Bug 1141666

Summary: Qemu crashed if reboot guest after hot remove AC97 sound device
Product: Red Hat Enterprise Linux 7
Reporter: Qian Guo <qiguo>
Component: qemu-kvm-rhev
Assignee: Gerd Hoffmann <kraxel>
Status: CLOSED ERRATA
QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium
Priority: medium
Version: 7.1
CC: hhuang, juzhang, michen, virt-maint
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: qemu-kvm-rhev-2.1.2-7.el7
Doc Type: Bug Fix
Clones: 1141667
Last Closed: 2015-03-05 09:55:30 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1141667

Description Qian Guo 2014-09-15 07:52:49 UTC
Description of problem:
Qemu crashed if reboot guest after hot remove AC97 sound device

I tested both RHEL and Windows guests (Windows 7 cannot even drive this AC97 sound device), and both hit this issue.

Version-Release number of selected component (if applicable):
qemu-kvm-rhev-2.1.0-3.el7.x86_64
3.10.0-158.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1.Boot guest with AC97 sound device:
# /usr/libexec/qemu-kvm -cpu Penryn -enable-kvm -m 4G -smp 4,sockets=1,cores=4,threads=1 -name test -rtc base=localtime,clock=host,driftfix=slew  -k en-us  -boot menu=on -spice disable-ticketing,port=5900 -vga qxl -usb -device usb-tablet -monitor stdio -drive file=/home/win7-64-sp1-virtio.qcow2,if=none,id=drive-system-disk,media=disk,format=qcow2,aio=native,werror=stop,rerror=stop -device virtio-blk-pci,drive=drive-system-disk,id=system-disk,addr=0x3 -netdev tap,vhost=on,id=hostnet0,script=/etc/qemu-ifup -device virtio-net-pci,netdev=hostnet0,id=vnet0,mac=ae:df:47:0d:87:44 -device AC97,id=a1 -qmp unix:/tmp/q1,server,nowait

2.Hot unplug the sound device 
{"execute":"device_del","arguments":{"id":"a1"}}
{"return": {}}
{"timestamp": {"seconds": 1410766965, "microseconds": 834460}, "event": "DEVICE_DELETED", "data": {"device": "a1", "path": "/machine/peripheral/a1"}}

3.Reboot guest

Actual results:
Qemu crashed:

(gdb) 
#0  AUD_set_active_in (sw=0x5555563cf798, on=0) at audio/audio.c:1261
#1  0x000055555576b522 in reset_bm_regs (s=s@entry=0x55555640f940, r=r@entry=0x5555564101b4) at hw/audio/ac97.c:326
#2  0x000055555576c290 in ac97_on_reset (opaque=0x55555640f940) at hw/audio/ac97.c:1328
#3  0x00005555557223dd in qemu_devices_reset () at vl.c:1830
#4  qemu_system_reset (report=report@entry=true) at vl.c:1843
#5  0x000055555561e0df in main_loop_should_exit () at vl.c:1974
#6  main_loop () at vl.c:2014
#7  main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4552
(gdb) bt ful
#0  AUD_set_active_in (sw=0x5555563cf798, on=0) at audio/audio.c:1261
        nb_active = 0
        s = 0x555555d1e5a0 <glob_audio_state>
        temp_sw = 0x74894c30468b4808
        hw = 0x555555621490 <mem_add>
#1  0x000055555576b522 in reset_bm_regs (s=s@entry=0x55555640f940, r=r@entry=0x5555564101b4) at hw/audio/ac97.c:326
No locals.
#2  0x000055555576c290 in ac97_on_reset (opaque=0x55555640f940) at hw/audio/ac97.c:1328
        s = 0x55555640f940
#3  0x00005555557223dd in qemu_devices_reset () at vl.c:1830
        re = <optimized out>
        nre = 0x5555563fa500
#4  qemu_system_reset (report=report@entry=true) at vl.c:1843
        mc = <optimized out>
        __func__ = "qemu_system_reset"
#5  0x000055555561e0df in main_loop_should_exit () at vl.c:1974
        r = <optimized out>
#6  main_loop () at vl.c:2014
        nonblocking = <optimized out>
        last_io = 1
#7  main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4552
        i = <optimized out>
        snapshot = 0
        linux_boot = 0
        icount_option = 0x0
        initrd_filename = 0x0
        kernel_filename = 0x0
        kernel_cmdline = <optimized out>
        boot_order = <optimized out>
        ds = <optimized out>
        cyls = 0
        heads = 0
        secs = 0
        translation = <optimized out>
        hda_opts = <optimized out>
        opts = <optimized out>
        machine_opts = <optimized out>
        olist = <optimized out>
        optind = 35
        optarg = 0x7fffffffe6d8 "AC97,id=a1"
        loadvm = 0x0
        machine_class = <optimized out>
        cpu_model = 0x7fffffffe4ab "Penryn"
        vga_model = 0x7fffffffe55e "qxl"
        qtest_chrdev = 0x0
        qtest_log = 0x0
        pid_file = 0x0
        incoming = 0x0
        show_vnc_port = 0
        defconfig = <optimized out>
        userconfig = 94
        log_mask = <optimized out>
        log_file = 0x0
        mem_trace = {malloc = 0x555555720a90 <malloc_and_trace>, realloc = 0x555555720a70 <realloc_and_trace>, 
          free = 0x555555720a60 <free_and_trace>, calloc = 0x0, try_malloc = 0x0, try_realloc = 0x0}
        trace_events = 0x0
        trace_file = 0x0
        maxram_size = 4294967296
        ram_slots = 0
        vmstate_dump_file = 0x0
        __func__ = "main"


Expected results:
No crash, can reboot successfully.

Additional info:

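Both backtraces on this bug show the same shape: qemu_system_reset() walks the global reset-handler list and calls ac97_on_reset() with an opaque pointer to AC97 state that DEVICE_DELETED had already reported gone, and AUD_set_active_in/out then reads through it. The device memory was released on hot-unplug but the reset callback registered for it was not, so the next guest-initiated reboot dereferences freed memory: a guest can crash its own QEMU process once the host side has unplugged the card. The C model below is an added example, not QEMU code and not the fix from the linked patch; function and field names echo the backtrace for readability only, and allocation is simulated with static storage so the stale-handler path can be observed without real undefined behaviour. The "fixed" branch shows the property that resetting devices through the device model (qdev DeviceClass::reset, which only visits devices still attached) provides: the handler disappears with the device.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef void (*reset_fn)(void *opaque);

/* Global reset-handler list, as walked by qemu_devices_reset() in the
 * backtrace. Entries outlive whatever registered them unless something
 * explicitly unregisters. (Example code, not QEMU's list.) */
#define MAX_RESET_HANDLERS 8
static struct {
    reset_fn fn;
    void *opaque;
    bool in_use;
} reset_handlers[MAX_RESET_HANDLERS];

/* Simulated AC97 device state. Storage is static rather than malloc'd so
 * that 'freed' can be inspected after the simulated free without real
 * undefined behaviour; in QEMU the equivalent read hits heap memory that
 * has already been returned to the allocator. */
struct ac97_state {
    char id[16];
    bool freed;
    int resets_seen;
};
static struct ac97_state ac97_pool[1];

static void register_reset(reset_fn fn, void *opaque)
{
    for (int i = 0; i < MAX_RESET_HANDLERS; i++) {
        if (!reset_handlers[i].in_use) {
            reset_handlers[i].fn = fn;
            reset_handlers[i].opaque = opaque;
            reset_handlers[i].in_use = true;
            return;
        }
    }
}

static int unregister_reset(reset_fn fn, void *opaque)
{
    int removed = 0;
    for (int i = 0; i < MAX_RESET_HANDLERS; i++) {
        if (reset_handlers[i].in_use && reset_handlers[i].fn == fn &&
            reset_handlers[i].opaque == opaque) {
            reset_handlers[i].in_use = false;
            removed++;
        }
    }
    return removed;
}

/* The device's reset callback. In the real driver this is ac97_on_reset ->
 * reset_bm_regs -> AUD_set_active_out/in, reading through device state. */
static void ac97_reset(void *opaque)
{
    struct ac97_state *s = opaque;
    s->resets_seen++;
}

/* realize: set up state and register the global reset handler. */
static struct ac97_state *ac97_realize(const char *id)
{
    struct ac97_state *s = &ac97_pool[0];
    memset(s, 0, sizeof *s);
    snprintf(s->id, sizeof s->id, "%s", id);
    register_reset(ac97_reset, s);
    return s;
}

/* device_del: the buggy variant frees state but leaves the handler
 * registered; the fixed variant removes the handler first, which is the
 * guarantee a per-device reset hook gives for free. */
static void ac97_unrealize(struct ac97_state *s, bool unregister_first)
{
    if (unregister_first) {
        unregister_reset(ac97_reset, s);
    }
    s->freed = true;
}

/* System reset: walk the handler list. Returns how many handlers would
 * have dereferenced freed memory. QEMU has no such check; the dereference
 * is the crash at audio.c in the backtrace. */
static int devices_reset(void)
{
    int dangling = 0;
    for (int i = 0; i < MAX_RESET_HANDLERS; i++) {
        if (!reset_handlers[i].in_use) {
            continue;
        }
        struct ac97_state *s = reset_handlers[i].opaque;
        if (s->freed) {
            dangling++;
            continue;
        }
        reset_handlers[i].fn(reset_handlers[i].opaque);
    }
    return dangling;
}

/* Boot with AC97, device_del it, reboot. Returns the number of stale
 * handlers the reboot hit: 1 with the buggy unplug, 0 with the fixed one. */
int run_scenario(bool unregister_on_unplug)
{
    memset(reset_handlers, 0, sizeof reset_handlers);
    struct ac97_state *a1 = ac97_realize("a1");
    devices_reset();                     /* first boot: handler runs normally */
    ac97_unrealize(a1, unregister_on_unplug);
    return devices_reset();              /* guest reboot after hot-unplug */
}

int main(void)
{
    printf("legacy unplug: %d stale reset handler(s)\n", run_scenario(false));
    printf("fixed unplug:  %d stale reset handler(s)\n", run_scenario(true));
    return 0;
}
```

The general check this models applies to any QEMU-style device that registers a process-global callback (reset, VM state change, timers) from its realize path: either unregister it on unrealize or register it through a per-device hook, otherwise hot-unplug leaves a dangling opaque that the next reset walks into.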
Comment 2 Gerd Hoffmann 2014-09-16 06:03:20 UTC
http://patchwork.ozlabs.org/patch/389960/

Comment 3 Gerd Hoffmann 2014-10-27 10:07:37 UTC
(same patch as for 1141667)

Comment 4 Miroslav Rezanina 2014-11-06 18:32:51 UTC
Fix included in qemu-kvm-rhev-2.1.2-7.el7

Comment 6 Qian Guo 2014-11-12 10:16:27 UTC
Reproduced this bug with qemu-kvm-rhev-2.1.0-4.el7.x86_64

Steps:
1.Boot guest with AC97 
# /usr/libexec/qemu-kvm -cpu Penryn -m 4G -smp 4,sockets=1,cores=4,threads=1 -M pc -enable-kvm -device piix3-usb-uhci,id=usb -name rhel7 -nodefaults -nodefconfig -device virtio-balloon-pci,id=balloon0 -spice disable-ticketing,port=5000 -vga qxl -global PIIX4_PM.disable_s3=0 -global PIIX4_PM.disable_s4=0 -monitor stdio -drive file=/home/rhel71029/rhel711029cp1.qcow2,if=none,media=disk,format=qcow2,rerror=stop,werror=stop,aio=native,id=scsi-disk0 -device virtio-scsi-pci,id=bus2 -device scsi-hd,bus=bus2.0,drive=scsi-disk0,id=disk0 -device AC97,id=a1 -qmp unix:/tmp/q1,server,nowait

2.Hot unplug the ac97 device
{"execute":"qmp_capabilities"}
{"return": {}}
{"execute":"device_del","arguments":{"id":"a1"}}
{"return": {}}
{"timestamp": {"seconds": 1415786017, "microseconds": 449775}, "event": "DEVICE_DELETED", "data": {"device": "a1", "path": "/machine/peripheral/a1"}}

3.reboot guest

Result: core dumped.
(gdb) bt
#0  AUD_set_active_out (sw=0x4000000, on=0) at audio/audio.c:1194
#1  0x000055555576bb52 in reset_bm_regs (s=s@entry=0x5555563c0690, r=r@entry=0x5555563c0f1c)
    at hw/audio/ac97.c:326
#2  0x000055555576c8cf in ac97_on_reset (opaque=0x5555563c0690) at hw/audio/ac97.c:1329
#3  0x0000555555722a0d in qemu_devices_reset () at vl.c:1830
#4  qemu_system_reset (report=report@entry=true) at vl.c:1843
#5  0x000055555561e61f in main_loop_should_exit () at vl.c:1974
#6  main_loop () at vl.c:2014
#7  main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4552


So this bug is reproduced.


Verify this bug with qemu-kvm-rhev-2.1.2-7.el7.x86_64

Steps as above

Result: after reboot, the guest works well, and the AC97 device is deleted successfully.

Verified with both Windows 7 and RHEL 7.1 guests.

So this bug is fixed

Comment 8 errata-xmlrpc 2015-03-05 09:55:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0624.html