1046248 – qemu-kvm crash when send "info qtree" after hot plug a device with invalid addr

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1046248 - qemu-kvm crash when send "info qtree" after hot plug a device with invalid addr

Summary: qemu-kvm crash when send "info qtree" after hot plug a device with invalid addr

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	qemu-kvm
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Amos Kong
QA Contact:	Virtualization Bugs
Docs Contact:
URL:
Whiteboard:
Duplicates (4):	1019583 1020666 1042665 1049241 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-12-24 08:24 UTC by mazhang
Modified:	2016-09-20 04:40 UTC (History)
CC List:	14 users (show)
Fixed In Version:	qemu-kvm-1.5.3-54.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-06-13 10:23:41 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
qemu-kvm crash log (8.22 KB, text/plain) 2013-12-24 08:24 UTC, mazhang	no flags	Details
View All

Description mazhang 2013-12-24 08:24:04 UTC

Created attachment 841165 [details]
qemu-kvm crash log

Description of problem:
qemu-kvm crash when send "info qtree" after hot plug vf with invalid addr.

Version-Release number of selected component (if applicable):

Host:
qemu-kvm-rhev-1.5.3-21.el7.x86_64
kernel-3.10.0-61.el7.x86_64

Guest:
RHEL7-64
kernel-3.10.0-64.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1.start qemu-kvm with:
gdb --args /usr/libexec/qemu-kvm \
-M pc \
-cpu Opteron_G1 \
-m 4G \
-smp 4,sockets=2,cores=2,threads=1,maxcpus=16 \
-enable-kvm \
-name rhel7-64 \
-uuid 990ea161-6b67-47b2-b803-19fb01d30d12 \
-smbios type=1,manufacturer='Red Hat',product='RHEV Hypervisor',version=el6,serial=koTUXQrb,uuid=feebc8fd-f8b0-4e75-abc3-e63fcdb67170 \
-k en-us \
-rtc base=localtime,clock=host,driftfix=slew \
-nodefaults \
-monitor stdio \
-qmp tcp:0:6666,server,nowait \
-boot menu=on \
-bios /usr/share/seabios/bios.bin \
-vga std \
-vnc :0 \
-drive file=/home/rhel7-64.raw,if=none,id=drive-virtio-disk0,format=raw,cache=none,werror=stop,rerror=stop,aio=threads \
-device virtio-blk-pci,scsi=off,bus=pci.0,drive=drive-virtio-disk0,id=virtio-disk0 \
-chardev socket,id=seabioslog,path=/tmp/seabios,server,nowait \
-device isa-debugcon,chardev=seabioslog,iobase=0x402 \

2.Hot plug vf with invalid addr.
(qemu) device_add vfio-pci,id=vf,host=01:10.1,addr=skadlfkew
Property 'vfio-pci.addr' doesn't take value 'skadlfkew'

3.Query device tree, qemu-kvm crash.
(qemu) info qtree

Actual results:
Qemu-kvm crash.

Expected results:
Qemu-kvm should not crash.

Additional info:

[root@dell-per415-03 ~]# lspci -v -s 01:10.1
01:10.1 Ethernet controller: Intel Corporation 82576 Virtual Function (rev 01)
	Subsystem: Intel Corporation Device a03c
	Flags: fast devsel
	[virtual] Memory at edc40000 (64-bit, non-prefetchable) [size=16K]
	[virtual] Memory at edc60000 (64-bit, non-prefetchable) [size=16K]
	Capabilities: [70] MSI-X: Enable- Count=3 Masked-
	Capabilities: [a0] Express Endpoint, MSI 00
	Capabilities: [100] Advanced Error Reporting
	Capabilities: [150] Alternative Routing-ID Interpretation (ARI)
	Kernel driver in use: vfio-pci

