Bug 1262784 - quitting qemu-kvm during boot with data plane enabled causes a segmentation fault
Summary: quitting qemu-kvm during boot with data plane enabled causes a segmentation fault
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Stefan Hajnoczi
QA Contact: FuXiangChun
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-09-14 11:08 UTC by mazhang
Modified: 2016-11-07 20:38 UTC (History)

Fixed In Version: Qemu-2.6.0
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-07 20:38:21 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2673 0 normal SHIPPED_LIVE qemu-kvm-rhev bug fix and enhancement update 2016-11-08 01:06:13 UTC

Description mazhang 2015-09-14 11:08:00 UTC
Description of problem:
Quitting qemu-kvm during boot with data plane enabled causes a segmentation fault.

Version-Release number of selected component (if applicable):

Host:
qemu-kvm-rhev-2.3.0-22.el7.x86_64
3.10.0-314.el7.x86_64

Guest:
3.10.0-314.el7.x86_64

How reproducible:
80%

Steps to Reproduce:
1. Boot the guest with the following command line:
gdb --args /usr/libexec/qemu-kvm \
-M pc \
-cpu SandyBridge \
-m 2G \
-smp 4,sockets=2,cores=2,threads=1 \
-enable-kvm \
-name rhel7 \
-uuid 990ea161-6b67-47b2-b803-19fb01d30d12 \
-smbios type=1,manufacturer='Red Hat',product='RHEV Hypervisor',version=el6,serial=koTUXQrb,uuid=feebc8fd-f8b0-4e75-abc3-e63fcdb67170 \
-k en-us \
-rtc base=utc,clock=host,driftfix=slew \
-nodefaults \
-monitor stdio \
-qmp tcp:0:6773,server,nowait \
-boot menu=on \
-bios /usr/share/seabios/bios.bin \
-serial unix:/tmp/console0,server,nowait \
-spice port=5900,disable-ticketing \
-vga std \
-global PIIX4_PM.disable_s3=0 -global PIIX4_PM.disable_s4=0 \
-netdev tap,id=hostnet0,vhost=on \
-device virtio-net-pci,netdev=hostnet0,id=net0,mac=54:52:00:B6:40:23 \
-object iothread,id=iothread0 \
-drive file=/home/rhel7.2-64.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,cache=none,werror=stop,rerror=stop,aio=threads \
-device virtio-blk-pci,scsi=off,bus=pci.0,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1,iothread=iothread0

2. Send "q" in HMP during boot.

Actual results:
qemu-kvm segmentation fault.

q[Thread 0x7fffe5f72700 (LWP 28346) exited]


Program received signal SIGSEGV, Segmentation fault.
0x0000555555807ce1 in qcow2_get_cluster_offset (bs=bs@entry=0x555556a3e000, offset=offset@entry=3084115968, num=num@entry=0x55555d079d84, 
    cluster_offset=cluster_offset@entry=0x55555d079d88) at block/qcow2-cluster.c:486
486	    if (!l2_offset) {
Missing separate debuginfos, use: debuginfo-install alsa-lib-1.0.28-2.el7.x86_64 boost-system-1.53.0-24.el7.x86_64 boost-thread-1.53.0-24.el7.x86_64 bzip2-libs-1.0.6-13.el7.x86_64 celt051-0.5.1.3-8.el7.x86_64 cyrus-sasl-lib-2.1.26-19.2.el7.x86_64 cyrus-sasl-md5-2.1.26-19.2.el7.x86_64 cyrus-sasl-plain-2.1.26-19.2.el7.x86_64 cyrus-sasl-scram-2.1.26-19.2.el7.x86_64 dbus-libs-1.6.12-13.el7.x86_64 elfutils-libelf-0.163-2.el7.x86_64 elfutils-libs-0.163-2.el7.x86_64 flac-libs-1.3.0-5.el7_1.x86_64 glib2-2.42.2-4.el7.x86_64 glibc-2.17-105.el7.x86_64 glusterfs-api-3.7.1-11.el7.x86_64 glusterfs-libs-3.7.1-11.el7.x86_64 gmp-6.0.0-11.el7.x86_64 gnutls-3.3.8-12.el7_1.1.x86_64 gperftools-libs-2.4-2.el7.x86_64 gsm-1.0.13-11.el7.x86_64 json-c-0.11-4.el7_0.x86_64 keyutils-libs-1.5.8-3.el7.x86_64 krb5-libs-1.13.2-9.el7.x86_64 libICE-1.0.9-2.el7.x86_64 libSM-1.2.2-2.el7.x86_64 libX11-1.6.3-2.el7.x86_64 libXau-1.0.8-2.1.el7.x86_64 libXext-1.3.3-3.el7.x86_64 libXi-1.7.4-2.el7.x86_64 libXtst-1.2.2-2.1.el7.x86_64 libacl-2.2.51-12.el7.x86_64 libaio-0.3.109-13.el7.x86_64 libasyncns-0.8-7.el7.x86_64 libattr-2.4.46-12.el7.x86_64 libcap-2.22-8.el7.x86_64 libcom_err-1.42.9-7.el7.x86_64 libcurl-7.29.0-25.el7.x86_64 libdb-5.3.21-17.el7_0.1.x86_64 libffi-3.0.13-16.el7.x86_64 libgcc-4.8.5-4.el7.x86_64 libgcrypt-1.5.3-12.el7_1.1.x86_64 libgpg-error-1.12-3.el7.x86_64 libibverbs-1.1.8-6.el7.x86_64 libidn-1.28-4.el7.x86_64 libiscsi-1.9.0-6.el7.x86_64 libjpeg-turbo-1.2.90-5.el7.x86_64 libnl-1.1.4-3.el7.x86_64 libogg-1.3.0-7.el7.x86_64 libpng-1.5.13-5.el7.x86_64 librados2-0.80.7-3.el7.x86_64 librbd1-0.80.7-3.el7.x86_64 librdmacm-1.0.21-1.el7.x86_64 libseccomp-2.2.1-1.el7.x86_64 libselinux-2.2.2-6.el7.x86_64 libsndfile-1.0.25-10.el7.x86_64 libssh2-1.4.3-10.el7.x86_64 libstdc++-4.8.5-4.el7.x86_64 libtasn1-3.8-2.el7.x86_64 libunwind-1.1-5.el7.x86_64 libusbx-1.0.15-4.el7.x86_64 libuuid-2.23.2-26.el7.x86_64 libvorbis-1.3.3-8.el7.x86_64 libxcb-1.11-4.el7.x86_64 lzo-2.06-8.el7.x86_64 nettle-2.7.1-4.el7.x86_64 
nspr-4.10.8-1.el7_1.x86_64 nss-3.19.1-15.el7.x86_64 nss-softokn-freebl-3.16.2.3-14.el7.x86_64 nss-util-3.19.1-4.el7.x86_64 numactl-libs-2.0.9-5.el7_1.x86_64 openldap-2.4.40-5.el7.x86_64 openssl-libs-1.0.1e-42.el7_1.9.x86_64 p11-kit-0.20.7-3.el7.x86_64 pcre-8.32-15.el7.x86_64 pixman-0.32.6-3.el7.x86_64 pulseaudio-libs-6.0-6.el7.x86_64 snappy-1.1.0-3.el7.x86_64 spice-server-0.12.4-13.el7.x86_64 systemd-libs-219-13.el7.x86_64 tcp_wrappers-libs-7.6-77.el7.x86_64 trousers-0.3.13-1.el7.x86_64 usbredir-0.6-7.el7.x86_64 xz-libs-5.1.2-12alpha.el7.x86_64 zlib-1.2.7-15.el7.x86_64
(gdb) bt full
#0  0x0000555555807ce1 in qcow2_get_cluster_offset (bs=bs@entry=0x555556a3e000, offset=offset@entry=3084115968, num=num@entry=0x55555d079d84, 
    cluster_offset=cluster_offset@entry=0x55555d079d88) at block/qcow2-cluster.c:486
        s = 0x5555569e4a80
        l2_index = <optimized out>
        l1_index = 5
        l2_offset = <error reading variable l2_offset (Cannot access memory at address 0x28)>
        l2_table = 0x555556a3e000
        l1_bits = <optimized out>
        c = <optimized out>
        index_in_cluster = 112
        nb_clusters = <optimized out>
        nb_available = 267904
        nb_needed = 120
        ret = <optimized out>
#1  0x00005555557ffed5 in qcow2_co_readv (bs=0x555556a3e000, sector_num=6023664, remaining_sectors=8, qiov=0x5555583c6038) at block/qcow2.c:1166
        s = 0x5555569e4a80
        index_in_cluster = <optimized out>
        n1 = <optimized out>
        ret = <optimized out>
        cur_nr_sectors = 8
        cluster_offset = 0
        bytes_done = 0
        hd_qiov = {iov = 0x5555569279e0, niov = 0, nalloc = 1, size = 0}
        cluster_data = 0x0
        __PRETTY_FUNCTION__ = "qcow2_co_readv"
        __FUNCTION__ = "qcow2_co_readv"
#2  0x00005555557e250d in bdrv_aligned_preadv (bs=bs@entry=0x555556a3e000, req=req@entry=0x55555d079f00, offset=offset@entry=3084115968, bytes=bytes@entry=4096, 
    align=align@entry=512, qiov=qiov@entry=0x5555583c6038, flags=flags@entry=0) at block.c:3090
        total_sectors = 41943040
        max_nb_sectors = 35919376
        drv = 0x555555c98200 <bdrv_qcow2>
        ret = <optimized out>
        sector_num = 6023664
        nb_sectors = 8
        __PRETTY_FUNCTION__ = "bdrv_aligned_preadv"
#3  0x00005555557e2813 in bdrv_co_do_preadv (bs=bs@entry=0x555556a3e000, offset=3084115968, bytes=4096, qiov=0x5555583c6038, flags=(unknown: 0)) at block.c:3193
        drv = <optimized out>
        req = {bs = 0x555556a3e000, offset = 3084115968, bytes = 4096, is_write = false, serialising = false, overlap_offset = 3084115968, overlap_bytes = 4096, list = {
            le_next = 0x0, le_prev = 0x555556a41290}, co = 0x555556a1b180, wait_queue = {entries = {tqh_first = 0x0, tqh_last = 0x55555d079f40}}, waiting_for = 0x0}
        align = 512
        head_buf = 0x0
        tail_buf = 0x0
        local_qiov = {iov = 0x0, niov = 0, nalloc = 0, size = 0}
        use_local_qiov = false
        ret = <optimized out>
#4  0x00005555557e38ff in bdrv_co_do_readv (flags=<optimized out>, qiov=<optimized out>, nb_sectors=<optimized out>, sector_num=<optimized out>, bs=0x555556a3e000) at block.c:3215
No locals.
---Type <return> to continue, or q <return> to quit---
#5  bdrv_co_do_rw (opaque=0x5555569991f0) at block.c:4994
        acb = 0x5555569991f0
        bs = 0x555556a3e000
#6  0x00005555557ed82a in coroutine_trampoline (i0=<optimized out>, i1=<optimized out>) at coroutine-ucontext.c:80
        self = 0x555556a1b180
        co = 0x555556a1b180
#7  0x00007ffff0700110 in ?? () from /lib64/libc.so.6
No symbol table info available.
#8  0x00007fffffffd0e0 in ?? ()
No symbol table info available.
#9  0x0000000000000000 in ?? ()
No symbol table info available.


Expected results:
Quit without a fault.

Additional info:
Without iothread enabled, qemu-kvm works well.
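The fault in frame #0 can be read off the backtrace's own values: l1_index is 5 and the unreadable l2_offset sits at address 0x28, which is 5 entries of 8 bytes from a NULL L1 table. As an added example (not from the bug report and not QEMU's code), the C program below reproduces the qcow2 index arithmetic behind qcow2_get_cluster_offset and models the close-while-a-request-is-in-flight ordering that makes a NULL L1 table reachable from the iothread. It assumes QEMU's default 64 KiB cluster size (cluster_bits 16), a 20 GiB image with 40 L1 entries (derived from total_sectors = 41943040 in frame #2), and it interprets the 0x28 fault as l1_table[5] read through a NULL pointer. The drain-before-close gate is a generic hardening pattern for this class of bug, not a description of the actual upstream fix.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* qcow2 layout constants; 64 KiB clusters are an assumption (QEMU's default). */
#define CLUSTER_BITS    16u
#define L2_BITS         (CLUSTER_BITS - 3u)          /* 8-byte L2 entries per cluster */
#define L1_BITS         (L2_BITS + CLUSTER_BITS)     /* guest bytes covered by one L1 entry */
#define CLUSTER_SECTORS (1u << (CLUSTER_BITS - 9u))  /* 512-byte sectors per cluster */

/* Guest offset from frames #0-#3 of the backtrace (taken from the page). */
#define FAULT_OFFSET 3084115968ull
/* 20 GiB image: 41943040 sectors * 512 / 512 MiB per L1 entry = 40 entries. */
#define L1_ENTRIES 40u

/* Minimal stand-in for the per-image state touched by qcow2_get_cluster_offset. */
typedef struct {
    uint64_t *l1_table;   /* set to NULL when the image is closed */
    unsigned  l1_size;
    unsigned  in_flight;  /* requests the iothread is still servicing */
} BlockState;

/* Index arithmetic as in qcow2_get_cluster_offset. */
unsigned l1_index_of(uint64_t offset) { return (unsigned)(offset >> L1_BITS); }
unsigned index_in_cluster_of(uint64_t offset) {
    return (unsigned)((offset >> 9) & (CLUSTER_SECTORS - 1u));
}
/* If l1_table is NULL, the load of l1_table[l1_index] touches this address. */
uintptr_t null_l1_fault_address(uint64_t offset) {
    return (uintptr_t)l1_index_of(offset) * sizeof(uint64_t);
}

/* Read path. QEMU has no NULL check here: the dereference is the SIGSEGV.
 * The check below only turns the crash into a reportable error for this model. */
int get_cluster_offset(const BlockState *s, uint64_t offset, uint64_t *l2_offset) {
    if (s->l1_table == NULL) return -EBADF;
    unsigned idx = l1_index_of(offset);
    if (idx >= s->l1_size) return -EINVAL;
    *l2_offset = s->l1_table[idx];
    return 0;
}

int block_open(BlockState *s, unsigned l1_size) {
    s->l1_table = calloc(l1_size, sizeof(uint64_t));
    if (s->l1_table == NULL) return -ENOMEM;
    s->l1_size = l1_size;
    s->in_flight = 0;
    return 0;
}
void request_begin(BlockState *s) { s->in_flight++; }
void request_end(BlockState *s)   { s->in_flight--; }

/* Buggy ordering: the main thread tears the image down while the iothread's
 * request is still in flight, so the next L1 lookup runs on a NULL table. */
void block_close_unsafe(BlockState *s) {
    free(s->l1_table);
    s->l1_table = NULL;
}
/* Hardened ordering: refuse to tear down until in-flight requests are drained. */
int block_close_drained(BlockState *s) {
    if (s->in_flight > 0) return -EBUSY;
    block_close_unsafe(s);
    return 0;
}

/* Scenario 1: "q" handled while a guest read is in flight, no drain. */
int scenario_unsafe_quit(void) {
    BlockState s; uint64_t l2;
    if (block_open(&s, L1_ENTRIES) < 0) return -ENOMEM;
    request_begin(&s);        /* iothread starts servicing a guest read */
    block_close_unsafe(&s);   /* main thread closes the image underneath it */
    int ret = get_cluster_offset(&s, FAULT_OFFSET, &l2);  /* real code: SIGSEGV */
    request_end(&s);
    return ret;               /* -EBADF stands in for the crash */
}
/* Scenario 2: close is refused until the request completes, then succeeds. */
int scenario_drained_quit(void) {
    BlockState s; uint64_t l2;
    if (block_open(&s, L1_ENTRIES) < 0) return -ENOMEM;
    request_begin(&s);
    int first = block_close_drained(&s);                 /* -EBUSY: still in flight */
    int rd = get_cluster_offset(&s, FAULT_OFFSET, &l2);  /* table still valid */
    request_end(&s);
    int second = block_close_drained(&s);                /* 0 once drained */
    return (first == -EBUSY && rd == 0 && second == 0) ? 0 : -1;
}

int main(void) {
    printf("l1_index=%u index_in_cluster=%u fault_addr=0x%lx\n",
           l1_index_of(FAULT_OFFSET), index_in_cluster_of(FAULT_OFFSET),
           (unsigned long)null_l1_fault_address(FAULT_OFFSET));
    printf("unsafe quit: %d, drained quit: %d\n",
           scenario_unsafe_quit(), scenario_drained_quit());
    return 0;
}
```

The computed values line up with the trace (l1_index 5, index_in_cluster 112, sector 6023664, fault address 0x28), which is what makes the NULL-table reading of frame #0 credible; the in_flight gate shows the ordering invariant a quit path has to maintain when block I/O is serviced by a separate iothread.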

Comment 2 Stefan Hajnoczi 2016-06-03 23:36:03 UTC
I am unable to reproduce this in qemu-kvm-rhev-2.6.0-4.el7 for RHEL 7.3.

Comment 4 FuXiangChun 2016-09-08 10:59:06 UTC
Verified with qemu-kvm-rhev-2.6.0-23.

/usr/libexec/qemu-kvm -boot menu=on -m 2G -vnc :1 -object iothread,id=iothread0 -drive file=rbd:libvirt-pool/rhel.raw:mon_host=10.66.144.26,format=raw,if=none,id=drive-scsi-disk0,cache=none,werror=stop,rerror=stop -device virtio-blk-pci,id=scsi0,iothread=iothread0,drive=drive-scsi-disk0 -qmp tcp:0:6666,server,nowait -monitor stdio

{"execute": "query-iothreads"}
{"return": [{"thread-id": 38840, "id": "iothread0"}]}

(qemu) q

Result: works.

Comment 7 errata-xmlrpc 2016-11-07 20:38:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2673.html

