Bug 1049734
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | PCI: QEMU crash on illegal operation: attaching a function to a non multi-function device | | |
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Sibiao Luo <sluo> |
| Component: | qemu-kvm | Assignee: | Marcel Apfelbaum <marcel> |
| Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 7.0 | CC: | armbru, chayang, hhuang, huding, juzhang, knoel, marcel, michen, pbonzini, qzhang, rbalakri, sluo, virt-maint, xfu |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | qemu-kvm-1.5.3-78.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-03-05 08:03:29 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Sibiao Luo
2014-01-08 06:04:14 UTC
Core was generated by `/usr/libexec/qemu-kvm -M pc -S -cpu SandyBridge -enable-kvm -m 4096 -smp 4,sock'.
Program terminated with signal 11, Segmentation fault.
#0 memory_region_update_coalesced_range_as (mr=mr@entry=0x7f997fa5dc10, as=as@entry=0x7f997fc21260)
at /usr/src/debug/qemu-1.5.3/memory.c:1161
1161 FOR_EACH_FLAT_RANGE(fr, as->current_map) {
(gdb) bt
#0 memory_region_update_coalesced_range_as (mr=mr@entry=0x7f997fa5dc10, as=as@entry=0x7f997fc21260)
at /usr/src/debug/qemu-1.5.3/memory.c:1161
#1 0x00007f997b116c0b in memory_region_update_coalesced_range (mr=0x7f997fa5dc10)
at /usr/src/debug/qemu-1.5.3/memory.c:1193
#2 memory_region_clear_coalescing (mr=mr@entry=0x7f997fa5dc10) at /usr/src/debug/qemu-1.5.3/memory.c:1227
#3 0x00007f997b116c64 in memory_region_destroy (mr=0x7f997fa5dc10) at /usr/src/debug/qemu-1.5.3/memory.c:1026
#4 0x00007f997b0c109d in destroy_page_desc (section_index=<optimized out>) at /usr/src/debug/qemu-1.5.3/exec.c:702
#5 destroy_l2_mapping (lp=0x7f997e242e84, level=level@entry=0) at /usr/src/debug/qemu-1.5.3/exec.c:721
#6 0x00007f997b0c1058 in destroy_l2_mapping (lp=0x7f997e241e90, level=level@entry=1)
at /usr/src/debug/qemu-1.5.3/exec.c:719
#7 0x00007f997b0c1058 in destroy_l2_mapping (lp=0x7f997e241690, level=level@entry=2)
at /usr/src/debug/qemu-1.5.3/exec.c:719
#8 0x00007f997b0c1058 in destroy_l2_mapping (lp=lp@entry=0x7f997d73aeb0, level=level@entry=3)
at /usr/src/debug/qemu-1.5.3/exec.c:719
#9 0x00007f997b0c1106 in destroy_all_mappings (d=<optimized out>) at /usr/src/debug/qemu-1.5.3/exec.c:730
#10 mem_begin (listener=0x7f997d73aeb8) at /usr/src/debug/qemu-1.5.3/exec.c:1750
#11 0x00007f997b1154b0 in memory_region_transaction_commit () at /usr/src/debug/qemu-1.5.3/memory.c:747
#12 0x00007f997b002100 in do_pci_register_device (devfn=26, name=0x7f997d71a5e0 "virtio-blk-pci", bus=0x7f997d795a30,
pci_dev=0x7f997fc21040) at hw/pci/pci.c:819
#13 pci_qdev_init (qdev=0x7f997fc21040) at hw/pci/pci.c:1709
#14 0x00007f997afbda84 in device_realize (dev=0x7f997fc21040, err=0x7fffa55fe580) at hw/core/qdev.c:178
#15 0x00007f997afbefab in device_set_realized (obj=0x7f997fc21040, value=<optimized out>, err=0x7fffa55fe690)
at hw/core/qdev.c:693
#16 0x00007f997b080c9e in property_set_bool (obj=0x7f997fc21040, v=<optimized out>, opaque=0x7f997e9c25d0,
name=<optimized out>, errp=0x7fffa55fe690) at qom/object.c:1302
#17 0x00007f997b083857 in object_property_set_qobject (obj=0x7f997fc21040, value=<optimized out>,
name=0x7f997b1f885a "realized", errp=0x7fffa55fe690) at qom/qom-qobject.c:24
#18 0x00007f997b082660 in object_property_set_bool (obj=obj@entry=0x7f997fc21040, value=value@entry=true,
name=name@entry=0x7f997b1f885a "realized", errp=errp@entry=0x7fffa55fe690) at qom/object.c:853
#19 0x00007f997afbdf9a in qdev_init (dev=dev@entry=0x7f997fc21040) at hw/core/qdev.c:163
#20 0x00007f997b06da9b in qdev_device_add (opts=opts@entry=0x7f9983a1c100) at qdev-monitor.c:538
#21 0x00007f997b06debd in do_device_add (mon=<optimized out>, qdict=<optimized out>, ret_data=<optimized out>)
at qdev-monitor.c:651
#22 0x00007f997b120490 in handle_user_command (mon=mon@entry=0x7f997d73ba80, cmdline=<optimized out>)
at /usr/src/debug/qemu-1.5.3/monitor.c:4001
#23 0x00007f997b12089b in monitor_command_cb (mon=0x7f997d73ba80, cmdline=<optimized out>, opaque=<optimized out>)
at /usr/src/debug/qemu-1.5.3/monitor.c:4624
#24 0x00007f997b084210 in readline_handle_byte (rs=0x7f997d766230, ch=<optimized out>) at readline.c:374
#25 0x00007f997b120804 in monitor_read (opaque=<optimized out>, buf=<optimized out>, size=<optimized out>)
at /usr/src/debug/qemu-1.5.3/monitor.c:4610
#26 0x00007f997b071aa1 in qemu_chr_be_write (len=<optimized out>, buf=0x7fffa55fe970 "\n\b", s=0x7f997d72d930)
at qemu-char.c:167
#27 tcp_chr_read (chan=<optimized out>, cond=<optimized out>, opaque=0x7f997d72d930) at qemu-char.c:2491
#28 0x00007f997a37fe06 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#29 0x00007f997b03e67a in glib_pollfds_poll () at main-loop.c:187
#30 os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:232
#31 main_loop_wait (nonblocking=<optimized out>) at main-loop.c:464
#32 0x00007f997af42ae0 in main_loop () at vl.c:1984
#33 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4343
(gdb)
(gdb) bt full
#0 memory_region_update_coalesced_range_as (mr=mr@entry=0x7f997fa5dc10, as=as@entry=0x7f997fc21260)
at /usr/src/debug/qemu-1.5.3/memory.c:1161
fr = <optimized out>
cmr = <optimized out>
tmp = <optimized out>
section = {mr = 0x33, address_space = 0x7fffa55fe328, offset_within_region = 206158430248,
size = 140735967913296, offset_within_address_space = 140735967913104, readonly = 13}
#1 0x00007f997b116c0b in memory_region_update_coalesced_range (mr=0x7f997fa5dc10)
at /usr/src/debug/qemu-1.5.3/memory.c:1193
as = 0x7f997fc21260
#2 memory_region_clear_coalescing (mr=mr@entry=0x7f997fa5dc10) at /usr/src/debug/qemu-1.5.3/memory.c:1227
cmr = <optimized out>
#3 0x00007f997b116c64 in memory_region_destroy (mr=0x7f997fa5dc10) at /usr/src/debug/qemu-1.5.3/memory.c:1026
__PRETTY_FUNCTION__ = "memory_region_destroy"
#4 0x00007f997b0c109d in destroy_page_desc (section_index=<optimized out>) at /usr/src/debug/qemu-1.5.3/exec.c:702
subpage = 0x7f997fa5dc10
section = <optimized out>
mr = 0x7f997fa5dc10
#5 destroy_l2_mapping (lp=0x7f997e242e84, level=level@entry=0) at /usr/src/debug/qemu-1.5.3/exec.c:721
i = <optimized out>
p = 0x7f997e243690
#6 0x00007f997b0c1058 in destroy_l2_mapping (lp=0x7f997e241e90, level=level@entry=1)
at /usr/src/debug/qemu-1.5.3/exec.c:719
i = <optimized out>
p = 0x7f997e242690
#7 0x00007f997b0c1058 in destroy_l2_mapping (lp=0x7f997e241690, level=level@entry=2)
at /usr/src/debug/qemu-1.5.3/exec.c:719
i = <optimized out>
p = 0x7f997e241e90
#8 0x00007f997b0c1058 in destroy_l2_mapping (lp=lp@entry=0x7f997d73aeb0, level=level@entry=3)
at /usr/src/debug/qemu-1.5.3/exec.c:719
i = <optimized out>
p = 0x7f997e241690
#9 0x00007f997b0c1106 in destroy_all_mappings (d=<optimized out>) at /usr/src/debug/qemu-1.5.3/exec.c:730
No locals.
#10 mem_begin (listener=0x7f997d73aeb8) at /usr/src/debug/qemu-1.5.3/exec.c:1750
No locals.
#11 0x00007f997b1154b0 in memory_region_transaction_commit () at /usr/src/debug/qemu-1.5.3/memory.c:747
_listener = 0x7f997d73aeb8
as = <optimized out>
#12 0x00007f997b002100 in do_pci_register_device (devfn=26, name=0x7f997d71a5e0 "virtio-blk-pci", bus=0x7f997d795a30,
pci_dev=0x7f997fc21040) at hw/pci/pci.c:819
config_read = 0x0
config_write = 0x0
pc = 0x7f997d8281f0
#13 pci_qdev_init (qdev=0x7f997fc21040) at hw/pci/pci.c:1709
pci_dev = 0x7f997fc21040
pc = 0x7f997d8281f0
__func__ = "pci_qdev_init"
bus = 0x7f997d795a30
rc = <optimized out>
is_default_rom = <optimized out>
__PRETTY_FUNCTION__ = "pci_qdev_init"
#14 0x00007f997afbda84 in device_realize (dev=0x7f997fc21040, err=0x7fffa55fe580) at hw/core/qdev.c:178
rc = <optimized out>
dc = <optimized out>
#15 0x00007f997afbefab in device_set_realized (obj=0x7f997fc21040, value=<optimized out>, err=0x7fffa55fe690)
at hw/core/qdev.c:693
dev = 0x7f997fc21040
__func__ = "device_set_realized"
dc = 0x7f997d8281f0
local_err = 0x0
#16 0x00007f997b080c9e in property_set_bool (obj=0x7f997fc21040, v=<optimized out>, opaque=0x7f997e9c25d0,
name=<optimized out>, errp=0x7fffa55fe690) at qom/object.c:1302
prop = 0x7f997e9c25d0
value = true
local_err = 0x0
#17 0x00007f997b083857 in object_property_set_qobject (obj=0x7f997fc21040, value=<optimized out>,
name=0x7f997b1f885a "realized", errp=0x7fffa55fe690) at qom/qom-qobject.c:24
mi = 0x7f997fd03a10
#18 0x00007f997b082660 in object_property_set_bool (obj=obj@entry=0x7f997fc21040, value=value@entry=true,
name=name@entry=0x7f997b1f885a "realized", errp=errp@entry=0x7fffa55fe690) at qom/object.c:853
qbool = 0x7f997fdeac10
#19 0x00007f997afbdf9a in qdev_init (dev=dev@entry=0x7f997fc21040) at hw/core/qdev.c:163
local_err = 0x0
__PRETTY_FUNCTION__ = "qdev_init"
#20 0x00007f997b06da9b in qdev_device_add (opts=opts@entry=0x7f9983a1c100) at qdev-monitor.c:538
obj = <optimized out>
k = 0x7f997d8281f0
driver = 0x7f9983a7c970 "virtio-blk-pci"
path = 0x0
id = <optimized out>
qdev = 0x7f997fc21040
bus = <optimized out>
__func__ = "qdev_device_add"
#21 0x00007f997b06debd in do_device_add (mon=<optimized out>, qdict=<optimized out>, ret_data=<optimized out>)
at qdev-monitor.c:651
local_err = 0x0
opts = 0x7f9983a1c100
dev = <optimized out>
#22 0x00007f997b120490 in handle_user_command (mon=mon@entry=0x7f997d73ba80, cmdline=<optimized out>)
at /usr/src/debug/qemu-1.5.3/monitor.c:4001
data = 0x0
qdict = 0x7f997fa267a0
cmd = 0x7f997b5d2560 <mon_cmds+1728>
__PRETTY_FUNCTION__ = "handle_user_command"
#23 0x00007f997b12089b in monitor_command_cb (mon=0x7f997d73ba80, cmdline=<optimized out>, opaque=<optimized out>)
at /usr/src/debug/qemu-1.5.3/monitor.c:4624
No locals.
#24 0x00007f997b084210 in readline_handle_byte (rs=0x7f997d766230, ch=<optimized out>) at readline.c:374
No locals.
#25 0x00007f997b120804 in monitor_read (opaque=<optimized out>, buf=<optimized out>, size=<optimized out>)
at /usr/src/debug/qemu-1.5.3/monitor.c:4610
old_mon = 0x0
i = <optimized out>
#26 0x00007f997b071aa1 in qemu_chr_be_write (len=<optimized out>, buf=0x7fffa55fe970 "\n\b", s=0x7f997d72d930)
at qemu-char.c:167
No locals.
#27 tcp_chr_read (chan=<optimized out>, cond=<optimized out>, opaque=0x7f997d72d930) at qemu-char.c:2491
chr = 0x7f997d72d930
s = 0x7f997d72da80
buf = "\n\b\000\000n\001\000\000 \000\000\000\000\000\000\000\004\000\000\000\000\000\000\000\227\000\000\000\200\000\000\000\257\351_\245\377\177\000\000~\000\000\000\000\000\000\000\300\351_\245\377\177\000\000\321\063\371z\231\177\000\000\000\001\000\000\000\000\000\000`\327\354u\231\177\000\000\000\001\000\000\000\000\000\000\000;\375\004\000\000\000\000 \000\000\000\000\000\000\000`\327\354u\231\177\000\000\000\000\020\000\000\000\000\000\000;\375\004\000\000\000\000 \000\000\000\000\000\000\000\240w\251\203\231\177\000\000\030\000\000\000\231\177\000\000`\352_\245\377\177\000\000 \352_\245\377\177\000\000\000\000\020\000\000\000\000\000p\206u}\231\177\000\000\255>\v{\231\177\000\000\231\177\000\000\000\000\000\000\000"...
len = <optimized out>
size = <optimized out>
#28 0x00007f997a37fe06 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
No symbol table info available.
#29 0x00007f997b03e67a in glib_pollfds_poll () at main-loop.c:187
context = 0x7f997d72bf40
pfds = <optimized out>
#30 os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:232
ret = 2
spin_counter = 0
#31 main_loop_wait (nonblocking=<optimized out>) at main-loop.c:464
ret = 2
timeout = 4294967295
#32 0x00007f997af42ae0 in main_loop () at vl.c:1984
nonblocking = <optimized out>
last_io = 2
#33 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4343
i = <optimized out>
snapshot = 0
linux_boot = 0
icount_option = 0x0
initrd_filename = 0x0
kernel_filename = 0x0
kernel_cmdline = 0x7f997b23d6e0 ""
boot_order = 0x7f997b1f59c6 "cad"
ds = <optimized out>
cyls = 0
heads = 0
secs = 0
translation = 0
hda_opts = <optimized out>
opts = 0x7f997d72acd0
machine_opts = <optimized out>
olist = <optimized out>
optind = 69
optarg = 0x7fffa56017d7 "unix:/tmp/monitor2,server,nowait"
loadvm = 0x0
machine = 0x7f997b5d04a0 <pc_machine_rhel700>
cpu_model = 0x7fffa5601124 "SandyBridge"
vga_model = 0x7f997b22041f "cirrus"
pid_file = 0x0
incoming = 0x0
show_vnc_port = 0
defconfig = <optimized out>
userconfig = 36
log_mask = <optimized out>
log_file = 0x0
mem_trace = {malloc = 0x7f997b0b3e90 <malloc_and_trace>, realloc = 0x7f997b0b3e50 <realloc_and_trace>,
free = 0x7f997b0b3e10 <free_and_trace>, calloc = 0x0, try_malloc = 0x0, try_realloc = 0x0}
trace_events = 0x0
trace_file = 0x0
__PRETTY_FUNCTION__ = "main"
args = {machine = 0x7f997b5d04a0 <pc_machine_rhel700>, ram_size = 4294967296,
boot_device = 0x7f997b1f59c6 "cad", kernel_filename = 0x0, kernel_cmdline = 0x7f997b23d6e0 "",
initrd_filename = 0x0, cpu_model = 0x7fffa5601124 "SandyBridge"}
(gdb)
Possibly related: bug 1003535 (thanks Marcel!)

Please retest with a build that includes the fix for that bug. It hasn't been committed, yet. You can grab the fix's test build from brew task 6834194 if you don't want to wait for the fix to land.

(In reply to Markus Armbruster from comment #2)
> Possibly related: bug 1003535 (thanks Marcel!)
>
> Please retest with a build that includes the fix for that bug. It hasn't
> been committed, yet. You can grab the fix's test build from brew task
> 6834194 if you don't want to wait for the fix to land.

It's a little pity, the taskID=6834197 build was closed. Could you help provide it and I will try it, thanks.

(In reply to Markus Armbruster from comment #4)
> Please try http://brewweb.devel.redhat.com/brew/taskinfo?taskID=6890149

Tried your build that still hit the same issue with the same testing as comment #0.

host info:
3.10.0-66.el7.x86_64.debug
qemu-kvm-1.5.3-35.el7.bz1049734.armbru1.x86_64
seabios-1.7.2.2-7.el7.x86_64
guest info:
3.10.0-66.el7.x86_64.debug

Core was generated by `/usr/libexec/qemu-kvm -M pc -S -cpu SandyBridge -enable-kvm -m 4096 -smp 4,sock'.
Program terminated with signal 11, Segmentation fault.
#0 memory_region_update_coalesced_range_as (mr=mr@entry=0x7f19c73daa20, as=as@entry=0x7f19c1c55620) at /usr/src/debug/qemu-1.5.3/memory.c:1161
1161 FOR_EACH_FLAT_RANGE(fr, as->current_map) {
(gdb) bt
#0 memory_region_update_coalesced_range_as (mr=mr@entry=0x7f19c73daa20, as=as@entry=0x7f19c1c55620) at /usr/src/debug/qemu-1.5.3/memory.c:1161
#1 0x00007f19be5d793b in memory_region_update_coalesced_range (mr=0x7f19c73daa20) at /usr/src/debug/qemu-1.5.3/memory.c:1193
#2 memory_region_clear_coalescing (mr=mr@entry=0x7f19c73daa20) at /usr/src/debug/qemu-1.5.3/memory.c:1227
#3 0x00007f19be5d7994 in memory_region_destroy (mr=0x7f19c73daa20) at /usr/src/debug/qemu-1.5.3/memory.c:1026
#4 0x00007f19be58236e in destroy_page_desc (map=0x7f19c0a66d78, section_index=<optimized out>) at /usr/src/debug/qemu-1.5.3/exec.c:717
#5 destroy_l2_mapping (map=map@entry=0x7f19c0a66d78, lp=0x7f19c0b0a2e4, level=level@entry=0) at /usr/src/debug/qemu-1.5.3/exec.c:737
#6 0x00007f19be58232b in destroy_l2_mapping (map=map@entry=0x7f19c0a66d78, lp=0x7f19c0b092f0, level=level@entry=1) at /usr/src/debug/qemu-1.5.3/exec.c:735
#7 0x00007f19be58232b in destroy_l2_mapping (map=map@entry=0x7f19c0a66d78, lp=0x7f19c0b08af0, level=level@entry=2) at /usr/src/debug/qemu-1.5.3/exec.c:735
#8 0x00007f19be58232b in destroy_l2_mapping (map=map@entry=0x7f19c0a66d78, lp=lp@entry=0x7f19c0a66d70, level=level@entry=3) at /usr/src/debug/qemu-1.5.3/exec.c:735
#9 0x00007f19be5823de in destroy_all_mappings (d=<optimized out>) at /usr/src/debug/qemu-1.5.3/exec.c:746
#10 mem_begin (listener=0x7f19c0a66da0) at /usr/src/debug/qemu-1.5.3/exec.c:1769
#11 0x00007f19be5d61e0 in memory_region_transaction_commit () at /usr/src/debug/qemu-1.5.3/memory.c:747
#12 0x00007f19be4c4400 in do_pci_register_device (devfn=26, name=0x7f19c0a465e0 "virtio-blk-pci", bus=0x7f19c0abfcc0, pci_dev=0x7f19c1c55400) at hw/pci/pci.c:819
#13 pci_qdev_init (qdev=0x7f19c1c55400) at hw/pci/pci.c:1709
#14 0x00007f19be47fd64 in device_realize (dev=0x7f19c1c55400, err=0x7fff1da0c4c0) at hw/core/qdev.c:178
#15 0x00007f19be48128b in device_set_realized (obj=0x7f19c1c55400, value=<optimized out>, err=0x7fff1da0c5d0) at hw/core/qdev.c:693
#16 0x00007f19be541a1e in property_set_bool (obj=0x7f19c1c55400, v=<optimized out>, opaque=0x7f19c2df9ae0, name=<optimized out>, errp=0x7fff1da0c5d0) at qom/object.c:1302
#17 0x00007f19be5445d7 in object_property_set_qobject (obj=0x7f19c1c55400, value=<optimized out>, name=0x7f19be6b9ada "realized", errp=0x7fff1da0c5d0) at qom/qom-qobject.c:24
#18 0x00007f19be5433e0 in object_property_set_bool (obj=obj@entry=0x7f19c1c55400, value=value@entry=true, name=name@entry=0x7f19be6b9ada "realized", errp=errp@entry=0x7fff1da0c5d0) at qom/object.c:853
#19 0x00007f19be48027a in qdev_init (dev=dev@entry=0x7f19c1c55400) at hw/core/qdev.c:163
#20 0x00007f19be52f8fb in qdev_device_add (opts=opts@entry=0x7f19c582c520) at qdev-monitor.c:538
#21 0x00007f19be52fd1d in do_device_add (mon=<optimized out>, qdict=<optimized out>, ret_data=<optimized out>) at qdev-monitor.c:651
#22 0x00007f19be5e11c0 in handle_user_command (mon=mon@entry=0x7f19c0a89f70, cmdline=<optimized out>) at /usr/src/debug/qemu-1.5.3/monitor.c:4001
#23 0x00007f19be5e15cb in monitor_command_cb (mon=0x7f19c0a89f70, cmdline=<optimized out>, opaque=<optimized out>) at /usr/src/debug/qemu-1.5.3/monitor.c:4624
#24 0x00007f19be544f90 in readline_handle_byte (rs=0x7f19c0a93290, ch=<optimized out>) at readline.c:374
#25 0x00007f19be5e1534 in monitor_read (opaque=<optimized out>, buf=<optimized out>, size=<optimized out>) at /usr/src/debug/qemu-1.5.3/monitor.c:4610
#26 0x00007f19be533901 in qemu_chr_be_write (len=<optimized out>, buf=0x7fff1da0c8b0 "\nČ \035\377\177", s=0x7f19c0a59950) at qemu-char.c:167
#27 tcp_chr_read (chan=<optimized out>, cond=<optimized out>, opaque=0x7f19c0a59950) at qemu-char.c:2491
#28 0x00007f19bd83fe06 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#29 0x00007f19be500e0a in glib_pollfds_poll () at main-loop.c:187
#30 os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:232
#31 main_loop_wait (nonblocking=<optimized out>) at main-loop.c:464
#32 0x00007f19be402ab0 in main_loop () at vl.c:1984
#33 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4343
(gdb)

Best Regards,
sluo

Can you please provide the output of lspci (it is a linux guest, I hope) before your script start running?
Thanks!
Marcel

(In reply to Marcel Apfelbaum from comment #6)
> Can you please provide the output of lspci (it is a linux guest, I hope)
> before
> your script start running?
>

guest ]# lspci
00:00.0 Host bridge: Intel Corporation 440FX - 82441FX PMC [Natoma] (rev 02)
00:01.0 ISA bridge: Intel Corporation 82371SB PIIX3 ISA [Natoma/Triton II]
00:01.1 IDE interface: Intel Corporation 82371SB PIIX3 IDE [Natoma/Triton II]
00:01.2 USB controller: Intel Corporation 82371SB PIIX3 USB [Natoma/Triton II] (rev 01)
00:01.3 Bridge: Intel Corporation 82371AB/EB/MB PIIX4 ACPI (rev 03)
00:02.0 VGA compatible controller: Cirrus Logic GD 5446
00:03.0 Communication controller: Red Hat, Inc Virtio console
00:04.0 SCSI storage controller: Red Hat, Inc Virtio block device
00:05.0 Ethernet controller: Red Hat, Inc Virtio network device
00:06.0 Unclassified device [00ff]: Red Hat, Inc Virtio memory balloon
00:07.0 SCSI storage controller: Red Hat, Inc Virtio SCSI

host ]# sh repeat_add.sh
Formatting '/tmp/resize31.qcow2', fmt=qcow2 size=1048576 encryption=off cluster_size=65536 lazy_refcounts=off
__com.redhat_drive_add id=drv31,file=/tmp/resize31.qcow2
QEMU 1.5.3 monitor - type 'help' for more information
(qemu) __com.redhat_drive_add id=drv31,file=/tmp/resize31.qcow2
(qemu) device_add virtio-blk-pci,id=dev31,drive=drv31,addr=0x3.1,multifunction=on
QEMU 1.5.3 monitor - type 'help' for more information
(qemu) device_add virtio-blk-pci,id=dev31,drive=drv31,addr=0x3.1,multifunction=on
PCI: single function device can't be populated in function 3.1
Device initialization failed.
Device 'virtio-blk-pci' could not be initialized
(qemu) Formatting '/tmp/resize32.qcow2', fmt=qcow2 size=1048576 encryption=off cluster_size=65536 lazy_refcounts=off
__com.redhat_drive_add id=drv32,file=/tmp/resize32.qcow2
QEMU 1.5.3 monitor - type 'help' for more information
(qemu) __com.redhat_drive_add id=drv32,file=/tmp/resize32.qcow2
(qemu) device_add virtio-blk-pci,id=dev32,drive=drv32,addr=0x3.2,multifunction=on
QEMU 1.5.3 monitor - type 'help' for more information
(qemu) device_add virtio-blk-pci,id=dev32,drive=drv32,addr=0x3.2,multifunction=on
Formatting '/tmp/resize33.qcow2', fmt=qcow2 size=1048576 encryption=off cluster_size=65536 lazy_refcounts=off
__com.redhat_drive_add id=drv33,file=/tmp/resize33.qcow2
Ncat: Connection refused.
device_add virtio-blk-pci,id=dev33,drive=drv33,addr=0x3.3,multifunction=on
Ncat: Connection refused.
Formatting '/tmp/resize34.qcow2', fmt=qcow2 size=1048576 encryption=off cluster_size=65536 lazy_refcounts=off
^C
QEMU 1.5.3 monitor - type 'help' for more information
(qemu) (/usr/libexec/qemu-kvm:13181): SpiceWorker-Warning **: red_worker.c:11464:dev_destroy_primary_surface: double destroy of primary surface
(/usr/libexec/qemu-kvm:13181): SpiceWorker-Warning **: red_worker.c:9650:red_create_surface: condition `surface->context.canvas' reached
(qemu) main_channel_link: add main channel client
main_channel_handle_parsed: net test: latency 120.224000 ms, bitrate 15515151515 bps (14796.401515 Mbps)
inputs_connect: inputs channel client create
red_dispatcher_set_cursor_peer:
(qemu) c
(qemu) Segmentation fault (core dumped)

Best Regards,
sluo

Simplified reproducer:
1. qemu-kvm -nodefaults -S -display none -monitor stdio -device virtio-serial-pci -drive if=none,id=drv0,file=tmp.qcow2
The contents of tmp.qcow2 don't matter.
2. Monitor command "info pci" shows:
Bus 0, device 0, function 0:
Host bridge: PCI device 8086:1237
id ""
Bus 0, device 1, function 0:
ISA bridge: PCI device 8086:7000
id ""
Bus 0, device 1, function 1:
IDE controller: PCI device 8086:7010
BAR4: I/O at 0xffffffffffffffff [0x000e].
id ""
Bus 0, device 1, function 3:
Bridge: PCI device 8086:7113
IRQ 0.
id ""
Bus 0, device 2, function 0:
Class 1920: PCI device 1af4:1003
IRQ 0.
BAR0: I/O at 0xffffffffffffffff [0x001e].
BAR1: 32 bit memory at 0xffffffffffffffff [0x00000ffe].
id ""
The mandatory chipset devices are in slot 0 and 1, as usual. The
virtio-serial-pci device is in slot 2. All other slots are unused.
3. Plug virtio-blk-pci into slot 2.1, and watch it fail:
(qemu) device_add virtio-blk-pci,drive=drv0,addr=0x2.1,multifunction=on
PCI: single function device can't be populated in function 2.1
Device initialization failed.
Device 'virtio-blk-pci' could not be initialized
4. Do it again, and watch it crash:
(qemu) device_add virtio-blk-pci,drive=drv0,addr=0x2.1,multifunction=on
Segmentation fault (core dumped)
Backtrace matches the one in comment#1:
#0 0x00005555557e5e14 in memory_region_update_coalesced_range_as (as=0x5555566e9840, mr=0x5555566f51a0) at /work/armbru/qemu-kvm-rhel7/memory.c:1156
#1 memory_region_update_coalesced_range (mr=mr@entry=0x5555566f51a0) at /work/armbru/qemu-kvm-rhel7/memory.c:1188
#2 0x00005555557e988d in memory_region_clear_coalescing (mr=mr@entry=0x5555566f51a0) at /work/armbru/qemu-kvm-rhel7/memory.c:1222
#3 0x00005555557e98d7 in memory_region_destroy (mr=0x5555566f51a0) at /work/armbru/qemu-kvm-rhel7/memory.c:1027
#4 0x00005555557911de in destroy_page_desc (map=0x5555565175c8, section_index=<optimized out>) at /work/armbru/qemu-kvm-rhel7/exec.c:719
#5 destroy_l2_mapping (map=map@entry=0x5555565175c8, lp=0x5555566b13f0, level=level@entry=0) at /work/armbru/qemu-kvm-rhel7/exec.c:739
#6 0x000055555579119b in destroy_l2_mapping (map=map@entry=0x5555565175c8, lp=0x5555566b0bf0, level=level@entry=1) at /work/armbru/qemu-kvm-rhel7/exec.c:737
#7 0x000055555579119b in destroy_l2_mapping (map=map@entry=0x5555565175c8, lp=0x5555566b03f0, level=level@entry=2) at /work/armbru/qemu-kvm-rhel7/exec.c:737
#8 0x000055555579119b in destroy_l2_mapping (map=map@entry=0x5555565175c8, lp=lp@entry=0x5555565175c0, level=level@entry=3) at /work/armbru/qemu-kvm-rhel7/exec.c:737
#9 0x000055555579124e in destroy_all_mappings (d=<optimized out>) at /work/armbru/qemu-kvm-rhel7/exec.c:748
#10 mem_begin (listener=0x5555565175e8) at /work/armbru/qemu-kvm-rhel7/exec.c:1776
#11 0x00005555557e7fa0 in memory_region_transaction_commit () at /work/armbru/qemu-kvm-rhel7/memory.c:748
#12 memory_region_transaction_commit () at /work/armbru/qemu-kvm-rhel7/memory.c:740
#13 0x00005555556cf64a in do_pci_register_device (devfn=17, name=0x5555565015e0 "virtio-blk-pci", bus=0x5555566be3d0, pci_dev=0x5555566e9450) at /work/armbru/qemu-kvm-rhel7/hw/pci/pci.c:819
#14 pci_qdev_init (qdev=0x5555566e9450) at /work/armbru/qemu-kvm-rhel7/hw/pci/pci.c:1709
#15 0x000055555568a8c4 in device_realize (dev=0x5555566e9450, err=0x7fffffffc8b0) at /work/armbru/qemu-kvm-rhel7/hw/core/qdev.c:178
#16 0x000055555568bf23 in device_set_realized (obj=0x5555566e9450, value=true, err=0x7fffffffc9e8) at /work/armbru/qemu-kvm-rhel7/hw/core/qdev.c:693
#17 0x000055555574caae in property_set_bool (obj=0x5555566e9450, v=<optimized out>, opaque=0x5555566e62d0, name=<optimized out>, errp=0x7fffffffc9e8) at /work/armbru/qemu-kvm-rhel7/qom/object.c:1302
#18 0x000055555574fb65 in object_property_set_qobject (obj=0x5555566e9450, value=<optimized out>, name=0x5555558bb26b "realized", errp=0x7fffffffc9e8) at /work/armbru/qemu-kvm-rhel7/qom/qom-qobject.c:24
#19 0x000055555574e7de in object_property_set_bool (obj=obj@entry=0x5555566e9450, value=value@entry=true, name=name@entry=0x5555558bb26b "realized", errp=errp@entry=0x7fffffffc9e8) at /work/armbru/qemu-kvm-rhel7/qom/object.c:853
#20 0x00005555557395bf in qdev_device_add (opts=opts@entry=0x5555566fbac0) at /work/armbru/qemu-kvm-rhel7/qdev-monitor.c:551
#21 0x00005555557399aa in do_device_add (mon=<optimized out>, qdict=<optimized out>, ret_data=<optimized out>) at /work/armbru/qemu-kvm-rhel7/qdev-monitor.c:668
#22 0x00005555557f364e in handle_user_command (mon=mon@entry=0x55555651c780, cmdline=<optimized out>) at /work/armbru/qemu-kvm-rhel7/monitor.c:4001
#23 0x00005555557f3aeb in monitor_command_cb (mon=0x55555651c780, cmdline=<optimized out>, opaque=<optimized out>) at /work/armbru/qemu-kvm-rhel7/monitor.c:4624
#24 0x00005555557505a3 in readline_handle_byte (rs=0x555556684290, ch=<optimized out>) at /work/armbru/qemu-kvm-rhel7/readline.c:374
#25 0x00005555557f3834 in monitor_read (opaque=<optimized out>, buf=<optimized out>, size=<optimized out>) at /work/armbru/qemu-kvm-rhel7/monitor.c:4610
#26 0x000055555573cc92 in qemu_chr_be_write (len=<optimized out>, buf=0x7fffffffcbf0 "\r\323IVUU", s=0x555556514e80) at /work/armbru/qemu-kvm-rhel7/qemu-char.c:167
#27 fd_chr_read (chan=<optimized out>, cond=<optimized out>, opaque=0x555556514e80) at /work/armbru/qemu-kvm-rhel7/qemu-char.c:850
#28 0x00007ffff74f3a55 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#29 0x000055555570d728 in glib_pollfds_poll () at /work/armbru/qemu-kvm-rhel7/main-loop.c:187
#30 os_host_main_loop_wait (timeout=<optimized out>) at /work/armbru/qemu-kvm-rhel7/main-loop.c:232
#31 main_loop_wait (nonblocking=<optimized out>) at /work/armbru/qemu-kvm-rhel7/main-loop.c:464
#32 0x0000555555608511 in main_loop () at /work/armbru/qemu-kvm-rhel7/vl.c:1988
Latest upstream does *not* crash in step 4.
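The reproducer above is a rejected function hot-plug followed by an identical retry. The Python below is an added example for this page, not code from QEMU, Red Hat or anyone on this report. It does two things a management layer would want here: a pre-check that applies the PCI multi-function rules QEMU 1.5.x enforces in hw/pci/pci.c (do_pci_register_device / pci_init_multifunction, the checks behind the "single function device can't be populated" message), fed the "info pci" listing from step 2 so an illegal request is refused before it ever reaches the monitor; and a driver that runs steps 1, 3 and 4 against a given qemu-kvm over -monitor stdio and reports whether the process died with SIGSEGV. "info pci" does not print the header-type multi-function bit, so the set of slots known to hold multi-function devices is an assumed input the caller tracks; all function and variable names are this example's own.

```python
"""Pre-check PCI function hot-plug requests and drive this bug's reproducer.

Added example for this bug page, not QEMU's or Red Hat's code. The checks
mirror hw/pci/pci.c (do_pci_register_device / pci_init_multifunction) in
QEMU 1.5.x; names are this example's own.
"""
import re
import subprocess

# "info pci" prints one header line per populated devfn; that is all we parse.
_INFO_PCI_RE = re.compile(r"^\s*Bus (\d+), device (\d+), function (\d+):", re.M)

# Constructed sample: the "info pci" listing from the simplified reproducer
# (PIIX3 functions in slot 1, virtio-serial-pci alone at 2.0, rest free).
SAMPLE_INFO_PCI = """\
Bus 0, device 0, function 0:
  Host bridge: PCI device 8086:1237
      id ""
Bus 0, device 1, function 0:
  ISA bridge: PCI device 8086:7000
      id ""
Bus 0, device 1, function 1:
  IDE controller: PCI device 8086:7010
      id ""
Bus 0, device 1, function 3:
  Bridge: PCI device 8086:7113
      id ""
Bus 0, device 2, function 0:
  Class 1920: PCI device 1af4:1003
      id ""
"""


def parse_info_pci(text):
    """Return the set of populated (bus, slot, func) triples in an 'info pci' dump."""
    return {tuple(int(g) for g in m.groups()) for m in _INFO_PCI_RE.finditer(text)}


def parse_addr(addr):
    """Parse an addr= value like QEMU's qdev property parser: "%x.%x" or "%x"
    (hex, optional 0x), slot <= 31, function <= 7."""
    m = re.fullmatch(r"(?:0x)?([0-9a-fA-F]+)(?:\.([0-9a-fA-F]+))?", addr)
    if not m:
        raise ValueError("bad addr: %r" % addr)
    slot, func = int(m.group(1), 16), int(m.group(2) or "0", 16)
    if slot > 31 or func > 7:
        raise ValueError("addr out of range: %r" % addr)
    return slot, func


def hotplug_check(info_pci_text, addr, multifunction=False,
                  multifunction_slots=(), bus=0):
    """Return None if device_add at addr is legal, else QEMU's reason to refuse.

    In QEMU's order: (1) the target devfn must be free; (2) a function > 0 may
    only join a slot whose function 0 is absent or multi-function (the check
    this bug trips); (3) a single-function device at function 0 may not sit
    over populated functions 1..7. multifunction_slots is the caller's own
    record of slots created with multifunction=on (assumption: 'info pci'
    does not expose that bit).
    """
    slot, func = parse_addr(addr)
    populated = parse_info_pci(info_pci_text)
    if (bus, slot, func) in populated:
        return "PCI: slot %d function %d not available, in use" % (slot, func)
    if func != 0:
        if (bus, slot, 0) in populated and slot not in multifunction_slots:
            return ("PCI: single function device can't be populated in function "
                    "%x.%x" % (slot, func))
        return None
    if multifunction:
        return None
    for other in range(1, 8):
        if (bus, slot, other) in populated:
            return ("PCI: %x.0 indicates single function, but %x.%x is already "
                    "populated." % (slot, slot, other))
    return None


def reproduce(qemu_bin, image, addr="0x2.1", attempts=2, timeout=60):
    """Run the simplified reproducer over '-monitor stdio'; return qemu's exit status.

    -11 means qemu died with SIGSEGV (this bug); 0 means every device_add was
    refused cleanly and 'quit' was honoured. 'image' must exist (contents do
    not matter). Needs a real qemu-kvm, so the test does not call it.
    """
    cmd = "device_add virtio-blk-pci,drive=drv0,addr=%s,multifunction=on\n" % addr
    proc = subprocess.run(
        [qemu_bin, "-nodefaults", "-S", "-display", "none", "-monitor", "stdio",
         "-device", "virtio-serial-pci",
         "-drive", "if=none,id=drv0,file=%s" % image],
        input=cmd * attempts + "quit\n", capture_output=True, text=True,
        timeout=timeout)
    return proc.returncode


if __name__ == "__main__":
    # Step 3's request is refused up front; a free slot passes.
    print(hotplug_check(SAMPLE_INFO_PCI, "0x2.1", multifunction=True))
    print(hotplug_check(SAMPLE_INFO_PCI, "0x3", multifunction=True))
```

To run the driver against a real binary, create the throw-away image first (qemu-img create -f qcow2 tmp.qcow2 1M) and call reproduce("/usr/libexec/qemu-kvm", "tmp.qcow2"); a -11 return is the crash from step 4, a 0 return means the error path now cleans up after itself. Note that QEMU's addr= parser reads both numbers as hex, so "10.0" is slot 16, which is why parse_addr does the same.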
Correction: latest upstream *does* crash in step 4. But sometimes it takes more than two of the device_add to crash it.

In the scenario described above, a function is added to 00.03.1, but there is already a *non* multi-function device at 00.03.0 (see lspci print). This is not allowed by the PCI spec.

Adding the device function to a free slot or to a multi-function device solves the problem.

However, there is a bug in the error flow described above. The resolution is already posted upstream and will be backported soon.

In the meantime I suggest renaming the BZ and changing the priority/severity.

(In reply to Marcel Apfelbaum from comment #10)
> In the scenario described above, a function is added to 00.03.1,
> but there is already a *non* multi-function device at 00.03.0
> (see lspci print). This is not allowed by the PCI spec.
>
> Adding the device function to a free slot or to a multi-function
> device solves the problem.
>
> However, there is a bug in the error flow described above.
> The resolution is already posted upstream and will be backported soon.
>
> In the meantime I suggest renaming the BZ and changing the
> priority/severity.

Ok, please do it, thanks.

The upstream commit was: 306077640a652e090779498aadbeb0c605feaacd

Fix included in qemu-kvm-1.5.3-78.el7

Reproduce this issue using the following version:
kernel-3.10.0-196.el7.x86_64
qemu-kvm-1.5.3-31.el7.x86_64
Steps to Reproduce:
1. start a vm
# /usr/libexec/qemu-kvm -nodefaults -S -display none -monitor stdio -device virtio-serial-pci -drive if=none,id=drv0,file=tmp.qcow2
2. Monitor command "info pci" shows:
(qemu) info pci
Bus 0, device 0, function 0:
Host bridge: PCI device 8086:1237
id ""
Bus 0, device 1, function 0:
ISA bridge: PCI device 8086:7000
id ""
Bus 0, device 1, function 1:
IDE controller: PCI device 8086:7010
BAR4: I/O at 0xffffffffffffffff [0x000e].
id ""
Bus 0, device 1, function 3:
Bridge: PCI device 8086:7113
IRQ 0.
id ""
Bus 0, device 2, function 0:
Class 1920: PCI device 1af4:1003
IRQ 0.
BAR0: I/O at 0xffffffffffffffff [0x001e].
BAR1: 32 bit memory at 0xffffffffffffffff [0x00000ffe].
id ""
3. Plug virtio-blk-pci into slot 2.1, and watch it fail:
(qemu) device_add virtio-blk-pci,drive=drv0,addr=0x2.1,multifunction=on
PCI: single function device can't be populated in function 2.1
Device initialization failed.
Device 'virtio-blk-pci' could not be initialized
4. Do it again, and watch it crash:
(qemu) device_add virtio-blk-pci,drive=drv0,addr=0x2.1,multifunction=on
Segmentation fault (core dumped)
(gdb) bt
#0 memory_region_update_coalesced_range_as (mr=mr@entry=0x5555567188d0, as=as@entry=0x55555670cf90) at /usr/src/debug/qemu-1.5.3/memory.c:1161
#1 0x00005555557d04bb in memory_region_update_coalesced_range (mr=0x5555567188d0) at /usr/src/debug/qemu-1.5.3/memory.c:1193
#2 memory_region_clear_coalescing (mr=mr@entry=0x5555567188d0) at /usr/src/debug/qemu-1.5.3/memory.c:1227
#3 0x00005555557d0514 in memory_region_destroy (mr=0x5555567188d0) at /usr/src/debug/qemu-1.5.3/memory.c:1026
#4 0x000055555577a94d in destroy_page_desc (section_index=<optimized out>) at /usr/src/debug/qemu-1.5.3/exec.c:702
#5 destroy_l2_mapping (lp=0x5555566ed280, level=level@entry=0) at /usr/src/debug/qemu-1.5.3/exec.c:721
#6 0x000055555577a908 in destroy_l2_mapping (lp=0x5555566eca80, level=level@entry=1) at /usr/src/debug/qemu-1.5.3/exec.c:719
#7 0x000055555577a908 in destroy_l2_mapping (lp=0x5555566ec280, level=level@entry=2) at /usr/src/debug/qemu-1.5.3/exec.c:719
#8 0x000055555577a908 in destroy_l2_mapping (lp=lp@entry=0x555556542eb0, level=level@entry=3) at /usr/src/debug/qemu-1.5.3/exec.c:719
#9 0x000055555577a9b6 in destroy_all_mappings (d=<optimized out>) at /usr/src/debug/qemu-1.5.3/exec.c:730
#10 mem_begin (listener=0x555556542eb8) at /usr/src/debug/qemu-1.5.3/exec.c:1750
#11 0x00005555557ced60 in memory_region_transaction_commit () at /usr/src/debug/qemu-1.5.3/memory.c:747
#12 0x00005555556bd3a0 in do_pci_register_device (devfn=17, name=0x555556524560 "virtio-blk-pci", bus=0x5555566d4cd0, pci_dev=0x55555670cd00) at hw/pci/pci.c:819
#13 pci_qdev_init (qdev=0x55555670cd00) at hw/pci/pci.c:1709
#14 0x0000555555678d24 in device_realize (dev=0x55555670cd00, err=0x7fffffffccd0) at hw/core/qdev.c:178
#15 0x000055555567a24b in device_set_realized (obj=0x55555670cd00, value=<optimized out>, err=0x7fffffffcde0) at hw/core/qdev.c:693
#16 0x000055555573a54e in property_set_bool (obj=0x55555670cd00, v=<optimized out>, opaque=0x55555670d6b0, name=<optimized out>, errp=0x7fffffffcde0) at qom/object.c:1302
#17 0x000055555573d107 in object_property_set_qobject (obj=0x55555670cd00, value=<optimized out>, name=0x5555558b1dba "realized", errp=0x7fffffffcde0) at qom/qom-qobject.c:24
#18 0x000055555573bf10 in object_property_set_bool (obj=obj@entry=0x55555670cd00, value=value@entry=true, name=name@entry=0x5555558b1dba "realized", errp=errp@entry=0x7fffffffcde0) at qom/object.c:853
#19 0x000055555567923a in qdev_init (dev=dev@entry=0x55555670cd00) at hw/core/qdev.c:163
#20 0x000055555572842b in qdev_device_add (opts=opts@entry=0x555556713850) at qdev-monitor.c:538
#21 0x000055555572884d in do_device_add (mon=<optimized out>, qdict=<optimized out>, ret_data=<optimized out>) at qdev-monitor.c:651
#22 0x00005555557d9d40 in handle_user_command (mon=mon@entry=0x555556559160, cmdline=<optimized out>) at /usr/src/debug/qemu-1.5.3/monitor.c:4001
#23 0x00005555557da14b in monitor_command_cb (mon=0x555556559160, cmdline=<optimized out>, opaque=<optimized out>) at /usr/src/debug/qemu-1.5.3/monitor.c:4624
#24 0x000055555573dac0 in readline_handle_byte (rs=0x5555566ab630, ch=<optimized out>) at readline.c:374
#25 0x00005555557da0b4 in monitor_read (opaque=<optimized out>, buf=<optimized out>, size=<optimized out>) at /usr/src/debug/qemu-1.5.3/monitor.c:4610
#26 0x000055555572c26b in qemu_chr_be_write (len=<optimized out>, buf=0x7fffffffd050 "\r\323\377\377\377\177", s=0x555556540750) at qemu-char.c:167
#27 fd_chr_read (chan=<optimized out>, cond=<optimized out>, opaque=0x555556540750) at qemu-char.c:850
#28 0x00007ffff74e39ba in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#29 0x00005555556f991a in glib_pollfds_poll () at main-loop.c:187
#30 os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:232
#31 main_loop_wait (nonblocking=<optimized out>) at main-loop.c:464
#32 0x0000555555601050 in main_loop () at vl.c:1984
#33 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4343
Tested this issue using the following versions:
kernel-3.10.0-196.el7.x86_64
qemu-kvm-1.5.3-78.el7.x86_64
Steps to Reproduce:
1. Start a VM:
# /usr/libexec/qemu-kvm -nodefaults -S -display none -monitor stdio -device virtio-serial-pci -drive if=none,id=drv0,file=tmp.qcow2
2. Monitor command "info pci" shows:
(qemu) info pci
Bus 0, device 0, function 0:
Host bridge: PCI device 8086:1237
id ""
Bus 0, device 1, function 0:
ISA bridge: PCI device 8086:7000
id ""
Bus 0, device 1, function 1:
IDE controller: PCI device 8086:7010
BAR4: I/O at 0xffffffffffffffff [0x000e].
id ""
Bus 0, device 1, function 3:
Bridge: PCI device 8086:7113
IRQ 0.
id ""
Bus 0, device 2, function 0:
Class 1920: PCI device 1af4:1003
IRQ 0.
BAR0: I/O at 0xffffffffffffffff [0x001e].
BAR1: 32 bit memory at 0xffffffffffffffff [0x00000ffe].
id ""
3. Plug virtio-blk-pci into slot 2.1, and watch it fail:
(qemu) device_add virtio-blk-pci,drive=drv0,addr=0x2.1,multifunction=on
PCI: single function device can't be populated in function 2.1
Device initialization failed.
Device 'virtio-blk-pci' could not be initialized
4. Do it again, and watch it fail:
(qemu) device_add virtio-blk-pci,drive=drv0,addr=0x2.1,multifunction=on
PCI: single function device can't be populated in function 2.1
Device initialization failed.
Device 'virtio-blk-pci' could not be initialized
I also tested the scenarios of comment 0; qemu-kvm does not crash.
Also tested qemu-kvm-rhev-2.1.2-7.el7.x86_64 using the steps of comment 18; qemu-kvm does not crash.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0349.html