Bug 1730560 - QEMU core dumped if hotplug memory to a negative slot
Summary: QEMU core dumped if hotplug memory to a negative slot
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux Advanced Virtualization
Classification: Red Hat
Component: qemu-kvm
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
: ---
Assignee: Igor Mammedov
QA Contact: Yumei Huang
URL:
Whiteboard:
Depends On:
Blocks: 1730561
Reported: 2019-07-17 06:52 UTC by Yumei Huang
Modified: 2020-02-05 23:00 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1730561 (view as bug list)
Environment:
Last Closed:
Type: Bug
Target Upstream Version:



Description Yumei Huang 2019-07-17 06:52:07 UTC
Description of problem:
When memory is hotplugged to a negative slot, qemu core dumps.


Version-Release number of selected component (if applicable):
qemu-kvm-4.0.0-5.module+el8.1.0+3622+5812d9bf
kernel-4.18.0-112.el8.x86_64

How reproducible:
always

Steps to Reproduce:
1. Start the qemu process
# /usr/libexec/qemu-kvm -m 1G,maxmem=20G,slots=256 -monitor stdio

2. Hotplug memory to slot '-2'
(qemu) object_add memory-backend-ram,id=mem1,size=1G
(qemu) device_add pc-dimm,id=dimm1,memdev=mem1,slot=-2


Actual results:
(qemu) object_add memory-backend-ram,id=mem1,size=1G
(qemu) device_add pc-dimm,id=dimm1,memdev=mem1,slot=-2
Bus error (core dumped)


Expected results:
QEMU should print an error message instead of a core dump.

Additional info:
Backtrace:
(gdb) bt
#0  0x000055608482ad17 in test_bit (addr=<optimized out>, nr=<optimized out>)
    at /usr/src/debug/qemu-kvm-4.0.0-5.module+el8.1.0+3622+5812d9bf.x86_64/include/qemu/bitops.h:134
#1  0x000055608482ad17 in pc_dimm_get_free_slot (errp=0x7ffd86fde7f0, max_slots=256, hint=<optimized out>)
    at hw/mem/pc-dimm.c:110
#2  0x000055608482ad17 in pc_dimm_pre_plug
    (dimm=0x556086f63160, machine=machine@entry=0x556086b70c00, legacy_align=legacy_align@entry=0x0, errp=errp@entry=0x7ffd86fde8c0) at hw/mem/pc-dimm.c:40
#3  0x0000556084720c30 in pc_memory_pre_plug
    (errp=0x7ffd86fde8c0, dev=0x556086f63160, hotplug_dev=<optimized out>)
    at /usr/src/debug/qemu-kvm-4.0.0-5.module+el8.1.0+3622+5812d9bf.x86_64/hw/i386/pc.c:2748
#4  0x0000556084720c30 in pc_machine_device_pre_plug_cb
    (hotplug_dev=<optimized out>, dev=0x556086f63160, errp=0x7ffd86fde8c0)
    at /usr/src/debug/qemu-kvm-4.0.0-5.module+el8.1.0+3622+5812d9bf.x86_64/hw/i386/pc.c:3045
#5  0x00005560847e4cf6 in device_set_realized
    (obj=<optimized out>, value=<optimized out>, errp=0x7ffd86fde9e8) at hw/core/qdev.c:827
#6  0x00005560848e3a5b in property_set_bool
    (obj=0x556086f63160, v=<optimized out>, name=<optimized out>, opaque=0x556087063020, errp=0x7ffd86fde9e8) at qom/object.c:2074
#7  0x00005560848e7f53 in object_property_set_qobject
    (obj=0x556086f63160, value=<optimized out>, name=0x556084a95e9d "realized", errp=0x7ffd86fde9e8)
    at qom/qom-qobject.c:27
#8  0x00005560848e57c9 in object_property_set_bool
    (obj=0x556086f63160, value=<optimized out>, name=0x556084a95e9d "realized", errp=0x7ffd86fde9e8)
    at qom/object.c:1332
#9  0x00005560847a2e74 in qdev_device_add (opts=opts@entry=0x556086c799b0, errp=errp@entry=0x7ffd86fdeac0)
    at qdev-monitor.c:642
#10 0x00005560847a335b in qmp_device_add
    (qdict=<optimized out>, ret_data=ret_data@entry=0x0, errp=errp@entry=0x7ffd86fdeaf0)
    at qdev-monitor.c:822
#11 0x00005560847ae77d in hmp_device_add (mon=<optimized out>, qdict=<optimized out>) at hmp.c:2169
#12 0x00005560846abdb9 in handle_hmp_command (mon=mon@entry=0x556086b70400, cmdline=<optimized out>, 
    cmdline@entry=0x556086be8c00 " device_add pc-dimm,id=dimm1,memdev=mem1,slot=-2")
    at /usr/src/debug/qemu-kvm-4.0.0-5.module+el8.1.0+3622+5812d9bf.x86_64/monitor.c:3458
#13 0x00005560846ad330 in monitor_command_cb (opaque=0x556086b70400, cmdline=0x556086be8c00 " device_add pc-dimm,id=dimm1,memdev=mem1,slot=-2", readline_opaque=<optimized out>) at /usr/src/debug/qemu-kvm-4.0.0-5.module+el8.1.0+3622+5812d9bf.x86_64/monitor.c:4319
#14 0x00005560849c5ee5 in readline_handle_byte (rs=0x556086be8c00, ch=<optimized out>) at util/readline.c:393
#15 0x00005560846abeb9 in monitor_read (opaque=<optimized out>, buf=<optimized out>, size=<optimized out>) at /usr/src/debug/qemu-kvm-4.0.0-5.module+el8.1.0+3622+5812d9bf.x86_64/monitor.c:4302
#16 0x000055608494cccd in fd_chr_read (chan=0x556086bc3da0, cond=<optimized out>, opaque=<optimized out>) at chardev/char-fd.c:66
#17 0x00007f5497aab67d in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#18 0x00005560849b1ec8 in glib_pollfds_poll () at util/main-loop.c:213
#19 0x00005560849b1ec8 in os_host_main_loop_wait (timeout=<optimized out>) at util/main-loop.c:236
#20 0x00005560849b1ec8 in main_loop_wait (nonblocking=<optimized out>) at util/main-loop.c:512
#21 0x00005560847a6839 in main_loop () at vl.c:1988
#22 0x000055608465b328 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4642

Comment 1 Yumei Huang 2019-07-17 06:55:44 UTC
Strangely, QEMU would take 'slot=-1' as slot 0.

#  /usr/libexec/qemu-kvm -m 1G,maxmem=20G,slots=256 -monitor stdio -numa node
(qemu) object_add memory-backend-ram,id=mem1,size=1G
(qemu) device_add pc-dimm,id=dimm1,memdev=mem1,slot=-1
(qemu) info memory-devices 
Memory device [dimm]: "dimm1"
  addr: 0x100000000
  slot: 0
  node: 0
  size: 1073741824
  memdev: /objects/mem1
  hotplugged: true
  hotpluggable: true
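
The defect the backtrace points at, and the slot=-1 behaviour seen above, as an added C example (not QEMU's own code): a slot lookup modeled on the shape of pc_dimm_get_free_slot() that rejects any hint outside the valid range before it is used as a bitmap index, while keeping -1 as the "pick any free slot" sentinel (QEMU's PC_DIMM_UNASSIGNED_SLOT), which is why slot=-1 lands on slot 0. The bitmap, helper names and error strings are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_SLOTS 256          /* matches -m ...,slots=256 from the report */
#define UNASSIGNED_SLOT (-1)   /* QEMU's PC_DIMM_UNASSIGNED_SLOT: "pick any" */
#define BITS_PER_LONG (8 * sizeof(unsigned long))

/* Constructed stand-in for the bitmap the real lookup builds from the
 * machine's plugged DIMMs: one bit per slot, 1 = occupied. */
static unsigned long slot_bitmap[MAX_SLOTS / BITS_PER_LONG];
static char errbuf[96];        /* last error message, for callers/tests */

static bool slot_is_used(int slot) {
    return (slot_bitmap[slot / BITS_PER_LONG] >> (slot % BITS_PER_LONG)) & 1UL;
}

static void mark_slot_used(int slot) {
    slot_bitmap[slot / BITS_PER_LONG] |= 1UL << (slot % BITS_PER_LONG);
}

/* Hardened lookup. The crashing version only checked "hint >= max_slots",
 * so a hint of -2 reached test_bit() and indexed the bitmap with a
 * negative offset (the bus error in the backtrace). Here any hint outside
 * [0, max_slots) is rejected, and only the documented sentinel -1 means
 * "allocate the first free slot". Returns the slot on success, or -1 with
 * a message written to errbuf. */
static int get_free_slot(int hint, int max_slots) {
    if (hint != UNASSIGNED_SLOT) {
        if (hint < 0 || hint >= max_slots) {
            snprintf(errbuf, sizeof errbuf, "invalid slot# %d, valid range 0-%d",
                     hint, max_slots - 1);
            return -1;
        }
        if (slot_is_used(hint)) {
            snprintf(errbuf, sizeof errbuf, "slot %d is busy", hint);
            return -1;
        }
        return hint;
    }
    for (int slot = 0; slot < max_slots; slot++) {
        if (!slot_is_used(slot)) {
            return slot;
        }
    }
    snprintf(errbuf, sizeof errbuf, "no free slots available");
    return -1;
}
```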

Comment 4 Ademar Reis 2020-02-05 23:00:50 UTC
QEMU has been recently split into sub-components and as a one-time operation to avoid breakage of tools, we are setting the QEMU sub-component of this BZ to "General". Please review and change the sub-component if necessary the next time you review this BZ. Thanks

