Description of problem:
While debugging BZ1276205, I've found that an invalid value used with "drmgr" can crash the VM.

Version-Release number of selected component (if applicable):
guest:
kernel-3.10.0-340.el7.ppc64le
ppc64-diag-2.6.9-2.el7.ppc64le
librtas-1.3.13-2.el7.ppc64le
powerpc-utils-1.2.26-2.el7.ppc64le
host:
kernel-3.10.0-327.4.4.el7.ppc64le
qemu-kvm-rhev-2.3.0-31.el7_2.5.ppc64le

How reproducible:
100%

Steps to Reproduce:
1. start a guest with "-m 4G,slots=8,maxmem=8G" (see BZ1276205 for details)
2. in the guest: "drmgr -c mem -a -s 0x80000010"

Actual results:
16438 Segmentation fault $QEMU -name bz1276205 -machine pseries,accel=kvm,usb=off -nodefaults -m 4G,slots=8,maxmem=8G -smp 4 -vga none -nographic -chardev stdio,id=conmon,mux=on,signal=off -device spapr-vty,chardev=conmon -mon conmon -netdev bridge,id=hostnet0,br=virbr0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=$MAC,bus=pci.0,addr=0x6 -drive file=$IMAGE,if=none,id=drive-scsi0-0-0-0,format=qcow2,rerror=stop,werror=stop -device virtio-blk-pci,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bus=pci.0,addr=0x3,bootindex=1

Expected results:
No segfault.

Additional info:
Reproduced the bug on the following build and cli:

Host:
kernel-3.10.0-327.el7.ppc64le
qemu-kvm-rhev-2.3.0-31.el7_2.5.ppc64le

Guest:
kernel-3.10.0-327.el7.ppc64le
ppc64-diag-2.6.9-2.el7.ppc64le
librtas-1.3.13-2.el7.ppc64le
powerpc-utils-1.2.26-2.el7.ppc64le

Log info:
96056 Segmentation fault (core dumped) /usr/libexec/qemu-kvm -name RHEL-7.2 -machine pseries,accel=kvm,usb=off -m 4G,slots=32,maxmem=40G -numa node -realtime mlock=off -smp 8,sockets=2,cores=2,threads=2 -rtc base=localtime,clock=host,driftfix=slew -monitor stdio -boot menu=on -usb -vnc :99 -device VGA,id=video0,vgamem_mb=16,bus=pci.0,addr=0x5 -device usb-kbd,id=input0 -device usb-mouse,id=input1 -device usb-tablet,id=input2 -msg timestamp=on -netdev tap,id=hostnet0,script=/etc/qemu-ifup,downscript=/etc/qemu-ifdown -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:c4:e7:93,bus=pci.0,addr=0x6 -qmp tcp:0:6666,server,nowait -serial unix:/tmp/console0,server,nowait -device virtio-scsi-pci,id=scsi0 -drive file=/home/mdeng/autotest/client/tests/virt/shared/data/images/RHEL-Server-7.2-ppc64le-virtio-scsi.qcow2,if=none,id=drive-scsi0-0-0-0,format=qcow2,cache=none,rerror=stop,werror=stop,aio=native -device virtio-blk-pci,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bus=pci.0,addr=0x3,bootindex=1
With drmgr, we are trying to configure a slot with no memory inside. The slot exists because of "-m 4G,slots=8,maxmem=8G". But no memory has been attached, so some fields are empty, like "fdt", which is normally filled by "attach()" (in spapr_drc.c). So when drmgr tries to configure it, the kernel calls the RTAS interface "ibm,configure-connector", and when rtas_ibm_configure_connector() wants to use "fdt", it is using a NULL pointer -> crash.

This fixes the problem:

diff --git a/hw/ppc/spapr_rtas.c b/hw/ppc/spapr_rtas.c index 2986f94..a5c7be3 100644 --- a/hw/ppc/spapr_rtas.c +++ b/hw/ppc/spapr_rtas.c @@ -515,6 +515,12 @@ static void rtas_ibm_configure_connector(PowerPCCPU *cpu, drck = SPAPR_DR_CONNECTOR_GET_CLASS(drc); fdt = drck->get_fdt(drc, NULL); + if (!fdt) { + DPRINTF("rtas_ibm_configure_connector: invalid DRC index, FDT is NULL: %xh\n", + drc_index); + rc = RTAS_OUT_PARAM_ERROR; + goto out; + } ccs = spapr_ccs_find(spapr, drc_index); if (!ccs) {
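Review bot: the hunk returns RTAS_OUT_PARAM_ERROR when get_fdt() yields NULL, but the upstream commit quoted later in this report (e6fc9568c865) states that PAPR+ gives -9003 as the appropriate status for this failure; a DRC index that resolves to a real but never-attached connector is a different condition from a malformed parameter, so consider returning the PAPR+ status here and keeping RTAS_OUT_PARAM_ERROR for an index that resolves to no DRC at all, so that drmgr in the guest can tell the two apart. Minor: the DPRINTF format "%xh" prints a literal 'h' after the hex index; "0x%x" is the usual form.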
Already fixed upstream by:

commit e6fc9568c865f2f81499475a4e322cd563fdfd90
Author: Bharata B Rao <bharata.ibm.com>
Date:   Tue Sep 1 09:53:52 2015 +1000

    spapr_rtas: Prevent QEMU crash during hotplug without a prior device_add

    If drmgr is used in the guest to hotplug a device before a device_add
    has been issued via the QEMU monitor, QEMU segfaults in configure_connector
    call. This occurs due to accessing of NULL FDT which otherwise would have
    been created and associated with the DRC during device_add command.

    Check for NULL FDT and return failure from configure_connector call.
    As per PAPR+, an error value of -9003 seems appropriate for this failure.

    Signed-off-by: Bharata B Rao <bharata.ibm.com>
    Cc: Michael Roth <mdroth.ibm.com>
    Reviewed-by: David Gibson <david.id.au>
    Signed-off-by: David Gibson <david.id.au>
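The root cause described in the analysis comment and in the upstream commit message above is a hypervisor trusting a guest-supplied DRC index: the connector exists as soon as the machine is created with slots/maxmem, but its FDT fragment is only populated by attach() after device_add, so an RTAS call for a never-attached slot dereferences NULL. The following C model is an added illustration of the hardened lookup, not QEMU's code: the DRC table, the 32-entry slot layout, the attach/lookup helpers and the macro name CC_NOT_CONFIGURABLE are this example's own assumptions; the -9003 value is the PAPR+ status cited in the commit message, and RTAS_OUT_PARAM_ERROR is kept for an index that names no connector at all.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RTAS status values. RTAS_OUT_* mirror the names used in the hunk above;
 * -9003 is the PAPR+ value the upstream commit message cites. The macro
 * name CC_NOT_CONFIGURABLE is this example's own, not QEMU's. */
#define RTAS_OUT_SUCCESS        0
#define RTAS_OUT_PARAM_ERROR   (-3)
#define CC_NOT_CONFIGURABLE    (-9003)

/* Constructed model of a DR connector: the slot exists from machine
 * creation, but fdt stays NULL until attach() backs it with a device. */
typedef struct {
    uint32_t    index;  /* guest-visible DRC index */
    const char *fdt;    /* NULL until drc_attach() runs */
} drc_t;

#define DRC_BASE  0x80000000u  /* assumed memory-DRC index base */
#define NUM_DRCS  32           /* constructed: one connector per hotpluggable LMB */
static drc_t drcs[NUM_DRCS];

/* Scratch buffer that configure_connector() fills on success. */
char cc_buf[64];

/* Initialise the table: every connector exists, none has an FDT yet. */
void drc_init(void)
{
    for (size_t i = 0; i < NUM_DRCS; i++) {
        drcs[i].index = DRC_BASE + (uint32_t)i;
        drcs[i].fdt = NULL;
    }
}

static drc_t *drc_lookup(uint32_t drc_index)
{
    for (size_t i = 0; i < NUM_DRCS; i++) {
        if (drcs[i].index == drc_index) {
            return &drcs[i];
        }
    }
    return NULL;
}

/* The device_add side: attach a device and populate its FDT fragment. */
bool drc_attach(uint32_t drc_index, const char *fdt)
{
    drc_t *drc = drc_lookup(drc_index);
    if (!drc) {
        return false;
    }
    drc->fdt = fdt;
    return true;
}

/* Hardened configure-connector: the guest-supplied index is validated
 * before any per-connector state is dereferenced. On success the FDT
 * fragment is copied into out; on failure out is emptied and an RTAS
 * status is returned instead of touching a NULL pointer. */
int configure_connector(uint32_t drc_index, char *out, size_t outlen)
{
    drc_t *drc = drc_lookup(drc_index);
    if (outlen) {
        out[0] = '\0';
    }
    if (!drc) {
        return RTAS_OUT_PARAM_ERROR;   /* index names no connector at all */
    }
    if (!drc->fdt) {
        /* connector exists but nothing was attached: this is the NULL
         * the original rtas_ibm_configure_connector() dereferenced */
        return CC_NOT_CONFIGURABLE;
    }
    snprintf(out, outlen, "%s", drc->fdt);
    return RTAS_OUT_SUCCESS;
}

int main(void)
{
    drc_init();
    drc_attach(DRC_BASE + 0, "memory@0 (constructed fdt fragment)");
    /* attached slot, never-attached slot (the index from the report), and a bogus index */
    uint32_t probes[] = { DRC_BASE + 0, 0x80000010u, 0x80000040u };
    for (size_t i = 0; i < 3; i++) {
        int rc = configure_connector(probes[i], cc_buf, sizeof cc_buf);
        printf("drc 0x%08x -> rc=%d fdt=\"%s\"\n", probes[i], rc, cc_buf);
    }
    return 0;
}
```

The order of the two checks matters: a lookup failure is a parameter error, while a successful lookup with a NULL fdt is the "exists but not configurable" case, so the guest receives a status it can act on and the hypervisor process never crashes on guest input.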
Verified the bug on the following builds; for detailed steps please refer to the original part and comment 2.

Build info:
qemu-kvm-rhev-2.6.0-4.el7.ppc64le
kernel-3.10.0-418.el7.ppc64le
SLOF-20160223-3.gitdbbfda4.el7.noarch

Now the guest won't crash even if an invalid value is used by "drmgr". The issue has been fixed. Thanks for the developer's effort! Any issues, please let me know.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2673.html