| Summary: | reboot guest cause qemu-kvm core dump after hot-plug not-existent image to guest | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | FuXiangChun <xfu> |
| Component: | qemu-kvm | Assignee: | Markus Armbruster <armbru> |
| Status: | CLOSED DUPLICATE | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 7.0 | CC: | acathrow, akong, hhuang, juzhang, michen, virt-maint |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-01-21 13:49:54 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
I simplified the reproducer and reproduced it with the latest upstream:
$ gdb --args upstream-qemu -nodefaults -S -display none -monitor stdio -device virtio-scsi-pci,id=bus1
[...]
(gdb) r
[...]
(qemu) device_add scsi-hd,bus=bus1.0,drive=scsi0,id=hd0
Property 'scsi-hd.drive' can't find value 'scsi0'
(qemu) system_reset
(qemu)
Program received signal SIGSEGV, Segmentation fault.
0x0000555555616307 in bdrv_getlength (bs=0x0) at /work/armbru/qemu/block.c:2959
2959 BlockDriver *drv = bs->drv;
(gdb) bt
#0 0x0000555555616307 in bdrv_getlength (bs=0x0)
at /work/armbru/qemu/block.c:2959
#1 0x00005555556163a0 in bdrv_get_geometry (bs=0x0, nb_sectors_ptr=
0x7fffffffd7a8) at /work/armbru/qemu/block.c:2976
#2 0x000055555579415b in scsi_disk_reset (dev=0x555556363430)
at /work/armbru/qemu/hw/scsi/scsi-disk.c:2119
#3 0x00005555556e5394 in device_reset (dev=0x555556363430)
at /work/armbru/qemu/hw/core/qdev.c:840
#4 0x00005555556e3624 in qdev_reset_one (dev=0x555556363430, opaque=0x0)
at /work/armbru/qemu/hw/core/qdev.c:227
#5 0x00005555556e3d6b in qdev_walk_children (dev=0x555556363430, pre_devfn=
0x0, pre_busfn=0x0, post_devfn=0x5555556e35f9 <qdev_reset_one>, post_busfn=
0x5555556e363f <qbus_reset_one>, opaque=0x0)
at /work/armbru/qemu/hw/core/qdev.c:398
#6 0x00005555556e3c3b in qbus_walk_children (bus=0x5555563674d8, pre_devfn=
0x0, pre_busfn=0x0, post_devfn=0x5555556e35f9 <qdev_reset_one>, post_busfn=
0x5555556e363f <qbus_reset_one>, opaque=0x0)
at /work/armbru/qemu/hw/core/qdev.c:356
#7 0x00005555556e3d2f in qdev_walk_children (dev=0x5555563673c0, pre_devfn=
0x0, pre_busfn=0x0, post_devfn=0x5555556e35f9 <qdev_reset_one>, post_busfn=
0x5555556e363f <qbus_reset_one>, opaque=0x0)
at /work/armbru/qemu/hw/core/qdev.c:390
#8 0x00005555556e3c3b in qbus_walk_children (bus=0x555556367358, pre_devfn=
0x0, pre_busfn=0x0, post_devfn=0x5555556e35f9 <qdev_reset_one>, post_busfn=
0x5555556e363f <qbus_reset_one>, opaque=0x0)
at /work/armbru/qemu/hw/core/qdev.c:356
#9 0x00005555556e3d2f in qdev_walk_children (dev=0x555556366ad0, pre_devfn=
0x0, pre_busfn=0x0, post_devfn=0x5555556e35f9 <qdev_reset_one>, post_busfn=
0x5555556e363f <qbus_reset_one>, opaque=0x0)
at /work/armbru/qemu/hw/core/qdev.c:390
#10 0x00005555556e3c3b in qbus_walk_children (bus=0x5555563458d0, pre_devfn=
0x0, pre_busfn=0x0, post_devfn=0x5555556e35f9 <qdev_reset_one>, post_busfn=
0x5555556e363f <qbus_reset_one>, opaque=0x0)
at /work/armbru/qemu/hw/core/qdev.c:356
#11 0x00005555556e3d2f in qdev_walk_children (dev=0x5555563524e0, pre_devfn=
0x0, pre_busfn=0x0, post_devfn=0x5555556e35f9 <qdev_reset_one>, post_busfn=
0x5555556e363f <qbus_reset_one>, opaque=0x0)
at /work/armbru/qemu/hw/core/qdev.c:390
