Bug 1042665

Summary:	Qemu segmentation fault (core dumped) if repeat hotplug/unplug virtio-scsi/virtio-blk disk in turns
Product:	Red Hat Enterprise Linux 7	Reporter:	Sibiao Luo <sluo>
Component:	qemu-kvm	Assignee:	Amos Kong <akong>
Status:	CLOSED DUPLICATE	QA Contact:	Virtualization Bugs <virt-bugs>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	7.0	CC:	acathrow, ailan, akong, chayang, hhuang, juzhang, michen, pbonzini, qzhang, virt-maint, xfu
Target Milestone:	rc
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2014-01-15 03:20:23 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:

Description Sibiao Luo 2013-12-13 02:43:50 UTC

Description of problem:
boot up a guest normally and repeatly hotplug/unplug virtio-scsi/virtio-blk disk in turns, qemu will segmentation fault (core dumped).

Version-Release number of selected component (if applicable):
host info:
3.10.0-60.el7.x86_64
qemu-kvm-rhev-1.5.3-21.el7.x86_64
seabios-1.7.2.2-4.el7.x86_64
guest info:
3.10.0-60.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1.boot up a guest with a virti-scsi data disk normally.
# /usr/libexec/qemu-kvm -M pc -cpu SandyBridge -enable-kvm -m 2048 -smp 4,sockets=2,cores=2,threads=1 -no-kvm-pit-reinjection -usb -device usb-tablet,id=input0 -name sluo -uuid 990ea161-6b67-47b2-b803-19fb01d30d30 -rtc base=localtime,clock=host,driftfix=slew -device virtio-serial-pci,id=virtio-serial0,max_ports=16,vectors=0,bus=pci.0,addr=0x3 -chardev socket,id=channel1,path=/tmp/helloworld1,server,nowait -device virtserialport,chardev=channel1,name=com.redhat.rhevm.vdsm,bus=virtio-serial0.0,id=port1 -chardev socket,id=channel2,path=/tmp/helloworld2,server,nowait -device virtserialport,chardev=channel2,name=com.redhat.rhevm.vdsm,bus=virtio-serial0.0,id=port2 -drive file=iscsi://10.66.90.100:3260/iqn.2001-05.com.equallogic:0-8a0906-4c41f7d03-453f49b421052a57-s2-sluo-270305-1/0,if=none,id=drive-system-disk,cache=none,format=raw,aio=native,werror=stop,rerror=stop,discard=on -iscsi id=iqn0 -device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x4,num_queues=4 -device scsi-block,drive=drive-system-disk,bus=scsi0.0,id=libiscsi-system-disk,bootindex=1 -netdev tap,id=hostnet0,vhost=on,script=/etc/qemu-ifup -device rtl8139,netdev=hostnet0,id=rtl8139-net-pci0,mac=00:01:02:B6:40:21,bus=pci.0,addr=0x5 -device virtio-balloon-pci,id=ballooning,bus=pci.0,addr=0x6 -global PIIX4_PM.disable_s3=0 -global PIIX4_PM.disable_s4=0 -drive file=iscsi://10.66.90.100:3260/iqn.2001-05.com.equallogic:0-8a0906-4fb1f7d03-455f49b421252a57-s2-sluo-270305-2/0,if=none,id=drive-data-disk,cache=none,format=raw,aio=native,werror=stop,rerror=stop,discard=on -iscsi id=iqn1 -device virtio-scsi-pci,id=scsi1,bus=pci.0,addr=0x7,num_queues=4 -device scsi-hd,drive=drive-data-disk,bus=scsi1.0,id=libiscsi-data-disk -k en-us -boot menu=on -qmp tcp:0:4444,server,nowait -serial unix:/tmp/ttyS0,server,nowait -vnc :1 -spice disable-ticketing,port=5931 -monitor unix:/tmp/monitor2,server,nowait
2.repeatly hotplug/unplug virtio-scsi/virtio-blk disk in turns.
# cat repeat_hot_pluging.sh
while true
do
    echo "device_del libiscsi-data-disk" | nc -U /tmp/monitor2
    sleep 1
    echo "device_del scsi1" | nc -U /tmp/monitor2
    sleep 1
    echo "drive_add pci_addr=auto file=/home/my-data-disk.qcow2,if=none,id=drive-data-disk,cache=none,format=qcow2,aio=native" | nc -U /tmp/monitor2
    sleep 1
    echo "device_add virtio-blk-pci,drive=drive-data-disk,id=data-disk,bus=pci.0,addr=0x7" | nc -U /tmp/monitor2
    sleep 1
    echo "device_del data-disk" | nc -U /tmp/monitor2
    sleep 1
    echo "drive_add pci_addr=auto file=iscsi://10.66.90.100:3260/iqn.2001-05.com.equallogic:0-8a0906-4fb1f7d03-455f49b421252a57-s2-sluo-270305-2/0,if=none,id=drive-data-disk,cache=none,format=raw,aio=native" | nc -U /tmp/monitor2
    sleep 2
    echo "device_add virtio-scsi-pci,id=scsi1,bus=pci.0,addr=0x7,num_queues=4" | nc -U /tmp/monitor2
    sleep 1
    echo "device_add scsi-hd,drive=drive-data-disk,bus=scsi1.0,id=libiscsi-data-disk" | nc -U /tmp/monitor2
    sleep 1
done

Actual results:
after step 2, qemu will segmentation fault (core dumped), I will paste the core dumped log later.

