id = 647 title = "scsi_device_purge_requests() waits infinietly" state = "opened" created_at = "2021-09-29T15:51:12.331Z" closed_at = "n/a" labels = ["Storage", "block:NVMe", "device:virtio", "kind::Bug"] url = "https://gitlab.com/qemu-project/qemu/-/issues/647" host-os = "(RHEL)" host-arch = "(x86)" qemu-version = "n/a" guest-os = "(RHEL)" guest-arch = "(x86)" description = """QEMU hangs typing `system_reset` in the monitor, the monitor becomes unresponsive, as does VNC.""" reproduce = """1. In the guest as root: `dd if=/dev/sda ibs=2K obs=1M of=/dev/null` 2. In the host monitor: `(qemu) system_reset` 3. Attach with gdb 4. Press ^C in the unresponsive monitor ``` Thread 1 "qemu-system-x86" received signal SIGINT, Interrupt. 0x00007ffff749796e in ppoll () from /lib64/libc.so.6 (gdb) bt #0 0x00007ffff749796e in ppoll () at /lib64/libc.so.6 #1 0x00005555570e829a in ppoll () #2 0x0000555559624473 in qemu_poll_ns (fds=0x6060000204e0, nfds=1, timeout=-1) at ../util/qemu-timer.c:336 #3 0x0000555559651973 in fdmon_poll_wait (ctx=0x61300004d900, ready_list=0x7fffffffb200, timeout=-1) at ../util/fdmon-poll.c:80 #4 0x00005555595f48f1 in aio_poll (ctx=0x61300004d900, blocking=true) at ../util/aio-posix.c:607 #5 0x0000555559041dac in bdrv_do_drained_begin (bs=0x62900000a200, recursive=false, parent=0x0, ignore_bds_parents=false, poll=true) at ../block/io.c:473 #6 0x00005555590414a3 in bdrv_drained_begin (bs=0x62900000a200) at ../block/io.c:479 #7 0x000055555916f180 in blk_drain (blk=0x618000001080) at ../block/block-backend.c:1732 #8 0x000055555778f140 in scsi_device_purge_requests (sdev=0x617000004d80, sense=...) at ../hw/scsi/scsi-bus.c:1638 #9 0x0000555557842df9 in scsi_disk_reset (dev=0x617000004d80) at ../hw/scsi/scsi-disk.c:2248 #10 0x00005555592a557e in device_transitional_reset (obj=0x617000004d80) at ../hw/core/qdev.c:1028 #11 0x00005555592a7eb7 in resettable_phase_hold (obj=0x617000004d80, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:182 #12 0x000055555928a2e8 in bus_reset_child_foreach (obj=0x62d0000268d8, cb=0x5555592a78e0 , opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/bus.c:97 #13 0x00005555592aaaac in resettable_child_foreach (rc=0x60e000026f40, obj=0x62d0000268d8, cb=0x5555592a78e0 , opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:96 #14 0x00005555592a7b9a in resettable_phase_hold (obj=0x62d0000268d8, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:173 #15 0x00005555592a1c55 in device_reset_child_foreach (obj=0x62d000026680, cb=0x5555592a78e0 , opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/qdev.c:366 #16 0x00005555592aaaac in resettable_child_foreach (rc=0x60e000040a80, obj=0x62d000026680, cb=0x5555592a78e0 , opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:96 #17 0x00005555592a7b9a in resettable_phase_hold (obj=0x62d000026680, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:173 #18 0x000055555928a2e8 in bus_reset_child_foreach (obj=0x62d0000265f8, cb=0x5555592a78e0 , opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/bus.c:97 #19 0x00005555592aaaac in resettable_child_foreach (rc=0x60e000026680, obj=0x62d0000265f8, cb=0x5555592a78e0 , opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:96 #20 0x00005555592a7b9a in resettable_phase_hold (obj=0x62d0000265f8, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:173 #21 0x00005555592a1c55 in device_reset_child_foreach (obj=0x62d00001e400, cb=0x5555592a78e0 , opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/qdev.c:366 #22 0x00005555592aaaac in resettable_child_foreach (rc=0x60e000042300, obj=0x62d00001e400, cb=0x5555592a78e0 , opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:96 #23 0x00005555592a7b9a in resettable_phase_hold (obj=0x62d00001e400, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:173 #24 0x000055555928a2e8 in bus_reset_child_foreach (obj=0x62200005c260, cb=0x5555592a78e0 , opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/bus.c:97 #25 0x00005555592aaaac in resettable_child_foreach (rc=0x60e00002e2c0, obj=0x62200005c260, cb=0x5555592a78e0 , opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:96 #26 0x00005555592a7b9a in resettable_phase_hold (obj=0x62200005c260, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:173 #27 0x00005555592a1c55 in device_reset_child_foreach (obj=0x62200005b900, cb=0x5555592a78e0 , opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/qdev.c:366 #28 0x00005555592aaaac in resettable_child_foreach (rc=0x60e000030940, obj=0x62200005b900, cb=0x5555592a78e0 , opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:96 #29 0x00005555592a7b9a in resettable_phase_hold (obj=0x62200005b900, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:173 #30 0x000055555928a2e8 in bus_reset_child_foreach (obj=0x61d00008a280, cb=0x5555592a78e0 , opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/bus.c:97 #31 0x00005555592aaaac in resettable_child_foreach (rc=0x60e00002e2c0, obj=0x61d00008a280, cb=0x5555592a78e0 , opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:96 #32 0x00005555592a7b9a in resettable_phase_hold (obj=0x61d00008a280, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:173 #33 0x00005555592a1c55 in device_reset_child_foreach (obj=0x62a000006200, cb=0x5555592a78e0 , opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/qdev.c:366 #34 0x00005555592aaaac in resettable_child_foreach (rc=0x60e000030160, obj=0x62a000006200, cb=0x5555592a78e0 , opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:96 #35 0x00005555592a7b9a in resettable_phase_hold (obj=0x62a000006200, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:173 #36 0x000055555928a2e8 in bus_reset_child_foreach (obj=0x60c000020a40, cb=0x5555592a78e0 , opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/bus.c:97 #37 0x00005555592aaaac in resettable_child_foreach (rc=0x60e00002fde0, obj=0x60c000020a40, cb=0x5555592a78e0 , opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:96 #38 0x00005555592a7b9a in resettable_phase_hold (obj=0x60c000020a40, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:173 #39 0x00005555592a6e04 in resettable_assert_reset (obj=0x60c000020a40, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:60 #40 0x00005555592a6cb7 in resettable_reset (obj=0x60c000020a40, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:45 #41 0x00005555592a9337 in resettable_cold_reset_fn (opaque=0x60c000020a40) at ../hw/core/resettable.c:269 #42 0x00005555592a6c35 in qemu_devices_reset () at ../hw/core/reset.c:69 #43 0x00005555582fb4f5 in pc_machine_reset (machine=0x616000000380) at ../hw/i386/pc.c:1764 #44 0x0000555558a58e56 in qemu_system_reset (reason=SHUTDOWN_CAUSE_HOST_QMP_SYSTEM_RESET) at ../softmmu/runstate.c:443 #45 0x0000555558a5a746 in main_loop_should_exit () at ../softmmu/runstate.c:688 #46 0x0000555558a5a57e in qemu_main_loop () at ../softmmu/runstate.c:722 #47 0x00005555571acaef in main (argc=58, argv=0x7fffffffd8f8, envp=0x7fffffffdad0) at ../softmmu/main.c:50 (gdb) (gdb) fr 5 #5 0x0000555559041dac in bdrv_do_drained_begin (bs=0x62900000a200, recursive=false, parent=0x0, ignore_bds_parents=false, poll=true) at ../block/io.c:473 473 BDRV_POLL_WHILE(bs, bdrv_drain_poll_top_level(bs, recursive, parent)); (gdb) p *bs $1 = {open_flags = 24578, encrypted = false, sg = false, probed = false, force_share = false, implicit = false, drv = 0x55555b0b0c60 , opaque = 0x615000015200, aio_context = 0x6130000df080, aio_notifiers = {lh_first = 0x0}, walking_aio_notifiers = false, filename = "nvme://0000:bc:00.0/1", '\\000' , backing_file = '\\000' , auto_backing_file = '\\000' , backing_format = '\\000' , full_open_options = 0x621002ba2100, exact_filename = "nvme://0000:bc:00.0/1", '\\000' , backing = 0x0, file = 0x608000002ba0, bl = {request_alignment = 1, max_pdiscard = 0, pdiscard_alignment = 65536, max_pwrite_zeroes = 0, pwrite_zeroes_alignment = 65536, opt_transfer = 0, max_transfer = 131072, max_hw_transfer = 0, min_mem_alignment = 512, opt_mem_alignment = 4096, max_iov = 1024}, supported_read_flags = 0, supported_write_flags = 0, supported_zero_flags = 260, supported_truncate_flags = 2, node_name = "drive_nvme1", '\\000' , node_list = {tqe_next = 0x0, tqe_circ = {tql_next = 0x0, tql_prev = 0x6290000092d0}}, bs_list = {tqe_next = 0x0, tqe_circ = {tql_next = 0x0, tql_prev = 0x6290000092e0}}, monitor_list = {tqe_next = 0x0, tqe_circ = {tql_next = 0x0, tql_prev = 0x6290000092f0}}, refcnt = 2, op_blockers = {{ lh_first = 0x0} }, inherits_from = 0x0, children = {lh_first = 0x608000002ba0}, parents = {lh_first = 0x608000003620}, options = 0x621000019100, explicit_options = 0x62100001a500, detect_zeroes = BLOCKDEV_DETECT_ZEROES_OPTIONS_OFF, backing_blocker = 0x0, total_sectors = 41943040, write_threshold_offset = 0, dirty_bitmap_mutex = {lock = {__data = {__lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 0, __spins = 0, __elision = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = '\\000' , __align = 0}, file = 0x0, line = 0, initialized = true}, dirty_bitmaps = {lh_first = 0x0}, wr_highest_offset = {value = 17686634496}, copy_on_read = 0, in_flight = 128, serialising_in_flight = 0, io_plugged = 0, enable_write_cache = 0, quiesce_counter = 1, recursive_quiesce_counter = 0, write_gen = 101, reqs_lock = {locked = 0, ctx = 0x0, from_push = {slh_first = 0x0}, to_pop = {slh_first = 0x0}, handoff = 0, sequence = 0, holder = 0x0}, tracked_requests = { lh_first = 0x7ffc251b48a0}, flush_queue = {entries = {sqh_first = 0x0, sqh_last = 0x62900000e470}}, active_flush_req = false, flushed_gen = 81, never_freeze = false} (gdb) fr 4 #4 0x00005555595f48f1 in aio_poll (ctx=0x61300004d900, blocking=true) at ../util/aio-posix.c:607 607 ret = ctx->fdmon_ops->wait(ctx, &ready_list, timeout); (gdb) p timeout $5 = -1 (gdb) p blocking $6 = true (gdb) p *ctx $3 = {source = {callback_data = 0x0, callback_funcs = 0x0, source_funcs = 0x55555b42d900 , ref_count = 2, context = 0x60f000000400, priority = 0, flags = 33, source_id = 1, poll_fds = 0x615000001790 = {0x60d000000860}, prev = 0x0, next = 0x61300004d3c0, name = 0x602000010a10 "aio-context", priv = 0x619000003830}, lock = {m = {lock = {__data = {__lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 1, __spins = 0, __elision = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = '\\000' , "\\001", '\\000' , __align = 0}, file = 0x0, line = 0, initialized = true}}, aio_handlers = {lh_first = 0x60d000000860}, deleted_aio_handlers = {lh_first = 0x0}, notify_me = 2, list_lock = {count = 4}, bh_list = {slh_first = 0x0}, bh_slice_list = {sqh_first = 0x0, sqh_last = 0x61300004d9b8}, notified = false, notifier = {rfd = 7, wfd = 7, initialized = true}, scheduled_coroutines = {slh_first = 0x0}, co_schedule_bh = 0x604000001110, thread_pool = 0x0, tlg = {tl = {0x60b00000a1d0, 0x60b00000a280, 0x60b00000a330, 0x60b00000a3e0}}, external_disable_cnt = 0, poll_disable_cnt = 0, poll_ns = 0, poll_max_ns = 0, poll_grow = 0, poll_shrink = 0, aio_max_batch = 0, poll_aio_handlers = {lh_first = 0x60d000000860}, poll_started = false, epollfd = 6, fdmon_ops = 0x55555a4ebbc0 } (gdb) p ctx->bh_list $8 = {slh_first = 0x0} (gdb) p ctx->bh_slice_list $9 = {sqh_first = 0x0, sqh_last = 0x61300004d9b8} (gdb) p *ctx->bh_slice_list.sqh_last $11 = (struct BHListSlice *) 0x0 (gdb) p ctx->tlg $12 = {tl = {0x60b00000a1d0, 0x60b00000a280, 0x60b00000a330, 0x60b00000a3e0}} (gdb) p timerlist_deadline_ns(ctx->tlg.tl[0]) $14 = -1 (gdb) p timerlist_deadline_ns(ctx->tlg.tl[1]) $15 = -1 (gdb) p timerlist_deadline_ns(ctx->tlg.tl[2]) $16 = -1 (gdb) p timerlist_deadline_ns(ctx->tlg.tl[3]) $17 = -1 ``` What I see is: - timerlistgroup_deadline_ns() -> -1 - aio_compute_timeout() -> -1 - aio_poll() -> -1 So scsi_device_purge_requests() waits indefinitively.""" additional = """``` ../configure --enable-trace-backends=log --disable-docs --enable-debug --extra-cflags='-ggdb -fPIE' --disable-user --disable-tools --target-list=x86_64-softmmu --cc=clang --cxx=clang++ --enable-sanitizers --disable-vhost-user qemu 6.1.0 Directories Install prefix: /usr/local BIOS directory: share/qemu firmware path: /usr/local/share/qemu-firmware binary directory: bin library directory: lib module directory: lib/qemu libexec directory: libexec include directory: include config directory: /usr/local/etc local state