[root@dell-per415-03 ~]# ls -l /sys/bus/pci/drivers/vfio-pci/0000\:01\:10.*
lrwxrwxrwx. 1 root root 0 Dec 24 15:22 /sys/bus/pci/drivers/vfio-pci/0000:01:10.0 -> ../../../../devices/pci0000:00/0000:00:02.0/0000:01:10.0
lrwxrwxrwx. 1 root root 0 Dec 24 15:22 /sys/bus/pci/drivers/vfio-pci/0000:01:10.1 -> ../../../../devices/pci0000:00/0000:00:02.0/0000:01:10.1

Comment 2 Amos Kong 2013-12-31 08:13:41 UTC

Test steps:
      (qemu) device_add e1000,addr=adsf
      Property 'e1000.addr' doesn't take value 'adsf'
      (qemu) info qtree
Then qemu crashed.


=======
DeviceState *qdev_device_add(QemuOpts *opts)
{
    dc = DEVICE_CLASS(oc);

    /* create device, set properties */
    dev = DEVICE(object_new(driver));

    if (bus) {
        qdev_set_parent_bus(dev, bus);
    }

    if (qemu_opt_foreach(opts, set_property, dev, 1) != 0) {
        object_unparent(OBJECT(dev)); <<<<<< try to unparent object here
        object_unref(OBJECT(dev));
        return NULL;
    }
    if (dev->id) {
        object_property_add_child(qdev_get_peripheral(), dev->id,
                                  OBJECT(dev), NULL); <<<<< obj is added to parent obj here
    }

}

    When it fails to set properties, qdev's parent is already set, but the
    object hasn't been added to parent object, object_unparent() won't
    unparent the device. We should unparents device in the mediacy.

Comment 3 Amos Kong 2013-12-31 08:14:18 UTC

Post fix to upstream:
 http://marc.info/?l=qemu-devel&m=138847725219468&w=2

Comment 4 Amos Kong 2014-01-14 02:20:38 UTC

*** Bug 1019583 has been marked as a duplicate of this bug. ***

Comment 5 Amos Kong 2014-01-14 02:40:43 UTC

V2: http://marc.info/?l=qemu-devel&m=138862458830683&w=2

Comment 6 Amos Kong 2014-01-15 03:20:23 UTC

*** Bug 1042665 has been marked as a duplicate of this bug. ***

Comment 7 Amos Kong 2014-01-21 13:49:54 UTC

*** Bug 1020666 has been marked as a duplicate of this bug. ***

Comment 8 Jun Li 2014-02-18 05:55:55 UTC

1,boot guest with following cli:
# gdb --args  /usr/libexec/qemu-kvm -m 384 --enable-kvm --nodefaults -monitor stdio -usb -S -vnc :0 -qmp tcp::6666,server,nowait
2, hot plug virtio-blk device:
{"execute":"device_add","arguments":{"driver":"virtio-blk-pci","drive":"test33","id":"dev-test33","bus": "pci.0"}}
{"error": {"class": "GenericError", "desc": "Property 'virtio-blk-pci.drive' can't find value 'test33'"}}

{"execute":"__com.redhat_drive_add", "arguments": {"file":"gluster://10.66.6.82:24007/gv0/t.raw","format":"raw","id":"test33", "cache": "none","aio": "native"}}

