Bug 2329448 - qemu 9.1.1.2 → 9.2.0-0.1.rc1 crashes with ../qapi/qobject-output-visitor.c:95: qobject_output_add_obj: Assertion `name' failed.
Summary: qemu 9.1.1.2 → 9.2.0-0.1.rc1 crashes with ../qapi/qobject-output-visitor.c:95...
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: qemu
Version: 42
Hardware: Unspecified
OS: Linux
unspecified
urgent
Target Milestone: ---
Assignee: Fedora Virtualization Maintainers
QA Contact: Fedora Extras Quality Assurance
URL: https://artifacts.dev.testing-farm.io...
Whiteboard: CockpitTest
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-11-29 08:35 UTC by Martin Pitt
Modified: 2025-02-26 13:18 UTC (History)
10 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Martin Pitt 2024-11-29 08:35:56 UTC 
Yesterday, pretty pretty much all of cockpit-machines tests started to fail in rawhide. I bisected this to the qemu 9.1.1.2 → 9.2.0-0.1.rc1 upgrade: https://bodhi.fedoraproject.org/updates/FEDORA-2024-d9af925186 which causes a crash.



Reproducible: Always

Steps to Reproduce:
virsh net-start default
virt-install --memory 50 --pxe --virt-type qemu --os-variant alpinelinux3.8 --disk none --wait 0 --name test1

# should be running now
virsh list --all

virsh domstats test1

# now it's stopped
virsh list --all

Actual Results:  
VM crashes. /var/log/libvirt/qemu/test1.log shows

qemu-system-x86_64: ../qapi/qobject-output-visitor.c:95: qobject_output_add_obj: Assertion `name' failed.
2024-11-29 08:31:13.738+0000: shutting down, reason=crashed


Expected Results:  
VM runs and successfully retrieves domstats

qemu-system-x86-core-9.2.0-0.1.rc1.fc42.x86_64
libvirt-daemon-driver-qemu-10.9.0-1.fc42.x86_64 (but libvirt didn't change)
Comment 1 Richard W.M. Jones 2024-11-29 09:01:52 UTC 
I was able to reproduce this.  Note that it's the 'domstats' command
which causes the crash in qemu.
Comment 2 Martin Pitt 2024-11-29 09:04:21 UTC 
Richard: Yes, I suppose I didn't point that out explicitly. Indeed it's domstats.
Comment 3 Richard W.M. Jones 2024-11-29 09:12:11 UTC 
Thread 5 (Thread 0x7ff0224006c0 (LWP 3862699) "qemu-system-x86"):
#0  syscall () at ../sysdeps/unix/sysv/linux/x86_64/syscall.S:38
#1  0x0000564a0a26ff62 in qemu_futex_wait (val=<optimized out>, f=<optimized out>) at /usr/src/debug/qemu-9.2.0-0.1.rc1.fc42.x86_64/include/qemu/futex.h:29
#2  qemu_event_wait (ev=ev@entry=0x564a0b386b48 <rcu_call_ready_event>) at ../util/qemu-thread-posix.c:464
#3  0x0000564a0a27a666 in call_rcu_thread (opaque=<optimized out>) at ../util/rcu.c:278
#4  0x0000564a0a26f455 in qemu_thread_start (args=0x564a355cdf80) at ../util/qemu-thread-posix.c:541
#5  0x00007ff0237ee797 in start_thread (arg=<optimized out>) at pthread_create.c:447
#6  0x00007ff02387278c in __GI___clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

Thread 4 (Thread 0x7ff0212006c0 (LWP 3862700) "IO mon_iothread"):
#0  0x00007ff023864f70 in __GI_ppoll (fds=fds@entry=0x7fefc8000cf0, nfds=nfds@entry=3, timeout=<optimized out>, timeout@entry=0x0, sigmask=sigmask@entry=0x0) at ../sysdeps/unix/sysv/linux/ppoll.c:42
#1  0x00007ff023d818c0 in ppoll (__fds=0x7fefc8000cf0, __nfds=3, __timeout=0x0, __ss=0x0) at /usr/include/bits/poll2.h:101
#2  g_main_context_poll_unlocked (priority=2147483647, context=0x564a35644030, t--Type <RET> for more, q to quit, c to continue without paging--c
imeout_usec=<optimized out>, fds=0x7fefc8000cf0, n_fds=3) at ../glib/gmain.c:4579
#3  g_main_context_iterate_unlocked.isra.0 (context=0x564a35644030, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4257
#4  0x00007ff023d273f7 in g_main_loop_run (loop=0x564a356441f0) at ../glib/gmain.c:4464
#5  0x0000564a0a13bae9 in iothread_run (opaque=0x564a35926850) at ../iothread.c:70
#6  0x0000564a0a26f455 in qemu_thread_start (args=0x564a35644210) at ../util/qemu-thread-posix.c:541
#7  0x00007ff0237ee797 in start_thread (arg=<optimized out>) at pthread_create.c:447
#8  0x00007ff023872594 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:100

