Bug 1009285 - -device usb-storage,serial=... crashes with SCSI generic drive
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Markus Armbruster
QA Contact: Virtualization Bugs
Blocks: 1013478
Reported: 2013-09-18 06:36 UTC by Markus Armbruster
Modified: 2014-06-18 03:37 UTC (History)

Fixed In Version: qemu-kvm-1.5.3-10.el7
Doc Type: Bug Fix
: 1013478 (view as bug list)
Last Closed: 2014-06-13 10:35:45 UTC

Description Markus Armbruster 2013-09-18 06:36:40 UTC
Description of problem:
Attempting to set usb-storage property serial crashes when property
drive refers to a SCSI generic device.

How reproducible:
Always

Steps to Reproduce:
1. qemu-kvm -nodefaults -display none -S -usb -drive if=none,file=/dev/sg1,id=usb-drv0 -device usb-storage,id=usb-msd0,drive=usb-drv0,serial=123

Actual results:
qemu-kvm: -device usb-storage,id=usb-msd0,drive=usb-drv0,serial=123: Property '.serial' not found
Aborted (core dumped)

Expected results:
Property serial is ignored.

Additional info:
Need upstream commit c24e751.

Comment 1 Markus Armbruster 2013-09-18 06:37:58 UTC
I suspect the crash was introduced by the patch for bug 947411.

Comment 3 Sibiao Luo 2013-09-30 07:49:21 UTC
Reproduced this issue on kernel-3.10.0-28.el7.x86_64 and qemu-kvm-rhev-1.5.3-6.el7.x86_64: attempting to set usb-storage property serial crashes when property drive refers to a SCSI generic device.

host info:
# uname -r && rpm -q qemu-kvm-rhev
3.10.0-28.el7.x86_64
qemu-kvm-rhev-1.5.3-6.el7.x86_64


Steps:
1. Insert a USB stick into the host and display the mapping between Linux sg and other SCSI devices.
# sg_map
/dev/sg0  /dev/sda
/dev/sg1  /dev/sr0
/dev/sg2  /dev/sdb
2. Boot the guest, setting usb-storage property serial while property drive refers to a SCSI generic device.
# /usr/libexec/qemu-kvm -nodefaults -vga qxl -S -usb -drive if=none,file=/dev/sg2,id=usb-drv0 -device usb-storage,id=usb-msd0,drive=usb-drv0,serial=0x123 -monitor stdio

Results:
After step 2, QEMU dumps core and quits.
(gdb) bt
#0  0x00007ffff32e3999 in raise () from /lib64/libc.so.6
#1  0x00007ffff32e50a8 in abort () from /lib64/libc.so.6
#2  0x000055555584f2ea in assert_no_error (err=<optimized out>) at qobject/qerror.c:128
#3  0x000055555563cdb6 in qdev_prop_set_string (dev=dev@entry=0x55555655f720, name=name@entry=0x55555586fad2 "serial", 
    value=value@entry=0x55555656a230 "0x123") at hw/core/qdev-properties.c:1049
#4  0x000055555568af60 in scsi_bus_legacy_add_drive (bus=bus@entry=0x555556592398, bdrv=bdrv@entry=0x5555564d3430, 
    unit=unit@entry=0, removable=<optimized out>, bootindex=-1, serial=0x55555656a230 "0x123") at hw/scsi/scsi-bus.c:227
#5  0x000055555569f4ae in usb_msd_initfn_storage (dev=0x555556590cb0) at hw/usb/dev-storage.c:627
#6  0x0000555555694ffb in usb_device_init (dev=0x555556590cb0) at hw/usb/bus.c:97
#7  usb_qdev_init (qdev=0x555556590cb0) at hw/usb/bus.c:214
#8  0x000055555563dda1 in device_realize (dev=0x555556590cb0, err=0x7fffffffde50) at hw/core/qdev.c:178
#9  0x000055555563f30b in device_set_realized (obj=0x555556590cb0, value=<optimized out>, err=0x7fffffffdf60)
    at hw/core/qdev.c:699
#10 0x00005555556fd5fe in property_set_bool (obj=0x555556590cb0, v=<optimized out>, opaque=0x5555565675f0, 
    name=<optimized out>, errp=0x7fffffffdf60) at qom/object.c:1301
#11 0x00005555556ffee7 in object_property_set_qobject (obj=0x555556590cb0, value=<optimized out>, 
    name=0x55555587112d "realized", errp=0x7fffffffdf60) at qom/qom-qobject.c:24
#12 0x00005555556fee80 in object_property_set_bool (obj=obj@entry=0x555556590cb0, value=value@entry=true, 
    name=name@entry=0x55555587112d "realized", errp=errp@entry=0x7fffffffdf60) at qom/object.c:852
#13 0x000055555563e2ba in qdev_init (dev=dev@entry=0x555556590cb0) at hw/core/qdev.c:163
#14 0x00005555556ea95b in qdev_device_add (opts=0x5555564ce9d0) at qdev-monitor.c:497
#15 0x000055555572f839 in device_init_func (opts=<optimized out>, opaque=<optimized out>) at vl.c:2353
#16 0x000055555585f14b in qemu_opts_foreach (list=<optimized out>, func=func@entry=0x55555572f820 <device_init_func>, 
    opaque=opaque@entry=0x0, abort_on_failure=abort_on_failure@entry=1) at util/qemu-option.c:1164
#17 0x00005555555c4cd6 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4352
(gdb)
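
The failure mode visible in the backtrace, next to the expected behaviour from the description ("Property serial is ignored"), as a simplified C model added here; it is not QEMU source and not part of the original report. The struct dev type, both device tables and all function names are constructed for illustration, and the unchecked path runs in a forked child so the abort can be observed without killing the caller.

```c
/* Simplified model, constructed for illustration; not QEMU source. */
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
struct dev { const char *type; const char *names[3]; const char *values[3]; };
/* Constructed device types: only the disk type has a "serial" property. */
struct dev generic = { "scsi-generic", { "drive" }, { 0 } };
struct dev disk    = { "scsi-disk", { "drive", "serial" }, { 0 } };

/* Slot of the named property, or -1 if this device type lacks it. */
int prop_find(const struct dev *d, const char *name) {
    for (int i = 0; i < 3 && d->names[i]; i++)
        if (strcmp(d->names[i], name) == 0) return i;
    return -1;
}

/* Fatal-on-failure setter, like assert_no_error() in frame #2. */
void prop_set_or_abort(struct dev *d, const char *name, const char *v) {
    int i = prop_find(d, name);
    if (i < 0) abort();
    d->values[i] = v;
}

/* Before: the user-supplied serial is forwarded unconditionally. */
void add_drive_unchecked(struct dev *d, const char *serial) {
    if (serial) prop_set_or_abort(d, "serial", serial);
}

/* After: serial is ignored (0) unless the device has the property (1). */
int add_drive_checked(struct dev *d, const char *serial) {
    if (!serial || prop_find(d, "serial") < 0) return 0;
    prop_set_or_abort(d, "serial", serial);
    return 1;
}

/* Runs the unchecked path in a child; returns its fatal signal, 0 or -1. */
int unchecked_signal(struct dev *d, const char *serial) {
    int st = 0;
    pid_t pid = fork();
    if (pid == 0) { add_drive_unchecked(d, serial); _exit(0); }
    if (pid < 0 || waitpid(pid, &st, 0) < 0) return -1;
    return WIFSIGNALED(st) ? WTERMSIG(st) : 0;
}

int main(void) {
    return unchecked_signal(&generic, "123") == SIGABRT ? 0 : 1;
}
```

The general point for device-model code is that a setter which aborts on failure is only safe when the property is guaranteed to exist; a value that originates from the command line needs an existence check or a propagated error instead.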

Comment 4 Miroslav Rezanina 2013-10-17 10:01:06 UTC
Fix included in qemu-kvm-1.5.3-10.el7

Comment 6 Xu Han 2013-11-05 08:10:57 UTC
Reproduced this bug with component:
qemu-kvm-rhev-1.5.3-8.el7.x86_64

Steps:
1. Insert a USB stick into the host and display the mapping between Linux sg and other SCSI devices.
# sg_map
/dev/sg0  /dev/sda
/dev/sg1  /dev/sr0
/dev/sg2  /dev/sdb

2. Boot the guest, setting usb-storage property serial while property drive refers to a SCSI generic device.
# /usr/libexec/qemu-kvm -nodefaults -vga qxl -S -usb -drive if=none,file=/dev/sg2,id=usb-drv0 -device usb-storage,id=usb-msd0,drive=usb-drv0,serial=0x123 -monitor stdio

Result:
After step 2, QEMU dumps core and quits.
(qemu) qemu-kvm: -device usb-storage,id=usb-msd0,drive=usb-drv0,serial=0x123: Property '.serial' not found
Aborted (core dumped)

Verified this bug with component:
qemu-kvm-rhev-1.5.3-11.el7.x86_64

Same steps as above.

Result:
After step 2, QEMU does not dump core.
(qemu) c
(qemu) info status 
VM status: running

According to the above test result, this bug has been fixed.

Comment 8 Ludek Smid 2014-06-13 10:35:45 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

