Bug 1049734 - PCI: QEMU crash on illegal operation: attaching a function to a non multi-function device
Summary: PCI: QEMU crash on illegal operation: attaching a function to a non multi-fun...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Marcel Apfelbaum
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-01-08 06:04 UTC by Sibiao Luo
Modified: 2015-03-05 08:03 UTC (History)

Fixed In Version: qemu-kvm-1.5.3-78.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 08:03:29 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0349 0 normal SHIPPED_LIVE Important: qemu-kvm security, bug fix, and enhancement update 2015-03-05 12:27:34 UTC

Description Sibiao Luo 2014-01-08 06:04:14 UTC
Description of problem:
Hot-plugging many multi-function virtio-blk devices into a guest that has all the device addrs specified on the qemu-kvm command line causes QEMU to core dump, after the prompt "PCI: single function device can't be populated in function x.x".

Version-Release number of selected component (if applicable):
host info:
# uname -r && rpm -q qemu-kvm-rhev
3.10.0-66.el7.x86_64.debug
qemu-kvm-rhev-1.5.3-31.el7.x86_64
guest info:
# uname -r
3.10.0-66.el7.x86_64.debug

How reproducible:
100%

Steps to Reproduce:
1. Boot up a guest with all the device addrs specified on the qemu-kvm command line.
2. Hot-plug many multi-function virtio-blk devices.
# cat repeat_add.sh 
# Walk slots 3..0x1f; slots 3-7 already hold the single-function devices
# given on the qemu-kvm command line (see Additional info below).
for i in $(seq 3 9) a b c d e f 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f; do
#for i in $(seq 5 5); do
    # Functions 1-7 first, then function 0 of the same slot.
    for j in $(seq 1 7) 0; do
        qemu-img create "/tmp/resize$i$j.qcow2" 1M -f qcow2
        sleep 2
        # Add the drive through the HMP unix socket the guest was started
        # with (-monitor unix:/tmp/monitor2,server,nowait).
        echo "__com.redhat_drive_add id=drv$i$j,file=/tmp/resize$i$j.qcow2"
        echo "__com.redhat_drive_add id=drv$i$j,file=/tmp/resize$i$j.qcow2" | nc -U /tmp/monitor2
        sleep 2
        # Hot-plug virtio-blk-pci at slot $i, function $j, as a multifunction device.
        echo "device_add virtio-blk-pci,id=dev$i$j,drive=drv$i$j,addr=0x$i.$j,multifunction=on"
        echo "device_add virtio-blk-pci,id=dev$i$j,drive=drv$i$j,addr=0x$i.$j,multifunction=on" | nc -U /tmp/monitor2
    done
done

Actual results:
After step 2, "PCI: single function device can't be populated in function x.x" is printed and QEMU core dumps. I will paste the core dump log later.
# sh repeat_add.sh 
Formatting '/tmp/resize31.qcow2', fmt=qcow2 size=1048576 encryption=off cluster_size=65536 lazy_refcounts=off 
__com.redhat_drive_add id=drv31,file=/tmp/resize31.qcow2
QEMU 1.5.3 monitor - type 'help' for more information
(qemu) __com.redhat_drive_add id=drv31,file=/tmp/resize31.qcow2
(qemu) device_add virtio-blk-pci,id=dev31,drive=drv31,addr=0x3.1,multifunction=on
QEMU 1.5.3 monitor - type 'help' for more information
(qemu) device_add virtio-blk-pci,id=dev31,drive=drv31,addr=0x3.1,multifunction=on
PCI: single function device can't be populated in function 3.1
Device initialization failed.
Device 'virtio-blk-pci' could not be initialized
(qemu) Formatting '/tmp/resize32.qcow2', fmt=qcow2 size=1048576 encryption=off cluster_size=65536 lazy_refcounts=off 
__com.redhat_drive_add id=drv32,file=/tmp/resize32.qcow2
QEMU 1.5.3 monitor - type 'help' for more information
(qemu) __com.redhat_drive_add id=drv32,file=/tmp/resize32.qcow2
(qemu) device_add virtio-blk-pci,id=dev32,drive=drv32,addr=0x3.2,multifunction=on
QEMU 1.5.3 monitor - type 'help' for more information
(qemu) device_add virtio-blk-pci,id=dev32,drive=drv32,addr=0x3.2,multifunction=on
Formatting '/tmp/resize33.qcow2', fmt=qcow2 size=1048576 encryption=off cluster_size=65536 lazy_refcounts=off 
__com.redhat_drive_add id=drv33,file=/tmp/resize33.qcow2
Ncat: Connection refused.
device_add virtio-blk-pci,id=dev33,drive=drv33,addr=0x3.3,multifunction=on
Ncat: Connection refused.
Formatting '/tmp/resize34.qcow2', fmt=qcow2 size=1048576 encryption=off cluster_size=65536 lazy_refcounts=off 
__com.redhat_drive_add id=drv34,file=/tmp/resize34.qcow2
Ncat: Connection refused.

Expected results:
No core dump should occur.

Additional info:
# /usr/libexec/qemu-kvm -M pc -S -cpu SandyBridge -enable-kvm -m 4096 -smp 4,sockets=2,cores=2,threads=1 -no-kvm-pit-reinjection -usb -device usb-tablet,id=input0 -name sluo -uuid 990ea161-6b67-47b2-b803-19fb01d30d30 -rtc base=localtime,clock=host,driftfix=slew -device virtio-serial-pci,id=virtio-serial0,max_ports=16,vectors=0,bus=pci.0,addr=0x3 -chardev socket,id=channel1,path=/tmp/helloworld1,server,nowait -device virtserialport,chardev=channel1,name=com.redhat.rhevm.vdsm,bus=virtio-serial0.0,id=port1 -chardev socket,id=channel2,path=/tmp/helloworld2,server,nowait -device virtserialport,chardev=channel2,name=com.redhat.rhevm.vdsm,bus=virtio-serial0.0,id=port2 -drive file=iscsi://10.66.90.100:3260/iqn.2001-05.com.equallogic:0-8a0906-4c41f7d03-453f49b421052a57-s2-sluo-270305-1/0,if=none,id=drive-system-disk,cache=none,aio=native,werror=stop,rerror=stop -iscsi id=iqn0 -device virtio-blk-pci,vectors=0,bus=pci.0,addr=0x4,scsi=off,drive=drive-system-disk,id=system-disk,bootindex=1 -netdev tap,id=hostnet0,vhost=on,script=/etc/qemu-ifup -device virtio-net-pci,netdev=hostnet0,id=virtio-net-pci0,mac=00:01:02:03:40:21,bus=pci.0,addr=0x5 -device virtio-balloon-pci,id=ballooning,bus=pci.0,addr=0x6 -global PIIX4_PM.disable_s3=0 -global PIIX4_PM.disable_s4=0 -drive file=iscsi://10.66.90.100:3260/iqn.2001-05.com.equallogic:0-8a0906-4fb1f7d03-455f49b421252a57-s2-sluo-270305-2/0,if=none,id=drive-data-disk,format=raw,cache=none,aio=native,werror=stop,rerror=stop -iscsi id=iqn1 -device virtio-scsi-pci,id=scsi1,bus=pci.0,addr=0x7 -device scsi-block,drive=drive-data-disk,bus=scsi1.0,id=data-disk -qmp tcp:0:4444,server,nowait -serial unix:/tmp/ttyS0,server,nowait -k en-us -boot menu=on -spice disable-ticketing,port=5931 -monitor stdio -monitor unix:/tmp/monitor2,server,nowait

Comment 1 Sibiao Luo 2014-01-08 06:04:41 UTC
Core was generated by `/usr/libexec/qemu-kvm -M pc -S -cpu SandyBridge -enable-kvm -m 4096 -smp 4,sock'.
Program terminated with signal 11, Segmentation fault.
#0  memory_region_update_coalesced_range_as (mr=mr@entry=0x7f997fa5dc10, as=as@entry=0x7f997fc21260)
    at /usr/src/debug/qemu-1.5.3/memory.c:1161
1161	    FOR_EACH_FLAT_RANGE(fr, as->current_map) {

(gdb) bt
#0  memory_region_update_coalesced_range_as (mr=mr@entry=0x7f997fa5dc10, as=as@entry=0x7f997fc21260)
    at /usr/src/debug/qemu-1.5.3/memory.c:1161
#1  0x00007f997b116c0b in memory_region_update_coalesced_range (mr=0x7f997fa5dc10)
    at /usr/src/debug/qemu-1.5.3/memory.c:1193
#2  memory_region_clear_coalescing (mr=mr@entry=0x7f997fa5dc10) at /usr/src/debug/qemu-1.5.3/memory.c:1227
#3  0x00007f997b116c64 in memory_region_destroy (mr=0x7f997fa5dc10) at /usr/src/debug/qemu-1.5.3/memory.c:1026
#4  0x00007f997b0c109d in destroy_page_desc (section_index=<optimized out>) at /usr/src/debug/qemu-1.5.3/exec.c:702
#5  destroy_l2_mapping (lp=0x7f997e242e84, level=level@entry=0) at /usr/src/debug/qemu-1.5.3/exec.c:721
#6  0x00007f997b0c1058 in destroy_l2_mapping (lp=0x7f997e241e90, level=level@entry=1)
    at /usr/src/debug/qemu-1.5.3/exec.c:719
#7  0x00007f997b0c1058 in destroy_l2_mapping (lp=0x7f997e241690, level=level@entry=2)
    at /usr/src/debug/qemu-1.5.3/exec.c:719
#8  0x00007f997b0c1058 in destroy_l2_mapping (lp=lp@entry=0x7f997d73aeb0, level=level@entry=3)
    at /usr/src/debug/qemu-1.5.3/exec.c:719
#9  0x00007f997b0c1106 in destroy_all_mappings (d=<optimized out>) at /usr/src/debug/qemu-1.5.3/exec.c:730
#10 mem_begin (listener=0x7f997d73aeb8) at /usr/src/debug/qemu-1.5.3/exec.c:1750
#11 0x00007f997b1154b0 in memory_region_transaction_commit () at /usr/src/debug/qemu-1.5.3/memory.c:747
#12 0x00007f997b002100 in do_pci_register_device (devfn=26, name=0x7f997d71a5e0 "virtio-blk-pci", bus=0x7f997d795a30, 
    pci_dev=0x7f997fc21040) at hw/pci/pci.c:819
#13 pci_qdev_init (qdev=0x7f997fc21040) at hw/pci/pci.c:1709
#14 0x00007f997afbda84 in device_realize (dev=0x7f997fc21040, err=0x7fffa55fe580) at hw/core/qdev.c:178
#15 0x00007f997afbefab in device_set_realized (obj=0x7f997fc21040, value=<optimized out>, err=0x7fffa55fe690)
    at hw/core/qdev.c:693
#16 0x00007f997b080c9e in property_set_bool (obj=0x7f997fc21040, v=<optimized out>, opaque=0x7f997e9c25d0, 
    name=<optimized out>, errp=0x7fffa55fe690) at qom/object.c:1302
#17 0x00007f997b083857 in object_property_set_qobject (obj=0x7f997fc21040, value=<optimized out>, 
    name=0x7f997b1f885a "realized", errp=0x7fffa55fe690) at qom/qom-qobject.c:24
#18 0x00007f997b082660 in object_property_set_bool (obj=obj@entry=0x7f997fc21040, value=value@entry=true, 
    name=name@entry=0x7f997b1f885a "realized", errp=errp@entry=0x7fffa55fe690) at qom/object.c:853
#19 0x00007f997afbdf9a in qdev_init (dev=dev@entry=0x7f997fc21040) at hw/core/qdev.c:163
#20 0x00007f997b06da9b in qdev_device_add (opts=opts@entry=0x7f9983a1c100) at qdev-monitor.c:538
#21 0x00007f997b06debd in do_device_add (mon=<optimized out>, qdict=<optimized out>, ret_data=<optimized out>)
    at qdev-monitor.c:651
#22 0x00007f997b120490 in handle_user_command (mon=mon@entry=0x7f997d73ba80, cmdline=<optimized out>)
    at /usr/src/debug/qemu-1.5.3/monitor.c:4001
#23 0x00007f997b12089b in monitor_command_cb (mon=0x7f997d73ba80, cmdline=<optimized out>, opaque=<optimized out>)
    at /usr/src/debug/qemu-1.5.3/monitor.c:4624
#24 0x00007f997b084210 in readline_handle_byte (rs=0x7f997d766230, ch=<optimized out>) at readline.c:374
#25 0x00007f997b120804 in monitor_read (opaque=<optimized out>, buf=<optimized out>, size=<optimized out>)
    at /usr/src/debug/qemu-1.5.3/monitor.c:4610
#26 0x00007f997b071aa1 in qemu_chr_be_write (len=<optimized out>, buf=0x7fffa55fe970 "\n\b", s=0x7f997d72d930)
    at qemu-char.c:167
#27 tcp_chr_read (chan=<optimized out>, cond=<optimized out>, opaque=0x7f997d72d930) at qemu-char.c:2491
#28 0x00007f997a37fe06 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#29 0x00007f997b03e67a in glib_pollfds_poll () at main-loop.c:187
#30 os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:232
#31 main_loop_wait (nonblocking=<optimized out>) at main-loop.c:464
#32 0x00007f997af42ae0 in main_loop () at vl.c:1984
#33 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4343
(gdb) 
(gdb) bt full
#0  memory_region_update_coalesced_range_as (mr=mr@entry=0x7f997fa5dc10, as=as@entry=0x7f997fc21260)
    at /usr/src/debug/qemu-1.5.3/memory.c:1161
        fr = <optimized out>
        cmr = <optimized out>
        tmp = <optimized out>
        section = {mr = 0x33, address_space = 0x7fffa55fe328, offset_within_region = 206158430248, 
          size = 140735967913296, offset_within_address_space = 140735967913104, readonly = 13}
#1  0x00007f997b116c0b in memory_region_update_coalesced_range (mr=0x7f997fa5dc10)
    at /usr/src/debug/qemu-1.5.3/memory.c:1193
        as = 0x7f997fc21260
#2  memory_region_clear_coalescing (mr=mr@entry=0x7f997fa5dc10) at /usr/src/debug/qemu-1.5.3/memory.c:1227
        cmr = <optimized out>
#3  0x00007f997b116c64 in memory_region_destroy (mr=0x7f997fa5dc10) at /usr/src/debug/qemu-1.5.3/memory.c:1026
        __PRETTY_FUNCTION__ = "memory_region_destroy"
#4  0x00007f997b0c109d in destroy_page_desc (section_index=<optimized out>) at /usr/src/debug/qemu-1.5.3/exec.c:702
        subpage = 0x7f997fa5dc10
        section = <optimized out>
        mr = 0x7f997fa5dc10
#5  destroy_l2_mapping (lp=0x7f997e242e84, level=level@entry=0) at /usr/src/debug/qemu-1.5.3/exec.c:721
        i = <optimized out>
        p = 0x7f997e243690
#6  0x00007f997b0c1058 in destroy_l2_mapping (lp=0x7f997e241e90, level=level@entry=1)
    at /usr/src/debug/qemu-1.5.3/exec.c:719
        i = <optimized out>
        p = 0x7f997e242690
#7  0x00007f997b0c1058 in destroy_l2_mapping (lp=0x7f997e241690, level=level@entry=2)
    at /usr/src/debug/qemu-1.5.3/exec.c:719
        i = <optimized out>
        p = 0x7f997e241e90
#8  0x00007f997b0c1058 in destroy_l2_mapping (lp=lp@entry=0x7f997d73aeb0, level=level@entry=3)
    at /usr/src/debug/qemu-1.5.3/exec.c:719
        i = <optimized out>
        p = 0x7f997e241690
#9  0x00007f997b0c1106 in destroy_all_mappings (d=<optimized out>) at /usr/src/debug/qemu-1.5.3/exec.c:730
No locals.
#10 mem_begin (listener=0x7f997d73aeb8) at /usr/src/debug/qemu-1.5.3/exec.c:1750
No locals.
#11 0x00007f997b1154b0 in memory_region_transaction_commit () at /usr/src/debug/qemu-1.5.3/memory.c:747
        _listener = 0x7f997d73aeb8
        as = <optimized out>
#12 0x00007f997b002100 in do_pci_register_device (devfn=26, name=0x7f997d71a5e0 "virtio-blk-pci", bus=0x7f997d795a30, 
    pci_dev=0x7f997fc21040) at hw/pci/pci.c:819
        config_read = 0x0
        config_write = 0x0
        pc = 0x7f997d8281f0
#13 pci_qdev_init (qdev=0x7f997fc21040) at hw/pci/pci.c:1709
        pci_dev = 0x7f997fc21040
        pc = 0x7f997d8281f0
        __func__ = "pci_qdev_init"
        bus = 0x7f997d795a30
        rc = <optimized out>
        is_default_rom = <optimized out>
        __PRETTY_FUNCTION__ = "pci_qdev_init"
#14 0x00007f997afbda84 in device_realize (dev=0x7f997fc21040, err=0x7fffa55fe580) at hw/core/qdev.c:178
        rc = <optimized out>
        dc = <optimized out>
#15 0x00007f997afbefab in device_set_realized (obj=0x7f997fc21040, value=<optimized out>, err=0x7fffa55fe690)
    at hw/core/qdev.c:693
        dev = 0x7f997fc21040
        __func__ = "device_set_realized"
        dc = 0x7f997d8281f0
        local_err = 0x0
#16 0x00007f997b080c9e in property_set_bool (obj=0x7f997fc21040, v=<optimized out>, opaque=0x7f997e9c25d0, 
    name=<optimized out>, errp=0x7fffa55fe690) at qom/object.c:1302
        prop = 0x7f997e9c25d0
        value = true
        local_err = 0x0
#17 0x00007f997b083857 in object_property_set_qobject (obj=0x7f997fc21040, value=<optimized out>, 
    name=0x7f997b1f885a "realized", errp=0x7fffa55fe690) at qom/qom-qobject.c:24
        mi = 0x7f997fd03a10
#18 0x00007f997b082660 in object_property_set_bool (obj=obj@entry=0x7f997fc21040, value=value@entry=true, 
    name=name@entry=0x7f997b1f885a "realized", errp=errp@entry=0x7fffa55fe690) at qom/object.c:853
        qbool = 0x7f997fdeac10
#19 0x00007f997afbdf9a in qdev_init (dev=dev@entry=0x7f997fc21040) at hw/core/qdev.c:163
        local_err = 0x0
        __PRETTY_FUNCTION__ = "qdev_init"
#20 0x00007f997b06da9b in qdev_device_add (opts=opts@entry=0x7f9983a1c100) at qdev-monitor.c:538
        obj = <optimized out>
        k = 0x7f997d8281f0
        driver = 0x7f9983a7c970 "virtio-blk-pci"
        path = 0x0
        id = <optimized out>
        qdev = 0x7f997fc21040
        bus = <optimized out>
        __func__ = "qdev_device_add"
#21 0x00007f997b06debd in do_device_add (mon=<optimized out>, qdict=<optimized out>, ret_data=<optimized out>)
    at qdev-monitor.c:651
        local_err = 0x0
        opts = 0x7f9983a1c100
        dev = <optimized out>
#22 0x00007f997b120490 in handle_user_command (mon=mon@entry=0x7f997d73ba80, cmdline=<optimized out>)
    at /usr/src/debug/qemu-1.5.3/monitor.c:4001
        data = 0x0
        qdict = 0x7f997fa267a0
        cmd = 0x7f997b5d2560 <mon_cmds+1728>
        __PRETTY_FUNCTION__ = "handle_user_command"
#23 0x00007f997b12089b in monitor_command_cb (mon=0x7f997d73ba80, cmdline=<optimized out>, opaque=<optimized out>)
    at /usr/src/debug/qemu-1.5.3/monitor.c:4624
No locals.
#24 0x00007f997b084210 in readline_handle_byte (rs=0x7f997d766230, ch=<optimized out>) at readline.c:374
No locals.
#25 0x00007f997b120804 in monitor_read (opaque=<optimized out>, buf=<optimized out>, size=<optimized out>)
    at /usr/src/debug/qemu-1.5.3/monitor.c:4610
        old_mon = 0x0
        i = <optimized out>
#26 0x00007f997b071aa1 in qemu_chr_be_write (len=<optimized out>, buf=0x7fffa55fe970 "\n\b", s=0x7f997d72d930)
    at qemu-char.c:167
No locals.
#27 tcp_chr_read (chan=<optimized out>, cond=<optimized out>, opaque=0x7f997d72d930) at qemu-char.c:2491
        chr = 0x7f997d72d930
        s = 0x7f997d72da80
        buf = "\n\b\000\000n\001\000\000 \000\000\000\000\000\000\000\004\000\000\000\000\000\000\000\227\000\000\000\200\000\000\000\257\351_\245\377\177\000\000~\000\000\000\000\000\000\000\300\351_\245\377\177\000\000\321\063\371z\231\177\000\000\000\001\000\000\000\000\000\000`\327\354u\231\177\000\000\000\001\000\000\000\000\000\000\000;\375\004\000\000\000\000 \000\000\000\000\000\000\000`\327\354u\231\177\000\000\000\000\020\000\000\000\000\000\000;\375\004\000\000\000\000 \000\000\000\000\000\000\000\240w\251\203\231\177\000\000\030\000\000\000\231\177\000\000`\352_\245\377\177\000\000 \352_\245\377\177\000\000\000\000\020\000\000\000\000\000p\206u}\231\177\000\000\255>\v{\231\177\000\000\231\177\000\000\000\000\000\000\000"...
        len = <optimized out>
        size = <optimized out>
#28 0x00007f997a37fe06 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
No symbol table info available.
#29 0x00007f997b03e67a in glib_pollfds_poll () at main-loop.c:187
        context = 0x7f997d72bf40
        pfds = <optimized out>
#30 os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:232
        ret = 2
        spin_counter = 0
#31 main_loop_wait (nonblocking=<optimized out>) at main-loop.c:464
        ret = 2
        timeout = 4294967295
#32 0x00007f997af42ae0 in main_loop () at vl.c:1984
        nonblocking = <optimized out>
        last_io = 2
#33 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4343
        i = <optimized out>
        snapshot = 0
        linux_boot = 0
        icount_option = 0x0
        initrd_filename = 0x0
        kernel_filename = 0x0
        kernel_cmdline = 0x7f997b23d6e0 ""
        boot_order = 0x7f997b1f59c6 "cad"
        ds = <optimized out>
        cyls = 0
        heads = 0
        secs = 0
        translation = 0
        hda_opts = <optimized out>
        opts = 0x7f997d72acd0
        machine_opts = <optimized out>
        olist = <optimized out>
        optind = 69
        optarg = 0x7fffa56017d7 "unix:/tmp/monitor2,server,nowait"
        loadvm = 0x0
        machine = 0x7f997b5d04a0 <pc_machine_rhel700>
        cpu_model = 0x7fffa5601124 "SandyBridge"
        vga_model = 0x7f997b22041f "cirrus"
        pid_file = 0x0
        incoming = 0x0
        show_vnc_port = 0
        defconfig = <optimized out>
        userconfig = 36
        log_mask = <optimized out>
        log_file = 0x0
        mem_trace = {malloc = 0x7f997b0b3e90 <malloc_and_trace>, realloc = 0x7f997b0b3e50 <realloc_and_trace>, 
          free = 0x7f997b0b3e10 <free_and_trace>, calloc = 0x0, try_malloc = 0x0, try_realloc = 0x0}
        trace_events = 0x0
        trace_file = 0x0
        __PRETTY_FUNCTION__ = "main"
        args = {machine = 0x7f997b5d04a0 <pc_machine_rhel700>, ram_size = 4294967296, 
          boot_device = 0x7f997b1f59c6 "cad", kernel_filename = 0x0, kernel_cmdline = 0x7f997b23d6e0 "", 
          initrd_filename = 0x0, cpu_model = 0x7fffa5601124 "SandyBridge"}
(gdb)

Comment 2 Markus Armbruster 2014-01-16 14:17:18 UTC
Possibly related: bug 1003535 (thanks Marcel!)

Please retest with a build that includes the fix for that bug.  It hasn't been committed, yet.  You can grab the fix's test build from brew task 6834194 if you don't want to wait for the fix to land.

Comment 3 Sibiao Luo 2014-01-17 06:40:51 UTC
(In reply to Markus Armbruster from comment #2)
> Possibly related: bug 1003535 (thanks Marcel!)
> 
> Please retest with a build that includes the fix for that bug.  It hasn't
> been committed, yet.  You can grab the fix's test build from brew task
> 6834194 if you don't want to wait for the fix to land.
It's a pity, the taskID=6834197 build was closed. Could you provide it and I will try it, thanks.

Comment 4 Markus Armbruster 2014-01-17 08:03:13 UTC
Please try http://brewweb.devel.redhat.com/brew/taskinfo?taskID=6890149

Comment 5 Sibiao Luo 2014-01-20 06:07:13 UTC
(In reply to Markus Armbruster from comment #4)
> Please try http://brewweb.devel.redhat.com/brew/taskinfo?taskID=6890149
Tried your build; it still hits the same issue with the same testing as comment #0.

host info:
3.10.0-66.el7.x86_64.debug
qemu-kvm-1.5.3-35.el7.bz1049734.armbru1.x86_64
seabios-1.7.2.2-7.el7.x86_64
guest info:
3.10.0-66.el7.x86_64.debug

Core was generated by `/usr/libexec/qemu-kvm -M pc -S -cpu SandyBridge -enable-kvm -m 4096 -smp 4,sock'.
Program terminated with signal 11, Segmentation fault.
#0  memory_region_update_coalesced_range_as (mr=mr@entry=0x7f19c73daa20, as=as@entry=0x7f19c1c55620)
    at /usr/src/debug/qemu-1.5.3/memory.c:1161
1161	    FOR_EACH_FLAT_RANGE(fr, as->current_map) {

(gdb) bt
#0  memory_region_update_coalesced_range_as (mr=mr@entry=0x7f19c73daa20, as=as@entry=0x7f19c1c55620)
    at /usr/src/debug/qemu-1.5.3/memory.c:1161
#1  0x00007f19be5d793b in memory_region_update_coalesced_range (mr=0x7f19c73daa20)
    at /usr/src/debug/qemu-1.5.3/memory.c:1193
#2  memory_region_clear_coalescing (mr=mr@entry=0x7f19c73daa20) at /usr/src/debug/qemu-1.5.3/memory.c:1227
#3  0x00007f19be5d7994 in memory_region_destroy (mr=0x7f19c73daa20) at /usr/src/debug/qemu-1.5.3/memory.c:1026
#4  0x00007f19be58236e in destroy_page_desc (map=0x7f19c0a66d78, section_index=<optimized out>)
    at /usr/src/debug/qemu-1.5.3/exec.c:717
#5  destroy_l2_mapping (map=map@entry=0x7f19c0a66d78, lp=0x7f19c0b0a2e4, level=level@entry=0)
    at /usr/src/debug/qemu-1.5.3/exec.c:737
#6  0x00007f19be58232b in destroy_l2_mapping (map=map@entry=0x7f19c0a66d78, lp=0x7f19c0b092f0, level=level@entry=1)
    at /usr/src/debug/qemu-1.5.3/exec.c:735
#7  0x00007f19be58232b in destroy_l2_mapping (map=map@entry=0x7f19c0a66d78, lp=0x7f19c0b08af0, level=level@entry=2)
    at /usr/src/debug/qemu-1.5.3/exec.c:735
#8  0x00007f19be58232b in destroy_l2_mapping (map=map@entry=0x7f19c0a66d78, lp=lp@entry=0x7f19c0a66d70, 
    level=level@entry=3) at /usr/src/debug/qemu-1.5.3/exec.c:735
#9  0x00007f19be5823de in destroy_all_mappings (d=<optimized out>) at /usr/src/debug/qemu-1.5.3/exec.c:746
#10 mem_begin (listener=0x7f19c0a66da0) at /usr/src/debug/qemu-1.5.3/exec.c:1769
#11 0x00007f19be5d61e0 in memory_region_transaction_commit () at /usr/src/debug/qemu-1.5.3/memory.c:747
#12 0x00007f19be4c4400 in do_pci_register_device (devfn=26, name=0x7f19c0a465e0 "virtio-blk-pci", bus=0x7f19c0abfcc0, 
    pci_dev=0x7f19c1c55400) at hw/pci/pci.c:819
#13 pci_qdev_init (qdev=0x7f19c1c55400) at hw/pci/pci.c:1709
#14 0x00007f19be47fd64 in device_realize (dev=0x7f19c1c55400, err=0x7fff1da0c4c0) at hw/core/qdev.c:178
#15 0x00007f19be48128b in device_set_realized (obj=0x7f19c1c55400, value=<optimized out>, err=0x7fff1da0c5d0)
    at hw/core/qdev.c:693
#16 0x00007f19be541a1e in property_set_bool (obj=0x7f19c1c55400, v=<optimized out>, opaque=0x7f19c2df9ae0, 
    name=<optimized out>, errp=0x7fff1da0c5d0) at qom/object.c:1302
#17 0x00007f19be5445d7 in object_property_set_qobject (obj=0x7f19c1c55400, value=<optimized out>, 
    name=0x7f19be6b9ada "realized", errp=0x7fff1da0c5d0) at qom/qom-qobject.c:24
#18 0x00007f19be5433e0 in object_property_set_bool (obj=obj@entry=0x7f19c1c55400, value=value@entry=true, 
    name=name@entry=0x7f19be6b9ada "realized", errp=errp@entry=0x7fff1da0c5d0) at qom/object.c:853
#19 0x00007f19be48027a in qdev_init (dev=dev@entry=0x7f19c1c55400) at hw/core/qdev.c:163
#20 0x00007f19be52f8fb in qdev_device_add (opts=opts@entry=0x7f19c582c520) at qdev-monitor.c:538
#21 0x00007f19be52fd1d in do_device_add (mon=<optimized out>, qdict=<optimized out>, ret_data=<optimized out>)
    at qdev-monitor.c:651
#22 0x00007f19be5e11c0 in handle_user_command (mon=mon@entry=0x7f19c0a89f70, cmdline=<optimized out>)
    at /usr/src/debug/qemu-1.5.3/monitor.c:4001
#23 0x00007f19be5e15cb in monitor_command_cb (mon=0x7f19c0a89f70, cmdline=<optimized out>, opaque=<optimized out>)
    at /usr/src/debug/qemu-1.5.3/monitor.c:4624
#24 0x00007f19be544f90 in readline_handle_byte (rs=0x7f19c0a93290, ch=<optimized out>) at readline.c:374
#25 0x00007f19be5e1534 in monitor_read (opaque=<optimized out>, buf=<optimized out>, size=<optimized out>)
    at /usr/src/debug/qemu-1.5.3/monitor.c:4610
#26 0x00007f19be533901 in qemu_chr_be_write (len=<optimized out>, buf=0x7fff1da0c8b0 "\nÈ \035\377\177", 
    s=0x7f19c0a59950) at qemu-char.c:167
#27 tcp_chr_read (chan=<optimized out>, cond=<optimized out>, opaque=0x7f19c0a59950) at qemu-char.c:2491
#28 0x00007f19bd83fe06 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#29 0x00007f19be500e0a in glib_pollfds_poll () at main-loop.c:187
#30 os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:232
#31 main_loop_wait (nonblocking=<optimized out>) at main-loop.c:464
#32 0x00007f19be402ab0 in main_loop () at vl.c:1984
#33 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4343
(gdb) 

Best Regards,
sluo

Comment 6 Marcel Apfelbaum 2014-01-20 10:58:01 UTC
Can you please provide the output of lspci (it is a Linux guest, I hope) before
your script starts running?

Thanks!
Marcel

Comment 7 Sibiao Luo 2014-01-21 02:35:01 UTC
(In reply to Marcel Apfelbaum from comment #6)
> Can you please provide the output of lspci (it is a linux guest, I hope)
> before
> your script start running?
> 
guest ]# lspci
00:00.0 Host bridge: Intel Corporation 440FX - 82441FX PMC [Natoma] (rev 02)
00:01.0 ISA bridge: Intel Corporation 82371SB PIIX3 ISA [Natoma/Triton II]
00:01.1 IDE interface: Intel Corporation 82371SB PIIX3 IDE [Natoma/Triton II]
00:01.2 USB controller: Intel Corporation 82371SB PIIX3 USB [Natoma/Triton II] (rev 01)
00:01.3 Bridge: Intel Corporation 82371AB/EB/MB PIIX4 ACPI (rev 03)
00:02.0 VGA compatible controller: Cirrus Logic GD 5446
00:03.0 Communication controller: Red Hat, Inc Virtio console
00:04.0 SCSI storage controller: Red Hat, Inc Virtio block device
00:05.0 Ethernet controller: Red Hat, Inc Virtio network device
00:06.0 Unclassified device [00ff]: Red Hat, Inc Virtio memory balloon
00:07.0 SCSI storage controller: Red Hat, Inc Virtio SCSI

host ]# sh repeat_add.sh 
Formatting '/tmp/resize31.qcow2', fmt=qcow2 size=1048576 encryption=off cluster_size=65536 lazy_refcounts=off 
__com.redhat_drive_add id=drv31,file=/tmp/resize31.qcow2
QEMU 1.5.3 monitor - type 'help' for more information
(qemu) __com.redhat_drive_add id=drv31,file=/tmp/resize31.qcow2
(qemu) device_add virtio-blk-pci,id=dev31,drive=drv31,addr=0x3.1,multifunction=on
QEMU 1.5.3 monitor - type 'help' for more information
(qemu) device_add virtio-blk-pci,id=dev31,drive=drv31,addr=0x3.1,multifunction=on
PCI: single function device can't be populated in function 3.1
Device initialization failed.
Device 'virtio-blk-pci' could not be initialized
(qemu) Formatting '/tmp/resize32.qcow2', fmt=qcow2 size=1048576 encryption=off cluster_size=65536 lazy_refcounts=off 
__com.redhat_drive_add id=drv32,file=/tmp/resize32.qcow2
QEMU 1.5.3 monitor - type 'help' for more information
(qemu) __com.redhat_drive_add id=drv32,file=/tmp/resize32.qcow2
(qemu) device_add virtio-blk-pci,id=dev32,drive=drv32,addr=0x3.2,multifunction=on
QEMU 1.5.3 monitor - type 'help' for more information
(qemu) device_add virtio-blk-pci,id=dev32,drive=drv32,addr=0x3.2,multifunction=on
Formatting '/tmp/resize33.qcow2', fmt=qcow2 size=1048576 encryption=off cluster_size=65536 lazy_refcounts=off 
__com.redhat_drive_add id=drv33,file=/tmp/resize33.qcow2
Ncat: Connection refused.
device_add virtio-blk-pci,id=dev33,drive=drv33,addr=0x3.3,multifunction=on
Ncat: Connection refused.
Formatting '/tmp/resize34.qcow2', fmt=qcow2 size=1048576 encryption=off cluster_size=65536 lazy_refcounts=off 
^C

QEMU 1.5.3 monitor - type 'help' for more information
(qemu) (/usr/libexec/qemu-kvm:13181): SpiceWorker-Warning **: red_worker.c:11464:dev_destroy_primary_surface: double destroy of primary surface
(/usr/libexec/qemu-kvm:13181): SpiceWorker-Warning **: red_worker.c:9650:red_create_surface: condition `surface->context.canvas' reached

(qemu) main_channel_link: add main channel client
main_channel_handle_parsed: net test: latency 120.224000 ms, bitrate 15515151515 bps (14796.401515 Mbps)
inputs_connect: inputs channel client create
red_dispatcher_set_cursor_peer: 

(qemu) c
(qemu) Segmentation fault (core dumped)

Best Regards,
sluo

Comment 8 Markus Armbruster 2014-01-21 12:36:28 UTC
Simplified reproducer:

1. qemu-kvm -nodefaults -S -display none -monitor stdio -device virtio-serial-pci -drive if=none,id=drv0,file=tmp.qcow2

   The contents of tmp.qcow2 don't matter.

2. Monitor command "info pci" shows:

      Bus  0, device   0, function 0:
	Host bridge: PCI device 8086:1237
	  id ""
      Bus  0, device   1, function 0:
	ISA bridge: PCI device 8086:7000
	  id ""
      Bus  0, device   1, function 1:
	IDE controller: PCI device 8086:7010
	  BAR4: I/O at 0xffffffffffffffff [0x000e].
	  id ""
      Bus  0, device   1, function 3:
	Bridge: PCI device 8086:7113
	  IRQ 0.
	  id ""
      Bus  0, device   2, function 0:
	Class 1920: PCI device 1af4:1003
	  IRQ 0.
	  BAR0: I/O at 0xffffffffffffffff [0x001e].
	  BAR1: 32 bit memory at 0xffffffffffffffff [0x00000ffe].
	  id ""

   The mandatory chipset devices are in slot 0 and 1, as usual.  The
   virtio-serial-pci device is in slot 2.  All other slots are unused.

3. Plug virtio-blk-pci into slot 2.1, and watch it fail:

    (qemu) device_add virtio-blk-pci,drive=drv0,addr=0x2.1,multifunction=on
    PCI: single function device can't be populated in function 2.1
    Device initialization failed.
    Device 'virtio-blk-pci' could not be initialized

4. Do it again, and watch it crash:

    (qemu) device_add virtio-blk-pci,drive=drv0,addr=0x2.1,multifunction=on
    Segmentation fault (core dumped)

   Backtrace matches the one in comment#1:

    #0  0x00005555557e5e14 in memory_region_update_coalesced_range_as (as=0x5555566e9840, mr=0x5555566f51a0) at /work/armbru/qemu-kvm-rhel7/memory.c:1156
    #1  memory_region_update_coalesced_range (mr=mr@entry=0x5555566f51a0) at /work/armbru/qemu-kvm-rhel7/memory.c:1188
    #2  0x00005555557e988d in memory_region_clear_coalescing (mr=mr@entry=0x5555566f51a0) at /work/armbru/qemu-kvm-rhel7/memory.c:1222
    #3  0x00005555557e98d7 in memory_region_destroy (mr=0x5555566f51a0) at /work/armbru/qemu-kvm-rhel7/memory.c:1027
    #4  0x00005555557911de in destroy_page_desc (map=0x5555565175c8, section_index=<optimized out>) at /work/armbru/qemu-kvm-rhel7/exec.c:719
    #5  destroy_l2_mapping (map=map@entry=0x5555565175c8, lp=0x5555566b13f0, level=level@entry=0) at /work/armbru/qemu-kvm-rhel7/exec.c:739
    #6  0x000055555579119b in destroy_l2_mapping (map=map@entry=0x5555565175c8, lp=0x5555566b0bf0, level=level@entry=1) at /work/armbru/qemu-kvm-rhel7/exec.c:737
    #7  0x000055555579119b in destroy_l2_mapping (map=map@entry=0x5555565175c8, lp=0x5555566b03f0, level=level@entry=2) at /work/armbru/qemu-kvm-rhel7/exec.c:737
    #8  0x000055555579119b in destroy_l2_mapping (map=map@entry=0x5555565175c8, lp=lp@entry=0x5555565175c0, level=level@entry=3) at /work/armbru/qemu-kvm-rhel7/exec.c:737
    #9  0x000055555579124e in destroy_all_mappings (d=<optimized out>) at /work/armbru/qemu-kvm-rhel7/exec.c:748
    #10 mem_begin (listener=0x5555565175e8) at /work/armbru/qemu-kvm-rhel7/exec.c:1776
    #11 0x00005555557e7fa0 in memory_region_transaction_commit () at /work/armbru/qemu-kvm-rhel7/memory.c:748
    #12 memory_region_transaction_commit () at /work/armbru/qemu-kvm-rhel7/memory.c:740
    #13 0x00005555556cf64a in do_pci_register_device (devfn=17, name=0x5555565015e0 "virtio-blk-pci", bus=0x5555566be3d0, pci_dev=0x5555566e9450) at /work/armbru/qemu-kvm-rhel7/hw/pci/pci.c:819
    #14 pci_qdev_init (qdev=0x5555566e9450) at /work/armbru/qemu-kvm-rhel7/hw/pci/pci.c:1709
    #15 0x000055555568a8c4 in device_realize (dev=0x5555566e9450, err=0x7fffffffc8b0) at /work/armbru/qemu-kvm-rhel7/hw/core/qdev.c:178
    #16 0x000055555568bf23 in device_set_realized (obj=0x5555566e9450, value=true, err=0x7fffffffc9e8) at /work/armbru/qemu-kvm-rhel7/hw/core/qdev.c:693
    #17 0x000055555574caae in property_set_bool (obj=0x5555566e9450, v=<optimized out>, opaque=0x5555566e62d0, name=<optimized out>, errp=0x7fffffffc9e8) at /work/armbru/qemu-kvm-rhel7/qom/object.c:1302
    #18 0x000055555574fb65 in object_property_set_qobject (obj=0x5555566e9450, value=<optimized out>, name=0x5555558bb26b "realized", errp=0x7fffffffc9e8) at /work/armbru/qemu-kvm-rhel7/qom/qom-qobject.c:24
    #19 0x000055555574e7de in object_property_set_bool (obj=obj@entry=0x5555566e9450, value=value@entry=true, name=name@entry=0x5555558bb26b "realized", errp=errp@entry=0x7fffffffc9e8) at /work/armbru/qemu-kvm-rhel7/qom/object.c:853
    #20 0x00005555557395bf in qdev_device_add (opts=opts@entry=0x5555566fbac0) at /work/armbru/qemu-kvm-rhel7/qdev-monitor.c:551
    #21 0x00005555557399aa in do_device_add (mon=<optimized out>, qdict=<optimized out>, ret_data=<optimized out>) at /work/armbru/qemu-kvm-rhel7/qdev-monitor.c:668
    #22 0x00005555557f364e in handle_user_command (mon=mon@entry=0x55555651c780, cmdline=<optimized out>) at /work/armbru/qemu-kvm-rhel7/monitor.c:4001
    #23 0x00005555557f3aeb in monitor_command_cb (mon=0x55555651c780, cmdline=<optimized out>, opaque=<optimized out>) at /work/armbru/qemu-kvm-rhel7/monitor.c:4624
    #24 0x00005555557505a3 in readline_handle_byte (rs=0x555556684290, ch=<optimized out>) at /work/armbru/qemu-kvm-rhel7/readline.c:374
    #25 0x00005555557f3834 in monitor_read (opaque=<optimized out>, buf=<optimized out>, size=<optimized out>) at /work/armbru/qemu-kvm-rhel7/monitor.c:4610
    #26 0x000055555573cc92 in qemu_chr_be_write (len=<optimized out>, buf=0x7fffffffcbf0 "\r\323IVUU", s=0x555556514e80) at /work/armbru/qemu-kvm-rhel7/qemu-char.c:167
    #27 fd_chr_read (chan=<optimized out>, cond=<optimized out>, opaque=0x555556514e80) at /work/armbru/qemu-kvm-rhel7/qemu-char.c:850
    #28 0x00007ffff74f3a55 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
    #29 0x000055555570d728 in glib_pollfds_poll () at /work/armbru/qemu-kvm-rhel7/main-loop.c:187
    #30 os_host_main_loop_wait (timeout=<optimized out>) at /work/armbru/qemu-kvm-rhel7/main-loop.c:232
    #31 main_loop_wait (nonblocking=<optimized out>) at /work/armbru/qemu-kvm-rhel7/main-loop.c:464
    #32 0x0000555555608511 in main_loop () at /work/armbru/qemu-kvm-rhel7/vl.c:1988

Latest upstream does *not* crash in step 4.

Comment 9 Markus Armbruster 2014-01-21 13:20:14 UTC
Correction: latest upstream *does* crash in step 4.  But sometimes it takes more than two device_add attempts to crash it.

Comment 10 Marcel Apfelbaum 2014-01-30 08:08:49 UTC
In the scenario described above, a function is added to 00.03.1,
but there is already a *non* multi-function device at 00.03.0
(see lspci print). This is not allowed by the PCI spec.

Adding the device function to a free slot or to a multi-function
device solves the problem.

However, there is a bug in the error flow described above.
The resolution is already posted upstream and will be backported soon.

In the meantime I suggest renaming the BZ and changing the priority/severity.
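
As an added illustration for the two points in the comment above (the multi-function rule, and why the order of validation versus state mutation matters on the error path), the following C model replays the reproducer from comment 8 with both orderings. This is example code written for this bug page; it is not QEMU's code and not the upstream fix referenced later in this bug. The bus layout, the register_validate_* functions and the regions_mapped flag are simplified stand-ins for the real data structures; only the header-type offset, the multi-function bit and the devfn macros follow the PCI spec.

```c
/* Toy model of PCI slot/function registration written for this bug report.
 * Not QEMU code: bus layout, register_validate_* and regions_mapped are
 * simplified stand-ins for the real data structures. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PCI_HEADER_TYPE                0x0e  /* config-space offset (PCI spec) */
#define PCI_HEADER_TYPE_MULTI_FUNCTION 0x80  /* bit 7 of the header type byte */
#define PCI_DEVFN(slot, func) ((((slot) & 0x1f) << 3) | ((func) & 0x07))
#define PCI_SLOT(devfn)       (((devfn) >> 3) & 0x1f)
#define PCI_FUNC(devfn)       ((devfn) & 0x07)

typedef struct {
    char    name[32];
    uint8_t config[64];     /* first 64 bytes of config space */
    int     regions_mapped; /* stand-in for memory regions on the bus */
} PCIDev;

typedef struct { PCIDev *devices[32 * 8]; } PCIBus;

static PCIDev *new_dev(const char *name, int multifunction)
{
    PCIDev *d = calloc(1, sizeof *d);
    if (!d) abort();
    snprintf(d->name, sizeof d->name, "%s", name);
    if (multifunction) d->config[PCI_HEADER_TYPE] |= PCI_HEADER_TYPE_MULTI_FUNCTION;
    return d;
}

/* Rule from comment 10: function N > 0 may only be populated if function 0 of
 * the slot is absent or advertises the multi-function bit in its header type. */
static int multifunction_allowed(const PCIBus *bus, int devfn)
{
    const PCIDev *f0 = bus->devices[PCI_DEVFN(PCI_SLOT(devfn), 0)];

    if (PCI_FUNC(devfn) == 0)
        return 1;
    if (f0 && !(f0->config[PCI_HEADER_TYPE] & PCI_HEADER_TYPE_MULTI_FUNCTION)) {
        fprintf(stderr, "PCI: single function device can't be populated in "
                "function %x.%x\n", PCI_SLOT(devfn), PCI_FUNC(devfn));
        return 0;
    }
    return 1;
}

/* Broken error flow: mutate shared state, then validate. On failure the caller
 * discards the device but the bus still points at it and its regions stay
 * mapped; the next bus-wide recommit walks that stale state, which is the
 * shape of the crash in the backtraces above. */
static int register_validate_last(PCIBus *bus, PCIDev *dev, int devfn)
{
    bus->devices[devfn] = dev;
    dev->regions_mapped = 1;
    return multifunction_allowed(bus, devfn) ? 0 : -1; /* entry left dangling */
}

/* Correct error flow: validate before touching anything shared, so a rejected
 * device_add leaves the bus exactly as it was. */
static int register_validate_first(PCIBus *bus, PCIDev *dev, int devfn)
{
    if (bus->devices[devfn] || !multifunction_allowed(bus, devfn))
        return -1;
    bus->devices[devfn] = dev;
    dev->regions_mapped = 1;
    return 0;
}

/* Replay comment 8: single-function virtio-serial-pci at 00:02.0, then two
 * device_add attempts at 00:02.1. Returns how many entries of slot 2 still
 * point at a device the caller has already torn down (0 = clean error path). */
int stale_entries_after_reproducer(int validate_first)
{
    PCIBus bus;
    PCIDev *attempts[2];
    int stale = 0, i, f;

    memset(&bus, 0, sizeof bus);
    if (register_validate_first(&bus, new_dev("virtio-serial-pci", 0),
                                PCI_DEVFN(2, 0)) != 0)
        abort();

    for (i = 0; i < 2; i++) {
        attempts[i] = new_dev("virtio-blk-pci", 1); /* multifunction=on */
        int rc = validate_first
               ? register_validate_first(&bus, attempts[i], PCI_DEVFN(2, 1))
               : register_validate_last(&bus, attempts[i], PCI_DEVFN(2, 1));
        assert(rc == -1);                 /* both variants reject the add */
        attempts[i]->regions_mapped = -1; /* caller tears it down; kept allocated
                                             so a dangling entry is safe to inspect */
    }
    for (f = 1; f < 8; f++) {
        PCIDev *d = bus.devices[PCI_DEVFN(2, f)];
        if (d && d->regions_mapped == -1)
            stale++;
    }
    free(bus.devices[PCI_DEVFN(2, 0)]);
    free(attempts[0]);
    free(attempts[1]);
    return stale;
}

int main(void)
{
    printf("validate-last: %d stale, validate-first: %d stale\n",
           stale_entries_after_reproducer(0), stale_entries_after_reproducer(1));
    return 0;
}
```

With validate-last ordering the second attempt overwrites a bus entry that already points at a discarded device, so one stale entry remains; with validate-first ordering the rejected adds leave slot 2 untouched. The same check run against a free slot (no function 0) or a slot whose function 0 has the multi-function bit set succeeds, which matches the workaround given in the comment above.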

Comment 11 Sibiao Luo 2014-01-30 08:54:56 UTC
(In reply to Marcel Apfelbaum from comment #10)
> In the scenario described above, a function is added to 00.03.1,
> but there is already a *non* multi-function device at 00.03.0
> (see lspci print). This is not allowed by the PCI spec.
> 
> Adding the device function to a free slot or to a multi-function
> device solves the problem.
> 
> However, there is a bug in the error flow described above.
> The resolution is already posted upstream and will be backported soon.
> 
> In the meantime I suggest renaming the BZ and changing the
> priority/severity.
Ok, please do it, thanks.

Comment 14 Marcel Apfelbaum 2014-10-28 14:14:54 UTC
The upstream commit was: 306077640a652e090779498aadbeb0c605feaacd

Comment 15 Miroslav Rezanina 2014-11-10 09:29:37 UTC
Fix included in qemu-kvm-1.5.3-78.el7

Comment 17 huiqingding 2014-11-12 09:09:37 UTC
Reproduce this issue using the following version:
kernel-3.10.0-196.el7.x86_64
qemu-kvm-1.5.3-31.el7.x86_64

Steps to Reproduce:
1. start a vm
# /usr/libexec/qemu-kvm -nodefaults -S -display none -monitor stdio -device virtio-serial-pci -drive if=none,id=drv0,file=tmp.qcow2

2. Monitor command "info pci" shows:
(qemu) info pci
  Bus  0, device   0, function 0:
    Host bridge: PCI device 8086:1237
      id ""
  Bus  0, device   1, function 0:
    ISA bridge: PCI device 8086:7000
      id ""
  Bus  0, device   1, function 1:
    IDE controller: PCI device 8086:7010
      BAR4: I/O at 0xffffffffffffffff [0x000e].
      id ""
  Bus  0, device   1, function 3:
    Bridge: PCI device 8086:7113
      IRQ 0.
      id ""
  Bus  0, device   2, function 0:
    Class 1920: PCI device 1af4:1003
      IRQ 0.
      BAR0: I/O at 0xffffffffffffffff [0x001e].
      BAR1: 32 bit memory at 0xffffffffffffffff [0x00000ffe].
      id ""
3. Plug virtio-blk-pci into slot 2.1, and watch it fail:
(qemu) device_add virtio-blk-pci,drive=drv0,addr=0x2.1,multifunction=on
PCI: single function device can't be populated in function 2.1
Device initialization failed.
Device 'virtio-blk-pci' could not be initialized

4. Do it again, and watch it crash:
(qemu) device_add virtio-blk-pci,drive=drv0,addr=0x2.1,multifunction=on
Segmentation fault (core dumped)

(gdb) bt
#0  memory_region_update_coalesced_range_as (mr=mr@entry=0x5555567188d0, as=as@entry=0x55555670cf90) at /usr/src/debug/qemu-1.5.3/memory.c:1161
#1  0x00005555557d04bb in memory_region_update_coalesced_range (mr=0x5555567188d0) at /usr/src/debug/qemu-1.5.3/memory.c:1193
#2  memory_region_clear_coalescing (mr=mr@entry=0x5555567188d0) at /usr/src/debug/qemu-1.5.3/memory.c:1227
#3  0x00005555557d0514 in memory_region_destroy (mr=0x5555567188d0) at /usr/src/debug/qemu-1.5.3/memory.c:1026
#4  0x000055555577a94d in destroy_page_desc (section_index=<optimized out>) at /usr/src/debug/qemu-1.5.3/exec.c:702
#5  destroy_l2_mapping (lp=0x5555566ed280, level=level@entry=0) at /usr/src/debug/qemu-1.5.3/exec.c:721
#6  0x000055555577a908 in destroy_l2_mapping (lp=0x5555566eca80, level=level@entry=1) at /usr/src/debug/qemu-1.5.3/exec.c:719
#7  0x000055555577a908 in destroy_l2_mapping (lp=0x5555566ec280, level=level@entry=2) at /usr/src/debug/qemu-1.5.3/exec.c:719
#8  0x000055555577a908 in destroy_l2_mapping (lp=lp@entry=0x555556542eb0, level=level@entry=3) at /usr/src/debug/qemu-1.5.3/exec.c:719
#9  0x000055555577a9b6 in destroy_all_mappings (d=<optimized out>) at /usr/src/debug/qemu-1.5.3/exec.c:730
#10 mem_begin (listener=0x555556542eb8) at /usr/src/debug/qemu-1.5.3/exec.c:1750
#11 0x00005555557ced60 in memory_region_transaction_commit () at /usr/src/debug/qemu-1.5.3/memory.c:747
#12 0x00005555556bd3a0 in do_pci_register_device (devfn=17, name=0x555556524560 "virtio-blk-pci", bus=0x5555566d4cd0, pci_dev=0x55555670cd00) at hw/pci/pci.c:819
#13 pci_qdev_init (qdev=0x55555670cd00) at hw/pci/pci.c:1709
#14 0x0000555555678d24 in device_realize (dev=0x55555670cd00, err=0x7fffffffccd0) at hw/core/qdev.c:178
#15 0x000055555567a24b in device_set_realized (obj=0x55555670cd00, value=<optimized out>, err=0x7fffffffcde0) at hw/core/qdev.c:693
#16 0x000055555573a54e in property_set_bool (obj=0x55555670cd00, v=<optimized out>, opaque=0x55555670d6b0, name=<optimized out>, errp=0x7fffffffcde0) at qom/object.c:1302
#17 0x000055555573d107 in object_property_set_qobject (obj=0x55555670cd00, value=<optimized out>, name=0x5555558b1dba "realized", errp=0x7fffffffcde0) at qom/qom-qobject.c:24
#18 0x000055555573bf10 in object_property_set_bool (obj=obj@entry=0x55555670cd00, value=value@entry=true, name=name@entry=0x5555558b1dba "realized", errp=errp@entry=0x7fffffffcde0) at qom/object.c:853
#19 0x000055555567923a in qdev_init (dev=dev@entry=0x55555670cd00) at hw/core/qdev.c:163
#20 0x000055555572842b in qdev_device_add (opts=opts@entry=0x555556713850) at qdev-monitor.c:538
#21 0x000055555572884d in do_device_add (mon=<optimized out>, qdict=<optimized out>, ret_data=<optimized out>) at qdev-monitor.c:651
#22 0x00005555557d9d40 in handle_user_command (mon=mon@entry=0x555556559160, cmdline=<optimized out>) at /usr/src/debug/qemu-1.5.3/monitor.c:4001
#23 0x00005555557da14b in monitor_command_cb (mon=0x555556559160, cmdline=<optimized out>, opaque=<optimized out>) at /usr/src/debug/qemu-1.5.3/monitor.c:4624
#24 0x000055555573dac0 in readline_handle_byte (rs=0x5555566ab630, ch=<optimized out>) at readline.c:374
#25 0x00005555557da0b4 in monitor_read (opaque=<optimized out>, buf=<optimized out>, size=<optimized out>) at /usr/src/debug/qemu-1.5.3/monitor.c:4610
#26 0x000055555572c26b in qemu_chr_be_write (len=<optimized out>, buf=0x7fffffffd050 "\r\323\377\377\377\177", s=0x555556540750) at qemu-char.c:167
#27 fd_chr_read (chan=<optimized out>, cond=<optimized out>, opaque=0x555556540750) at qemu-char.c:850
#28 0x00007ffff74e39ba in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#29 0x00005555556f991a in glib_pollfds_poll () at main-loop.c:187
#30 os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:232
#31 main_loop_wait (nonblocking=<optimized out>) at main-loop.c:464
#32 0x0000555555601050 in main_loop () at vl.c:1984
#33 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4343

Comment 18 huiqingding 2014-11-12 09:51:37 UTC
Test this issue using the following version:
kernel-3.10.0-196.el7.x86_64
qemu-kvm-1.5.3-78.el7.x86_64

Steps to Reproduce:
1. start a vm
# /usr/libexec/qemu-kvm -nodefaults -S -display none -monitor stdio -device virtio-serial-pci -drive if=none,id=drv0,file=tmp.qcow2

2. Monitor command "info pci" shows:
(qemu) info pci
  Bus  0, device   0, function 0:
    Host bridge: PCI device 8086:1237
      id ""
  Bus  0, device   1, function 0:
    ISA bridge: PCI device 8086:7000
      id ""
  Bus  0, device   1, function 1:
    IDE controller: PCI device 8086:7010
      BAR4: I/O at 0xffffffffffffffff [0x000e].
      id ""
  Bus  0, device   1, function 3:
    Bridge: PCI device 8086:7113
      IRQ 0.
      id ""
  Bus  0, device   2, function 0:
    Class 1920: PCI device 1af4:1003
      IRQ 0.
      BAR0: I/O at 0xffffffffffffffff [0x001e].
      BAR1: 32 bit memory at 0xffffffffffffffff [0x00000ffe].
      id ""
3. Plug virtio-blk-pci into slot 2.1, and watch it fail:
(qemu) device_add virtio-blk-pci,drive=drv0,addr=0x2.1,multifunction=on
PCI: single function device can't be populated in function 2.1
Device initialization failed.
Device 'virtio-blk-pci' could not be initialized

4. Do it again, and watch it fail:
(qemu) device_add virtio-blk-pci,drive=drv0,addr=0x2.1,multifunction=on
PCI: single function device can't be populated in function 2.1
Device initialization failed.
Device 'virtio-blk-pci' could not be initialized

I also tested the scenarios of comment 0; qemu-kvm does not crash.

Comment 19 huiqingding 2014-11-13 01:42:44 UTC
Also tested qemu-kvm-rhev-2.1.2-7.el7.x86_64 using the steps of comment 18; qemu-kvm does not crash.

Comment 22 errata-xmlrpc 2015-03-05 08:03:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0349.html
