Bug 1352865

Summary: Boot guest with two virtio-scsi-pci devices and spice, QEMU core dump after executing '(qemu)__com.redhat_drive_add'

Product: Red Hat Enterprise Linux 7
Component: qemu-kvm-rhev
Version: 7.3
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Target Milestone: rc
Target Release: ---
Keywords: Regression
Reporter: Pei Zhang <pezhang>
Assignee: Markus Armbruster <armbru>
QA Contact: FuXiangChun <xfu>
CC: chayang, juzhang, knoel, michen, mrezanin, pezhang, virt-maint, xfu
Fixed In Version: qemu-kvm-rhev-2.6.0-16.el7
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2016-11-07 21:21:18 UTC

Description Pei Zhang 2016-07-05 10:13:44 UTC
Description of problem:
Boot guest with two virtio-scsi-pci devices and spice, qemu will core dump after executing '(qemu) __com.redhat_drive_add'.

Seems spice, virtio-scsi-pci and __com.redhat_drive_add cannot work together well.

Version-Release number of selected component (if applicable):
Host:
3.10.0-456.el7.x86_64
qemu-kvm-rhev-2.6.0-11.el7.x86_64

Guest:
3.10.0-456.el7.x86_64

How reproducible:
8/10

Steps to Reproduce:
1. Boot guest with two virtio-scsi-pci devices and spice
/usr/libexec/qemu-kvm -name rhel7.3_scsi \
-m 4G \
-smp 4,sockets=1,cores=4,threads=1 \
-cpu host \
-monitor stdio \
-spice port=5902,addr=0.0.0.0,disable-ticketing,image-compression=off,seamless-migration=on \
-device virtio-scsi-pci,id=scsi0,bus=pci.0 \
-drive file=/home/rhel7.3_blk_0701.qcow2,format=qcow2,if=none,id=drive-virtio-scsi0 \
-device scsi-disk,drive=drive-virtio-scsi0,bus=scsi0.0,scsi-id=0,lun=0,id=scsi-disk0 \
-device virtio-scsi-pci,id=scsi1,bus=pci.0 \
-drive file=/home/data1.qcow2,format=qcow2,if=none,id=drive-virtio-scsi1 \
-device scsi-disk,drive=drive-virtio-scsi1,bus=scsi1.0,scsi-id=0,lun=0,id=scsi-disk1 \

2. Execute '(qemu) __com.redhat_drive_add'; qemu will core dump
(qemu) __com.redhat_drive_add 
Segmentation fault (core dumped)

Actual results:
qemu core dump.

Expected results:
qemu should not core dump.

Additional info:
1. More tests related to this bug:
(1) With the step 1 qemu command line without '-spice', qemu works well.

(2) With the step 1 qemu command line using only one virtio-scsi-pci device, as below, qemu works well.
...
-spice port=5902,addr=0.0.0.0,disable-ticketing,image-compression=off,seamless-migration=on \
-device virtio-scsi-pci,id=scsi0,bus=pci.0 \
-drive file=/home/rhel7.3_blk_0701.qcow2,format=qcow2,if=none,id=drive-virtio-scsi0 \
-device scsi-disk,drive=drive-virtio-scsi0,bus=scsi0.0,scsi-id=0,lun=0,id=scsi-disk0 \
-drive file=/home/data1.qcow2,format=qcow2,if=none,id=drive-virtio-scsi1 \
-device scsi-disk,drive=drive-virtio-scsi1,bus=scsi0.0,scsi-id=0,lun=1,id=scsi-disk1 \

2. gdb info
(qemu) __com.redhat_drive_add

Program received signal SIGSEGV, Segmentation fault.
0x00007fffec602536 in __strcmp_sse42 () from /lib64/libc.so.6
...
(gdb) bt 
#0  0x00007fffec602536 in __strcmp_sse42 () from /lib64/libc.so.6
#1  0x0000555555984d24 in qdict_find (qdict=qdict@entry=0x555556bddf80, key=key@entry=0x555555a19622 "id", 
    bucket=<optimized out>) at qobject/qdict.c:110
#2  0x0000555555985106 in qdict_haskey (qdict=qdict@entry=0x555556bddf80, key=key@entry=0x555555a19622 "id")
    at qobject/qdict.c:168
#3  0x00005555557c0b11 in simple_drive_add (qdict=0x555556bddf80, ret_data=<optimized out>, errp=0x0)
    at device-hotplug.c:128
#4  0x00005555556f7e5e in handle_hmp_command (mon=mon@entry=0x555556bddf80, cmdline=0x555557d2c016 "")
    at /usr/src/debug/qemu-2.6.0/monitor.c:2920
#5  0x00005555556f94e7 in monitor_command_cb (opaque=0x555556bddf80, cmdline=<optimized out>, 
    readline_opaque=<optimized out>) at /usr/src/debug/qemu-2.6.0/monitor.c:3969
#6  0x0000555555998dff in readline_handle_byte (rs=0x555557d2c000, ch=<optimized out>) at util/readline.c:393
#7  0x00005555556f8097 in monitor_read (opaque=<optimized out>, buf=<optimized out>, size=<optimized out>)
    at /usr/src/debug/qemu-2.6.0/monitor.c:3952
#8  0x00005555557c556f in fd_chr_read (chan=<optimized out>, cond=<optimized out>, opaque=0x555556bf5c20)
    at qemu-char.c:1033
#9  0x00007fffed301d7a in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#10 0x00005555558f9b50 in glib_pollfds_poll () at main-loop.c:213
#11 os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:258
#12 main_loop_wait (nonblocking=<optimized out>) at main-loop.c:506
#13 0x00005555556c28cf in main_loop () at vl.c:1934
#14 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4667
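
The backtrace above carries one detail worth checking on any crash of this shape: the same address 0x555556bddf80 is passed as `qdict` in frames #1 to #3 and as `mon` in frame #4 (and `opaque` in #5), while the crash is a strcmp inside qdict_find. The following script is an added triage helper, not part of the bug report or of QEMU: it parses a gdb `bt` and flags every pointer that reaches different callees under different parameter names, which is the signature of a Monitor (or any other object) being read as if it were a QDict. The embedded backtrace is a constructed excerpt of the trace in the report; the conclusion the script prints is a lead to verify in the source, not a proven root cause.

```python
"""Flag one pointer value passed under several parameter names in a gdb backtrace.

Added triage helper (not from the bug report): groups every `name=0x...`
argument by address and reports addresses that appear under more than one
parameter name, e.g. the same pointer seen as `mon` in one frame and as
`qdict` in its callee.
"""
import re
from collections import defaultdict

# Constructed excerpt of the backtrace from the report (frames #0-#6),
# including gdb's continuation lines.
SAMPLE_BT = """\
#0  0x00007fffec602536 in __strcmp_sse42 () from /lib64/libc.so.6
#1  0x0000555555984d24 in qdict_find (qdict=qdict@entry=0x555556bddf80, key=key@entry=0x555555a19622 "id",
    bucket=<optimized out>) at qobject/qdict.c:110
#2  0x0000555555985106 in qdict_haskey (qdict=qdict@entry=0x555556bddf80, key=key@entry=0x555555a19622 "id")
    at qobject/qdict.c:168
#3  0x00005555557c0b11 in simple_drive_add (qdict=0x555556bddf80, ret_data=<optimized out>, errp=0x0)
    at device-hotplug.c:128
#4  0x00005555556f7e5e in handle_hmp_command (mon=mon@entry=0x555556bddf80, cmdline=0x555557d2c016 "")
    at /usr/src/debug/qemu-2.6.0/monitor.c:2920
#5  0x00005555556f94e7 in monitor_command_cb (opaque=0x555556bddf80, cmdline=<optimized out>,
    readline_opaque=<optimized out>) at /usr/src/debug/qemu-2.6.0/monitor.c:3969
#6  0x0000555555998dff in readline_handle_byte (rs=0x555557d2c000, ch=<optimized out>) at util/readline.c:393
"""

# "#N  [0xADDR in ]func (args...) [at|from location]" -- args may span lines.
FRAME_RE = re.compile(
    r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?([\w.]+)\s*\((.*?)\)(?:\s+(?:at|from)\s.*)?\s*\Z",
    re.S,
)
# "name=0x..." and gdb's "name=name@entry=0x..." forms; the name is group 1.
ARG_RE = re.compile(r"(\w+)(?:=\w+@entry)?=(0x[0-9a-fA-F]+)")


def parse_frames(bt_text):
    """Return [(frame_no, function, {param: pointer_value})] for each frame."""
    frames = []
    for chunk in re.split(r"\n(?=#\d+\s)", bt_text.strip()):
        m = FRAME_RE.match(chunk)
        if not m:
            continue  # not a frame line (e.g. a stray "(gdb)" prompt)
        no, func, args = int(m.group(1)), m.group(2), m.group(3)
        frames.append((no, func, dict(ARG_RE.findall(args))))
    return frames


def pointer_aliases(frames, ignore_null=True):
    """Map pointer -> {param_name: [frames]} for pointers seen under >1 name."""
    seen = defaultdict(lambda: defaultdict(list))
    for no, func, ptrs in frames:
        for name, val in ptrs.items():
            if ignore_null and int(val, 16) == 0:
                continue  # NULL is legitimately passed under many names
            seen[val][name].append(f"#{no} {func}")
    return {val: dict(names) for val, names in seen.items() if len(names) > 1}


def report(bt_text):
    """Human-readable summary; empty string when nothing is suspicious."""
    lines = []
    for val, names in pointer_aliases(parse_frames(bt_text)).items():
        lines.append(f"{val} passed under {len(names)} different parameter names:")
        for name, where in names.items():
            lines.append(f"  as {name!r} in {', '.join(where)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_BT) or "no pointer passed under more than one name")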

Comment 1 Pei Zhang 2016-07-05 10:19:03 UTC
Additional info (continued):
3. With the step 1 qemu command line, QMP works well.
{"execute":"__com.redhat_drive_add", "arguments":{"file":"/home/data2.qcow2","id":"test31"}}
{"return": {}}

Comment 3 Markus Armbruster 2016-07-21 14:16:41 UTC
I suspect this is duplicate of bug 1341531.  We fixed that one in
qemu-kvm-rhev-2.6.0-12.el7.  Could you please retest this bug with that
version?  If it appears to be fixed there, also testing the version before
would be nice.

Comment 4 Pei Zhang 2016-07-22 09:40:03 UTC
(In reply to Markus Armbruster from comment #3)
> I suspect this is duplicate of bug 1341531.  We fixed that one in
> qemu-kvm-rhev-2.6.0-12.el7.  Could you please retest this bug with that
> version?  If it appears to be fixed there, also testing the version before
> would be nice.

Hi Markus,

This issue still exists in the latest qemu version, and it first showed up in qemu-kvm-rhev-2.6.0-1.el7.x86_64.

Testing results summary:
(1) qemu-kvm-rhev-2.6.0-15.el7.x86_64   core dump
(2) qemu-kvm-rhev-2.6.0-12.el7.x86_64   core dump
(3) qemu-kvm-rhev-2.6.0-1.el7.x86_64    core dump
(4) qemu-kvm-rhev-2.5.0-4.el7.x86_64    work

Best Regards,
Pei

Comment 6 Markus Armbruster 2016-07-22 13:45:13 UTC
I think I see what's wrong.  Thanks!

Comment 7 Miroslav Rezanina 2016-07-26 06:56:52 UTC
Fix included in qemu-kvm-rhev-2.6.0-16.el7

Comment 9 FuXiangChun 2016-09-08 07:11:30 UTC
Reproduced this bug with qemu-kvm-rhev-2.6.0-15.el7.x86_64.

cli: line 8: 37443 Segmentation fault      (core dumped) /usr/libexec/qemu-kvm -monitor stdio -boot menu=on -m 2G -vnc :1 -drive file=ff.raw,if=none,id=fdc0-0-0,media=disk,snapshot=off,readonly=off,format=raw -global isa-fdc.driveA=fdc0-0-0 -spice port=5902,addr=0.0.0.0,disable-ticketing,image-compression=off,seamless-migration=on -device virtio-scsi-pci,id=scsi0,bus=pci.0 -drive file=rbd:libvirt-pool/rhel.raw:mon_host=10.66.144.26,format=raw,if=none,id=drive-virtio-scsi0 -device scsi-disk,drive=drive-virtio-scsi0,bus=scsi0.0,scsi-id=0,lun=0,id=scsi-disk0 -device virtio-scsi-pci,id=scsi1,bus=pci.0 -drive file=/home/data1.qcow2,format=qcow2,if=none,id=drive-virtio-scsi1 -device scsi-disk,drive=drive-virtio-scsi1,bus=scsi1.0,scsi-id=0,lun=0,id=scsi-disk1

Verified the bug with qemu-kvm-rhev-2.6.0-23.el7.x86_64.

qemu-kvm-rhev and guest work well when executing "__com.redhat_drive_add".

So, this bug is fixed.

Comment 11 errata-xmlrpc 2016-11-07 21:21:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2673.html