Bug 678729 - Hotplug VF/PF with invalid addr value leading to qemu-kvm process quit with core dump
Summary: Hotplug VF/PF with invalid addr value leading to qemu-kvm process quit with c...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Don Dutile (Red Hat)
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Duplicates: 739493
Depends On:
Blocks: 580954
Reported: 2011-02-19 06:31 UTC by juzhang
Modified: 2013-01-09 23:34 UTC (History)

Fixed In Version: qemu-kvm-0.12.1.2-2.206.el6
Doc Type: Bug Fix
Doc Text:
When doing a device assignment of a VF/PF with an invalid PCI configuration address value, the qemu-kvm process would quit with a core dump. This bug has been fixed such that qemu-kvm returns an error and the device assignment fails properly.
Cause: Performing a device assignment of a PCI(e) PF or VF device with an invalid host PCI configuration address, such as 0Z:88.00, to a KVM guest will cause the guest to immediately quit and core dump.
Consequence: The qemu-kvm guest process will quit and core dump.
Fix: Check the value of the B:D.F fields of an assigned device to ensure they are in the proper ranges.
Result: Performing a device assignment of a PCI(e) PF or VF device with an invalid host PCI configuration address will fail the assignment with an error message, and not crash the running KVM guest.
Clone Of:
Environment:
Last Closed: 2011-12-06 15:44:29 UTC
Target Upstream Version:
Embargoed:


Links:
Red Hat Product Errata RHSA-2011:1531 (normal, SHIPPED_LIVE): Moderate: qemu-kvm security, bug fix, and enhancement update (last updated 2011-12-06 01:23:30 UTC)

Description juzhang 2011-02-19 06:31:55 UTC
Description of problem:
Hot add VF/PF with invalid addr value leading to qemu-kvm process quit with core dump

Version-Release number of selected component (if applicable):
1.Qemu version
qemu-kvm-0.12.1.2-2.144.el6.x86_64
2.Host kernel version
2.6.32-115.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
Take VF for example.
1.Generate VF
#modprobe -r igb
#modprobe igb max_vfs=7
2.Unbind one of the VFs from the host
#lspci -n | grep 03:10.5
03:10.5 0200: 8086:10ca
#echo "17d5 10ca" >/sys/bus/pci/drivers/pci-stub/new_id
#echo 0000:03:10.5 >/sys/bus/pci/devices/0000\:03\:10.5/driver/unbind
#echo 0000:03:10.5 >/sys/bus/pci/drivers/pci-stub/bind
3.Boot guest
#/usr/libexec/qemu-kvm -M rhel6.1.0 -enable-kvm -m 4096 -smp 4 -cpu qemu64,+sse2,+x2apic -name rhel6.1 -uuid `uuidgen` -rtc base=localtime -boot c -drive file=/root/images-rhel6.1/rhel6.1-ide.qcow2,if=none,id=drive-ide0-0-0,media=disk,format=qcow2,cache=none -device ide-drive,drive=drive-ide0-0-0,id=ide0-0-0 -net none -usb -device usb-tablet,id=input0 -spice port=8000,disable-ticketing -vga qxl -monitor stdio -balloon none
4.Hot add vf with addr=abc
#(qemu) device_add pci-assign,host=03:10.5,id=vf44,bus=pci.0,addr=abc
  
Actual results:
qemu-kvm process quit with core dump
(gdb) bt
#0  0x0000003a5ec48037 in vfprintf () from /lib64/libc.so.6
#1  0x0000003a5ecfd0e0 in __vsnprintf_chk () from /lib64/libc.so.6
#2  0x0000000000414d5f in vsnprintf (mon=0x11ed770,
    fmt=<value optimized out>, ap=<value optimized out>)
    at /usr/include/bits/stdio2.h:78
#3  monitor_vprintf (mon=0x11ed770, fmt=<value optimized out>,
    ap=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:283
#4  0x000000000047b037 in error_report (
    fmt=0x591070 "PCI: devfn %d not available for %s, in use by %s")
    at qemu-error.c:206
#5  0x000000000041b34b in do_pci_register_device (pci_dev=0x16f2010,
    bus=0x11c06d0, name=<value optimized out>, devfn=21984,
    config_read=0x473e60 <assigned_dev_pci_read_config>,
    config_write=0x4761d0 <assigned_dev_pci_write_config>,
    header_type=0 '\000') at /usr/src/debug/qemu-kvm-0.12.1.2/hw/pci.c:648
#6  0x000000000041b6fb in pci_qdev_init (qdev=0x16f2010, base=0x8d8840)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/pci.c:1462
#7  0x00000000004c5af8 in qdev_init (dev=0x16f2010)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qdev.c:286
#8  0x00000000004c5f39 in qdev_device_add (opts=0x10419b0)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qdev.c:261
#9  0x00000000004c64a9 in do_device_add (mon=<value optimized out>,
    qdict=<value optimized out>, ret_data=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qdev.c:809
#10 0x0000000000413e10 in monitor_call_handler (mon=0x11ed770, cmd=0x58ecb8,
    params=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4338
#11 0x0000000000418d60 in handle_user_command (mon=0x11ed770,
    cmdline=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4375
#12 0x0000000000418e8a in monitor_command_cb (mon=0x11ed770,
    cmdline=<value optimized out>, opaque=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4930
#13 0x00000000004a580b in readline_handle_byte (rs=0x2626110,
    ch=<value optimized out>) at readline.c:369
#14 0x00000000004190ac in monitor_read (opaque=<value optimized out>,
    buf=0x7fff388c39c0 "\r", size=1)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4916
#15 0x00000000004be1fb in qemu_chr_read (opaque=0xffad20) at qemu-char.c:171
#16 fd_chr_read (opaque=0xffad20) at qemu-char.c:657
#17 0x000000000040b95f in main_loop_wait (timeout=1000)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4424
#18 0x000000000042b29a in kvm_main_loop ()
    at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2165
#19 0x000000000040ef0f in main_loop (argc=<value optimized out>,
    argv=<value optimized out>, envp=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4634
#20 main (argc=<value optimized out>, argv=<value optimized out>,
    envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6848
(gdb)

Expected results:
Prevent hotplugging the PF/VF.

Additional info:
I also tried to hot-plug an emulated NIC with addr=abc; this device can't be hot-plugged, with the following messages.
#{"execute": "netdev_add", "arguments": { "type":"tap","id":"hostnet2"}}
#{"execute": "device_add", "arguments": {"driver":"e1000","netdev":"hostnet2","mac":"22:11:22:45:61:97","id": "net2","bus":"pci.0","addr":"abc"}}
{"error": {"class": "DeviceInitFailed", "desc": "Device 'e1000' could not be initialized", "data": {"device": "e1000"}}}

Comment 4 Don Dutile (Red Hat) 2011-09-27 21:16:26 UTC
*** Bug 739493 has been marked as a duplicate of this bug. ***

Comment 6 FuXiangChun 2011-10-14 09:25:28 UTC
1. Reproduce on qemu-kvm-0.12.1.2-2.190.el6.x86_64

steps:
1.1 #gdb /usr/libexec/qemu-kvm
(gdb) r -M rhel6.1.0 -enable-kvm -m 4096 -smp 4 -cpu qemu64,+sse2,+x2apic -name rhel6.1 -uuid `uuidgen` -rtc base=localtime -boot c -drive file=rhel61.qcow2,if=none,id=drive-ide0-0-0,media=disk,format=qcow2,cache=none -device ide-drive,drive=drive-ide0-0-0,id=ide0-0-0 -net none -usb -device usb-tablet,id=input0 -spice port=8000,disable-ticketing -vga qxl -monitor stdio -balloon none
1.2 (qemu) device_add pci-assign,host=03:10.5,id=vf44,bus=pci.0,addr=abc

Program received signal SIGSEGV, Segmentation fault.
0x00000032eaa479e7 in vfprintf () from /lib64/libc.so.6

result:

(gdb) bt
#0  0x00000032eaa479e7 in vfprintf () from /lib64/libc.so.6
#1  0x00000032eaafc970 in __vsnprintf_chk () from /lib64/libc.so.6
#2  0x000000000041342f in vsnprintf (mon=0xed96e0, fmt=<value optimized out>, 
    ap=<value optimized out>) at /usr/include/bits/stdio2.h:78
#3  monitor_vprintf (mon=0xed96e0, fmt=<value optimized out>, 
    ap=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:283
#4  0x0000000000479d57 in error_report (
    fmt=0x592440 "PCI: devfn %d not available for %s, in use by %s")
    at qemu-error.c:206
#5  0x0000000000419913 in do_pci_register_device (pci_dev=0x14294f0, 
    bus=0xeac010, name=<value optimized out>, devfn=21984, 
    config_read=0x4717d0 <assigned_dev_pci_read_config>, 
    config_write=0x473c40 <assigned_dev_pci_write_config>, 
    header_type=0 '\000') at /usr/src/debug/qemu-kvm-0.12.1.2/hw/pci.c:699
#6  0x0000000000419cdb in pci_qdev_init (qdev=0x14294f0, base=0x8dfaa0)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/pci.c:1518
#7  0x00000000004c3f48 in qdev_init (dev=0x14294f0)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qdev.c:278
#8  0x00000000004c42d9 in qdev_device_add (opts=0x1424bd0)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qdev.c:253
#9  0x00000000004c4849 in do_device_add (mon=<value optimized out>, 
    qdict=<value optimized out>, ret_data=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qdev.c:806
#10 0x00000000004124d0 in monitor_call_handler (mon=<value optimized out>, 
    cmd=0x590058, params=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4090
#11 0x0000000000417250 in handle_user_command (mon=0xed96e0, 
    cmdline=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4127
#12 0x000000000041737a in monitor_command_cb (mon=0xed96e0, 
    cmdline=<value optimized out>, opaque=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4682
#13 0x00000000004aa8db in readline_handle_byte (rs=0x230e400, 
    ch=<value optimized out>) at readline.c:369
#14 0x000000000041759c in monitor_read (opaque=<value optimized out>, 
    buf=0x7fffffffbc70 "\r", size=1)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4668
#15 0x00000000004bc56b in qemu_chr_read (opaque=0xcddd10) at qemu-char.c:170
#16 fd_chr_read (opaque=0xcddd10) at qemu-char.c:664
#17 0x000000000040c1ff in main_loop_wait (timeout=1000)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:3854
#18 0x0000000000429fca in kvm_main_loop ()
    at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2204
#19 0x000000000040db05 in main_loop (argc=<value optimized out>, 
    argv=<value optimized out>, envp=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4064
#20 main (argc=<value optimized out>, argv=<value optimized out>, 
    envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6284


2. Verify on qemu-kvm-0.12.1.2-2.195.el6.x86_64

2.1 # /usr/libexec/qemu-kvm -M rhel6.1.0 -enable-kvm -m 4096 -smp 4 -cpu qemu64,+sse2,+x2apic -name rhel6.1 -uuid `uuidgen` -rtc base=localtime -boot c -drive file=rhel61.qcow2,if=none,id=drive-ide0-0-0,media=disk,format=qcow2,cache=none -device ide-drive,drive=drive-ide0-0-0,id=ide0-0-0 -net none -usb -device usb-tablet,id=input0 -spice port=8000,disable-ticketing -vga qxl -monitor stdio -balloon none
do_spice_init: starting 0.8.3
spice_server_add_interface: SPICE_INTERFACE_MIGRATION
spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
spice_server_add_interface: SPICE_INTERFACE_MOUSE
spice_server_add_interface: SPICE_INTERFACE_QXL
red_worker_main: begin
handle_dev_input: start
QEMU 0.12.1 monitor - type 'help' for more information
(qemu) spice_server_add_interface: SPICE_INTERFACE_TABLET

2.2 (qemu) device_add pci-assign,host=03:10.5,id=vf44,bus=pci.0,addr=abc

result:
Property 'pci-assign.addr' doesn't take value 'abc'

Based on the above testing result, this bug has been fixed.

Comment 9 Eduardo Habkost 2011-10-28 18:00:46 UTC
Moving to ON_QA because Errata Tool did not do it

Comment 12 Don Dutile (Red Hat) 2011-11-16 20:08:04 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
When doing a device assignment of a VF/PF with invalid PCI configuration address value, the qemu-kvm process would quit with a core dump.  This bug has been fixed such that qemu-kvm returns an error and the device assignment fails properly.

Comment 13 Don Dutile (Red Hat) 2011-11-16 20:17:31 UTC
Update Tech note to have CCRF errata format.

Comment 14 Don Dutile (Red Hat) 2011-11-16 20:17:31 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1,10 @@
-When doing a device assignment of a VF/PF with invalid PCI configuration address value, the qemu-kvm process would quit with a core dump.  This bug has been fixed such that qemu-kvm returns an error and the device assignment fails properly.+When doing a device assignment of a VF/PF with invalid PCI configuration address value, the qemu-kvm process would quit with a core dump.  This bug has been fixed such that qemu-kvm returns an error and the device assignment fails properly.
+
+Cause
+Performing a device assignment of a PCI(e) PF or VF device with an invalid host PCI configuration address, such as 0Z:88.00, to a KVM guest will cause the guest to immediately quit and core dump.
+Consequence
+The qemu-kvm guest process will quit and core dump.
+Fix
+Check the value of the B:D.F fields of an assigned device to ensure they are in the proper ranges.
+Result
+Performing a device assignment of a PCI(e) PF or VF device with an invalid host PCI configuration address will fail the assignment with an error message, and not crash the runnning KVM guest.
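Review bot: the Result line (last `+` line) misspells "running" as "runnning", and the `-` line of the unchanged opening sentence has been run together with its `+` counterpart onto a single line; split them and fix the spelling before the note is published. The Fix line would also be easier to verify against the build if it named the ranges being enforced for the B:D.F fields, since the Cause example 0Z:88.00 fails on both a non-hex bus digit and a device number outside the field.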

Comment 15 errata-xmlrpc 2011-12-06 15:44:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1531.html

