Bug 1140145 - qemu-kvm crashed when doing iofuzz testing
Summary: qemu-kvm crashed when doing iofuzz testing
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.0
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: ---
Assignee: Kevin Wolf
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-09-10 11:20 UTC by Kevin Wolf
Modified: 2015-03-05 09:55 UTC (History)
CC List: 15 users

Fixed In Version: qemu-kvm-rhev-2.1.0-4.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 1123372
Environment:
Last Closed: 2015-03-05 09:55:00 UTC
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata
ID: RHSA-2015:0624
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: qemu-kvm-rhev security, bug fix, and enhancement update
Last Updated: 2015-03-05 14:37:36 UTC

Comment 1 Miroslav Rezanina 2014-09-17 07:38:13 UTC
Fix included in qemu-kvm-rhev-2.1.0-4.el7

Comment 3 Qian Guo 2014-10-20 07:30:37 UTC
Reproduced this bug with qemu-kvm-rhev-2.1.0-3.el7.x86_64

Steps:
1. Boot guest:
/usr/libexec/qemu-kvm \
    -S  \
    -name 'virt-tests-vm1'  \
    -sandbox off  \
    -M pc  \
    -nodefaults  \
    -vga cirrus  \
    -chardev socket,id=qmp_id_qmpmonitor1,path=/tmp/monitor-qmpmonitor1-20141020-144555-MBmqGjFJ,server,nowait \
    -mon chardev=qmp_id_qmpmonitor1,mode=control  \
    -chardev socket,id=serial_id_serial0,path=/tmp/serial-serial0-20141020-144555-MBmqGjFJ,server,nowait \
    -device isa-serial,chardev=serial_id_serial0  \
    -chardev socket,id=seabioslog_id_20141020-144555-MBmqGjFJ,path=/tmp/seabios-20141020-144555-MBmqGjFJ,server,nowait \
    -device isa-debugcon,chardev=seabioslog_id_20141020-144555-MBmqGjFJ,iobase=0x402 \
    -device ich9-usb-uhci1,id=usb1,bus=pci.0,addr=03 \
    -drive id=drive_image1,if=none,cache=none,snapshot=off,aio=native,file=/root/staf-kvm-devel/autotest-devel/client/tests/virt/shared/data/images/rhel70-64-virtio.qcow2 \
    -device virtio-blk-pci,id=image1,drive=drive_image1,bootindex=0,bus=pci.0,addr=04 \
    -device virtio-net-pci,mac=9a:8d:8e:8f:90:91,id=id4sZgOo,vectors=4,netdev=idCltxru,bus=pci.0,addr=05  \
    -netdev tap,id=idCltxru,vhost=on,vhostfd=23,fd=22  \
    -m 4096  \
    -smp 1,cores=1,threads=1,sockets=1  \
    -cpu 'Opteron_G2',+kvm_pv_unhalt \
    -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1  \
    -vnc :0  \
    -rtc base=utc,clock=host,driftfix=slew  \
    -boot order=cdn,once=c,menu=off  \
    -no-kvm-pit-reinjection \
    -enable-kvm


2. Check the ioports and confirm the ata_piix ioports:
# cat /proc/ioports
0000-0cf7 : PCI Bus 0000:00
  0000-001f : dma1
  0020-0021 : pic1
  0040-0043 : timer0
  0050-0053 : timer1
  0060-0060 : keyboard
  0064-0064 : keyboard
  0070-0071 : rtc0
  0080-008f : dma page reg
  00a0-00a1 : pic2
  00c0-00df : dma2
  00f0-00ff : fpu
  0170-0177 : 0000:00:01.1
    0170-0177 : ata_piix
  01f0-01f7 : 0000:00:01.1
    01f0-01f7 : ata_piix
  0376-0376 : 0000:00:01.1
    0376-0376 : ata_piix
  03c0-03df : vga+
  03f2-03f2 : floppy
  03f4-03f5 : floppy
  03f6-03f6 : 0000:00:01.1
    03f6-03f6 : ata_piix
  03f7-03f7 : floppy
  03f8-03ff : serial
  0600-063f : 0000:00:01.3
    0600-0603 : ACPI PM1a_EVT_BLK
    0604-0605 : ACPI PM1a_CNT_BLK
    0608-060b : ACPI PM_TMR
  0700-070f : 0000:00:01.3
    0700-0707 : piix4_smbus
0cf8-0cff : PCI conf1
0d00-adff : PCI Bus 0000:00
ae0f-aeff : PCI Bus 0000:00
af20-afdf : PCI Bus 0000:00
afe0-afe3 : ACPI GPE0_BLK
afe4-ffff : PCI Bus 0000:00
  c000-c03f : 0000:00:04.0
    c000-c03f : virtio-pci
  c040-c05f : 0000:00:03.0
    c040-c05f : uhci_hcd
  c060-c07f : 0000:00:05.0
    c060-c07f : virtio-pci
  c080-c08f : 0000:00:01.1
    c080-c08f : ata_piix


3. Do iofuzz on the ata_piix ioports

Results:
qemu crashed:
(gdb) bt
#0  0x00007f6ea4fd097a in bdrv_acct_done (bs=0x0, cookie=cookie@entry=0x7f6ea7430f48) at block.c:5536
#1  0x00007f6ea4f44f7b in ide_flush_cb (opaque=0x7f6ea7430c80, ret=<optimized out>) at hw/ide/core.c:841
#2  0x00007f6ea4f45333 in ide_flush_cache (s=<optimized out>) at hw/ide/core.c:850
#3  0x00007f6ea4f45559 in cmd_flush_cache (s=<optimized out>, cmd=<optimized out>) at hw/ide/core.c:1226
#4  0x00007f6ea4f45609 in ide_exec_cmd (bus=<optimized out>, val=<optimized out>) at hw/ide/core.c:1758
#5  0x00007f6ea4dee3da in access_with_adjusted_size (addr=addr@entry=7, value=value@entry=0x7f6e977b0af0, size=size@entry=1, 
    access_size_min=<optimized out>, access_size_max=<optimized out>, access=0x7f6ea4dee550 <memory_region_write_accessor>, 
    mr=0x7f6ea743d680) at /usr/src/debug/qemu-2.1.0/memory.c:481
#6  0x00007f6ea4df2fa7 in memory_region_dispatch_write (size=1, data=234, addr=7, mr=0x7f6ea743d680)
    at /usr/src/debug/qemu-2.1.0/memory.c:1143
#7  io_mem_write (mr=mr@entry=0x7f6ea743d680, addr=7, val=<optimized out>, size=1) at /usr/src/debug/qemu-2.1.0/memory.c:1976
#8  0x00007f6ea4dbe343 in address_space_rw (as=0x7f6ea5445ce0 <address_space_io>, addr=addr@entry=375, 
    buf=0x7f6ea4ce3000 <Address 0x7f6ea4ce3000 out of bounds>, len=len@entry=1, is_write=is_write@entry=true)
    at /usr/src/debug/qemu-2.1.0/exec.c:2052
#9  0x00007f6ea4ded860 in kvm_handle_io (count=1, size=1, direction=<optimized out>, data=<optimized out>, port=375)
    at /usr/src/debug/qemu-2.1.0/kvm-all.c:1600
#10 kvm_cpu_exec (cpu=cpu@entry=0x7f6ea73aa400) at /usr/src/debug/qemu-2.1.0/kvm-all.c:1737
#11 0x00007f6ea4ddca02 in qemu_kvm_cpu_thread_fn (arg=0x7f6ea73aa400) at /usr/src/debug/qemu-2.1.0/cpus.c:874
#12 0x00007f6ea3892df3 in start_thread () from /usr/lib64/libpthread.so.0
#13 0x00007f6e9ee7c3dd in clone () from /usr/lib64/libc.so.6
(gdb) bt full
#0  0x00007f6ea4fd097a in bdrv_acct_done (bs=0x0, cookie=cookie@entry=0x7f6ea7430f48) at block.c:5536
        __PRETTY_FUNCTION__ = "bdrv_acct_done"
#1  0x00007f6ea4f44f7b in ide_flush_cb (opaque=0x7f6ea7430c80, ret=<optimized out>) at hw/ide/core.c:841
        s = 0x7f6ea7430c80
#2  0x00007f6ea4f45333 in ide_flush_cache (s=<optimized out>) at hw/ide/core.c:850
No locals.
#3  0x00007f6ea4f45559 in cmd_flush_cache (s=<optimized out>, cmd=<optimized out>) at hw/ide/core.c:1226
No locals.
#4  0x00007f6ea4f45609 in ide_exec_cmd (bus=<optimized out>, val=<optimized out>) at hw/ide/core.c:1758
        s = 0x7f6ea7430c80
        complete = <optimized out>
        __PRETTY_FUNCTION__ = "ide_exec_cmd"
#5  0x00007f6ea4dee3da in access_with_adjusted_size (addr=addr@entry=7, value=value@entry=0x7f6e977b0af0, size=size@entry=1, 
    access_size_min=<optimized out>, access_size_max=<optimized out>, access=0x7f6ea4dee550 <memory_region_write_accessor>, 
    mr=0x7f6ea743d680) at /usr/src/debug/qemu-2.1.0/memory.c:481
        access_mask = 255
        access_size = 1
        i = <optimized out>
#6  0x00007f6ea4df2fa7 in memory_region_dispatch_write (size=1, data=234, addr=7, mr=0x7f6ea743d680)
    at /usr/src/debug/qemu-2.1.0/memory.c:1143
No locals.
#7  io_mem_write (mr=mr@entry=0x7f6ea743d680, addr=7, val=<optimized out>, size=1) at /usr/src/debug/qemu-2.1.0/memory.c:1976
No locals.
#8  0x00007f6ea4dbe343 in address_space_rw (as=0x7f6ea5445ce0 <address_space_io>, addr=addr@entry=375, 
    buf=0x7f6ea4ce3000 <Address 0x7f6ea4ce3000 out of bounds>, len=len@entry=1, is_write=is_write@entry=true)
    at /usr/src/debug/qemu-2.1.0/exec.c:2052
        l = 1
        ptr = <optimized out>
        val = 234
        addr1 = 7
        mr = 0x7f6ea743d680
        error = false
#9  0x00007f6ea4ded860 in kvm_handle_io (count=1, size=1, direction=<optimized out>, data=<optimized out>, port=375)
    at /usr/src/debug/qemu-2.1.0/kvm-all.c:1600
        i = 0
        ptr = <optimized out>
#10 kvm_cpu_exec (cpu=cpu@entry=0x7f6ea73aa400) at /usr/src/debug/qemu-2.1.0/kvm-all.c:1737
        run = 0x7f6ea4ce2000
        ret = <optimized out>
        run_ret = <optimized out>
#11 0x00007f6ea4ddca02 in qemu_kvm_cpu_thread_fn (arg=0x7f6ea73aa400) at /usr/src/debug/qemu-2.1.0/cpus.c:874
        cpu = 0x7f6ea73aa400
        r = <optimized out>
#12 0x00007f6ea3892df3 in start_thread () from /usr/lib64/libpthread.so.0
No symbol table info available.
#13 0x00007f6e9ee7c3dd in clone () from /usr/lib64/libc.so.6
No symbol table info available.



So this bug is reproduced.
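The trace above bottoms out in bdrv_acct_done(bs=0x0), reached from ide_flush_cb: the guest wrote value 234 (0xEA, the ATA FLUSH CACHE EXT opcode) to port 375 (0x177, the command register of the secondary IDE channel), and that channel has no drive attached, so the IDE state's block pointer is NULL when the completion callback accounts the flush. The C program below is an added, simplified model of that path, written for this page; it is not QEMU's source and not the fix shipped in the package, and every type and function name in it (BlockBackend, IDEState, acct_done, ide_flush_cb_before, ide_flush_cb_fixed, ide_flush_cache, ide_exec_cmd) is a hypothetical stand-in for the frames in the trace. It shows the unchecked completion path beside the NULL-guarded one, and the guarded one handling a drive-less slot without touching the absent backend.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the IDE flush path, not QEMU's code. */

enum { READY_STAT = 0x40, SEEK_STAT = 0x10, BUSY_STAT = 0x80 };
/* Real ATA opcodes: FLUSH CACHE (0xE7) and FLUSH CACHE EXT (0xEA, the
 * value 234 seen in the trace). */
enum { WIN_FLUSH_CACHE = 0xE7, WIN_FLUSH_CACHE_EXT = 0xEA };

typedef struct { unsigned flush_count; } BlockBackend; /* stands in for BlockDriverState */

typedef struct {
    BlockBackend *bs;   /* NULL when nothing is attached to this IDE slot */
    unsigned status;
    unsigned irq_count;
} IDEState;

/* Stand-in for bdrv_acct_done(): dereferences bs unconditionally, which is
 * what faulted at bs=0x0 in frame #0 of the trace. */
static void acct_done(BlockBackend *bs) { bs->flush_count++; }

/* Completion callback before the fix: only safe with an attached drive. */
static void ide_flush_cb_before(IDEState *s)
{
    acct_done(s->bs);                 /* NULL dereference when s->bs == NULL */
    s->status = READY_STAT | SEEK_STAT;
    s->irq_count++;
}

/* Hardened completion callback: a drive-less slot still completes the
 * command (status and interrupt) but never touches the absent backend. */
static void ide_flush_cb_fixed(IDEState *s)
{
    if (s->bs) {
        acct_done(s->bs);
    }
    s->status = READY_STAT | SEEK_STAT;
    s->irq_count++;
}

typedef void (*flush_cb)(IDEState *);

/* Model of ide_flush_cache(): with no backend there is nothing to flush, so
 * the callback is invoked directly; otherwise the flush is issued and the
 * callback runs on completion (synchronously in this model). */
static void ide_flush_cache(IDEState *s, flush_cb cb)
{
    if (s->bs == NULL) {
        cb(s);
        return;
    }
    s->status |= BUSY_STAT;
    cb(s);
}

/* Model of the command-register write dispatch. Returns true if the
 * command was recognised; only the flush commands are modelled. */
static bool ide_exec_cmd(IDEState *s, unsigned val, flush_cb cb)
{
    switch (val) {
    case WIN_FLUSH_CACHE:
    case WIN_FLUSH_CACHE_EXT:
        ide_flush_cache(s, cb);
        return true;
    default:
        return false;
    }
}

int main(void)
{
    BlockBackend disk = {0};
    IDEState with_drive = { &disk, 0, 0 };
    IDEState empty_slot = { NULL, 0, 0 };

    ide_exec_cmd(&with_drive, WIN_FLUSH_CACHE_EXT, ide_flush_cb_before); /* fine: bs set */
    ide_exec_cmd(&empty_slot, WIN_FLUSH_CACHE_EXT, ide_flush_cb_fixed);  /* no crash */
    printf("attached: flushes=%u status=0x%02x; empty slot: status=0x%02x irqs=%u\n",
           disk.flush_count, with_drive.status, empty_slot.status, empty_slot.irq_count);
    /* ide_exec_cmd(&empty_slot, WIN_FLUSH_CACHE_EXT, ide_flush_cb_before) would fault. */
    return 0;
}
```

The general lesson is the one the trace illustrates: any completion or accounting path that can be reached for a device slot without a backend must re-check the backend pointer itself, rather than relying on the caller having already short-circuited.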

Comment 4 Qian Guo 2014-10-20 09:40:42 UTC
Verified this bug with qemu-kvm-rhev-2.1.2-3.el7.x86_64

Steps:
1. Boot guest:
/usr/libexec/qemu-kvm \
    -name 'virt-tests-vm1' \
    -sandbox off \
    -M pc \
    -nodefaults \
    -vga cirrus \
    -chardev socket,id=qmp_id_qmpmonitor1,path=/tmp/monitor-qmpmonitor1-20141020-144555-MBmqGjFJ,server,nowait \
    -mon chardev=qmp_id_qmpmonitor1,mode=control \
    -chardev socket,id=serial_id_serial0,path=/tmp/serial-serial0-20141020-144555-MBmqGjFJ,server,nowait \
    -device isa-serial,chardev=serial_id_serial0 \
    -chardev socket,id=seabioslog_id_20141020-144555-MBmqGjFJ,path=/tmp/seabios-20141020-144555-MBmqGjFJ,server,nowait \
    -device isa-debugcon,chardev=seabioslog_id_20141020-144555-MBmqGjFJ,iobase=0x402 \
    -device ich9-usb-uhci1,id=usb1,bus=pci.0,addr=03 \
    -drive id=drive_image1,if=none,cache=none,snapshot=off,aio=native,file=/root/staf-kvm-devel/autotest-devel/client/tests/virt/shared/data/images/rhel70-64-virtio.qcow2 \
    -device virtio-blk-pci,id=image1,drive=drive_image1,bootindex=0,bus=pci.0,addr=04 \
    -device virtio-net-pci,mac=9a:8d:8e:8f:90:91,id=id4sZgOo,vectors=4,netdev=idCltxru,bus=pci.0,addr=05 \
    -netdev tap,id=idCltxru,vhost=on,script=/etc/qemu-ifup \
    -m 4096 \
    -smp 1,cores=1,threads=1,sockets=1 \
    -cpu 'Opteron_G2',+kvm_pv_unhalt \
    -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1 \
    -vnc :0 \
    -rtc base=utc,clock=host,driftfix=slew \
    -boot order=cdn,once=c,menu=off \
    -no-kvm-pit-reinjection \
    -enable-kvm \
    -monitor stdio

2. In the guest, do iofuzz on the "ata_piix" ports (the same sequence that hit the crash when reproducing):
# cat iofuzz.sh
# Probe the secondary IDE channel, ports 0x170-0x177 (368-375 decimal).
# Run with bash (sh is bash on RHEL): the '\0nnn' escapes are bash's echo -e
# octal form and dd count=1 drops the trailing newline.
# The reads use skip= so dd reads at the port offset of /dev/port; seek=
# would only move the write position in /dev/null and read port 0 instead.
dd if=/dev/port skip=368 of=/dev/null bs=1 count=1
dd if=/dev/port skip=369 of=/dev/null bs=1 count=1
dd if=/dev/port skip=370 of=/dev/null bs=1 count=1
dd if=/dev/port skip=371 of=/dev/null bs=1 count=1
dd if=/dev/port skip=372 of=/dev/null bs=1 count=1
dd if=/dev/port skip=373 of=/dev/null bs=1 count=1
dd if=/dev/port skip=374 of=/dev/null bs=1 count=1
dd if=/dev/port skip=375 of=/dev/null bs=1 count=1
# Zero every register of the channel, then write the random byte sequence.
echo -e '\0' | dd of=/dev/port seek=368 bs=1 count=1
echo -e '\0' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\0' | dd of=/dev/port seek=370 bs=1 count=1
echo -e '\0' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\0' | dd of=/dev/port seek=372 bs=1 count=1
echo -e '\0' | dd of=/dev/port seek=373 bs=1 count=1
echo -e '\0' | dd of=/dev/port seek=374 bs=1 count=1
echo -e '\0' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\0102' | dd of=/dev/port seek=370 bs=1 count=1
echo -e '\0372' | dd of=/dev/port seek=368 bs=1 count=1
echo -e '\060' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\034' | dd of=/dev/port seek=372 bs=1 count=1
echo -e '\026' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\063' | dd of=/dev/port seek=372 bs=1 count=1
echo -e '\041' | dd of=/dev/port seek=374 bs=1 count=1
echo -e '\0365' | dd of=/dev/port seek=372 bs=1 count=1
echo -e '\06' | dd of=/dev/port seek=372 bs=1 count=1
echo -e '\0106' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\0156' | dd of=/dev/port seek=374 bs=1 count=1
echo -e '\01' | dd of=/dev/port seek=370 bs=1 count=1
echo -e '\0317' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\023' | dd of=/dev/port seek=374 bs=1 count=1
echo -e '\053' | dd of=/dev/port seek=374 bs=1 count=1
echo -e '\0153' | dd of=/dev/port seek=370 bs=1 count=1
echo -e '\05' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\0233' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\0250' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\0140' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\0150' | dd of=/dev/port seek=373 bs=1 count=1
echo -e '\0334' | dd of=/dev/port seek=374 bs=1 count=1
echo -e '\0360' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\0372' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\0202' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\0160' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\0316' | dd of=/dev/port seek=368 bs=1 count=1
echo -e '\043' | dd of=/dev/port seek=370 bs=1 count=1
echo -e '\0121' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\0153' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\071' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\0153' | dd of=/dev/port seek=370 bs=1 count=1
echo -e '\0302' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\0275' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\0170' | dd of=/dev/port seek=372 bs=1 count=1
echo -e '\0302' | dd of=/dev/port seek=370 bs=1 count=1
echo -e '\0377' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\0310' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\0153' | dd of=/dev/port seek=372 bs=1 count=1
echo -e '\0101' | dd of=/dev/port seek=368 bs=1 count=1
echo -e '\056' | dd of=/dev/port seek=373 bs=1 count=1
echo -e '\0126' | dd of=/dev/port seek=374 bs=1 count=1
echo -e '\0124' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\0131' | dd of=/dev/port seek=370 bs=1 count=1
echo -e '\0272' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\03' | dd of=/dev/port seek=370 bs=1 count=1
echo -e '\017' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\0160' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\0117' | dd of=/dev/port seek=368 bs=1 count=1
echo -e '\0334' | dd of=/dev/port seek=369 bs=1 count=1
echo -e '\0353' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\072' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\0213' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\0351' | dd of=/dev/port seek=372 bs=1 count=1
echo -e '\0271' | dd of=/dev/port seek=373 bs=1 count=1
echo -e '\0210' | dd of=/dev/port seek=374 bs=1 count=1
echo -e '\0127' | dd of=/dev/port seek=375 bs=1 count=1
echo -e '\067' | dd of=/dev/port seek=371 bs=1 count=1
echo -e '\064' | dd of=/dev/port seek=374 bs=1 count=1
echo -e '\0251' | dd of=/dev/port seek=374 bs=1 count=1
# Final write: octal 352 = 0xEA (FLUSH CACHE EXT) to the command register
# at port 375 (0x177), the write seen in the backtrace of comment 3.
echo -e '\0352' | dd of=/dev/port seek=375 bs=1 count=1


# sh iofuzz.sh

Result: no crash, so this bug is fixed.
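Both reproduction comments depend on reading /proc/ioports to find which port ranges the ata_piix driver claims, and the iofuzz script then addresses those ports in decimal (368-375 is 0x170-0x177). The C program below is an added example, not part of the bug report or of any Red Hat tooling: it parses text in /proc/ioports format (hex "lo-hi : owner" lines, nested by two-space indentation) and returns the ranges for a given owner with decimal bounds, so a tester can confirm a port number before touching it. The sample input is constructed from the listing in comment 3 with the harness timestamps removed; the function names (parse_ioports_line, ranges_for_owner, owner_claims_port) are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/ioports format, abridged from the listing in
 * comment 3 (timestamps removed; the real file carries none). */
static const char sample_ioports[] =
    "0000-0cf7 : PCI Bus 0000:00\n"
    "  0000-001f : dma1\n"
    "  0170-0177 : 0000:00:01.1\n"
    "    0170-0177 : ata_piix\n"
    "  01f0-01f7 : 0000:00:01.1\n"
    "    01f0-01f7 : ata_piix\n"
    "  0376-0376 : 0000:00:01.1\n"
    "    0376-0376 : ata_piix\n"
    "  03f6-03f6 : 0000:00:01.1\n"
    "    03f6-03f6 : ata_piix\n"
    "  03f8-03ff : serial\n"
    "afe4-ffff : PCI Bus 0000:00\n"
    "  c080-c08f : 0000:00:01.1\n"
    "    c080-c08f : ata_piix\n";

typedef struct {
    unsigned lo, hi;   /* inclusive port numbers, parsed from hex */
    int depth;         /* nesting level: 0 = top level, 1 = child, ... */
    char owner[64];    /* driver or bus name after " : " */
} PortRange;

/* Parse one /proc/ioports line. Returns 1 on success, 0 if the line is
 * not a range line (blank, malformed, or with hi < lo). */
static int parse_ioports_line(const char *line, PortRange *out)
{
    int indent = 0;
    while (line[indent] == ' ') indent++;
    if (sscanf(line + indent, "%x-%x : %63[^\n]", &out->lo, &out->hi, out->owner) != 3)
        return 0;
    out->depth = indent / 2;
    size_t n = strlen(out->owner);
    while (n > 0 && (out->owner[n - 1] == ' ' || out->owner[n - 1] == '\r'))
        out->owner[--n] = '\0';       /* drop trailing whitespace */
    return out->hi >= out->lo;
}

/* Collect every range whose owner equals `name`. Returns the number found
 * (may exceed `max`; only the first `max` are stored in `out`). */
static size_t ranges_for_owner(const char *text, const char *name, PortRange *out, size_t max)
{
    size_t found = 0;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        PortRange r;
        if (parse_ioports_line(line, &r) && strcmp(r.owner, name) == 0) {
            if (found < max) out[found] = r;
            found++;
        }
        p = nl ? nl + 1 : p + len;
    }
    return found;
}

/* True if `port` (decimal, as used by dd's skip=/seek=) lies in any range
 * claimed by `name`. */
static bool owner_claims_port(const char *text, const char *name, unsigned port)
{
    PortRange r[32];
    size_t n = ranges_for_owner(text, name, r, 32);
    if (n > 32) n = 32;
    for (size_t i = 0; i < n; i++)
        if (port >= r[i].lo && port <= r[i].hi) return true;
    return false;
}

int main(void)
{
    PortRange r[16];
    size_t n = ranges_for_owner(sample_ioports, "ata_piix", r, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("ata_piix: 0x%04x-0x%04x (%u-%u decimal), depth %d\n",
               r[i].lo, r[i].hi, r[i].lo, r[i].hi, r[i].depth);
    return 0;
}
```

On a real system the text would come from reading /proc/ioports instead of the embedded sample; the parser is the same, since the kernel's format is exactly the hex range, " : " and the owner name.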

Comment 6 errata-xmlrpc 2015-03-05 09:55:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0624.html

