743269 – Hot unplug of snapshot device crashes

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 743269 - Hot unplug of snapshot device crashes

Summary: Hot unplug of snapshot device crashes

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	qemu-kvm
Sub Component:
Version:	6.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Markus Armbruster
QA Contact:	Virtualization Bugs
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	742458 748554
TreeView+	depends on / blocked

Reported:	2011-10-04 12:57 UTC by Markus Armbruster
Modified:	2013-01-10 00:24 UTC (History)
CC List:	6 users (show)
Fixed In Version:	qemu-kvm-0.12.1.2-2.206.el6
Doc Type:	Bug Fix
Doc Text:	Cause: Snapshot device bookkeeping wasn't prepared for hot unplug Consequence: Unplugging the "wrong" block device could make a future snapshot operation behave unpredictably or crash Fix: Fix the bookkeeping Result: Unplugging block devices no longer endangers future snapshot operations
Clone Of:
Environment:
Last Closed:	2011-12-06 16:04:59 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:1531	0	normal	SHIPPED_LIVE	Moderate: qemu-kvm security, bug fix, and enhancement update	2011-12-06 01:23:30 UTC

Description Markus Armbruster 2011-10-04 12:57:51 UTC

Description of problem:
savevm.c keeps a pointer to the snapshot block device.  If you manage to get that device deleted, the pointer dangles, and the next snapshot operation will crash & burn.

Version-Release number of selected component (if applicable):
qemu-kvm-0.12.1.2-2.195.el6

How reproducible:
100% for me, but use-after-free bugs like this one are always somewhat unpredictable

Steps to Reproduce:
1. Start a VM without a snapshot device
2. Create a snapshot device, examine it, and destroy it
3. Examine the (destroyed) snapshot device

Actual results:
$ MALLOC_PERTURB_=234 rhel6-qemu-kvm --nodefaults --enable-kvm -vnc :0 -S -m 384 -monitor stdio -usb
QEMU 0.12.1 monitor - type 'help' for more information
(qemu) info snapshots
No available block device supports snapshots
(qemu) __com.redhat_drive_add id=none1,file=tmp.qcow2
(qemu) device_add usb-storage,id=foo,drive=none1
(qemu) info snapshots
Snapshot devices: none1
Snapshot list (from none1):
ID        TAG                 VM SIZE                DATE       VM CLOCK
(qemu) device_del foo
(qemu) info snapshots
Snapshot devices:
Segmentation fault (core dumped)

Expected results:
Print "No available block device supports snapshots" instead of crashing.

Additional info:
Fixed in upstream qemu commit f9092b10.

Comment 6 juzhang 2011-10-20 08:46:17 UTC

Reproduced with qemu-kvm-0.12.1.2-2.195.el6.
1. boot guest
#MALLOC_PERTURB_=234 /usr/libexec/qemu-kvm -m 384 --enable-kvm --nodefaults -monitor stdio -usb -S -vnc :0
2.(qemu) info snapshots 
No available block device supports snapshots
3.(qemu) __com.redhat_drive_add id=none1,file=tmp.qcow2
4.(qemu) device_add usb-storage,id=foo,drive=none1
(qemu) info snapshots 
5.Snapshot devices: none1
Snapshot list (from none1):
ID        TAG                 VM SIZE                DATE       VM CLOCK
6.(qemu) device_del foo
7.(qemu) info snapshots 

Results:
Snapshot devices:
Segmentation fault (core dumped)

Verified with qemu-kvm-0.12.1.2-2.199.el6.
After step7

Results:
(qemu) info snapshots 
No available block device supports snapshots

Comment 7 juzhang 2011-10-28 05:32:55 UTC

We also did virtual block and usb device functional testing,did not find block
or regression bugs.
https://tcms.engineering.redhat.com/run/29499/
https://tcms.engineering.redhat.com/run/29338/

Comment 10 Eduardo Habkost 2011-10-28 17:58:35 UTC

Moving to ON_QA because Errata Tool did not do it

Comment 12 Markus Armbruster 2011-11-18 09:30:35 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: Snapshot device bookkeeping wasn't prepared for hot unplug
Consequence: Unplugging the snapshot device could make a future snapshot operation behave unpredictably or crash
Fix: Fix the bookkeeping
Result: Unplugging the snapshot device is now safe

Comment 13 Markus Armbruster 2011-11-18 09:38:05 UTC

    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,4 +1,4 @@
 Cause: Snapshot device bookkeeping wasn't prepared for hot unplug
-Consequence: Unplugging the snapshot device could make a future snapshot operation behave unpredictably or crash
+Consequence: Unplugging the "wrong" block device could make a future snapshot operation behave unpredictably or crash
 Fix: Fix the bookkeeping
-Result: Unplugging the snapshot device is now safe+Result: Unplugging block devices no longer endangers future snapshot operations

Comment 14 errata-xmlrpc 2011-12-06 16:04:59 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1531.html

Note You need to log in before you can comment on or make changes to this bug.