Bug 1367040
| Summary: | QEMU crash when guest notifies non-existent virtqueue | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Stefan Hajnoczi <stefanha> | ||||||
| Component: | qemu-kvm | Assignee: | jason wang <jasowang> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Guo, Zhiyi <zhguo> | ||||||
| Severity: | unspecified | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | 7.3 | CC: | chayang, jasowang, juzhang, knoel, mrezanin, rbalakri, virt-maint, zhguo | ||||||
| Target Milestone: | rc | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | qemu-kvm-1.5.3-122.el7 | Doc Type: | If docs needed, set a value | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2016-11-03 20:02:24 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
Created attachment 1190855 [details]
Makefile for handle-output kernel module
Created attachment 1190856 [details]
Reproducer kernel module
Fix included in qemu-kvm-1.5.3-122.el7 Test against rhel 7.3 host with rhel 7.3 guest, host & guest kernel:3.10.0-500.el7.x86_64
Reproduce against qemu-kvm-1.5.3-119.el7.x86_64
qemu cli used:
/usr/libexec/qemu-kvm -name rhel7.3 -m 2048 \
-cpu Haswell \
-smp 1,threads=2,cores=1,sockets=3,maxcpus=6 \
-vga qxl\
-spice port=3003,disable-ticketing \
-device virtio-serial -chardev spicevmc,id=vdagent,debug=0,name=vdagent \
-serial unix:/tmp/m,server,nowait \
-device virtserialport,chardev=vdagent,name=com.redhat.spice.0 \
-drive file=/home/ss1rhel73.qcow2,if=none,id=drive-scsi-disk0,format=qcow2,cache=none,werror=stop,rerror=stop -device virtio-scsi-pci,id=scsi0 -device scsi-hd,drive=drive-scsi-disk0,bus=scsi0.0,scsi-id=0,lun=0,id=scsi-disk0,bootindex=1 \
-monitor stdio \
-usb -device usb-kbd,id=input0 \
-netdev tap,id=idinWyYp,vhost=on -device virtio-net-pci,mac=42:ce:a9:d2:4d:d7,id=idlbq7eA,netdev=idinWyYp \
-qmp tcp:localhost:4444,server,nowait \
Steps:
1. Modify #define VIRTIO_BASE_ADDR 0xc040 to my virtio scsi port
2. Build the kernel module: make -C /lib/modules/$(uname -r)/build M=$PWD
3. Enable kernel module: insmod handle-output.ko
Results:
qemu core dump
Replace virtio-scsi-pci with virtio-blk-pci and redo steps, qemu core dump again.
Verify with qemu-kvm-1.5.3-122.el7.x86_64, test against virtio-blk-pci/virtio-scsi-pci, guest dmesg output:
Trying to trigger crash...
Unsuccessful - QEMU is fixed!
Sync with Jason, bug has been fixed per comment 6, move to verified Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2585.html |
Description of problem: zhguo from QE hit the QEMU crash fixed in: commit 9e0f5b8108e248b78444c9a2ec41a8309825736c Author: Jason Wang <jasowang> Date: Thu Mar 12 17:50:18 2015 +0800 virtio: validate the existence of handle_output before calling it The fix isn't present in qemu-kvm RHEL 5, 6, or 7. QEMU jumps to 0x0 if the guest sets up a vring that is unused by the device and then notifies it. How reproducible: 100% Steps to Reproduce: 1. Install gcc and kernel-devel inside the guest 2. Build the kernel module: make -C /lib/modules/$(uname -r)/build M=$PWD 3. Enable kernel module: insmod handle-output.ko Actual results: QEMU crashes with a jump to 0x0. Expected results: QEMU does not crash and the following guest kernel message is printed to the console: Trying to trigger crash... Unsuccessful - QEMU is fixed!