directory: /usr/local/var Manual directory: share/man Doc directory: /usr/local/share/doc Build directory: /home/philmd/qemu/build Source path: /home/philmd/qemu GIT submodules: ui/keycodemapdb meson tests/fp/berkeley-testfloat-3 tests/fp/berkeley-softfloat-3 dtc capstone slirp Host binaries git: git make: make python: /usr/bin/python3 (version: 3.9) sphinx-build: NO gdb: /usr/bin/gdb genisoimage: /usr/bin/mkisofs smbd: "/usr/sbin/smbd" Configurable features Documentation: NO system-mode emulation: YES user-mode emulation: NO block layer: YES Install blobs: YES module support: NO fuzzing support: NO Audio drivers: oss Trace backends: log QOM debugging: YES vhost-kernel support: YES vhost-net support: YES vhost-crypto support: NO vhost-scsi support: YES vhost-vsock support: YES vhost-user support: NO vhost-user-blk server support: NO vhost-user-fs support: NO vhost-vdpa support: YES build guest agent: YES Compilation host CPU: x86_64 host endianness: little C compiler: clang Host C compiler: clang C++ compiler: clang++ CFLAGS: -O0 -g CXXFLAGS: -O0 -g QEMU_CFLAGS: -fsanitize=undefined -fsanitize=address -m64 -mcx16 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -Wstrict-prototypes -Wredundant-decls -Wundef -Wwrite-strings -Wmissing-prototypes -fno-strict-aliasing -fno-common -fwrapv -ggdb -fPIE -Wold-style-definition -Wtype-limits -Wformat-security -Wformat-y2k -Winit-self -Wignored-qualifiers -Wempty-body -Wnested-externs -Wendif-labels -Wexpansion-to-defined -Wno-initializer-overrides -Wno-missing-include-dirs -Wno-shift-negative-value -Wno-string-plus-int -Wno-typedef-redefinition -Wno-tautological-type-limit-compare -Wno-psabi -fstack-protector-strong QEMU_LDFLAGS: -Wl,--warn-common -fsanitize=undefined -fsanitize=address -Wl,-z,relro -Wl,-z,now -m64 -ggdb -fPIE -fstack-protector-strong profiler: NO link-time optimization (LTO): NO PIE: YES static build: NO malloc trim support: YES membarrier: NO debug stack usage: NO mutex debugging: YES memory allocator: system avx2 optimization: NO avx512f optimization: NO gprof enabled: NO gcov: NO thread sanitizer: NO CFI support: NO strip binaries: NO sparse: NO mingw32 support: NO x86_64 tests: x86_64-linux-gnu-gcc via debian-amd64-cross Targets and accelerators KVM support: YES HAX support: NO HVF support: NO WHPX support: NO NVMM support: NO Xen support: NO TCG support: YES TCG backend: native (x86_64) TCG plugins: YES TCG debug enabled: YES target list: x86_64-softmmu default devices: YES out of process emulation: YES Block layer support coroutine backend: ucontext coroutine pool: YES Block whitelist (rw): Block whitelist (ro): Use block whitelist in tools: NO VirtFS support: NO build virtiofs daemon: NO Live block migration: YES replication support: YES bochs support: YES cloop support: YES dmg support: YES qcow v1 support: YES vdi support: YES vvfat support: YES qed support: YES parallels support: YES FUSE exports: NO Crypto TLS priority: "NORMAL" GNUTLS support: YES GNUTLS crypto: YES libgcrypt: NO nettle: NO crypto afalg: NO rng-none: NO Linux keyring: YES Dependencies SDL support: NO SDL image support: NO GTK support: NO pixman: YES VTE support: NO slirp support: internal libtasn1: YES PAM: NO iconv support: YES curses support: YES virgl support: NO curl support: NO Multipath support: NO VNC support: YES VNC SASL support: YES VNC JPEG support: YES VNC PNG support: NO brlapi support: NO vde support: NO netmap support: NO Linux AIO support: NO Linux io_uring support: NO ATTR/XATTR support: YES RDMA support: NO PVRDMA support: NO fdt support: internal libcap-ng support: NO bpf support: NO spice support: NO rbd support: NO xfsctl support: NO smartcard support: NO U2F support: NO libusb: NO usb net redir: NO OpenGL support: NO GBM: NO libiscsi support: NO libnfs support: NO seccomp support: NO GlusterFS support: NO TPM support: YES libssh support: NO lzo support: NO snappy support: NO bzip2 support: NO lzfse support: NO zstd support: NO NUMA host support: NO libxml2: NO capstone: internal libpmem support: NO libdaxctl support: NO libudev: NO FUSE lseek: NO ```"""