Bug 1299030 - drmgr with invalid value in guest crashes qemu
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.2
Hardware: ppc64le Linux
Priority: high  Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Laurent Vivier
QA Contact: Virtualization Bugs
Keywords: ZStream
Depends On:
Blocks: RHV4.1PPC 1306343 RHEV4.0PPC
Reported: 2016-01-15 13:02 EST by Laurent Vivier
Modified: 2016-11-07 15:55 EST (History)
CC List: 11 users

See Also:
Fixed In Version: qemu-kvm-rhev-2.5.0-1.el7
Doc Type: Bug Fix
Doc Text:
Previously, if the drmgr command was used in the guest to hot plug a device before a device_add command was issued via the QEMU monitor, QEMU terminated unexpectedly with a segmentation fault. This update fixes the handling of drmgr so that in the described circumstances, an error is properly raised and QEMU does not crash.
Story Points: ---
Clone Of:
: 1306343
Environment:
Last Closed: 2016-11-07 15:55:51 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Laurent Vivier 2016-01-15 13:02:04 EST
Description of problem:

While debugging BZ1276205, I've found that invalid value used with "drmgr" can crash the VM.

Version-Release number of selected component (if applicable):

guest:

kernel-3.10.0-340.el7.ppc64le
ppc64-diag-2.6.9-2.el7.ppc64le
librtas-1.3.13-2.el7.ppc64le
powerpc-utils-1.2.26-2.el7.ppc64le

host:

kernel-3.10.0-327.4.4.el7.ppc64le
qemu-kvm-rhev-2.3.0-31.el7_2.5.ppc64le

How reproducible:

100%


Steps to Reproduce:

1. start a guest with "-m 4G,slots=8,maxmem=8G"
   (see BZ1276205 for details)

2. in the guest: "drmgr -c mem -a -s 0x80000010"

Actual results:

 16438 Segmentation fault      $QEMU -name bz1276205 -machine pseries,accel=kvm,usb=off -nodefaults -m 4G,slots=8,maxmem=8G -smp 4 -vga none -nographic -chardev stdio,id=conmon,mux=on,signal=off -device spapr-vty,chardev=conmon -mon conmon -netdev bridge,id=hostnet0,br=virbr0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=$MAC,bus=pci.0,addr=0x6 -drive file=$IMAGE,if=none,id=drive-scsi0-0-0-0,format=qcow2,rerror=stop,werror=stop -device virtio-blk-pci,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bus=pci.0,addr=0x3,bootindex=1

Expected results:

No segfault.

Additional info:
Comment 2 Min Deng 2016-01-18 01:18:15 EST
Reproduced the bug on the following build and CLI:
Host,kernel-3.10.0-327.el7.ppc64le
     qemu-kvm-rhev-2.3.0-31.el7_2.5.ppc64le
Guest,kernel-3.10.0-327.el7.ppc64le
      ppc64-diag-2.6.9-2.el7.ppc64le
      librtas-1.3.13-2.el7.ppc64le
      powerpc-utils-1.2.26-2.el7.ppc64le
Log info,
 96056 Segmentation fault      (core dumped) /usr/libexec/qemu-kvm -name RHEL-7.2 -machine pseries,accel=kvm,usb=off -m 4G,slots=32,maxmem=40G -numa node -realtime mlock=off -smp 8,sockets=2,cores=2,threads=2 -rtc base=localtime,clock=host,driftfix=slew -monitor stdio -boot menu=on -usb -vnc :99 -device VGA,id=video0,vgamem_mb=16,bus=pci.0,addr=0x5 -device usb-kbd,id=input0 -device usb-mouse,id=input1 -device usb-tablet,id=input2 -msg timestamp=on -netdev tap,id=hostnet0,script=/etc/qemu-ifup,downscript=/etc/qemu-ifdown -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:c4:e7:93,bus=pci.0,addr=0x6 -qmp tcp:0:6666,server,nowait -serial unix:/tmp/console0,server,nowait -device virtio-scsi-pci,id=scsi0 -drive file=/home/mdeng/autotest/client/tests/virt/shared/data/images/RHEL-Server-7.2-ppc64le-virtio-scsi.qcow2,if=none,id=drive-scsi0-0-0-0,format=qcow2,cache=none,rerror=stop,werror=stop,aio=native -device virtio-blk-pci,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bus=pci.0,addr=0x3,bootindex=1
Comment 3 Laurent Vivier 2016-01-22 10:53:21 EST
With drmgr, we are trying to configure a slot with no memory inside.

The slot exists because of "-m 4G,slots=8,maxmem=8G".

But no memory has been attached, so some fields are empty, like "fdt", which is normally filled by "attach()" (in spapr_drc.c).

So when drmgr tries to configure it, the kernel calls the RTAS interface "ibm,configure-connector", and when rtas_ibm_configure_connector() wants to use "fdt", it is using a NULL pointer -> crash.

This fixes the problem:

diff --git a/hw/ppc/spapr_rtas.c b/hw/ppc/spapr_rtas.c
index 2986f94..a5c7be3 100644
--- a/hw/ppc/spapr_rtas.c
+++ b/hw/ppc/spapr_rtas.c
@@ -515,6 +515,12 @@ static void rtas_ibm_configure_connector(PowerPCCPU *cpu,
 
     drck = SPAPR_DR_CONNECTOR_GET_CLASS(drc);
     fdt = drck->get_fdt(drc, NULL);
+    if (!fdt) {
+        DPRINTF("rtas_ibm_configure_connector: invalid DRC index, FDT is NULL: %xh\n",
+                drc_index);
+        rc = RTAS_OUT_PARAM_ERROR;
+        goto out;
+    }
 
     ccs = spapr_ccs_find(spapr, drc_index);
     if (!ccs) {
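Review bot: the DPRINTF text "invalid DRC index" in the new `if (!fdt)` branch misdescribes the case this hunk guards. By the reasoning in this comment the DRC index is valid (the slot exists because of slots=8,maxmem=8G); what is missing is the FDT that attach() fills in on device_add, so a message such as "no FDT attached for DRC index 0x%x" would point a debugger at the actual cause, and "%xh" is an unusual hex rendering. The return value also deserves a second look: the hunk picks RTAS_OUT_PARAM_ERROR, while the upstream commit cited in the next comment treats this as a configure-connector failure and returns -9003 per PAPR+; using the same code keeps guest-side drmgr behaviour identical between this backport and upstream.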
Comment 4 Laurent Vivier 2016-01-22 11:06:51 EST
Already fixed upstream by:

commit e6fc9568c865f2f81499475a4e322cd563fdfd90
Author: Bharata B Rao <bharata@linux.vnet.ibm.com>
Date:   Tue Sep 1 09:53:52 2015 +1000

    spapr_rtas: Prevent QEMU crash during hotplug without a prior device_add
    
    If drmgr is used in the guest to hotplug a device before a device_add
    has been issued via the QEMU monitor, QEMU segfaults in configure_connector
    call. This occurs due to accessing of NULL FDT which otherwise would have
    been created and associated with the DRC during device_add command.
    
    Check for NULL FDT and return failure from configure_connector call.
    As per PAPR+, an error value of -9003 seems appropriate for this failure.
    
    Signed-off-by: Bharata B Rao <bharata@linux.vnet.ibm.com>
    Cc: Michael Roth <mdroth@linux.vnet.ibm.com>
    Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
    Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
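Added example, not code from QEMU, from the patch above or from the upstream commit: a small C model of what comment 3 and the commit message describe, so the failure mode can be run and checked outside a ppc64le host. A DRC table is created at machine init for every hotpluggable slot, attach() populates a slot's FDT only on device_add, and a guest-chosen index is looked up twice, once to see whether it is a connector at all and once to see whether that connector has an FDT yet. The unguarded configure function has the pre-fix shape (strlen on the NULL FDT is the segfault), the guarded one the post-fix shape. Assumptions, not taken from the page: the index layout (one connector per 256 MiB LMB above boot RAM, index = 0x80000000 + addr / LMB_SIZE, which is what makes 0x80000010 the first hotpluggable LMB of a 4G guest), the numeric value of RTAS_OUT_PARAM_ERROR, and the helper names drc_by_index/drc_attach, which are hypothetical.

```c
/* Added example (not QEMU code). Assumed, not from the bug page: the DRC index
 * layout (0x80000000 + addr / LMB_SIZE, one connector per 256 MiB LMB above
 * boot RAM) and the numeric value of RTAS_OUT_PARAM_ERROR. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RTAS_OUT_SUCCESS                       0
#define RTAS_OUT_PARAM_ERROR                  -3     /* assumed value */
#define SPAPR_DR_CC_RESPONSE_NOT_CONFIGURABLE -9003  /* PAPR+ value named in the upstream commit */

#define LMB_SIZE      (256ull << 20)
#define RAM_SIZE      (4ull << 30)     /* -m 4G     */
#define MAXMEM_SIZE   (8ull << 30)     /* maxmem=8G */
#define DRC_LMB_BASE  0x80000000u      /* assumed base of memory DRC indexes */

#define FIRST_HOTPLUG_DRC (DRC_LMB_BASE + (uint32_t)(RAM_SIZE / LMB_SIZE))    /* 0x80000010 */
#define NUM_HOTPLUG_DRCS  ((uint32_t)((MAXMEM_SIZE - RAM_SIZE) / LMB_SIZE))   /* 16 */

/* A connector exists from machine init; fdt stays NULL until attach() runs on device_add. */
typedef struct {
    uint32_t    drc_index;
    const char *fdt;   /* stand-in for the device-tree fragment attach() would build */
} DRC;

static DRC drc_table[NUM_HOTPLUG_DRCS];

static void drc_table_init(void)
{
    for (uint32_t i = 0; i < NUM_HOTPLUG_DRCS; i++) {
        drc_table[i].drc_index = FIRST_HOTPLUG_DRC + i;
        drc_table[i].fdt = NULL;
    }
}

/* NULL means "not a connector"; non-NULL says nothing about whether memory is attached. */
static DRC *drc_by_index(uint32_t drc_index)
{
    if (drc_index < FIRST_HOTPLUG_DRC || drc_index >= FIRST_HOTPLUG_DRC + NUM_HOTPLUG_DRCS) {
        return NULL;
    }
    return &drc_table[drc_index - FIRST_HOTPLUG_DRC];
}

/* Host-side device_add: populate the connector's FDT. */
static int drc_attach(uint32_t drc_index, const char *fdt)
{
    DRC *drc = drc_by_index(drc_index);
    if (!drc) {
        return RTAS_OUT_PARAM_ERROR;
    }
    drc->fdt = fdt;
    return RTAS_OUT_SUCCESS;
}

/* Pre-fix shape: assumes an existing connector also has an FDT.
 * strlen(NULL) here is the segfault from the report; only safe after attach(). */
static int configure_connector_unguarded(uint32_t drc_index, char *out, size_t out_len)
{
    DRC *drc = drc_by_index(drc_index);
    if (!drc) {
        return RTAS_OUT_PARAM_ERROR;
    }
    size_t len = strlen(drc->fdt);
    if (len + 1 > out_len) {
        return RTAS_OUT_PARAM_ERROR;
    }
    memcpy(out, drc->fdt, len + 1);
    return RTAS_OUT_SUCCESS;
}

/* Post-fix shape: a connector with no FDT is a guest-visible error, not a host crash. */
static int configure_connector(uint32_t drc_index, char *out, size_t out_len)
{
    DRC *drc = drc_by_index(drc_index);
    if (!drc) {
        return RTAS_OUT_PARAM_ERROR;                    /* not a connector at all */
    }
    if (!drc->fdt) {
        return SPAPR_DR_CC_RESPONSE_NOT_CONFIGURABLE;   /* slot exists, no device_add yet */
    }
    return configure_connector_unguarded(drc_index, out, out_len);
}

int main(void)
{
    char buf[64];
    drc_table_init();
    /* "drmgr -c mem -a -s 0x80000010" in the guest before any device_add */
    printf("before device_add: rc=%d\n", configure_connector(0x80000010u, buf, sizeof buf));
    drc_attach(0x80000010u, "memory@100000000");   /* constructed FDT stand-in */
    printf("after device_add:  rc=%d fdt=%s\n", configure_connector(0x80000010u, buf, sizeof buf), buf);
    printf("outside maxmem:    rc=%d\n", configure_connector(0x80000020u, buf, sizeof buf));
    return 0;
}
```

The point the model makes is that "the index names a connector" and "the connector has been populated" are two different checks, and the guest controls which one it exercises: any LMB index in the maxmem range passes the first check from boot onward, so the second check has to exist on the host side for the guest error to be reported instead of the host process dying.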
Comment 11 Min Deng 2016-05-31 22:44:05 EDT
Verified the bug on the following builds; for detailed steps please refer to the original description and comment 2.
Build info,qemu-kvm-rhev-2.6.0-4.el7.ppc64le
           kernel-3.10.0-418.el7.ppc64le
           SLOF-20160223-3.gitdbbfda4.el7.noarch
  Now, the guest won't crash even if an invalid value is used by "drmgr". The issue has been fixed. Thanks for the developer's effort! Any issues, please let me know.
Comment 13 errata-xmlrpc 2016-11-07 15:55:51 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2673.html