{"execute":"device_add","arguments":{"driver":"virtio-blk-pci","drive":"test33","id":"dev-test33","bus": "pci.0"}}
3, "info qtree" via HMP.
(qemu)info qtree
----------
After step 3, qemu-kvm core dump.
(gdb) bt
#0  pcibus_dev_print (mon=0x5555564e34f0, dev=0x555556585690, indent=8)
    at hw/pci/pci.c:2065
#1  0x00005555557087cb in bus_print_dev (indent=8, dev=0x555556585690, 
    mon=0x5555564e34f0, bus=<optimized out>) at qdev-monitor.c:599
#2  qdev_print (indent=8, dev=0x555556585690, mon=0x5555564e34f0)
    at qdev-monitor.c:621
#3  qbus_print (mon=mon@entry=0x5555564e34f0, bus=bus@entry=0x5555565043e0, 
    indent=6, indent@entry=4) at qdev-monitor.c:636
#4  0x00005555557087ed in qdev_print (indent=4, dev=0x555556501e60, 
    mon=0x5555564e34f0) at qdev-monitor.c:623
#5  qbus_print (mon=0x5555564e34f0, bus=<optimized out>, indent=2)
    at qdev-monitor.c:636
#6  0x00005555557a45e9 in handle_user_command (mon=mon@entry=0x5555564e34f0, 
    cmdline=<optimized out>) at /usr/src/debug/qemu-1.5.3/monitor.c:4008
#7  0x00005555557a48b7 in monitor_command_cb (mon=0x5555564e34f0, 
    cmdline=<optimized out>, opaque=<optimized out>)
    at /usr/src/debug/qemu-1.5.3/monitor.c:4624
#8  0x000055555571c834 in readline_handle_byte (rs=0x5555564e35c0, 
    ch=<optimized out>) at readline.c:374
#9  0x00005555557a4844 in monitor_read (opaque=<optimized out>, 
    buf=<optimized out>, size=<optimized out>)
---Type <return> to continue, or q <return> to quit---
    at /usr/src/debug/qemu-1.5.3/monitor.c:4610
#10 0x000055555570c3ab in qemu_chr_be_write (len=<optimized out>, 
    buf=0x7fffffffcea0 "\r", s=0x5555564e02a0) at qemu-char.c:167
#11 fd_chr_read (chan=<optimized out>, cond=<optimized out>, 
    opaque=0x5555564e02a0) at qemu-char.c:850
#12 0x00007ffff74edac6 in g_main_context_dispatch ()
   from /lib64/libglib-2.0.so.0
#13 0x00005555556deb4a in glib_pollfds_poll () at main-loop.c:187
#14 os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:232
#15 main_loop_wait (nonblocking=<optimized out>) at main-loop.c:464
#16 0x0000555555602290 in main_loop () at vl.c:1988
#17 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>)
    at vl.c:4357

Comment 9 Jun Li 2014-02-18 05:57:06 UTC

version of qemu-kvm:
qemu-kvm-rhev-1.5.3-47.el7.x86_64
3.10.0-86.el7.x86_64

Comment 10 Amos Kong 2014-02-25 03:46:18 UTC

*** Bug 1049241 has been marked as a duplicate of this bug. ***

Comment 11 Amos Kong 2014-03-03 08:09:42 UTC

Posted V3 to upstream.
[Qemu-devel] [PATCH v3] qdev: move the code adding the device out of realize
http://lists.nongnu.org/archive/html/qemu-devel/2014-03/msg00095.html

