel-2.6.32-414.el6.x86_64

guest:
win7-64
virtio-win-prewhql-0.1-68


How reproducible:
5/5

Steps to Reproduce:
1. CLI:
#gdb --args /usr/libexec/qemu-kvm \
-M pc \
-cpu Opteron_G4 \
-m 2G \
-smp 4,sockets=2,cores=2,threads=1,maxcpus=16 \
-enable-kvm \
-name win7 \
-uuid 990ea161-6b67-47b2-b803-19fb01d30d12 \
-smbios type=1,manufacturer='Red Hat',product='RHEV Hypervisor',version=el6,serial=koTUXQrb,uuid=feebc8fd-f8b0-4e75-abc3-e63fcdb67170 \
-k en-us \
-rtc base=localtime,clock=host,driftfix=slew \
-no-kvm-pit-reinjection \
-monitor stdio \
-boot menu=on \
-bios /usr/share/seabios/bios.bin \
-qmp tcp:0:6666,server,nowait \
-serial unix:/tmp/monitor-unix,server,nowait \
-nodefconfig \
-nodefaults \
-drive file=/home/win7-64-new.raw,if=none,id=drive-scsi-disk,format=raw,cache=none,werror=stop,rerror=stop \
-device virtio-scsi-pci,id=scsi0 \
-device scsi-disk,drive=drive-scsi-disk,bus=scsi0.0,scsi-id=0,lun=0,id=scsi-disk,bootindex=1 \
-global PIIX4_PM.disable_s3=0 \
-global PIIX4_PM.disable_s4=0 \
-vga cirrus \
-vnc :0 \
-netdev tap,id=hostnet0,vhost=on \
-device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:39:13:2c \
-device virtio-serial-pci,id=virtio-serial0,max_ports=16 \
-chardev socket,id=channel0,path=/tmp/channel0,server,nowait \

2. Hot plug the virtio-serial PCI device and port.
[root@amd-2427-32-1 ~]# telnet localhost 6666
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
{"QMP": {"version": {"qemu": {"micro": 1, "minor": 12, "major": 0}, "package": "(qemu-kvm-0.12.1.2)"}, "capabilities": []}}
{"execute": "qmp_capabilities"}
{"return": {}}
{"execute":"device_add","arguments":{"driver":"virtio-serial-pci","id":"virtio-serial0"}}
{"return": {}}
{"execute":"device_add","arguments":{"driver":"virtserialport","bus":"virtio-serial0.0","chardev":"channel0","name":"org.linux-kvm.port.0","id":"port0"}}
{"return": {}}

3. Transfer some characters from guest to host.
(host)# nc -U /tmp/channel0
(guest)# echo abcd >> \\.\Global\.\org.linux-kvm.port.0
(this time virtio-serial works well)

4. Press Ctrl+C to stop the connection, reconnect, then transfer characters again.
(host)# nc -U /tmp/channel0
(guest)# echo abcd >> \\.\Global\.\org.linux-kvm.port.0
(qemu-kvm will core dump)

Actual results:
qemu-kvm will core dump.

(gdb) bt full
#0  0x00007ffff77096fd in write () from /lib64/libpthread.so.0
No symbol table info available.
#1  0x00007ffff7277651 in ?? () from /lib64/libglib-2.0.so.0
No symbol table info available.
#2  0x00007ffff7228387 in g_io_channel_write_chars () from /lib64/libglib-2.0.so.0
No symbol table info available.
#3  0x00007ffff7e53e6e in io_channel_send (fd=0x7ffff8844ba0, buf=0x7fffd224cd60, len=9) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-char.c:721
        bytes_written = 0
        offset = <value optimized out>
        status = <value optimized out>
        __PRETTY_FUNCTION__ = "io_channel_send"
#4  0x00007ffff7f24464 in flush_buf (port=0x7ffff91be820, buf=0x7fffd224cd60 "asdsdf \r\n", len=9) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/virtio-console.c:58
        vcon = 0x7ffff91be820
        ret = <value optimized out>
#5  0x00007ffff7de3cec in do_flush_queued_data (port=0x7ffff91be820, vq=0x7ffff91b0410, vdev=0x7ffff8844190) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/virtio-serial-bus.c:193
        buf_size = <value optimized out>
        ret = <value optimized out>
        i = 0
        info = 0x7ffff82dc460
        __PRETTY_FUNCTION__ = "do_flush_queued_data"
#6  0x00007ffff7e018f1 in qemu_bh_poll () at /usr/src/debug/qemu-kvm-0.12.1.2/async.c:70
        bh = <value optimized out>
        bhp = <value optimized out>
        next = 0x7fffe8000da0
        ret = 1
        nesting = 1
#7  0x00007ffff7dca079 in main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4096
        ioh = <value optimized out>
        rfds = {fds_bits = {8589934592, 0 <repeats 15 times>}}
        wfds = {fds_bits = {8589934592, 0 <repeats 15 times>}}
        xfds = {fds_bits = {0 <repeats 16 times>}}
        ret = <value optimized out>
        nfds = 33
        tv = {tv_sec = 0, tv_usec = 999991}
#8  0x00007ffff7decd3a in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2245
        fds = {23, 24}
        mask = {__val = {268443712, 0 <repeats 15 times>}}
        sigfd = 25
#9  0x00007ffff7dcccf9 in main_loop (argc=55, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4266
        r = <value optimized out>
#10 main (argc=55, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6644
        gdbstub_dev = 0x0
        i = <value optimized out>
        snapshot = 0
        linux_boot = 0
        initrd_filename = 0x0
        kernel_filename = 0x0
        kernel_cmdline = 0x7ffff7f9092f ""
        boot_devices = "cad", '\000' <repeats 29 times>
        ds = <value optimized out>
        dcl = <value optimized out>
        cyls = 0
        heads = 0
        secs = 0
        translation = 0
        hda_opts = 0x7ffff82f0170
        opts = <value optimized out>
        olist = <value optimized out>
        optind = 55
        optarg = 0x7fffffffe755 "socket,id=channel0,path=/tmp/channel0,server,nowait"
        loadvm = 0x0
        machine = 0x7ffff82e9680
        cpu_model = 0x7fffffffe380 "Opteron_G4"
        fds = {-137187184, 32767}
        tb_size = 0
        pid_file = 0x0
        incoming = 0x0
        fd = 0
        pwd = 0x0
        chroot_dir = 0x0
        run_as = 0x0
        env = <value optimized out>
        show_vnc_port = 0
        defconfig = <value optimized out>
        defconfig_verbose = <value optimized out>

Expected results:
No core dump.

Additional info:
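
The hot-plug half of the reproducer (step 2) is a QMP exchange that is easy to get subtly wrong by hand: the monitor speaks first with a greeting, `qmp_capabilities` must be sent before any other command, asynchronous events can arrive between a command and its reply, and failures come back as an `error` object rather than a `return`. The script below is an added example written for this page, not code from the bug report or from the qemu-kvm project. It drives the same two `device_add` commands the report sends over `tcp:0:6666`, and it pairs the client with a constructed in-process stand-in for the monitor so it runs offline; the greeting is the one printed on this page, the `EXAMPLE_EVENT` name is invented, and the `DuplicateId` error class is assumed to be what QEMU of that era returns for a reused device id.

```python
"""Automate step 2 of the reproducer over QMP (added example, not from the report)."""
import json
import socket
import threading

# Greeting exactly as printed by the qemu-kvm build in the report.
GREETING = {"QMP": {"version": {"qemu": {"micro": 1, "minor": 12, "major": 0},
                                 "package": "(qemu-kvm-0.12.1.2)"},
                    "capabilities": []}}


class QMPClient:
    """Minimal line-oriented QMP client: one JSON object per line in each direction."""

    def __init__(self, sock):
        self.sock = sock
        self.rfile = sock.makefile("rb")
        # The server speaks first; nothing but qmp_capabilities is accepted before
        # capabilities have been negotiated.
        self.greeting = self._read()
        if "QMP" not in self.greeting:
            raise RuntimeError("not a QMP greeting: %r" % self.greeting)
        self.execute("qmp_capabilities")

    def _read(self):
        line = self.rfile.readline()
        if not line:
            raise ConnectionError("QMP peer closed the connection")
        return json.loads(line)

    def execute(self, command, **arguments):
        msg = {"execute": command}
        if arguments:
            msg["arguments"] = arguments
        self.sock.sendall(json.dumps(msg).encode() + b"\n")
        while True:
            resp = self._read()
            if "event" in resp:      # async events may interleave with the reply; skip them
                continue
            if "error" in resp:      # failures are reported as {"error": {"class", "desc"}}
                raise RuntimeError("%s: %s: %s" % (command, resp["error"]["class"],
                                                   resp["error"]["desc"]))
            return resp["return"]

    def close(self):
        self.rfile.close()
        self.sock.close()


def hotplug_virtio_serial(qmp, controller="virtio-serial0", chardev="channel0",
                          name="org.linux-kvm.port.0", port_id="port0"):
    """Add the controller, then a port on bus <controller>.0 bound to an existing chardev."""
    qmp.execute("device_add", driver="virtio-serial-pci", id=controller)
    qmp.execute("device_add", driver="virtserialport", bus=controller + ".0",
                chardev=chardev, name=name, id=port_id)
    return [controller, port_id]


class FakeQMPServer(threading.Thread):
    """Constructed stand-in for the qemu-kvm monitor so the client can be exercised offline."""

    def __init__(self, sock):
        super().__init__(daemon=True)
        self.sock = sock
        self.commands = []        # every command the client sent, in order
        self.device_ids = set()   # ids already plugged, to model duplicate-id rejection

    def _send(self, obj):
        self.sock.sendall(json.dumps(obj).encode() + b"\n")

    def run(self):
        rfile = self.sock.makefile("rb")
        self._send(GREETING)
        for line in rfile:
            msg = json.loads(line)
            self.commands.append(msg)
            cmd, args = msg["execute"], msg.get("arguments", {})
            if cmd == "device_add":
                # Constructed event emitted before the reply, to exercise event skipping.
                self._send({"event": "EXAMPLE_EVENT", "data": {}})
                if args["id"] in self.device_ids:   # assumed error class for a reused id
                    self._send({"error": {"class": "DuplicateId",
                                          "desc": "Duplicate ID '%s' for device" % args["id"]}})
                    continue
                self.device_ids.add(args["id"])
            self._send({"return": {}})
        rfile.close()


def run_hotplug_offline():
    """Plug the devices once, then try again with the same ids; returns what happened."""
    client_sock, server_sock = socket.socketpair()
    server = FakeQMPServer(server_sock)
    server.start()
    qmp = QMPClient(client_sock)
    added = hotplug_virtio_serial(qmp)
    try:
        hotplug_virtio_serial(qmp)          # second plug with the same ids must be rejected
        dup_error = None
    except RuntimeError as exc:
        dup_error = str(exc)
    qmp.close()
    server.join(timeout=5)
    return added, [c["execute"] for c in server.commands], dup_error


if __name__ == "__main__":
    # Against a real monitor started as in the report, replace the socketpair with
    # QMPClient(socket.create_connection(("localhost", 6666))).
    print(run_hotplug_offline())
```

Two practical notes. First, `-qmp tcp:0:6666,server,nowait` binds the unauthenticated monitor on every interface; on anything but an isolated test box, bind it to 127.0.0.1 or a unix socket, since anyone who can reach that port can add or remove devices at will. Second, because the client stops at the first `error` reply, a failed controller add never sends the port add, which is the behaviour you want when scripting hot-plug against a monitor whose state you do not fully know.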

Comment 3 mazhang 2013-09-02 05:20:24 UTC
qemu-kvm-389 also hit this problem.

(gdb) bt
#0  0x00007ffff772d6fd in write () from /lib64/libpthread.so.0
#1  0x00007ffff749e651 in ?? () from /lib64/libglib-2.0.so.0
#2  0x00007ffff744f387 in g_io_channel_write_chars () from /lib64/libglib-2.0.so.0
#3  0x00007ffff7e5481e in io_channel_send (fd=0x7ffff86e4b10, buf=0x7fffd27cfce0, len=7)
    at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-char.c:726
#4  0x00007ffff7f24df4 in flush_buf (port=0x7ffff9bc1440, buf=0x7fffd27cfce0 "abc  \r\n", len=7)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/virtio-console.c:58
#5  0x00007ffff7de835c in do_flush_queued_data (port=0x7ffff9bc1440, vq=0x7ffff9b921a0, vdev=0x7ffff87811c0)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/virtio-serial-bus.c:193
#6  0x00007ffff7e05d21 in qemu_bh_poll () at /usr/src/debug/qemu-kvm-0.12.1.2/async.c:70
#7  0x00007ffff7dce989 in main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4090
#8  0x00007ffff7df13aa in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2244
#9  0x00007ffff7dd2248 in main_loop (argc=55, argv=<value optimized out>, envp=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4260
#10 main (argc=55, argv=<value optimized out>, envp=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6631

Comment 4 mazhang 2013-09-02 05:34:15 UTC
qemu-kvm-387 also hit this problem.

Comment 8 Amit Shah 2013-10-09 16:45:22 UTC
bug 985205 moved to ON_QA status.

Comment 9 mazhang 2013-10-17 11:38:40 UTC
qemu-kvm-0.12.1.2-2.412.el6.x86_64 cannot hit this problem.

host:
qemu-kvm-0.12.1.2-2.412.el6.x86_64
kernel-2.6.32-423.el6.x86_64

guest:
win7-64
virtio-win-prewhql-72

Steps are the same as comment#0.

Result:
Guest works well and is able to transfer data via virtio-serial.

Comment 11 errata-xmlrpc 2013-11-21 07:12:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-1553.html