Bug 1458782 - QEMU crashes after hot-unplugging virtio-serial device
Summary: QEMU crashes after hot-unplugging virtio-serial device
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.4
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: ---
Assignee: Ladi Prosek
QA Contact: Sitong Liu
URL:
Whiteboard:
Keywords: Regression
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-06-05 12:58 UTC by Ladi Prosek
Modified: 2017-08-02 04:41 UTC (History)
16 users (show)

(edit)
Clone Of: 1449031
(edit)
Last Closed: 2017-08-02 04:41:00 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2392 normal SHIPPED_LIVE Important: qemu-kvm-rhev security, bug fix, and enhancement update 2017-08-01 20:04:36 UTC

Description Ladi Prosek 2017-06-05 12:58:56 UTC 
+++ Opening as clone of virtio-scsi Bug #1449031; the bug is exactly the same, only in virtio-serial +++

Description of problem:

Version-Release number of selected component (if applicable):
qemu-kvm-rhev-2.9.0-2.el7.x86_64&qemu-kvm-rhev-2.9.0-3.el7.x86_64
kernel-3.10.0-661.el7.x86_64
seabios-1.10.2-2.el7.x86_64
virtio-win-prewhql-136

How reproducible:
100%

Steps to Reproduce:
1.boot win2016 guest:
/usr/libexec/qemu-kvm \
  -name 137SRLW10S64TRT \
  -enable-kvm -m 6G -smp 8 \
  -nodefconfig -nodefaults \
  -rtc base=localtime,driftfix=slew \
  -boot order=cd,menu=on \
  -drive file=137SRLW10S64TRT,if=none,id=drive-ide0-0-0,format=raw,serial=mike_cao,cache=none \
  -device ide-drive,bus=ide.0,drive=drive-ide0-0-0,id=ide0-0-0 \
  -drive file=en_windows_server_2016_x64_dvd_9718492.iso,if=none,media=cdrom,id=drive-ide0-1-0,readonly=on,format=raw \
  -device ide-drive,bus=ide.1,drive=drive-ide0-1-0,id=ide0-1-0 \
  -netdev tap,script=/etc/qemu-ifup,downscript=no,id=hostnet0 \
  -device e1000,netdev=hostnet0,id=net0,mac=00:52:69:6c:2a:84 \
  -usb -device usb-tablet,id=input0 \
  -vnc 0.0.0.0:0 -vga std -monitor stdio \
  -qmp tcp:0:1234,server,nowait -M q35 \
  -device ioh3420,bus=pcie.0,id=root1.0,slot=1 \
  -drive file=137SRLW10S64TRT_ovmf/OVMF_CODE.secboot.fd,if=pflash,format=raw,unit=0,readonly=on \
  -drive file=137SRLW10S64TRT_ovmf/OVMF_VARS.fd,if=pflash,format=raw,unit=1 \
  -drive file=137SRLW10S64TRT_ovmf/UefiShell.iso,if=none,cache=none,snapshot=off,aio=native,media=cdrom,id=cdrom1 \
  -device ide-cd,drive=cdrom1,id=ide-cd1 \
  -device virtio-serial-pci,id=virtio-serial0,max_ports=511,bus=root1.0 \
  -chardev socket,id=channel1,path=/tmp/helloworld1,server,nowait \
  -device virtserialport,chardev=channel1,name=com.redhat.rhevm.vdsm1,bus=virtio-serial0.0,id=port1

2.hot-unplug virtio-serial:
(qemu) device_del virtio-serial0

3.interact with the guest: open start menu, click around the desktop

Actual results:
QEMU crashes at a memory listener related callstack

Expected results:
QEMU doesn't crash
Comment 3 Ladi Prosek 2017-06-05 13:01:25 UTC 
Fixed in upstream commit:

commit f811f97040a48358b456b46ecbc9167f0131034f
Author: Ladi Prosek <lprosek@redhat.com>
Date:   Tue May 30 10:59:43 2017 +0200

    virtio-serial-bus: Unset hotplug handler when unrealize
    
    Virtio serial device controls the lifetime of virtio-serial-bus and
    virtio-serial-bus links back to the device via its hotplug-handler
    property. This extra ref-count prevents the device from getting
    finalized, leaving the VirtIODevice memory listener registered and
    leading to use-after-free later on.
    
    This patch addresses the same issue as Fam Zheng's
    "virtio-scsi: Unset hotplug handler when unrealize"
    only for a different virtio device.
Comment 5 Miroslav Rezanina 2017-06-06 08:55:18 UTC 
Fix included in qemu-kvm-rhev-2.9.0-8.el7
Comment 7 FuXiangChun 2017-06-13 10:23:04 UTC 
Reproduced this bug with qemu-kvm-rhev-2.9.0-7.el7.x86_64 & 3.10.0-675.el7.x86_64

Boot win2016 guest.

/usr/libexec/qemu-kvm \
-M pc \
-cpu Westmere \
-nodefaults -rtc base=utc \
-m 2G \
-smp 4,sockets=2,cores=2,threads=1 \
-enable-kvm \
-name rhel7.4 \
-uuid 990ea161-6b67-47b2-b803-19fb01d30d12 \
-k en-us \
-global isa-debugcon.iobase=0x402 \
-serial unix:/tmp/console,server,nowait \
-qmp tcp::4446,server,nowait \
-drive file=/home/win2016-64-virtio-scsi-2.qcow2,if=none,id=drive0,format=qcow2,cache=none,werror=stop,rerror=stop,aio=threads \
-device virtio-scsi-pci,id=scsi1,disable-legacy=off,disable-modern=off \
-device scsi-hd,id=virtio-disk0,drive=drive0,bus=scsi1.0,bootindex=1 \
-boot menu=on \
-vnc :1 \
-monitor stdio \
-device virtio-net-pci,netdev=tap10,mac=08:9e:01:c2:6d:6e,disable-legacy=off,disable-modern=off,bootindex=4 \
-netdev tap,id=tap10 \
-smbios type=1,manufacturer=redhat-kvmqe,product=rhel7.4-kvm,version=7.444444,serial=123456789,uuid=4C4C4544-0044-3010-8047-B4C04F313232,sku=fuxc,family=rhel7 \
-fda /usr/share/virtio-win/virtio-win_amd64.vfd \
-vga qxl \
-device virtio-serial-pci,id=virtio-serial0,max_ports=511 \
-chardev socket,id=channel1,path=/tmp/helloworld1,server,nowait \
-device virtserialport,chardev=channel1,name=com.redhat.rhevm.vdsm1,bus=virtio-serial0.0,id=port1 \


(qemu) device_del virtio-serial0
(qemu) device_add virtio-serial-pci,id=serial1
(qemu) device_del serial1
(qemu) device_add virtio-serial-pci,id=serial1
(qemu) device_del serial1

result:
qemu-kvm core dump

Verified this bug with qemu-kvm-rhev-2.9.0-9.el7.x86_64 & 3.10.0-675.el7.x86_64

hotplug and unhotplug as above(repeat 50 times), qemu-kvm process and win2016 guest work well.  So, this bug is fixed.
Comment 9 errata-xmlrpc 2017-08-02 04:41:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2392
Note You need to log in before you can comment on or make changes to this bug.