Bug 1368040 - Qemu-kvm coredump in repeating hotplug/hot remove virtio-gpu device
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.3
Hardware: x86_64
OS: Unspecified
unspecified
medium
Target Milestone: rc
Assignee: Gerd Hoffmann
QA Contact: Guo, Zhiyi
Blocks: 1401400
Reported: 2016-08-18 07:54 UTC by Guo, Zhiyi
Modified: 2017-08-02 03:29 UTC (History)

Fixed In Version: qemu-kvm-rhev-2.9.0-1.el7
Last Closed: 2017-08-01 23:34:44 UTC

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2392 0 normal SHIPPED_LIVE Important: qemu-kvm-rhev security, bug fix, and enhancement update 2017-08-01 20:04:36 UTC

Description Guo, Zhiyi 2016-08-18 07:54:58 UTC
Description of problem:
Qemu-kvm coredump in repeating hotplug/hot remove virtio-gpu device

Version-Release number of selected component (if applicable):
qemu-kvm-rhev package:qemu-kvm-rhev-2.6.0-21.el7.x86_64
host kernel:
3.10.0-489.el7.x86_64

How reproducible:
100% reproduce

Steps to Reproduce:
1. Boot a Windows 10 guest using the qemu cli:
/usr/libexec/qemu-kvm -name rhel7.3 -m 2048 \
        -cpu Haswell-noTSX \
        -smp 6,threads=2,cores=1,sockets=3,maxcpus=6 \
        -device virtio-vga \
        -device virtio-gpu \
        -spice port=5901,disable-ticketing \
        -device virtio-serial -chardev spicevmc,id=vdagent,debug=0,name=vdagent \
        -serial unix:/tmp/m,server,nowait \
        -device virtserialport,chardev=vdagent,name=com.redhat.spice.0 \
        -drive file=rhel73.qcow2,if=none,id=drive-scsi-disk0,format=qcow2,cache=none,werror=stop,rerror=stop -device virtio-scsi-pci,id=scsi0,disable-modern=off,disable-legacy=off -device scsi-hd,drive=drive-scsi-disk0,bus=scsi0.0,scsi-id=0,lun=0,id=scsi-disk0,bootindex=1 \
        -monitor stdio \
        -usb -device usb-kbd,id=input0 \
        -netdev tap,id=idinWyYp -device virtio-net-pci,mac=42:ce:a9:d2:4d:d7,id=idlbq7eA,netdev=idinWyYp \
        -qmp tcp:localhost:4444,server,nowait \
        -device ich9-intel-hda -device hda-duplex

2. Hot plug a new virtio-gpu into the guest via qmp:
{ "execute": "device_add","arguments":{"driver":"virtio-gpu","id":"gpu1"}}
3. Hot remove this virtio-gpu from the guest:
{ "execute": "device_del","arguments":{"id":"gpu1"}}
4. Hot plug virtio-gpu into the guest again via qmp:
{ "execute": "device_add","arguments":{"driver":"virtio-gpu","id":"gpu1"}}

Actual results:
qemu-kvm crashes with:
(gdb) bt
#0  0x00007f6f329ae1d7 in raise () from /lib64/libc.so.6
#1  0x00007f6f329af8c8 in abort () from /lib64/libc.so.6
#2  0x00007f6f329a7146 in __assert_fail_base () from /lib64/libc.so.6
#3  0x00007f6f329a71f2 in __assert_fail () from /lib64/libc.so.6
#4  0x00007f6f3e6e706d in vmstate_register_with_alias_id (dev=<optimized out>, 
    instance_id=<optimized out>, 
    vmsd=0x7f6f3ece1ba0 <vmstate_virtio_gpu_unmigratable>, opaque=0x7f6f43074340, 
    alias_id=<optimized out>, required_for_version=<optimized out>)
    at /usr/src/debug/qemu-2.6.0/migration/savevm.c:622
#5  0x00007f6f3e70c9db in virtio_device_realize (dev=0x7f6f43074340, 
    errp=0x7ffd85b045f0) at /usr/src/debug/qemu-2.6.0/hw/virtio/virtio.c:1877
#6  0x00007f6f3e7e0a56 in device_set_realized (obj=<optimized out>, 
    value=<optimized out>, errp=0x7ffd85b047d0) at hw/core/qdev.c:1076
#7  0x00007f6f3e8b503e in property_set_bool (obj=0x7f6f43074340, v=<optimized out>, 
    name=<optimized out>, opaque=0x7f6f49d81000, errp=0x7ffd85b047d0)
    at qom/object.c:1861
#8  0x00007f6f3e8b8d07 in object_property_set_qobject (obj=0x7f6f43074340, 
    value=<optimized out>, name=0x7f6f3e9b1ead "realized", errp=0x7ffd85b047d0)
    at qom/qom-qobject.c:26
#9  0x00007f6f3e8b6b80 in object_property_set_bool (obj=0x7f6f43074340, 
    value=<optimized out>, name=0x7f6f3e9b1ead "realized", errp=0x7ffd85b047d0)
    at qom/object.c:1158
#10 0x00007f6f3e6f4e6e in virtio_gpu_pci_realize (vpci_dev=0x7f6f4306c000, 
    errp=0x7ffd85b047d0) at /usr/src/debug/qemu-2.6.0/hw/display/virtio-gpu-pci.c:34
#11 0x00007f6f3e867255 in virtio_pci_realize (pci_dev=0x7f6f4306c000, 
    errp=0x7ffd85b047d0) at hw/virtio/virtio-pci.c:1847
#12 0x00007f6f3e831e7c in pci_qdev_realize (qdev=0x7f6f4306c000, errp=0x7ffd85b04860)
    at hw/pci/pci.c:1966
#13 0x00007f6f3e7e0a56 in device_set_realized (obj=<optimized out>, 
    value=<optimized out>, errp=0x7ffd85b04998) at hw/core/qdev.c:1076
#14 0x00007f6f3e8b503e in property_set_bool (obj=0x7f6f4306c000, v=<optimized out>, 
    name=<optimized out>, opaque=0x7f6f49d81180, errp=0x7ffd85b04998)
    at qom/object.c:1861
#15 0x00007f6f3e8b8d07 in object_property_set_qobject (obj=0x7f6f4306c000, 
    value=<optimized out>, name=0x7f6f3e9b1ead "realized", errp=0x7ffd85b04998)
    at qom/qom-qobject.c:26
#16 0x00007f6f3e8b6b80 in object_property_set_bool (obj=0x7f6f4306c000, 
    value=<optimized out>, name=0x7f6f3e9b1ead "realized", errp=0x7ffd85b04998)
    at qom/object.c:1158
#17 0x00007f6f3e78f3cc in qdev_device_add (opts=opts@entry=0x7f6f40ff0f50, 
    errp=errp@entry=0x7ffd85b04a70) at qdev-monitor.c:617
#18 0x00007f6f3e78f9b3 in qmp_device_add (qdict=<optimized out>, 
    ret_data=<optimized out>, errp=0x7ffd85b04ad0) at qdev-monitor.c:794
#19 0x00007f6f3e6c2d15 in handle_qmp_command (parser=<optimized out>, 
    tokens=<optimized out>) at /usr/src/debug/qemu-2.6.0/monitor.c:3929
#20 0x00007f6f3e9504a8 in json_message_process_token (lexer=0x7f6f40fe9f08, 
    input=0x7f6f40fd9680, type=JSON_RCURLY, x=74, y=5) at qobject/json-streamer.c:105
#21 0x00007f6f3e964f4b in json_lexer_feed_char (lexer=lexer@entry=0x7f6f40fe9f08, 
    ch=125 '}', flush=flush@entry=false) at qobject/json-lexer.c:310
#22 0x00007f6f3e96500e in json_lexer_feed (lexer=0x7f6f40fe9f08, 
    buffer=<optimized out>, size=<optimized out>) at qobject/json-lexer.c:360
#23 0x00007f6f3e950569 in json_message_parser_feed (parser=<optimized out>, 
    buffer=<optimized out>, size=<optimized out>) at qobject/json-streamer.c:124
#24 0x00007f6f3e6c12cb in monitor_qmp_read (opaque=<optimized out>, 
    buf=<optimized out>, size=<optimized out>)
    at /usr/src/debug/qemu-2.6.0/monitor.c:3945
#25 0x00007f6f3e794bd1 in tcp_chr_read (chan=<optimized out>, cond=<optimized out>, 
    opaque=0x7f6f41097e60) at qemu-char.c:2895
#26 0x00007f6f337abd7a in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#27 0x00007f6f3e8c1d70 in glib_pollfds_poll () at main-loop.c:213
#28 os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:258
#29 main_loop_wait (nonblocking=<optimized out>) at main-loop.c:506
#30 0x00007f6f3e690d2f in main_loop () at vl.c:1936
#31 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>)
    at vl.c:4679


Expected results:
qemu & guest alive

Additional info:
The issue can also be reproduced against a rhel7.3 guest with kernel 3.10.0-489.el7.x86_64. Hot unplug from the rhel guest will trigger "Bug 1368032 - kernel crash after hot remove virtio-gpu device", and re hot unplug will cause a qemu crash too.

Comment 2 Gerd Hoffmann 2017-01-09 14:08:20 UTC
https://patchwork.ozlabs.org/patch/712720/

Comment 3 Gerd Hoffmann 2017-03-14 08:31:42 UTC
upstream commit a2056e09b02745e5d000351a8a7938fa8a292ba7

Comment 5 jingzhao 2017-05-05 08:29:25 UTC
Reproduced the bz on qemu-kvm-rhev-2.6.0-22.el7.x86_64

Verified the bz on qemu-kvm-rhev-2.9.0-2.el7.x86_64

The details are as follows:

1. Boot guest with qemu cli [1]

2. Hot-plug virtio gpu device through qmp

{ "execute": "device_add","arguments":{"driver":"virtio-gpu-device","id":"gpu1"}}
{"error": {"class": "GenericError", "desc": "Parameter 'driver' expects pluggable device type"}}

{ "execute": "device_add","arguments":{"driver":"virtio-gpu-pci","id":"gpu1"}}
{"error": {"class": "GenericError", "desc": "Parameter 'driver' expects pluggable device type"}}

[1]
/usr/libexec/qemu-kvm -name rhel7.3 -m 2048 \
        -cpu Haswell-noTSX \
        -smp 6,threads=2,cores=1,sockets=3,maxcpus=6 \
        -device virtio-vga \
        -device virtio-gpu \
        -spice port=5901,disable-ticketing \
        -device virtio-serial -chardev spicevmc,id=vdagent,debug=0,name=vdagent \
        -serial unix:/tmp/m,server,nowait \
        -device virtserialport,chardev=vdagent,name=com.redhat.spice.0 \
        -drive file=/home/test/rhel/rhel74.qcow2,if=none,id=drive-scsi-disk0,format=qcow2,cache=none,werror=stop,rerror=stop -device virtio-scsi-pci,id=scsi0,disable-modern=off,disable-legacy=off -device scsi-hd,drive=drive-scsi-disk0,bus=scsi0.0,scsi-id=0,lun=0,id=scsi-disk0,bootindex=1 \
        -monitor stdio \
        -usb -device usb-kbd,id=input0 \
        -netdev tap,id=idinWyYp -device virtio-net-pci,mac=42:ce:a9:d2:4d:d7,id=idlbq7eA,netdev=idinWyYp \
        -qmp tcp:localhost:4444,server,nowait \
        -device ich9-intel-hda -device hda-duplex



Thanks
Jing
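
The hotplug/unplug sequence from the description, written as a regression check that tells a vanished QEMU process apart from the `device_add` rejection shown in comment 5. This is an added example, not code from the bug report or from QEMU; the function name, the outcome strings and the 30-second timeout are assumptions, and it expects a QMP socket such as the `-qmp tcp:localhost:4444` one in the command lines above.

```python
import json
import socket

def hotplug_cycles(sock, driver="virtio-gpu", dev_id="gpu1", cycles=2, timeout=30.0):
    """Run device_add/device_del cycles over QMP and return the outcome."""
    sock.settimeout(timeout)
    stream = sock.makefile("rw", encoding="utf-8", newline="\n")
    events = []                          # async events read while awaiting a reply

    def recv():
        line = stream.readline()
        if not line:                     # EOF: the QEMU process went away
            raise ConnectionError("QMP connection closed")
        return json.loads(line)
    def command(name, **arguments):
        msg = dict(execute=name, arguments=arguments) if arguments else dict(execute=name)
        stream.write(json.dumps(msg) + "\n")
        stream.flush()
        while True:
            msg = recv()
            if "return" in msg or "error" in msg:
                return msg
            events.append(msg)           # keep events that arrive before the reply
    def wait_deleted():
        # Child devices emit DEVICE_DELETED with only "path"; wait for our id.
        while True:
            msg = events.pop(0) if events else recv()
            if msg.get("event") == "DEVICE_DELETED" and msg.get("data", {}).get("device") == dev_id:
                return

    try:
        recv()                           # greeting banner {"QMP": ...}
        command("qmp_capabilities")      # leave capability negotiation mode
        for _ in range(cycles):
            reply = command("device_add", driver=driver, id=dev_id)
            if "error" not in reply:
                reply = command("device_del", id=dev_id)
            if "error" in reply:         # e.g. "expects pluggable device type"
                return "rejected: " + reply["error"]["desc"]
            wait_deleted()               # unplug is asynchronous; wait for the guest
        command("query-status")          # one more round trip shows QEMU is alive
        return "survived"
    except ConnectionError:
        return "qemu-gone"
    except socket.timeout:               # guest never acknowledged the unplug
        return "timeout"

if __name__ == "__main__":
    with socket.create_connection(("localhost", 4444)) as s:  # QMP port from the report
        print(hotplug_cycles(s))
```

With the default `cycles=2` the second `device_add` is the step at which the description reports the abort, so `qemu-gone` corresponds to the reported failure and `survived` to the expected result.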

Comment 6 jingzhao 2017-05-05 08:30:50 UTC
According to comment 5 and comment 2, moving it to verified.

Comment 8 errata-xmlrpc 2017-08-01 23:34:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2392
