1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
|
id = 647
title = "scsi_device_purge_requests() waits infinietly"
state = "opened"
created_at = "2021-09-29T15:51:12.331Z"
closed_at = "n/a"
labels = ["Storage", "block:NVMe", "device:virtio", "kind::Bug"]
url = "https://gitlab.com/qemu-project/qemu/-/issues/647"
host-os = "(RHEL)"
host-arch = "(x86)"
qemu-version = "n/a"
guest-os = "(RHEL)"
guest-arch = "(x86)"
description = """QEMU hangs typing `system_reset` in the monitor, the monitor becomes unresponsive, as does VNC."""
reproduce = """1. In the guest as root: `dd if=/dev/sda ibs=2K obs=1M of=/dev/null`
2. In the host monitor: `(qemu) system_reset`
3. Attach with gdb
4. Press ^C in the unresponsive monitor
```
Thread 1 "qemu-system-x86" received signal SIGINT, Interrupt.
0x00007ffff749796e in ppoll () from /lib64/libc.so.6
(gdb) bt
#0 0x00007ffff749796e in ppoll () at /lib64/libc.so.6
#1 0x00005555570e829a in ppoll ()
#2 0x0000555559624473 in qemu_poll_ns (fds=0x6060000204e0, nfds=1, timeout=-1) at ../util/qemu-timer.c:336
#3 0x0000555559651973 in fdmon_poll_wait (ctx=0x61300004d900, ready_list=0x7fffffffb200, timeout=-1) at ../util/fdmon-poll.c:80
#4 0x00005555595f48f1 in aio_poll (ctx=0x61300004d900, blocking=true) at ../util/aio-posix.c:607
#5 0x0000555559041dac in bdrv_do_drained_begin (bs=0x62900000a200, recursive=false, parent=0x0, ignore_bds_parents=false, poll=true) at ../block/io.c:473
#6 0x00005555590414a3 in bdrv_drained_begin (bs=0x62900000a200) at ../block/io.c:479
#7 0x000055555916f180 in blk_drain (blk=0x618000001080) at ../block/block-backend.c:1732
#8 0x000055555778f140 in scsi_device_purge_requests (sdev=0x617000004d80, sense=...) at ../hw/scsi/scsi-bus.c:1638
#9 0x0000555557842df9 in scsi_disk_reset (dev=0x617000004d80) at ../hw/scsi/scsi-disk.c:2248
#10 0x00005555592a557e in device_transitional_reset (obj=0x617000004d80) at ../hw/core/qdev.c:1028
#11 0x00005555592a7eb7 in resettable_phase_hold (obj=0x617000004d80, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:182
#12 0x000055555928a2e8 in bus_reset_child_foreach (obj=0x62d0000268d8, cb=0x5555592a78e0 <resettable_phase_hold>, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/bus.c:97
#13 0x00005555592aaaac in resettable_child_foreach (rc=0x60e000026f40, obj=0x62d0000268d8, cb=0x5555592a78e0 <resettable_phase_hold>, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:96
#14 0x00005555592a7b9a in resettable_phase_hold (obj=0x62d0000268d8, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:173
#15 0x00005555592a1c55 in device_reset_child_foreach (obj=0x62d000026680, cb=0x5555592a78e0 <resettable_phase_hold>, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/qdev.c:366
#16 0x00005555592aaaac in resettable_child_foreach (rc=0x60e000040a80, obj=0x62d000026680, cb=0x5555592a78e0 <resettable_phase_hold>, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:96
#17 0x00005555592a7b9a in resettable_phase_hold (obj=0x62d000026680, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:173
#18 0x000055555928a2e8 in bus_reset_child_foreach (obj=0x62d0000265f8, cb=0x5555592a78e0 <resettable_phase_hold>, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/bus.c:97
#19 0x00005555592aaaac in resettable_child_foreach (rc=0x60e000026680, obj=0x62d0000265f8, cb=0x5555592a78e0 <resettable_phase_hold>, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:96
