Description of problem:
zhguo from QE hit the QEMU crash fixed in:

commit 9e0f5b8108e248b78444c9a2ec41a8309825736c
Author: Jason Wang <jasowang@redhat.com>
Date:   Thu Mar 12 17:50:18 2015 +0800

    virtio: validate the existence of handle_output before calling it

The fix isn't present in qemu-kvm RHEL 5, 6, or 7. QEMU jumps to 0x0 if the guest sets up a vring that is unused by the device and then notifies it.

How reproducible: 100%

Steps to Reproduce:
1. Install gcc and kernel-devel inside the guest
2. Build the kernel module: make -C /lib/modules/$(uname -r)/build M=$PWD
3. Enable kernel module: insmod handle-output.ko

Actual results:
QEMU crashes with a jump to 0x0.

Expected results:
QEMU does not crash and the following guest kernel message is printed to the console:
Trying to trigger crash... Unsuccessful - QEMU is fixed!
Created attachment 1190855: Makefile for handle-output kernel module
Created attachment 1190856: Reproducer kernel module
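A model of the check the referenced commit adds, written as an added example for this bug and not taken from QEMU: a device registers handlers only for the queues it uses, so the notify path must verify that a handler exists before dereferencing it. The struct and function names mirror QEMU's naming but are simplified assumptions, and the queue table size and guest addresses are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#define VIRTIO_QUEUE_MAX 8   /* constructed: small queue table for the example */
struct VirtIODevice;
typedef struct VirtQueue {
    uint64_t vring_desc;  /* guest-physical address of the descriptor table; 0 = not set up */
    void (*handle_output)(struct VirtIODevice *, struct VirtQueue *); /* NULL if none registered */
    unsigned kicks;       /* how many times the handler actually ran */
} VirtQueue;
typedef struct VirtIODevice { VirtQueue vq[VIRTIO_QUEUE_MAX]; } VirtIODevice;
enum notify_result { NOTIFY_HANDLED, NOTIFY_BAD_INDEX, NOTIFY_VRING_NOT_SETUP, NOTIFY_NO_HANDLER };

/* The handler a device registers only for the queues it really uses. */
static void handle_request(VirtIODevice *vdev, VirtQueue *vq) { (void)vdev; vq->kicks++; }
/* Unfixed dispatch (kept for contrast, never called): checks only that the vring was set up,
 * then calls the pointer blindly, so a kick on a queue without a handler jumps to 0x0. */
void virtio_queue_notify_unfixed(VirtIODevice *vdev, int n)
{
    VirtQueue *vq = &vdev->vq[n];
    if (vq->vring_desc) vq->handle_output(vdev, vq);
}

/* Fixed dispatch: refuse the kick unless index, vring and handler are all valid. */
enum notify_result virtio_queue_notify(VirtIODevice *vdev, int n)
{
    if (n < 0 || n >= VIRTIO_QUEUE_MAX) return NOTIFY_BAD_INDEX;
    VirtQueue *vq = &vdev->vq[n];
    if (!vq->vring_desc) return NOTIFY_VRING_NOT_SETUP;
    if (!vq->handle_output) return NOTIFY_NO_HANDLER;   /* the check the referenced commit adds */
    vq->handle_output(vdev, vq);
    return NOTIFY_HANDLED;
}

/* Constructed device: the transport exposes VIRTIO_QUEUE_MAX slots, but only queue 0 gets a handler. */
void device_init(VirtIODevice *vdev)
{
    for (int i = 0; i < VIRTIO_QUEUE_MAX; i++) {
        vdev->vq[i].vring_desc = 0; vdev->vq[i].handle_output = NULL; vdev->vq[i].kicks = 0;
    }
    vdev->vq[0].handle_output = handle_request;
}

/* Scenario from the bug: the guest sets up queue 0 (used) and queue 3 (unused), then kicks n. */
enum notify_result demo_kick(int n)
{
    VirtIODevice dev;
    device_init(&dev);
    dev.vq[0].vring_desc = 0x1000;   /* constructed guest-physical addresses */
    dev.vq[3].vring_desc = 0x2000;
    return virtio_queue_notify(&dev, n);
}
```

Kicking queue 3 returns NOTIFY_NO_HANDLER from the fixed path, where the unfixed path would have called a NULL function pointer.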
Fix included in qemu-kvm-1.5.3-122.el7
Test against rhel 7.3 host with rhel 7.3 guest, host & guest kernel: 3.10.0-500.el7.x86_64

Reproduce against qemu-kvm-1.5.3-119.el7.x86_64

qemu cli used:
/usr/libexec/qemu-kvm -name rhel7.3 -m 2048 \
-cpu Haswell \
-smp 1,threads=2,cores=1,sockets=3,maxcpus=6 \
-vga qxl \
-spice port=3003,disable-ticketing \
-device virtio-serial -chardev spicevmc,id=vdagent,debug=0,name=vdagent \
-serial unix:/tmp/m,server,nowait \
-device virtserialport,chardev=vdagent,name=com.redhat.spice.0 \
-drive file=/home/ss1rhel73.qcow2,if=none,id=drive-scsi-disk0,format=qcow2,cache=none,werror=stop,rerror=stop -device virtio-scsi-pci,id=scsi0 -device scsi-hd,drive=drive-scsi-disk0,bus=scsi0.0,scsi-id=0,lun=0,id=scsi-disk0,bootindex=1 \
-monitor stdio \
-usb -device usb-kbd,id=input0 \
-netdev tap,id=idinWyYp,vhost=on -device virtio-net-pci,mac=42:ce:a9:d2:4d:d7,id=idlbq7eA,netdev=idinWyYp \
-qmp tcp:localhost:4444,server,nowait \

Steps:
1. Modify #define VIRTIO_BASE_ADDR 0xc040 to my virtio scsi port
2. Build the kernel module: make -C /lib/modules/$(uname -r)/build M=$PWD
3. Enable kernel module: insmod handle-output.ko

Results: qemu core dump

Replace virtio-scsi-pci with virtio-blk-pci and redo steps, qemu core dump again.

Verify with qemu-kvm-1.5.3-122.el7.x86_64, test against virtio-blk-pci/virtio-scsi-pci, guest dmesg output:
Trying to trigger crash... Unsuccessful - QEMU is fixed!
Synced with Jason; the bug has been fixed per comment 6, moving to VERIFIED.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2585.html