Bug 1170934

Summary: Segfault at spapr_tce_table_finalize(): QLIST_REMOVE(tcet, list)
Product: Red Hat Enterprise Linux 7 Reporter: Xu Han <xuhan>
Component: qemu-kvm-rhevAssignee: David Gibson <dgibson>
Status: CLOSED ERRATA QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.1CC: hhuang, juzhang, knoel, lmiksik, michen, ngu, qzhang, shuyu, virt-maint, ypu
Target Milestone: rc   
Target Release: ---   
Hardware: ppc64   
OS: Unspecified   
Whiteboard:
Fixed In Version: qemu-kvm-rhev-2.2.0-4.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-04 16:22:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Xu Han 2014-12-05 06:52:37 UTC 
Description of problem:
Segfault at spapr_tce_table_finalize(): QLIST_REMOVE(tcet, list). This issue can be triggered by "/usr/libexec/qemu-kvm -device spapr-tce-table,?".

(gdb) bt full 5
#0  spapr_tce_table_finalize (obj=<optimized out>) at /usr/src/debug/qemu-2.1.2/hw/ppc/spapr_iommu.c:179
        tcet = 0x4e161ca0
        __func__ = "spapr_tce_table_finalize"
#1  0x000000004d915744 in object_deinit (type=<optimized out>, obj=0x4e161ca0) at qom/object.c:408
No locals.
#2  object_finalize (data=0x4e161ca0) at qom/object.c:421
        obj = 0x4e161ca0
        ti = <optimized out>
#3  object_unref (obj=0x4e161ca0) at qom/object.c:729
No locals.
#4  0x000000004d85aa44 in qmp_device_list_properties (typename=<optimized out>, errp=<optimized out>) at qmp.c:535
        klass = 0x4e095650
        obj = 0x4e161ca0
        prop = 0x0
        prop_list = <optimized out>


Version-Release number of selected component (if applicable):
qemu-kvm-rhev-2.1.2-14.el7.ppc64

How reproducible:
100%

Steps to Reproduce:
1. # /usr/libexec/qemu-kvm -device spapr-tce-table,?
or # /usr/libexec/qemu-kvm -qmp unix:'qmp',server,nowait
   {"execute": "device-list-properties", "arguments": {"typename": "spapr-tce-table"}}

Actual results:
Segfault

Expected results:
No crash

Additional info:
Comment 2 David Gibson 2014-12-08 02:57:19 UTC 
I've identified the cause of this problem and sent a patch upstream.

I've made a preliminary backport here:

https://brewweb.devel.redhat.com/taskinfo?taskID=8340020

Please retest with that.
Comment 3 Xu Han 2014-12-08 05:27:06 UTC 
Re-tested with above build:

QEMU did not SEGV.

# ./qemu-kvm -device spapr-tce-table,?
# echo $?
0

# ./qemu-kvm -qmp unix:/tmp/qmp,server,nowait
{"execute": "device-list-properties", "arguments": {"typename": "spapr-tce-table"}}
{"return": []}


Thanks.
Comment 4 David Gibson 2014-12-08 23:27:04 UTC 
Thanks for the test.

Patch is pending upstream, see http://lists.gnu.org/archive/html/qemu-devel/2014-12/msg00797.html
Comment 5 David Gibson 2014-12-18 01:03:40 UTC 
This has been merged into agraf's ppc-next tree db6f3cac3f8fdc2a9f2a43b660fc8f83d166e3bb
Comment 6 Miroslav Rezanina 2015-02-09 16:27:57 UTC 
Fix included in qemu-kvm-rhev-2.2.0-4.el7
Comment 8 Shuang Yu 2015-08-26 11:22:27 UTC 
Reproduce this bug with "qemu-kvm-rhev-2.1.2-22.el7.ppc64" on PowerBE host "3.10.0-308.el7.ppc64"

1.#gdb /usr/libexec/qemu-kvm

2.(gdb)r -device spapr-tce-table,?
Starting program: /usr/libexec/qemu-kvm -device spapr-tce-table,?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/power8/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
spapr_tce_table_finalize (obj=<optimized out>)
    at /usr/src/debug/qemu-2.1.2/hw/ppc/spapr_iommu.c:179
179	    QLIST_REMOVE(tcet, list);
...

