From patchwork Tue Sep 3 12:06:33 2013
X-Patchwork-Submitter: "Zhanghaoyu (A)"
X-Patchwork-Id: 272209
From: "Zhanghaoyu (A)"
To: Jan Kiszka, qemu-devel, "paolo.bonzini@gmail.com", "Michael S. Tsirkin", Eric Blake, Gleb Natapov
Cc: "Huangweidong (C)", Luonengjun
Subject: [Qemu-devel] [KVM] segmentation fault happened when reboot VM after hot-unplug virtio NIC
Date: Tue, 3 Sep 2013 12:06:33 +0000

Hi, all

Segmentation fault happened when rebooting the VM after hot-unplugging a virtio NIC, which can be reproduced 100%.
See the similar bug report at https://bugzilla.redhat.com/show_bug.cgi?id=988256

test environment:
host: SLES11SP2 (kernel version: 3.0.58)
qemu: 1.5.1, upstream-qemu (commit 545825d4cda03ea292b7788b3401b99860efe8bc)
libvirt: 1.1.0
guest os: win2k8 R2 x64bit or sles11sp2 x64 or win2k3 32bit

You can reproduce this problem by following these steps:
1. start a VM with virtio NIC(s)
2. hot-unplug a virtio NIC from the VM
3. reboot the VM, then segmentation fault happened during the starting period

The qemu backtrace is shown below:
#0  0x00007ff4be3288d0 in __memcmp_sse4_1 () from /lib64/libc.so.6
#1  0x00007ff4c07f82c0 in patch_hypercalls (s=0x7ff4c15dd610) at /mnt/zhanghaoyu/qemu/qemu-1.5.1/hw/i386/kvmvapic.c:549
#2  0x00007ff4c07f84f0 in vapic_prepare (s=0x7ff4c15dd610) at /mnt/zhanghaoyu/qemu/qemu-1.5.1/hw/i386/kvmvapic.c:614
#3  0x00007ff4c07f85e7 in vapic_write (opaque=0x7ff4c15dd610, addr=0, data=32, size=2) at /mnt/zhanghaoyu/qemu/qemu-1.5.1/hw/i386/kvmvapic.c:651
#4  0x00007ff4c082a917 in memory_region_write_accessor (opaque=0x7ff4c15df938, addr=0, value=0x7ff4bbfe3d00, size=2, shift=0, mask=65535) at /mnt/zhanghaoyu/qemu/qemu-1.5.1/memory.c:334
#5  0x00007ff4c082a9ee in access_with_adjusted_size (addr=0, value=0x7ff4bbfe3d00, size=2, access_size_min=1, access_size_max=4, access=0x7ff4c082a89a , opaque=0x7ff4c15df938) at /mnt/zhanghaoyu/qemu/qemu-1.5.1/memory.c:364
#6  0x00007ff4c082ae49 in memory_region_iorange_write (iorange=0x7ff4c15dfca0, offset=0, width=2, data=32) at /mnt/zhanghaoyu/qemu/qemu-1.5.1/memory.c:439
#7  0x00007ff4c08236f7 in ioport_writew_thunk (opaque=0x7ff4c15dfca0, addr=126, data=32) at /mnt/zhanghaoyu/qemu/qemu-1.5.1/ioport.c:219
#8  0x00007ff4c0823078 in ioport_write (index=1, address=126, data=32) at /mnt/zhanghaoyu/qemu/qemu-1.5.1/ioport.c:83
#9  0x00007ff4c0823ca9 in cpu_outw (addr=126, val=32) at /mnt/zhanghaoyu/qemu/qemu-1.5.1/ioport.c:296
#10 0x00007ff4c0827485 in kvm_handle_io (port=126, data=0x7ff4c0510000, direction=1, size=2, count=1) at /mnt/zhanghaoyu/qemu/qemu-1.5.1/kvm-all.c:1485
#11 0x00007ff4c0827e14 in kvm_cpu_exec (env=0x7ff4c15bf270) at /mnt/zhanghaoyu/qemu/qemu-1.5.1/kvm-all.c:1634
#12 0x00007ff4c07b6f27 in qemu_kvm_cpu_thread_fn (arg=0x7ff4c15bf270) at /mnt/zhanghaoyu/qemu/qemu-1.5.1/cpus.c:759
#13 0x00007ff4be58af05 in start_thread () from /lib64/libpthread.so.0
#14 0x00007ff4be2cd53d in clone () from /lib64/libc.so.6

If I apply the below patch to
the upstream qemu, this problem will disappear, --- hw/i386/kvmvapic.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) -- 1.8.1.4 Thanks, Daniel diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c index 15beb80..6fff299 100644 --- a/hw/i386/kvmvapic.c +++ b/hw/i386/kvmvapic.c @@ -652,11 +652,11 @@ static void vapic_write(void *opaque, hwaddr addr, uint64_t data, switch (size) { case 2: if (s->state == VAPIC_INACTIVE) { - rom_paddr = (env->segs[R_CS].base + env->eip) & ROM_BLOCK_MASK; - s->rom_state_paddr = rom_paddr + data; - s->state = VAPIC_STANDBY; } + rom_paddr = (env->segs[R_CS].base + env->eip) & ROM_BLOCK_MASK; + s->rom_state_paddr = rom_paddr + data; + if (vapic_prepare(s) < 0) { s->state = VAPIC_INACTIVE; break;
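Review bot: the moved `rom_paddr` / `s->rom_state_paddr` lines in the `case 2:` block now run on every 2-byte write, not only on the first INACTIVE-to-STANDBY transition, but nothing in the hunk records why; a comment at the moved lines saying that the ROM address must be refreshed because `s->state` stays STANDBY across a guest reboot (so `vapic_prepare()` would otherwise be handed a stale `rom_state_paddr`, which is consistent with the `patch_hypercalls` -> `__memcmp_sse4_1` frames in the backtrace above) would make the intent reviewable. Whether the ROM really relocates after the virtio NIC is unplugged is my inference from the reproduction steps, not something the hunk shows, so stating the actual root cause in the description is needed. It is also worth asking whether resetting `s->state` to `VAPIC_INACTIVE` (and the cached ROM address) on VM reset would be the more targeted fix than recomputing on every write, including while the device is already `VAPIC_ACTIVE`. The patch is missing a description and a Signed-off-by line.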