Bug 1458782 – QEMU crashes after hot-unplugging virtio-serial device

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1458782 - QEMU crashes after hot-unplugging virtio-serial device

Summary:	QEMU crashes after hot-unplugging virtio-serial device

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	qemu-kvm-rhev (Show other bugs)
Sub Component:
Version:	7.4
Hardware:	Unspecified Unspecified

Priority	high Severity high
Target Milestone:	rc
Target Release:	---
Assigned To:	Ladi Prosek
QA Contact:	Sitong Liu
Docs Contact:

URL:
Whiteboard:
Keywords:	Regression

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2017-06-05 08:58 EDT by Ladi Prosek
Modified:	2017-08-02 00:41 EDT (History)
CC List:	16 users (show)

See Also:
Fixed In Version:	qemu-kvm-rhev-2.9.0-8.el7
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:	1449031
Environment:
Last Closed:	2017-08-02 00:41:00 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:2392	normal	SHIPPED_LIVE	Important: qemu-kvm-rhev security, bug fix, and enhancement update	2017-08-01 16:04:36 EDT

Groups: None (edit)

Description Ladi Prosek 2017-06-05 08:58:56 EDT

+++ Opening as clone of virtio-scsi Bug #1449031; the bug is exactly the same, only in virtio-serial +++

Description of problem:

Version-Release number of selected component (if applicable):
qemu-kvm-rhev-2.9.0-2.el7.x86_64&qemu-kvm-rhev-2.9.0-3.el7.x86_64
kernel-3.10.0-661.el7.x86_64
seabios-1.10.2-2.el7.x86_64
virtio-win-prewhql-136

How reproducible:
100%

Steps to Reproduce:
1.boot win2016 guest:
/usr/libexec/qemu-kvm \
  -name 137SRLW10S64TRT \
  -enable-kvm -m 6G -smp 8 \
  -nodefconfig -nodefaults \
  -rtc base=localtime,driftfix=slew \
  -boot order=cd,menu=on \
  -drive file=137SRLW10S64TRT,if=none,id=drive-ide0-0-0,format=raw,serial=mike_cao,cache=none \
  -device ide-drive,bus=ide.0,drive=drive-ide0-0-0,id=ide0-0-0 \
  -drive file=en_windows_server_2016_x64_dvd_9718492.iso,if=none,media=cdrom,id=drive-ide0-1-0,readonly=on,format=raw \
  -device ide-drive,bus=ide.1,drive=drive-ide0-1-0,id=ide0-1-0 \
  -netdev tap,script=/etc/qemu-ifup,downscript=no,id=hostnet0 \
  -device e1000,netdev=hostnet0,id=net0,mac=00:52:69:6c:2a:84 \
  -usb -device usb-tablet,id=input0 \
  -vnc 0.0.0.0:0 -vga std -monitor stdio \
  -qmp tcp:0:1234,server,nowait -M q35 \
  -device ioh3420,bus=pcie.0,id=root1.0,slot=1 \
  -drive file=137SRLW10S64TRT_ovmf/OVMF_CODE.secboot.fd,if=pflash,format=raw,unit=0,readonly=on \
  -drive file=137SRLW10S64TRT_ovmf/OVMF_VARS.fd,if=pflash,format=raw,unit=1 \
  -drive file=137SRLW10S64TRT_ovmf/UefiShell.iso,if=none,cache=none,snapshot=off,aio=native,media=cdrom,id=cdrom1 \
  -device ide-cd,drive=cdrom1,id=ide-cd1 \
  -device virtio-serial-pci,id=virtio-serial0,max_ports=511,bus=root1.0 \
  -chardev socket,id=channel1,path=/tmp/helloworld1,server,nowait \
  -device virtserialport,chardev=channel1,name=com.redhat.rhevm.vdsm1,bus=virtio-serial0.0,id=port1

2.hot-unplug virtio-serial:
(qemu) device_del virtio-serial0

3.interact with the guest: open start menu, click around the desktop

Actual results:
QEMU crashes at a memory listener related callstack

Expected results:
QEMU doesn't crash

Comment 3 Ladi Prosek 2017-06-05 09:01:25 EDT

Fixed in upstream commit:

commit f811f97040a48358b456b46ecbc9167f0131034f
Author: Ladi Prosek <lprosek@redhat.com>
Date:   Tue May 30 10:59:43 2017 +0200

    virtio-serial-bus: Unset hotplug handler when unrealize
    
    Virtio serial device controls the lifetime of virtio-serial-bus and
    virtio-serial-bus links back to the device via its hotplug-handler
    property. This extra ref-count prevents the device from getting
    finalized, leaving the VirtIODevice memory listener registered and
    leading to use-after-free later on.
    
    This patch addresses the same issue as Fam Zheng's
    "virtio-scsi: Unset hotplug handler when unrealize"
    only for a different virtio device.

Comment 5 Miroslav Rezanina 2017-06-06 04:55:18 EDT

Fix included in qemu-kvm-rhev-2.9.0-8.el7

Comment 7 FuXiangChun 2017-06-13 06:23:04 EDT

Reproduced this bug with qemu-kvm-rhev-2.9.0-7.el7.x86_64 & 3.10.0-675.el7.x86_64

Boot win2016 guest.

/usr/libexec/qemu-kvm \
-M pc \
-cpu Westmere \
-nodefaults -rtc base=utc \
-m 2G \
-smp 4,sockets=2,cores=2,threads=1 \
-enable-kvm \
-name rhel7.4 \
-uuid 990ea161-6b67-47b2-b803-19fb01d30d12 \
-k en-us \
-global isa-debugcon.iobase=0x402 \
-serial unix:/tmp/console,server,nowait \
-qmp tcp::4446,server,nowait \
-drive file=/home/win2016-64-virtio-scsi-2.qcow2,if=none,id=drive0,format=qcow2,cache=none,werror=stop,rerror=stop,aio=threads \
-device virtio-scsi-pci,id=scsi1,disable-legacy=off,disable-modern=off \
-device scsi-hd,id=virtio-disk0,drive=drive0,bus=scsi1.0,bootindex=1 \
-boot menu=on \
-vnc :1 \
-monitor stdio \
-device virtio-net-pci,netdev=tap10,mac=08:9e:01:c2:6d:6e,disable-legacy=off,disable-modern=off,bootindex=4 \
-netdev tap,id=tap10 \
-smbios type=1,manufacturer=redhat-kvmqe,product=rhel7.4-kvm,version=7.444444,serial=123456789,uuid=4C4C4544-0044-3010-8047-B4C04F313232,sku=fuxc,family=rhel7 \
-fda /usr/share/virtio-win/virtio-win_amd64.vfd \
-vga qxl \
-device virtio-serial-pci,id=virtio-serial0,max_ports=511 \
-chardev socket,id=channel1,path=/tmp/helloworld1,server,nowait \
-device virtserialport,chardev=channel1,name=com.redhat.rhevm.vdsm1,bus=virtio-serial0.0,id=port1 \


(qemu) device_del virtio-serial0
(qemu) device_add virtio-serial-pci,id=serial1
(qemu) device_del serial1
(qemu) device_add virtio-serial-pci,id=serial1
(qemu) device_del serial1

result:
qemu-kvm core dump

Verified this bug with qemu-kvm-rhev-2.9.0-9.el7.x86_64 & 3.10.0-675.el7.x86_64

hotplug and unhotplug as above(repeat 50 times), qemu-kvm process and win2016 guest work well.  So, this bug is fixed.

Comment 9 errata-xmlrpc 2017-08-02 00:41:00 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2392

Note You need to log in before you can comment on or make changes to this bug.