Expected results:
It should no any core dumped.

Additional info:

Comment 1 Sibiao Luo 2013-12-13 02:44:35 UTC

Core was generated by `/usr/libexec/qemu-kvm -M pc -cpu SandyBridge -enable-kvm -m 2048 -smp 4,sockets'.
Program terminated with signal 11, Segmentation fault.
#0  bdrv_getlength (bs=0x0) at block.c:2884
2884	    BlockDriver *drv = bs->drv;
(gdb) bt
#0  bdrv_getlength (bs=0x0) at block.c:2884
#1  0x00007f0473433ccd in bdrv_get_geometry (bs=<optimized out>, nb_sectors_ptr=nb_sectors_ptr@entry=0x7f0466670990)
    at block.c:2901
#2  0x00007f04734e3f66 in scsi_disk_reset (dev=0x7f04765317b0) at hw/scsi/scsi-disk.c:1982
#3  0x00007f0473498799 in qdev_reset_one (dev=dev@entry=0x7f04765317b0, opaque=opaque@entry=0x0) at hw/core/qdev.c:227
#4  0x00007f0473497e90 in qdev_walk_children (dev=0x7f04765317b0, devfn=devfn@entry=0x7f0473498780 <qdev_reset_one>, 
    busfn=busfn@entry=0x7f0473496780 <qbus_reset_one>, opaque=opaque@entry=0x0) at hw/core/qdev.c:376
#5  0x00007f0473497f9a in qbus_walk_children (bus=bus@entry=0x7f04769db3d0, 
    devfn=devfn@entry=0x7f0473498780 <qdev_reset_one>, busfn=busfn@entry=0x7f0473496780 <qbus_reset_one>, 
    opaque=opaque@entry=0x0) at hw/core/qdev.c:360
#6  0x00007f047349800d in qbus_reset_all (bus=bus@entry=0x7f04769db3d0) at hw/core/qdev.c:248
#7  0x00007f04735d5783 in virtio_scsi_reset (vdev=<optimized out>) at /usr/src/debug/qemu-1.5.3/hw/scsi/virtio-scsi.c:451
#8  0x00007f04735dd34e in virtio_reset (opaque=0x7f04769db2b8) at /usr/src/debug/qemu-1.5.3/hw/virtio/virtio.c:543
#9  0x00007f047350ea40 in virtio_ioport_write (val=0, addr=<optimized out>, opaque=0x7f04769daac0)
    at hw/virtio/virtio-pci.c:307
#10 virtio_pci_config_write (opaque=0x7f04769daac0, addr=<optimized out>, val=0, size=<optimized out>)
    at hw/virtio/virtio-pci.c:422
#11 0x00007f04735e3a62 in access_with_adjusted_size (addr=addr@entry=18, value=value@entry=0x7f0466670b58, size=1, 
    access_size_min=<optimized out>, access_size_max=<optimized out>, 
    access=access@entry=0x7f04735e4020 <memory_region_write_accessor>, opaque=opaque@entry=0x7f04769db170)
    at /usr/src/debug/qemu-1.5.3/memory.c:364
#12 0x00007f04735e4f37 in memory_region_iorange_write (iorange=<optimized out>, offset=18, width=1, data=0)
    at /usr/src/debug/qemu-1.5.3/memory.c:439
#13 0x00007f04735e2602 in kvm_handle_io (count=1, size=1, direction=1, data=<optimized out>, port=4114)
    at /usr/src/debug/qemu-1.5.3/kvm-all.c:1497
#14 kvm_cpu_exec (env=env@entry=0x7f0474b9d2b0) at /usr/src/debug/qemu-1.5.3/kvm-all.c:1649
#15 0x00007f047358dad5 in qemu_kvm_cpu_thread_fn (arg=0x7f0474b9d2b0) at /usr/src/debug/qemu-1.5.3/cpus.c:793
#16 0x00007f04713c7de3 in start_thread () from /lib64/libpthread.so.0
#17 0x00007f046e50e26d in clone () from /lib64/libc.so.6
(gdb) 
(gdb) bt full
#0  bdrv_getlength (bs=0x0) at block.c:2884
        drv = <optimized out>
#1  0x00007f0473433ccd in bdrv_get_geometry (bs=<optimized out>, nb_sectors_ptr=nb_sectors_ptr@entry=0x7f0466670990)
    at block.c:2901
        length = <optimized out>
#2  0x00007f04734e3f66 in scsi_disk_reset (dev=0x7f04765317b0) at hw/scsi/scsi-disk.c:1982
        s = 0x7f04765317b0
        nb_sectors = 139657180933576
#3  0x00007f0473498799 in qdev_reset_one (dev=dev@entry=0x7f04765317b0, opaque=opaque@entry=0x0) at hw/core/qdev.c:227
No locals.
#4  0x00007f0473497e90 in qdev_walk_children (dev=0x7f04765317b0, devfn=devfn@entry=0x7f0473498780 <qdev_reset_one>, 
    busfn=busfn@entry=0x7f0473496780 <qbus_reset_one>, opaque=opaque@entry=0x0) at hw/core/qdev.c:376
        bus = <optimized out>
