Bug 1140145

Summary: qemu-kvm crashed when doing iofuzz testing
Product: Red Hat Enterprise Linux 7
Reporter: Kevin Wolf <kwolf>
Component: qemu-kvm-rhev
Assignee: Kevin Wolf <kwolf>
Status: CLOSED ERRATA
QA Contact: Virtualization Bugs <virt-bugs>
Severity: unspecified
Docs Contact:
Priority: high
Version: 7.0
CC: areis, bsarathy, coli, juzhang, kwolf, mkenneth, mrezanin, qiguo, qzhang, rbalakri, scui, shuang, virt-bugs, virt-maint, xuhan
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: qemu-kvm-rhev-2.1.0-4.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1123372
Environment:
Last Closed: 2015-03-05 09:55:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Comment 1 Miroslav Rezanina 2014-09-17 07:38:13 UTC
Fix included in qemu-kvm-rhev-2.1.0-4.el7

Comment 3 Qian Guo 2014-10-20 07:30:37 UTC
Reproduced this bug with qemu-kvm-rhev-2.1.0-3.el7.x86_64.

Steps:
1. Boot guest:
/usr/libexec/qemu-kvm \
    -S  \
    -name 'virt-tests-vm1'  \
    -sandbox off  \
    -M pc  \
    -nodefaults  \
    -vga cirrus  \
    -chardev socket,id=qmp_id_qmpmonitor1,path=/tmp/monitor-qmpmonitor1-20141020-144555-MBmqGjFJ,server,nowait \
    -mon chardev=qmp_id_qmpmonitor1,mode=control  \
    -chardev socket,id=serial_id_serial0,path=/tmp/serial-serial0-20141020-144555-MBmqGjFJ,server,nowait \
    -device isa-serial,chardev=serial_id_serial0  \
    -chardev socket,id=seabioslog_id_20141020-144555-MBmqGjFJ,path=/tmp/seabios-20141020-144555-MBmqGjFJ,server,nowait \
    -device isa-debugcon,chardev=seabioslog_id_20141020-144555-MBmqGjFJ,iobase=0x402 \
    -device ich9-usb-uhci1,id=usb1,bus=pci.0,addr=03 \
    -drive id=drive_image1,if=none,cache=none,snapshot=off,aio=native,file=/root/staf-kvm-devel/autotest-devel/client/tests/virt/shared/data/images/rhel70-64-virtio.qcow2 \
    -device virtio-blk-pci,id=image1,drive=drive_image1,bootindex=0,bus=pci.0,addr=04 \
    -device virtio-net-pci,mac=9a:8d:8e:8f:90:91,id=id4sZgOo,vectors=4,netdev=idCltxru,bus=pci.0,addr=05  \
    -netdev tap,id=idCltxru,vhost=on,vhostfd=23,fd=22  \
    -m 4096  \
    -smp 1,cores=1,threads=1,sockets=1  \
    -cpu 'Opteron_G2',+kvm_pv_unhalt \
    -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1  \
    -vnc :0  \
    -rtc base=utc,clock=host,driftfix=slew  \
    -boot order=cdn,once=c,menu=off  \
    -no-kvm-pit-reinjection \
    -enable-kvm

2. Check the ioports and confirm the ata_piix ioports:
# cat /proc/ioports
2014-10-20 14:47:03: 0000-0cf7 : PCI Bus 0000:00
2014-10-20 14:47:03:   0000-001f : dma1
2014-10-20 14:47:03:   0020-0021 : pic1
2014-10-20 14:47:03:   0040-0043 : timer0
2014-10-20 14:47:03:   0050-0053 : timer1
2014-10-20 14:47:03:   0060-0060 : keyboard
2014-10-20 14:47:03:   0064-0064 : keyboard
2014-10-20 14:47:03:   0070-0071 : rtc0
2014-10-20 14:47:03:   0080-008f : dma page reg
2014-10-20 14:47:03:   00a0-00a1 : pic2
2014-10-20 14:47:03:   00c0-00df : dma2
2014-10-20 14:47:03:   00f0-00ff : fpu
2014-10-20 14:47:03:   0170-0177 : 0000:00:01.1
2014-10-20 14:47:03:     0170-0177 : ata_piix
2014-10-20 14:47:03:   01f0-01f7 : 0000:00:01.1
2014-10-20 14:47:03:     01f0-01f7 : ata_piix
2014-10-20 14:47:03:   0376-0376 : 0000:00:01.1
2014-10-20 14:47:03:     0376-0376 : ata_piix
2014-10-20 14:47:03:   03c0-03df : vga+
2014-10-20 14:47:03:   03f2-03f2 : floppy
2014-10-20 14:47:03:   03f4-03f5 : floppy
2014-10-20 14:47:03:   03f6-03f6 : 0000:00:01.1
2014-10-20 14:47:03:     03f6-03f6 : ata_piix
2014-10-20 14:47:03:   03f7-03f7 : floppy
2014-10-20 14:47:03:   03f8-03ff : serial
2014-10-20 14:47:03:   0600-063f : 0000:00:01.3
2014-10-20 14:47:03:     0600-0603 : ACPI PM1a_EVT_BLK
2014-10-20 14:47:03:     0604-0605 : ACPI PM1a_CNT_BLK
2014-10-20 14:47:03:     0608-060b : ACPI PM_TMR
2014-10-20 14:47:03:   0700-070f : 0000:00:01.3
2014-10-20 14:47:03:     0700-0707 : piix4_smbus
2014-10-20 14:47:03: 0cf8-0cff : PCI conf1
2014-10-20 14:47:03: 0d00-adff : PCI Bus 0000:00
2014-10-20 14:47:03: ae0f-aeff : PCI Bus 0000:00
2014-10-20 14:47:03: af20-afdf : PCI Bus 0000:00
2014-10-20 14:47:03: afe0-afe3 : ACPI GPE0_BLK
2014-10-20 14:47:03: afe4-ffff : PCI Bus 0000:00
2014-10-20 14:47:03:   c000-c03f : 0000:00:04.0
2014-10-20 14:47:03:     c000-c03f : virtio-pci
2014-10-20 14:47:03:   c040-c05f : 0000:00:03.0
2014-10-20 14:47:03:     c040-c05f : uhci_hcd
2014-10-20 14:47:03:   c060-c07f : 0000:00:05.0
2014-10-20 14:47:03:     c060-c07f : virtio-pci
2014-10-20 14:47:03:   c080-c08f : 0000:00:01.1
2014-10-20 14:47:03:     c080-c08f : ata_piix

3. Do iofuzz to the ata_piix ioports.

Results:
qemu crashed:
(gdb) bt
#0  0x00007f6ea4fd097a in bdrv_acct_done (bs=0x0, cookie=cookie@entry=0x7f6ea7430f48) at block.c:5536
#1  0x00007f6ea4f44f7b in ide_flush_cb (opaque=0x7f6ea7430c80, ret=<optimized out>) at hw/ide/core.c:841
#2  0x00007f6ea4f45333 in ide_flush_cache (s=<optimized out>) at hw/ide/core.c:850
#3  0x00007f6ea4f45559 in cmd_flush_cache (s=<optimized out>, cmd=<optimized out>) at hw/ide/core.c:1226
#4  0x00007f6ea4f45609 in ide_exec_cmd (bus=<optimized out>, val=<optimized out>) at hw/ide/core.c:1758
#5  0x00007f6ea4dee3da in access_with_adjusted_size (addr=addr@entry=7, value=value@entry=0x7f6e977b0af0, size=size@entry=1, 
    access_size_min=<optimized out>, access_size_max=<optimized out>, access=0x7f6ea4dee550 <memory_region_write_accessor>, 
    mr=0x7f6ea743d680) at /usr/src/debug/qemu-2.1.0/memory.c:481
#6  0x00007f6ea4df2fa7 in memory_region_dispatch_write (size=1, data=234, addr=7, mr=0x7f6ea743d680)
    at /usr/src/debug/qemu-2.1.0/memory.c:1143
#7  io_mem_write (mr=mr@entry=0x7f6ea743d680, addr=7, val=<optimized out>, size=1) at /usr/src/debug/qemu-2.1.0/memory.c:1976
#8  0x00007f6ea4dbe343 in address_space_rw (as=0x7f6ea5445ce0 <address_space_io>, addr=addr@entry=375, 
    buf=0x7f6ea4ce3000 <Address 0x7f6ea4ce3000 out of bounds>, len=len@entry=1, is_write=is_write@entry=true)
    at /usr/src/debug/qemu-2.1.0/exec.c:2052
#9  0x00007f6ea4ded860 in kvm_handle_io (count=1, size=1, direction=<optimized out>, data=<optimized out>, port=375)
    at /usr/src/debug/qemu-2.1.0/kvm-all.c:1600
#10 kvm_cpu_exec (cpu=cpu@entry=0x7f6ea73aa400) at /usr/src/debug/qemu-2.1.0/kvm-all.c:1737
#11 0x00007f6ea4ddca02 in qemu_kvm_cpu_thread_fn (arg=0x7f6ea73aa400) at /usr/src/debug/qemu-2.1.0/cpus.c:874
#12 0x00007f6ea3892df3 in start_thread () from /usr/lib64/libpthread.so.0
#13 0x00007f6e9ee7c3dd in clone () from /usr/lib64/libc.so.6
(gdb) bt full
#0  0x00007f6ea4fd097a in bdrv_acct_done (bs=0x0, cookie=cookie@entry=0x7f6ea7430f48) at block.c:5536
        __PRETTY_FUNCTION__ = "bdrv_acct_done"
#1  0x00007f6ea4f44f7b in ide_flush_cb (opaque=0x7f6ea7430c80, ret=<optimized out>) at hw/ide/core.c:841
        s = 0x7f6ea7430c80
#2  0x00007f6ea4f45333 in ide_flush_cache (s=<optimized out>) at hw/ide/core.c:850
No locals.
#3  0x00007f6ea4f45559 in cmd_flush_cache (s=<optimized out>, cmd=<optimized out>) at hw/ide/core.c:1226
No locals.
#4  0x00007f6ea4f45609 in ide_exec_cmd (bus=<optimized out>, val=<optimized out>) at hw/ide/core.c:1758
        s = 0x7f6ea7430c80
        complete = <optimized out>
        __PRETTY_FUNCTION__ = "ide_exec_cmd"
#5  0x00007f6ea4dee3da in access_with_adjusted_size (addr=addr@entry=7, value=value@entry=0x7f6e977b0af0, size=size@entry=1, 
    access_size_min=<optimized out>, access_size_max=<optimized out>, access=0x7f6ea4dee550 <memory_region_write_accessor>, 
    mr=0x7f6ea743d680) at /usr/src/debug/qemu-2.1.0/memory.c:481
        access_mask = 255
        access_size = 1
        i = <optimized out>
#6  0x00007f6ea4df2fa7 in memory_region_dispatch_write (size=1, data=234, addr=7, mr=0x7f6ea743d680)
    at /usr/src/debug/qemu-2.1.0/memory.c:1143
No locals.
#7  io_mem_write (mr=mr@entry=0x7f6ea743d680, addr=7, val=<optimized out>, size=1) at /usr/src/debug/qemu-2.1.0/memory.c:1976
No locals.
#8  0x00007f6ea4dbe343 in address_space_rw (as=0x7f6ea5445ce0 <address_space_io>, addr=addr@entry=375, 
    buf=0x7f6ea4ce3000 <Address 0x7f6ea4ce3000 out of bounds>, len=len@entry=1, is_write=is_write@entry=true)
    at /usr/src/debug/qemu-2.1.0/exec.c:2052
        l = 1
        ptr = <optimized out>
        val = 234
        addr1 = 7
        mr = 0x7f6ea743d680
        error = false
#9  0x00007f6ea4ded860 in kvm_handle_io (count=1, size=1, direction=<optimized out>, data=<optimized out>, port=375)
    at /usr/src/debug/qemu-2.1.0/kvm-all.c:1600
        i = 0
        ptr = <optimized out>
#10 kvm_cpu_exec (cpu=cpu@entry=0x7f6ea73aa400) at /usr/src/debug/qemu-2.1.0/kvm-all.c:1737
        run = 0x7f6ea4ce2000
        ret = <optimized out>
        run_ret = <optimized out>
#11 0x00007f6ea4ddca02 in qemu_kvm_cpu_thread_fn (arg=0x7f6ea73aa400) at /usr/src/debug/qemu-2.1.0/cpus.c:874
        cpu = 0x7f6ea73aa400
        r = <optimized out>
#12 0x00007f6ea3892df3 in start_thread () from /usr/lib64/libpthread.so.0
No symbol table info available.
#13 0x00007f6e9ee7c3dd in clone () from /usr/lib64/libc.so.6
No symbol table info available.

So this bug is reproduced.
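The backtrace pins down why the fuzzed write kills the emulator rather than the guest: the byte 234 (0xEA, ATA FLUSH CACHE EXT) written to port 375 (0x177, the command register of the secondary IDE channel, which has no drive attached on this command line) reaches bdrv_acct_done() with bs=0x0. As an added example that is neither QEMU's code nor part of this bug report, here is a simplified C model of that path with hypothetical type and function names, beside the guard that answers the command with an ATA error before the block layer is touched:

```c
/* Added example, not QEMU's code: a simplified model of the crash path above
 * (ide_exec_cmd -> cmd_flush_cache -> ide_flush_cb -> bdrv_acct_done); all names are hypothetical. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

#define WIN_FLUSH_CACHE_EXT 0xEA /* ATA FLUSH CACHE EXT; the trace shows data=234 */
#define READY_STAT          0x40
#define ERR_STAT            0x01
#define ABRT_ERR            0x04

typedef struct BlockBackend { int flushes; } BlockBackend;

typedef struct IDEState {
    BlockBackend *bs;      /* NULL when no drive is attached to the channel */
    uint8_t status, error;
} IDEState;

/* Stand-in for bdrv_acct_done(): uses bs unconditionally, so a NULL backend (frame #0: bs=0x0) takes down the emulator. */
static void acct_done(BlockBackend *bs)
{
    assert(bs != NULL);
    bs->flushes++;
}

static void flush_cb(IDEState *s)
{
    acct_done(s->bs);
    s->status = READY_STAT;
}

/* Original shape: the guest's command byte reaches the block layer even with no medium; bs == NULL aborts the process. */
static uint8_t exec_cmd_unguarded(IDEState *s, uint8_t cmd)
{
    if (cmd == WIN_FLUSH_CACHE_EXT) {
        flush_cb(s);
    }
    return s->status;
}

/* Hardened shape: a channel without a medium answers with an ATA error (ERR_STAT + ABRT)
 * before the block layer is touched, so the port write stays a guest-visible failure. */
static uint8_t exec_cmd_guarded(IDEState *s, uint8_t cmd)
{
    if (cmd == WIN_FLUSH_CACHE_EXT) {
        if (s->bs == NULL) {
            s->status = READY_STAT | ERR_STAT;
            s->error = ABRT_ERR;
            return s->status;
        }
        flush_cb(s);
    }
    return s->status;
}
```

Calling the unguarded variant on an empty channel aborts exactly as the trace does, so only the guarded one is safe to call with bs == NULL.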

Comment 4 Qian Guo 2014-10-20 09:40:42 UTC
Verified this bug with qemu-kvm-rhev-2.1.2-3.el7.x86_64.

Steps:
1. Boot guest:
/usr/libexec/qemu-kvm \
    -name 'virt-tests-vm1' \
    -sandbox off \
    -M pc \
    -nodefaults \
    -vga cirrus \
    -chardev socket,id=qmp_id_qmpmonitor1,path=/tmp/monitor-qmpmonitor1-20141020-144555-MBmqGjFJ,server,nowait \
    -mon chardev=qmp_id_qmpmonitor1,mode=control \
    -chardev socket,id=serial_id_serial0,path=/tmp/serial-serial0-20141020-144555-MBmqGjFJ,server,nowait \
    -device isa-serial,chardev=serial_id_serial0 \
    -chardev socket,id=seabioslog_id_20141020-144555-MBmqGjFJ,path=/tmp/seabios-20141020-144555-MBmqGjFJ,server,nowait \
    -device isa-debugcon,chardev=seabioslog_id_20141020-144555-MBmqGjFJ,iobase=0x402 \
    -device ich9-usb-uhci1,id=usb1,bus=pci.0,addr=03 \
    -drive id=drive_image1,if=none,cache=none,snapshot=off,aio=native,file=/root/staf-kvm-devel/autotest-devel/client/tests/virt/shared/data/images/rhel70-64-virtio.qcow2 \
    -device virtio-blk-pci,id=image1,drive=drive_image1,bootindex=0,bus=pci.0,addr=04 \
    -device virtio-net-pci,mac=9a:8d:8e:8f:90:91,id=id4sZgOo,vectors=4,netdev=idCltxru,bus=pci.0,addr=05 \
    -netdev tap,id=idCltxru,vhost=on,script=/etc/qemu-ifup \
    -m 4096 \
    -smp 1,cores=1,threads=1,sockets=1 \
    -cpu 'Opteron_G2',+kvm_pv_unhalt \
    -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1 \
    -vnc :0 \
    -rtc base=utc,clock=host,driftfix=slew \
    -boot order=cdn,once=c,menu=off \
    -no-kvm-pit-reinjection \
    -enable-kvm \
    -monitor stdio

2. In the guest, do iofuzz to the "ata_piix" ports (the same sequence that hit the crash when reproducing):
# cat iofuzz.sh 
 dd if=/dev/port seek=368 of=/dev/null bs=1 count=1                         
 dd if=/dev/port seek=369 of=/dev/null bs=1 count=1                         
 dd if=/dev/port seek=370 of=/dev/null bs=1 count=1                         
 dd if=/dev/port seek=371 of=/dev/null bs=1 count=1                         
 dd if=/dev/port seek=372 of=/dev/null bs=1 count=1                         
 dd if=/dev/port seek=373 of=/dev/null bs=1 count=1                         
 dd if=/dev/port seek=374 of=/dev/null bs=1 count=1                         
 dd if=/dev/port seek=375 of=/dev/null bs=1 count=1                         
 echo -e '\0' | dd of=/dev/port seek=368 bs=1 count=1                       
 echo -e '\0' | dd of=/dev/port seek=369 bs=1 count=1                       
 echo -e '\0' | dd of=/dev/port seek=370 bs=1 count=1                       
 echo -e '\0' | dd of=/dev/port seek=371 bs=1 count=1                       
 echo -e '\0' | dd of=/dev/port seek=372 bs=1 count=1                       
 echo -e '\0' | dd of=/dev/port seek=373 bs=1 count=1                       
 echo -e '\0' | dd of=/dev/port seek=374 bs=1 count=1                       
 echo -e '\0' | dd of=/dev/port seek=375 bs=1 count=1                       
 echo -e '\0102' | dd of=/dev/port seek=370 bs=1 count=1                    
 echo -e '\0372' | dd of=/dev/port seek=368 bs=1 count=1                    
 echo -e '\060' | dd of=/dev/port seek=371 bs=1 count=1                     
 echo -e '\034' | dd of=/dev/port seek=372 bs=1 count=1                     
 echo -e '\026' | dd of=/dev/port seek=369 bs=1 count=1                     
 echo -e '\063' | dd of=/dev/port seek=372 bs=1 count=1                     
 echo -e '\041' | dd of=/dev/port seek=374 bs=1 count=1                     
 echo -e '\0365' | dd of=/dev/port seek=372 bs=1 count=1                    
 echo -e '\06' | dd of=/dev/port seek=372 bs=1 count=1                      
 echo -e '\0106' | dd of=/dev/port seek=371 bs=1 count=1                    
 echo -e '\0156' | dd of=/dev/port seek=374 bs=1 count=1                    
 echo -e '\01' | dd of=/dev/port seek=370 bs=1 count=1                      
 echo -e '\0317' | dd of=/dev/port seek=369 bs=1 count=1                    
 echo -e '\023' | dd of=/dev/port seek=374 bs=1 count=1                     
 echo -e '\053' | dd of=/dev/port seek=374 bs=1 count=1                     
 echo -e '\0153' | dd of=/dev/port seek=370 bs=1 count=1                    
 echo -e '\05' | dd of=/dev/port seek=369 bs=1 count=1                      
 echo -e '\0233' | dd of=/dev/port seek=375 bs=1 count=1                    
 echo -e '\0250' | dd of=/dev/port seek=371 bs=1 count=1                    
 echo -e '\0140' | dd of=/dev/port seek=375 bs=1 count=1                    
 echo -e '\0150' | dd of=/dev/port seek=373 bs=1 count=1                    
 echo -e '\0334' | dd of=/dev/port seek=374 bs=1 count=1                    
 echo -e '\0360' | dd of=/dev/port seek=375 bs=1 count=1                    
 echo -e '\0372' | dd of=/dev/port seek=371 bs=1 count=1                    
 echo -e '\0202' | dd of=/dev/port seek=371 bs=1 count=1                    
 echo -e '\0160' | dd of=/dev/port seek=375 bs=1 count=1                    
 echo -e '\0316' | dd of=/dev/port seek=368 bs=1 count=1                    
 echo -e '\043' | dd of=/dev/port seek=370 bs=1 count=1                     
 echo -e '\0121' | dd of=/dev/port seek=371 bs=1 count=1                    
 echo -e '\0153' | dd of=/dev/port seek=375 bs=1 count=1                    
 echo -e '\071' | dd of=/dev/port seek=369 bs=1 count=1                     
 echo -e '\0153' | dd of=/dev/port seek=370 bs=1 count=1                    
 echo -e '\0302' | dd of=/dev/port seek=375 bs=1 count=1                    
 echo -e '\0275' | dd of=/dev/port seek=375 bs=1 count=1                    
 echo -e '\0170' | dd of=/dev/port seek=372 bs=1 count=1                    
 echo -e '\0302' | dd of=/dev/port seek=370 bs=1 count=1                    
 echo -e '\0377' | dd of=/dev/port seek=369 bs=1 count=1                    
 echo -e '\0310' | dd of=/dev/port seek=369 bs=1 count=1                    
 echo -e '\0153' | dd of=/dev/port seek=372 bs=1 count=1                    
 echo -e '\0101' | dd of=/dev/port seek=368 bs=1 count=1                    
 echo -e '\056' | dd of=/dev/port seek=373 bs=1 count=1                     
 echo -e '\0126' | dd of=/dev/port seek=374 bs=1 count=1                    
 echo -e '\0124' | dd of=/dev/port seek=369 bs=1 count=1                    
 echo -e '\0131' | dd of=/dev/port seek=370 bs=1 count=1                    
 echo -e '\0272' | dd of=/dev/port seek=369 bs=1 count=1                    
 echo -e '\03' | dd of=/dev/port seek=370 bs=1 count=1                      
 echo -e '\017' | dd of=/dev/port seek=375 bs=1 count=1                     
 echo -e '\0160' | dd of=/dev/port seek=371 bs=1 count=1                    
 echo -e '\0117' | dd of=/dev/port seek=368 bs=1 count=1                    
 echo -e '\0334' | dd of=/dev/port seek=369 bs=1 count=1                    
 echo -e '\0353' | dd of=/dev/port seek=371 bs=1 count=1                    
 echo -e '\072' | dd of=/dev/port seek=375 bs=1 count=1                     
 echo -e '\0213' | dd of=/dev/port seek=371 bs=1 count=1                    
 echo -e '\0351' | dd of=/dev/port seek=372 bs=1 count=1                    
 echo -e '\0271' | dd of=/dev/port seek=373 bs=1 count=1                    
 echo -e '\0210' | dd of=/dev/port seek=374 bs=1 count=1                    
 echo -e '\0127' | dd of=/dev/port seek=375 bs=1 count=1                    
 echo -e '\067' | dd of=/dev/port seek=371 bs=1 count=1                     
 echo -e '\064' | dd of=/dev/port seek=374 bs=1 count=1                     
 echo -e '\0251' | dd of=/dev/port seek=374 bs=1 count=1                    
 echo -e '\0352' | dd of=/dev/port seek=375 bs=1 count=1


# sh iofuzz.sh

Result: no crash, so this bug is fixed.

Comment 6 errata-xmlrpc 2015-03-05 09:55:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0624.html