Bug 968174 - qemu-kvm core dump when cpu-add a negative number
Summary: qemu-kvm core dump when cpu-add a negative number
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm
Version: 7.0
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
: ---
Assignee: Igor Mammedov
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-05-29 07:18 UTC by FuXiangChun
Modified: 2014-06-18 03:28 UTC (History)

Fixed In Version: qemu-kvm-1.5.1-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 10:12:10 UTC
Target Upstream Version:
Embargoed:


Attachments
[RHEL7 qemu-kvm PATCH] pc: Fix crash when attempting to hotplug CPU with negative ID (1.40 KB, patch)
2013-06-21 12:37 UTC, Igor Mammedov

Description FuXiangChun 2013-05-29 07:18:57 UTC
Description of problem:
As subject. QMP command:
{ "execute": "cpu-add", "arguments": { "id": -1 }}.

From the QE point of view, qemu should produce an error or warning message; it shouldn't core dump.

Version-Release number of selected component (if applicable):
# uname -r
3.10.0-0.rc2.57.el7.x86_64

# rpm -qa|grep qemu-kvm
qemu-kvm-1.5.0-2.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. /usr/libexec/qemu-kvm -cpu Opteron_G2 -M pc-i440fx-1.5 -enable-kvm -m 4G -smp 1,sockets=127,cores=2,threads=1,maxcpus=254 -no-kvm-pit-reinjection -usb -device usb-tablet,id=input0 -name sluo-test -uuid `uuidgen` -rtc base=localtime,clock=host,driftfix=slew -drive file=/home/RHEL-7.0-20130403.0_x86_64.qcow3bk1,if=none,id=drive-system-disk,format=qcow2,cache=none,aio=native,werror=stop,rerror=stop -device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-system-disk -netdev tap,id=hostnet0,vhost=on,script=/etc/qemu-ifup -device virtio-net-pci,netdev=hostnet0,id=virtio-net-pci0,mac=08:2e:5f:0a:0d:b3,bus=pci.0,addr=0x5,bootindex=2 -device virtio-balloon-pci,id=ballooning,bus=pci.0,addr=0x6 -global PIIX4_PM.disable_s3=0 -global PIIX4_PM.disable_s4=0 -k en-us -vnc :2 -spice port=5931,disable-ticketing -boot menu=on -vga qxl -global qxl-vga.vram_size=67108864 -serial unix:/tmp/ttyS0,server,nowait -qmp tcp:0:4444,server,nowait -monitor stdio

2. QMP command
{ "execute": "cpu-add", "arguments": { "id": -1 }}

3.

Actual results:
(gdb) bt
#0  0x0000555555621de0 in piix4_cpu_hotplug_req (action=PLUG, cpu=0x555556a25d10, s=0x5555566f6aa0) at hw/acpi/piix4.c:646
#1  piix4_cpu_added_req (n=0x5555566f78a8, opaque=<optimized out>) at hw/acpi/piix4.c:657
#2  0x000055555585cc27 in notifier_list_notify (list=list@entry=0x555556052c78 <cpu_added_notifiers>, data=data@entry=0x555556a25d10) at util/notify.c:39
#3  0x00005555556fdefd in cpu_common_realizefn (dev=0x555556a25d10, errp=<optimized out>) at qom/cpu.c:161
#4  0x00005555557a5832 in x86_cpu_realizefn (dev=0x555556a25d10, errp=0x7fffffffc800) at /usr/src/debug/qemu-1.5.0/target-i386/cpu.c:2403
#5  0x0000555555641c0b in device_set_realized (obj=0x555556a25d10, value=<optimized out>, err=0x7fffffffc910) at hw/core/qdev.c:699
#6  0x00005555556fe8de in property_set_bool (obj=0x555556a25d10, v=<optimized out>, opaque=0x5555567332e0, name=<optimized out>, errp=0x7fffffffc910)
    at qom/object.c:1301
#7  0x00005555557011b7 in object_property_set_qobject (obj=0x555556a25d10, value=<optimized out>, name=0x555555870f4d "realized", errp=0x7fffffffc910)
    at qom/qom-qobject.c:24
#8  0x0000555555700150 in object_property_set_bool (obj=obj@entry=0x555556a25d10, value=value@entry=true, name=name@entry=0x555555870f4d "realized", 
    errp=errp@entry=0x7fffffffc910) at qom/object.c:852
#9  0x000055555576c8c7 in pc_new_cpu (cpu_model=<optimized out>, apic_id=4294967295, icc_bridge=<optimized out>, errp=0x7fffffffc958)
    at /usr/src/debug/qemu-1.5.0/hw/i386/pc.c:911
#10 0x00005555556f6abd in qmp_marshal_input_cpu_add (mon=<optimized out>, qdict=<optimized out>, ret=<optimized out>) at qmp-marshal.c:1201
#11 0x0000555555795977 in qmp_call_cmd (cmd=<optimized out>, params=0x555556a20670, mon=0x555556561c90) at /usr/src/debug/qemu-1.5.0/monitor.c:4500
#12 handle_qmp_command (parser=<optimized out>, tokens=<optimized out>) at /usr/src/debug/qemu-1.5.0/monitor.c:4566
#13 0x000055555584dbd2 in json_message_process_token (lexer=0x555556561d40, token=0x5555567330b0, type=JSON_OPERATOR, x=50, y=1) at qobject/json-streamer.c:87
#14 0x000055555585f63f in json_lexer_feed_char (lexer=lexer@entry=0x555556561d40, ch=<optimized out>, flush=flush@entry=false) at qobject/json-lexer.c:303
#15 0x000055555585f756 in json_lexer_feed (lexer=0x555556561d40, buffer=<optimized out>, size=<optimized out>) at qobject/json-lexer.c:356
#16 0x000055555584ddd1 in json_message_parser_feed (parser=<optimized out>, buffer=<optimized out>, size=<optimized out>) at qobject/json-streamer.c:110
#17 0x00005555557944c3 in monitor_control_read (opaque=<optimized out>, buf=<optimized out>, size=<optimized out>) at /usr/src/debug/qemu-1.5.0/monitor.c:4587
#18 0x00005555556efce1 in qemu_chr_be_write (len=<optimized out>, buf=0x7fffffffcba0 "}", s=0x5555564d2fe0) at qemu-char.c:177
#19 tcp_chr_read (chan=<optimized out>, cond=<optimized out>, opaque=0x5555564d2fe0) at qemu-char.c:2551
#20 0x00007ffff76edea6 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#21 0x00005555556c825a in glib_pollfds_poll () at main-loop.c:187
#22 os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:232
#23 main_loop_wait (nonblocking=<optimized out>) at main-loop.c:464
#24 0x00005555555c8b4d in main_loop () at vl.c:2029
#25 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4419

Expected results:
error message or warning, and qemu-kvm work well

Additional info:

Comment 2 Igor Mammedov 2013-05-30 15:30:57 UTC
fix queued for inclusion for the next qom-cpu pull
 https://github.com/afaerber/qemu-cpu/commit/5cf62403e2d85449ddadab4f53eb522cf63feb00

I'll post RHEL patch when I have upstream commit id.

Comment 3 Igor Mammedov 2013-06-21 12:04:34 UTC
Upstream commit id: 8de433cb0820dc1f387a2d580d255744aacd60cc
Will be in qemu 1.6.

Comment 4 Igor Mammedov 2013-06-21 12:37:54 UTC
Created attachment 763820 [details]
[RHEL7 qemu-kvm PATCH] pc: Fix crash when attempting to hotplug CPU with negative ID

Comment 5 Miroslav Rezanina 2013-07-02 08:39:28 UTC
Brought in with rebase to 1.5.1 - part of qemu-kvm-1.5.1-1.el7.

Comment 6 Xu Han 2014-01-02 03:01:39 UTC
Reproduce this bug with component:
qemu-kvm-1.5.0-2.el7.x86_64

Steps:
1. boot guest with cmdline '-smp 2,maxcpus=4,threads=1,cores=2,sockets=1'.
# /usr/libexec/qemu-kvm -nodefaults -uuid 295b5f48-c2cf-4881-9495-2a393aec84ee -name bz968174 -M pc -m 2G -cpu SandyBridge \
-smp 2,maxcpus=4,threads=1,cores=2,sockets=1 \
-qmp tcp:0:5550,server,nowait -rtc base=utc,clock=host,driftfix=slew -vga qxl -boot order=c,menu=off -spice disable-ticketing,port=5930 -drive file=/home/RHEL-7.0-x86_64-Server.qcow2,if=none,id=guest-img,cache=none,aio=native -device ide-hd,drive=guest-img,id=os-disk

2. hot add cpu using a negative number.
{ "execute": "cpu-add", "arguments": { "id": -1 }}

Results:
After step 2, qemu-kvm core dumped.
Segmentation fault (core dumped)

----
Verify this bug with component:
qemu-kvm-1.5.3-31.el7.x86_64

Same steps as above.

Results:
After step 2, QMP returns the following error and does not core dump.
{"error": {"class": "GenericError", "desc": "Invalid CPU id: -1"}}

Based on the test results above, this bug has been fixed.
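The crash in the description and the error reply in the verification above come from the same root cause: the QMP "id" argument is a signed JSON integer, but the APIC id it turns into is unsigned, so -1 silently becomes 4294967295 (the apic_id visible in frame #9 of the backtrace) and is used as an index far past any CPU table. The following C program is an added illustration of that failure mode beside a checked conversion; it is not QEMU's code and not the attached patch. The function names, the DEMO_MAX_CPUS limit and the out-of-range message for large ids are assumptions; only the "Invalid CPU id: -1" text is taken from the QMP reply of the fixed build.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of cpu-add id handling (not QEMU's code). It shows why a
 * negative id must be rejected while it is still signed, before it is cast
 * to the unsigned APIC id and used as an index.
 */

/* Assumed limit: matches maxcpus=4 from the reproducer in Comment 6. */
#define DEMO_MAX_CPUS 4

/* The unchecked path: a plain cast. -1 wraps to 4294967295. */
uint32_t unchecked_apic_id(int64_t id)
{
    return (uint32_t)id;
}

/*
 * The checked path: validate the signed value first. Returns 0 and stores
 * the APIC id on success; returns -1 and writes a message into errbuf
 * otherwise. The upper-bound check is an added assumption (the page only
 * shows the negative case).
 */
int validate_cpu_id(int64_t id, int64_t max_cpus, uint32_t *apic_id,
                    char *errbuf, size_t errlen)
{
    if (id < 0) {
        snprintf(errbuf, errlen, "Invalid CPU id: %" PRId64, id);
        return -1;
    }
    if (id >= max_cpus) {
        snprintf(errbuf, errlen, "CPU id out of range: %" PRId64, id);
        return -1;
    }
    *apic_id = (uint32_t)id;
    return 0;
}

/*
 * Builds the QMP-style reply a client would see for a cpu-add request.
 * Uses a static buffer so the result can be compared directly (not
 * thread-safe, which is fine for a demonstration).
 */
const char *cpu_add_reply(int64_t id, int64_t max_cpus)
{
    static char reply[256];
    char err[128];
    uint32_t apic_id;

    if (validate_cpu_id(id, max_cpus, &apic_id, err, sizeof err) != 0) {
        snprintf(reply, sizeof reply,
                 "{\"error\": {\"class\": \"GenericError\", \"desc\": \"%s\"}}",
                 err);
    } else {
        snprintf(reply, sizeof reply, "{\"return\": {}}");
    }
    return reply;
}

int main(void)
{
    /* Constructed inputs: the id from this bug, a valid id, and one past
     * the assumed limit. */
    int64_t ids[] = { -1, 2, 4 };
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) {
        printf("id=%" PRId64 " unchecked apic_id=%" PRIu32
               " (table size %d) -> %s\n",
               ids[i], unchecked_apic_id(ids[i]), DEMO_MAX_CPUS,
               cpu_add_reply(ids[i], DEMO_MAX_CPUS));
    }
    return 0;
}
```

Running it prints one line per input; the first shows how far out of the table the unchecked index lands, while the reply column shows the clean error a QMP client should get instead of a segmentation fault.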

Comment 9 Ludek Smid 2014-06-13 10:12:10 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

