Bug 1123372
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | qemu-kvm crashed when doing iofuzz testing | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | Ademar Reis <areis> |
| Component | qemu-kvm | Assignee | Kevin Wolf <kwolf> |
| Status | CLOSED ERRATA | QA Contact | Virtualization Bugs <virt-bugs> |
| Severity | unspecified | Docs Contact | |
| Priority | high | | |
| Version | 7.0 | CC | bsarathy, coli, juzhang, kwolf, mkenneth, mrezanin, qiguo, qzhang, rbalakri, scui, shuang, virt-bugs, virt-maint, xuhan |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | qemu-kvm-1.5.3-71.el7 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | 1120541 | | |
| Clones | 1140145 (view as bug list) | Environment | |
| Last Closed | 2015-03-05 08:11:01 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1120541 | | |
| Bug Blocks | | | |
Comment 1
Miroslav Rezanina
2014-09-18 15:31:25 UTC
Reproduced this bug with qemu-kvm-1.5.3-70.el7

Steps:

1. Boot the guest:

```sh
/usr/libexec/qemu-kvm -name 'virt-tests-vm1' -sandbox off -M pc -nodefaults -vga cirrus \
    -chardev socket,id=qmp_id_qmpmonitor1,path=/tmp/monitor-qmpmonitor1-20141020-144555-MBmqGjFJ,server,nowait \
    -mon chardev=qmp_id_qmpmonitor1,mode=control \
    -chardev socket,id=serial_id_serial0,path=/tmp/serial-serial0-20141020-144555-MBmqGjFJ,server,nowait \
    -device isa-serial,chardev=serial_id_serial0 \
    -chardev socket,id=seabioslog_id_20141020-144555-MBmqGjFJ,path=/tmp/seabios-20141020-144555-MBmqGjFJ,server,nowait \
    -device isa-debugcon,chardev=seabioslog_id_20141020-144555-MBmqGjFJ,iobase=0x402 \
    -device ich9-usb-uhci1,id=usb1,bus=pci.0,addr=03 \
    -drive id=drive_image1,if=none,cache=none,snapshot=off,aio=native,file=/root/staf-kvm-devel/autotest-devel/client/tests/virt/shared/data/images/rhel70-64-virtio.qcow2 \
    -device virtio-blk-pci,id=image1,drive=drive_image1,bootindex=0,bus=pci.0,addr=04 \
    -device virtio-net-pci,mac=9a:8d:8e:8f:90:91,id=id4sZgOo,vectors=4,netdev=idCltxru,bus=pci.0,addr=05 \
    -netdev tap,id=idCltxru,vhost=on,script=/etc/qemu-ifup \
    -m 4096 -smp 1,cores=1,threads=1,sockets=1 -cpu 'Opteron_G2',+kvm_pv_unhalt \
    -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1 \
    -vnc :0 -rtc base=utc,clock=host,driftfix=slew -boot order=cdn,once=c,menu=off \
    -no-kvm-pit-reinjection -enable-kvm -monitor stdio
```

2. In the guest, run the iofuzz script:

```sh
# cat iofuzz.sh
# Read the eight task-file ports of the secondary IDE channel (0x170-0x177).
# The script as posted used seek=368..375 here, which offsets the output
# file (/dev/null) and reads port 0; skip= reads the intended port.
dd if=/dev/port skip=368 of=/dev/null bs=1 count=1
dd if=/dev/port skip=369 of=/dev/null bs=1 count=1
dd if=/dev/port skip=370 of=/dev/null bs=1 count=1
dd if=/dev/port skip=371 of=/dev/null bs=1 count=1
dd if=/dev/port skip=372 of=/dev/null bs=1 count=1
dd if=/dev/port skip=373 of=/dev/null bs=1 count=1
dd if=/dev/port skip=374 of=/dev/null bs=1 count=1
dd if=/dev/port skip=375 of=/dev/null bs=1 count=1
# Write a NUL byte to each of the eight ports.
echo -e '\0' | dd of=/dev/port seek=368 bs=1 count=1
echo -e '\0' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\0' | dd of=/dev/port seek=370 bs=1 count=1
echo -e '\0' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\0' | dd of=/dev/port seek=372 bs=1 count=1
echo -e '\0' | dd of=/dev/port seek=373 bs=1 count=1
echo -e '\0' | dd of=/dev/port seek=374 bs=1 count=1
echo -e '\0' | dd of=/dev/port seek=375 bs=1 count=1
# Random byte values (octal, echo -e '\0NNN') to random ports in the same
# range. The last line writes 0352 (0xEA) to port 375 (0x177), the
# channel's command register.
echo -e '\0102' | dd of=/dev/port seek=370 bs=1 count=1
echo -e '\0372' | dd of=/dev/port seek=368 bs=1 count=1
echo -e '\060' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\034' | dd of=/dev/port seek=372 bs=1 count=1
echo -e '\026' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\063' | dd of=/dev/port seek=372 bs=1 count=1
echo -e '\041' | dd of=/dev/port seek=374 bs=1 count=1
echo -e '\0365' | dd of=/dev/port seek=372 bs=1 count=1
echo -e '\06' | dd of=/dev/port seek=372 bs=1 count=1
echo -e '\0106' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\0156' | dd of=/dev/port seek=374 bs=1 count=1
echo -e '\01' | dd of=/dev/port seek=370 bs=1 count=1
echo -e '\0317' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\023' | dd of=/dev/port seek=374 bs=1 count=1
echo -e '\053' | dd of=/dev/port seek=374 bs=1 count=1
echo -e '\0153' | dd of=/dev/port seek=370 bs=1 count=1
echo -e '\05' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\0233' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\0250' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\0140' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\0150' | dd of=/dev/port seek=373 bs=1 count=1
echo -e '\0334' | dd of=/dev/port seek=374 bs=1 count=1
echo -e '\0360' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\0372' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\0202' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\0160' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\0316' | dd of=/dev/port seek=368 bs=1 count=1
echo -e '\043' | dd of=/dev/port seek=370 bs=1 count=1
echo -e '\0121' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\0153' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\071' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\0153' | dd of=/dev/port seek=370 bs=1 count=1
echo -e '\0302' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\0275' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\0170' | dd of=/dev/port seek=372 bs=1 count=1
echo -e '\0302' | dd of=/dev/port seek=370 bs=1 count=1
echo -e '\0377' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\0310' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\0153' | dd of=/dev/port seek=372 bs=1 count=1
echo -e '\0101' | dd of=/dev/port seek=368 bs=1 count=1
echo -e '\056' | dd of=/dev/port seek=373 bs=1 count=1
echo -e '\0126' | dd of=/dev/port seek=374 bs=1 count=1
echo -e '\0124' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\0131' | dd of=/dev/port seek=370 bs=1 count=1
echo -e '\0272' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\03' | dd of=/dev/port seek=370 bs=1 count=1
echo -e '\017' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\0160' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\0117' | dd of=/dev/port seek=368 bs=1 count=1
echo -e '\0334' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\0353' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\072' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\0213' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\0351' | dd of=/dev/port seek=372 bs=1 count=1
echo -e '\0271' | dd of=/dev/port seek=373 bs=1 count=1
echo -e '\0210' | dd of=/dev/port seek=374 bs=1 count=1
echo -e '\0127' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\067' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\064' | dd of=/dev/port seek=374 bs=1 count=1
echo -e '\0251' | dd of=/dev/port seek=374 bs=1 count=1
echo -e '\0352' | dd of=/dev/port seek=375 bs=1 count=1
# sh iofuzz.sh
```

Result: qemu crashed:

```
(gdb) bt full
#0  0x000055555561aeea in bdrv_acct_done (bs=0x0, cookie=cookie@entry=0x5555566a7d48) at block.c:5159
        __PRETTY_FUNCTION__ = "bdrv_acct_done"
#1  0x000055555569224b in ide_flush_cb (opaque=0x5555566a7a80, ret=<optimized out>) at hw/ide/core.c:813
        s = 0x5555566a7a80
#2  0x00005555557966e2 in memory_region_iorange_write (iorange=<optimized out>, offset=375, width=1, data=234) at /usr/src/debug/qemu-1.5.3/memory.c:431
        mrp = <optimized out>
        mrio = <optimized out>
        mr = 0x5555566b3b20
        __PRETTY_FUNCTION__ = "memory_region_iorange_write"
#3  0x00005555557945e2 in kvm_handle_io (count=1, size=1, direction=1, data=<optimized out>, port=375) at /usr/src/debug/qemu-1.5.3/kvm-all.c:1517
        i = 0
        ptr = 0x7ffff7ff5000 <incomplete sequence \352>
#4  kvm_cpu_exec (env=env@entry=0x555556664220) at /usr/src/debug/qemu-1.5.3/kvm-all.c:1669
        cpu = 0x555556664110
        __func__ = "kvm_cpu_exec"
        run = 0x7ffff7ff4000
        ret = <optimized out>
        run_ret = <optimized out>
#5  0x0000555555748755 in qemu_kvm_cpu_thread_fn (arg=0x555556664220) at /usr/src/debug/qemu-1.5.3/cpus.c:793
        env = 0x555556664220
        cpu = 0x555556664110
        __func__ = "qemu_kvm_cpu_thread_fn"
        r = <optimized out>
#6  0x00007ffff55eedf3 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#7  0x00007ffff2d593dd in clone () from /lib64/libc.so.6
No symbol table info available.
```
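The write the backtrace blames for the crash, memory_region_iorange_write(offset=375, data=234), is the last line of iofuzz.sh: 0352 octal is 0xEA, the ATA FLUSH CACHE EXT command, written to port 0x177, the command register of the secondary IDE channel. That channel has no drive behind it in this VM (the only disk is virtio-blk, and bs=0x0 in frame #0), so the flush completion callback ran against a NULL BlockDriverState and dereferenced it, all synchronously inside the guest's port write. The script below is an added example for this page, not code from the bug report or from QEMU; it decodes the reproducer into task-file register writes so that the ATA commands the fuzzer actually issued, and the one that matched the backtrace, can be read off directly. The register names and ATA opcodes are from the ATA spec; the script excerpt is a constructed subset of the posted iofuzz.sh.

```python
"""Decode the iofuzz.sh reproducer into IDE task-file register writes.

Added example for this bug page; not code from the bug report or from
QEMU. It assumes only what the script and backtrace show: every
`echo -e '\\0NNN' | dd of=/dev/port seek=PORT bs=1 count=1` line writes
one byte (NNN octal) to x86 I/O port PORT, and ports 0x170-0x177 are the
secondary IDE channel's task-file registers.
"""
import re

# Secondary IDE channel task-file registers, write-side names (0x170-0x177).
SECONDARY_IDE = {
    0x170: "data",
    0x171: "features",
    0x172: "sector count",
    0x173: "LBA low",
    0x174: "LBA mid",
    0x175: "LBA high",
    0x176: "drive/head",
    0x177: "command",
}

# ATA command opcodes, enough to name the ones the fuzzer happens to issue.
ATA_COMMANDS = {
    0x20: "READ SECTORS",
    0x60: "READ FPDMA QUEUED",
    0x70: "SEEK",
    0xC8: "READ DMA",
    0xCA: "WRITE DMA",
    0xE7: "FLUSH CACHE",
    0xEA: "FLUSH CACHE EXT",
    0xEC: "IDENTIFY DEVICE",
}

# One `echo -e '\0NNN' | dd of=/dev/port seek=PORT ...` line. NNN is 0-3
# octal digits after the leading "\0" (bash echo -e), so '\0' alone is NUL.
WRITE_RE = re.compile(
    r"echo -e '\\0([0-7]{0,3})' \| dd of=/dev/port seek=(\d+) bs=1 count=1"
)

# Constructed excerpt of iofuzz.sh: the first NUL write, a few of the random
# writes, and the final line that matches the backtrace.
SCRIPT_EXCERPT = r"""
echo -e '\0' | dd of=/dev/port seek=368 bs=1 count=1
echo -e '\0102' | dd of=/dev/port seek=370 bs=1 count=1
echo -e '\0233' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\0140' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\06' | dd of=/dev/port seek=372 bs=1 count=1
echo -e '\0352' | dd of=/dev/port seek=375 bs=1 count=1
"""


def decode_writes(script):
    """Return [(port, value), ...] in script order."""
    writes = []
    for m in WRITE_RE.finditer(script):
        value = int(m.group(1), 8) if m.group(1) else 0
        writes.append((int(m.group(2)), value))
    return writes


def describe(port, value):
    """Human-readable meaning of one byte write on the secondary IDE channel."""
    reg = SECONDARY_IDE.get(port)
    if reg is None:
        return f"port 0x{port:03x} <- 0x{value:02x}: not an IDE task-file register"
    if reg == "command":
        name = ATA_COMMANDS.get(value, "unknown/vendor opcode")
        return f"port 0x{port:03x} (command) <- 0x{value:02x} {name}"
    return f"port 0x{port:03x} ({reg}) <- 0x{value:02x}"


def command_writes(writes):
    """Only the writes that land on the command register: the ATA commands issued."""
    return [(v, ATA_COMMANDS.get(v)) for p, v in writes if p == 0x177]


def find_trigger(writes, port, data):
    """Index of the first write equal to the backtrace's (port, data), or -1."""
    for i, w in enumerate(writes):
        if w == (port, data):
            return i
    return -1


if __name__ == "__main__":
    writes = decode_writes(SCRIPT_EXCERPT)
    for port, value in writes:
        print(describe(port, value))
    # memory_region_iorange_write(offset=375, data=234) in the backtrace.
    idx = find_trigger(writes, 375, 234)
    print(f"crash write is #{idx + 1} of {len(writes)}: {describe(375, 234)}")
```

Run against the full script from the comment above, the same decoder shows that eleven of the 61 random writes reach the command register and only the last one is a flush; the other ten are opcodes the IDE model either ignores or completes without touching the block layer, which is why the crash is deterministic and lands exactly at the end of the run.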
Verified this bug with qemu-kvm-1.5.3-75.el7.x86_64

Steps: as in the reproduction above.

Result: the iofuzz script runs to completion and no crash occurred:

```
# sh iofuzz.sh
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.000368274 s, 2.7 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.000399481 s, 2.5 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.000430065 s, 2.3 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.000414614 s, 2.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.000408625 s, 2.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.000418933 s, 2.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.000399218 s, 2.5 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.000437139 s, 2.3 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00238156 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.000135196 s, 7.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00235958 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00227941 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00229937 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00229861 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00228961 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00278751 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00233305 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00227866 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00229736 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00226794 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.000135789 s, 7.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00234236 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00228201 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00242317 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00233668 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00240815 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00229196 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00227363 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00228532 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00227639 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00228185 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.002304 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.0022894 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00232049 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00241151 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00237905 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00241626 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.002262 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00227019 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00235728 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00231159 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00231852 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00240718 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00234787 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00233551 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00238685 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00227274 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00235348 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00231497 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00227976 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00239602 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00235552 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00235898 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.0022727 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00232976 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00227784 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00238701 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00228166 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00228241 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00226916 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00228747 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00226236 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00228272 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00226844 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00233129 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00231912 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00230219 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00230003 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00237306 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00249369 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00226228 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00226695 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00239093 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00228757 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00237673 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00236717 s, 0.4 kB/s
1+0 records in
1+0 records out
1 byte (1 B) copied, 0.00232696 s, 0.4 kB/s
#
```

So this bug is fixed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0349.html