Comment 13 Miroslav Rezanina 2014-03-19 10:34:56 UTC

Fix included in qemu-kvm-1.5.3-54.el7

Comment 15 Jun Li 2014-03-20 03:28:56 UTC

Reproduce:
Version of some components:
qemu-kvm-rhev-1.5.3-52.el7.x86_64
----
Steps as comments 0.
1, start qemu-kvm with:
gdb --args /usr/libexec/qemu-kvm \
-M pc \
-cpu Opteron_G1 \
-m 4G \
-smp 4,sockets=2,cores=2,threads=1,maxcpus=16 \
-enable-kvm \
-name rhel7-64 \
-uuid 990ea161-6b67-47b2-b803-19fb01d30d12 \
-smbios type=1,manufacturer='Red Hat',product='RHEV Hypervisor',version=el6,serial=koTUXQrb,uuid=feebc8fd-f8b0-4e75-abc3-e63fcdb67170 \
-k en-us \
-rtc base=localtime,clock=host,driftfix=slew \
-nodefaults \
-monitor stdio \
-qmp tcp:0:6666,server,nowait \
-boot menu=on \
-bios /usr/share/seabios/bios.bin \
-vga std \
-vnc :0 \
-drive file=/home/juli/RHEL-Server-7.0-64.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,cache=none,werror=stop,rerror=stop,aio=threads \
-device virtio-blk-pci,scsi=off,bus=pci.0,drive=drive-virtio-disk0,id=virtio-disk0 \
-chardev socket,id=seabioslog,path=/tmp/seabios,server,nowait \
-device isa-debugcon,chardev=seabioslog,iobase=0x402 
--------------------
2, Hot plug vf with invalid addr.
(qemu) device_add vfio-pci,id=vf,host=01:10.1,addr=skadlfkew
Property 'vfio-pci.addr' doesn't take value 'skadlfkew'
3.Query device tree, qemu-kvm crash.
(qemu) info qtree
bus: main-system-bus
  type System
  dev: kvm-ioapic, id ""
    gpio-in 24
    gsi_base = 0
    irq 0
    mmio 00000000fec00000/0000000000001000
  dev: i440FX-pcihost, id ""
    pci-hole64-size = 16777216.000T
    irq 0
    bus: pci.0
      type PCI
      dev: vfio-pci, id "��pVUU"
        host = 0000:00:00.0
        x-intx-mmap-timeout-ms = 1100
        x-vga = off
        bootindex = -1
        addr = <unset>
        romfile = <null>
        rombar = 1
        multifunction = off
        command_serr_enable = on

Program received signal SIGSEGV, Segmentation fault.
0x00005555556a99e1 in pcibus_dev_print ()
(gdb) bt
#0  0x00005555556a99e1 in pcibus_dev_print ()
#1  0x000055555570899b in qbus_print ()
#2  0x00005555557089bd in qbus_print ()
#3  0x00005555557a48e9 in handle_user_command ()
#4  0x00005555557a4bb7 in monitor_command_cb ()
#5  0x000055555571c934 in readline_handle_byte ()
#6  0x00005555557a4b44 in monitor_read ()
#7  0x000055555570c59b in fd_chr_read ()
#8  0x00007ffff74edac6 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#9  0x00005555556ded1a in main_loop_wait ()
#10 0x0000555555602460 in main ()
-------
As above show, this issue was reproduced.
==============================================
Verify :
Version of some components:
qemu-kvm-1.5.3-55.el7.x86_64
-----------
Steps as comments 0.
1, start qemu-kvm with:
gdb --args /usr/libexec/qemu-kvm \
-M pc \
-cpu Opteron_G1 \
-m 4G \
-smp 4,sockets=2,cores=2,threads=1,maxcpus=16 \
-enable-kvm \
-name rhel7-64 \
-uuid 990ea161-6b67-47b2-b803-19fb01d30d12 \
-smbios type=1,manufacturer='Red Hat',product='RHEV Hypervisor',version=el6,serial=koTUXQrb,uuid=feebc8fd-f8b0-4e75-abc3-e63fcdb67170 \
-k en-us \
-rtc base=localtime,clock=host,driftfix=slew \
-nodefaults \
-monitor stdio \
-qmp tcp:0:6666,server,nowait \
-boot menu=on \
-bios /usr/share/seabios/bios.bin \
-vga std \
-vnc :0 \
-drive file=/home/juli/RHEL-Server-7.0-64.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,cache=none,werror=stop,rerror=stop,aio=threads \
-device virtio-blk-pci,scsi=off,bus=pci.0,drive=drive-virtio-disk0,id=virtio-disk0 \
-chardev socket,id=seabioslog,path=/tmp/seabios,server,nowait \
-device isa-debugcon,chardev=seabioslog,iobase=0x402 
--------------------
2, Hot plug vf with invalid addr.
(qemu) device_add vfio-pci,id=vf,host=01:10.1,addr=skadlfkew
Property 'vfio-pci.addr' doesn't take value 'skadlfkew'
3.Query device tree.
(qemu) info qtree
...
4, check the qemu-kvm after step 3.
(qemu) info status 
VM status: running
---------
Based on above test, this issue has been verified.

Comment 17 Ludek Smid 2014-06-13 10:23:41 UTC

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.