Bug 1299030 - drmgr with invalid value in guest crashes qemu
Summary: drmgr with invalid value in guest crashes qemu
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.2
Hardware: ppc64le
OS: Linux
Target Milestone: rc
Assignee: Laurent Vivier
QA Contact: Virtualization Bugs
Depends On:
Blocks: 1306343 RHEV4.0PPC RHV4.1PPC
Reported: 2016-01-15 18:02 UTC by Laurent Vivier
Modified: 2016-11-07 20:55 UTC (History)

Fixed In Version: qemu-kvm-rhev-2.5.0-1.el7
Doc Type: Bug Fix
Doc Text:
Previously, if the drmgr command was used in the guest to hot plug a device before a device_add command was issued via the QEMU monitor, QEMU terminated unexpectedly with a segmentation fault. This update fixes the handling of drmgr so that in the described circumstances, an error is properly raised and QEMU does not crash.
Clone Of:
: 1306343 (view as bug list)
Last Closed: 2016-11-07 20:55:51 UTC
Target Upstream Version:


Errata:
  System: Red Hat Product Errata
  ID: RHBA-2016:2673
  Priority: normal
  Status: SHIPPED_LIVE
  Summary: qemu-kvm-rhev bug fix and enhancement update
  Last Updated: 2016-11-08 01:06:13 UTC

Description Laurent Vivier 2016-01-15 18:02:04 UTC
Description of problem:

While debugging BZ1276205, I've found that invalid value used with "drmgr" can crash the VM.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

1. start a guest with "-m 4G,slots=8,maxmem=8G"
   (see BZ1276205 for details)

2. in the guest: "drmgr -c mem -a -s 0x80000010"

Actual results:

 16438 Segmentation fault      $QEMU -name bz1276205 -machine pseries,accel=kvm,usb=off -nodefaults -m 4G,slots=8,maxmem=8G -smp 4 -vga none -nographic -chardev stdio,id=conmon,mux=on,signal=off -device spapr-vty,chardev=conmon -mon conmon -netdev bridge,id=hostnet0,br=virbr0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=$MAC,bus=pci.0,addr=0x6 -drive file=$IMAGE,if=none,id=drive-scsi0-0-0-0,format=qcow2,rerror=stop,werror=stop -device virtio-blk-pci,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bus=pci.0,addr=0x3,bootindex=1

Expected results:

No segfault.

Additional info:

Comment 2 Min Deng 2016-01-18 06:18:15 UTC
Reproduced the bug on the following build and CLI.
Log info:
 96056 Segmentation fault      (core dumped) /usr/libexec/qemu-kvm -name RHEL-7.2 -machine pseries,accel=kvm,usb=off -m 4G,slots=32,maxmem=40G -numa node -realtime mlock=off -smp 8,sockets=2,cores=2,threads=2 -rtc base=localtime,clock=host,driftfix=slew -monitor stdio -boot menu=on -usb -vnc :99 -device VGA,id=video0,vgamem_mb=16,bus=pci.0,addr=0x5 -device usb-kbd,id=input0 -device usb-mouse,id=input1 -device usb-tablet,id=input2 -msg timestamp=on -netdev tap,id=hostnet0,script=/etc/qemu-ifup,downscript=/etc/qemu-ifdown -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:c4:e7:93,bus=pci.0,addr=0x6 -qmp tcp:0:6666,server,nowait -serial unix:/tmp/console0,server,nowait -device virtio-scsi-pci,id=scsi0 -drive file=/home/mdeng/autotest/client/tests/virt/shared/data/images/RHEL-Server-7.2-ppc64le-virtio-scsi.qcow2,if=none,id=drive-scsi0-0-0-0,format=qcow2,cache=none,rerror=stop,werror=stop,aio=native -device virtio-blk-pci,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bus=pci.0,addr=0x3,bootindex=1

Comment 3 Laurent Vivier 2016-01-22 15:53:21 UTC
With drmgr, we are trying to configure a slot with no memory inside.

The slot exists because of "-m 4G,slots=8,maxmem=8G".

But no memory has been attached, so some fields are empty, like "fdt", which is normally filled by "attach()" (in spapr_drc.c).

So when drmgr tries to configure it, the kernel calls the RTAS interface "ibm,configure-connector", and when rtas_ibm_configure_connector() wants to use "fdt", it is using a NULL pointer -> crash.

This fixes the problem:

diff --git a/hw/ppc/spapr_rtas.c b/hw/ppc/spapr_rtas.c
index 2986f94..a5c7be3 100644
--- a/hw/ppc/spapr_rtas.c
+++ b/hw/ppc/spapr_rtas.c
@@ -515,6 +515,12 @@ static void rtas_ibm_configure_connector(PowerPCCPU *cpu,
     fdt = drck->get_fdt(drc, NULL);
+    if (!fdt) {
+        DPRINTF("rtas_ibm_configure_connector: invalid DRC index, FDT is NULL: %xh\n",
+                drc_index);
+        rc = RTAS_OUT_PARAM_ERROR;
+        goto out;
+    }
     ccs = spapr_ccs_find(spapr, drc_index);
     if (!ccs) {
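Review bot: the DPRINTF text "invalid DRC index" is misleading at this point in the hunk: the DRC was already found by the time get_fdt() returns NULL, so the index is valid and what is missing is the FDT that attach() would have populated (exactly the "slot exists but nothing attached" case described in the comment above). Suggest wording it as "missing FDT for DRC index: %xh". Relatedly, consider whether RTAS_OUT_PARAM_ERROR is the right return for this case: the call itself is well formed, the connector simply has nothing to configure, and the upstream commit message quoted in the next comment says a PAPR+ value of -9003 is the appropriate response for that, which would let the guest distinguish "nothing plugged here" from a malformed call.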

Comment 4 Laurent Vivier 2016-01-22 16:06:51 UTC
Already fixed upstream by:

commit e6fc9568c865f2f81499475a4e322cd563fdfd90
Author: Bharata B Rao <bharata@linux.vnet.ibm.com>
Date:   Tue Sep 1 09:53:52 2015 +1000

    spapr_rtas: Prevent QEMU crash during hotplug without a prior device_add

    If drmgr is used in the guest to hotplug a device before a device_add
    has been issued via the QEMU monitor, QEMU segfaults in configure_connector
    call. This occurs due to accessing of NULL FDT which otherwise would have
    been created and associated with the DRC during device_add command.
    Check for NULL FDT and return failure from configure_connector call.
    As per PAPR+, an error value of -9003 seems appropriate for this failure.

    Signed-off-by: Bharata B Rao <bharata@linux.vnet.ibm.com>
    Cc: Michael Roth <mdroth@linux.vnet.ibm.com>
    Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
    Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
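
The failure path described in comments 3 and 4, as an added C model (not QEMU's code and not part of this bug report): a DRC table whose slots exist from boot but whose FDT is only filled in by an attach() triggered by device_add, with the configure-connector handler shown before and after the NULL-FDT check. The names drc_t, drc_attach and configure_connector_* are hypothetical; 0 and -3 are assumed to match RTAS_OUT_SUCCESS and RTAS_OUT_PARAM_ERROR in QEMU's spapr.h, -9003 is the value the upstream commit message cites, the index layout (type nibble 0x8 for LMB, slot id in the low bits, so 0x80000010 is slot 16) and the 16 boot LMBs are assumptions modelled on the report's "-m 4G,slots=8,maxmem=8G".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return codes: 0 / -3 assumed from QEMU's spapr.h, -9003 from the upstream
 * commit message (PAPR+ "not configurable"). */
#define RTAS_OUT_SUCCESS                       0
#define RTAS_OUT_PARAM_ERROR                  -3
#define SPAPR_DR_CC_RESPONSE_NOT_CONFIGURABLE -9003

/* Assumed DRC index layout: top nibble = connector type (0x8 = LMB), low
 * bits = slot id, so the report's 0x80000010 is LMB slot 16. */
#define DRC_TYPE_LMB    0x8u
#define DRC_INDEX(id)   ((DRC_TYPE_LMB << 28) | (uint32_t)(id))
#define DRC_ID(index)   ((index) & 0x0fffffffu)
#define DRC_TYPE(index) ((index) >> 28)

/* Hypothetical DRC record: the slot exists because of slots=/maxmem=, but
 * fdt stays NULL until attach() runs for a device_add. */
typedef struct {
    uint32_t    index;
    const char *fdt;   /* stand-in for the flattened device tree fragment */
} drc_t;

#define BOOT_LMBS 16   /* assumed: 4G of boot memory in 256M LMBs, slots 0..15 */
#define MAX_LMBS  32   /* assumed: boot LMBs plus hot-pluggable slots up to maxmem */

static drc_t drc_table[MAX_LMBS];

static void drc_table_init(void)
{
    for (uint32_t i = 0; i < MAX_LMBS; i++) {
        drc_table[i].index = DRC_INDEX(i);
        drc_table[i].fdt   = (i < BOOT_LMBS) ? "memory@0 (boot)" : NULL;
    }
}

static drc_t *drc_lookup(uint32_t index)
{
    if (DRC_TYPE(index) != DRC_TYPE_LMB || DRC_ID(index) >= MAX_LMBS) {
        return NULL;   /* no such connector at all */
    }
    return &drc_table[DRC_ID(index)];
}

/* device_add path: attach() is what gives a slot its FDT. */
static int drc_attach(uint32_t index, const char *fdt)
{
    drc_t *drc = drc_lookup(index);
    if (!drc || drc->fdt) {
        return -1;
    }
    drc->fdt = fdt;
    return 0;
}

/* Before the fix: a found DRC is assumed to carry an FDT. Called on a slot
 * that was never attached, this dereferences NULL (the reported segfault). */
static int configure_connector_unfixed(uint32_t index, size_t *fdt_len)
{
    drc_t *drc = drc_lookup(index);
    if (!drc) {
        return RTAS_OUT_PARAM_ERROR;
    }
    *fdt_len = strlen(drc->fdt);   /* NULL deref when nothing was attached */
    return RTAS_OUT_SUCCESS;
}

/* After the fix: a NULL FDT on an existing DRC becomes a guest-visible error. */
static int configure_connector_fixed(uint32_t index, size_t *fdt_len)
{
    drc_t *drc = drc_lookup(index);
    if (!drc) {
        return RTAS_OUT_PARAM_ERROR;                  /* bogus index */
    }
    if (!drc->fdt) {
        return SPAPR_DR_CC_RESPONSE_NOT_CONFIGURABLE; /* slot exists, nothing plugged */
    }
    *fdt_len = strlen(drc->fdt);
    return RTAS_OUT_SUCCESS;
}

/* The reporter's sequence and two variants, each from a freshly booted table. */
static int rc_drmgr_without_device_add(void)
{
    size_t n = 0;
    drc_table_init();
    return configure_connector_fixed(0x80000010u, &n);
}

static int rc_drmgr_after_device_add(void)
{
    size_t n = 0;
    drc_table_init();
    drc_attach(0x80000010u, "memory@100000000 (hotplugged)");
    return configure_connector_fixed(0x80000010u, &n);
}

static int rc_bogus_index(void)
{
    size_t n = 0;
    drc_table_init();
    return configure_connector_fixed(0x80000040u, &n);   /* slot 64 does not exist */
}

int main(void)
{
    size_t n = 0;
    printf("drmgr before device_add: %d\n", rc_drmgr_without_device_add());
    printf("drmgr after device_add:  %d\n", rc_drmgr_after_device_add());
    printf("bogus DRC index:         %d\n", rc_bogus_index());
    /* Safe only on a populated slot; on slot 16 before attach it would crash. */
    printf("unfixed handler, boot slot: %d\n", configure_connector_unfixed(DRC_INDEX(0), &n));
    return 0;
}
```

The point of the three return values is that the fixed handler keeps "no such connector" (-3) and "connector present but nothing attached" (-9003) distinct, so a guest tool like drmgr gets an error it can report instead of taking the whole VM down with it.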

Comment 11 Min Deng 2016-06-01 02:44:05 UTC
Verified the bug on the following build; for detailed steps please refer to the original description and comment 2.
Build info: qemu-kvm-rhev-2.6.0-4.el7.ppc64le
  Now the guest won't crash even if an invalid value is used by "drmgr". The issue has been fixed. Thanks for the developer's effort! Any issues, please let me know.

Comment 13 errata-xmlrpc 2016-11-07 20:55:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

