Bug 2207886

Summary:	qemu-kvm gets coredump if guest is attached with -object and the name of id is set to “mach-virt.ram” but no “memory-backend=mach-virt.ram” is set to “-machine” coincidentally
Product:	Red Hat Enterprise Linux 9	Reporter:	Min Deng <mdeng>
Component:	qemu-kvm	Assignee:	Igor Mammedov <imammedo>
qemu-kvm sub component:	Machine Types	QA Contact:	Mario Casquero <mcasquer>
Status:	POST ---	Docs Contact:
Severity:	medium
Priority:	medium	CC:	bfu, chayang, coli, imammedo, jinzhao, juzhang, lijin, shahuang, smitterl, thuth, virt-maint, zhenyzha
Version:	9.3	Keywords:	Patch, Triaged
Target Milestone:	rc
Target Release:	9.3
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:	qemu 8.1
Embargoed:

Description Min Deng 2023-05-17 08:08:45 UTC

Description of problem:
qemu-kvm gets coredump if guest is attached with -object and the name of id is set to “mach-virt.ram” but no “memory-backend=mach-virt.ram” is set to “-machine” coincidentally

Version-Release number of selected component (if applicable):
qemu-kvm-8.0.0-3.el9.aarch64 - 9.3.0
or
qemu-kvm-7.2.0-14.el9_2.aarch64 - 9.2.0
How reproducible:
3/3
Steps to Reproduce:
1.boot up with the following cmdline 
/usr/libexec/qemu-kvm -machine virt-rhel9.2.0 -object '{"qom-type":"memory-backend-ram","id":"mach-virt.ram","size":4294967296}' -monitor stdio -cpu host

Actual results:
QEMU 7.2.0 monitor - type 'help' for more information
(qemu) Unexpected error in object_property_try_add() at ../qom/object.c:1239:
qemu-kvm: attempt to add duplicate property 'mach-virt.ram' to object (type 'container')
Aborted (core dumped)

Expected results:
No core dumped

Additional info:
If using /usr/libexec/qemu-kvm -machine virt-rhel9.2.0,memory-backend=mach-virt.ram -object '{"qom-type":"memory-backend-ram","id":"mach-virt.ram","size":4294967296}' -monitor stdio -cpu host
Actual results,
The guest works well.

Comment 1 Min Deng 2023-05-17 08:11:00 UTC

GDB debugging
(gdb) r -machine virt-rhel9.2.0 -object '{"qom-type":"memory-backend-ram","id":"mach-virt.ram","size":4294967296}' -monitor stdio -cpu host
Starting program: /usr/libexec/qemu-kvm -machine virt-rhel9.2.0 -object '{"qom-type":"memory-backend-ram","id":"mach-virt.ram","size":4294967296}' -monitor stdio -cpu host
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[New Thread 0xfffff611a940 (LWP 123245)]
QEMU 7.2.0 monitor - type 'help' for more information
(qemu) Unexpected error in object_property_try_add() at ../qom/object.c:1239:
qemu-kvm: attempt to add duplicate property 'mach-virt.ram' to object (type 'container')

Thread 1 "qemu-kvm" received signal SIGABRT, Aborted.
0x0000fffff70e3640 in __pthread_kill_implementation () from /lib64/libc.so.6
(gdb) bt
#0  0x0000fffff70e3640 in __pthread_kill_implementation () from /lib64/libc.so.6
#1  0x0000fffff709e7fc in raise () from /lib64/libc.so.6
#2  0x0000fffff7086030 in abort () from /lib64/libc.so.6
#3  0x0000aaaaab2a6e9c in error_handle_fatal ()
#4  0x0000aaaaab2a6484 in error_setg_internal ()
#5  0x0000aaaaab1709a4 in object_property_try_add ()
#6  0x0000aaaaab171ed8 in object_property_try_add_child ()
#7  0x0000aaaaaad5c05c in machine_run_board_init ()
#8  0x0000aaaaaadd11c0 in qmp_x_exit_preconfig ()
#9  0x0000aaaaaadd4898 in qemu_init ()
#10 0x0000aaaaaad16948 in main ()