#20 0x00005555592a7b9a in resettable_phase_hold (obj=0x62d0000265f8, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:173
#21 0x00005555592a1c55 in device_reset_child_foreach (obj=0x62d00001e400, cb=0x5555592a78e0 <resettable_phase_hold>, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/qdev.c:366
#22 0x00005555592aaaac in resettable_child_foreach (rc=0x60e000042300, obj=0x62d00001e400, cb=0x5555592a78e0 <resettable_phase_hold>, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:96
#23 0x00005555592a7b9a in resettable_phase_hold (obj=0x62d00001e400, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:173
#24 0x000055555928a2e8 in bus_reset_child_foreach (obj=0x62200005c260, cb=0x5555592a78e0 <resettable_phase_hold>, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/bus.c:97
#25 0x00005555592aaaac in resettable_child_foreach (rc=0x60e00002e2c0, obj=0x62200005c260, cb=0x5555592a78e0 <resettable_phase_hold>, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:96
#26 0x00005555592a7b9a in resettable_phase_hold (obj=0x62200005c260, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:173
#27 0x00005555592a1c55 in device_reset_child_foreach (obj=0x62200005b900, cb=0x5555592a78e0 <resettable_phase_hold>, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/qdev.c:366
#28 0x00005555592aaaac in resettable_child_foreach (rc=0x60e000030940, obj=0x62200005b900, cb=0x5555592a78e0 <resettable_phase_hold>, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:96
#29 0x00005555592a7b9a in resettable_phase_hold (obj=0x62200005b900, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:173
#30 0x000055555928a2e8 in bus_reset_child_foreach (obj=0x61d00008a280, cb=0x5555592a78e0 <resettable_phase_hold>, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/bus.c:97
#31 0x00005555592aaaac in resettable_child_foreach (rc=0x60e00002e2c0, obj=0x61d00008a280, cb=0x5555592a78e0 <resettable_phase_hold>, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:96
#32 0x00005555592a7b9a in resettable_phase_hold (obj=0x61d00008a280, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:173
#33 0x00005555592a1c55 in device_reset_child_foreach (obj=0x62a000006200, cb=0x5555592a78e0 <resettable_phase_hold>, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/qdev.c:366
#34 0x00005555592aaaac in resettable_child_foreach (rc=0x60e000030160, obj=0x62a000006200, cb=0x5555592a78e0 <resettable_phase_hold>, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:96
#35 0x00005555592a7b9a in resettable_phase_hold (obj=0x62a000006200, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:173
#36 0x000055555928a2e8 in bus_reset_child_foreach (obj=0x60c000020a40, cb=0x5555592a78e0 <resettable_phase_hold>, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/bus.c:97
#37 0x00005555592aaaac in resettable_child_foreach (rc=0x60e00002fde0, obj=0x60c000020a40, cb=0x5555592a78e0 <resettable_phase_hold>, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:96
#38 0x00005555592a7b9a in resettable_phase_hold (obj=0x60c000020a40, opaque=0x0, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:173
#39 0x00005555592a6e04 in resettable_assert_reset (obj=0x60c000020a40, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:60
#40 0x00005555592a6cb7 in resettable_reset (obj=0x60c000020a40, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:45
#41 0x00005555592a9337 in resettable_cold_reset_fn (opaque=0x60c000020a40) at ../hw/core/resettable.c:269
