Commit a82c8e4d836121cec49ccd9031438a3110f2e192 bumped the CPU version to 9, however the format is very different from the version 9 of upstream QEMU. This causes problems in crash, which uses QEMU's savefiles as kvm core dumps. Until now, the differences did nothing problematic, but for version 9 upstream does this:

    int32_t pending_irq = (int32_t) get_be32 (fp);
    if (pending_irq >= 0)
        dx86->kvm.int_bitmap[pending_irq / 64] |=

instead of this:

    for (i = 0; i < 4; i++)
        dx86->kvm.int_bitmap[i] = get_be64 (fp);

(Source code from qemu-load.c in git://git.engineering.redhat.com/users/pbonzini/qemu-reader.git).

In other words, the first 32 bits of the bitmap are treated as an index, causing an out-of-bounds access. Of course, adding a "<= 255" check is easily done, but it's only a matter of time until RHEL5's version will hit 12 and we'll have serious problems handling both RHEL5 and RHEL6 dumps. I suggest adding a fake __rhel5 section in the dumps for 5.5.z and 5.6, so that we can look for that in crash. I'll attach the patch soon.
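As an added example (not the patch from this thread and not code from qemu-reader or crash), the two layouts described above sketched in C: the upstream reader with the bounds check on the pending_irq index, the RHEL5 reader of four be64 words, and a dispatch on the proposed __rhel5 marker. The struct, the in-memory rd_be32/rd_be64 helpers and the sample bytes are assumptions constructed here; the same 32 bytes parse as IRQ 40 under the RHEL5 layout and are rejected as index 256 under the upstream one.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the reader's kvm state: 256 interrupt bits in four 64-bit words. */
struct kvm_state { uint64_t int_bitmap[4]; };

/* Big-endian readers over a memory buffer (the thread's get_be32/get_be64 read a FILE*). */
static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint64_t rd_be64(const uint8_t *p) {
    return ((uint64_t)rd_be32(p) << 32) | rd_be32(p + 4);
}

/* Upstream layout: one be32 pending IRQ number, negative meaning none.  Returns 0 on
 * success, -1 when the index would run past int_bitmap[3]: this is the "<= 255" check
 * the thread mentions; without it the store below is the out-of-bounds write. */
int parse_upstream_pending_irq(const uint8_t *buf, struct kvm_state *s) {
    int32_t pending_irq = (int32_t)rd_be32(buf);
    if (pending_irq < 0)
        return 0;
    if (pending_irq > 255)
        return -1;
    s->int_bitmap[pending_irq / 64] |= (uint64_t)1 << (pending_irq % 64);
    return 0;
}

/* RHEL5 layout: the whole bitmap stored as four be64 words. */
void parse_rhel5_bitmap(const uint8_t *buf, struct kvm_state *s) {
    for (int i = 0; i < 4; i++)
        s->int_bitmap[i] = rd_be64(buf + 8 * i);
}

/* Choose the layout from the proposed marker: a dump carrying "__rhel5" uses the bitmap
 * form.  Returns 0 on success, -1 on a short buffer or a rejected IRQ index. */
int parse_int_bitmap(const uint8_t *buf, size_t len, int has_rhel5_section, struct kvm_state *s) {
    memset(s, 0, sizeof *s);
    if (has_rhel5_section) {
        if (len < 32)
            return -1;
        parse_rhel5_bitmap(buf, s);
        return 0;
    }
    return len < 4 ? -1 : parse_upstream_pending_irq(buf, s);
}
/* Constructed sample, not taken from a real dump: RHEL5-layout words with IRQ 40 pending
 * (word 0 = 1 << 40); read under the upstream layout its first four bytes are the index 256. */
const uint8_t sample_rhel5[32] = { 0x00, 0x00, 0x01, 0x00 };
```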
Created attachment 423249 [details] qemu patch
Hi Paolo, Could you please suggest how we could verify this patch effectively? Thanks.
You can try grepping a dump for the string __rhel5. If you do the dump early enough, possibly while grub is running, the chance of a false positive is ~zero (and it is pretty unlikely even if the system has already finished booting).
Created attachment 434483 [details] qemu patch v2

Unlike the previous one, this patch doesn't break backwards migration.
Verified on:

    # rpm -q kvm
    kvm-83-207.el5
    # uname -r
    2.6.18-231.el5
    # grep __rhel5 /var/crash/2010-11-15-10:36/vmcore
    Binary file vmcore matches

host dmesg:

    # dmesg |grep crashkernel
    Command line: ro root=LABEL=/ crashkernel=128M@16M
    Kernel command line: ro root=LABEL=/ crashkernel=128M@16M

and /proc/iomem:

    # grep -i crash /proc/iomem
    01000000-08ffffff : Crash kernel

guest launching cmd:

    /usr/libexec/qemu-kvm -name 'vm1' -monitor stdio -drive file='/home/RHEL-Server-6.0-64-virtio.qcow2',index=0,if=virtio,media=disk,cache=none,boot=on,format=qcow2 -net nic,vlan=0,model=virtio,macaddr='9a:30:70:9c:34:b4' -net tap,vlan=0,ifname='virtio_xxx_5900',script='/home/qemu-ifup-switch',downscript='no' -m 4096 -smp 2 -soundhw ac97 -vnc :0 -rtc-td-hack -M rhel5.6.0 -usbdevice tablet
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2011-0028.html