Bug 1299030 - drmgr with invalid value in guest crashes qemu
Summary: drmgr with invalid value in guest crashes qemu
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.2
Hardware: ppc64le
OS: Linux
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Laurent Vivier
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks: 1306343 RHEV4.0PPC RHV4.1PPC
Reported: 2016-01-15 18:02 UTC by Laurent Vivier
Modified: 2016-11-07 20:55 UTC (History)
CC List: 11 users

Fixed In Version: qemu-kvm-rhev-2.5.0-1.el7
Doc Type: Bug Fix
Doc Text:
Previously, if the drmgr command was used in the guest to hot plug a device before a device_add command was issued via the QEMU monitor, QEMU terminated unexpectedly with a segmentation fault. This update fixes the handling of drmgr so that in the described circumstances, an error is properly raised and QEMU does not crash.
Clone Of:
: 1306343 (view as bug list)
Environment:
Last Closed: 2016-11-07 20:55:51 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2673 0 normal SHIPPED_LIVE qemu-kvm-rhev bug fix and enhancement update 2016-11-08 01:06:13 UTC

Description Laurent Vivier 2016-01-15 18:02:04 UTC
Description of problem:

While debugging BZ1276205, I've found that an invalid value used with "drmgr" can crash the VM.

Version-Release number of selected component (if applicable):

guest:

kernel-3.10.0-340.el7.ppc64le
ppc64-diag-2.6.9-2.el7.ppc64le
librtas-1.3.13-2.el7.ppc64le
powerpc-utils-1.2.26-2.el7.ppc64le

host:

kernel-3.10.0-327.4.4.el7.ppc64le
qemu-kvm-rhev-2.3.0-31.el7_2.5.ppc64le

How reproducible:

100%


Steps to Reproduce:

1. start a guest with "-m 4G,slots=8,maxmem=8G"
   (see BZ1276205 for details)

2. in the guest: "drmgr -c mem -a -s 0x80000010"

Actual results:

 16438 Segmentation fault      $QEMU -name bz1276205 -machine pseries,accel=kvm,usb=off -nodefaults -m 4G,slots=8,maxmem=8G -smp 4 -vga none -nographic -chardev stdio,id=conmon,mux=on,signal=off -device spapr-vty,chardev=conmon -mon conmon -netdev bridge,id=hostnet0,br=virbr0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=$MAC,bus=pci.0,addr=0x6 -drive file=$IMAGE,if=none,id=drive-scsi0-0-0-0,format=qcow2,rerror=stop,werror=stop -device virtio-blk-pci,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bus=pci.0,addr=0x3,bootindex=1

Expected results:

No segfault.

Additional info:

Comment 2 Min Deng 2016-01-18 06:18:15 UTC
Reproduced the bug on the following build and CLI
Host,kernel-3.10.0-327.el7.ppc64le
     qemu-kvm-rhev-2.3.0-31.el7_2.5.ppc64le
Guest,kernel-3.10.0-327.el7.ppc64le
      ppc64-diag-2.6.9-2.el7.ppc64le
      librtas-1.3.13-2.el7.ppc64le
      powerpc-utils-1.2.26-2.el7.ppc64le
Log info,
 96056 Segmentation fault      (core dumped) /usr/libexec/qemu-kvm -name RHEL-7.2 -machine pseries,accel=kvm,usb=off -m 4G,slots=32,maxmem=40G -numa node -realtime mlock=off -smp 8,sockets=2,cores=2,threads=2 -rtc base=localtime,clock=host,driftfix=slew -monitor stdio -boot menu=on -usb -vnc :99 -device VGA,id=video0,vgamem_mb=16,bus=pci.0,addr=0x5 -device usb-kbd,id=input0 -device usb-mouse,id=input1 -device usb-tablet,id=input2 -msg timestamp=on -netdev tap,id=hostnet0,script=/etc/qemu-ifup,downscript=/etc/qemu-ifdown -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:c4:e7:93,bus=pci.0,addr=0x6 -qmp tcp:0:6666,server,nowait -serial unix:/tmp/console0,server,nowait -device virtio-scsi-pci,id=scsi0 -drive file=/home/mdeng/autotest/client/tests/virt/shared/data/images/RHEL-Server-7.2-ppc64le-virtio-scsi.qcow2,if=none,id=drive-scsi0-0-0-0,format=qcow2,cache=none,rerror=stop,werror=stop,aio=native -device virtio-blk-pci,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bus=pci.0,addr=0x3,bootindex=1

Comment 3 Laurent Vivier 2016-01-22 15:53:21 UTC
With drmgr, we are trying to configure a slot with no memory inside.

The slot exists because of "-m 4G,slots=8,maxmem=8G".

But no memory has been attached, so some fields are empty, like "fdt", which is normally filled by "attach()" (in spapr_drc.c).

So when drmgr tries to configure it, the kernel calls the RTAS interface "ibm,configure-connector", and when rtas_ibm_configure_connector() wants to use "fdt", it is using a NULL pointer -> crash.

This fixes the problem:

diff --git a/hw/ppc/spapr_rtas.c b/hw/ppc/spapr_rtas.c
index 2986f94..a5c7be3 100644
--- a/hw/ppc/spapr_rtas.c
+++ b/hw/ppc/spapr_rtas.c
@@ -515,6 +515,12 @@ static void rtas_ibm_configure_connector(PowerPCCPU *cpu,
 
     drck = SPAPR_DR_CONNECTOR_GET_CLASS(drc);
     fdt = drck->get_fdt(drc, NULL);
+    if (!fdt) {
+        DPRINTF("rtas_ibm_configure_connector: invalid DRC index, FDT is NULL: %xh\n",
+                drc_index);
+        rc = RTAS_OUT_PARAM_ERROR;
+        goto out;
+    }
 
     ccs = spapr_ccs_find(spapr, drc_index);
     if (!ccs) {
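Review bot: The new check reports the condition as an "invalid DRC index", but as the explanation above says the DRC itself exists (the slot comes from "-m 4G,slots=8,maxmem=8G"); what is missing is an attached device and therefore its FDT, so the message should say "no device attached / FDT is NULL for DRC index %x" and the return value should reflect that rather than RTAS_OUT_PARAM_ERROR. The upstream commit quoted in Comment 4 says PAPR+ calls for -9003 in this case; returning that keeps the guest's drmgr error path consistent with the upstream fix. Style: the DPRINTF line is 86 columns, over QEMU's 80-column limit; split the literal, e.g. `DPRINTF("rtas_ibm_configure_connector: FDT is NULL for DRC index "` / `"%xh\n", drc_index);`. The hunk also relies on `rc` and an `out:` label already existing in rtas_ibm_configure_connector(), which the context shown here does not include, so confirm they are in scope.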

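The reproduction steps in the description and the root-cause analysis in comment 3 together describe a bug class worth seeing end to end: a guest-supplied index selects a DR connector that genuinely exists but has no device attached, so the host dereferences a NULL FDT. The C model below is an added example written for this page, not QEMU's code. It assumes QEMU's DRC index encoding (DRC type in the top 4 bits, LMB type shift 8, 256 MiB LMBs), the value -3 for RTAS_OUT_PARAM_ERROR, and names the PAPR+ value -9003 from comment 4 as `DR_CC_NOT_CONFIGURABLE` (the constant name is mine). Under that encoding, the index 0x80000010 used with drmgr decodes to LMB 16, which is exactly the first LMB past the 4 GiB of boot RAM: a hotpluggable slot created by `slots=8,maxmem=8G`, with nothing hot-added yet. That decoding is an inference from the encoding, not something the bug report states. The model contrasts the pre-fix lookup with the hardened one and sweeps the whole guest-reachable LMB range to show how many indices would have hit the crash.

```c
/*
 * Model of the pseries DR-connector (DRC) lookup behind the
 * "ibm,configure-connector" RTAS call.  Added example for this page; it is
 * not QEMU's code.  Index encoding and constant values are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define LMB_SIZE_MB            256u      /* assumed pseries LMB size */
#define DRC_TYPE_SHIFT_LMB     8u        /* assumed LMB DRC type shift */
#define DRC_INDEX_TYPE_SHIFT   28u       /* assumed: type in top 4 bits */
#define DRC_INDEX_ID_MASK      ((1u << DRC_INDEX_TYPE_SHIFT) - 1)

#define RTAS_OUT_SUCCESS       0
#define RTAS_OUT_PARAM_ERROR   (-3)      /* assumed value of QEMU's constant */
#define DR_CC_NOT_CONFIGURABLE (-9003)   /* PAPR+ value from comment 4; name is mine */

/* A DRC exists from boot; its FDT only exists after attach() (device_add). */
struct drc {
    uint32_t id;
    const char *fdt;    /* NULL until memory is attached */
};

/* Guest started with -m 4G,slots=8,maxmem=8G: boot RAM covers LMB ids
 * 0..15 (no DRC), hotpluggable DRCs exist for ids 16..31, nothing beyond. */
#define RAM_MB            4096u
#define MAXMEM_MB         8192u
#define FIRST_HOTPLUG_ID  (RAM_MB / LMB_SIZE_MB)                /* 16 */
#define NR_HOTPLUG_DRCS   ((MAXMEM_MB - RAM_MB) / LMB_SIZE_MB)  /* 16 */

static struct drc lmb_drcs[NR_HOTPLUG_DRCS];

void drc_table_init(void)
{
    for (uint32_t i = 0; i < NR_HOTPLUG_DRCS; i++) {
        lmb_drcs[i].id = FIRST_HOTPLUG_ID + i;
        lmb_drcs[i].fdt = NULL;
    }
}

/* Decode the index the guest passed as "drmgr -s <index>". */
uint32_t drc_index_type(uint32_t index) { return index >> DRC_INDEX_TYPE_SHIFT; }
uint32_t drc_index_id(uint32_t index)   { return index & DRC_INDEX_ID_MASK; }

/* Stand-in for spapr_dr_connector_by_index(): NULL when no such DRC exists. */
struct drc *drc_by_index(uint32_t index)
{
    uint32_t id = drc_index_id(index);
    if (drc_index_type(index) != DRC_TYPE_SHIFT_LMB)
        return NULL;
    if (id < FIRST_HOTPLUG_ID || id >= FIRST_HOTPLUG_ID + NR_HOTPLUG_DRCS)
        return NULL;
    return &lmb_drcs[id - FIRST_HOTPLUG_ID];
}

/* What a host-side device_add does: attach memory and build the FDT fragment. */
int drc_attach(uint32_t index)
{
    struct drc *drc = drc_by_index(index);
    if (!drc)
        return RTAS_OUT_PARAM_ERROR;
    drc->fdt = "ibm,dynamic-reconfiguration-memory";  /* constructed stand-in */
    return RTAS_OUT_SUCCESS;
}

/* Pre-fix behaviour: an unknown index is rejected, but a known DRC is assumed
 * to carry an FDT, so a slot with nothing attached dereferences NULL here. */
int configure_connector_before(uint32_t index)
{
    struct drc *drc = drc_by_index(index);
    if (!drc)
        return RTAS_OUT_PARAM_ERROR;
    return drc->fdt[0] ? RTAS_OUT_SUCCESS : RTAS_OUT_PARAM_ERROR;  /* crash if NULL */
}

/* Fixed behaviour: a DRC with no attached device is reported, not walked. */
int configure_connector_after(uint32_t index)
{
    struct drc *drc = drc_by_index(index);
    if (!drc)
        return RTAS_OUT_PARAM_ERROR;
    if (!drc->fdt)
        return DR_CC_NOT_CONFIGURABLE;
    return drc->fdt[0] ? RTAS_OUT_SUCCESS : RTAS_OUT_PARAM_ERROR;
}

/* How much of the guest-reachable LMB index space would hit the NULL FDT. */
int count_unattached_drcs(void)
{
    int n = 0;
    for (uint32_t i = 0; i < NR_HOTPLUG_DRCS; i++)
        if (!lmb_drcs[i].fdt)
            n++;
    return n;
}

int main(void)
{
    drc_table_init();
    printf("0x80000010 -> type %u, LMB id %u, rc(after fix) = %d\n",
           drc_index_type(0x80000010u), drc_index_id(0x80000010u),
           configure_connector_after(0x80000010u));
    printf("DRCs that would crash pre-fix: %d of %u\n",
           count_unattached_drcs(), NR_HOTPLUG_DRCS);
    drc_attach(0x80000010u);
    printf("after device_add: rc = %d\n", configure_connector_after(0x80000010u));
    return 0;
}
```

The sweep shows why the check belongs in configure-connector rather than in the guest: every hotpluggable LMB index is a legitimate value for drmgr to pass, and the guest has no way to know which of them the host has actually backed with memory, so the host must treat "known DRC, no FDT" as a normal error path.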
Comment 4 Laurent Vivier 2016-01-22 16:06:51 UTC
Already fixed upstream by:

commit e6fc9568c865f2f81499475a4e322cd563fdfd90
Author: Bharata B Rao <bharata.ibm.com>
Date:   Tue Sep 1 09:53:52 2015 +1000

    spapr_rtas: Prevent QEMU crash during hotplug without a prior device_add
    
    If drmgr is used in the guest to hotplug a device before a device_add
    has been issued via the QEMU monitor, QEMU segfaults in configure_connector
    call. This occurs due to accessing of NULL FDT which otherwise would have
    been created and associated with the DRC during device_add command.
    
    Check for NULL FDT and return failure from configure_connector call.
    As per PAPR+, an error value of -9003 seems appropriate for this failure.
    
    Signed-off-by: Bharata B Rao <bharata.ibm.com>
    Cc: Michael Roth <mdroth.ibm.com>
    Reviewed-by: David Gibson <david.id.au>
    Signed-off-by: David Gibson <david.id.au>

Comment 11 Min Deng 2016-06-01 02:44:05 UTC
Verified the bug on the following builds; for detailed steps please refer to the original report and comment 2.
Build info: qemu-kvm-rhev-2.6.0-4.el7.ppc64le
            kernel-3.10.0-418.el7.ppc64le
            SLOF-20160223-3.gitdbbfda4.el7.noarch
  Now the guest won't crash even if an invalid value is used by "drmgr". The issue has been fixed. Thanks for the developer's effort! Any issues, please let me know.

Comment 13 errata-xmlrpc 2016-11-07 20:55:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2673.html

