| Field | Value |
|---|---|
| Summary | drmgr with invalid value in guest crashes qemu |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Laurent Vivier <lvivier> |
| Component | qemu-kvm-rhev |
| Assignee | Laurent Vivier <lvivier> |
| Status | CLOSED ERRATA |
| QA Contact | Virtualization Bugs <virt-bugs> |
| Severity | unspecified |
| Docs Contact | |
| Priority | high |
| Version | 7.2 |
| CC | hannsj_uhl, jherrman, juzhang, knoel, lvivier, mdeng, michen, qzhang, sherold, snagar, virt-maint |
| Target Milestone | rc |
| Keywords | ZStream |
| Target Release | --- |
| Hardware | ppc64le |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | qemu-kvm-rhev-2.5.0-1.el7 |
| Doc Type | Bug Fix |
| Doc Text | Previously, if the drmgr command was used in the guest to hot plug a device before a device_add command was issued via the QEMU monitor, QEMU terminated unexpectedly with a segmentation fault. This update fixes the handling of drmgr so that in the described circumstances, an error is properly raised and QEMU does not crash. |
| Story Points | --- |
| Clone Of | |
| Clones | 1306343 |
| Environment | |
| Last Closed | 2016-11-07 20:55:51 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Bug Depends On | |
| Bug Blocks | 1306343, 1308609, 1359843 |
Description (Laurent Vivier, 2016-01-15 18:02:04 UTC)
Reproduced the bug on the following builds and command line.
Host:
- kernel-3.10.0-327.el7.ppc64le
- qemu-kvm-rhev-2.3.0-31.el7_2.5.ppc64le
Guest:
- kernel-3.10.0-327.el7.ppc64le
- ppc64-diag-2.6.9-2.el7.ppc64le
- librtas-1.3.13-2.el7.ppc64le
- powerpc-utils-1.2.26-2.el7.ppc64le
Log info:
96056 Segmentation fault (core dumped) /usr/libexec/qemu-kvm -name RHEL-7.2 -machine pseries,accel=kvm,usb=off -m 4G,slots=32,maxmem=40G -numa node -realtime mlock=off -smp 8,sockets=2,cores=2,threads=2 -rtc base=localtime,clock=host,driftfix=slew -monitor stdio -boot menu=on -usb -vnc :99 -device VGA,id=video0,vgamem_mb=16,bus=pci.0,addr=0x5 -device usb-kbd,id=input0 -device usb-mouse,id=input1 -device usb-tablet,id=input2 -msg timestamp=on -netdev tap,id=hostnet0,script=/etc/qemu-ifup,downscript=/etc/qemu-ifdown -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:c4:e7:93,bus=pci.0,addr=0x6 -qmp tcp:0:6666,server,nowait -serial unix:/tmp/console0,server,nowait -device virtio-scsi-pci,id=scsi0 -drive file=/home/mdeng/autotest/client/tests/virt/shared/data/images/RHEL-Server-7.2-ppc64le-virtio-scsi.qcow2,if=none,id=drive-scsi0-0-0-0,format=qcow2,cache=none,rerror=stop,werror=stop,aio=native -device virtio-blk-pci,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bus=pci.0,addr=0x3,bootindex=1
With drmgr, we are trying to configure a slot with no memory inside.
The slot exists because of "-m 4G,slots=8,maxmem=8G".
But no memory has been attached, so some fields are empty, like "fdt", which is normally filled by "attach()" (in spapr_drc.c).
So when drmgr tries to configure it, the kernel calls the RTAS interface "ibm,configure-connector", and when rtas_ibm_configure_connector() wants to use "fdt", it dereferences a NULL pointer -> crash.
This fixes the problem:
diff --git a/hw/ppc/spapr_rtas.c b/hw/ppc/spapr_rtas.c
index 2986f94..a5c7be3 100644
--- a/hw/ppc/spapr_rtas.c
+++ b/hw/ppc/spapr_rtas.c
@@ -515,6 +515,12 @@ static void rtas_ibm_configure_connector(PowerPCCPU *cpu,
drck = SPAPR_DR_CONNECTOR_GET_CLASS(drc);
fdt = drck->get_fdt(drc, NULL);
+ if (!fdt) {
+ DPRINTF("rtas_ibm_configure_connector: invalid DRC index, FDT is NULL: %xh\n",
+ drc_index);
+ rc = RTAS_OUT_PARAM_ERROR;
+ goto out;
+ }
ccs = spapr_ccs_find(spapr, drc_index);
if (!ccs) {
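Review bot: the DPRINTF message in this hunk describes the wrong condition. The surrounding context already has a resolved connector (SPAPR_DR_CONNECTOR_GET_CLASS(drc)), so the DRC index itself is valid; what is missing is the FDT that attach() would have created during device_add, as the description above explains. Suggest wording it as "missing FDT for DRC index: %xh" so the log points at the real cause. The return code also differs from the upstream fix quoted on this page: the upstream commit message says -9003 is the appropriate PAPR+ error for this failure, while the hunk returns RTAS_OUT_PARAM_ERROR. The backport should return the same value as upstream so that drmgr in the guest sees the same failure on both.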
Already fixed upstream by:
commit e6fc9568c865f2f81499475a4e322cd563fdfd90
Author: Bharata B Rao <bharata.ibm.com>
Date: Tue Sep 1 09:53:52 2015 +1000
spapr_rtas: Prevent QEMU crash during hotplug without a prior device_add
If drmgr is used in the guest to hotplug a device before a device_add
has been issued via the QEMU monitor, QEMU segfaults in configure_connector
call. This occurs due to accessing of NULL FDT which otherwise would have
been created and associated with the DRC during device_add command.
Check for NULL FDT and return failure from configure_connector call.
As per PAPR+, an error value of -9003 seems appropriate for this failure.
Signed-off-by: Bharata B Rao <bharata.ibm.com>
Cc: Michael Roth <mdroth.ibm.com>
Reviewed-by: David Gibson <david.id.au>
Signed-off-by: David Gibson <david.id.au>
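As an added illustration (not QEMU's code and not part of the bug report), the following C model reproduces the control flow described above: every slot from "-m ...,slots=N" has a DRC, but its FDT is only created by attach() on device_add, and the guest can ask RTAS ibm,configure-connector to configure any DRC index it likes. The unchecked handler shows the NULL dereference; the checked handler shows the fix returning an RTAS error instead. The names, the DRC_BASE and NUM_SLOTS values, the -3 value of RTAS_OUT_PARAM_ERROR and the FDT layout are all assumptions made for this example.

```c
/* Added example, not QEMU code: a stripped-down model of the
 * ibm,configure-connector path from the bug.  Names, constants and the
 * FDT layout are assumptions made for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed RTAS return codes; QEMU defines RTAS_OUT_PARAM_ERROR as -3. */
#define RTAS_OUT_SUCCESS       0
#define RTAS_OUT_PARAM_ERROR  (-3)

/* Hypothetical FDT fragment that attach() would build for a hot-plugged device. */
struct fdt_fragment {
    const char *node_name;
    int nproperties;
};

/* Hypothetical DRC: one per slot from "-m ...,slots=N".  fdt stays NULL
 * until attach() runs as part of a device_add. */
struct drc {
    uint32_t index;
    const struct fdt_fragment *fdt;
};

#define NUM_SLOTS 4
#define DRC_BASE  0x80000000u   /* assumed index base for memory DRCs */

/* Constructed sample: four slots, none populated at startup. */
static struct drc drc_table[NUM_SLOTS];

static void drc_table_reset(void)
{
    for (int i = 0; i < NUM_SLOTS; i++) {
        drc_table[i].index = DRC_BASE + (uint32_t)i;
        drc_table[i].fdt = NULL;
    }
}

static struct drc *drc_by_index(uint32_t drc_index)
{
    for (int i = 0; i < NUM_SLOTS; i++) {
        if (drc_table[i].index == drc_index) return &drc_table[i];
    }
    return NULL;
}

/* Models attach(): device_add creates the FDT for an existing, empty slot. */
static int drc_attach(uint32_t drc_index, const struct fdt_fragment *fdt)
{
    struct drc *drc = drc_by_index(drc_index);
    if (!drc || drc->fdt) return -1;
    drc->fdt = fdt;
    return 0;
}

/* Buggy handler: trusts that a DRC reachable by index always has an FDT.
 * Never call this for an unpopulated slot; the dereference below is the
 * NULL-pointer crash from the bug. */
static int configure_connector_unchecked(uint32_t drc_index, const char **node_out)
{
    struct drc *drc = drc_by_index(drc_index);
    if (!drc) return RTAS_OUT_PARAM_ERROR;
    *node_out = drc->fdt->node_name;     /* drc->fdt may be NULL here */
    return RTAS_OUT_SUCCESS;
}

/* Fixed handler: a missing FDT is a guest-triggerable condition, so it is
 * reported as an RTAS error instead of being dereferenced. */
static int configure_connector_checked(uint32_t drc_index, const char **node_out)
{
    struct drc *drc = drc_by_index(drc_index);
    *node_out = NULL;
    if (!drc) return RTAS_OUT_PARAM_ERROR;
    if (!drc->fdt) {
        fprintf(stderr, "configure-connector: missing FDT for DRC index %x\n", drc_index);
        return RTAS_OUT_PARAM_ERROR;
    }
    *node_out = drc->fdt->node_name;
    return RTAS_OUT_SUCCESS;
}

/* Guest side: what drmgr effectively does when handed arbitrary indices.
 * Returns how many of the NUM_SLOTS indices configured successfully. */
static int guest_probe_all_slots(int (*handler)(uint32_t, const char **))
{
    int ok = 0;
    for (int i = 0; i < NUM_SLOTS; i++) {
        const char *node;
        if (handler(DRC_BASE + (uint32_t)i, &node) == RTAS_OUT_SUCCESS) ok++;
    }
    return ok;
}

int main(void)
{
    static const struct fdt_fragment mem_node = { "ibm,dynamic-reconfiguration-memory", 3 };
    drc_table_reset();
    printf("before device_add: %d slots configurable\n",
           guest_probe_all_slots(configure_connector_checked));
    drc_attach(DRC_BASE + 2, &mem_node);
    printf("after device_add to slot 2: %d slots configurable\n",
           guest_probe_all_slots(configure_connector_checked));
    return 0;
}
```

The point of the model is the ordering the Doc Text describes: with the checked handler the guest can probe every slot before any device_add and only gets RTAS_OUT_PARAM_ERROR back, whereas the unchecked handler is only safe to call on a slot that attach() has already populated.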
Verified the bug on the following builds; for detailed steps please refer to the original description and the build info in comment 2:
- qemu-kvm-rhev-2.6.0-4.el7.ppc64le
- kernel-3.10.0-418.el7.ppc64le
- SLOF-20160223-3.gitdbbfda4.el7.noarch
Now the guest won't crash even if an invalid value is used by "drmgr". The issue has been fixed. Thanks for the developer's effort! Any issues, please let me know.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2016-2673.html