Thread 3 (Thread 0x7fefcec006c0 (LWP 3862701) "CPU 0/TCG"):
#0  0x00007ff0237eae69 in __futex_abstimed_wait_common64 (private=0, futex_word=0x564a3564593c, expected=0, op=393, abstime=0x0, cancel=true) at futex-internal.c:57
#1  __futex_abstimed_wait_common (futex_word=futex_word@entry=0x564a3564593c, expected=expected@entry=0, clockid=clockid@entry=0, abstime=abstime@entry=0x0, private=private@entry=0, cancel=cancel@entry=true) at futex-internal.c:87
#2  0x00007ff0237eaeef in __GI___futex_abstimed_wait_cancelable64 (futex_word=futex_word@entry=0x564a3564593c, expected=expected@entry=0, clockid=clockid@entry=0, abstime=abstime@entry=0x0, private=private@entry=0) at futex-internal.c:139
#3  0x00007ff0237ed8b9 in __pthread_cond_wait_common (cond=0x564a35645910, mutex=0x564a35645910, clockid=0, abstime=0x0) at pthread_cond_wait.c:503
#4  ___pthread_cond_wait (cond=0x564a35645910, mutex=mutex@entry=0x564a0b3598e0 <bql>) at pthread_cond_wait.c:618
#5  0x0000564a0a26f9ca in qemu_cond_wait_impl (cond=<optimized out>, mutex=0x564a0b3598e0 <bql>, file=0x564a0a3e9bff "../system/cpus.c", line=462) at ../util/qemu-thread-posix.c:225
#6  0x0000564a09ec8e63 in qemu_wait_io_event (cpu=cpu@entry=0x564a3592eda0) at ../system/cpus.c:462
#7  0x00007ff0212af211 in mttcg_cpu_thread_fn (arg=0x564a3592eda0) at ../accel/tcg/tcg-accel-ops-mttcg.c:118
#8  0x0000564a0a26f455 in qemu_thread_start (args=0x564a35991110) at ../util/qemu-thread-posix.c:541
#9  0x00007ff0237ee797 in start_thread (arg=<optimized out>) at pthread_create.c:447
#10 0x00007ff023872594 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:100

Thread 2 (Thread 0x7fefcda006c0 (LWP 3862702) "SPICE Worker"):
#0  0x00007ff023864f70 in __GI_ppoll (fds=fds@entry=0x7fefb0000b70, nfds=nfds@entry=2, timeout=<optimized out>, timeout@entry=0x7fefcd9fee70, sigmask=sigmask@entry=0x0) at ../sysdeps/unix/sysv/linux/ppoll.c:42
#1  0x00007ff023d818c0 in ppoll (__fds=0x7fefb0000b70, __nfds=2, __timeout=0x7fefcd9fee70, __ss=0x0) at /usr/include/bits/poll2.h:101
#2  g_main_context_poll_unlocked (priority=2147483647, context=0x564a3682b2f0, timeout_usec=<optimized out>, fds=0x7fefb0000b70, n_fds=2) at ../glib/gmain.c:4579
#3  g_main_context_iterate_unlocked.isra.0 (context=0x564a3682b2f0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4257
#4  0x00007ff023d273f7 in g_main_loop_run (loop=0x7fefb0000cb0) at ../glib/gmain.c:4464
#5  0x00007ff021a7957a in red_worker_main (arg=0x564a3682b240) at /usr/src/debug/spice-0.15.1-6.fc41.x86_64/server/red-worker.cpp:1021
#6  0x00007ff0237ee797 in start_thread (arg=<optimized out>) at pthread_create.c:447
#7  0x00007ff023872594 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:100

