Bug 1042665 - Qemu segmentation fault (core dumped) if repeat hotplug/unplug virtio-scsi/virtio-blk disk in turns
Keywords:
Status: CLOSED DUPLICATE of bug 1046248
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Amos Kong
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-12-13 02:43 UTC by Sibiao Luo
Modified: 2015-05-25 00:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-01-15 03:20:23 UTC
Target Upstream Version:
Embargoed:



Description Sibiao Luo 2013-12-13 02:43:50 UTC
Description of problem:
Boot up a guest normally and repeatedly hotplug/unplug virtio-scsi/virtio-blk disks in turns; qemu will segfault (core dumped).

Version-Release number of selected component (if applicable):
host info:
3.10.0-60.el7.x86_64
qemu-kvm-rhev-1.5.3-21.el7.x86_64
seabios-1.7.2.2-4.el7.x86_64
guest info:
3.10.0-60.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Boot up a guest with a virtio-scsi data disk normally.
# /usr/libexec/qemu-kvm -M pc -cpu SandyBridge -enable-kvm -m 2048 -smp 4,sockets=2,cores=2,threads=1 -no-kvm-pit-reinjection -usb -device usb-tablet,id=input0 -name sluo -uuid 990ea161-6b67-47b2-b803-19fb01d30d30 -rtc base=localtime,clock=host,driftfix=slew -device virtio-serial-pci,id=virtio-serial0,max_ports=16,vectors=0,bus=pci.0,addr=0x3 -chardev socket,id=channel1,path=/tmp/helloworld1,server,nowait -device virtserialport,chardev=channel1,name=com.redhat.rhevm.vdsm,bus=virtio-serial0.0,id=port1 -chardev socket,id=channel2,path=/tmp/helloworld2,server,nowait -device virtserialport,chardev=channel2,name=com.redhat.rhevm.vdsm,bus=virtio-serial0.0,id=port2 -drive file=iscsi://10.66.90.100:3260/iqn.2001-05.com.equallogic:0-8a0906-4c41f7d03-453f49b421052a57-s2-sluo-270305-1/0,if=none,id=drive-system-disk,cache=none,format=raw,aio=native,werror=stop,rerror=stop,discard=on -iscsi id=iqn0 -device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x4,num_queues=4 -device scsi-block,drive=drive-system-disk,bus=scsi0.0,id=libiscsi-system-disk,bootindex=1 -netdev tap,id=hostnet0,vhost=on,script=/etc/qemu-ifup -device rtl8139,netdev=hostnet0,id=rtl8139-net-pci0,mac=00:01:02:B6:40:21,bus=pci.0,addr=0x5 -device virtio-balloon-pci,id=ballooning,bus=pci.0,addr=0x6 -global PIIX4_PM.disable_s3=0 -global PIIX4_PM.disable_s4=0 -drive file=iscsi://10.66.90.100:3260/iqn.2001-05.com.equallogic:0-8a0906-4fb1f7d03-455f49b421252a57-s2-sluo-270305-2/0,if=none,id=drive-data-disk,cache=none,format=raw,aio=native,werror=stop,rerror=stop,discard=on -iscsi id=iqn1 -device virtio-scsi-pci,id=scsi1,bus=pci.0,addr=0x7,num_queues=4 -device scsi-hd,drive=drive-data-disk,bus=scsi1.0,id=libiscsi-data-disk -k en-us -boot menu=on -qmp tcp:0:4444,server,nowait -serial unix:/tmp/ttyS0,server,nowait -vnc :1 -spice disable-ticketing,port=5931 -monitor unix:/tmp/monitor2,server,nowait
2. Repeatedly hotplug/unplug the virtio-scsi/virtio-blk disk in turns.
# cat repeat_hot_pluging.sh
while true
do
    echo "device_del libiscsi-data-disk" | nc -U /tmp/monitor2
    sleep 1
    echo "device_del scsi1" | nc -U /tmp/monitor2
    sleep 1
    echo "drive_add pci_addr=auto file=/home/my-data-disk.qcow2,if=none,id=drive-data-disk,cache=none,format=qcow2,aio=native" | nc -U /tmp/monitor2
    sleep 1
    echo "device_add virtio-blk-pci,drive=drive-data-disk,id=data-disk,bus=pci.0,addr=0x7" | nc -U /tmp/monitor2
    sleep 1
    echo "device_del data-disk" | nc -U /tmp/monitor2
    sleep 1
    echo "drive_add pci_addr=auto file=iscsi://10.66.90.100:3260/iqn.2001-05.com.equallogic:0-8a0906-4fb1f7d03-455f49b421252a57-s2-sluo-270305-2/0,if=none,id=drive-data-disk,cache=none,format=raw,aio=native" | nc -U /tmp/monitor2
    sleep 2
    echo "device_add virtio-scsi-pci,id=scsi1,bus=pci.0,addr=0x7,num_queues=4" | nc -U /tmp/monitor2
    sleep 1
    echo "device_add scsi-hd,drive=drive-data-disk,bus=scsi1.0,id=libiscsi-data-disk" | nc -U /tmp/monitor2
    sleep 1
done

Actual results:
After step 2, qemu segfaults (core dumped). I will paste the core dump log later.

Expected results:
There should not be any core dump.

Additional info:

Comment 1 Sibiao Luo 2013-12-13 02:44:35 UTC
Core was generated by `/usr/libexec/qemu-kvm -M pc -cpu SandyBridge -enable-kvm -m 2048 -smp 4,sockets'.
Program terminated with signal 11, Segmentation fault.
#0  bdrv_getlength (bs=0x0) at block.c:2884
2884	    BlockDriver *drv = bs->drv;
(gdb) bt
#0  bdrv_getlength (bs=0x0) at block.c:2884
#1  0x00007f0473433ccd in bdrv_get_geometry (bs=<optimized out>, nb_sectors_ptr=nb_sectors_ptr@entry=0x7f0466670990)
    at block.c:2901
#2  0x00007f04734e3f66 in scsi_disk_reset (dev=0x7f04765317b0) at hw/scsi/scsi-disk.c:1982
#3  0x00007f0473498799 in qdev_reset_one (dev=dev@entry=0x7f04765317b0, opaque=opaque@entry=0x0) at hw/core/qdev.c:227
#4  0x00007f0473497e90 in qdev_walk_children (dev=0x7f04765317b0, devfn=devfn@entry=0x7f0473498780 <qdev_reset_one>, 
    busfn=busfn@entry=0x7f0473496780 <qbus_reset_one>, opaque=opaque@entry=0x0) at hw/core/qdev.c:376
#5  0x00007f0473497f9a in qbus_walk_children (bus=bus@entry=0x7f04769db3d0, 
    devfn=devfn@entry=0x7f0473498780 <qdev_reset_one>, busfn=busfn@entry=0x7f0473496780 <qbus_reset_one>, 
    opaque=opaque@entry=0x0) at hw/core/qdev.c:360
#6  0x00007f047349800d in qbus_reset_all (bus=bus@entry=0x7f04769db3d0) at hw/core/qdev.c:248
#7  0x00007f04735d5783 in virtio_scsi_reset (vdev=<optimized out>) at /usr/src/debug/qemu-1.5.3/hw/scsi/virtio-scsi.c:451
#8  0x00007f04735dd34e in virtio_reset (opaque=0x7f04769db2b8) at /usr/src/debug/qemu-1.5.3/hw/virtio/virtio.c:543
#9  0x00007f047350ea40 in virtio_ioport_write (val=0, addr=<optimized out>, opaque=0x7f04769daac0)
    at hw/virtio/virtio-pci.c:307
#10 virtio_pci_config_write (opaque=0x7f04769daac0, addr=<optimized out>, val=0, size=<optimized out>)
    at hw/virtio/virtio-pci.c:422
#11 0x00007f04735e3a62 in access_with_adjusted_size (addr=addr@entry=18, value=value@entry=0x7f0466670b58, size=1, 
    access_size_min=<optimized out>, access_size_max=<optimized out>, 
    access=access@entry=0x7f04735e4020 <memory_region_write_accessor>, opaque=opaque@entry=0x7f04769db170)
    at /usr/src/debug/qemu-1.5.3/memory.c:364
#12 0x00007f04735e4f37 in memory_region_iorange_write (iorange=<optimized out>, offset=18, width=1, data=0)
    at /usr/src/debug/qemu-1.5.3/memory.c:439
#13 0x00007f04735e2602 in kvm_handle_io (count=1, size=1, direction=1, data=<optimized out>, port=4114)
    at /usr/src/debug/qemu-1.5.3/kvm-all.c:1497
#14 kvm_cpu_exec (env=env@entry=0x7f0474b9d2b0) at /usr/src/debug/qemu-1.5.3/kvm-all.c:1649
#15 0x00007f047358dad5 in qemu_kvm_cpu_thread_fn (arg=0x7f0474b9d2b0) at /usr/src/debug/qemu-1.5.3/cpus.c:793
#16 0x00007f04713c7de3 in start_thread () from /lib64/libpthread.so.0
#17 0x00007f046e50e26d in clone () from /lib64/libc.so.6
(gdb) 
(gdb) bt full
#0  bdrv_getlength (bs=0x0) at block.c:2884
        drv = <optimized out>
#1  0x00007f0473433ccd in bdrv_get_geometry (bs=<optimized out>, nb_sectors_ptr=nb_sectors_ptr@entry=0x7f0466670990)
    at block.c:2901
        length = <optimized out>
#2  0x00007f04734e3f66 in scsi_disk_reset (dev=0x7f04765317b0) at hw/scsi/scsi-disk.c:1982
        s = 0x7f04765317b0
        nb_sectors = 139657180933576
#3  0x00007f0473498799 in qdev_reset_one (dev=dev@entry=0x7f04765317b0, opaque=opaque@entry=0x0) at hw/core/qdev.c:227
No locals.
#4  0x00007f0473497e90 in qdev_walk_children (dev=0x7f04765317b0, devfn=devfn@entry=0x7f0473498780 <qdev_reset_one>, 
    busfn=busfn@entry=0x7f0473496780 <qbus_reset_one>, opaque=opaque@entry=0x0) at hw/core/qdev.c:376
        bus = <optimized out>
        err = <optimized out>
#5  0x00007f0473497f9a in qbus_walk_children (bus=bus@entry=0x7f04769db3d0, 
    devfn=devfn@entry=0x7f0473498780 <qdev_reset_one>, busfn=busfn@entry=0x7f0473496780 <qbus_reset_one>, 
    opaque=opaque@entry=0x0) at hw/core/qdev.c:360
        kid = 0x7f047650e0d0
        err = <optimized out>
#6  0x00007f047349800d in qbus_reset_all (bus=bus@entry=0x7f04769db3d0) at hw/core/qdev.c:248
No locals.
#7  0x00007f04735d5783 in virtio_scsi_reset (vdev=<optimized out>) at /usr/src/debug/qemu-1.5.3/hw/scsi/virtio-scsi.c:451
        s = 0x7f04769db2b8
        __func__ = "virtio_scsi_reset"
        vs = 0x7f04769db2b8
#8  0x00007f04735dd34e in virtio_reset (opaque=0x7f04769db2b8) at /usr/src/debug/qemu-1.5.3/hw/virtio/virtio.c:543
        vdev = 0x7f04769db2b8
        k = 0x7f0474c4c460
        __func__ = "virtio_reset"
        i = <optimized out>
#9  0x00007f047350ea40 in virtio_ioport_write (val=0, addr=<optimized out>, opaque=0x7f04769daac0)
    at hw/virtio/virtio-pci.c:307
        proxy = 0x7f04769daac0
        vdev = 0x7f04769db2b8
        pa = <optimized out>
#10 virtio_pci_config_write (opaque=0x7f04769daac0, addr=<optimized out>, val=0, size=<optimized out>)
    at hw/virtio/virtio-pci.c:422
        proxy = 0x7f04769daac0
#11 0x00007f04735e3a62 in access_with_adjusted_size (addr=addr@entry=18, value=value@entry=0x7f0466670b58, size=1, 
    access_size_min=<optimized out>, access_size_max=<optimized out>, 
    access=access@entry=0x7f04735e4020 <memory_region_write_accessor>, opaque=opaque@entry=0x7f04769db170)
    at /usr/src/debug/qemu-1.5.3/memory.c:364
        access_mask = 255
        access_size = 1
        i = <optimized out>
#12 0x00007f04735e4f37 in memory_region_iorange_write (iorange=<optimized out>, offset=18, width=1, data=0)
    at /usr/src/debug/qemu-1.5.3/memory.c:439
        mrio = <optimized out>
        mr = 0x7f04769db170
        __PRETTY_FUNCTION__ = "memory_region_iorange_write"
#13 0x00007f04735e2602 in kvm_handle_io (count=1, size=1, direction=1, data=<optimized out>, port=4114)
    at /usr/src/debug/qemu-1.5.3/kvm-all.c:1497
        i = 0
        ptr = 0x7f0473365000 <Address 0x7f0473365000 out of bounds>
#14 kvm_cpu_exec (env=env@entry=0x7f0474b9d2b0) at /usr/src/debug/qemu-1.5.3/kvm-all.c:1649
        cpu = 0x7f0474b9d1a0
        __func__ = "kvm_cpu_exec"
        run = 0x7f0473364000
        ret = <optimized out>
        run_ret = <optimized out>
#15 0x00007f047358dad5 in qemu_kvm_cpu_thread_fn (arg=0x7f0474b9d2b0) at /usr/src/debug/qemu-1.5.3/cpus.c:793
        cpu = 0x7f0474b9d1a0
        __func__ = "qemu_kvm_cpu_thread_fn"
        r = <optimized out>
#16 0x00007f04713c7de3 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#17 0x00007f046e50e26d in clone () from /lib64/libc.so.6
No symbol table info available.
(gdb)
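The backtrace above shows the crash mechanism: a guest write to the virtio-pci status register (frames #9/#10) resets the virtio-scsi controller, qbus_reset_all walks every child device on the SCSI bus, and scsi_disk_reset reaches bdrv_getlength with bs=0x0 because one child's block backend is already gone (frames #0 to #7). The following C program is an added model of that failure mode written for this page; it is not QEMU source and not the fix applied for the duplicate bug 1046248. All struct and function names are constructed (the drive and device ids are borrowed from the report's command line only as labels), and "report a detached device as zero-length and skip it on reset" is one defensive choice made for the model, not QEMU's behaviour.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model for this bug page, not QEMU source: a block backend,
 * a SCSI-like disk device holding a nullable pointer to it, and a bus that
 * resets every child the way the backtrace shows qbus_reset_all doing
 * (qbus_walk_children -> qdev_reset_one -> scsi_disk_reset). */

typedef struct BlockBackend {
    const char *id;
    long long length;        /* size in bytes */
} BlockBackend;

typedef struct Device {
    const char *id;
    BlockBackend *bs;        /* NULL once the drive has been deleted */
    long long nb_sectors;    /* recomputed by the reset handler */
} Device;

#define MAX_CHILDREN 4

typedef struct Bus {
    Device *children[MAX_CHILDREN];
    int nchildren;
} Bus;

/* Stands in for bdrv_getlength(bs): frame #0 dereferences bs without a
 * NULL check, so a detached drive faults right here. */
static long long bdrv_getlength_model(BlockBackend *bs)
{
    return bs->length;
}

/* Unguarded reset handler, the shape of the crashing path: only safe
 * while dev->bs is non-NULL. */
static void disk_reset_unguarded(Device *dev)
{
    dev->nb_sectors = bdrv_getlength_model(dev->bs) / 512;
}

/* Guarded reset handler: a device whose drive is gone is reported as a
 * zero-length disk and skipped. This is a defensive choice made for the
 * model; it is not the fix QEMU applied. Returns 1 if the device was
 * actually reset, 0 if it was skipped. */
static int disk_reset_guarded(Device *dev)
{
    if (dev->bs == NULL) {
        dev->nb_sectors = 0;
        return 0;
    }
    dev->nb_sectors = bdrv_getlength_model(dev->bs) / 512;
    return 1;
}

/* Bus-wide reset, as qbus_reset_all walks every child; returns how many
 * children still had a backend and were reset. */
static int bus_reset_all_guarded(Bus *bus)
{
    int reset = 0;
    for (int i = 0; i < bus->nchildren; i++) {
        reset += disk_reset_guarded(bus->children[i]);
    }
    return reset;
}

/* Simulates the drive being deleted while the device object is still a
 * child of the bus, the state frame #2 of the backtrace ran into. */
static void drive_detach(Device *dev)
{
    dev->bs = NULL;
}

typedef struct Outcome {
    int devices_reset;
    long long sys_sectors;
    long long data_sectors;
} Outcome;

/* Constructed scenario: two disks on one bus, the data disk's drive is
 * deleted from under it, then the guest resets the controller. */
Outcome run_scenario(void)
{
    BlockBackend sys  = { "drive-system-disk", 8LL << 30 };  /* 8 GiB */
    BlockBackend data = { "drive-data-disk",   1LL << 30 };  /* 1 GiB */
    Device d0 = { "libiscsi-system-disk", &sys,  0 };
    Device d1 = { "libiscsi-data-disk",   &data, 0 };
    Bus bus = { { &d0, &d1 }, 2 };
    Outcome o;

    drive_detach(&d1);
    o.devices_reset = bus_reset_all_guarded(&bus);
    o.sys_sectors   = d0.nb_sectors;
    o.data_sectors  = d1.nb_sectors;
    return o;
}

int main(void)
{
    BlockBackend bb = { "drive-demo", 1LL << 20 };
    Device attached = { "demo-disk", &bb, 0 };
    Outcome o;

    disk_reset_unguarded(&attached);   /* fine while the drive is attached */
    printf("attached demo disk: %lld sectors\n", attached.nb_sectors);

    o = run_scenario();
    printf("children reset with a backend: %d\n", o.devices_reset);
    printf("system disk: %lld sectors, detached data disk: %lld sectors\n",
           o.sys_sectors, o.data_sectors);
    return 0;
}
```

Running the scenario through the unguarded handler instead of the guarded one reproduces the shape of frame #0: the walker reaches the detached child and dereferences a NULL backend. The point for a reviewer of such a trace is that the reset is driven by guest I/O, so the window between drive deletion and device removal is reachable from inside the guest, not only from the monitor.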

Comment 2 Amos Kong 2014-01-14 02:32:22 UTC
If you can provide the script's error output next time, it would be appreciated.

You should use a unique "id" when you execute the monitor command, so this is actually not a repeated hotplug. I always use an increasing number as the suffix of the id.

It seems to be the same issue as bug 1046248.

Comment 4 Sibiao Luo 2014-01-15 03:15:59 UTC
Hi akong,

I tried your private build, which did not hit this issue any more; thanks for your help.

host info:
# uname -r && rpm -q qemu-kvm
3.10.0-66.el7.x86_64.debug
qemu-kvm-1.5.3-32.el7.qdev.x86_64
guest info:
# uname -r
3.10.0-66.el7.x86_64.debug

Best Regards,
sluo

Comment 5 Amos Kong 2014-01-15 03:20:23 UTC

*** This bug has been marked as a duplicate of bug 1046248 ***

