Description of problem:
First boot the guest, second hot-plug a non-existent image to the guest, last reboot the guest. qemu-kvm will core dump (Segmentation fault).

Version-Release number of selected component (if applicable):
qemu-kvm-1.5.3-9.el7.x86_64
3.10.0-35.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. /usr/libexec/qemu-kvm -name 'linux-guest' -nodefaults -m 20G -smp 8,cores=4,threads=2,sockets=1 -M q35 -cpu SandyBridge \
   -rtc base=utc,clock=host,driftfix=slew -k en-us -boot menu=on -monitor stdio -vnc :1 -spice disable-ticketing,port=5931 -vga qxl -qmp tcp:0:5555,server,nowait \
   -drive file=/home/rng-RHEL7.0.qcow2_v3,if=none,id=drive-virtio-disk,format=qcow2,cache=none,werror=stop,rerror=stop \
   -device virtio-blk-pci,scsi=off,drive=drive-virtio-disk,id=disk0,bootindex=1 -device \
   virtio-scsi-pci,id=bus1 -balloon virtio -monitor unix:/tmp/monitor2,server,nowait

2. Hot-plug a non-existent image to the guest:
   (qemu) drive_add pci_addr=auto file=/home/disk/disk0.qcow2,format=qcow2,media=disk,id=scsi0,if=none
   could not open disk image /home/disk/disk0.qcow2: No such file or directory

3. Reboot the guest:
   device_add scsi-hd,bus=bus1.0,drive=scsi0,id=hd0
   Property 'scsi-hd.drive' can't find value 'scsi0'

Actual results:
(gdb) bt
#0  bdrv_getlength (bs=0x0) at block.c:2765
#1  0x00005555555daacd in bdrv_get_geometry (bs=<optimized out>, nb_sectors_ptr=nb_sectors_ptr@entry=0x7fffffffdbc0) at block.c:2781
#2  0x0000555555689436 in scsi_disk_reset (dev=0x555556a2e9c0) at hw/scsi/scsi-disk.c:1982
#3  0x000055555563d839 in qdev_reset_one (dev=dev@entry=0x555556a2e9c0, opaque=opaque@entry=0x0) at hw/core/qdev.c:227
#4  0x000055555563cf30 in qdev_walk_children (dev=0x555556a2e9c0, devfn=devfn@entry=0x55555563d820 <qdev_reset_one>, busfn=busfn@entry=0x55555563b820 <qbus_reset_one>, opaque=opaque@entry=0x0) at hw/core/qdev.c:376
#5  0x000055555563d03a in qbus_walk_children (bus=bus@entry=0x555556741f20, devfn=devfn@entry=0x55555563d820 <qdev_reset_one>, busfn=busfn@entry=0x55555563b820 <qbus_reset_one>, opaque=opaque@entry=0x0) at hw/core/qdev.c:360
#6  0x000055555563d0ad in qbus_reset_all (bus=bus@entry=0x555556741f20) at hw/core/qdev.c:248
#7  0x0000555555777de3 in virtio_scsi_reset (vdev=<optimized out>) at /usr/src/debug/qemu-1.5.3/hw/scsi/virtio-scsi.c:451
#8  0x000055555577f9ae in virtio_reset (opaque=0x555556741e08) at /usr/src/debug/qemu-1.5.3/hw/virtio/virtio.c:543
#9  0x00005555556b4166 in virtio_bus_reset (bus=bus@entry=0x555556741d98) at hw/virtio/virtio-bus.c:63
#10 0x00005555556b63d1 in virtio_pci_reset (qdev=<optimized out>) at hw/virtio/virtio-pci.c:1014
#11 0x000055555563d839 in qdev_reset_one (dev=dev@entry=0x555556741610, opaque=opaque@entry=0x0) at hw/core/qdev.c:227
#12 0x000055555563cf30 in qdev_walk_children (dev=dev@entry=0x555556741610, devfn=devfn@entry=0x55555563d820 <qdev_reset_one>, busfn=busfn@entry=0x55555563b820 <qbus_reset_one>, opaque=opaque@entry=0x0) at hw/core/qdev.c:376
#13 0x000055555563cfcd in qdev_reset_all (dev=dev@entry=0x555556741610) at hw/core/qdev.c:243
#14 0x000055555567eafd in pci_device_reset (dev=0x555556741610) at hw/pci/pci.c:180
#15 0x000055555567ecb2 in pci_bus_reset (bus=0x55555666e750) at hw/pci/pci.c:226
#16 0x000055555567ecf9 in pcibus_reset (qbus=<optimized out>) at hw/pci/pci.c:233
#17 0x000055555563d010 in qbus_walk_children (bus=bus@entry=0x55555666e750, devfn=devfn@entry=0x55555563d820 <qdev_reset_one>, busfn=busfn@entry=0x55555563b820 <qbus_reset_one>, opaque=opaque@entry=0x0) at hw/core/qdev.c:353
#18 0x000055555563cf5a in qdev_walk_children (dev=<optimized out>, devfn=devfn@entry=0x55555563d820 <qdev_reset_one>, busfn=busfn@entry=0x55555563b820 <qbus_reset_one>, opaque=opaque@entry=0x0) at hw/core/qdev.c:383
#19 0x000055555563d03a in qbus_walk_children (bus=<optimized out>, devfn=0x55555563d820 <qdev_reset_one>, busfn=0x55555563b820 <qbus_reset_one>, opaque=0x0) at hw/core/qdev.c:360
#20 0x000055555572b89d in qemu_devices_reset () at vl.c:1809
#21 qemu_system_reset (report=report@entry=true) at vl.c:1818
#22 0x00005555555c3f84 in main_loop_should_exit () at vl.c:1952
#23 main_loop () at vl.c:1990
#24 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4379
(gdb)

Expected results:
qemu-kvm works well

Additional info:
I simplified the reproducer, and reproduced with latest upstream:

$ gdb --args upstream-qemu -nodefaults -S -display none -monitor stdio -device virtio-scsi-pci,id=bus1
[...]
(gdb) r
[...]
(qemu) device_add scsi-hd,bus=bus1.0,drive=scsi0,id=hd0
Property 'scsi-hd.drive' can't find value 'scsi0'
(qemu) system_reset
(qemu)
Program received signal SIGSEGV, Segmentation fault.
0x0000555555616307 in bdrv_getlength (bs=0x0) at /work/armbru/qemu/block.c:2959
2959	    BlockDriver *drv = bs->drv;
(gdb) bt
#0  0x0000555555616307 in bdrv_getlength (bs=0x0) at /work/armbru/qemu/block.c:2959
#1  0x00005555556163a0 in bdrv_get_geometry (bs=0x0, nb_sectors_ptr=0x7fffffffd7a8) at /work/armbru/qemu/block.c:2976
#2  0x000055555579415b in scsi_disk_reset (dev=0x555556363430) at /work/armbru/qemu/hw/scsi/scsi-disk.c:2119
#3  0x00005555556e5394 in device_reset (dev=0x555556363430) at /work/armbru/qemu/hw/core/qdev.c:840
#4  0x00005555556e3624 in qdev_reset_one (dev=0x555556363430, opaque=0x0) at /work/armbru/qemu/hw/core/qdev.c:227
#5  0x00005555556e3d6b in qdev_walk_children (dev=0x555556363430, pre_devfn=0x0, pre_busfn=0x0, post_devfn=0x5555556e35f9 <qdev_reset_one>, post_busfn=0x5555556e363f <qbus_reset_one>, opaque=0x0) at /work/armbru/qemu/hw/core/qdev.c:398
#6  0x00005555556e3c3b in qbus_walk_children (bus=0x5555563674d8, pre_devfn=0x0, pre_busfn=0x0, post_devfn=0x5555556e35f9 <qdev_reset_one>, post_busfn=0x5555556e363f <qbus_reset_one>, opaque=0x0) at /work/armbru/qemu/hw/core/qdev.c:356
#7  0x00005555556e3d2f in qdev_walk_children (dev=0x5555563673c0, pre_devfn=0x0, pre_busfn=0x0, post_devfn=0x5555556e35f9 <qdev_reset_one>, post_busfn=0x5555556e363f <qbus_reset_one>, opaque=0x0) at /work/armbru/qemu/hw/core/qdev.c:390
#8  0x00005555556e3c3b in qbus_walk_children (bus=0x555556367358, pre_devfn=0x0, pre_busfn=0x0, post_devfn=0x5555556e35f9 <qdev_reset_one>, post_busfn=0x5555556e363f <qbus_reset_one>, opaque=0x0) at /work/armbru/qemu/hw/core/qdev.c:356
#9  0x00005555556e3d2f in qdev_walk_children (dev=0x555556366ad0, pre_devfn=0x0, pre_busfn=0x0, post_devfn=0x5555556e35f9 <qdev_reset_one>, post_busfn=0x5555556e363f <qbus_reset_one>, opaque=0x0) at /work/armbru/qemu/hw/core/qdev.c:390
#10 0x00005555556e3c3b in qbus_walk_children (bus=0x5555563458d0, pre_devfn=0x0, pre_busfn=0x0, post_devfn=0x5555556e35f9 <qdev_reset_one>, post_busfn=0x5555556e363f <qbus_reset_one>, opaque=0x0) at /work/armbru/qemu/hw/core/qdev.c:356
#11 0x00005555556e3d2f in qdev_walk_children (dev=0x5555563524e0, pre_devfn=0x0, pre_busfn=0x0, post_devfn=0x5555556e35f9 <qdev_reset_one>, post_busfn=0x5555556e363f <qbus_reset_one>, opaque=0x0) at /work/armbru/qemu/hw/core/qdev.c:390
#12 0x00005555556e3c3b in qbus_walk_children (bus=0x555556320e00, pre_devfn=0x0, pre_busfn=0x0, post_devfn=0x5555556e35f9 <qdev_reset_one>, post_busfn=0x5555556e363f <qbus_reset_one>, opaque=0x0) at /work/armbru/qemu/hw/core/qdev.c:356
#13 0x00005555556e3769 in qbus_reset_all (bus=0x555556320e00) at /work/armbru/qemu/hw/core/qdev.c:248
#14 0x00005555556e37ae in qbus_reset_all_fn (opaque=0x555556320e00) at /work/armbru/qemu/hw/core/qdev.c:254
#15 0x000055555589feba in qemu_devices_reset () at /work/armbru/qemu/vl.c:1839
#16 0x000055555589ff26 in qemu_system_reset (report=true) at /work/armbru/qemu/vl.c:1848
#17 0x00005555558a0454 in main_loop_should_exit () at /work/armbru/qemu/vl.c:1981
#18 0x00005555558a0564 in main_loop () at /work/armbru/qemu/vl.c:2021
#19 0x00005555558a7c0b in main (argc=9, argv=0x7fffffffe078, envp=0x7fffffffe0c8) at /work/armbru/qemu/vl.c:4382
(gdb) up 2
#2  0x000055555579415b in scsi_disk_reset (dev=0x555556363430) at /work/armbru/qemu/hw/scsi/scsi-disk.c:2119
2119	    bdrv_get_geometry(s->qdev.conf.bs, &nb_sectors);
(gdb) p *s
$1 = {qdev = {qdev = {parent_obj = {class = 0x5555563699a0, free = 0x7ffff76fd790 <g_free>,
          properties = {tqh_first = 0x555556364b80, tqh_last = 0x5555563f3250}, ref = 1, parent = 0x0},
        id = 0x5555563c5ea0 "ȇ\241\356\377\177", realized = false, opts = 0x0, hotplugged = 1,
        parent_bus = 0x5555563674d8, num_gpio_out = 0, gpio_out = 0x0, num_gpio_in = 0, gpio_in = 0x0,
        child_bus = {lh_first = 0x0}, num_child_bus = 0, instance_id_alias = -1, alias_required_for_version = 0},
      vmsentry = 0x0, bh = 0x0, id = 4294967295,
      conf = {bs = 0x0, physical_block_size = 512, logical_block_size = 512, min_io_size = 0, opt_io_size = 0,
        bootindex = -1, discard_granularity = 4294967295, cyls = 0, heads = 0, secs = 0},
      unit_attention = {key = 6 '\006', asc = 41 ')', ascq = 0 '\000'}, sense_is_ua = false,
      sense = '\000' <repeats 95 times>, sense_len = 0, requests = {tqh_first = 0x0, tqh_last = 0x0},
      channel = 0, lun = 4294967295, blocksize = 0, type = 0, max_lba = 0},
    features = 0, media_changed = false, media_event = false, eject_request = false, wwn = 0,
    max_unmap_size = 1073741824, bh = 0x0, version = 0x0, serial = 0x0, vendor = 0x0, product = 0x0,
    tray_open = false, tray_locked = false}

Same qemu invocation, but "info qtree" before and after the device_add:

(qemu) info qtree
bus: main-system-bus
  type System
  [...]
  dev: i440FX-pcihost, id ""
    pci-hole64-size = 16777216.000T
    short_root_bus = 0
    irq 0
    bus: pci.0
      type PCI
      dev: virtio-scsi-pci, id "bus1"
        ioeventfd = off
        vectors = 4
        indirect_desc = on
        event_idx = on
        hotplug = on
        param_change = on
        num_queues = 1
        max_sectors = 65535
        cmd_per_lun = 128
        addr = 02.0
        romfile = <null>
        rombar = 1
        multifunction = off
        command_serr_enable = on
        class SCSI controller, addr 00:02.0, pci id 1af4:1004 (sub 1af4:0008)
        bar 0: i/o at 0xffffffffffffffff [0x3e]
        bar 1: mem at 0xffffffffffffffff [0xffe]
        bus: virtio-bus
          type virtio-pci-bus
          dev: virtio-scsi-device, id ""
            num_queues = 1
            max_sectors = 65535
            cmd_per_lun = 128
            bus: bus1.0
              type SCSI
      dev: PIIX4_PM, id ""
      [...]
(qemu) device_add scsi-hd,bus=bus1.0,drive=scsi0,id=hd0
Property 'scsi-hd.drive' can't find value 'scsi0'
(qemu) info qtree
bus: main-system-bus
  type System
  [...]
  dev: i440FX-pcihost, id ""
    pci-hole64-size = 16777216.000T
    short_root_bus = 0
    irq 0
    bus: pci.0
      type PCI
      dev: virtio-scsi-pci, id "bus1"
        ioeventfd = off
        vectors = 4
        indirect_desc = on
        event_idx = on
        hotplug = on
        param_change = on
        num_queues = 1
        max_sectors = 65535
        cmd_per_lun = 128
        addr = 02.0
        romfile = <null>
        rombar = 1
        multifunction = off
        command_serr_enable = on
        class SCSI controller, addr 00:02.0, pci id 1af4:1004 (sub 1af4:0008)
        bar 0: i/o at 0xffffffffffffffff [0x3e]
        bar 1: mem at 0xffffffffffffffff [0xffe]
        bus: virtio-bus
          type virtio-pci-bus
          dev: virtio-scsi-device, id ""
            num_queues = 1
            max_sectors = 65535
            cmd_per_lun = 128
            bus: bus1.0
              type SCSI
              dev: scsi-hd, id "���C1"
                drive = <null>
                logical_block_size = 512
                physical_block_size = 512
                min_io_size = 0
                opt_io_size = 0
                bootindex = -1
                discard_granularity = 4294967295
                ver = <null>
                serial = <null>
                vendor = <null>
                product = <null>
                removable = off
                dpofua = off
                wwn = 0x0
                max_unmap_size = 1073741824
                cyls = 0
                heads = 0
                secs = 0
                channel = 0
                scsi-id = 4294967295
                lun = 4294967295
[...]

Even though the device_add failed, it added a scsi-hd device to SCSI bus "bus1.0"! Many of its properties are obvious crap.
Additional reproducers:

1. qemu -nodefaults -S -display none -monitor stdio -device lsi
   device_add scsi-hd,drive=scsi0,id=hd0
   system_reset

2. qemu -nodefaults -S -display none -monitor stdio
   device_add e1000,netdev=xxx
   info qtree

This is almost certainly a core qdev bug.
Possibly duplicate of 1046248.
Amos, can you confirm it's a dupe of 1046248?
Yes, it's the same issue.

| (qemu) device_add scsi-hd,bus=bus1.0,drive=scsi0,id=hd0
| Property 'scsi-hd.drive' can't find value 'scsi0'

Failed to hotplug the device. We didn't add the dev to the QOM tree, but we already created a link for the nonexistent dev.

| (qemu) system_reset

Try to walk qdev children; the link exists, so try to free a nonexistent dev. Then crash.

*** This bug has been marked as a duplicate of bug 1046248 ***
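The mechanism described in the comment above, and visible in the "info qtree" output earlier in this bug (a scsi-hd with drive = <null> left on bus1.0 after a failed device_add), reduced to a small C model. This is an added example for the reader, not QEMU's code and not the fix applied upstream: toy_bus, toy_dev, device_add with its unlink_on_failure flag and the single "drive0" table are all invented here. With the flag off, the failed hot-plug leaves its device linked to the bus and the reset walk reaches a child whose block backend is NULL, which is exactly where the real scsi_disk_reset() faults; with the flag on, the partial device is unlinked and freed on the error path and the reset walk never sees it.

```c
/* Added example, not QEMU code: a toy model of this report's bug.  A device_add
 * that fails after the device is linked to its bus leaves a half-built device
 * behind; the next system_reset walks into it and dereferences a NULL block
 * backend.  All names (toy_bus, toy_dev, device_add, ...) are invented here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct toy_blk { long nb_sectors; };            /* stands in for BlockDriverState */
struct toy_dev {
    const char *id;
    struct toy_blk *bs;                         /* NULL when no drive resolved */
    struct toy_dev *next;                       /* sibling link on the bus */
};
struct toy_bus { struct toy_dev *children; };
struct outcome { int children, null_bs; };      /* what one replay observed */

/* Constructed drive table: the only drive that exists is "drive0". */
static struct toy_blk drive0 = { .nb_sectors = 2048 };

static struct toy_blk *lookup_drive(const char *id)
{
    return strcmp(id, "drive0") == 0 ? &drive0 : NULL;
}

static void bus_unlink(struct toy_bus *bus, struct toy_dev *dev)
{
    struct toy_dev **pp = &bus->children;
    while (*pp && *pp != dev) pp = &(*pp)->next;
    if (*pp) *pp = dev->next;
}

/* Link the device to the bus, then resolve its drive property.  With
 * unlink_on_failure == 0 a bad property reports the error but leaves the device
 * on the bus (the "scsi-hd ... drive = <null>" entry in info qtree); with
 * unlink_on_failure == 1 the failed device is torn down again. */
static int device_add(struct toy_bus *bus, const char *id, const char *drive,
                      int unlink_on_failure)
{
    struct toy_dev *dev = calloc(1, sizeof(*dev));
    if (!dev) return -1;
    dev->id = id;
    dev->next = bus->children;                  /* linked before properties are set */
    bus->children = dev;
    dev->bs = lookup_drive(drive);
    if (!dev->bs) {
        fprintf(stderr, "Property 'scsi-hd.drive' can't find value '%s'\n", drive);
        if (unlink_on_failure) {                /* the fix: undo the partial add */
            bus_unlink(bus, dev);
            free(dev);
        }
        return -1;
    }
    return 0;
}

/* Reset walk.  The real scsi_disk_reset() reads geometry through conf.bs with no
 * NULL check (frames #0-#2 of the backtrace); the model counts such children
 * instead of faulting so it can be run safely. */
static int bus_reset_all(struct toy_bus *bus)
{
    int null_bs = 0;
    for (struct toy_dev *d = bus->children; d; d = d->next) {
        if (!d->bs) { null_bs++; continue; }    /* would be bdrv_getlength(bs=0x0) */
        (void)d->bs->nb_sectors;                /* the geometry read on a real drive */
    }
    return null_bs;
}

/* Replay the reproducer: device_add of "hd0" against "drive", then a reset. */
struct outcome simulate(int fixed, const char *drive)
{
    struct toy_bus bus = { .children = NULL };
    struct outcome out = { 0, 0 };

    (void)device_add(&bus, "hd0", drive, fixed); /* error printed, monitor carries on */
    out.null_bs = bus_reset_all(&bus);           /* system_reset */
    while (bus.children) {                       /* tear the model down, counting */
        struct toy_dev *d = bus.children;
        bus.children = d->next;
        free(d);
        out.children++;
    }
    return out;
}

int main(void)
{
    struct outcome b = simulate(0, "scsi0"), f = simulate(1, "scsi0");
    printf("buggy: %d on bus, %d reached by reset with bs == NULL\n", b.children, b.null_bs);
    printf("fixed: %d on bus, %d reached by reset with bs == NULL\n", f.children, f.null_bs);
    return 0;
}
```

The point the model isolates is ordering on the error path: once a partially constructed device is reachable from a bus that a later walk (reset, info qtree, unplug) will traverse, every walker has to cope with it, so the only robust place to handle the failure is where the link was made. The "drive0" case shows that a successful add still leaves exactly one child and a reset that reads geometry normally.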
Thank you, Amos!