#12 0x00005555556e3c3b in qbus_walk_children (bus=0x555556320e00, pre_devfn=
0x0, pre_busfn=0x0, post_devfn=0x5555556e35f9 <qdev_reset_one>, post_busfn=
0x5555556e363f <qbus_reset_one>, opaque=0x0)
at /work/armbru/qemu/hw/core/qdev.c:356
#13 0x00005555556e3769 in qbus_reset_all (bus=0x555556320e00)
at /work/armbru/qemu/hw/core/qdev.c:248
#14 0x00005555556e37ae in qbus_reset_all_fn (opaque=0x555556320e00)
at /work/armbru/qemu/hw/core/qdev.c:254
#15 0x000055555589feba in qemu_devices_reset () at /work/armbru/qemu/vl.c:1839
#16 0x000055555589ff26 in qemu_system_reset (report=true)
at /work/armbru/qemu/vl.c:1848
#17 0x00005555558a0454 in main_loop_should_exit ()
at /work/armbru/qemu/vl.c:1981
#18 0x00005555558a0564 in main_loop () at /work/armbru/qemu/vl.c:2021
#19 0x00005555558a7c0b in main (argc=9, argv=0x7fffffffe078, envp=
0x7fffffffe0c8) at /work/armbru/qemu/vl.c:4382
(gdb) up 2
#2 0x000055555579415b in scsi_disk_reset (dev=0x555556363430)
at /work/armbru/qemu/hw/scsi/scsi-disk.c:2119
2119 bdrv_get_geometry(s->qdev.conf.bs, &nb_sectors);
(gdb) p *s
$1 = {qdev = {qdev = {parent_obj = {class = 0x5555563699a0, free =
0x7ffff76fd790 <g_free>, properties = {tqh_first = 0x555556364b80,
tqh_last = 0x5555563f3250}, ref = 1, parent = 0x0}, id =
0x5555563c5ea0 "ȇ\241\356\377\177", realized = false, opts = 0x0,
hotplugged = 1, parent_bus = 0x5555563674d8, num_gpio_out = 0,
gpio_out = 0x0, num_gpio_in = 0, gpio_in = 0x0, child_bus = {lh_first =
0x0}, num_child_bus = 0, instance_id_alias = -1,
alias_required_for_version = 0}, vmsentry = 0x0, bh = 0x0, id =
4294967295, conf = {bs = 0x0, physical_block_size = 512,
logical_block_size = 512, min_io_size = 0, opt_io_size = 0, bootindex =
-1, discard_granularity = 4294967295, cyls = 0, heads = 0, secs = 0},
unit_attention = {key = 6 '\006', asc = 41 ')', ascq = 0 '\000'},
sense_is_ua = false, sense = '\000' <repeats 95 times>, sense_len = 0,
requests = {tqh_first = 0x0, tqh_last = 0x0}, channel = 0, lun =
4294967295, blocksize = 0, type = 0, max_lba = 0}, features = 0,
media_changed = false, media_event = false, eject_request = false, wwn = 0,
max_unmap_size = 1073741824, bh = 0x0, version = 0x0, serial = 0x0, vendor =
0x0, product = 0x0, tray_open = false, tray_locked = false}
Note conf = {bs = 0x0, ...} in the dump above: that NULL block backend is exactly what bdrv_get_geometry() dereferences in frame #2. Same qemu invocation, but "info qtree" before and after the
device_add:
(qemu) info qtree
bus: main-system-bus
type System
[...]
dev: i440FX-pcihost, id ""
pci-hole64-size = 16777216.000T
short_root_bus = 0
irq 0
bus: pci.0
type PCI
dev: virtio-scsi-pci, id "bus1"
ioeventfd = off
vectors = 4
indirect_desc = on
event_idx = on
hotplug = on
param_change = on
num_queues = 1
max_sectors = 65535
cmd_per_lun = 128
addr = 02.0
romfile = <null>
rombar = 1
multifunction = off
command_serr_enable = on
class SCSI controller, addr 00:02.0, pci id 1af4:1004 (sub 1af4:0008)
bar 0: i/o at 0xffffffffffffffff [0x3e]
bar 1: mem at 0xffffffffffffffff [0xffe]
bus: virtio-bus
type virtio-pci-bus
dev: virtio-scsi-device, id ""
num_queues = 1
max_sectors = 65535
cmd_per_lun = 128
bus: bus1.0
type SCSI
dev: PIIX4_PM, id ""
[...]
