Bug 947691 - piix-pm triggers assert during iofuzz test
Summary: piix-pm triggers assert during iofuzz test
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Gerd Hoffmann
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-04-03 03:29 UTC by Xiaoqing Wei
Modified: 2014-01-20 09:49 UTC (History)
8 users

Fixed In Version: 1.5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-01-20 09:49:02 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
tar cJf (88.46 MB, application/octet-stream)
2013-04-03 04:38 UTC, Xiaoqing Wei
no flags

Description Xiaoqing Wei 2013-04-03 03:29:35 UTC
Description of problem:

piix-pm triggers assert during iofuzz test

Per https://bugzilla.redhat.com/show_bug.cgi?id=751937#c20

Version-Release number of selected component (if applicable):

qemu-kvm-1.4.0-1.el7.x86_64
spice-server-0.12.2-1.el7.x86_64
ipxe-roms-qemu-20120328-2.gitaac9718.el7.noarch
kernel-3.8.0-0.40.el7.x86_64


How reproducible:
Only once

Steps to Reproduce:
1. /home/staf-kvm-devel/autotest-devel/client/tests/kvm/qemu
    -S 
    -name 'vm1' 
    -nodefaults 
    -chardev socket,id=qmp_id_qmpmonitor1,path=/tmp/monitor-qmpmonitor1-20130328-150255-hEDZ97E9,server,nowait 
    -mon chardev=qmp_id_qmpmonitor1,mode=control 
    -chardev socket,id=serial_id_serial1,path=/tmp/serial-serial1-20130328-150255-hEDZ97E9,server,nowait 
    -device isa-serial,chardev=serial_id_serial1  
    -chardev socket,id=seabioslog_id_20130328-150255-hEDZ97E9,path=/tmp/seabios-20130328-150255-hEDZ97E9,server,nowait 
    -device isa-debugcon,chardev=seabioslog_id_20130328-150255-hEDZ97E9,iobase=0x402 
    -device ich9-usb-uhci1,id=usb1,bus=pci.0,addr=0x4 
    -drive file='/home/staf-kvm-devel/autotest-devel/client/tests/kvm/images/RHEL-Server-6.4-64-virtio.qcow2',if=none,id=drive-virtio-disk1,media=disk,cache=none,boot=off,snapshot=off,format=qcow2,aio=native 
    -device virtio-blk-pci,bus=pci.0,addr=0x5,drive=drive-virtio-disk1,id=virtio-disk1 
    -device virtio-net-pci,netdev=idqT5zN1,mac=9a:0d:0e:0f:10:11,bus=pci.0,addr=0x3,id='idhbkgmh' 
    -netdev tap,id=idqT5zN1,vhost=on,fd=22 
    -m 8192 
    -smp 4,maxcpus=4,cores=2,threads=1,sockets=2 
    -cpu 'SandyBridge' 
    -M pc 
    -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1 
    -spice port=3000,password=123456,addr=0,tls-port=3200,x509-dir=/tmp/spice_x509d,tls-channel=main,tls-channel=inputs,image-compression=auto_glz,jpeg-wan-compression=auto,zlib-glz-wan-compression=auto,streaming-video=all,agent-mouse=on,playback-compression=on,ipv4 
    -vga qxl 
    -global qxl-vga.vram_size=33554432    
    -rtc base=utc,clock=host,driftfix=slew  
    -boot order=cdn,once=c,menu=off       
    -no-kvm-pit-reinjection 
    -enable-kvm

2. KVM iofuzz test:
    1) Log into a guest
    2) Enumerate all IO port ranges through /proc/ioports
    3) On each port of the range:
        * Read it
        * Write 0 to it
        * Write a random value to a random port in a random order

3.
Actual results:

qemu-kvm core dumps.

(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00007fd3fbe6d942 in access_with_adjusted_size (addr=addr@entry=0, value=value@entry=0x7fd3eeba0ae8, size=1, access_size_min=<optimized out>, 
    access_size_max=<optimized out>, access=access@entry=0x7fd3fbe6df60 <memory_region_write_accessor>, opaque=opaque@entry=0x7fd3fed223b8)
    at /usr/src/debug/qemu-1.4.0/memory.c:364
#2  0x00007fd3fbe6efb7 in memory_region_iorange_write (iorange=<optimized out>, offset=0, width=1, data=0) at /usr/src/debug/qemu-1.4.0/memory.c:439
#3  0x00007fd3fbe6bc22 in kvm_handle_io (count=1, size=1, direction=1, data=<optimized out>, port=45064) at /usr/src/debug/qemu-1.4.0/kvm-all.c:1426
#4  kvm_cpu_exec (env=env@entry=0x7fd3fec6b590) at /usr/src/debug/qemu-1.4.0/kvm-all.c:1581
#5  0x00007fd3fbe15871 in qemu_kvm_cpu_thread_fn (arg=0x7fd3fec6b590) at /usr/src/debug/qemu-1.4.0/cpus.c:759
#6  0x00007fd3fa087d15 in start_thread (arg=0x7fd3eeba1700) at pthread_create.c:308
#7  0x00007fd3f67b746d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:114
(gdb) 


Expected results:
Guest works well and does not crash; qemu does not core dump.

Additional info:
Host hw
processor	: 7
vendor_id	: GenuineIntel
cpu family	: 6
model		: 58
model name	: Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz
stepping	: 9
microcode	: 0x13
cpu MHz		: 1600.000
cache size	: 8192 KB
physical id	: 0
siblings	: 8
core id		: 3
cpu cores	: 4
apicid		: 7
initial apicid	: 7
fpu		: yes
fpu_exception	: yes
cpuid level	: 13
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm ida arat epb xsaveopt pln pts dtherm tpr_shadow vnmi flexpriority ept vpid fsgsbase smep erms
bogomips	: 6784.31
clflush size	: 64
cache_alignment	: 64
address sizes	: 36 bits physical, 48 bits virtual
power management:

[root@hp-z220-02 client]# free -m
             total       used       free     shared    buffers     cached
Mem:         15668      15345        323          0          1      14809
-/+ buffers/cache:        534      15133
Swap:         7967          0       7967
[root@hp-z220-02 client]#
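Added illustration of the failure pattern the backtrace above shows: frame #0 sits at address 0 underneath memory_region_write_accessor, i.e. an indirect call through a device callback table whose write slot was never filled, reached by a guest write to port 45064 (0xB008). This is a stand-alone mock written for this page, not QEMU's MemoryRegionOps or memory.c and not code from the report; the names, the 24-bit counter and the assumption that 0xB008 is a read-only timer register at PM base + 8 are mine.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
/* Stand-in for a MemoryRegionOps-style callback table (mock, not QEMU's). */
typedef struct DeviceOps {
    const char *name;
    uint64_t (*read)(void *opaque, uint64_t addr, unsigned size);
    void (*write)(void *opaque, uint64_t addr, uint64_t data, unsigned size);
} DeviceOps;
/* Read handler for a free-running, read-only 24-bit counter (PM-timer style). */
uint64_t tmr_read(void *opaque, uint64_t addr, unsigned size)
{
    (void)addr; (void)size;
    return *(const uint32_t *)opaque & 0xffffffu;
}

/* Explicit no-op write handler: the shape of fix that leaves no NULL slot. */
void tmr_write_ignored(void *opaque, uint64_t addr, uint64_t data, unsigned size)
{
    (void)opaque; (void)addr; (void)data; (void)size;
}

/* The table as the buggy device registered it, and the completed one. */
const DeviceOps tmr_ops_incomplete = { "pm-tmr", tmr_read, NULL };
const DeviceOps tmr_ops_fixed      = { "pm-tmr", tmr_read, tmr_write_ignored };

/* Calling ops->write unconditionally with .write == NULL lands the indirect
 * call on address 0 (frame #0 of the backtrace). Here a missing handler is
 * a logged, ignored write instead; returns true only if a handler ran. */
bool dispatch_write_checked(const DeviceOps *ops, void *opaque,
                            uint64_t addr, uint64_t data, unsigned size)
{
    if (ops->write == NULL) {
        fprintf(stderr, "%s: ignoring unhandled write to 0x%" PRIx64 "\n", ops->name, addr);
        return false;
    }
    ops->write(opaque, addr, data, size);
    return true;
}

/* Registration-time audit: find empty slots before an iofuzz run from a guest does. */
size_t count_incomplete_ops(const DeviceOps *const tables[], size_t n)
{
    size_t missing = 0;
    for (size_t i = 0; i < n; i++)
        if (tables[i]->read == NULL || tables[i]->write == NULL)
            missing++;
    return missing;
}
```

The audit is the check worth running at device-registration time: a guest-reachable NULL callback is a hypervisor denial of service, and a simple table walk finds it without any fuzzing.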

Comment 1 Xiaoqing Wei 2013-04-03 03:30:40 UTC
# gdb qemu-kvm /home/staf-kvm-devel/autotest-devel/client/results/default/kvm.smp4.8192m.repeat1.Host_RHEL.7.0.spice.qcow2.virtio_blk.virtio_net.RHEL.6.4.64.iofuzz/debug/crash.qemu.18456/core < bt.full 
GNU gdb (GDB) Red Hat Enterprise Linux (7.5.1-34.el7)
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/qemu-kvm...Reading symbols from /usr/lib/debug/usr/libexec/qemu-kvm.debug...done.
done.

warning: core file may not match specified executable file.
[New LWP 18460]
[New LWP 18464]
[New LWP 18456]
[New LWP 18463]
[New LWP 18461]
[New LWP 18462]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

warning: Skipping deprecated .gdb_index section in /usr/lib/debug/lib64/libkeyutils.so.1.4.debug.
Do "set use-deprecated-index-sections on" before the file is read
to use the section anyway.
Core was generated by `/home/staf-kvm-devel/autotest-devel/client/tests/kvm/qemu -S -name vm1 -nodefau'.
Program terminated with signal 11, Segmentation fault.
#0  0x0000000000000000 in ?? ()
(gdb) #0  0x0000000000000000 in ?? ()
No symbol table info available.
#1  0x00007fd3fbe6d942 in access_with_adjusted_size (addr=addr@entry=0, value=value@entry=0x7fd3eeba0ae8, size=1, access_size_min=<optimized out>, 
    access_size_max=<optimized out>, access=access@entry=0x7fd3fbe6df60 <memory_region_write_accessor>, opaque=opaque@entry=0x7fd3fed223b8)
    at /usr/src/debug/qemu-1.4.0/memory.c:364
        access_mask = 255
        access_size = 1
        i = <optimized out>
#2  0x00007fd3fbe6efb7 in memory_region_iorange_write (iorange=<optimized out>, offset=0, width=1, data=0) at /usr/src/debug/qemu-1.4.0/memory.c:439
        mrio = <optimized out>
        mr = 0x7fd3fed223b8
        __PRETTY_FUNCTION__ = "memory_region_iorange_write"
#3  0x00007fd3fbe6bc22 in kvm_handle_io (count=1, size=1, direction=1, data=<optimized out>, port=45064) at /usr/src/debug/qemu-1.4.0/kvm-all.c:1426
        i = 0
        ptr = 0x7fd3fbbf1000 <Address 0x7fd3fbbf1000 out of bounds>
#4  kvm_cpu_exec (env=env@entry=0x7fd3fec6b590) at /usr/src/debug/qemu-1.4.0/kvm-all.c:1581
        cpu = 0x7fd3fec6b4a0
        run = 0x7fd3fbbf0000
        ret = <optimized out>
        run_ret = <optimized out>
#5  0x00007fd3fbe15871 in qemu_kvm_cpu_thread_fn (arg=0x7fd3fec6b590) at /usr/src/debug/qemu-1.4.0/cpus.c:759
        cpu = 0x7fd3fec6b4a0
        r = <optimized out>
#6  0x00007fd3fa087d15 in start_thread (arg=0x7fd3eeba1700) at pthread_create.c:308
        __res = <optimized out>
        pd = 0x7fd3eeba1700
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140548220000000, -4763835060918303541, 0, 140548438478848, 140548220000000, 140548442151884, 
                4775126448736945355, 4775083687543293131}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, 
              canceltype = 0}}}
        not_first_call = 0
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
#7  0x00007fd3f67b746d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:114
No locals.
(gdb) quit
[root@hp-z220-02 client]#

Comment 3 Xiaoqing Wei 2013-04-03 04:38:41 UTC
Created attachment 731042 [details]
tar cJf

Comment 4 Gerd Hoffmann 2013-05-14 12:30:03 UTC
http://patchwork.ozlabs.org/patch/243694/

Comment 5 Gerd Hoffmann 2013-06-12 12:23:59 UTC
upstream commit 2d3b989529727ccace243b953a181fbae04a30d1

Comment 7 Gerd Hoffmann 2014-01-20 09:49:02 UTC
Made it into upstream release 1.5, so rhel7 has the fix.

