Bug 1367040 - QEMU crash when guest notifies non-existent virtqueue
Summary: QEMU crash when guest notifies non-existent virtqueue
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: jason wang
QA Contact: Guo, Zhiyi
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-08-15 11:22 UTC by Stefan Hajnoczi
Modified: 2016-11-03 20:02 UTC

Fixed In Version: qemu-kvm-1.5.3-122.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-03 20:02:24 UTC
Target Upstream Version:


Attachments
Makefile for handle-output kernel module (25 bytes, text/plain), 2016-08-15 11:25 UTC, Stefan Hajnoczi
Reproducer kernel module (1.00 KB, text/x-csrc), 2016-08-15 11:26 UTC, Stefan Hajnoczi


Links
System ID: Red Hat Product Errata RHSA-2016:2585
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: qemu-kvm security, bug fix, and enhancement update
Last Updated: 2016-11-03 12:09:03 UTC

Description Stefan Hajnoczi 2016-08-15 11:22:57 UTC
Description of problem:

zhguo from QE hit the QEMU crash fixed in:

  commit 9e0f5b8108e248b78444c9a2ec41a8309825736c
  Author: Jason Wang <jasowang@redhat.com>
  Date:   Thu Mar 12 17:50:18 2015 +0800

    virtio: validate the existence of handle_output before calling it

The fix isn't present in qemu-kvm RHEL 5, 6, or 7.  QEMU jumps to 0x0 if
the guest sets up a vring that is unused by the device and then notifies
it.

How reproducible:
100%

Steps to Reproduce:
1. Install gcc and kernel-devel inside the guest
2. Build the kernel module: make -C /lib/modules/$(uname -r)/build M=$PWD
3. Enable kernel module: insmod handle-output.ko

Actual results:
QEMU crashes with a jump to 0x0.

Expected results:
QEMU does not crash and the following guest kernel message is printed to the console:
  Trying to trigger crash...
  Unsuccessful - QEMU is fixed!
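The fix named in the description makes the notify path check that a handler exists before dispatching. The following is an added illustration, not QEMU's own code: a cut-down C model of virtqueue dispatch with the fixed condition, where the struct layout, VIRTIO_QUEUE_MAX value and the handle_request helper are simplified assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Cut-down model of QEMU's virtqueue dispatch; names follow hw/virtio/virtio.c but are simplified. */
typedef struct VirtIODevice VirtIODevice;
typedef struct VirtQueue VirtQueue;
typedef void (*VirtIOHandleOutput)(VirtIODevice *vdev, VirtQueue *vq);
struct VirtQueue {
    uint64_t vring_desc;              /* guest-written descriptor table address; 0 = not set up */
    VirtIOHandleOutput handle_output; /* NULL unless the device model registered this queue */
};

#define VIRTIO_QUEUE_MAX 64           /* assumed size for this model */
struct VirtIODevice {
    VirtQueue vq[VIRTIO_QUEUE_MAX];
    int kicks_handled;
};

/* Handler a device model installs on the queues it actually uses (hypothetical helper). */
void handle_request(VirtIODevice *vdev, VirtQueue *vq)
{
    (void)vq;
    vdev->kicks_handled++;
}

/* Guest notify ("kick") path. The pre-fix code tested only vring_desc, so a guest
 * that set up a vring for an index the device never registered made QEMU call a
 * NULL handle_output (the jump to 0x0). The fixed condition also requires a handler. */
bool virtio_queue_notify(VirtIODevice *vdev, unsigned n)
{
    if (n >= VIRTIO_QUEUE_MAX) return false;     /* out-of-range index is ignored */
    VirtQueue *vq = &vdev->vq[n];
    if (vq->vring_desc && vq->handle_output) {   /* fixed check: both must be set */
        vq->handle_output(vdev, vq);
        return true;                             /* kick dispatched */
    }
    return false;                                /* kick ignored, no crash */
}

int main(void)
{
    VirtIODevice dev = {0};
    dev.vq[0].handle_output = handle_request;    /* device registers queue 0 only */
    dev.vq[0].vring_desc = 0x10000;              /* guest sets up queue 0 ... */
    dev.vq[1].vring_desc = 0x20000;              /* ... and queue 1, which was never registered */
    bool q0 = virtio_queue_notify(&dev, 0), q1 = virtio_queue_notify(&dev, 1);
    printf("queue 0 %s, queue 1 %s\n", q0 ? "dispatched" : "ignored", q1 ? "dispatched" : "ignored");
    return (q0 && !q1 && dev.kicks_handled == 1) ? 0 : 1;
}
```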

Comment 1 Stefan Hajnoczi 2016-08-15 11:25:15 UTC
Created attachment 1190855 [details]
Makefile for handle-output kernel module

Comment 2 Stefan Hajnoczi 2016-08-15 11:26:36 UTC
Created attachment 1190856 [details]
Reproducer kernel module

Comment 4 Miroslav Rezanina 2016-08-26 15:32:53 UTC
Fix included in qemu-kvm-1.5.3-122.el7

Comment 6 Guo, Zhiyi 2016-09-02 08:33:38 UTC
Tested against a RHEL 7.3 host with a RHEL 7.3 guest; host and guest kernel: 3.10.0-500.el7.x86_64

Reproduced against qemu-kvm-1.5.3-119.el7.x86_64

qemu cli used:
/usr/libexec/qemu-kvm -name rhel7.3 -m 2048 \
        -cpu Haswell \
        -smp 1,threads=2,cores=1,sockets=3,maxcpus=6 \
        -vga qxl \
        -spice port=3003,disable-ticketing \
        -device virtio-serial -chardev spicevmc,id=vdagent,debug=0,name=vdagent \
        -serial unix:/tmp/m,server,nowait \
        -device virtserialport,chardev=vdagent,name=com.redhat.spice.0 \
        -drive file=/home/ss1rhel73.qcow2,if=none,id=drive-scsi-disk0,format=qcow2,cache=none,werror=stop,rerror=stop -device virtio-scsi-pci,id=scsi0 -device scsi-hd,drive=drive-scsi-disk0,bus=scsi0.0,scsi-id=0,lun=0,id=scsi-disk0,bootindex=1 \
        -monitor stdio \
        -usb -device usb-kbd,id=input0 \
        -netdev tap,id=idinWyYp,vhost=on -device virtio-net-pci,mac=42:ce:a9:d2:4d:d7,id=idlbq7eA,netdev=idinWyYp \
        -qmp tcp:localhost:4444,server,nowait

Steps:
1. Modify "#define VIRTIO_BASE_ADDR 0xc040" to my virtio-scsi port
2. Build the kernel module: make -C /lib/modules/$(uname -r)/build M=$PWD
3. Enable kernel module: insmod handle-output.ko

Results:
QEMU core dump

Replacing virtio-scsi-pci with virtio-blk-pci and redoing the steps gives a QEMU core dump again.

Verified with qemu-kvm-1.5.3-122.el7.x86_64, tested against virtio-blk-pci/virtio-scsi-pci; guest dmesg output:
  Trying to trigger crash...
  Unsuccessful - QEMU is fixed!

Comment 7 Guo, Zhiyi 2016-09-06 07:48:11 UTC
Synced with Jason; the bug has been fixed per comment 6, moving to verified.

Comment 9 errata-xmlrpc 2016-11-03 20:02:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2585.html