        err = <optimized out>
#5  0x00007f0473497f9a in qbus_walk_children (bus=bus@entry=0x7f04769db3d0, 
    devfn=devfn@entry=0x7f0473498780 <qdev_reset_one>, busfn=busfn@entry=0x7f0473496780 <qbus_reset_one>, 
    opaque=opaque@entry=0x0) at hw/core/qdev.c:360
        kid = 0x7f047650e0d0
        err = <optimized out>
#6  0x00007f047349800d in qbus_reset_all (bus=bus@entry=0x7f04769db3d0) at hw/core/qdev.c:248
No locals.
#7  0x00007f04735d5783 in virtio_scsi_reset (vdev=<optimized out>) at /usr/src/debug/qemu-1.5.3/hw/scsi/virtio-scsi.c:451
        s = 0x7f04769db2b8
        __func__ = "virtio_scsi_reset"
        vs = 0x7f04769db2b8
#8  0x00007f04735dd34e in virtio_reset (opaque=0x7f04769db2b8) at /usr/src/debug/qemu-1.5.3/hw/virtio/virtio.c:543
        vdev = 0x7f04769db2b8
        k = 0x7f0474c4c460
        __func__ = "virtio_reset"
        i = <optimized out>
#9  0x00007f047350ea40 in virtio_ioport_write (val=0, addr=<optimized out>, opaque=0x7f04769daac0)
    at hw/virtio/virtio-pci.c:307
        proxy = 0x7f04769daac0
        vdev = 0x7f04769db2b8
        pa = <optimized out>
#10 virtio_pci_config_write (opaque=0x7f04769daac0, addr=<optimized out>, val=0, size=<optimized out>)
    at hw/virtio/virtio-pci.c:422
        proxy = 0x7f04769daac0
#11 0x00007f04735e3a62 in access_with_adjusted_size (addr=addr@entry=18, value=value@entry=0x7f0466670b58, size=1, 
    access_size_min=<optimized out>, access_size_max=<optimized out>, 
    access=access@entry=0x7f04735e4020 <memory_region_write_accessor>, opaque=opaque@entry=0x7f04769db170)
    at /usr/src/debug/qemu-1.5.3/memory.c:364
        access_mask = 255
        access_size = 1
        i = <optimized out>
#12 0x00007f04735e4f37 in memory_region_iorange_write (iorange=<optimized out>, offset=18, width=1, data=0)
    at /usr/src/debug/qemu-1.5.3/memory.c:439
        mrio = <optimized out>
        mr = 0x7f04769db170
        __PRETTY_FUNCTION__ = "memory_region_iorange_write"
#13 0x00007f04735e2602 in kvm_handle_io (count=1, size=1, direction=1, data=<optimized out>, port=4114)
    at /usr/src/debug/qemu-1.5.3/kvm-all.c:1497
        i = 0
        ptr = 0x7f0473365000 <Address 0x7f0473365000 out of bounds>
#14 kvm_cpu_exec (env=env@entry=0x7f0474b9d2b0) at /usr/src/debug/qemu-1.5.3/kvm-all.c:1649
        cpu = 0x7f0474b9d1a0
        __func__ = "kvm_cpu_exec"
        run = 0x7f0473364000
        ret = <optimized out>
        run_ret = <optimized out>
#15 0x00007f047358dad5 in qemu_kvm_cpu_thread_fn (arg=0x7f0474b9d2b0) at /usr/src/debug/qemu-1.5.3/cpus.c:793
        cpu = 0x7f0474b9d1a0
        __func__ = "qemu_kvm_cpu_thread_fn"
        r = <optimized out>
#16 0x00007f04713c7de3 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#17 0x00007f046e50e26d in clone () from /lib64/libc.so.6
No symbol table info available.
(gdb)

Comment 2 Amos Kong 2014-01-14 02:32:22 UTC

If you can provide the script error next time, it's appreciated.

You should use an unique "id" when you execute monitor command, so it's actually not repeated hotplug. I always use a increased number as the suffix of id.

It seems a same issue as bug 1046248.

Comment 4 Sibiao Luo 2014-01-15 03:15:59 UTC

Hi akong,
   
   I tried your private build which did not meet this issue any more, thanks for your helps.

host info:
# uname -r && rpm -q qemu-kvm
3.10.0-66.el7.x86_64.debug
qemu-kvm-1.5.3-32.el7.qdev.x86_64
guest info:
# uname -r
3.10.0-66.el7.x86_64.debug

Best Regards,
sluo

Comment 5 Amos Kong 2014-01-15 03:20:23 UTC


*** This bug has been marked as a duplicate of bug 1046248 ***