Bug 678729 - Hotplug VF/PF with invalid addr value leading to qemu-kvm process quit with core dump
Summary: Hotplug VF/PF with invalid addr value leading to qemu-kvm process quit with c...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Don Dutile (Red Hat)
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Duplicates: 739493
Depends On:
Blocks: 580954
Reported: 2011-02-19 06:31 UTC by juzhang
Modified: 2013-01-09 23:34 UTC (History)

Fixed In Version: qemu-kvm-0.12.1.2-2.206.el6
Doc Type: Bug Fix
Doc Text:
When doing a device assignment of a VF/PF with an invalid PCI configuration address value, the qemu-kvm process would quit with a core dump. This bug has been fixed such that qemu-kvm returns an error and the device assignment fails properly.
Cause: Performing a device assignment of a PCI(e) PF or VF device with an invalid host PCI configuration address, such as 0Z:88.00, to a KVM guest will cause the guest to immediately quit and core dump.
Consequence: The qemu-kvm guest process will quit and core dump.
Fix: Check the value of the B:D.F fields of an assigned device to ensure they are in the proper ranges.
Result: Performing a device assignment of a PCI(e) PF or VF device with an invalid host PCI configuration address will fail the assignment with an error message, and not crash the running KVM guest.
Clone Of:
Environment:
Last Closed: 2011-12-06 15:44:29 UTC
Target Upstream Version:




Links:
Red Hat Product Errata RHSA-2011:1531 (priority normal, status SHIPPED_LIVE): Moderate: qemu-kvm security, bug fix, and enhancement update. Last updated 2011-12-06 01:23:30 UTC.

Description juzhang 2011-02-19 06:31:55 UTC
Description of problem:
Hot-adding a VF/PF with an invalid addr value leads to the qemu-kvm process quitting with a core dump.

Version-Release number of selected component (if applicable):
1.Qemu version
qemu-kvm-0.12.1.2-2.144.el6.x86_64
2.Host kernel version
2.6.32-115.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
Take a VF as an example.
1. Generate VFs
#modprobe -r igb
#modprobe igb max_vfs=7
2. Unbind one of the VFs from the host
#lspci -n | grep 03:10.5
03:10.5 0200: 8086:10ca
#echo "17d5 10ca" >/sys/bus/pci/drivers/pci-stub/new_id
#echo 0000:03:10.5 >/sys/bus/pci/devices/0000\:03\:10.5/driver/unbind
#echo 0000:03:10.5 >/sys/bus/pci/drivers/pci-stub/bind
3. Boot the guest
#/usr/libexec/qemu-kvm -M rhel6.1.0 -enable-kvm -m 4096 -smp 4 -cpu qemu64,+sse2,+x2apic -name rhel6.1 -uuid `uuidgen` -rtc base=localtime -boot c -drive file=/root/images-rhel6.1/rhel6.1-ide.qcow2,if=none,id=drive-ide0-0-0,media=disk,format=qcow2,cache=none -device ide-drive,drive=drive-ide0-0-0,id=ide0-0-0 -net none -usb -device usb-tablet,id=input0 -spice port=8000,disable-ticketing -vga qxl -monitor stdio -balloon none
4. Hot-add the VF with addr=abc
#(qemu) device_add pci-assign,host=03:10.5,id=vf44,bus=pci.0,addr=abc
  
Actual results:
qemu-kvm process quit with core dump
(gdb) bt
#0  0x0000003a5ec48037 in vfprintf () from /lib64/libc.so.6
#1  0x0000003a5ecfd0e0 in __vsnprintf_chk () from /lib64/libc.so.6
#2  0x0000000000414d5f in vsnprintf (mon=0x11ed770,
    fmt=<value optimized out>, ap=<value optimized out>)
    at /usr/include/bits/stdio2.h:78
#3  monitor_vprintf (mon=0x11ed770, fmt=<value optimized out>,
    ap=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:283
#4  0x000000000047b037 in error_report (
    fmt=0x591070 "PCI: devfn %d not available for %s, in use by %s")
    at qemu-error.c:206
#5  0x000000000041b34b in do_pci_register_device (pci_dev=0x16f2010,
    bus=0x11c06d0, name=<value optimized out>, devfn=21984,
    config_read=0x473e60 <assigned_dev_pci_read_config>,
    config_write=0x4761d0 <assigned_dev_pci_write_config>,
    header_type=0 '\000') at /usr/src/debug/qemu-kvm-0.12.1.2/hw/pci.c:648
#6  0x000000000041b6fb in pci_qdev_init (qdev=0x16f2010, base=0x8d8840)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/pci.c:1462
#7  0x00000000004c5af8 in qdev_init (dev=0x16f2010)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qdev.c:286
#8  0x00000000004c5f39 in qdev_device_add (opts=0x10419b0)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qdev.c:261
#9  0x00000000004c64a9 in do_device_add (mon=<value optimized out>,
    qdict=<value optimized out>, ret_data=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qdev.c:809
#10 0x0000000000413e10 in monitor_call_handler (mon=0x11ed770, cmd=0x58ecb8,
    params=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4338
#11 0x0000000000418d60 in handle_user_command (mon=0x11ed770,
    cmdline=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4375
#12 0x0000000000418e8a in monitor_command_cb (mon=0x11ed770,
    cmdline=<value optimized out>, opaque=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4930
#13 0x00000000004a580b in readline_handle_byte (rs=0x2626110,
    ch=<value optimized out>) at readline.c:369
#14 0x00000000004190ac in monitor_read (opaque=<value optimized out>,
    buf=0x7fff388c39c0 "\r", size=1)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4916
#15 0x00000000004be1fb in qemu_chr_read (opaque=0xffad20) at qemu-char.c:171
#16 fd_chr_read (opaque=0xffad20) at qemu-char.c:657
#17 0x000000000040b95f in main_loop_wait (timeout=1000)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4424
#18 0x000000000042b29a in kvm_main_loop ()
    at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2165
#19 0x000000000040ef0f in main_loop (argc=<value optimized out>,
    argv=<value optimized out>, envp=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4634
#20 main (argc=<value optimized out>, argv=<value optimized out>,
    envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6848
(gdb)

Expected results:
Hotplugging the PF/VF should be prevented.

Additional info:
I also tried hot-plugging an emulated NIC with addr=abc; it cannot be hot-plugged, and fails with the following messages.
#{"execute": "netdev_add", "arguments": { "type":"tap","id":"hostnet2"}}
#{"execute": "device_add", "arguments": {"driver":"e1000","netdev":"hostnet2","mac":"22:11:22:45:61:97","id": "net2","bus":"pci.0","addr":"abc"}}
{"error": {"class": "DeviceInitFailed", "desc": "Device 'e1000' could not be initialized", "data": {"device": "e1000"}}}

Comment 4 Don Dutile (Red Hat) 2011-09-27 21:16:26 UTC
*** Bug 739493 has been marked as a duplicate of this bug. ***

Comment 6 FuXiangChun 2011-10-14 09:25:28 UTC
1. Reproduce on qemu-kvm-0.12.1.2-2.190.el6.x86_64

steps:
1.1 #gdb /usr/libexec/qemu-kvm
(gdb) r -M rhel6.1.0 -enable-kvm -m 4096 -smp 4 -cpu qemu64,+sse2,+x2apic -name rhel6.1 -uuid `uuidgen` -rtc base=localtime -boot c -drive file=rhel61.qcow2,if=none,id=drive-ide0-0-0,media=disk,format=qcow2,cache=none -device ide-drive,drive=drive-ide0-0-0,id=ide0-0-0 -net none -usb -device usb-tablet,id=input0 -spice port=8000,disable-ticketing -vga qxl -monitor stdio -balloon none
1.2 (qemu) device_add pci-assign,host=03:10.5,id=vf44,bus=pci.0,addr=abc

Program received signal SIGSEGV, Segmentation fault.
0x00000032eaa479e7 in vfprintf () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install alsa-lib-1.0.22-3.el6.x86_64 celt051-0.5.1.3-0.el6.x86_64 cyrus-sasl-gssapi-2.1.23-12.el6.x86_64 cyrus-sasl-lib-2.1.23-12.el6.x86_64 cyrus-sasl-md5-2.1.23-12.el6.x86_64 cyrus-sasl-plain-2.1.23-12.el6.x86_64 db4-4.7.25-16.el6.x86_64 dbus-libs-1.2.24-5.el6_1.x86_64 flac-1.2.1-6.1.el6.x86_64 glibc-2.12-1.43.el6.x86_64 gnutls-2.8.5-4.el6.x86_64 keyutils-libs-1.4-3.el6.x86_64 krb5-libs-1.9-21.el6.x86_64 libICE-1.0.6-1.el6.x86_64 libSM-1.1.0-7.1.el6.x86_64 libX11-1.3-2.el6.x86_64 libXau-1.0.5-1.el6.x86_64 libXext-1.1-3.el6.x86_64 libXfixes-4.0.4-1.el6.x86_64 libXi-1.3-3.el6.x86_64 libXrandr-1.3.0-4.el6.x86_64 libXrender-0.9.5-1.el6.x86_64 libXtst-1.0.99.2-3.el6.x86_64 libaio-0.3.107-10.el6.x86_64 libasyncns-0.8-1.1.el6.x86_64 libcom_err-1.41.12-11.el6.x86_64 libgcrypt-1.4.5-9.el6.x86_64 libgpg-error-1.7-4.el6.x86_64 libjpeg-6b-46.el6.x86_64 libogg-1.1.4-2.1.el6.x86_64 libselinux-2.0.94-5.1.el6.x86_64 libsndfile-1.0.20-5.el6.x86_64 libtasn1-2.3-3.el6.x86_64 libuuid-2.17.2-12.4.el6.x86_64 libvorbis-1.2.3-4.el6.x86_64 libxcb-1.5-1.el6.x86_64 nss-softokn-freebl-3.12.9-9.el6.x86_64 openssl-1.0.0-19.el6.x86_64 pixman-0.18.4-1.el6_0.1.x86_64 pulseaudio-libs-0.9.21-13.el6.x86_64 spice-server-0.8.2-4.el6.x86_64 tcp_wrappers-libs-7.6-57.el6.x86_64 zlib-1.2.3-27.el6.x86_64

result:

(gdb) bt
#0  0x00000032eaa479e7 in vfprintf () from /lib64/libc.so.6
#1  0x00000032eaafc970 in __vsnprintf_chk () from /lib64/libc.so.6
#2  0x000000000041342f in vsnprintf (mon=0xed96e0, fmt=<value optimized out>, 
    ap=<value optimized out>) at /usr/include/bits/stdio2.h:78
#3  monitor_vprintf (mon=0xed96e0, fmt=<value optimized out>, 
    ap=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:283
#4  0x0000000000479d57 in error_report (
    fmt=0x592440 "PCI: devfn %d not available for %s, in use by %s")
    at qemu-error.c:206
#5  0x0000000000419913 in do_pci_register_device (pci_dev=0x14294f0, 
    bus=0xeac010, name=<value optimized out>, devfn=21984, 
    config_read=0x4717d0 <assigned_dev_pci_read_config>, 
    config_write=0x473c40 <assigned_dev_pci_write_config>, 
    header_type=0 '\000') at /usr/src/debug/qemu-kvm-0.12.1.2/hw/pci.c:699
#6  0x0000000000419cdb in pci_qdev_init (qdev=0x14294f0, base=0x8dfaa0)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/pci.c:1518
#7  0x00000000004c3f48 in qdev_init (dev=0x14294f0)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qdev.c:278
#8  0x00000000004c42d9 in qdev_device_add (opts=0x1424bd0)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qdev.c:253
#9  0x00000000004c4849 in do_device_add (mon=<value optimized out>, 
    qdict=<value optimized out>, ret_data=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qdev.c:806
#10 0x00000000004124d0 in monitor_call_handler (mon=<value optimized out>, 
    cmd=0x590058, params=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4090
#11 0x0000000000417250 in handle_user_command (mon=0xed96e0, 
    cmdline=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4127
#12 0x000000000041737a in monitor_command_cb (mon=0xed96e0, 
    cmdline=<value optimized out>, opaque=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4682
#13 0x00000000004aa8db in readline_handle_byte (rs=0x230e400, 
    ch=<value optimized out>) at readline.c:369
#14 0x000000000041759c in monitor_read (opaque=<value optimized out>, 
    buf=0x7fffffffbc70 "\r", size=1)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4668
#15 0x00000000004bc56b in qemu_chr_read (opaque=0xcddd10) at qemu-char.c:170
#16 fd_chr_read (opaque=0xcddd10) at qemu-char.c:664
#17 0x000000000040c1ff in main_loop_wait (timeout=1000)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:3854
#18 0x0000000000429fca in kvm_main_loop ()
    at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2204
#19 0x000000000040db05 in main_loop (argc=<value optimized out>, 
    argv=<value optimized out>, envp=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4064
#20 main (argc=<value optimized out>, argv=<value optimized out>, 
    envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6284


2. Verify on qemu-kvm-0.12.1.2-2.195.el6.x86_64

2.1 # /usr/libexec/qemu-kvm -M rhel6.1.0 -enable-kvm -m 4096 -smp 4 -cpu qemu64,+sse2,+x2apic -name rhel6.1 -uuid `uuidgen` -rtc base=localtime -boot c -drive file=rhel61.qcow2,if=none,id=drive-ide0-0-0,media=disk,format=qcow2,cache=none -device ide-drive,drive=drive-ide0-0-0,id=ide0-0-0 -net none -usb -device usb-tablet,id=input0 -spice port=8000,disable-ticketing -vga qxl -monitor stdio -balloon none
do_spice_init: starting 0.8.3
spice_server_add_interface: SPICE_INTERFACE_MIGRATION
spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
spice_server_add_interface: SPICE_INTERFACE_MOUSE
spice_server_add_interface: SPICE_INTERFACE_QXL
red_worker_main: begin
handle_dev_input: start
QEMU 0.12.1 monitor - type 'help' for more information
(qemu) spice_server_add_interface: SPICE_INTERFACE_TABLET

2.2 (qemu) device_add pci-assign,host=03:10.5,id=vf44,bus=pci.0,addr=abc

result:
Property 'pci-assign.addr' doesn't take value 'abc'

Based on the above testing result, this bug has been fixed.

Comment 9 Eduardo Habkost 2011-10-28 18:00:46 UTC
Moving to ON_QA because Errata Tool did not do it

Comment 12 Don Dutile (Red Hat) 2011-11-16 20:08:04 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
When doing a device assignment of a VF/PF with invalid PCI configuration address value, the qemu-kvm process would quit with a core dump.  This bug has been fixed such that qemu-kvm returns an error and the device assignment fails properly.

Comment 13 Don Dutile (Red Hat) 2011-11-16 20:17:31 UTC
Update Tech note to have CCRF errata format.

Comment 14 Don Dutile (Red Hat) 2011-11-16 20:17:31 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1,10 @@
-When doing a device assignment of a VF/PF with invalid PCI configuration address value, the qemu-kvm process would quit with a core dump.  This bug has been fixed such that qemu-kvm returns an error and the device assignment fails properly.+When doing a device assignment of a VF/PF with invalid PCI configuration address value, the qemu-kvm process would quit with a core dump.  This bug has been fixed such that qemu-kvm returns an error and the device assignment fails properly.
+
+Cause
+Performing a device assignment of a PCI(e) PF or VF device with an invalid host PCI configuration address, such as 0Z:88.00, to a KVM guest will cause the guest to immediately quit and core dump.
+Consequence
+The qemu-kvm guest process will quit and core dump.
+Fix
+Check the value of the B:D.F fields of an assigned device to ensure they are in the proper ranges.
+Result
+Performing a device assignment of a PCI(e) PF or VF device with an invalid host PCI configuration address will fail the assignment with an error message, and not crash the runnning KVM guest.
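Review bot: typo in the Result line of the hunk, "runnning" should be "running". The Consequence line only repeats the closing clause of the Cause line ("quit and core dump"); since the crash is in the host-side qemu-kvm process rather than inside the guest OS, consider stating the operator-visible effect there, that the whole running guest is terminated and its state lost, so the Cause, Consequence and Result lines each say something distinct.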

Comment 15 errata-xmlrpc 2011-12-06 15:44:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1531.html

