Bug 968174 - qemu-kvm core dump when cpu-add a negative number
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm
Version: 7.0
Hardware: x86_64 Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Igor Mammedov
QA Contact: Virtualization Bugs
Reported: 2013-05-29 03:18 EDT by FuXiangChun
Modified: 2014-06-17 23:28 EDT
Fixed In Version: qemu-kvm-1.5.1-1.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 06:12:10 EDT
Type: Bug
Attachments:
[RHEL7 qemu-kvm PATCH] pc: Fix crash when attempting to hotplug CPU with negative ID (1.40 KB, patch), 2013-06-21 08:37 EDT, Igor Mammedov
Description FuXiangChun 2013-05-29 03:18:57 EDT
Description of problem:
As subject. QMP command:
{ "execute": "cpu-add", "arguments": { "id": -1 }}

From QE point of view, qemu should result in an error or warning message, and shouldn't core dump.

Version-Release number of selected component (if applicable):
# uname -r
3.10.0-0.rc2.57.el7.x86_64

# rpm -qa|grep qemu-kvm
qemu-kvm-1.5.0-2.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1./usr/libexec/qemu-kvm -cpu Opteron_G2 -M pc-i440fx-1.5 -enable-kvm -m 4G -smp 1,sockets=127,cores=2,threads=1,maxcpus=254 -no-kvm-pit-reinjection -usb -device usb-tablet,id=input0 -name sluo-test -uuid `uuidgen` -rtc base=localtime,clock=host,driftfix=slew -drive file=/home/RHEL-7.0-20130403.0_x86_64.qcow3bk1,if=none,id=drive-system-disk,format=qcow2,cache=none,aio=native,werror=stop,rerror=stop -device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-system-disk -netdev tap,id=hostnet0,vhost=on,script=/etc/qemu-ifup -device virtio-net-pci,netdev=hostnet0,id=virtio-net-pci0,mac=08:2e:5f:0a:0d:b3,bus=pci.0,addr=0x5,bootindex=2 -device virtio-balloon-pci,id=ballooning,bus=pci.0,addr=0x6 -global PIIX4_PM.disable_s3=0 -global PIIX4_PM.disable_s4=0 -k en-us -vnc :2 -spice port=5931,disable-ticketing -boot menu=on -vga qxl -global qxl-vga.vram_size=67108864 -serial unix:/tmp/ttyS0,server,nowait -qmp tcp:0:4444,server,nowait -monitor stdio

2. qmp command
{ "execute": "cpu-add", "arguments": { "id": -1 }}

Actual results:
(gdb) bt
#0  0x0000555555621de0 in piix4_cpu_hotplug_req (action=PLUG, cpu=0x555556a25d10, s=0x5555566f6aa0) at hw/acpi/piix4.c:646
#1  piix4_cpu_added_req (n=0x5555566f78a8, opaque=<optimized out>) at hw/acpi/piix4.c:657
#2  0x000055555585cc27 in notifier_list_notify (list=list@entry=0x555556052c78 <cpu_added_notifiers>, data=data@entry=0x555556a25d10) at util/notify.c:39
#3  0x00005555556fdefd in cpu_common_realizefn (dev=0x555556a25d10, errp=<optimized out>) at qom/cpu.c:161
#4  0x00005555557a5832 in x86_cpu_realizefn (dev=0x555556a25d10, errp=0x7fffffffc800) at /usr/src/debug/qemu-1.5.0/target-i386/cpu.c:2403
#5  0x0000555555641c0b in device_set_realized (obj=0x555556a25d10, value=<optimized out>, err=0x7fffffffc910) at hw/core/qdev.c:699
#6  0x00005555556fe8de in property_set_bool (obj=0x555556a25d10, v=<optimized out>, opaque=0x5555567332e0, name=<optimized out>, errp=0x7fffffffc910)
    at qom/object.c:1301
#7  0x00005555557011b7 in object_property_set_qobject (obj=0x555556a25d10, value=<optimized out>, name=0x555555870f4d "realized", errp=0x7fffffffc910)
    at qom/qom-qobject.c:24
#8  0x0000555555700150 in object_property_set_bool (obj=obj@entry=0x555556a25d10, value=value@entry=true, name=name@entry=0x555555870f4d "realized", 
    errp=errp@entry=0x7fffffffc910) at qom/object.c:852
#9  0x000055555576c8c7 in pc_new_cpu (cpu_model=<optimized out>, apic_id=4294967295, icc_bridge=<optimized out>, errp=0x7fffffffc958)
    at /usr/src/debug/qemu-1.5.0/hw/i386/pc.c:911
#10 0x00005555556f6abd in qmp_marshal_input_cpu_add (mon=<optimized out>, qdict=<optimized out>, ret=<optimized out>) at qmp-marshal.c:1201
#11 0x0000555555795977 in qmp_call_cmd (cmd=<optimized out>, params=0x555556a20670, mon=0x555556561c90) at /usr/src/debug/qemu-1.5.0/monitor.c:4500
#12 handle_qmp_command (parser=<optimized out>, tokens=<optimized out>) at /usr/src/debug/qemu-1.5.0/monitor.c:4566
#13 0x000055555584dbd2 in json_message_process_token (lexer=0x555556561d40, token=0x5555567330b0, type=JSON_OPERATOR, x=50, y=1) at qobject/json-streamer.c:87
#14 0x000055555585f63f in json_lexer_feed_char (lexer=lexer@entry=0x555556561d40, ch=<optimized out>, flush=flush@entry=false) at qobject/json-lexer.c:303
#15 0x000055555585f756 in json_lexer_feed (lexer=0x555556561d40, buffer=<optimized out>, size=<optimized out>) at qobject/json-lexer.c:356
#16 0x000055555584ddd1 in json_message_parser_feed (parser=<optimized out>, buffer=<optimized out>, size=<optimized out>) at qobject/json-streamer.c:110
#17 0x00005555557944c3 in monitor_control_read (opaque=<optimized out>, buf=<optimized out>, size=<optimized out>) at /usr/src/debug/qemu-1.5.0/monitor.c:4587
#18 0x00005555556efce1 in qemu_chr_be_write (len=<optimized out>, buf=0x7fffffffcba0 "}", s=0x5555564d2fe0) at qemu-char.c:177
#19 tcp_chr_read (chan=<optimized out>, cond=<optimized out>, opaque=0x5555564d2fe0) at qemu-char.c:2551
#20 0x00007ffff76edea6 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#21 0x00005555556c825a in glib_pollfds_poll () at main-loop.c:187
#22 os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:232
#23 main_loop_wait (nonblocking=<optimized out>) at main-loop.c:464
#24 0x00005555555c8b4d in main_loop () at vl.c:2029
#25 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4419

Expected results:
error message or warning, and qemu-kvm work well

Additional info:
Comment 2 Igor Mammedov 2013-05-30 11:30:57 EDT
fix queued for inclusion for the next qom-cpu pull
 https://github.com/afaerber/qemu-cpu/commit/5cf62403e2d85449ddadab4f53eb522cf63feb00

I'll post RHEL patch when I have upstream commit id.
Comment 3 Igor Mammedov 2013-06-21 08:04:34 EDT
Upstream commit id: 8de433cb0820dc1f387a2d580d255744aacd60cc
Will be in qemu 1.6.
Comment 4 Igor Mammedov 2013-06-21 08:37:54 EDT
Created attachment 763820 [details]
[RHEL7 qemu-kvm PATCH] pc: Fix crash when attempting to hotplug CPU with negative ID
Comment 5 Miroslav Rezanina 2013-07-02 04:39:28 EDT
Brought in with rebase to 1.5.1 - part of qemu-kvm-1.5.1-1.el7.
Comment 6 Xu Han 2014-01-01 22:01:39 EST
Reproduced this bug with component:
qemu-kvm-1.5.0-2.el7.x86_64

Steps:
1. boot guest with cmdline '-smp 2,maxcpus=4,threads=1,cores=2,sockets=1'.
# /usr/libexec/qemu-kvm -nodefaults -uuid 295b5f48-c2cf-4881-9495-2a393aec84ee -name bz968174 -M pc -m 2G -cpu SandyBridge \
-smp 2,maxcpus=4,threads=1,cores=2,sockets=1 \
-qmp tcp:0:5550,server,nowait -rtc base=utc,clock=host,driftfix=slew -vga qxl -boot order=c,menu=off -spice disable-ticketing,port=5930 -drive file=/home/RHEL-7.0-x86_64-Server.qcow2,if=none,id=guest-img,cache=none,aio=native -device ide-hd,drive=guest-img,id=os-disk

2. hot add cpu using a negative number.
{ "execute": "cpu-add", "arguments": { "id": -1 }}

Results:
After step2, qemu-kvm core dumped.
Segmentation fault (core dumped)

----
Verify this bug with component:
qemu-kvm-1.5.3-31.el7.x86_64

Same steps as above.

Results:
After step 2, QMP returns the following error and does not core dump.
{"error": {"class": "GenericError", "desc": "Invalid CPU id: -1"}}

Based on the test results above, this bug has been fixed.
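The two behaviours seen on this page (apic_id=4294967295 in frame #9 of the backtrace before the fix, the "Invalid CPU id: -1" error after it) come down to one thing: the QMP "id" is a signed 64-bit integer, and nothing range-checked it before it was converted to an unsigned APIC id and used as a bitmap index. The following is an added C model of that path, not QEMU's own code; MAX_CPUS (chosen to match maxcpus=4 in the reproduction above), the bitmap size and the upper-bound error text are assumptions.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the cpu-add path in this bug; not QEMU's code. */
#define MAX_CPUS 4            /* assumed: matches -smp ...,maxcpus=4 above */
#define CPU_STS_BYTES 32      /* assumed size of the per-CPU status bitmap */

static uint8_t cpu_sts[CPU_STS_BYTES];   /* one presence bit per CPU id */
static char last_error[64];

/* Pre-fix flow: the signed QMP id is narrowed to an unsigned APIC id.
 * -1 becomes 4294967295, the apic_id shown in frame #9 of the backtrace. */
uint32_t apic_id_unchecked(int64_t id)
{
    return (uint32_t)id;
}

/* Whether the unchecked id would index inside the bitmap. A false result
 * is an out-of-bounds write in the pre-fix code, hence the segfault. */
int unchecked_index_in_bounds(int64_t id)
{
    return apic_id_unchecked(id) / 8 < CPU_STS_BYTES;
}

/* Post-fix flow: reject the id before any unsigned value is derived from it.
 * Returns 0 on success, -1 on error; cpu_add_error() holds the message.
 * The negative-id text is the one the fixed build returns in comment 6;
 * the upper-bound text is constructed for this example. */
int cpu_add_checked(int64_t id)
{
    if (id < 0) {
        snprintf(last_error, sizeof last_error, "Invalid CPU id: %" PRIi64, id);
        return -1;
    }
    if (id >= MAX_CPUS) {
        snprintf(last_error, sizeof last_error,
                 "CPU id %" PRIi64 " exceeds maxcpus=%d", id, MAX_CPUS);
        return -1;
    }
    last_error[0] = '\0';
    cpu_sts[id / 8] |= (uint8_t)(1u << (id % 8));   /* index is in bounds now */
    return 0;
}

const char *cpu_add_error(void) { return last_error; }

/* Reads the presence bit; also range-checks so it can never read past the map. */
int cpu_present(int64_t id)
{
    return id >= 0 && id < MAX_CPUS && ((cpu_sts[id / 8] >> (id % 8)) & 1);
}
```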
Comment 9 Ludek Smid 2014-06-13 06:12:10 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