#42 0x00005555592a6c35 in qemu_devices_reset () at ../hw/core/reset.c:69
#43 0x00005555582fb4f5 in pc_machine_reset (machine=0x616000000380) at ../hw/i386/pc.c:1764
#44 0x0000555558a58e56 in qemu_system_reset (reason=SHUTDOWN_CAUSE_HOST_QMP_SYSTEM_RESET) at ../softmmu/runstate.c:443
#45 0x0000555558a5a746 in main_loop_should_exit () at ../softmmu/runstate.c:688
#46 0x0000555558a5a57e in qemu_main_loop () at ../softmmu/runstate.c:722
#47 0x00005555571acaef in main (argc=58, argv=0x7fffffffd8f8, envp=0x7fffffffdad0) at ../softmmu/main.c:50
(gdb)
(gdb) fr 5
#5 0x0000555559041dac in bdrv_do_drained_begin (bs=0x62900000a200, recursive=false, parent=0x0, ignore_bds_parents=false, poll=true) at ../block/io.c:473
473 BDRV_POLL_WHILE(bs, bdrv_drain_poll_top_level(bs, recursive, parent));
(gdb) p *bs
$1 = {open_flags = 24578, encrypted = false, sg = false, probed = false, force_share = false, implicit = false, drv = 0x55555b0b0c60 <bdrv_qcow2>, opaque = 0x615000015200, aio_context = 0x6130000df080,
aio_notifiers = {lh_first = 0x0}, walking_aio_notifiers = false, filename = "nvme://0000:bc:00.0/1", '\\000' <repeats 4074 times>, backing_file = '\\000' <repeats 4095 times>,
auto_backing_file = '\\000' <repeats 4095 times>, backing_format = '\\000' <repeats 15 times>, full_open_options = 0x621002ba2100, exact_filename = "nvme://0000:bc:00.0/1", '\\000' <repeats 4074 times>,
backing = 0x0, file = 0x608000002ba0, bl = {request_alignment = 1, max_pdiscard = 0, pdiscard_alignment = 65536, max_pwrite_zeroes = 0, pwrite_zeroes_alignment = 65536, opt_transfer = 0,
max_transfer = 131072, max_hw_transfer = 0, min_mem_alignment = 512, opt_mem_alignment = 4096, max_iov = 1024}, supported_read_flags = 0, supported_write_flags = 0, supported_zero_flags = 260,
supported_truncate_flags = 2, node_name = "drive_nvme1", '\\000' <repeats 20 times>, node_list = {tqe_next = 0x0, tqe_circ = {tql_next = 0x0, tql_prev = 0x6290000092d0}}, bs_list = {tqe_next = 0x0,
tqe_circ = {tql_next = 0x0, tql_prev = 0x6290000092e0}}, monitor_list = {tqe_next = 0x0, tqe_circ = {tql_next = 0x0, tql_prev = 0x6290000092f0}}, refcnt = 2, op_blockers = {{
lh_first = 0x0} <repeats 16 times>}, inherits_from = 0x0, children = {lh_first = 0x608000002ba0}, parents = {lh_first = 0x608000003620}, options = 0x621000019100, explicit_options = 0x62100001a500,
detect_zeroes = BLOCKDEV_DETECT_ZEROES_OPTIONS_OFF, backing_blocker = 0x0, total_sectors = 41943040, write_threshold_offset = 0, dirty_bitmap_mutex = {lock = {__data = {__lock = 0, __count = 0, __owner = 0,
__nusers = 0, __kind = 0, __spins = 0, __elision = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = '\\000' <repeats 39 times>, __align = 0}, file = 0x0, line = 0, initialized = true},
dirty_bitmaps = {lh_first = 0x0}, wr_highest_offset = {value = 17686634496}, copy_on_read = 0, in_flight = 128, serialising_in_flight = 0, io_plugged = 0, enable_write_cache = 0, quiesce_counter = 1,
recursive_quiesce_counter = 0, write_gen = 101, reqs_lock = {locked = 0, ctx = 0x0, from_push = {slh_first = 0x0}, to_pop = {slh_first = 0x0}, handoff = 0, sequence = 0, holder = 0x0}, tracked_requests = {
lh_first = 0x7ffc251b48a0}, flush_queue = {entries = {sqh_first = 0x0, sqh_last = 0x62900000e470}}, active_flush_req = false, flushed_gen = 81, never_freeze = false}
(gdb) fr 4
#4 0x00005555595f48f1 in aio_poll (ctx=0x61300004d900, blocking=true) at ../util/aio-posix.c:607