Thread 1 (Thread 0x7ff022bd7700 (LWP 3862697) "qemu-system-x86"):
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1  0x00007ff0237f0793 in __pthread_kill_internal (threadid=<optimized out>, signo=6) at pthread_kill.c:78
#2  0x00007ff023797d0e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007ff02377f942 in __GI_abort () at abort.c:79
#4  0x00007ff02377f85e in __assert_fail_base (fmt=0x7ff023933cb0 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x564a0a3fd38f "name", file=file@entry=0x564a0a46ff28 "../qapi/qobject-output-visitor.c", line=line@entry=95, function=function@entry=0x564a0a54b240 <__PRETTY_FUNCTION__.6> "qobject_output_add_obj") at assert.c:94
#5  0x00007ff02378fe47 in __assert_fail (assertion=assertion@entry=0x564a0a3fd38f "name", file=file@entry=0x564a0a46ff28 "../qapi/qobject-output-visitor.c", line=line@entry=95, function=function@entry=0x564a0a54b240 <__PRETTY_FUNCTION__.6> "qobject_output_add_obj") at assert.c:103
#6  0x0000564a09cd2560 in qobject_output_add_obj (qov=qov@entry=0x564a36dbf7e0, name=name@entry=0x0, value=<optimized out>) at ../qapi/qobject-output-visitor.c:95
#7  0x0000564a0a260547 in qobject_output_type_uint64 (v=0x564a36dbf7e0, name=0x0, obj=<optimized out>, errp=<optimized out>) at ../qapi/qobject-output-visitor.c:163
#8  0x0000564a0a03b731 in balloon_stats_get_all (obj=<optimized out>, v=0x564a35e016d0, name=<optimized out>, opaque=<optimized out>, errp=0x7ffec773ebb0) at ../hw/virtio/virtio-balloon.c:258
#9  0x0000564a0a0d7142 in object_property_get (obj=0x564a368d2200, name=0x564a368d3bd0 "guest-stats", v=v@entry=0x564a35e016d0, errp=errp@entry=0x7ffec773ec20) at ../qom/object.c:1435
#10 0x0000564a0a0d71f8 in property_get_alias (obj=<optimized out>, v=<optimized out>, name=<optimized out>, opaque=0x564a368d3bb0, errp=0x7ffec773ec20) at ../qom/object.c:2779
#11 0x0000564a0a0d7142 in object_property_get (obj=obj@entry=0x564a368c9c60, name=name@entry=0x564a364c4790 "guest-stats", v=v@entry=0x564a36dbf7e0, errp=errp@entry=0x7ffec773ecc0) at ../qom/object.c:1435
#12 0x0000564a0a0daca3 in object_property_get_qobject (obj=0x564a368c9c60, name=0x564a364c4790 "guest-stats", errp=errp@entry=0x7ffec773ecc0) at ../qom/qom-qobject.c:40
#13 0x0000564a0a1e416e in qmp_qom_get (path=<optimized out>, property=<optimized out>, errp=errp@entry=0x7ffec773ecc0) at ../qom/qom-qmp-cmds.c:89
#14 0x0000564a0a23c8cb in qmp_marshal_qom_get (args=0x7fefc8005a00, ret=0x7ff022bd3e98, errp=0x7ff022bd3e90) at qapi/qapi-commands-qom.c:130
#15 0x0000564a0a262222 in do_qmp_dispatch_bh (opaque=0x7ff022bd3ea0) at ../qapi/qmp-dispatch.c:128
#16 0x0000564a0a282776 in aio_bh_poll (ctx=ctx@entry=0x564a35640620) at ../util/async.c:219
#17 0x0000564a0a26c61b in aio_dispatch (ctx=0x564a35640620) at ../util/aio-posix.c:424
#18 0x0000564a0a2824f6 in aio_ctx_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at ../util/async.c:361
#19 0x00007ff023d2136c in g_main_dispatch (context=0x564a356c1980) at ../glib/gmain.c:3348
#20 g_main_context_dispatch_unlocked (context=context@entry=0x564a356c1980) at ../glib/gmain.c:4197
#21 0x00007ff023d21635 in g_main_context_dispatch (context=0x564a356c1980) at ../glib/gmain.c:4185
#22 0x0000564a0a283c28 in glib_pollfds_poll () at ../util/main-loop.c:287
#23 os_host_main_loop_wait (timeout=0) at ../util/main-loop.c:310
#24 main_loop_wait (nonblocking=nonblocking@entry=0) at ../util/main-loop.c:589
#25 0x0000564a09ed35f0 in qemu_main_loop () at ../system/runstate.c:835
#26 0x0000564a0a1e7372 in qemu_default_main () at ../system/main.c:37
#27 0x00007ff023781248 in __libc_start_call_main (main=main@entry=0x564a09cda440 <main>, argc=argc@entry=87, argv=argv@entry=0x7ffec773f0a8) at ../sysdeps/nptl/libc_start_call_main.h:58
#28 0x00007ff02378130b in __libc_start_main_impl (main=0x564a09cda440 <main>, argc=87, argv=0x7ffec773f0a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffec773f098) at ../csu/libc-start.c:360
#29 0x0000564a09cda935 in _start ()
Comment 4 Daniel Berrangé 2024-11-29 14:04:42 UTC 
An update of the linux headers introduced new stats, which broke existing code in QEMU

https://lists.nongnu.org/archive/html/qemu-devel/2024-11/msg05455.html

I'm patching Fedora now, and the fix ought to be upstream for the 9.2.0 GA release
Comment 5 Martin Pitt 2024-11-29 14:19:23 UTC 
Thanks Richard and Daniel, that was light-speed bug fixing! ♥
Comment 6 Han Han 2025-01-15 09:43:16 UTC 
@berrange This bug could cause VM down by unprivileged cmd 'virsh -r domstats'. I think we should request a CVE for it.
Comment 7 Daniel Berrangé 2025-01-15 10:09:32 UTC 
(In reply to Han Han from comment #6)
> @berrange This bug could cause VM down by unprivileged cmd 'virsh
> -r domstats'. I think we should request a CVE for it.

This bug was never present in any upstream release of QEMU, nor in a release of Fedora. It only existed in Fedora rawhide for a short time because we shipped a pre-release snapshot of code for QEMU. As such it doesn't justify a CVE from Fedora or upstream POV.
Comment 8 Aoife Moloney 2025-02-26 13:18:22 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora Linux 42 development cycle.
Changing version to 42.
Note You need to log in before you can comment on or make changes to this bug.