(qemu) device_add scsi-hd,bus=bus1.0,drive=scsi0,id=hd0
Property 'scsi-hd.drive' can't find value 'scsi0'
(qemu) info qtree
bus: main-system-bus
type System
[...]
dev: i440FX-pcihost, id ""
pci-hole64-size = 16777216.000T
short_root_bus = 0
irq 0
bus: pci.0
type PCI
dev: virtio-scsi-pci, id "bus1"
ioeventfd = off
vectors = 4
indirect_desc = on
event_idx = on
hotplug = on
param_change = on
num_queues = 1
max_sectors = 65535
cmd_per_lun = 128
addr = 02.0
romfile = <null>
rombar = 1
multifunction = off
command_serr_enable = on
class SCSI controller, addr 00:02.0, pci id 1af4:1004 (sub 1af4:0008)
bar 0: i/o at 0xffffffffffffffff [0x3e]
bar 1: mem at 0xffffffffffffffff [0xffe]
bus: virtio-bus
type virtio-pci-bus
dev: virtio-scsi-device, id ""
num_queues = 1
max_sectors = 65535
cmd_per_lun = 128
bus: bus1.0
type SCSI
dev: scsi-hd, id "���C1"
drive = <null>
logical_block_size = 512
physical_block_size = 512
min_io_size = 0
opt_io_size = 0
bootindex = -1
discard_granularity = 4294967295
ver = <null>
serial = <null>
vendor = <null>
product = <null>
removable = off
dpofua = off
wwn = 0x0
max_unmap_size = 1073741824
cyls = 0
heads = 0
secs = 0
channel = 0
scsi-id = 4294967295
lun = 4294967295
[...]
Even though the device_add failed, it added a scsi-hd device to SCSI
bus "bus1.0"! Many of its properties are obvious crap.
Additional reproducers: 1. qemu -nodefaults -S -display none -monitor stdio -device lsi device_add scsi-hd,drive=scsi0,id=hd0 system_reset 2. qemu -nodefaults -S -display none -monitor stdio device_add e1000,netdev=xxx info qtree This is almost certainly a core qdev bug. Possibly a duplicate of 1046248. Amos, can you confirm it's a dupe of 1046248? Yes, it's the same issue. | (qemu) device_add scsi-hd,bus=bus1.0,drive=scsi0,id=hd0 | Property 'scsi-hd.drive' can't find value 'scsi0' Hot-plugging the device failed: the device was not added to the QOM tree, but a link to the non-existent device had already been created. | (qemu) system_reset The reset tries to walk the qdev children; the link still exists, so it tries to free a non-existent device, and crashes. *** This bug has been marked as a duplicate of bug 1046248 *** Thank you, Amos! |
Description of problem: First boot the guest, then hot-plug a non-existent image into the guest, and finally reboot the guest. qemu-kvm will core dump (Segmentation fault). Version-Release number of selected component (if applicable): qemu-kvm-1.5.3-9.el7.x86_64 3.10.0-35.el7.x86_64 How reproducible: 100% Steps to Reproduce: 1./usr/libexec/qemu-kvm -name 'linux-guest' -nodefaults -m 20G -smp 8,cores=4,threads=2,sockets=1 -M q35 -cpu SandyBridge \ -rtc base=utc,clock=host,driftfix=slew -k en-us -boot menu=on -monitor stdio -vnc :1 -spice disable-ticketing,port=5931 -vga qxl -qmp tcp:0:5555,server,nowait \ -drive file=/home/rng-RHEL7.0.qcow2_v3,if=none,id=drive-virtio-disk,format=qcow2,cache=none,werror=stop,rerror=stop \ -device virtio-blk-pci,scsi=off,drive=drive-virtio-disk,id=disk0,bootindex=1 -device \ virtio-scsi-pci,id=bus1 -balloon virtio -monitor unix:/tmp/monitor2,server,nowait 2. hot-plug a non-existent image to guest (qemu)drive_add pci_addr=auto file=/home/disk/disk0.qcow2,format=qcow2,media=disk,id=scsi0,if=none could not open disk