Bug 1020666 - reboot guest cause qemu-kvm core dump after hot-plug not-existent image to guest
Summary: reboot guest cause qemu-kvm core dump after hot-plug not-existent image to guest
Keywords:
Status: CLOSED DUPLICATE of bug 1046248
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm
Version: 7.0
Hardware: x86_64
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Markus Armbruster
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-10-18 06:53 UTC by FuXiangChun
Modified: 2014-01-21 15:04 UTC
CC List: 6 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-01-21 13:49:54 UTC
Target Upstream Version:
Embargoed:



Description FuXiangChun 2013-10-18 06:53:31 UTC
Description of problem:
First, boot the guest. Second, hot-plug a non-existent image to the guest. Last, reboot the guest. qemu-kvm will core dump (Segmentation fault).

Version-Release number of selected component (if applicable):
qemu-kvm-1.5.3-9.el7.x86_64
3.10.0-35.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. /usr/libexec/qemu-kvm -name 'linux-guest' -nodefaults -m 20G -smp 8,cores=4,threads=2,sockets=1 -M q35 -cpu SandyBridge \
-rtc base=utc,clock=host,driftfix=slew -k en-us -boot menu=on -monitor stdio -vnc :1 -spice disable-ticketing,port=5931 -vga qxl -qmp tcp:0:5555,server,nowait \
-drive file=/home/rng-RHEL7.0.qcow2_v3,if=none,id=drive-virtio-disk,format=qcow2,cache=none,werror=stop,rerror=stop \
-device virtio-blk-pci,scsi=off,drive=drive-virtio-disk,id=disk0,bootindex=1  -device \
virtio-scsi-pci,id=bus1 -balloon virtio -monitor unix:/tmp/monitor2,server,nowait

2. hot-plug a non-existent image to guest
(qemu) drive_add pci_addr=auto file=/home/disk/disk0.qcow2,format=qcow2,media=disk,id=scsi0,if=none
could not open disk image /home/disk/disk0.qcow2: No such file or directory

3. Reboot guest
device_add scsi-hd,bus=bus1.0,drive=scsi0,id=hd0
Property 'scsi-hd.drive' can't find value 'scsi0'

Actual results:
(gdb) bt
#0  bdrv_getlength (bs=0x0) at block.c:2765
#1  0x00005555555daacd in bdrv_get_geometry (bs=<optimized out>, 
    nb_sectors_ptr=nb_sectors_ptr@entry=0x7fffffffdbc0) at block.c:2781
#2  0x0000555555689436 in scsi_disk_reset (dev=0x555556a2e9c0) at hw/scsi/scsi-disk.c:1982
#3  0x000055555563d839 in qdev_reset_one (dev=dev@entry=0x555556a2e9c0, opaque=opaque@entry=0x0)
    at hw/core/qdev.c:227
#4  0x000055555563cf30 in qdev_walk_children (dev=0x555556a2e9c0, 
    devfn=devfn@entry=0x55555563d820 <qdev_reset_one>, busfn=busfn@entry=0x55555563b820 <qbus_reset_one>, 
    opaque=opaque@entry=0x0) at hw/core/qdev.c:376
#5  0x000055555563d03a in qbus_walk_children (bus=bus@entry=0x555556741f20, 
    devfn=devfn@entry=0x55555563d820 <qdev_reset_one>, busfn=busfn@entry=0x55555563b820 <qbus_reset_one>, 
    opaque=opaque@entry=0x0) at hw/core/qdev.c:360
#6  0x000055555563d0ad in qbus_reset_all (bus=bus@entry=0x555556741f20) at hw/core/qdev.c:248
#7  0x0000555555777de3 in virtio_scsi_reset (vdev=<optimized out>)
    at /usr/src/debug/qemu-1.5.3/hw/scsi/virtio-scsi.c:451
#8  0x000055555577f9ae in virtio_reset (opaque=0x555556741e08) at /usr/src/debug/qemu-1.5.3/hw/virtio/virtio.c:543
#9  0x00005555556b4166 in virtio_bus_reset (bus=bus@entry=0x555556741d98) at hw/virtio/virtio-bus.c:63
#10 0x00005555556b63d1 in virtio_pci_reset (qdev=<optimized out>) at hw/virtio/virtio-pci.c:1014
#11 0x000055555563d839 in qdev_reset_one (dev=dev@entry=0x555556741610, opaque=opaque@entry=0x0)
    at hw/core/qdev.c:227
#12 0x000055555563cf30 in qdev_walk_children (dev=dev@entry=0x555556741610, 
    devfn=devfn@entry=0x55555563d820 <qdev_reset_one>, busfn=busfn@entry=0x55555563b820 <qbus_reset_one>, 
    opaque=opaque@entry=0x0) at hw/core/qdev.c:376
#13 0x000055555563cfcd in qdev_reset_all (dev=dev@entry=0x555556741610) at hw/core/qdev.c:243
#14 0x000055555567eafd in pci_device_reset (dev=0x555556741610) at hw/pci/pci.c:180
#15 0x000055555567ecb2 in pci_bus_reset (bus=0x55555666e750) at hw/pci/pci.c:226
#16 0x000055555567ecf9 in pcibus_reset (qbus=<optimized out>) at hw/pci/pci.c:233
#17 0x000055555563d010 in qbus_walk_children (bus=bus@entry=0x55555666e750, 
    devfn=devfn@entry=0x55555563d820 <qdev_reset_one>, busfn=busfn@entry=0x55555563b820 <qbus_reset_one>, 
    opaque=opaque@entry=0x0) at hw/core/qdev.c:353
#18 0x000055555563cf5a in qdev_walk_children (dev=<optimized out>, 
    devfn=devfn@entry=0x55555563d820 <qdev_reset_one>, busfn=busfn@entry=0x55555563b820 <qbus_reset_one>, 
    opaque=opaque@entry=0x0) at hw/core/qdev.c:383
#19 0x000055555563d03a in qbus_walk_children (bus=<optimized out>, devfn=0x55555563d820 <qdev_reset_one>, 
    busfn=0x55555563b820 <qbus_reset_one>, opaque=0x0) at hw/core/qdev.c:360
#20 0x000055555572b89d in qemu_devices_reset () at vl.c:1809
#21 qemu_system_reset (report=report@entry=true) at vl.c:1818
#22 0x00005555555c3f84 in main_loop_should_exit () at vl.c:1952
#23 main_loop () at vl.c:1990
#24 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4379
(gdb) 


Expected results:
qemu-kvm works well

Additional info:

Comment 3 Markus Armbruster 2014-01-16 13:15:10 UTC
I simplified the reproducer, and reproduced with latest upstream:

$ gdb --args upstream-qemu -nodefaults -S -display none -monitor stdio -device virtio-scsi-pci,id=bus1
[...]
(gdb) r
[...]
(qemu) device_add scsi-hd,bus=bus1.0,drive=scsi0,id=hd0
Property 'scsi-hd.drive' can't find value 'scsi0'
(qemu) system_reset 
(qemu) 
Program received signal SIGSEGV, Segmentation fault.
0x0000555555616307 in bdrv_getlength (bs=0x0) at /work/armbru/qemu/block.c:2959
2959	    BlockDriver *drv = bs->drv;
(gdb) bt
#0  0x0000555555616307 in bdrv_getlength (bs=0x0)
    at /work/armbru/qemu/block.c:2959
#1  0x00005555556163a0 in bdrv_get_geometry (bs=0x0, nb_sectors_ptr=
    0x7fffffffd7a8) at /work/armbru/qemu/block.c:2976
#2  0x000055555579415b in scsi_disk_reset (dev=0x555556363430)
    at /work/armbru/qemu/hw/scsi/scsi-disk.c:2119
#3  0x00005555556e5394 in device_reset (dev=0x555556363430)
    at /work/armbru/qemu/hw/core/qdev.c:840
#4  0x00005555556e3624 in qdev_reset_one (dev=0x555556363430, opaque=0x0)
    at /work/armbru/qemu/hw/core/qdev.c:227
#5  0x00005555556e3d6b in qdev_walk_children (dev=0x555556363430, pre_devfn=
    0x0, pre_busfn=0x0, post_devfn=0x5555556e35f9 <qdev_reset_one>, post_busfn=
    0x5555556e363f <qbus_reset_one>, opaque=0x0)
    at /work/armbru/qemu/hw/core/qdev.c:398
#6  0x00005555556e3c3b in qbus_walk_children (bus=0x5555563674d8, pre_devfn=
    0x0, pre_busfn=0x0, post_devfn=0x5555556e35f9 <qdev_reset_one>, post_busfn=
    0x5555556e363f <qbus_reset_one>, opaque=0x0)
    at /work/armbru/qemu/hw/core/qdev.c:356
#7  0x00005555556e3d2f in qdev_walk_children (dev=0x5555563673c0, pre_devfn=
    0x0, pre_busfn=0x0, post_devfn=0x5555556e35f9 <qdev_reset_one>, post_busfn=
    0x5555556e363f <qbus_reset_one>, opaque=0x0)
    at /work/armbru/qemu/hw/core/qdev.c:390
#8  0x00005555556e3c3b in qbus_walk_children (bus=0x555556367358, pre_devfn=
    0x0, pre_busfn=0x0, post_devfn=0x5555556e35f9 <qdev_reset_one>, post_busfn=
    0x5555556e363f <qbus_reset_one>, opaque=0x0)
    at /work/armbru/qemu/hw/core/qdev.c:356
#9  0x00005555556e3d2f in qdev_walk_children (dev=0x555556366ad0, pre_devfn=
    0x0, pre_busfn=0x0, post_devfn=0x5555556e35f9 <qdev_reset_one>, post_busfn=
    0x5555556e363f <qbus_reset_one>, opaque=0x0)
    at /work/armbru/qemu/hw/core/qdev.c:390
#10 0x00005555556e3c3b in qbus_walk_children (bus=0x5555563458d0, pre_devfn=
    0x0, pre_busfn=0x0, post_devfn=0x5555556e35f9 <qdev_reset_one>, post_busfn=
    0x5555556e363f <qbus_reset_one>, opaque=0x0)
    at /work/armbru/qemu/hw/core/qdev.c:356
#11 0x00005555556e3d2f in qdev_walk_children (dev=0x5555563524e0, pre_devfn=
    0x0, pre_busfn=0x0, post_devfn=0x5555556e35f9 <qdev_reset_one>, post_busfn=
    0x5555556e363f <qbus_reset_one>, opaque=0x0)
    at /work/armbru/qemu/hw/core/qdev.c:390
#12 0x00005555556e3c3b in qbus_walk_children (bus=0x555556320e00, pre_devfn=
    0x0, pre_busfn=0x0, post_devfn=0x5555556e35f9 <qdev_reset_one>, post_busfn=
    0x5555556e363f <qbus_reset_one>, opaque=0x0)
    at /work/armbru/qemu/hw/core/qdev.c:356
#13 0x00005555556e3769 in qbus_reset_all (bus=0x555556320e00)
    at /work/armbru/qemu/hw/core/qdev.c:248
#14 0x00005555556e37ae in qbus_reset_all_fn (opaque=0x555556320e00)
    at /work/armbru/qemu/hw/core/qdev.c:254
#15 0x000055555589feba in qemu_devices_reset () at /work/armbru/qemu/vl.c:1839
#16 0x000055555589ff26 in qemu_system_reset (report=true)
    at /work/armbru/qemu/vl.c:1848
#17 0x00005555558a0454 in main_loop_should_exit ()
    at /work/armbru/qemu/vl.c:1981
#18 0x00005555558a0564 in main_loop () at /work/armbru/qemu/vl.c:2021
#19 0x00005555558a7c0b in main (argc=9, argv=0x7fffffffe078, envp=
    0x7fffffffe0c8) at /work/armbru/qemu/vl.c:4382
(gdb) up 2
#2  0x000055555579415b in scsi_disk_reset (dev=0x555556363430)
    at /work/armbru/qemu/hw/scsi/scsi-disk.c:2119
2119	    bdrv_get_geometry(s->qdev.conf.bs, &nb_sectors);
(gdb) p *s
$1 = {qdev = {qdev = {parent_obj = {class = 0x5555563699a0, free = 
    0x7ffff76fd790 <g_free>, properties = {tqh_first = 0x555556364b80, 
          tqh_last = 0x5555563f3250}, ref = 1, parent = 0x0}, id = 
    0x5555563c5ea0 "ȇ\241\356\377\177", realized = false, opts = 0x0, 
      hotplugged = 1, parent_bus = 0x5555563674d8, num_gpio_out = 0, 
      gpio_out = 0x0, num_gpio_in = 0, gpio_in = 0x0, child_bus = {lh_first = 
    0x0}, num_child_bus = 0, instance_id_alias = -1, 
      alias_required_for_version = 0}, vmsentry = 0x0, bh = 0x0, id = 
    4294967295, conf = {bs = 0x0, physical_block_size = 512, 
      logical_block_size = 512, min_io_size = 0, opt_io_size = 0, bootindex = 
    -1, discard_granularity = 4294967295, cyls = 0, heads = 0, secs = 0}, 
    unit_attention = {key = 6 '\006', asc = 41 ')', ascq = 0 '\000'}, 
    sense_is_ua = false, sense = '\000' <repeats 95 times>, sense_len = 0, 
    requests = {tqh_first = 0x0, tqh_last = 0x0}, channel = 0, lun = 
    4294967295, blocksize = 0, type = 0, max_lba = 0}, features = 0, 
  media_changed = false, media_event = false, eject_request = false, wwn = 0, 
  max_unmap_size = 1073741824, bh = 0x0, version = 0x0, serial = 0x0, vendor = 
    0x0, product = 0x0, tray_open = false, tray_locked = false}

Same qemu invocation, but "info qtree" before and after the
device_add:

(qemu) info qtree
bus: main-system-bus
  type System
[...]
  dev: i440FX-pcihost, id ""
    pci-hole64-size = 16777216.000T
    short_root_bus = 0
    irq 0
    bus: pci.0
      type PCI
      dev: virtio-scsi-pci, id "bus1"
        ioeventfd = off
        vectors = 4
        indirect_desc = on
        event_idx = on
        hotplug = on
        param_change = on
        num_queues = 1
        max_sectors = 65535
        cmd_per_lun = 128
        addr = 02.0
        romfile = <null>
        rombar = 1
        multifunction = off
        command_serr_enable = on
        class SCSI controller, addr 00:02.0, pci id 1af4:1004 (sub 1af4:0008)
        bar 0: i/o at 0xffffffffffffffff [0x3e]
        bar 1: mem at 0xffffffffffffffff [0xffe]
        bus: virtio-bus
          type virtio-pci-bus
          dev: virtio-scsi-device, id ""
            num_queues = 1
            max_sectors = 65535
            cmd_per_lun = 128
            bus: bus1.0
              type SCSI
      dev: PIIX4_PM, id ""
[...]
(qemu) device_add scsi-hd,bus=bus1.0,drive=scsi0,id=hd0
Property 'scsi-hd.drive' can't find value 'scsi0'
(qemu) info qtree
bus: main-system-bus
  type System
[...]
  dev: i440FX-pcihost, id ""
    pci-hole64-size = 16777216.000T
    short_root_bus = 0
    irq 0
    bus: pci.0
      type PCI
      dev: virtio-scsi-pci, id "bus1"
        ioeventfd = off
        vectors = 4
        indirect_desc = on
        event_idx = on
        hotplug = on
        param_change = on
        num_queues = 1
        max_sectors = 65535
        cmd_per_lun = 128
        addr = 02.0
        romfile = <null>
        rombar = 1
        multifunction = off
        command_serr_enable = on
        class SCSI controller, addr 00:02.0, pci id 1af4:1004 (sub 1af4:0008)
        bar 0: i/o at 0xffffffffffffffff [0x3e]
        bar 1: mem at 0xffffffffffffffff [0xffe]
        bus: virtio-bus
          type virtio-pci-bus
          dev: virtio-scsi-device, id ""
            num_queues = 1
            max_sectors = 65535
            cmd_per_lun = 128
            bus: bus1.0
              type SCSI
              dev: scsi-hd, id "���C1"
                drive = <null>
                logical_block_size = 512
                physical_block_size = 512
                min_io_size = 0
                opt_io_size = 0
                bootindex = -1
                discard_granularity = 4294967295
                ver = <null>
                serial = <null>
                vendor = <null>
                product = <null>
                removable = off
                dpofua = off
                wwn = 0x0
                max_unmap_size = 1073741824
                cyls = 0
                heads = 0
                secs = 0
                channel = 0
                scsi-id = 4294967295
                lun = 4294967295
[...]

Even though the device_add failed, it added a scsi-hd device to SCSI
bus "bus1.0"!  Many of its properties are obvious crap.

Comment 4 Markus Armbruster 2014-01-17 09:45:27 UTC
Additional reproducers:

1. qemu -nodefaults -S -display none -monitor stdio -device lsi
   device_add scsi-hd,drive=scsi0,id=hd0
   system_reset

2. qemu -nodefaults -S -display none -monitor stdio
   device_add e1000,netdev=xxx
   info qtree

This is almost certainly a core qdev bug.

Comment 5 Markus Armbruster 2014-01-21 13:12:03 UTC
Possibly a duplicate of 1046248.

Comment 6 Markus Armbruster 2014-01-21 13:17:35 UTC
Amos, can you confirm it's a dupe of 1046248?

Comment 7 Amos Kong 2014-01-21 13:49:54 UTC
Yes, it's the same issue.


| (qemu) device_add scsi-hd,bus=bus1.0,drive=scsi0,id=hd0
| Property 'scsi-hd.drive' can't find value 'scsi0'

Failed to hotplug the device. We didn't add the dev to the QOM tree, but we already created a link for the non-existent dev.

| (qemu) system_reset 

It tries to walk the qdev children; the link exists, so it tries to free a non-existent dev.
Then crash.

*** This bug has been marked as a duplicate of bug 1046248 ***

Comment 8 Markus Armbruster 2014-01-21 15:04:39 UTC
Thank you, Amos!
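The failure chain Markus traced in Comment 3 and Amos summarized in Comment 7, as an added illustration that is not QEMU code and not part of this bug report: a hypothetical bus/device model in which a failed hot-plug either leaves the half-built device linked into the bus (the scsi-hd with `drive = <null>` in the `info qtree` output above) or unlinks it again, followed by a reset walk that either dereferences the missing backend or guards against it. Every type and function name, the one-entry drive table, and the two switches (`leak_on_failure`, `guard`) are assumptions made for the example; the "fixed" path shows one way to close the hole, not necessarily the change that was made upstream.

```c
/*
 * Model of this bug: device_add fails after the new device is already linked
 * into its bus, then system_reset walks the bus and hits the NULL backend.
 * Added illustration, not QEMU code; every name here is hypothetical and only
 * mirrors the backtrace (qbus_reset_all -> scsi_disk_reset -> bdrv_get_geometry).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct Device {
    const char *drive;          /* resolved backend, NULL when unset (bs=0x0) */
    int realized;
    struct Device *next;
} Device;
typedef struct Bus { Device *children; } Bus;

/* Constructed drive table: "drive0" exists, "scsi0" (as in the report) does not. */
static const char *resolve_drive(const char *id)
{
    return strcmp(id, "drive0") == 0 ? "drive0" : NULL;
}

static void bus_detach(Bus *bus, Device *dev)
{
    for (Device **pp = &bus->children; *pp; pp = &(*pp)->next)
        if (*pp == dev) { *pp = dev->next; return; }
}

/* device_add, two ways. leak_on_failure=1: the device is linked into the bus
   before its properties resolve and stays there when one is bad (the
   "drive = <null>" scsi-hd that "info qtree" shows in Comment 3).
   leak_on_failure=0: a failed device is unlinked and freed before returning. */
static int device_add(Bus *bus, const char *drive_id, int leak_on_failure)
{
    Device *dev = calloc(1, sizeof *dev);
    if (!dev)
        return -1;
    dev->next = bus->children;      /* linked before properties are set */
    bus->children = dev;
    dev->drive = resolve_drive(drive_id);
    if (!dev->drive) {              /* "Property 'scsi-hd.drive' can't find value" */
        if (!leak_on_failure) {
            bus_detach(bus, dev);
            free(dev);
        }
        return -1;
    }
    dev->realized = 1;
    return 0;
}

/* Model of scsi_disk_reset(). Where QEMU calls bdrv_get_geometry(NULL) and
   segfaults, this returns -1 so the walk can count it. guard=1 is the
   defensive check a reset handler can carry regardless of the hot-plug fix. */
static int scsi_disk_reset(const Device *dev, int guard)
{
    if (guard && !dev->realized)
        return 0;                   /* never realized: nothing to reset */
    return dev->drive ? 0 : -1;     /* -1 stands for the NULL dereference */
}

/* Model of qbus_reset_all(): number of children that would crash the VMM. */
static int bus_reset_all(const Bus *bus, int guard)
{
    int would_crash = 0;
    for (const Device *d = bus->children; d; d = d->next)
        would_crash += scsi_disk_reset(d, guard) < 0;
    return would_crash;
}

static void bus_free(Bus *bus)
{
    for (Device *d = bus->children, *n; d; d = n) { n = d->next; free(d); }
}

/* Devices left on the bus after the failed device_add from Comment 3. */
static int orphans_after_failed_add(int leak_on_failure)
{
    Bus bus = { NULL };
    int n = 0;
    device_add(&bus, "scsi0", leak_on_failure);
    for (const Device *d = bus.children; d; d = d->next) n++;
    bus_free(&bus);
    return n;
}

/* Replays the reproducer (failed hot-plug, one good hot-plug, system_reset)
   and returns how many NULL dereferences the reset walk would hit. */
static int run_scenario(int leak_on_failure, int guard)
{
    Bus bus = { NULL };
    device_add(&bus, "scsi0", leak_on_failure);    /* fails, as in the report */
    device_add(&bus, "drive0", leak_on_failure);   /* succeeds */
    int crashes = bus_reset_all(&bus, guard);
    bus_free(&bus);
    return crashes;
}

int main(void)
{
    printf("would-crash devices: leaky/unguarded %d, leaky/guarded %d, fixed %d\n",
           run_scenario(1, 0), run_scenario(1, 1), run_scenario(0, 0));
    return 0;
}
```

The trust boundary is the point worth keeping in mind: the failed hot-plug is an administrator's mistake typed at the monitor, but the reset that turns it into a crash is something the guest can trigger on its own by rebooting, so an orphaned device turns a benign management error into a guest-triggerable denial of service of the qemu-kvm process. On an affected build, a `device_add` that fails against a running guest is therefore a reason to check `info qtree` for an entry with `drive = <null>` before that guest is allowed to reboot.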

