Bug 1242383

Summary: w/ virtio-1 enabled for virtio-net-pci, qemu coredumped if shutdown guest after delete the tap interface
Product: Red Hat Enterprise Linux 7
Reporter: Qian Guo <qiguo>
Component: qemu-kvm-rhev
Assignee: jason wang <jasowang>
Status: CLOSED DUPLICATE
QA Contact: Virtualization Bugs <virt-bugs>
Severity: low
Docs Contact:
Priority: low
Version: 7.2
CC: jasowang, juzhang, knoel, michen, mst, virt-maint, zhengtli
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-12-26 05:47:33 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Qian Guo 2015-07-13 08:51:55 UTC
Description of problem:
Tried w/o virtio-1; did not hit this issue.

After deleting the tap device:

(qemu) 2015-07-13T08:32:36.300555Z qemu-kvm: TUNSETVNETLE ioctl() failed: File descriptor in bad state.

Then, trying to shut down the guest:

Program received signal SIGABRT, Aborted.
0x00007ffff071a5d7 in raise () from /lib64/libc.so.6


Version-Release number of selected component (if applicable):
kernel-3.10.0-294.el7.x86_64
qemu-kvm-rhev-2.3.0-9.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Boot the guest; for the CLI, refer to the additional info.

2. Delete the corresponding tap interface on the host:
# ip link delete tap0

3. Try to shut down the guest.
# shutdown -h now

Actual results:
qemu core dumped:

(gdb) bt
#0  0x00007ffff071a5d7 in raise () from /lib64/libc.so.6
#1  0x00007ffff071bcc8 in abort () from /lib64/libc.so.6
#2  0x00005555557a795b in tap_fd_set_vnet_le (fd=<optimized out>, is_le=<optimized out>) at net/tap-linux.c:215
#3  0x000055555563f94a in vhost_net_set_vnet_endian (peer=<optimized out>, set=set@entry=false, 
    dev=0x5555574b7f40) at /usr/src/debug/qemu-2.3.0/hw/net/vhost_net.c:207
#4  0x00005555556401ff in vhost_net_set_vnet_endian (set=false, peer=<optimized out>, dev=0x5555574b7f40)
    at /usr/src/debug/qemu-2.3.0/hw/net/vhost_net.c:372
#5  vhost_net_stop (dev=dev@entry=0x5555574b7f40, ncs=0x5555569d85a0, total_queues=total_queues@entry=1)
    at /usr/src/debug/qemu-2.3.0/hw/net/vhost_net.c:371
#6  0x000055555563c355 in virtio_net_vhost_status (status=15 '\017', n=0x5555574b7f40)
    at /usr/src/debug/qemu-2.3.0/hw/net/virtio-net.c:154
#7  virtio_net_set_status (vdev=<optimized out>, status=<optimized out>)
    at /usr/src/debug/qemu-2.3.0/hw/net/virtio-net.c:166
#8  0x000055555564c1ec in virtio_set_status (vdev=0x5555574b7f40, val=<optimized out>)
    at /usr/src/debug/qemu-2.3.0/hw/virtio/virtio.c:574
#9  0x00005555556d2f82 in vm_state_notify (running=running@entry=0, state=state@entry=RUN_STATE_SHUTDOWN)
    at vl.c:1497
#10 0x000055555560d942 in do_vm_stop (state=RUN_STATE_SHUTDOWN) at /usr/src/debug/qemu-2.3.0/cpus.c:606
#11 vm_stop (state=state@entry=RUN_STATE_SHUTDOWN) at /usr/src/debug/qemu-2.3.0/cpus.c:1300
#12 0x00005555555e4656 in main_loop_should_exit () at vl.c:1754
#13 main_loop () at vl.c:1802
#14 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4373


(gdb) bt ful
#0  0x00007ffff071a5d7 in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007ffff071bcc8 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x00005555557a795b in tap_fd_set_vnet_le (fd=<optimized out>, is_le=<optimized out>) at net/tap-linux.c:215
        arg = 0
#3  0x000055555563f94a in vhost_net_set_vnet_endian (peer=<optimized out>, set=set@entry=false, 
    dev=0x5555574b7f40) at /usr/src/debug/qemu-2.3.0/hw/net/vhost_net.c:207
        r = <optimized out>
#4  0x00005555556401ff in vhost_net_set_vnet_endian (set=false, peer=<optimized out>, dev=0x5555574b7f40)
    at /usr/src/debug/qemu-2.3.0/hw/net/vhost_net.c:372
        r = 0
#5  vhost_net_stop (dev=dev@entry=0x5555574b7f40, ncs=0x5555569d85a0, total_queues=total_queues@entry=1)
    at /usr/src/debug/qemu-2.3.0/hw/net/vhost_net.c:371
        qbus = 0x5555574b7ed0
        __func__ = "vhost_net_stop"
        vbus = <optimized out>
        k = 0x55555696eb00
        i = <optimized out>
        r = <optimized out>
        __PRETTY_FUNCTION__ = "vhost_net_stop"
#6  0x000055555563c355 in virtio_net_vhost_status (status=15 '\017', n=0x5555574b7f40)
    at /usr/src/debug/qemu-2.3.0/hw/net/virtio-net.c:154
        vdev = 0x5555574b7f40
        nc = 0x5555569d85a0
        queues = 1
#7  virtio_net_set_status (vdev=<optimized out>, status=<optimized out>)
    at /usr/src/debug/qemu-2.3.0/hw/net/virtio-net.c:166
        n = 0x5555574b7f40
        __func__ = "virtio_net_set_status"
        q = <optimized out>
        i = <optimized out>
        queue_status = <optimized out>
#8  0x000055555564c1ec in virtio_set_status (vdev=0x5555574b7f40, val=<optimized out>)
    at /usr/src/debug/qemu-2.3.0/hw/virtio/virtio.c:574
        k = 0x55555695b040
        __func__ = "virtio_set_status"
#9  0x00005555556d2f82 in vm_state_notify (running=running@entry=0, state=state@entry=RUN_STATE_SHUTDOWN)
    at vl.c:1497
        e = <optimized out>
        next = 0x555556a38fa0
#10 0x000055555560d942 in do_vm_stop (state=RUN_STATE_SHUTDOWN) at /usr/src/debug/qemu-2.3.0/cpus.c:606
        ret = 0
#11 vm_stop (state=state@entry=RUN_STATE_SHUTDOWN) at /usr/src/debug/qemu-2.3.0/cpus.c:1300
No locals.
#12 0x00005555555e4656 in main_loop_should_exit () at vl.c:1754
        r = <optimized out>
#13 main_loop () at vl.c:1802
        nonblocking = <optimized out>
        last_io = 1
#14 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4373
        i = <optimized out>
        snapshot = <optimized out>
        linux_boot = <optimized out>
        initrd_filename = <optimized out>
        kernel_filename = <optimized out>
        kernel_cmdline = <optimized out>
        boot_order = 0x555555877347 "cad"
        boot_once = 0x0
        cyls = <optimized out>
        heads = <optimized out>
        secs = <optimized out>
        translation = <optimized out>
        hda_opts = <optimized out>
        opts = <optimized out>
        machine_opts = <optimized out>
        icount_opts = <optimized out>
        olist = <optimized out>
        optind = 88
        optarg = 0x5555569dd4a0 "pc-i440fx-rhel7.2.0"
        loadvm = <optimized out>
        machine_class = <optimized out>
        cpu_model = <optimized out>
        vga_model = 0x0
        qtest_chrdev = <optimized out>
        qtest_log = <optimized out>
        pid_file = <optimized out>
        incoming = <optimized out>
        show_vnc_port = <optimized out>
        defconfig = <optimized out>
        userconfig = 190
        log_mask = <optimized out>
        log_file = <optimized out>
        mem_trace = {malloc = 0x5555556d1a50 <malloc_and_trace>, realloc = 0x5555556d1a30 <realloc_and_trace>, 
          free = 0x5555556d1a20 <free_and_trace>, calloc = 0x0, try_malloc = 0x0, try_realloc = 0x0}
        trace_events = <optimized out>
        trace_file = <optimized out>
        maxram_size = <optimized out>
        ram_slots = <optimized out>
        vmstate_dump_file = <optimized out>
        main_loop_err = 0x0
        __func__ = "main"
(gdb) 

Expected results:
No core dump occurs.

Additional info:
1. w/o virtio-1, cannot hit this issue.
2. CLI:
/usr/libexec/qemu-kvm -name rhel7.0 -S -machine pc-i440fx-rhel7.2.0,accel=kvm,usb=off,vmport=off -cpu Penryn -m 4096 -realtime mlock=off -smp 4,sockets=4,cores=1,threads=1 -uuid fbf54917-5833-48f2-b3fb-5ce2ad294d93 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/rhel7.0.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=discard -no-hpet -no-shutdown -global PIIX4_PM.disable_s3=1 -global PIIX4_PM.disable_s4=1 -boot strict=on -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x6.0x7 -device ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pci.0,multifunction=on,addr=0x6 -device ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pci.0,addr=0x6.0x1 -device ich9-usb-uhci3,masterbus=usb.0,firstport=4,bus=pci.0,addr=0x6.0x2 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x5 -drive file=/home/rhel7.2.qcow2,snapshot=off,if=none,id=drive-virtio-disk0,format=qcow2 -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x7,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -netdev tap,vhost=on,script=/etc/qemu-ifup,id=hostnet0 -device virtio-net-pci,disable-modern=off,disable-legacy=on,netdev=hostnet0,id=net0,mac=52:54:00:0b:02:8f,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev socket,id=charchannel0,path=/var/lib/libvirt/qemu/channel/target/rhel7.0.org.qemu.guest_agent.0,server,nowait -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=org.qemu.guest_agent.0 -chardev spicevmc,id=charchannel1,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=2,chardev=charchannel1,id=channel1,name=com.redhat.spice.0 -device usb-tablet,id=input0 -spice port=5900,disable-ticketing,seamless-migration=on -device qxl-vga,id=video0,ram_size=67108864,vram_size=67108864,vgamem_mb=16,bus=pci.0,addr=0x2 -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device 
hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -chardev spicevmc,id=charredir0,name=usbredir -device usb-redir,chardev=charredir0,id=redir0 -chardev spicevmc,id=charredir1,name=usbredir -device usb-redir,chardev=charredir1,id=redir1 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x8 -msg timestamp=on -monitor stdio

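The backtrace above ends in tap_fd_set_vnet_le calling abort() right after the TUNSETVNETLE ioctl on the deleted tap fails with "File descriptor in bad state" (EBADFD), so a host-side `ip link delete` turns into a crash of the whole VM process on shutdown. As an added example, not QEMU's code, the C below sketches a hardened shape for that helper that classifies the errno and lets the stop path continue; the injectable backend, the enum and the function names are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>

#ifndef EBADFD
#define EBADFD 77 /* Linux value: "File descriptor in bad state", as in the bug's log line */
#endif

/* Hypothetical injectable stand-in for the TUNSETVNETLE ioctl on a tap fd:
 * 0 on success, -1 with errno set on failure. Lets the report's failure mode
 * (EBADFD after `ip link delete tap0`) run without /dev/net/tun or root. */
typedef int (*vnet_le_backend)(int fd, int *arg);

enum vnet_le_result {
    VNET_LE_OK = 0,
    VNET_LE_UNSUPPORTED, /* EINVAL: kernel predates TUNSETVNETLE, use the fallback */
    VNET_LE_DETACHED,    /* EBADFD: the tap was deleted underneath the VM */
    VNET_LE_FAILED       /* anything else: report it, never abort() on the shutdown path */
};

/* Hypothetical hardened helper: classify the errno instead of aborting the process. */
enum vnet_le_result tap_set_vnet_le_checked(int fd, int is_le, vnet_le_backend be, int *err)
{
    int arg = is_le ? 1 : 0;
    if (be(fd, &arg) == 0) {
        *err = 0;
        return VNET_LE_OK;
    }
    *err = errno;
    if (errno == EINVAL) return VNET_LE_UNSUPPORTED;
    if (errno == EBADFD) return VNET_LE_DETACHED;
    return VNET_LE_FAILED;
}

/* Constructed backends: a healthy tap, a tap deleted on the host, an old kernel. */
static int be_healthy(int fd, int *arg)    { (void)fd; (void)arg; return 0; }
static int be_deleted(int fd, int *arg)    { (void)fd; (void)arg; errno = EBADFD; return -1; }
static int be_old_kernel(int fd, int *arg) { (void)fd; (void)arg; errno = EINVAL; return -1; }

/* Shutdown-path caller (hypothetical): 1 if the VM stop may proceed, 0 on an unexpected error.
 * A vanished tap only means there is no endianness left to reset, so the stop continues. */
int vhost_stop_reset_endian(int fd, vnet_le_backend be)
{
    int err;
    if (tap_set_vnet_le_checked(fd, 0, be, &err) == VNET_LE_FAILED) {
        fprintf(stderr, "TUNSETVNETLE failed unexpectedly (errno %d)\n", err);
        return 0;
    }
    return 1;
}
```
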
Comment 2 jason wang 2015-07-14 02:14:44 UTC
Not a usual case, will try to fix.

Comment 3 jason wang 2015-07-14 02:27:46 UTC
In fact, qemu can't recover from host misconfiguration. We've already had similar bugs. This needs to be addressed when upstream supports need_reset.
So lower the priority and severity.

Not 7.2 material.

Comment 9 jason wang 2016-12-26 05:47:33 UTC

*** This bug has been marked as a duplicate of bug 1151306 ***