* (resend) qemu crashes during VCPU hotplug
@ 2017-02-16  4:20 Boris Ostrovsky
  2017-02-16 17:32 ` Boris Ostrovsky
  0 siblings, 1 reply; 5+ messages in thread
From: Boris Ostrovsky @ 2017-02-16  4:20 UTC (permalink / raw)
  To: xen-devel, Stefano Stabellini

(Now with correct address for Stefano)

Upstream qemu appears to be crashing during VCPU hotplug. I think this 
is something relatively new since I have been doing this a few weeks ago.

I reproduced this on two different setups. Haven't had a chance to look 
any further but e3cadac073 looks suspicious.

The crash happens in fw_cfg_modify_bytes_read() when we pass in NULL 
pointer as first argument. The stack is below:


(gdb) where
#0  0x0000561d762d64d4 in fw_cfg_modify_bytes_read (s=0x0, key=5, 
data=0x561d787031d0, len=2) at hw/nvram/fw_cfg.c:614
#1  0x0000561d762d6730 in fw_cfg_modify_i16 (s=0x0, key=5, value=2) at 
hw/nvram/fw_cfg.c:656
#2  0x0000561d761195b3 in pc_cpu_plug (hotplug_dev=0x561d770f9810, 
dev=0x561d7712a7e0, errp=0x7ffe8f75f2b0) at 
/root/xen/tools/qemu-xen-dir/hw/i386/pc.c:1823
#3  0x0000561d76119fc0 in pc_machine_device_plug_cb 
(hotplug_dev=0x561d770f9810, dev=0x561d7712a7e0, errp=0x7ffe8f75f2b0) at 
/root/xen/tools/qemu-xen-dir/hw/i386/pc.c:1993
#4  0x0000561d76239cba in hotplug_handler_plug 
(plug_handler=0x561d770f9810, plugged_dev=0x561d7712a7e0, 
errp=0x7ffe8f75f2b0) at hw/core/hotplug.c:34
#5  0x0000561d7623584d in device_set_realized (obj=0x561d7712a7e0, 
value=true, errp=0x7ffe8f75f468) at hw/core/qdev.c:928
#6  0x0000561d763e22a3 in property_set_bool (obj=0x561d7712a7e0, 
v=0x561d78702090, name=0x561d764fd9d0 "realized", opaque=0x561d785aea00, 
errp=0x7ffe8f75f468) at qom/object.c:1854
#7  0x0000561d763e07aa in object_property_set (obj=0x561d7712a7e0, 
v=0x561d78702090, name=0x561d764fd9d0 "realized", errp=0x7ffe8f75f468) 
at qom/object.c:1088
#8  0x0000561d763e3609 in object_property_set_qobject 
(obj=0x561d7712a7e0, value=0x561d773869c0, name=0x561d764fd9d0 
"realized", errp=0x7ffe8f75f468) at qom/qom-qobject.c:27
#9  0x0000561d763e0a40 in object_property_set_bool (obj=0x561d7712a7e0, 
value=true, name=0x561d764fd9d0 "realized", errp=0x7ffe8f75f468) at 
qom/object.c:1157
#10 0x0000561d76117304 in pc_new_cpu (typename=0x561d7707c880 
"qemu32-i386-cpu", apic_id=1, errp=0x7ffe8f75f4c0) at 
/root/xen/tools/qemu-xen-dir/hw/i386/pc.c:1099
#11 0x0000561d761174cc in pc_hot_add_cpu (id=1, errp=0x7ffe8f75f558) at 
/root/xen/tools/qemu-xen-dir/hw/i386/pc.c:1131
#12 0x0000561d761cb7b3 in qmp_cpu_add (id=1, errp=0x7ffe8f75f558) at 
qmp.c:126
#13 0x0000561d761bdc60 in qmp_marshal_cpu_add (args=0x561d7711a1b0, 
ret=0x7ffe8f75f5b0, errp=0x7ffe8f75f5a8) at qmp-marshal.c:1274
#14 0x0000561d764b2f13 in do_qmp_dispatch (request=0x561d77129360, 
errp=0x7ffe8f75f610) at qapi/qmp-dispatch.c:98
#15 0x0000561d764b3042 in qmp_dispatch (request=0x561d77129360) at 
qapi/qmp-dispatch.c:125
#16 0x0000561d76084d39 in handle_qmp_command (parser=0x561d771288b0, 
tokens=0x561d770f8cc0) at /root/xen/tools/qemu-xen-dir/monitor.c:3758
#17 0x0000561d764ba402 in json_message_process_token 
(lexer=0x561d771288b8, input=0x561d770f9040, type=JSON_RCURLY, x=1, 
y=11) at qobject/json-streamer.c:105
#18 0x0000561d764dd5dc in json_lexer_feed_char (lexer=0x561d771288b8, 
ch=125 '}', flush=false) at qobject/json-lexer.c:319
#19 0x0000561d764dd71c in json_lexer_feed (lexer=0x561d771288b8, 
buffer=0x7ffe8f75f880 "}\224Dx\035V", size=1) at qobject/json-lexer.c:369
#20 0x0000561d764ba4a2 in json_message_parser_feed 
(parser=0x561d771288b0, buffer=0x7ffe8f75f880 "}\224Dx\035V", size=1) at 
qobject/json-streamer.c:124
#21 0x0000561d76084e53 in monitor_qmp_read (opaque=0x561d77128830, 
buf=0x7ffe8f75f880 "}\224Dx\035V", size=1) at 
/root/xen/tools/qemu-xen-dir/monitor.c:3788
#22 0x0000561d761a3b2d in qemu_chr_be_write_impl (s=0x561d77107020, 
buf=0x7ffe8f75f880 "}\224Dx\035V", len=1) at qemu-char.c:419
#23 0x0000561d761a3b8f in qemu_chr_be_write (s=0x561d77107020, 
buf=0x7ffe8f75f880 "}\224Dx\035V", len=1) at qemu-char.c:431
#24 0x0000561d761a83d0 in tcp_chr_read (chan=0x561d785ae8a0, 
cond=G_IO_IN, opaque=0x561d77107020) at qemu-char.c:3145
#25 0x0000561d76475a36 in qio_channel_fd_source_dispatch 
(source=0x561d77cbe7c0, callback=0x561d761a8279 <tcp_chr_read>, 
user_data=0x561d77107020) at io/channel-watch.c:84
#26 0x00007f77f3e407aa in g_main_context_dispatch () from 
/lib64/libglib-2.0.so.0
#27 0x0000561d763f03ee in glib_pollfds_poll () at main-loop.c:259
#28 0x0000561d763f04dc in os_host_main_loop_wait (timeout=15045517) at 
main-loop.c:306
#29 0x0000561d763f058c in main_loop_wait (nonblocking=0) at main-loop.c:556
#30 0x0000561d761b1cb5 in main_loop () at vl.c:1966
#31 0x0000561d761b93fb in main (argc=38, argv=0x7ffe8f760df8, 
envp=0x7ffe8f760f30) at vl.c:4684

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel


* Re: (resend) qemu crashes during VCPU hotplug
  2017-02-16  4:20 (resend) qemu crashes during VCPU hotplug Boris Ostrovsky
@ 2017-02-16 17:32 ` Boris Ostrovsky
  2017-02-16 21:19   ` Stefano Stabellini
  0 siblings, 1 reply; 5+ messages in thread
From: Boris Ostrovsky @ 2017-02-16 17:32 UTC (permalink / raw)
  To: xen-devel, Stefano Stabellini



On 02/15/2017 11:20 PM, Boris Ostrovsky wrote:
> (Now with correct address for Stefano)
>
> Upstream qemu appears to be crashing during VCPU hotplug. I think this
> is something relatively new since I have been doing this a few weeks ago.
>
> I reproduced this on two different setups. Haven't had a chance to look
> any further but e3cadac073 looks suspicious.

Yes, this is the offending commit.

For Xen guests qemu never sets pcms->fw_cfg.

-boris

>
> The crash happens in fw_cfg_modify_bytes_read() when we pass in NULL
> pointer as first argument. The stack is below:
>
>
> (gdb) where
> #0  0x0000561d762d64d4 in fw_cfg_modify_bytes_read (s=0x0, key=5,
> data=0x561d787031d0, len=2) at hw/nvram/fw_cfg.c:614
> #1  0x0000561d762d6730 in fw_cfg_modify_i16 (s=0x0, key=5, value=2) at
> hw/nvram/fw_cfg.c:656
> #2  0x0000561d761195b3 in pc_cpu_plug (hotplug_dev=0x561d770f9810,
> dev=0x561d7712a7e0, errp=0x7ffe8f75f2b0) at
> /root/xen/tools/qemu-xen-dir/hw/i386/pc.c:1823
> #3  0x0000561d76119fc0 in pc_machine_device_plug_cb
> (hotplug_dev=0x561d770f9810, dev=0x561d7712a7e0, errp=0x7ffe8f75f2b0) at
> /root/xen/tools/qemu-xen-dir/hw/i386/pc.c:1993
> #4  0x0000561d76239cba in hotplug_handler_plug
> (plug_handler=0x561d770f9810, plugged_dev=0x561d7712a7e0,
> errp=0x7ffe8f75f2b0) at hw/core/hotplug.c:34
> #5  0x0000561d7623584d in device_set_realized (obj=0x561d7712a7e0,
> value=true, errp=0x7ffe8f75f468) at hw/core/qdev.c:928
> #6  0x0000561d763e22a3 in property_set_bool (obj=0x561d7712a7e0,
> v=0x561d78702090, name=0x561d764fd9d0 "realized", opaque=0x561d785aea00,
> errp=0x7ffe8f75f468) at qom/object.c:1854
> #7  0x0000561d763e07aa in object_property_set (obj=0x561d7712a7e0,
> v=0x561d78702090, name=0x561d764fd9d0 "realized", errp=0x7ffe8f75f468)
> at qom/object.c:1088
> #8  0x0000561d763e3609 in object_property_set_qobject
> (obj=0x561d7712a7e0, value=0x561d773869c0, name=0x561d764fd9d0
> "realized", errp=0x7ffe8f75f468) at qom/qom-qobject.c:27
> #9  0x0000561d763e0a40 in object_property_set_bool (obj=0x561d7712a7e0,
> value=true, name=0x561d764fd9d0 "realized", errp=0x7ffe8f75f468) at
> qom/object.c:1157
> #10 0x0000561d76117304 in pc_new_cpu (typename=0x561d7707c880
> "qemu32-i386-cpu", apic_id=1, errp=0x7ffe8f75f4c0) at
> /root/xen/tools/qemu-xen-dir/hw/i386/pc.c:1099
> #11 0x0000561d761174cc in pc_hot_add_cpu (id=1, errp=0x7ffe8f75f558) at
> /root/xen/tools/qemu-xen-dir/hw/i386/pc.c:1131
> #12 0x0000561d761cb7b3 in qmp_cpu_add (id=1, errp=0x7ffe8f75f558) at
> qmp.c:126
> #13 0x0000561d761bdc60 in qmp_marshal_cpu_add (args=0x561d7711a1b0,
> ret=0x7ffe8f75f5b0, errp=0x7ffe8f75f5a8) at qmp-marshal.c:1274
> #14 0x0000561d764b2f13 in do_qmp_dispatch (request=0x561d77129360,
> errp=0x7ffe8f75f610) at qapi/qmp-dispatch.c:98
> #15 0x0000561d764b3042 in qmp_dispatch (request=0x561d77129360) at
> qapi/qmp-dispatch.c:125
> #16 0x0000561d76084d39 in handle_qmp_command (parser=0x561d771288b0,
> tokens=0x561d770f8cc0) at /root/xen/tools/qemu-xen-dir/monitor.c:3758
> #17 0x0000561d764ba402 in json_message_process_token
> (lexer=0x561d771288b8, input=0x561d770f9040, type=JSON_RCURLY, x=1,
> y=11) at qobject/json-streamer.c:105
> #18 0x0000561d764dd5dc in json_lexer_feed_char (lexer=0x561d771288b8,
> ch=125 '}', flush=false) at qobject/json-lexer.c:319
> #19 0x0000561d764dd71c in json_lexer_feed (lexer=0x561d771288b8,
> buffer=0x7ffe8f75f880 "}\224Dx\035V", size=1) at qobject/json-lexer.c:369
> #20 0x0000561d764ba4a2 in json_message_parser_feed
> (parser=0x561d771288b0, buffer=0x7ffe8f75f880 "}\224Dx\035V", size=1) at
> qobject/json-streamer.c:124
> #21 0x0000561d76084e53 in monitor_qmp_read (opaque=0x561d77128830,
> buf=0x7ffe8f75f880 "}\224Dx\035V", size=1) at
> /root/xen/tools/qemu-xen-dir/monitor.c:3788
> #22 0x0000561d761a3b2d in qemu_chr_be_write_impl (s=0x561d77107020,
> buf=0x7ffe8f75f880 "}\224Dx\035V", len=1) at qemu-char.c:419
> #23 0x0000561d761a3b8f in qemu_chr_be_write (s=0x561d77107020,
> buf=0x7ffe8f75f880 "}\224Dx\035V", len=1) at qemu-char.c:431
> #24 0x0000561d761a83d0 in tcp_chr_read (chan=0x561d785ae8a0,
> cond=G_IO_IN, opaque=0x561d77107020) at qemu-char.c:3145
> #25 0x0000561d76475a36 in qio_channel_fd_source_dispatch
> (source=0x561d77cbe7c0, callback=0x561d761a8279 <tcp_chr_read>,
> user_data=0x561d77107020) at io/channel-watch.c:84
> #26 0x00007f77f3e407aa in g_main_context_dispatch () from
> /lib64/libglib-2.0.so.0
> #27 0x0000561d763f03ee in glib_pollfds_poll () at main-loop.c:259
> #28 0x0000561d763f04dc in os_host_main_loop_wait (timeout=15045517) at
> main-loop.c:306
> #29 0x0000561d763f058c in main_loop_wait (nonblocking=0) at main-loop.c:556
> #30 0x0000561d761b1cb5 in main_loop () at vl.c:1966
> #31 0x0000561d761b93fb in main (argc=38, argv=0x7ffe8f760df8,
> envp=0x7ffe8f760f30) at vl.c:4684


* Re: (resend) qemu crashes during VCPU hotplug
  2017-02-16 17:32 ` Boris Ostrovsky
@ 2017-02-16 21:19   ` Stefano Stabellini
  2017-02-16 21:52     ` Boris Ostrovsky
  0 siblings, 1 reply; 5+ messages in thread
From: Stefano Stabellini @ 2017-02-16 21:19 UTC (permalink / raw)
  To: Boris Ostrovsky; +Cc: Stefano Stabellini, anthony.perard, xen-devel

On Thu, 16 Feb 2017, Boris Ostrovsky wrote:
> On 02/15/2017 11:20 PM, Boris Ostrovsky wrote:
> > (Now with correct address for Stefano)
> > 
> > Upstream qemu appears to be crashing during VCPU hotplug. I think this
> > is something relatively new since I have been doing this a few weeks ago.
> > 
> > I reproduced this on two different setups. Haven't had a chance to look
> > any further but e3cadac073 looks suspicious.
> 
> Yes, this is the offending commit.
> 
> For Xen guests qemu never sets pcms->fw_cfg.

Thanks for narrowing it down. Are you using qemu-xen/staging? It looks
like it has been fixed in qemu.org by

commit 26ef65beab852caf2b1ef4976e3473f2d525164d
Author: Igor Mammedov <imammedo@redhat.com>
Date:   Fri Dec 30 15:33:11 2016 +0100

    pc: fix crash in rtc_set_memory() if initial cpu is marked as hotplugged
    
Can you confirm?



> -boris
> 
> > 
> > The crash happens in fw_cfg_modify_bytes_read() when we pass in NULL
> > pointer as first argument. The stack is below:
> > 
> > 
> > (gdb) where
> > #0  0x0000561d762d64d4 in fw_cfg_modify_bytes_read (s=0x0, key=5,
> > data=0x561d787031d0, len=2) at hw/nvram/fw_cfg.c:614
> > #1  0x0000561d762d6730 in fw_cfg_modify_i16 (s=0x0, key=5, value=2) at
> > hw/nvram/fw_cfg.c:656
> > #2  0x0000561d761195b3 in pc_cpu_plug (hotplug_dev=0x561d770f9810,
> > dev=0x561d7712a7e0, errp=0x7ffe8f75f2b0) at
> > /root/xen/tools/qemu-xen-dir/hw/i386/pc.c:1823
> > #3  0x0000561d76119fc0 in pc_machine_device_plug_cb
> > (hotplug_dev=0x561d770f9810, dev=0x561d7712a7e0, errp=0x7ffe8f75f2b0) at
> > /root/xen/tools/qemu-xen-dir/hw/i386/pc.c:1993
> > #4  0x0000561d76239cba in hotplug_handler_plug
> > (plug_handler=0x561d770f9810, plugged_dev=0x561d7712a7e0,
> > errp=0x7ffe8f75f2b0) at hw/core/hotplug.c:34
> > #5  0x0000561d7623584d in device_set_realized (obj=0x561d7712a7e0,
> > value=true, errp=0x7ffe8f75f468) at hw/core/qdev.c:928
> > #6  0x0000561d763e22a3 in property_set_bool (obj=0x561d7712a7e0,
> > v=0x561d78702090, name=0x561d764fd9d0 "realized", opaque=0x561d785aea00,
> > errp=0x7ffe8f75f468) at qom/object.c:1854
> > #7  0x0000561d763e07aa in object_property_set (obj=0x561d7712a7e0,
> > v=0x561d78702090, name=0x561d764fd9d0 "realized", errp=0x7ffe8f75f468)
> > at qom/object.c:1088
> > #8  0x0000561d763e3609 in object_property_set_qobject
> > (obj=0x561d7712a7e0, value=0x561d773869c0, name=0x561d764fd9d0
> > "realized", errp=0x7ffe8f75f468) at qom/qom-qobject.c:27
> > #9  0x0000561d763e0a40 in object_property_set_bool (obj=0x561d7712a7e0,
> > value=true, name=0x561d764fd9d0 "realized", errp=0x7ffe8f75f468) at
> > qom/object.c:1157
> > #10 0x0000561d76117304 in pc_new_cpu (typename=0x561d7707c880
> > "qemu32-i386-cpu", apic_id=1, errp=0x7ffe8f75f4c0) at
> > /root/xen/tools/qemu-xen-dir/hw/i386/pc.c:1099
> > #11 0x0000561d761174cc in pc_hot_add_cpu (id=1, errp=0x7ffe8f75f558) at
> > /root/xen/tools/qemu-xen-dir/hw/i386/pc.c:1131
> > #12 0x0000561d761cb7b3 in qmp_cpu_add (id=1, errp=0x7ffe8f75f558) at
> > qmp.c:126
> > #13 0x0000561d761bdc60 in qmp_marshal_cpu_add (args=0x561d7711a1b0,
> > ret=0x7ffe8f75f5b0, errp=0x7ffe8f75f5a8) at qmp-marshal.c:1274
> > #14 0x0000561d764b2f13 in do_qmp_dispatch (request=0x561d77129360,
> > errp=0x7ffe8f75f610) at qapi/qmp-dispatch.c:98
> > #15 0x0000561d764b3042 in qmp_dispatch (request=0x561d77129360) at
> > qapi/qmp-dispatch.c:125
> > #16 0x0000561d76084d39 in handle_qmp_command (parser=0x561d771288b0,
> > tokens=0x561d770f8cc0) at /root/xen/tools/qemu-xen-dir/monitor.c:3758
> > #17 0x0000561d764ba402 in json_message_process_token
> > (lexer=0x561d771288b8, input=0x561d770f9040, type=JSON_RCURLY, x=1,
> > y=11) at qobject/json-streamer.c:105
> > #18 0x0000561d764dd5dc in json_lexer_feed_char (lexer=0x561d771288b8,
> > ch=125 '}', flush=false) at qobject/json-lexer.c:319
> > #19 0x0000561d764dd71c in json_lexer_feed (lexer=0x561d771288b8,
> > buffer=0x7ffe8f75f880 "}\224Dx\035V", size=1) at qobject/json-lexer.c:369
> > #20 0x0000561d764ba4a2 in json_message_parser_feed
> > (parser=0x561d771288b0, buffer=0x7ffe8f75f880 "}\224Dx\035V", size=1) at
> > qobject/json-streamer.c:124
> > #21 0x0000561d76084e53 in monitor_qmp_read (opaque=0x561d77128830,
> > buf=0x7ffe8f75f880 "}\224Dx\035V", size=1) at
> > /root/xen/tools/qemu-xen-dir/monitor.c:3788
> > #22 0x0000561d761a3b2d in qemu_chr_be_write_impl (s=0x561d77107020,
> > buf=0x7ffe8f75f880 "}\224Dx\035V", len=1) at qemu-char.c:419
> > #23 0x0000561d761a3b8f in qemu_chr_be_write (s=0x561d77107020,
> > buf=0x7ffe8f75f880 "}\224Dx\035V", len=1) at qemu-char.c:431
> > #24 0x0000561d761a83d0 in tcp_chr_read (chan=0x561d785ae8a0,
> > cond=G_IO_IN, opaque=0x561d77107020) at qemu-char.c:3145
> > #25 0x0000561d76475a36 in qio_channel_fd_source_dispatch
> > (source=0x561d77cbe7c0, callback=0x561d761a8279 <tcp_chr_read>,
> > user_data=0x561d77107020) at io/channel-watch.c:84
> > #26 0x00007f77f3e407aa in g_main_context_dispatch () from
> > /lib64/libglib-2.0.so.0
> > #27 0x0000561d763f03ee in glib_pollfds_poll () at main-loop.c:259
> > #28 0x0000561d763f04dc in os_host_main_loop_wait (timeout=15045517) at
> > main-loop.c:306
> > #29 0x0000561d763f058c in main_loop_wait (nonblocking=0) at main-loop.c:556
> > #30 0x0000561d761b1cb5 in main_loop () at vl.c:1966
> > #31 0x0000561d761b93fb in main (argc=38, argv=0x7ffe8f760df8,
> > envp=0x7ffe8f760f30) at vl.c:4684
> 


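The two messages above pin the crash down: pc_cpu_plug() publishes the new CPU count through fw_cfg_modify_i16(), but on a Xen guest the board code never creates fw_cfg, so pcms->fw_cfg is NULL and the first dereference in fw_cfg_modify_bytes_read() faults. Because the request arrives over QMP (qmp_cpu_add in the trace), a management-plane command takes the whole device model down with it. The example below is an added illustration, not QEMU's code and not the fix Stefano cites: it models the path with constructed stand-ins for PCMachineState and FWCfgState, keeps the real contract that fw_cfg_modify_i16() trusts its first argument, and shows the unguarded call beside a version that treats fw_cfg as the optional subsystem it is. The only value taken from the page is key 5, which is FW_CFG_NB_CPUS in QEMU; all struct layouts and scenario helpers here are assumptions.

```c
/* Added example (not QEMU's code): a model of the hotplug path in the
 * thread.  The key 5 in the trace is FW_CFG_NB_CPUS in QEMU; everything
 * else here (struct layouts, helper names) is a constructed stand-in. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FW_CFG_NB_CPUS 5

/* Toy stand-in for QEMU's FWCfgState: just the one entry we care about. */
typedef struct FWCfgState {
    uint16_t nb_cpus;
} FWCfgState;

/* Toy stand-in for PCMachineState.  On a Xen guest the board code never
 * creates fw_cfg, so the pointer stays NULL (that is what the thread found). */
typedef struct PCMachineState {
    FWCfgState *fw_cfg;
    unsigned boot_cpus;
} PCMachineState;

/* Same contract as the real fw_cfg_modify_i16(): it trusts `s` and
 * dereferences it, so a NULL argument is a crash, not an error return. */
static void fw_cfg_modify_i16(FWCfgState *s, uint16_t key, uint16_t value)
{
    if (key == FW_CFG_NB_CPUS) {
        s->nb_cpus = value;
    }
}

/* "Before": the shape of the crashing path.  Works on a PC board, faults
 * on a Xen guest because pcms->fw_cfg is NULL. */
static void pc_cpu_plug_unguarded(PCMachineState *pcms)
{
    pcms->boot_cpus++;
    fw_cfg_modify_i16(pcms->fw_cfg, FW_CFG_NB_CPUS, (uint16_t)pcms->boot_cpus);
}

/* "After": the optional subsystem is checked before use.  Returns whether
 * fw_cfg was actually updated so callers and tests can see which path ran. */
static bool pc_cpu_plug_guarded(PCMachineState *pcms)
{
    pcms->boot_cpus++;
    if (pcms->fw_cfg == NULL) {
        return false;   /* no firmware config on this board: nothing to publish */
    }
    fw_cfg_modify_i16(pcms->fw_cfg, FW_CFG_NB_CPUS, (uint16_t)pcms->boot_cpus);
    return true;
}

/* Scenario: Xen-like board (no fw_cfg), one boot CPU, one hot-add.
 * Returns 1 when the guarded path counts the CPU and skips fw_cfg. */
static int xen_like_hotplug_ok(void)
{
    PCMachineState pcms = { .fw_cfg = NULL, .boot_cpus = 1 };
    bool updated = pc_cpu_plug_guarded(&pcms);
    return (!updated && pcms.boot_cpus == 2) ? 1 : 0;
}

/* Scenario: ordinary PC board with fw_cfg present.  Both versions agree
 * here; returns 1 when each publishes nb_cpus == 2, matching the trace's
 * value=2 after hot-adding apic_id=1 to a single-CPU guest. */
static int pc_hotplug_ok(void)
{
    FWCfgState fw = { .nb_cpus = 1 };
    PCMachineState guarded = { .fw_cfg = &fw, .boot_cpus = 1 };
    bool updated = pc_cpu_plug_guarded(&guarded);

    FWCfgState fw2 = { .nb_cpus = 1 };
    PCMachineState unguarded = { .fw_cfg = &fw2, .boot_cpus = 1 };
    pc_cpu_plug_unguarded(&unguarded);

    return (updated && fw.nb_cpus == 2 && fw2.nb_cpus == 2 &&
            guarded.boot_cpus == 2 && unguarded.boot_cpus == 2) ? 1 : 0;
}

int main(void)
{
    printf("xen-like board, guarded plug: %s\n", xen_like_hotplug_ok() ? "ok" : "FAIL");
    printf("pc board, both plugs:         %s\n", pc_hotplug_ok() ? "ok" : "FAIL");
    /* Deliberately not calling pc_cpu_plug_unguarded() with fw_cfg == NULL:
     * that is the SIGSEGV at fw_cfg.c:614 in the thread. */
    return 0;
}
```

The point of the model is the contract split: fw_cfg_modify_i16() is right not to check its argument (it has no sensible way to report "no fw_cfg"), so the board-level caller that knows fw_cfg is optional is the place to guard. A quick regression check for this class of bug is to run the hotplug QMP command against a guest on each board type that may omit a subsystem, since the Xen path is exactly the one the upstream PC tests do not exercise.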

* Re: (resend) qemu crashes during VCPU hotplug
  2017-02-16 21:19   ` Stefano Stabellini
@ 2017-02-16 21:52     ` Boris Ostrovsky
  2017-02-16 22:19       ` Stefano Stabellini
  0 siblings, 1 reply; 5+ messages in thread
From: Boris Ostrovsky @ 2017-02-16 21:52 UTC (permalink / raw)
  To: Stefano Stabellini; +Cc: Stefano Stabellini, anthony.perard, xen-devel



On 02/16/2017 04:19 PM, Stefano Stabellini wrote:
> On Thu, 16 Feb 2017, Boris Ostrovsky wrote:
>> On 02/15/2017 11:20 PM, Boris Ostrovsky wrote:
>>> (Now with correct address for Stefano)
>>>
>>> Upstream qemu appears to be crashing during VCPU hotplug. I think this
>>> is something relatively new since I have been doing this a few weeks ago.
>>>
>>> I reproduced this on two different setups. Haven't had a chance to look
>>> any further but e3cadac073 looks suspicious.
>>
>> Yes, this is the offending commit.
>>
>> For Xen guests qemu never sets pcms->fw_cfg.
>
> Thanks for narrowing it down. Are you using qemu-xen/staging?


Yes.


> It looks
> like it has been fixed in qemu.org by
>
> commit 26ef65beab852caf2b1ef4976e3473f2d525164d
> Author: Igor Mammedov <imammedo@redhat.com>
> Date:   Fri Dec 30 15:33:11 2016 +0100
>
>     pc: fix crash in rtc_set_memory() if initial cpu is marked as hotplugged
>
> can you confirm?


Yes, this fixes it.

-boris

>
>
>
>> -boris
>>
>>>
>>> The crash happens in fw_cfg_modify_bytes_read() when we pass in NULL
>>> pointer as first argument. The stack is below:
>>>
>>>
>>> (gdb) where
>>> #0  0x0000561d762d64d4 in fw_cfg_modify_bytes_read (s=0x0, key=5,
>>> data=0x561d787031d0, len=2) at hw/nvram/fw_cfg.c:614
>>> #1  0x0000561d762d6730 in fw_cfg_modify_i16 (s=0x0, key=5, value=2) at
>>> hw/nvram/fw_cfg.c:656
>>> #2  0x0000561d761195b3 in pc_cpu_plug (hotplug_dev=0x561d770f9810,
>>> dev=0x561d7712a7e0, errp=0x7ffe8f75f2b0) at
>>> /root/xen/tools/qemu-xen-dir/hw/i386/pc.c:1823
>>> #3  0x0000561d76119fc0 in pc_machine_device_plug_cb
>>> (hotplug_dev=0x561d770f9810, dev=0x561d7712a7e0, errp=0x7ffe8f75f2b0) at
>>> /root/xen/tools/qemu-xen-dir/hw/i386/pc.c:1993
>>> #4  0x0000561d76239cba in hotplug_handler_plug
>>> (plug_handler=0x561d770f9810, plugged_dev=0x561d7712a7e0,
>>> errp=0x7ffe8f75f2b0) at hw/core/hotplug.c:34
>>> #5  0x0000561d7623584d in device_set_realized (obj=0x561d7712a7e0,
>>> value=true, errp=0x7ffe8f75f468) at hw/core/qdev.c:928
>>> #6  0x0000561d763e22a3 in property_set_bool (obj=0x561d7712a7e0,
>>> v=0x561d78702090, name=0x561d764fd9d0 "realized", opaque=0x561d785aea00,
>>> errp=0x7ffe8f75f468) at qom/object.c:1854
>>> #7  0x0000561d763e07aa in object_property_set (obj=0x561d7712a7e0,
>>> v=0x561d78702090, name=0x561d764fd9d0 "realized", errp=0x7ffe8f75f468)
>>> at qom/object.c:1088
>>> #8  0x0000561d763e3609 in object_property_set_qobject
>>> (obj=0x561d7712a7e0, value=0x561d773869c0, name=0x561d764fd9d0
>>> "realized", errp=0x7ffe8f75f468) at qom/qom-qobject.c:27
>>> #9  0x0000561d763e0a40 in object_property_set_bool (obj=0x561d7712a7e0,
>>> value=true, name=0x561d764fd9d0 "realized", errp=0x7ffe8f75f468) at
>>> qom/object.c:1157
>>> #10 0x0000561d76117304 in pc_new_cpu (typename=0x561d7707c880
>>> "qemu32-i386-cpu", apic_id=1, errp=0x7ffe8f75f4c0) at
>>> /root/xen/tools/qemu-xen-dir/hw/i386/pc.c:1099
>>> #11 0x0000561d761174cc in pc_hot_add_cpu (id=1, errp=0x7ffe8f75f558) at
>>> /root/xen/tools/qemu-xen-dir/hw/i386/pc.c:1131
>>> #12 0x0000561d761cb7b3 in qmp_cpu_add (id=1, errp=0x7ffe8f75f558) at
>>> qmp.c:126
>>> #13 0x0000561d761bdc60 in qmp_marshal_cpu_add (args=0x561d7711a1b0,
>>> ret=0x7ffe8f75f5b0, errp=0x7ffe8f75f5a8) at qmp-marshal.c:1274
>>> #14 0x0000561d764b2f13 in do_qmp_dispatch (request=0x561d77129360,
>>> errp=0x7ffe8f75f610) at qapi/qmp-dispatch.c:98
>>> #15 0x0000561d764b3042 in qmp_dispatch (request=0x561d77129360) at
>>> qapi/qmp-dispatch.c:125
>>> #16 0x0000561d76084d39 in handle_qmp_command (parser=0x561d771288b0,
>>> tokens=0x561d770f8cc0) at /root/xen/tools/qemu-xen-dir/monitor.c:3758
>>> #17 0x0000561d764ba402 in json_message_process_token
>>> (lexer=0x561d771288b8, input=0x561d770f9040, type=JSON_RCURLY, x=1,
>>> y=11) at qobject/json-streamer.c:105
>>> #18 0x0000561d764dd5dc in json_lexer_feed_char (lexer=0x561d771288b8,
>>> ch=125 '}', flush=false) at qobject/json-lexer.c:319
>>> #19 0x0000561d764dd71c in json_lexer_feed (lexer=0x561d771288b8,
>>> buffer=0x7ffe8f75f880 "}\224Dx\035V", size=1) at qobject/json-lexer.c:369
>>> #20 0x0000561d764ba4a2 in json_message_parser_feed
>>> (parser=0x561d771288b0, buffer=0x7ffe8f75f880 "}\224Dx\035V", size=1) at
>>> qobject/json-streamer.c:124
>>> #21 0x0000561d76084e53 in monitor_qmp_read (opaque=0x561d77128830,
>>> buf=0x7ffe8f75f880 "}\224Dx\035V", size=1) at
>>> /root/xen/tools/qemu-xen-dir/monitor.c:3788
>>> #22 0x0000561d761a3b2d in qemu_chr_be_write_impl (s=0x561d77107020,
>>> buf=0x7ffe8f75f880 "}\224Dx\035V", len=1) at qemu-char.c:419
>>> #23 0x0000561d761a3b8f in qemu_chr_be_write (s=0x561d77107020,
>>> buf=0x7ffe8f75f880 "}\224Dx\035V", len=1) at qemu-char.c:431
>>> #24 0x0000561d761a83d0 in tcp_chr_read (chan=0x561d785ae8a0,
>>> cond=G_IO_IN, opaque=0x561d77107020) at qemu-char.c:3145
>>> #25 0x0000561d76475a36 in qio_channel_fd_source_dispatch
>>> (source=0x561d77cbe7c0, callback=0x561d761a8279 <tcp_chr_read>,
>>> user_data=0x561d77107020) at io/channel-watch.c:84
>>> #26 0x00007f77f3e407aa in g_main_context_dispatch () from
>>> /lib64/libglib-2.0.so.0
>>> #27 0x0000561d763f03ee in glib_pollfds_poll () at main-loop.c:259
>>> #28 0x0000561d763f04dc in os_host_main_loop_wait (timeout=15045517) at
>>> main-loop.c:306
>>> #29 0x0000561d763f058c in main_loop_wait (nonblocking=0) at main-loop.c:556
>>> #30 0x0000561d761b1cb5 in main_loop () at vl.c:1966
>>> #31 0x0000561d761b93fb in main (argc=38, argv=0x7ffe8f760df8,
>>> envp=0x7ffe8f760f30) at vl.c:4684
>>


* Re: (resend) qemu crashes during VCPU hotplug
  2017-02-16 21:52     ` Boris Ostrovsky
@ 2017-02-16 22:19       ` Stefano Stabellini
  0 siblings, 0 replies; 5+ messages in thread
From: Stefano Stabellini @ 2017-02-16 22:19 UTC (permalink / raw)
  To: Boris Ostrovsky
  Cc: Stefano Stabellini, anthony.perard, Stefano Stabellini, xen-devel

On Thu, 16 Feb 2017, Boris Ostrovsky wrote:
> On 02/16/2017 04:19 PM, Stefano Stabellini wrote:
> > On Thu, 16 Feb 2017, Boris Ostrovsky wrote:
> > > On 02/15/2017 11:20 PM, Boris Ostrovsky wrote:
> > > > (Now with correct address for Stefano)
> > > > 
> > > > Upstream qemu appears to be crashing during VCPU hotplug. I think this
> > > > is something relatively new since I have been doing this a few weeks ago.
> > > > 
> > > > I reproduced this on two different setups. Haven't had a chance to look
> > > > any further but e3cadac073 looks suspicious.
> > > 
> > > Yes, this is the offending commit.
> > > 
> > > For Xen guests qemu never sets pcms->fw_cfg.
> > 
> > Thanks for narrowing it down. Are you using qemu-xen/staging?
> 
> 
> Yes.
> 
> 
> > It looks
> > like it has been fixed in qemu.org by
> > 
> > commit 26ef65beab852caf2b1ef4976e3473f2d525164d
> > Author: Igor Mammedov <imammedo@redhat.com>
> > Date:   Fri Dec 30 15:33:11 2016 +0100
> > 
> >     pc: fix crash in rtc_set_memory() if initial cpu is marked as hotplugged
> > 
> > can you confirm?
> 
> 
> Yes, this fixes it.

I backported it to qemu-xen/staging.


> -boris
> 
> > 
> > 
> > 
> > > -boris
> > > 
> > > > 
> > > > The crash happens in fw_cfg_modify_bytes_read() when we pass in NULL
> > > > pointer as first argument. The stack is below:
> > > > 
> > > > 
> > > > (gdb) where
> > > > #0  0x0000561d762d64d4 in fw_cfg_modify_bytes_read (s=0x0, key=5,
> > > > data=0x561d787031d0, len=2) at hw/nvram/fw_cfg.c:614
> > > > #1  0x0000561d762d6730 in fw_cfg_modify_i16 (s=0x0, key=5, value=2) at
> > > > hw/nvram/fw_cfg.c:656
> > > > #2  0x0000561d761195b3 in pc_cpu_plug (hotplug_dev=0x561d770f9810,
> > > > dev=0x561d7712a7e0, errp=0x7ffe8f75f2b0) at
> > > > /root/xen/tools/qemu-xen-dir/hw/i386/pc.c:1823
> > > > #3  0x0000561d76119fc0 in pc_machine_device_plug_cb
> > > > (hotplug_dev=0x561d770f9810, dev=0x561d7712a7e0, errp=0x7ffe8f75f2b0) at
> > > > /root/xen/tools/qemu-xen-dir/hw/i386/pc.c:1993
> > > > #4  0x0000561d76239cba in hotplug_handler_plug
> > > > (plug_handler=0x561d770f9810, plugged_dev=0x561d7712a7e0,
> > > > errp=0x7ffe8f75f2b0) at hw/core/hotplug.c:34
> > > > #5  0x0000561d7623584d in device_set_realized (obj=0x561d7712a7e0,
> > > > value=true, errp=0x7ffe8f75f468) at hw/core/qdev.c:928
> > > > #6  0x0000561d763e22a3 in property_set_bool (obj=0x561d7712a7e0,
> > > > v=0x561d78702090, name=0x561d764fd9d0 "realized", opaque=0x561d785aea00,
> > > > errp=0x7ffe8f75f468) at qom/object.c:1854
> > > > #7  0x0000561d763e07aa in object_property_set (obj=0x561d7712a7e0,
> > > > v=0x561d78702090, name=0x561d764fd9d0 "realized", errp=0x7ffe8f75f468)
> > > > at qom/object.c:1088
> > > > #8  0x0000561d763e3609 in object_property_set_qobject
> > > > (obj=0x561d7712a7e0, value=0x561d773869c0, name=0x561d764fd9d0
> > > > "realized", errp=0x7ffe8f75f468) at qom/qom-qobject.c:27
> > > > #9  0x0000561d763e0a40 in object_property_set_bool (obj=0x561d7712a7e0,
> > > > value=true, name=0x561d764fd9d0 "realized", errp=0x7ffe8f75f468) at
> > > > qom/object.c:1157
> > > > #10 0x0000561d76117304 in pc_new_cpu (typename=0x561d7707c880
> > > > "qemu32-i386-cpu", apic_id=1, errp=0x7ffe8f75f4c0) at
> > > > /root/xen/tools/qemu-xen-dir/hw/i386/pc.c:1099
> > > > #11 0x0000561d761174cc in pc_hot_add_cpu (id=1, errp=0x7ffe8f75f558) at
> > > > /root/xen/tools/qemu-xen-dir/hw/i386/pc.c:1131
> > > > #12 0x0000561d761cb7b3 in qmp_cpu_add (id=1, errp=0x7ffe8f75f558) at
> > > > qmp.c:126
> > > > #13 0x0000561d761bdc60 in qmp_marshal_cpu_add (args=0x561d7711a1b0,
> > > > ret=0x7ffe8f75f5b0, errp=0x7ffe8f75f5a8) at qmp-marshal.c:1274
> > > > #14 0x0000561d764b2f13 in do_qmp_dispatch (request=0x561d77129360,
> > > > errp=0x7ffe8f75f610) at qapi/qmp-dispatch.c:98
> > > > #15 0x0000561d764b3042 in qmp_dispatch (request=0x561d77129360) at
> > > > qapi/qmp-dispatch.c:125
> > > > #16 0x0000561d76084d39 in handle_qmp_command (parser=0x561d771288b0,
> > > > tokens=0x561d770f8cc0) at /root/xen/tools/qemu-xen-dir/monitor.c:3758
> > > > #17 0x0000561d764ba402 in json_message_process_token
> > > > (lexer=0x561d771288b8, input=0x561d770f9040, type=JSON_RCURLY, x=1,
> > > > y=11) at qobject/json-streamer.c:105
> > > > #18 0x0000561d764dd5dc in json_lexer_feed_char (lexer=0x561d771288b8,
> > > > ch=125 '}', flush=false) at qobject/json-lexer.c:319
> > > > #19 0x0000561d764dd71c in json_lexer_feed (lexer=0x561d771288b8,
> > > > buffer=0x7ffe8f75f880 "}\224Dx\035V", size=1) at
> > > > qobject/json-lexer.c:369
> > > > #20 0x0000561d764ba4a2 in json_message_parser_feed
> > > > (parser=0x561d771288b0, buffer=0x7ffe8f75f880 "}\224Dx\035V", size=1) at
> > > > qobject/json-streamer.c:124
> > > > #21 0x0000561d76084e53 in monitor_qmp_read (opaque=0x561d77128830,
> > > > buf=0x7ffe8f75f880 "}\224Dx\035V", size=1) at
> > > > /root/xen/tools/qemu-xen-dir/monitor.c:3788
> > > > #22 0x0000561d761a3b2d in qemu_chr_be_write_impl (s=0x561d77107020,
> > > > buf=0x7ffe8f75f880 "}\224Dx\035V", len=1) at qemu-char.c:419
> > > > #23 0x0000561d761a3b8f in qemu_chr_be_write (s=0x561d77107020,
> > > > buf=0x7ffe8f75f880 "}\224Dx\035V", len=1) at qemu-char.c:431
> > > > #24 0x0000561d761a83d0 in tcp_chr_read (chan=0x561d785ae8a0,
> > > > cond=G_IO_IN, opaque=0x561d77107020) at qemu-char.c:3145
> > > > #25 0x0000561d76475a36 in qio_channel_fd_source_dispatch
> > > > (source=0x561d77cbe7c0, callback=0x561d761a8279 <tcp_chr_read>,
> > > > user_data=0x561d77107020) at io/channel-watch.c:84
> > > > #26 0x00007f77f3e407aa in g_main_context_dispatch () from
> > > > /lib64/libglib-2.0.so.0
> > > > #27 0x0000561d763f03ee in glib_pollfds_poll () at main-loop.c:259
> > > > #28 0x0000561d763f04dc in os_host_main_loop_wait (timeout=15045517) at
> > > > main-loop.c:306
> > > > #29 0x0000561d763f058c in main_loop_wait (nonblocking=0) at
> > > > main-loop.c:556
> > > > #30 0x0000561d761b1cb5 in main_loop () at vl.c:1966
> > > > #31 0x0000561d761b93fb in main (argc=38, argv=0x7ffe8f760df8,
> > > > envp=0x7ffe8f760f30) at vl.c:4684
> > > 
> 
