Bug 1262784

Summary: Quitting qemu-kvm during boot with data plane enabled causes a segmentation fault
Product: Red Hat Enterprise Linux 7
Reporter: mazhang <mazhang>
Component: qemu-kvm-rhev
Assignee: Stefan Hajnoczi <stefanha>
Status: CLOSED ERRATA
QA Contact: FuXiangChun <xfu>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.2
CC: huding, juzhang, knoel, michen, mrezanin, virt-maint, xfu
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: Qemu-2.6.0
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-07 20:38:21 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description mazhang 2015-09-14 11:08:00 UTC
Description of problem:
Quitting qemu-kvm during boot with data plane enabled causes a segmentation fault.

Version-Release number of selected component (if applicable):

Host:
qemu-kvm-rhev-2.3.0-22.el7.x86_64
3.10.0-314.el7.x86_64

Guest:
3.10.0-314.el7.x86_64

How reproducible:
80%

Steps to Reproduce:
1. Boot the guest with the following command line:
gdb --args /usr/libexec/qemu-kvm \
-M pc \
-cpu SandyBridge \
-m 2G \
-smp 4,sockets=2,cores=2,threads=1 \
-enable-kvm \
-name rhel7 \
-uuid 990ea161-6b67-47b2-b803-19fb01d30d12 \
-smbios type=1,manufacturer='Red Hat',product='RHEV Hypervisor',version=el6,serial=koTUXQrb,uuid=feebc8fd-f8b0-4e75-abc3-e63fcdb67170 \
-k en-us \
-rtc base=utc,clock=host,driftfix=slew \
-nodefaults \
-monitor stdio \
-qmp tcp:0:6773,server,nowait \
-boot menu=on \
-bios /usr/share/seabios/bios.bin \
-serial unix:/tmp/console0,server,nowait \
-spice port=5900,disable-ticketing \
-vga std \
-global PIIX4_PM.disable_s3=0 -global PIIX4_PM.disable_s4=0 \
-netdev tap,id=hostnet0,vhost=on \
-device virtio-net-pci,netdev=hostnet0,id=net0,mac=54:52:00:B6:40:23 \
-object iothread,id=iothread0 \
-drive file=/home/rhel7.2-64.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,cache=none,werror=stop,rerror=stop,aio=threads \
-device virtio-blk-pci,scsi=off,bus=pci.0,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1,iothread=iothread0

2. Send "q" in HMP during boot.

Actual results:
qemu-kvm segmentation fault.

q[Thread 0x7fffe5f72700 (LWP 28346) exited]


Program received signal SIGSEGV, Segmentation fault.
0x0000555555807ce1 in qcow2_get_cluster_offset (bs=bs@entry=0x555556a3e000, offset=offset@entry=3084115968, num=num@entry=0x55555d079d84, 
    cluster_offset=cluster_offset@entry=0x55555d079d88) at block/qcow2-cluster.c:486
486	    if (!l2_offset) {
Missing separate debuginfos, use: debuginfo-install alsa-lib-1.0.28-2.el7.x86_64 boost-system-1.53.0-24.el7.x86_64 boost-thread-1.53.0-24.el7.x86_64 bzip2-libs-1.0.6-13.el7.x86_64 celt051-0.5.1.3-8.el7.x86_64 cyrus-sasl-lib-2.1.26-19.2.el7.x86_64 cyrus-sasl-md5-2.1.26-19.2.el7.x86_64 cyrus-sasl-plain-2.1.26-19.2.el7.x86_64 cyrus-sasl-scram-2.1.26-19.2.el7.x86_64 dbus-libs-1.6.12-13.el7.x86_64 elfutils-libelf-0.163-2.el7.x86_64 elfutils-libs-0.163-2.el7.x86_64 flac-libs-1.3.0-5.el7_1.x86_64 glib2-2.42.2-4.el7.x86_64 glibc-2.17-105.el7.x86_64 glusterfs-api-3.7.1-11.el7.x86_64 glusterfs-libs-3.7.1-11.el7.x86_64 gmp-6.0.0-11.el7.x86_64 gnutls-3.3.8-12.el7_1.1.x86_64 gperftools-libs-2.4-2.el7.x86_64 gsm-1.0.13-11.el7.x86_64 json-c-0.11-4.el7_0.x86_64 keyutils-libs-1.5.8-3.el7.x86_64 krb5-libs-1.13.2-9.el7.x86_64 libICE-1.0.9-2.el7.x86_64 libSM-1.2.2-2.el7.x86_64 libX11-1.6.3-2.el7.x86_64 libXau-1.0.8-2.1.el7.x86_64 libXext-1.3.3-3.el7.x86_64 libXi-1.7.4-2.el7.x86_64 libXtst-1.2.2-2.1.el7.x86_64 libacl-2.2.51-12.el7.x86_64 libaio-0.3.109-13.el7.x86_64 libasyncns-0.8-7.el7.x86_64 libattr-2.4.46-12.el7.x86_64 libcap-2.22-8.el7.x86_64 libcom_err-1.42.9-7.el7.x86_64 libcurl-7.29.0-25.el7.x86_64 libdb-5.3.21-17.el7_0.1.x86_64 libffi-3.0.13-16.el7.x86_64 libgcc-4.8.5-4.el7.x86_64 libgcrypt-1.5.3-12.el7_1.1.x86_64 libgpg-error-1.12-3.el7.x86_64 libibverbs-1.1.8-6.el7.x86_64 libidn-1.28-4.el7.x86_64 libiscsi-1.9.0-6.el7.x86_64 libjpeg-turbo-1.2.90-5.el7.x86_64 libnl-1.1.4-3.el7.x86_64 libogg-1.3.0-7.el7.x86_64 libpng-1.5.13-5.el7.x86_64 librados2-0.80.7-3.el7.x86_64 librbd1-0.80.7-3.el7.x86_64 librdmacm-1.0.21-1.el7.x86_64 libseccomp-2.2.1-1.el7.x86_64 libselinux-2.2.2-6.el7.x86_64 libsndfile-1.0.25-10.el7.x86_64 libssh2-1.4.3-10.el7.x86_64 libstdc++-4.8.5-4.el7.x86_64 libtasn1-3.8-2.el7.x86_64 libunwind-1.1-5.el7.x86_64 libusbx-1.0.15-4.el7.x86_64 libuuid-2.23.2-26.el7.x86_64 libvorbis-1.3.3-8.el7.x86_64 libxcb-1.11-4.el7.x86_64 lzo-2.06-8.el7.x86_64 nettle-2.7.1-4.el7.x86_64 
nspr-4.10.8-1.el7_1.x86_64 nss-3.19.1-15.el7.x86_64 nss-softokn-freebl-3.16.2.3-14.el7.x86_64 nss-util-3.19.1-4.el7.x86_64 numactl-libs-2.0.9-5.el7_1.x86_64 openldap-2.4.40-5.el7.x86_64 openssl-libs-1.0.1e-42.el7_1.9.x86_64 p11-kit-0.20.7-3.el7.x86_64 pcre-8.32-15.el7.x86_64 pixman-0.32.6-3.el7.x86_64 pulseaudio-libs-6.0-6.el7.x86_64 snappy-1.1.0-3.el7.x86_64 spice-server-0.12.4-13.el7.x86_64 systemd-libs-219-13.el7.x86_64 tcp_wrappers-libs-7.6-77.el7.x86_64 trousers-0.3.13-1.el7.x86_64 usbredir-0.6-7.el7.x86_64 xz-libs-5.1.2-12alpha.el7.x86_64 zlib-1.2.7-15.el7.x86_64
(gdb) bt full
#0  0x0000555555807ce1 in qcow2_get_cluster_offset (bs=bs@entry=0x555556a3e000, offset=offset@entry=3084115968, num=num@entry=0x55555d079d84, 
    cluster_offset=cluster_offset@entry=0x55555d079d88) at block/qcow2-cluster.c:486
        s = 0x5555569e4a80
        l2_index = <optimized out>
        l1_index = 5
        l2_offset = <error reading variable l2_offset (Cannot access memory at address 0x28)>
        l2_table = 0x555556a3e000
        l1_bits = <optimized out>
        c = <optimized out>
        index_in_cluster = 112
        nb_clusters = <optimized out>
        nb_available = 267904
        nb_needed = 120
        ret = <optimized out>
#1  0x00005555557ffed5 in qcow2_co_readv (bs=0x555556a3e000, sector_num=6023664, remaining_sectors=8, qiov=0x5555583c6038) at block/qcow2.c:1166
        s = 0x5555569e4a80
        index_in_cluster = <optimized out>
        n1 = <optimized out>
        ret = <optimized out>
        cur_nr_sectors = 8
        cluster_offset = 0
        bytes_done = 0
        hd_qiov = {iov = 0x5555569279e0, niov = 0, nalloc = 1, size = 0}
        cluster_data = 0x0
        __PRETTY_FUNCTION__ = "qcow2_co_readv"
        __FUNCTION__ = "qcow2_co_readv"
#2  0x00005555557e250d in bdrv_aligned_preadv (bs=bs@entry=0x555556a3e000, req=req@entry=0x55555d079f00, offset=offset@entry=3084115968, bytes=bytes@entry=4096, 
    align=align@entry=512, qiov=qiov@entry=0x5555583c6038, flags=flags@entry=0) at block.c:3090
        total_sectors = 41943040
        max_nb_sectors = 35919376
        drv = 0x555555c98200 <bdrv_qcow2>
        ret = <optimized out>
        sector_num = 6023664
        nb_sectors = 8
        __PRETTY_FUNCTION__ = "bdrv_aligned_preadv"
#3  0x00005555557e2813 in bdrv_co_do_preadv (bs=bs@entry=0x555556a3e000, offset=3084115968, bytes=4096, qiov=0x5555583c6038, flags=(unknown: 0)) at block.c:3193
        drv = <optimized out>
        req = {bs = 0x555556a3e000, offset = 3084115968, bytes = 4096, is_write = false, serialising = false, overlap_offset = 3084115968, overlap_bytes = 4096, list = {
            le_next = 0x0, le_prev = 0x555556a41290}, co = 0x555556a1b180, wait_queue = {entries = {tqh_first = 0x0, tqh_last = 0x55555d079f40}}, waiting_for = 0x0}
        align = 512
        head_buf = 0x0
        tail_buf = 0x0
        local_qiov = {iov = 0x0, niov = 0, nalloc = 0, size = 0}
        use_local_qiov = false
        ret = <optimized out>
#4  0x00005555557e38ff in bdrv_co_do_readv (flags=<optimized out>, qiov=<optimized out>, nb_sectors=<optimized out>, sector_num=<optimized out>, bs=0x555556a3e000) at block.c:3215
No locals.
#5  bdrv_co_do_rw (opaque=0x5555569991f0) at block.c:4994
        acb = 0x5555569991f0
        bs = 0x555556a3e000
#6  0x00005555557ed82a in coroutine_trampoline (i0=<optimized out>, i1=<optimized out>) at coroutine-ucontext.c:80
        self = 0x555556a1b180
        co = 0x555556a1b180
#7  0x00007ffff0700110 in ?? () from /lib64/libc.so.6
No symbol table info available.
#8  0x00007fffffffd0e0 in ?? ()
No symbol table info available.
#9  0x0000000000000000 in ?? ()
No symbol table info available.


Expected results:
Quit without a fault.

Additional info:
Without an iothread enabled, qemu-kvm works well.
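The crashing frame reads s->l1_table[l1_index] at block/qcow2-cluster.c:486 with l1_index = 5, and gdb reports that it cannot access address 0x28, which is exactly 5 * sizeof(uint64_t) from a NULL base. That is consistent with the qcow2 state having been closed (L1 table freed and the pointer cleared) on the main thread while a read coroutine on the iothread was still in flight. The C program below is an added illustration of that ordering problem, not code from QEMU or from this bug's reporter: it models the driver state with a toy struct, reproduces the NULL-table access as a detected error instead of a dereference, and shows why draining pending requests before closing avoids it. All names (ToyQcowState, ToyImage, toy_quit_with_drain, the fake L2 offsets) are invented for the example; QEMU's real fix is not shown on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-in for the qcow2 driver state; only the L1 table matters here.
 * Invented for this example. */
typedef struct {
    uint64_t *l1_table;   /* close frees this and sets it to NULL */
    uint64_t  l1_size;
} ToyQcowState;

/* One in-flight read, standing in for a qcow2_co_readv coroutine that is
 * still parked on the iothread when the main loop handles "q". */
typedef struct {
    uint64_t l1_index;
    uint64_t l2_offset;   /* filled in when the request completes */
    int      rc;
} ToyRequest;

#define TOY_MAX_REQ 8
typedef struct {
    ToyQcowState state;
    ToyRequest   pending[TOY_MAX_REQ];
    size_t       n_pending;
} ToyImage;

/* Mirrors the access in the backtrace: l2_offset = s->l1_table[l1_index].
 * With l1_table == NULL and l1_index == 5 the load would touch address
 * 5 * sizeof(uint64_t) == 0x28, the address gdb could not read. Here the
 * NULL is detected instead of dereferenced. */
static int toy_get_cluster_offset(const ToyQcowState *s, uint64_t l1_index,
                                  uint64_t *l2_offset)
{
    if (s->l1_table == NULL) {
        return -1;            /* state already torn down: the bug's crash */
    }
    if (l1_index >= s->l1_size) {
        return -2;            /* out of range: would indicate a bad image */
    }
    *l2_offset = s->l1_table[l1_index];
    return 0;
}

/* Address the faulting load would touch for a NULL table at l1_index. */
static uintptr_t toy_null_table_fault_addr(uint64_t l1_index)
{
    return (uintptr_t)(l1_index * sizeof(uint64_t));
}

/* Complete every pending request, the analogue of waiting for in-flight
 * I/O (bdrv_drain). Returns how many requests observed torn-down state. */
static int toy_drain(ToyImage *img)
{
    int faults = 0;
    for (size_t i = 0; i < img->n_pending; i++) {
        ToyRequest *req = &img->pending[i];
        req->rc = toy_get_cluster_offset(&img->state, req->l1_index,
                                         &req->l2_offset);
        if (req->rc == -1) {
            faults++;
        }
    }
    img->n_pending = 0;
    return faults;
}

/* Analogue of the driver's close: free the L1 table and clear the pointer. */
static void toy_state_close(ToyQcowState *s)
{
    free(s->l1_table);
    s->l1_table = NULL;
    s->l1_size = 0;
}

/* Buggy ordering: close while reads are still in flight, then let the
 * reads run (as the iothread would). */
static int toy_quit_without_drain(ToyImage *img)
{
    toy_state_close(&img->state);
    return toy_drain(img);
}

/* Correct ordering: quiesce all I/O first, then close. */
static int toy_quit_with_drain(ToyImage *img)
{
    int faults = toy_drain(img);
    toy_state_close(&img->state);
    return faults;
}

/* Constructed scenario: an 8-entry L1 table and three reads queued during
 * boot, one of them at l1_index 5 like the crashing frame. */
static ToyImage *toy_image_with_boot_reads(void)
{
    ToyImage *img = calloc(1, sizeof(*img));
    img->state.l1_size = 8;
    img->state.l1_table = calloc(img->state.l1_size, sizeof(uint64_t));
    for (uint64_t i = 0; i < img->state.l1_size; i++) {
        img->state.l1_table[i] = (i + 1) * 0x10000;   /* fake L2 offsets */
    }
    const uint64_t indices[] = {5, 2, 7};
    for (size_t i = 0; i < 3; i++) {
        img->pending[img->n_pending++].l1_index = indices[i];
    }
    return img;
}

int main(void)
{
    ToyImage *a = toy_image_with_boot_reads();
    ToyImage *b = toy_image_with_boot_reads();
    printf("without drain: %d reads hit freed state (fault addr for idx 5: 0x%lx)\n",
           toy_quit_without_drain(a), (unsigned long)toy_null_table_fault_addr(5));
    printf("with drain:    %d reads hit freed state\n", toy_quit_with_drain(b));
    free(a);
    free(b);
    return 0;
}
```

The point of the model is the ordering: whatever owns the per-image state must wait for every outstanding request on the iothread to finish (or be cancelled) before it frees that state, otherwise the late request walks a freed or cleared table. The 0x28 check is a quick triage habit: when gdb reports a tiny unmapped address, divide by the element size of the array being indexed and compare against the index in the frame; a match means the base pointer was NULL, not a wild pointer.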

Comment 2 Stefan Hajnoczi 2016-06-03 23:36:03 UTC
I am unable to reproduce this in qemu-kvm-rhev-2.6.0-4.el7 for RHEL 7.3.

Comment 4 FuXiangChun 2016-09-08 10:59:06 UTC
Verified with qemu-kvm-rhev-2.6.0-23:

/usr/libexec/qemu-kvm -boot menu=on -m 2G -vnc :1 -object iothread,id=iothread0 -drive file=rbd:libvirt-pool/rhel.raw:mon_host=10.66.144.26,format=raw,if=none,id=drive-scsi-disk0,cache=none,werror=stop,rerror=stop -device virtio-blk-pci,id=scsi0,iothread=iothread0,drive=drive-scsi-disk0 -qmp tcp:0:6666,server,nowait -monitor stdio

{"execute": "query-iothreads"}
{"return": [{"thread-id": 38840, "id": "iothread0"}]}

(qemu) q

Result: works.

Comment 7 errata-xmlrpc 2016-11-07 20:38:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2673.html