607 ret = ctx->fdmon_ops->wait(ctx, &ready_list, timeout);
(gdb) p timeout
$5 = -1
(gdb) p blocking
$6 = true
(gdb) p *ctx
$3 = {source = {callback_data = 0x0, callback_funcs = 0x0, source_funcs = 0x55555b42d900 <aio_source_funcs>, ref_count = 2, context = 0x60f000000400, priority = 0, flags = 33, source_id = 1,
poll_fds = 0x615000001790 = {0x60d000000860}, prev = 0x0, next = 0x61300004d3c0, name = 0x602000010a10 "aio-context", priv = 0x619000003830}, lock = {m = {lock = {__data = {__lock = 0, __count = 0,
__owner = 0, __nusers = 0, __kind = 1, __spins = 0, __elision = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = '\\000' <repeats 16 times>, "\\001", '\\000' <repeats 22 times>, __align = 0},
file = 0x0, line = 0, initialized = true}}, aio_handlers = {lh_first = 0x60d000000860}, deleted_aio_handlers = {lh_first = 0x0}, notify_me = 2, list_lock = {count = 4}, bh_list = {slh_first = 0x0},
bh_slice_list = {sqh_first = 0x0, sqh_last = 0x61300004d9b8}, notified = false, notifier = {rfd = 7, wfd = 7, initialized = true}, scheduled_coroutines = {slh_first = 0x0}, co_schedule_bh = 0x604000001110,
thread_pool = 0x0, tlg = {tl = {0x60b00000a1d0, 0x60b00000a280, 0x60b00000a330, 0x60b00000a3e0}}, external_disable_cnt = 0, poll_disable_cnt = 0, poll_ns = 0, poll_max_ns = 0, poll_grow = 0,
poll_shrink = 0, aio_max_batch = 0, poll_aio_handlers = {lh_first = 0x60d000000860}, poll_started = false, epollfd = 6, fdmon_ops = 0x55555a4ebbc0 <fdmon_poll_ops>}
(gdb) p ctx->bh_list
$8 = {slh_first = 0x0}
(gdb) p ctx->bh_slice_list
$9 = {sqh_first = 0x0, sqh_last = 0x61300004d9b8}
(gdb) p *ctx->bh_slice_list.sqh_last
$11 = (struct BHListSlice *) 0x0
(gdb) p ctx->tlg
$12 = {tl = {0x60b00000a1d0, 0x60b00000a280, 0x60b00000a330, 0x60b00000a3e0}}
(gdb) p timerlist_deadline_ns(ctx->tlg.tl[0])
$14 = -1
(gdb) p timerlist_deadline_ns(ctx->tlg.tl[1])
$15 = -1
(gdb) p timerlist_deadline_ns(ctx->tlg.tl[2])
$16 = -1
(gdb) p timerlist_deadline_ns(ctx->tlg.tl[3])
$17 = -1
```
What I see is:
- timerlistgroup_deadline_ns() -> -1
- aio_compute_timeout() -> -1
- aio_poll() -> -1
So scsi_device_purge_requests() waits indefinitively."""
additional = """```
../configure --enable-trace-backends=log --disable-docs --enable-debug --extra-cflags='-ggdb -fPIE' --disable-user --disable-tools --target-list=x86_64-softmmu --cc=clang --cxx=clang++ --enable-sanitizers --disable-vhost-user
qemu 6.1.0
Directories
Install prefix: /usr/local
BIOS directory: share/qemu
firmware path: /usr/local/share/qemu-firmware
binary directory: bin
library directory: lib
module directory: lib/qemu
libexec directory: libexec
include directory: include
config directory: /usr/local/etc
local state directory: /usr/local/var
Manual directory: share/man
Doc directory: /usr/local/share/doc
Build directory: /home/philmd/qemu/build
Source path: /home/philmd/qemu
GIT submodules: ui/keycodemapdb meson tests/fp/berkeley-testfloat-3 tests/fp/berkeley-softfloat-3 dtc capstone slirp
Host binaries
git: git
make: make
python: /usr/bin/python3 (version: 3.9)
sphinx-build: NO
gdb: /usr/bin/gdb
genisoimage: /usr/bin/mkisofs
smbd: "/usr/sbin/smbd"
Configurable features
Documentation: NO
system-mode emulation: YES
user-mode emulation: NO
block layer: YES
Install blobs: YES
module support: NO
fuzzing support: NO
Audio drivers: oss
Trace backends: log
QOM debugging: YES
vhost-kernel support: YES
vhost-net support: YES
vhost-crypto support: NO
vhost-scsi support: YES
vhost-vsock support: YES
vhost-user support: NO
vhost-user-blk server support: NO
vhost-user-fs support: NO
vhost-vdpa support: YES
build guest agent: YES
Compilation
host CPU: x86_64
host endianness: little
C compiler: clang
Host C compiler: clang
C++ compiler: clang++
CFLAGS: -O0 -g
CXXFLAGS: -O0 -g
QEMU_CFLAGS: -fsanitize=undefined -fsanitize=address -m64 -mcx16 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -Wstrict-prototypes -Wredundant-decls -Wundef -Wwrite-strings -Wmissing-prototypes -fno-strict-aliasing -fno-common -fwrapv -ggdb -fPIE -Wold-style-definition -Wtype-limits -Wformat-security -Wformat-y2k -Winit-self -Wignored-qualifiers -Wempty-body -Wnested-externs -Wendif-labels -Wexpansion-to-defined -Wno-initializer-overrides -Wno-missing-include-dirs -Wno-shift-negative-value -Wno-string-plus-int -Wno-typedef-redefinition -Wno-tautological-type-limit-compare -Wno-psabi -fstack-protector-strong
QEMU_LDFLAGS: -Wl,--warn-common -fsanitize=undefined -fsanitize=address -Wl,-z,relro -Wl,-z,now -m64 -ggdb -fPIE -fstack-protector-strong
profiler: NO
link-time optimization (LTO): NO
PIE: YES
static build: NO
malloc trim support: YES
membarrier: NO
debug stack usage: NO
mutex debugging: YES
memory allocator: system
avx2 optimization: NO
avx512f optimization: NO
gprof enabled: NO
gcov: NO
thread sanitizer: NO
CFI support: NO
strip binaries: NO
sparse: NO
mingw32 support: NO
x86_64 tests: x86_64-linux-gnu-gcc via debian-amd64-cross
Targets and accelerators
KVM support: YES
HAX support: NO
HVF support: NO
WHPX support: NO
NVMM support: NO
Xen support: NO
TCG support: YES
TCG backend: native (x86_64)
TCG plugins: YES
TCG debug enabled: YES
target list: x86_64-softmmu
default devices: YES
out of process emulation: YES
Block layer support
coroutine backend: ucontext
coroutine pool: YES
Block whitelist (rw):
Block whitelist (ro):
Use block whitelist in tools: NO
VirtFS support: NO
build virtiofs daemon: NO
Live block migration: YES
replication support: YES
bochs support: YES
cloop support: YES
dmg support: YES
qcow v1 support: YES
vdi support: YES
vvfat support: YES
qed support: YES
parallels support: YES
FUSE exports: NO
Crypto
TLS priority: "NORMAL"
GNUTLS support: YES
GNUTLS crypto: YES
libgcrypt: NO
nettle: NO
crypto afalg: NO
rng-none: NO
Linux keyring: YES
Dependencies
SDL support: NO
SDL image support: NO
GTK support: NO
pixman: YES
VTE support: NO
slirp support: internal
libtasn1: YES
PAM: NO
iconv support: YES
curses support: YES
virgl support: NO
curl support: NO
Multipath support: NO
VNC support: YES
VNC SASL support: YES
VNC JPEG support: YES
VNC PNG support: NO
brlapi support: NO
vde support: NO
netmap support: NO
Linux AIO support: NO
Linux io_uring support: NO
ATTR/XATTR support: YES
RDMA support: NO
PVRDMA support: NO
fdt support: internal
libcap-ng support: NO
bpf support: NO
spice support: NO
rbd support: NO
xfsctl support: NO
smartcard support: NO
U2F support: NO
libusb: NO
usb net redir: NO
OpenGL support: NO
GBM: NO
libiscsi support: NO
libnfs support: NO
seccomp support: NO
GlusterFS support: NO
TPM support: YES
libssh support: NO
lzo support: NO
snappy support: NO
bzip2 support: NO
lzfse support: NO
zstd support: NO
NUMA host support: NO
libxml2: NO
capstone: internal
libpmem support: NO
libdaxctl support: NO
libudev: NO
FUSE lseek: NO
```"""
|