image /home/disk/disk0.qcow2: No such file or directory 3.Reboot guest device_add scsi-hd,bus=bus1.0,drive=scsi0,id=hd0 Property 'scsi-hd.drive' can't find value 'scsi0' Actual results: (gdb) bt #0 bdrv_getlength (bs=0x0) at block.c:2765 #1 0x00005555555daacd in bdrv_get_geometry (bs=<optimized out>, nb_sectors_ptr=nb_sectors_ptr@entry=0x7fffffffdbc0) at block.c:2781 #2 0x0000555555689436 in scsi_disk_reset (dev=0x555556a2e9c0) at hw/scsi/scsi-disk.c:1982 #3 0x000055555563d839 in qdev_reset_one (dev=dev@entry=0x555556a2e9c0, opaque=opaque@entry=0x0) at hw/core/qdev.c:227 #4 0x000055555563cf30 in qdev_walk_children (dev=0x555556a2e9c0, devfn=devfn@entry=0x55555563d820 <qdev_reset_one>, busfn=busfn@entry=0x55555563b820 <qbus_reset_one>, opaque=opaque@entry=0x0) at hw/core/qdev.c:376 #5 0x000055555563d03a in qbus_walk_children (bus=bus@entry=0x555556741f20, devfn=devfn@entry=0x55555563d820 <qdev_reset_one>, busfn=busfn@entry=0x55555563b820 
<qbus_reset_one>, opaque=opaque@entry=0x0) at hw/core/qdev.c:360 #6 0x000055555563d0ad in qbus_reset_all (bus=bus@entry=0x555556741f20) at hw/core/qdev.c:248 #7 0x0000555555777de3 in virtio_scsi_reset (vdev=<optimized out>) at /usr/src/debug/qemu-1.5.3/hw/scsi/virtio-scsi.c:451 #8 0x000055555577f9ae in virtio_reset (opaque=0x555556741e08) at /usr/src/debug/qemu-1.5.3/hw/virtio/virtio.c:543 #9 0x00005555556b4166 in virtio_bus_reset (bus=bus@entry=0x555556741d98) at hw/virtio/virtio-bus.c:63 #10 0x00005555556b63d1 in virtio_pci_reset (qdev=<optimized out>) at hw/virtio/virtio-pci.c:1014 #11 0x000055555563d839 in qdev_reset_one (dev=dev@entry=0x555556741610, opaque=opaque@entry=0x0) at hw/core/qdev.c:227 #12 0x000055555563cf30 in qdev_walk_children (dev=dev@entry=0x555556741610, devfn=devfn@entry=0x55555563d820 <qdev_reset_one>, busfn=busfn@entry=0x55555563b820 <qbus_reset_one>, opaque=opaque@entry=0x0) at hw/core/qdev.c:376 #13 0x000055555563cfcd in qdev_reset_all (dev=dev@entry=0x555556741610) at hw/core/qdev.c:243 #14 0x000055555567eafd in pci_device_reset (dev=0x555556741610) at hw/pci/pci.c:180 #15 0x000055555567ecb2 in pci_bus_reset (bus=0x55555666e750) at hw/pci/pci.c:226 #16 0x000055555567ecf9 in pcibus_reset (qbus=<optimized out>) at hw/pci/pci.c:233 #17 0x000055555563d010 in qbus_walk_children (bus=bus@entry=0x55555666e750, devfn=devfn@entry=0x55555563d820 <qdev_reset_one>, busfn=busfn@entry=0x55555563b820 <qbus_reset_one>, opaque=opaque@entry=0x0) at hw/core/qdev.c:353 #18 0x000055555563cf5a in qdev_walk_children (dev=<optimized out>, ---Type <return> to continue, or q <return> to quit--- devfn=devfn@entry=0x55555563d820 <qdev_reset_one>, busfn=busfn@entry=0x55555563b820 <qbus_reset_one>, opaque=opaque@entry=0x0) at hw/core/qdev.c:383 #19 0x000055555563d03a in qbus_walk_children (bus=<optimized out>, devfn=0x55555563d820 <qdev_reset_one>, busfn=0x55555563b820 <qbus_reset_one>, opaque=0x0) at hw/core/qdev.c:360 #20 0x000055555572b89d in qemu_devices_reset () 
at vl.c:1809 #21 qemu_system_reset (report=report@entry=true) at vl.c:1818 #22 0x00005555555c3f84 in main_loop_should_exit () at vl.c:1952 #23 main_loop () at vl.c:1990 #24 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4379 (gdb) Expected results: qemu-kvm works well Additional info: