Bug 1672029

Summary: qemu-kvm segment fault when reading a disconnected virtio disk with rerror=stop
Product: Red Hat Enterprise Linux 7
Reporter: Han Han <hhan>
Component: qemu-kvm
Assignee: Ademar Reis <areis>
Status: CLOSED DEFERRED
QA Contact: Virtualization Bugs <virt-bugs>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.7
CC: virt-maint
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1672028
Environment:
Last Closed: 2019-02-04 16:44:42 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1478227, 1672028, 1672031
Bug Blocks:

Description Han Han 2019-02-03 10:05:53 UTC
reproduced on:
libvirt-4.5.0-10.el7_6.3.x86_64
qemu-kvm-rhev-2.12.0-21.el7.x86_64

+++ This bug was initially created as a clone of Bug #1672028 +++

Description of problem:
As subject

Version-Release number of selected component (if applicable):
qemu-kvm-2.12.0-60.module+el8+2749+88f75c21.x86_64
libvirt-4.5.0-20.module+el8+2724+8292f19c.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Prepare a qemu-nbd server:
# qemu-nbd -t /tmp/scsi
WARNING: Image format was not specified for '/tmp/scsi' and probing guessed raw.
         Automatically detecting the format is dangerous for raw images,

2. Start a vm with nbd disk, set rerror=stop:
Disk xml:
    <disk type='network' device='disk'>
      <driver name='qemu' type='raw' rerror_policy='stop'/>
      <source protocol='nbd'>
        <host name='localhost' port='10809'/>
      </source>
      <target dev='sda' bus='sata'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>


Qemu cmdline:
/usr/libexec/qemu-kvm -name guest=a1,debug-threads=on -S -object secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-7-a1/master-key.aes -machine pc-i440fx-rhel7.6.0,accel=kvm,usb=off,dump-guest-core=off -cpu Skylake-Server-IBRS,ss=on,hypervisor=on,tsc_adjust=on,clflushopt=on,umip=on,pku=on,stibp=on,ssbd=on -m 1024 -realtime mlock=off -smp 2,sockets=2,cores=1,threads=1 -uuid 833e62e6-d894-4670-bc98-6f36f3d83f89 -no-user-config -nodefaults -chardev socket,id=charmonitor,fd=30,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=delay -no-hpet -no-shutdown -global PIIX4_PM.disable_s3=1 -global PIIX4_PM.disable_s4=1 -boot strict=on -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x4.0x7 -device ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pci.0,multifunction=on,addr=0x4 -device ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pci.0,addr=0x4.0x1 -device ich9-usb-uhci3,masterbus=usb.0,firstport=4,bus=pci.0,addr=0x4.0x2 -device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x8 -drive file=/var/lib/avocado/data/avocado-vt/images/jeos-27-x86_64-clone.qcow2,format=qcow2,if=none,id=drive-virtio-disk0 -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x5,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -drive file=nbd:localhost:10809,format=raw,if=none,id=drive-virtio-disk1,rerror=stop -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x7,drive=drive-virtio-disk1,id=virtio-disk1 -netdev tap,fd=32,id=hostnet0,vhost=on,vhostfd=33 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:02:91:4a,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -device usb-tablet,id=input0,bus=usb.0,port=1 -vnc 127.0.0.1:0 -device cirrus-vga,id=video0,bus=pci.0,addr=0x2 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x6 -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny -msg timestamp=on


3. Kill the nbd-server and do some reading from the disk
# killall qemu-nbd

(vm) # dd if=/dev/vdb of=file

VM will crash

Backtrace:
(gdb) bt
#0  0x000055b39fd1e0de in aio_co_schedule (ctx=0x55b3a1b28c40, co=0x0) at util/async.c:444                                                                                 
#1  0x000055b39fc67b49 in bdrv_attach_aio_context (bs=0x55b3a1b7abc0, new_context=new_context@entry=0x55b3a1b28c40) at block.c:4969                                        
#2  0x000055b39fc67b27 in bdrv_attach_aio_context (bs=bs@entry=0x55b3a1b74580, new_context=new_context@entry=0x55b3a1b28c40) at block.c:4966                               
#3  0x000055b39fc67c51 in bdrv_set_aio_context (bs=0x55b3a1b74580, new_context=0x55b3a1b28c40) at block.c:5002                                                             
#4  0x000055b39fc98f1c in blk_set_aio_context (blk=<optimized out>, new_context=<optimized out>) at block/block-backend.c:1909                                             
#5  0x000055b39fa63a02 in virtio_blk_data_plane_stop (vdev=<optimized out>)
    at /usr/src/debug/qemu-kvm-2.12.0-60.module+el8+2749+88f75c21.x86_64/hw/block/dataplane/virtio-blk.c:286                                                               
#6  0x000055b39fc001ff in virtio_bus_stop_ioeventfd (bus=0x55b3a2c88438) at hw/virtio/virtio-bus.c:246                                                                     
#7  0x000055b39fa8bd9e in virtio_vmstate_change (opaque=0x55b3a2c884b0, running=0, state=<optimized out>)                                                                  
    at /usr/src/debug/qemu-kvm-2.12.0-60.module+el8+2749+88f75c21.x86_64/hw/virtio/virtio.c:2219                                                                           
#8  0x000055b39fb19a9f in vm_state_notify (running=0, state=RUN_STATE_IO_ERROR) at vl.c:1643                                                                               
#9  0x000055b39fa2d17a in do_vm_stop (state=RUN_STATE_IO_ERROR, send_stop=<optimized out>) at /usr/src/debug/qemu-kvm-2.12.0-60.module+el8+2749+88f75c21.x86_64/cpus.c:1012
#10 0x000055b39f9ea531 in main_loop_should_exit () at vl.c:1950
#11 main_loop () at vl.c:1968
#12 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4789  



Actual results:
As above

Expected results:
No segmentation fault

Additional info:
Not reproduced on scsi, ide, sata disks
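The backtrace in the report is the most useful artifact for triage: frame #0 shows `aio_co_schedule()` being handed `co=0x0`, i.e. a NULL coroutine pointer reached through the virtio-blk dataplane stop path while the VM transitions to RUN_STATE_IO_ERROR. The following is an added example (not code from the bug report or from QEMU) that parses a gdb `bt` listing of exactly this shape, re-attaches the `at file:line` lines gdb wraps onto a following line, and flags pointer arguments printed as NULL so the faulting frame and its suspicious argument can be picked out mechanically. The sample input is the backtrace copied from the report above; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# gdb backtrace copied verbatim from the bug report (comment 0), including the
# lines gdb wrapped onto a following line.
BACKTRACE = """\
(gdb) bt
#0  0x000055b39fd1e0de in aio_co_schedule (ctx=0x55b3a1b28c40, co=0x0) at util/async.c:444
#1  0x000055b39fc67b49 in bdrv_attach_aio_context (bs=0x55b3a1b7abc0, new_context=new_context@entry=0x55b3a1b28c40) at block.c:4969
#2  0x000055b39fc67b27 in bdrv_attach_aio_context (bs=bs@entry=0x55b3a1b74580, new_context=new_context@entry=0x55b3a1b28c40) at block.c:4966
#3  0x000055b39fc67c51 in bdrv_set_aio_context (bs=0x55b3a1b74580, new_context=0x55b3a1b28c40) at block.c:5002
#4  0x000055b39fc98f1c in blk_set_aio_context (blk=<optimized out>, new_context=<optimized out>) at block/block-backend.c:1909
#5  0x000055b39fa63a02 in virtio_blk_data_plane_stop (vdev=<optimized out>)
    at /usr/src/debug/qemu-kvm-2.12.0-60.module+el8+2749+88f75c21.x86_64/hw/block/dataplane/virtio-blk.c:286
#6  0x000055b39fc001ff in virtio_bus_stop_ioeventfd (bus=0x55b3a2c88438) at hw/virtio/virtio-bus.c:246
#7  0x000055b39fa8bd9e in virtio_vmstate_change (opaque=0x55b3a2c884b0, running=0, state=<optimized out>)
    at /usr/src/debug/qemu-kvm-2.12.0-60.module+el8+2749+88f75c21.x86_64/hw/virtio/virtio.c:2219
#8  0x000055b39fb19a9f in vm_state_notify (running=0, state=RUN_STATE_IO_ERROR) at vl.c:1643
#9  0x000055b39fa2d17a in do_vm_stop (state=RUN_STATE_IO_ERROR, send_stop=<optimized out>) at /usr/src/debug/qemu-kvm-2.12.0-60.module+el8+2749+88f75c21.x86_64/cpus.c:1012
#10 0x000055b39f9ea531 in main_loop_should_exit () at vl.c:1950
#11 main_loop () at vl.c:1968
#12 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4789
"""

# One gdb frame: "#N  [0xADDR in ]func (args)[ at file:line]".  The address is
# absent for frames gdb prints without one (e.g. "#11 main_loop () at vl.c:1968").
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+"
    r"(?:(?P<addr>0x[0-9a-fA-F]+)\s+in\s+)?"
    r"(?P<func>[A-Za-z_][A-Za-z0-9_]*)\s*"
    r"\((?P<args>.*)\)"
    r"(?:\s+at\s+(?P<file>\S+):(?P<line>\d+))?\s*$"
)


@dataclass
class Frame:
    num: int
    addr: Optional[str]
    func: str
    args: Dict[str, str]        # argument name -> value text as gdb printed it
    file: Optional[str]
    line: Optional[int]

    def null_args(self) -> List[str]:
        """Names of arguments gdb printed as a NULL pointer (0x0).

        Handles the 'name=name@entry=0x...' form by looking at the last '='."""
        return [n for n, v in self.args.items() if v.rsplit("=", 1)[-1] == "0x0"]


def _join_wrapped(lines: List[str]) -> List[str]:
    """Re-attach continuation lines (no leading '#') to the frame before them."""
    frames: List[str] = []
    for ln in lines:
        if ln.startswith("#"):
            frames.append(ln.rstrip())
        elif frames and ln.strip():
            frames[-1] += " " + ln.strip()
        # Anything before the first frame (e.g. the "(gdb) bt" prompt) is dropped.
    return frames


def parse_backtrace(text: str) -> List[Frame]:
    frames: List[Frame] = []
    for raw in _join_wrapped(text.splitlines()):
        m = FRAME_RE.match(raw)
        if not m:
            raise ValueError(f"unrecognised frame: {raw!r}")
        args: Dict[str, str] = {}
        if m["args"].strip():
            for a in m["args"].split(", "):
                name, _, value = a.partition("=")   # keep '@entry=...' in the value
                args[name] = value
        frames.append(Frame(int(m["num"]), m["addr"], m["func"], args, m["file"],
                            int(m["line"]) if m["line"] else None))
    return frames


def summarize(text: str) -> dict:
    """Triage view: where it crashed, which arguments were NULL, and the call chain."""
    frames = parse_backtrace(text)
    top = frames[0]
    return {
        "function": top.func,
        "location": f"{top.file}:{top.line}",
        "null_args": top.null_args(),
        "depth": len(frames),
        "chain": [f.func for f in frames],
    }


if __name__ == "__main__":
    print(summarize(BACKTRACE))
```

Run against the report's backtrace, the summary points at `util/async.c:444` in `aio_co_schedule` with `co` as the NULL argument, and the call chain shows the path from `do_vm_stop` through `virtio_blk_data_plane_stop` and `bdrv_attach_aio_context`, which is the context a triager needs before deciding whether the null-coroutine case is reachable in other stop paths.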