Comment 2 Min Deng 2023-05-18 07:47:52 UTC

The similar issue also can be reproduced on x86 side
[root@dell-per750-18 x86_64]# /usr/libexec/qemu-kvm -machine q35 -object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":4294967296}' -monitor stdio
QEMU 6.2.0 monitor - type 'help' for more information
(qemu) Unexpected error in object_property_try_add() at ../qom/object.c:1224:
qemu-kvm: attempt to add duplicate property 'pc.ram' to object (type 'container')
Aborted (core dumped)

Comment 3 bfu 2023-05-18 08:52:52 UTC

The similar issue also could reproduce on s390x:
[root@l42 home]# /usr/libexec/qemu-kvm -machine s390-ccw-virtio -object '{"qom-type":"memory-backend-ram","id":"s390.ram","size":4294967296}' -monitor stdio -cpu host
QEMU 8.0.0 monitor - type 'help' for more information
(qemu) Unexpected error in object_property_try_add() at ../qom/object.c:1239:
qemu-kvm: attempt to add duplicate property 's390.ram' to object (type 'container')
Aborted (core dumped)


@thuth @

Comment 4 bfu 2023-05-18 08:53:40 UTC

@smitterl FYI

Comment 5 John Ferlan 2023-05-18 13:28:27 UTC

Unclear to me if there is a relationship to Paolo's commit 26f88d84dab62e6eb3ec72737ccb155d06049e3a or perhaps commit 8db0b20415c129cf5e577a593a4a0372d90b7cc9, so I'll start with you Igor under the assumption you know a bit about the code.

It's also unclear whether this can be triggered via libvirt - if not, then although a crash, it becomes more of an upstream-ish type problem.

Comment 6 Shaoqin Huang 2023-05-19 09:49:09 UTC

Here is what I observed, without the `memory-backend` in the `-machine`, qemu will not create the memdev in the `qemu_resolve_machine_memdev()` function. At the same time, qemu will resolve -object '{"qom-type":"memory-backend-ram","id":"mach-virt.ram","size":4294967296}' option, so the id `mach-virt.ram` will be added as child of the object root in the `qemu_create_late_backends` function.

qemu_create_late_backends
  -> object_option_foreach_add
    -> user_creatable_add_qapi
      -> user_creatable_add_type
        -> object_property_try_add_child(object_get_objects_root(), "mach-virt.ram", obj, &err)

So the id "mach-virt.ram" has existed as child in the objects root. Later, in the `machine_run_board_init()` function, qemu didn't create memdev yet, so it will call `create_default_memdev()` with the `machine_class->default_ram_id`, unfortunately, it's value is "mach-virt.ram", so it will cause:

Unexpected error in object_property_try_add() at ../qom/object.c:1239:
qemu-kvm: attempt to add duplicate property 'mach-virt.ram' to object (type 'container')

      if (machine->memdev) {
          ram_addr_t backend_size = object_property_get_uint(OBJECT(machine->memdev),
          ¦       ¦       ¦       ¦       ¦       ¦       ¦  "size",  &error_abort);
          if (backend_size != machine->ram_size) {
          ¦   error_setg(errp, "Machine memory size does not match the size of the memory backend");
          ¦   return;
          }
      } else if (machine_class->default_ram_id && machine->ram_size &&
          ¦      numa_uses_legacy_mem()) {
          if (!create_default_memdev(current_machine, mem_path, errp)) {
          ¦   return;
          }
      }

But if we use the option `-machine virt,memory-backend=mach-virt.ram`, the memdev will be created, so everything is fine.

I'm not sure how should we fix it?

Comment 8 Igor Mammedov 2023-05-23 08:59:25 UTC

Fix posted upstream:
https://patchwork.kernel.org/project/qemu-devel/patch/20230522131717.3780533-1-imammedo@redhat.com/

Comment 9 Thomas Huth 2023-06-06 05:34:15 UTC

Patch has been merged: https://gitlab.com/qemu-project/qemu/-/commit/a37531f2381c4e294e48b1417089474128388b44

Comment 11 Mario Casquero 2023-07-20 08:15:13 UTC

Decreasing priority as this is a corner/negative scenario and can be avoided by libvirt.

Comment 13 Igor Mammedov 2023-07-20 08:54:29 UTC

I don't think is worth backporting.
Lets move it to 9.4 and get the fix with rebase