Red Hat Bugzilla – Bug 1458782
QEMU crashes after hot-unplugging virtio-serial device
Last modified: 2017-08-02 00:41:00 EDT
+++ Opening as clone of virtio-scsi Bug #1449031; the bug is exactly the same, only in virtio-serial +++

Description of problem:

Version-Release number of selected component (if applicable):
qemu-kvm-rhev-2.9.0-2.el7.x86_64 & qemu-kvm-rhev-2.9.0-3.el7.x86_64
kernel-3.10.0-661.el7.x86_64
seabios-1.10.2-2.el7.x86_64
virtio-win-prewhql-136

How reproducible:
100%

Steps to Reproduce:
1. boot win2016 guest:
/usr/libexec/qemu-kvm \
 -name 137SRLW10S64TRT \
 -enable-kvm -m 6G -smp 8 \
 -nodefconfig -nodefaults \
 -rtc base=localtime,driftfix=slew \
 -boot order=cd,menu=on \
 -drive file=137SRLW10S64TRT,if=none,id=drive-ide0-0-0,format=raw,serial=mike_cao,cache=none \
 -device ide-drive,bus=ide.0,drive=drive-ide0-0-0,id=ide0-0-0 \
 -drive file=en_windows_server_2016_x64_dvd_9718492.iso,if=none,media=cdrom,id=drive-ide0-1-0,readonly=on,format=raw \
 -device ide-drive,bus=ide.1,drive=drive-ide0-1-0,id=ide0-1-0 \
 -netdev tap,script=/etc/qemu-ifup,downscript=no,id=hostnet0 \
 -device e1000,netdev=hostnet0,id=net0,mac=00:52:69:6c:2a:84 \
 -usb -device usb-tablet,id=input0 \
 -vnc 0.0.0.0:0 -vga std -monitor stdio \
 -qmp tcp:0:1234,server,nowait -M q35 \
 -device ioh3420,bus=pcie.0,id=root1.0,slot=1 \
 -drive file=137SRLW10S64TRT_ovmf/OVMF_CODE.secboot.fd,if=pflash,format=raw,unit=0,readonly=on \
 -drive file=137SRLW10S64TRT_ovmf/OVMF_VARS.fd,if=pflash,format=raw,unit=1 \
 -drive file=137SRLW10S64TRT_ovmf/UefiShell.iso,if=none,cache=none,snapshot=off,aio=native,media=cdrom,id=cdrom1 \
 -device ide-cd,drive=cdrom1,id=ide-cd1 \
 -device virtio-serial-pci,id=virtio-serial0,max_ports=511,bus=root1.0 \
 -chardev socket,id=channel1,path=/tmp/helloworld1,server,nowait \
 -device virtserialport,chardev=channel1,name=com.redhat.rhevm.vdsm1,bus=virtio-serial0.0,id=port1

2. hot-unplug virtio-serial:
(qemu) device_del virtio-serial0

3. interact with the guest: open start menu, click around the desktop

Actual results:
QEMU crashes at a memory listener related callstack

Expected results:
QEMU doesn't crash
Fixed in upstream commit:

commit f811f97040a48358b456b46ecbc9167f0131034f
Author: Ladi Prosek <lprosek@redhat.com>
Date:   Tue May 30 10:59:43 2017 +0200

    virtio-serial-bus: Unset hotplug handler when unrealize

    Virtio serial device controls the lifetime of virtio-serial-bus and
    virtio-serial-bus links back to the device via its hotplug-handler
    property. This extra ref-count prevents the device from getting
    finalized, leaving the VirtIODevice memory listener registered and
    leading to use-after-free later on.

    This patch addresses the same issue as Fam Zheng's "virtio-scsi: Unset
    hotplug handler when unrealize" only for a different virtio device.
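The commit message above describes a reference cycle: the device owns the bus, the bus holds a strong hotplug-handler reference back to the device, and the device's memory listener is only unregistered when the device is finalized. The following is an added, self-contained C model of that lifecycle (not QEMU's code; all names such as `device_realize`, `listener_register` and `simulate_device_del` are hypothetical stand-ins for QEMU's Object, qbus and memory-listener machinery). It shows that with the back-link left in place the device never reaches finalize and its listener stays registered after device_del, while unsetting the hotplug handler in unrealize, as the fix does, lets the refcount reach zero and the listener go away.

```c
#include <stdio.h>
#include <stdlib.h>

/* Minimal refcounted object, standing in for QEMU's Object (added example). */
typedef struct Object {
    int refcount;
    void (*finalize)(struct Object *);
} Object;

static void object_ref(Object *o)   { o->refcount++; }
static void object_unref(Object *o) { if (--o->refcount == 0) o->finalize(o); }

/* Stand-in for the global memory-listener list: which owners still have a listener. */
#define MAX_LISTENERS 8
static const void *listeners[MAX_LISTENERS];
static int nlisteners;
static int finalized_devices;          /* how many devices actually reached finalize */

static void listener_register(const void *owner) { listeners[nlisteners++] = owner; }
static void listener_unregister(const void *owner)
{
    for (int i = 0; i < nlisteners; i++) {
        if (listeners[i] == owner) { listeners[i] = listeners[--nlisteners]; return; }
    }
}

typedef struct Device Device;
typedef struct Bus {
    Object obj;
    Device *hotplug_handler;           /* strong back-reference to the owning device */
} Bus;
struct Device {
    Object obj;
    Bus *bus;                          /* child bus, released only when the device finalizes */
};

static void bus_finalize(Object *o)
{
    Bus *bus = (Bus *)o;
    if (bus->hotplug_handler) object_unref(&bus->hotplug_handler->obj);
    free(bus);
}

/* The listener is dropped here, in finalize, not in unrealize: a device that is
 * never finalized therefore leaves a listener pointing at it. */
static void device_finalize(Object *o)
{
    Device *dev = (Device *)o;
    listener_unregister(dev);
    finalized_devices++;
    object_unref(&dev->bus->obj);
    free(dev);
}

static Device *device_realize(void)
{
    Device *dev = calloc(1, sizeof *dev);
    if (!dev) abort();
    dev->obj.refcount = 1;             /* the creator's reference */
    dev->obj.finalize = device_finalize;
    dev->bus = calloc(1, sizeof *dev->bus);
    if (!dev->bus) abort();
    dev->bus->obj.refcount = 1;
    dev->bus->obj.finalize = bus_finalize;
    dev->bus->hotplug_handler = dev;   /* bus -> device link ... */
    object_ref(&dev->obj);             /* ... which is a strong reference: refcount 2 */
    listener_register(dev);
    return dev;
}

/* unset_hotplug_handler = 1 models what the fix adds to unrealize. */
static void device_unrealize(Device *dev, int unset_hotplug_handler)
{
    if (unset_hotplug_handler) {
        Device *old = dev->bus->hotplug_handler;
        dev->bus->hotplug_handler = NULL;
        object_unref(&old->obj);
    }
}

typedef struct { int device_finalized; int listeners_left; } Outcome;

/* Models device_del: unrealize, then the creator drops its reference. */
static Outcome simulate_device_del(int with_fix)
{
    nlisteners = 0;
    int before = finalized_devices;
    Device *dev = device_realize();
    device_unrealize(dev, with_fix);
    object_unref(&dev->obj);
    Outcome o = { finalized_devices - before, nlisteners };
    return o;                          /* without the fix, dev is leaked with refcount 1 */
}

int main(void)
{
    Outcome bug = simulate_device_del(0), fixed = simulate_device_del(1);
    printf("without fix: finalized=%d listeners left=%d\n", bug.device_finalized, bug.listeners_left);
    printf("with fix:    finalized=%d listeners left=%d\n", fixed.device_finalized, fixed.listeners_left);
    return 0;
}
```

In the unfixed case the only remaining reference to the device is the one held by its own bus, so nothing can ever release it; the stale listener entry is exactly the dangling pointer the bug report's "memory listener related callstack" is hitting once memory regions change after the unplug.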
Fix included in qemu-kvm-rhev-2.9.0-8.el7
Reproduced this bug with qemu-kvm-rhev-2.9.0-7.el7.x86_64 & 3.10.0-675.el7.x86_64

Boot win2016 guest.
/usr/libexec/qemu-kvm \
 -M pc \
 -cpu Westmere \
 -nodefaults -rtc base=utc \
 -m 2G \
 -smp 4,sockets=2,cores=2,threads=1 \
 -enable-kvm \
 -name rhel7.4 \
 -uuid 990ea161-6b67-47b2-b803-19fb01d30d12 \
 -k en-us \
 -global isa-debugcon.iobase=0x402 \
 -serial unix:/tmp/console,server,nowait \
 -qmp tcp::4446,server,nowait \
 -drive file=/home/win2016-64-virtio-scsi-2.qcow2,if=none,id=drive0,format=qcow2,cache=none,werror=stop,rerror=stop,aio=threads \
 -device virtio-scsi-pci,id=scsi1,disable-legacy=off,disable-modern=off \
 -device scsi-hd,id=virtio-disk0,drive=drive0,bus=scsi1.0,bootindex=1 \
 -boot menu=on \
 -vnc :1 \
 -monitor stdio \
 -device virtio-net-pci,netdev=tap10,mac=08:9e:01:c2:6d:6e,disable-legacy=off,disable-modern=off,bootindex=4 \
 -netdev tap,id=tap10 \
 -smbios type=1,manufacturer=redhat-kvmqe,product=rhel7.4-kvm,version=7.444444,serial=123456789,uuid=4C4C4544-0044-3010-8047-B4C04F313232,sku=fuxc,family=rhel7 \
 -fda /usr/share/virtio-win/virtio-win_amd64.vfd \
 -vga qxl \
 -device virtio-serial-pci,id=virtio-serial0,max_ports=511 \
 -chardev socket,id=channel1,path=/tmp/helloworld1,server,nowait \
 -device virtserialport,chardev=channel1,name=com.redhat.rhevm.vdsm1,bus=virtio-serial0.0,id=port1 \

(qemu) device_del virtio-serial0
(qemu) device_add virtio-serial-pci,id=serial1
(qemu) device_del serial1
(qemu) device_add virtio-serial-pci,id=serial1
(qemu) device_del serial1

result: qemu-kvm core dump

Verified this bug with qemu-kvm-rhev-2.9.0-9.el7.x86_64 & 3.10.0-675.el7.x86_64

Hot-plug and hot-unplug as above (repeat 50 times); qemu-kvm process and win2016 guest work well.

So, this bug is fixed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2392