3.(gdb) bt full 5
#0  spapr_tce_table_finalize (obj=<optimized out>)
    at /usr/src/debug/qemu-2.1.2/hw/ppc/spapr_iommu.c:179
        tcet = 0x4160a440
        __func__ = "spapr_tce_table_finalize"
#1  0x0000000040e552c4 in object_deinit (type=<optimized out>, 
    obj=0x4160a440) at qom/object.c:408
No locals.
#2  object_finalize (data=0x4160a440) at qom/object.c:421
        obj = 0x4160a440
        ti = <optimized out>
#3  object_unref (obj=0x4160a440) at qom/object.c:729
No locals.
#4  0x0000000040d9a5c4 in qmp_device_list_properties (
    typename=<optimized out>, errp=<optimized out>) at qmp.c:535
        klass = 0x415d53c0
        obj = 0x4160a440
        prop = 0x0
        prop_list = <optimized out>

4.# /usr/libexec/qemu-kvm -qmp unix:'qmp',server,nowait
VNC server running on `::1:5900'
Segmentation fault

# nc -U qmp
{"QMP": {"version": {"qemu": {"micro": 2, "minor": 1, "major": 2}, "package": " (qemu-kvm-rhev-2.1.2-22.el7)"}, "capabilities": []}}
{"execute":"qmp_capabilities"}
{"return": {}}
{"execute":"device-list-properties", "arguments": {"typename": "spapr-tce-table"}}
Ncat: Connection reset by peer.



Verify this bug with "qemu-kvm-rhev-2.3.0-19.el7.ppc64" on PowerBE host "3.10.0-308.el7.ppc64"

1.gdb /usr/libexec/qemu-kvm

2.(gdb) r -device spapr-tce-table,?
Starting program: /usr/libexec/qemu-kvm -device spapr-tce-table,?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/power8/libthread_db.so.1".
[New Thread 0x3fffb50beae0 (LWP 50924)]
[Thread 0x3fffb50beae0 (LWP 50924) exited]
[Inferior 1 (process 50921) exited normally]
...

3.(gdb) bt full 5
No stack.

4.# /usr/libexec/qemu-kvm -qmp unix:'qmp',server,nowait
VNC server running on `::1:5900'

# nc -U qmp
{"QMP": {"version": {"qemu": {"micro": 0, "minor": 2, "major": 2}, "package": " (qemu-kvm-rhev-2.2.0-9.el7)"}, "capabilities": []}}
{"execute":"qmp_capabilities"}
{"return": {}}
{"execute":"device-list-properties", "arguments": {"typename": "spapr-tce-table"}}
{"return": []}

Verify this bug with "qemu-kvm-rhev-2.3.0-19.el7.ppc64le" on PowerLE host "3.10.0-308.el7.ppc64le"

1.# gdb /usr/libexec/qemu-kvm

2.(gdb) r -device spapr-tce-table,?
Starting program: /usr/libexec/qemu-kvm -device spapr-tce-table,?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/power8/libthread_db.so.1".
[New Thread 0x3fffb534eb10 (LWP 18414)]
[Thread 0x3fffb534eb10 (LWP 18414) exited]
[Inferior 1 (process 18411) exited normally]
...
3.(gdb) bt full 5
No stack.

4.# /usr/libexec/qemu-kvm -qmp unix:'qmp',server,nowait
VNC server running on `::1:5900'


# nc -U qmp
{"QMP": {"version": {"qemu": {"micro": 0, "minor": 3, "major": 2}, "package": " (qemu-kvm-rhev-2.3.0-19.el7)"}, "capabilities": []}}
{"execute":"qmp_capabilities"}
{"return": {}}
{"execute":"device-list-properties", "arguments": {"typename": "spapr-tce-table"}}
{"return": []}
Comment 9 Qunfang Zhang 2015-08-27 03:27:48 UTC 
Setting to VERIFIED according to comment 8.
Comment 11 errata-xmlrpc 2015-12-04 16:22:48 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2546.html