Bug 1982134

Summary: QEMU core dump while booting guest with a non-existent fd on tap
Product: Red Hat Enterprise Linux 8
Reporter: Tingting Mao <timao>
Component: qemu-kvm
Assignee: Laurent Vivier <lvivier>
qemu-kvm sub component: Networking
QA Contact: Lei Yang <leiyang>
Status: CLOSED ERRATA
Docs Contact:
Severity: medium
Priority: medium
CC: chayang, coli, jinzhao, juzhang, leiyang, lvivier, mrezanin, virt-maint, xuwei
Version: 8.5
Keywords: Triaged
Target Milestone: beta
Target Release: ---
Hardware: x86_64
OS: All
Whiteboard:
Fixed In Version: qemu-kvm-4.2.0-56.module+el8.5.0+12039+0434c559
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-11-09 18:02:58 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Tingting Mao 2021-07-14 09:53:59 UTC
Description of problem:
As subject


Version-Release number of selected component (if applicable):
qemu-kvm-4.2.0-53.module+el8.5.0+11673+72138537
kernel-modules-4.18.0-321.el8.x86_64


How reproducible:
100%


Steps to Reproduce:
1. Boot a guest with below command lines:
# /usr/libexec/qemu-kvm \
-S  \
-name 'avocado-vt-vm1'  \
-sandbox on  \
-machine q35 \
-nodefaults \
-monitor stdio \
-m 30720  \
-smp 12,maxcpus=12,cores=6,threads=1,dies=1,sockets=2  \
-cpu 'Skylake-Server',+kvm_pv_unhalt \
-device virtio-scsi-pci,id=virtio_scsi_pci0,bus=pcie-root-port-2,addr=0x0 \
-blockdev node-name=file_image1,driver=file,auto-read-only=on,discard=unmap,aio=threads,filename=/home/kvm_autotest_root/images/rhel850-64-virtio-scsi.qcow2,cache.direct=on,cache.no-flush=off \
-blockdev node-name=drive_image1,driver=qcow2,read-only=off,cache.direct=on,cache.no-flush=off,file=file_image1 \
-device virtio-net-pci,mac=9a:10:b6:be:9a:e4,id=idCoDCYq,netdev=idkTLAIS,bus=pcie-root-port-3,addr=0x0  \
-netdev tap,id=idkTLAIS,vhost=on,vhostfd=22,fd=20  \
-vnc :0  \
-enable-kvm \


Actual results:
Core dump as below:
qemu-kvm: util/oslib-posix.c:247: qemu_set_nonblock: Assertion `f != -1' failed.
Aborted (core dumped)



Expected results:
QEMU should give a friendly warning instead of a core dump.


Additional info:
(gdb) bt
#0  0x00007f440b7fa37f in raise () at /lib64/libc.so.6
#1  0x00007f440b7e4db5 in abort () at /lib64/libc.so.6
#2  0x00007f440b7e4c89 in _nl_load_domain.cold.0 () at /lib64/libc.so.6
#3  0x00007f440b7f2a76 in .annobin_assert.c_end () at /lib64/libc.so.6
#4  0x000055ebb56ca9d1 in qemu_set_nonblock (fd=fd@entry=20) at util/oslib-posix.c:247
#5  0x000055ebb55b6609 in net_init_tap (netdev=0x55ebb7eced60, name=0x55ebb7ecefb0 "idkTLAIS", peer=0x0, errp=0x7ffde5860160) at net/tap.c:798
#6  0x000055ebb55a5b9c in net_client_init1 (object=<optimized out>, is_netdev=<optimized out>, errp=0x7ffde5860160) at net/net.c:1055
#7  0x000055ebb55a6241 in net_client_init (opts=<optimized out>, is_netdev=<optimized out>, errp=0x7ffde5860310) at net/net.c:1155
#8  0x000055ebb56da992 in qemu_opts_foreach
    (list=<optimized out>, func=func@entry=0x55ebb55a62d0 <net_init_netdev>, opaque=opaque@entry=0x0, errp=errp@entry=0x7ffde5860310) at util/qemu-option.c:1170
#9  0x000055ebb55a86b6 in net_init_clients (errp=0x7ffde5860310) at net/net.c:1567
#10 0x000055ebb535441f in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4305

Comment 1 Tingting Mao 2021-07-14 09:59:26 UTC
This issue in fast train was fixed, refer to #Bug 1708076 and #Bug 1848274

Comment 2 Chao Yang 2021-07-14 13:54:48 UTC
(In reply to Tingting Mao from comment #1)
> This issue in fast train was fixed, refer to #Bug 1708076 and #Bug 1848274

Hi Laurent,

Could you please check this bug (fixed in rhelav already)? It is a negative/corner case and libvirt should be able to avoid such a mis-configuration. QE should get rid of this scenario too.

Comment 3 Laurent Vivier 2021-07-15 12:39:39 UTC
(In reply to Chao Yang from comment #2)
> (In reply to Tingting Mao from comment #1)
> > This issue in fast train was fixed, refer to #Bug 1708076 and #Bug 1848274
> 
> Hi Laurent,
> 
> Could you please check this bug(fixed in rhelav already)? It is a
> negative/corner case and libvirt should be able to avoid such
> mis-configuration. QE should get rid of this scenario too.

Yes, this bug is fixed upstream and in rhel-av-8.5.0 by:

e7b347d0bf64 net: detect errors from probing vnet hdr flag for TAP devices
             https://github.com/qemu/qemu/commit/e7b347d0bf640adb1c998d317eaf44d2d7cbd973
894022e61601 net: check if the file descriptor is valid before using it
             https://github.com/qemu/qemu/commit/894022e616016fe81745753f14adfbd680a1c7ee

The bug can be easily fixed in rhel-8.5.0 by backporting both fixes (this is straightforward).

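The two upstream commits named above replace an assert() in the fd= path of the tap netdev with an explicit validity check, which is why the verified build prints "Can't use file descriptor 16: Bad file descriptor" instead of aborting. The program below is an added example written for this page, not QEMU's own code and not the backported patch: it contrasts the pre-fix shape (assert on the fcntl result, which is the `f != -1` in the backtrace) with a checked variant that probes the descriptor with fcntl(F_GETFL), treats EBADF as "not an open fd", and reports the problem through an error buffer so the caller can print a warning and exit cleanly. The function names (fd_is_valid, set_nonblock_checked, init_tap_fd) and the netdev id "idkTLAIS" are illustrative; the pipe used as a known-good descriptor is constructed inside the program.

```c
#include <assert.h>
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * Validity probe, modelled on the approach of upstream commit 894022e61601
 * ("check if the file descriptor is valid before using it") but written for
 * this page rather than copied from QEMU. fcntl(F_GETFL) fails with EBADF
 * only when fd is closed or out of range; any other error, or success, means
 * the descriptor exists in this process.
 */
bool fd_is_valid(int fd)
{
    return fcntl(fd, F_GETFL) != -1 || errno != EBADF;
}

/*
 * Pre-fix shape of the helper, as the backtrace on this page shows it:
 * the only check is an assert, so a bad fd from the command line aborts
 * the whole process and dumps core. Kept for contrast; nothing calls it.
 */
void set_nonblock_unchecked(int fd)
{
    int f = fcntl(fd, F_GETFL);
    assert(f != -1);   /* the line that produced "Aborted (core dumped)" */
    fcntl(fd, F_SETFL, f | O_NONBLOCK);
}

/*
 * Post-fix shape: validate first, then report through errbuf and errno.
 * Returns 0 on success, -1 on failure with errno set, never aborts.
 */
int set_nonblock_checked(int fd, char *errbuf, size_t errlen)
{
    int f;

    if (!fd_is_valid(fd)) {
        errno = EBADF;
        snprintf(errbuf, errlen, "Can't use file descriptor %d: %s",
                 fd, strerror(errno));
        return -1;
    }
    f = fcntl(fd, F_GETFL);
    if (f == -1 || fcntl(fd, F_SETFL, f | O_NONBLOCK) == -1) {
        int saved = errno;
        snprintf(errbuf, errlen, "fcntl on file descriptor %d: %s",
                 fd, strerror(saved));
        errno = saved;
        return -1;
    }
    return 0;
}

/*
 * Hypothetical stand-in for the fd= branch of net_init_tap (not QEMU's
 * code): prefix errors with the netdev id, matching the message shape the
 * verified build prints ("id1HQocv: Can't use file descriptor 16: ...").
 */
int init_tap_fd(const char *netdev_id, int fd, char *errbuf, size_t errlen)
{
    char detail[128];

    if (set_nonblock_checked(fd, detail, sizeof detail) == -1) {
        int saved = errno;
        snprintf(errbuf, errlen, "%s: %s", netdev_id, detail);
        errno = saved;
        return -1;
    }
    return 0;
}

int main(void)
{
    char err[256];
    int p[2];

    if (pipe(p) == -1) {            /* constructed known-good descriptor */
        perror("pipe");
        return 1;
    }
    printf("open fd %d: %s\n", p[0],
           init_tap_fd("idkTLAIS", p[0], err, sizeof err) == 0 ? "ok" : err);
    close(p[0]);
    close(p[1]);
    /* Same number after close(): rejected with a message, no abort. */
    if (init_tap_fd("idkTLAIS", p[0], err, sizeof err) == -1) {
        printf("qemu-kvm: %s\n", err);
    }
    return 0;
}
```

The probe only establishes that the number refers to some open descriptor in the QEMU process; a regular file or a socket passed as fd= still passes it. That is why the second backport, e7b347d0bf64 ("detect errors from probing vnet hdr flag for TAP devices"), is needed alongside it: the subsequent TUNGETIFF-style probe must also fail with an error rather than a crash. The same sanity applies on the management side, which is the point of comment 2: libvirt or the test harness should never hand QEMU a descriptor number it has not actually opened and passed across exec.
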
Comment 4 John Ferlan 2021-07-22 18:44:30 UTC
Assigned to Ariel for next level triage per bz process and age of bug created or assigned to virt-maint without triage.

Comment 12 Yanan Fu 2021-07-29 14:25:55 UTC
QE bot(pre verify): Set 'Verified:Tested,SanityOnly' as gating/tier1 test pass.

Comment 13 Lei Yang 2021-08-02 04:27:13 UTC
Test Steps

Test Version:
kernel-4.18.0-327.el8.x86_64
qemu-kvm-4.2.0-53.module+el8.5.0+11673+72138537

1. Boot a guest with a non-existent fd
/usr/libexec/qemu-kvm \
-sandbox on  \
-machine q35 \
-device pcie-root-port,id=pcie-root-port-0,multifunction=on,bus=pcie.0,addr=0x1,chassis=1 \
-device pcie-pci-bridge,id=pcie-pci-bridge-0,addr=0x0,bus=pcie-root-port-0  \
-nodefaults \
-device VGA,bus=pcie.0,addr=0x2 \
-m 7168  \
-smp 6,maxcpus=6,cores=3,threads=1,dies=1,sockets=2  \
-cpu 'Haswell-noTSX',+kvm_pv_unhalt \
-device pcie-root-port,id=pcie-root-port-2,port=0x2,addr=0x1.0x2,bus=pcie.0,chassis=3 \
-device virtio-scsi-pci,id=virtio_scsi_pci0,bus=pcie-root-port-2,addr=0x0 \
-blockdev node-name=file_image1,driver=file,auto-read-only=on,discard=unmap,aio=threads,filename=/home/kvm_autotest_root/images/rhel850-64-virtio-scsi.qcow2,cache.direct=on,cache.no-flush=off \
-blockdev node-name=drive_image1,driver=qcow2,read-only=off,cache.direct=on,cache.no-flush=off,file=file_image1 \
-device scsi-hd,id=image1,drive=drive_image1,write-cache=on \
-device pcie-root-port,id=pcie-root-port-3,port=0x3,addr=0x1.0x3,bus=pcie.0,chassis=4 \
-device virtio-net-pci,mac=9a:b6:81:07:81:bd,id=idwznJrA,netdev=id1HQocv,bus=pcie-root-port-3,addr=0x0  \
-netdev tap,id=id1HQocv,vhost=on,vhostfd=20,fd=16  \
-vnc :0  \
-rtc base=utc,clock=host,driftfix=slew  \
-boot menu=off,order=cdn,once=c,strict=off \
-enable-kvm \
-device pcie-root-port,id=pcie_extra_root_port_0,multifunction=on,bus=pcie.0,addr=0x3,chassis=5 \
-monitor stdio \

2. QEMU core dump
qemu-kvm: util/oslib-posix.c:247: qemu_set_nonblock: Assertion `f != -1' failed.

==Reproduced with qemu-kvm-4.2.0-53.module+el8.5.0+11673+72138537.x86_64

==Verified with qemu-kvm-4.2.0-56.module+el8.5.0+12039+0434c559.x86_64

1. Boot a guest with a non-existent fd
/usr/libexec/qemu-kvm \
-sandbox on  \
-machine q35 \
-device pcie-root-port,id=pcie-root-port-0,multifunction=on,bus=pcie.0,addr=0x1,chassis=1 \
-device pcie-pci-bridge,id=pcie-pci-bridge-0,addr=0x0,bus=pcie-root-port-0  \
-nodefaults \
-device VGA,bus=pcie.0,addr=0x2 \
-m 7168  \
-smp 6,maxcpus=6,cores=3,threads=1,dies=1,sockets=2  \
-cpu 'Haswell-noTSX',+kvm_pv_unhalt \
-device pcie-root-port,id=pcie-root-port-2,port=0x2,addr=0x1.0x2,bus=pcie.0,chassis=3 \
-device virtio-scsi-pci,id=virtio_scsi_pci0,bus=pcie-root-port-2,addr=0x0 \
-blockdev node-name=file_image1,driver=file,auto-read-only=on,discard=unmap,aio=threads,filename=/home/kvm_autotest_root/images/rhel850-64-virtio-scsi.qcow2,cache.direct=on,cache.no-flush=off \
-blockdev node-name=drive_image1,driver=qcow2,read-only=off,cache.direct=on,cache.no-flush=off,file=file_image1 \
-device scsi-hd,id=image1,drive=drive_image1,write-cache=on \
-device pcie-root-port,id=pcie-root-port-3,port=0x3,addr=0x1.0x3,bus=pcie.0,chassis=4 \
-device virtio-net-pci,mac=9a:b6:81:07:81:bd,id=idwznJrA,netdev=id1HQocv,bus=pcie-root-port-3,addr=0x0  \
-netdev tap,id=id1HQocv,vhost=on,vhostfd=20,fd=16  \
-vnc :0  \
-rtc base=utc,clock=host,driftfix=slew  \
-boot menu=off,order=cdn,once=c,strict=off \
-enable-kvm \
-device pcie-root-port,id=pcie_extra_root_port_0,multifunction=on,bus=pcie.0,addr=0x3,chassis=5 \
-monitor stdio \

2. It works
QEMU output:
qemu-kvm: id1HQocv: Can't use file descriptor 16: Bad file descriptor

3. Based on the above, move to "VERIFIED"

Best Regards
Lei

Comment 16 errata-xmlrpc 2021-11-09 18:02:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4191