Commit a82c8e4d836121cec49ccd9031438a3110f2e192 bumped the CPU version to 9; however, the format is very different from version 9 of upstream QEMU. This causes problems in crash, which uses QEMU's savefiles as kvm core dumps.
Until now, the differences did nothing problematic, but for version 9 upstream does this:
int32_t pending_irq = (int32_t) get_be32 (fp);
if (pending_irq >= 0)
    dx86->kvm.int_bitmap[pending_irq / 64] |=
instead of this:
for (i = 0; i < 4; i++)
    dx86->kvm.int_bitmap[i] = get_be64 (fp);
(Source code from qemu-load.c in git://git.engineering.redhat.com/users/pbonzini/qemu-reader.git). In other words, the first 32 bits of the bitmap are treated as an index, causing an out-of-bounds access.
Of course, adding a "<= 255" check is easily done, but it's only a matter of time until RHEL5's version will hit 12 and we'll have serious problems handling both RHEL5 and RHEL6 dumps.
I suggest adding a fake __rhel5 section in the dumps for 5.5.z and 5.6, so that we can look for that in crash. I'll attach the patch soon.
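The two layouts and the bounds check discussed above, as an added C example (not code from qemu-load.c or from the attached patch): be32_at, be64_at, load_int_bitmap and the is_rhel5 flag are constructed names, and scanning the dump for the __rhel5 marker is left to the caller.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* 256-bit interrupt bitmap: four 64-bit words, as int_bitmap in qemu-load.c. */
#define INT_BITMAP_WORDS 4
#define INT_BITMAP_BITS  (INT_BITMAP_WORDS * 64)

struct kvm_cpu_state {
    uint64_t int_bitmap[INT_BITMAP_WORDS];
};

/* Big-endian readers over a byte buffer (constructed stand-ins for the
 * get_be32()/get_be64() file readers in qemu-load.c). */
static uint32_t be32_at(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static uint64_t be64_at(const uint8_t *p)
{
    return ((uint64_t)be32_at(p) << 32) | be32_at(p + 4);
}

/* Upstream version-9 layout: one signed pending_irq index. Without the
 * range check, a RHEL5 dump parsed this way uses the first bitmap word
 * as the index, far past int_bitmap's four entries. */
static bool load_pending_irq_v9(struct kvm_cpu_state *s, const uint8_t *buf)
{
    int32_t pending_irq = (int32_t)be32_at(buf);
    if (pending_irq < 0)
        return true;                     /* nothing pending; valid */
    if (pending_irq >= INT_BITMAP_BITS)
        return false;                    /* out of range: reject the dump */
    s->int_bitmap[pending_irq / 64] |= (uint64_t)1 << (pending_irq % 64);
    return true;
}

/* Pick the layout from the fake __rhel5 marker the report proposes;
 * is_rhel5 is whatever the caller found by scanning the dump for it. */
bool load_int_bitmap(struct kvm_cpu_state *s, const uint8_t *buf, bool is_rhel5)
{
    memset(s->int_bitmap, 0, sizeof s->int_bitmap);
    if (!is_rhel5)
        return load_pending_irq_v9(s, buf);
    for (int i = 0; i < INT_BITMAP_WORDS; i++)   /* RHEL5: four be64 words */
        s->int_bitmap[i] = be64_at(buf + 8 * i);
    return true;
}
```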
Created attachment 423249
Could you please suggest how we could verify this patch effectively?
You can try grepping a dump for the string __rhel5. If you do the dump early enough, possibly while grub is running, the chance of a false positive is ~zero (and it is pretty unlikely even if the system has already finished booting).
Created attachment 434483
qemu patch v2
Unlike the previous one, this patch doesn't break backwards migration.
# rpm -q kvm
# uname -r
# grep __rhel5 /var/crash/2010-11-15-10:36/vmcore
Binary file vmcore matches
# dmesg |grep crashkernel
Command line: ro root=LABEL=/ crashkernel=128M@16M
Kernel command line: ro root=LABEL=/ crashkernel=128M@16M
# grep -i crash /proc/iomem
01000000-08ffffff : Crash kernel
Guest launch command:
/usr/libexec/qemu-kvm -name 'vm1' -monitor stdio -drive file='/home/RHEL-Server-6.0-64-virtio.qcow2',index=0,if=virtio,media=disk,cache=none,boot=on,format=qcow2 -net nic,vlan=0,model=virtio,macaddr='9a:30:70:9c:34:b4' -net tap,vlan=0,ifname='virtio_xxx_5900',script='/home/qemu-ifup-switch',downscript='no' -m 4096 -smp 2 -soundhw ac97 -vnc :0 -rtc-td-hack -M rhel5.6.0 -usbdevice tablet
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.