QEMU

seg fault in ivshmem when using ioeventfd=on

Bug #1314857 reported by Gene Snider on 2014-05-01

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	QEMU	Fix Released	Undecided	Unassigned
	qemu-kvm (Ubuntu)	Confirmed	Medium	Unassigned

Bug Description

When launching qemu with the ivshmem device and the nahanni guest server there is segmentation fault in the setup_ioeventfds function of ivshmem.c. If the ioeventfd=on flag is set the pci_ivshmem_init will call setup_ioeventfds at line 668. This function relies on the 'peers' member of the server info which is not allocated until line 669.

To reproduce you will need the nahanni guest server code. The driver code is not needed. You will also need a qcow2 or other bootable image to use for launching qemu. The error occurs before the actual image launch.

Start the nahanni ivshmem server with a small global memory space ( although the bug is not allocation specific )
ivshmem -m 1 -n 2 -p /tmp/ivshmem_socket

Next launch qemu with initialization for the ivshmem device.
qemu-system-x86_64 -hda test_iso.qcow2 -localtime -boot c -chardev socket,path="/tmp/ivshmem_socket",id=ivshmem_socket -device ivshmem,chardev=ivshmem_socket,size=1,ioeventfd=on

If gdb is used the following error is recorded:
Program received signal SIGSEGV, Segmentation fault.
0x000055555579dd52 in setup_ioeventfds (s=0x555556619580)
at /home/genes/work/ubuntu/qemu-kvm-1.0+noroms/hw/ivshmem.c:367
367 for (j = 0; j < s->peers[i].nb_eventfds; j++) {
(gdb) print s->peers
$2 = (Peer *) 0x0

Revision history for this message

Gene Snider (gene-4) wrote on 2014-05-01:

When I tried the same thing with git master (latest) I get a different error:
qemu_chr_fe_claim_no_fail: error chardev "(null)" already used

Revision history for this message

Cam Macdonell (cam-cs) wrote on 2014-05-15: Re: [Qemu-devel] [Bug 1314857] Re: seg fault in ivshmem when using ioeventfd=on

Hello,

The patch for this later bug has been proposed. I'm not sure why it's not
merged.

http://patchwork.ozlabs.org/patch/316785/

Cheers,
Cam

On Thu, May 1, 2014 at 10:53 AM, Gene Snider <email address hidden> wrote:

> When I tried the same thing with git master (latest) I get a different
> error:
> qemu_chr_fe_claim_no_fail: error chardev "(null)" already used
>
> ** Also affects: qemu-kvm (Ubuntu)
> Importance: Undecided
> Status: New
>
> --
> You received this bug notification because you are a member of qemu-
> devel-ml, which is subscribed to QEMU.
> https://bugs.launchpad.net/bugs/1314857
>
> Title:
> seg fault in ivshmem when using ioeventfd=on
>
> Status in QEMU:
> New
> Status in “qemu-kvm” package in Ubuntu:
> New
>
> Bug description:
> When launching qemu with the ivshmem device and the nahanni guest
> server there is segmentation fault in the setup_ioeventfds function of
> ivshmem.c. If the ioeventfd=on flag is set the pci_ivshmem_init will
> call setup_ioeventfds at line 668. This function relies on the 'peers'
> member of the server info which is not allocated until line 669.
>
> To reproduce you will need the nahanni guest server code. The driver
> code is not needed. You will also need a qcow2 or other bootable image
> to use for launching qemu. The error occurs before the actual image
> launch.
>
> Start the nahanni ivshmem server with a small global memory space (
> although the bug is not allocation specific )
> ivshmem -m 1 -n 2 -p /tmp/ivshmem_socket
>
> Next launch qemu with initialization for the ivshmem device.
> qemu-system-x86_64 -hda test_iso.qcow2 -localtime -boot c -chardev
> socket,path="/tmp/ivshmem_socket",id=ivshmem_socket -device
> ivshmem,chardev=ivshmem_socket,size=1,ioeventfd=on
>
> If gdb is used the following error is recorded:
> Program received signal SIGSEGV, Segmentation fault.
> 0x000055555579dd52 in setup_ioeventfds (s=0x555556619580)
> at /home/genes/work/ubuntu/qemu-kvm-1.0+noroms/hw/ivshmem.c:367
> 367 for (j = 0; j < s->peers[i].nb_eventfds; j++) {
> (gdb) print s->peers
> $2 = (Peer *) 0x0
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/qemu/+bug/1314857/+subscriptions
>
>

Hello,

The patch for this later bug has been proposed.   I'm not sure why it's not
merged.

http://patchwork.ozlabs.org/patch/316785/

Cheers,
Cam

On Thu, May 1, 2014 at 10:53 AM, Gene Snider <gene@cvtt.net> wrote:

> When I tried the same thing with git master (latest)  I get a different
> error:
> qemu_chr_fe_claim_no_fail: error chardev "(null)" already used
>
> ** Also affects: qemu-kvm (Ubuntu)
>    Importance: Undecided
>        Status: New
>
> --
> You received this bug notification because you are a member of qemu-
> devel-ml, which is subscribed to QEMU.
> https://bugs.launchpad.net/bugs/1314857
>
> Title:
>   seg fault in ivshmem when using ioeventfd=on
>
> Status in QEMU:
>   New
> Status in “qemu-kvm” package in Ubuntu:
>   New
>
> Bug description:
>   When launching qemu with the ivshmem device and the nahanni guest
>   server there is segmentation fault in the setup_ioeventfds function of
>   ivshmem.c. If the ioeventfd=on flag is set the pci_ivshmem_init will
>   call setup_ioeventfds at line 668. This function relies on the 'peers'
>   member of the server info which is not allocated until line 669.
>
>   To reproduce you will need the nahanni guest server code. The driver
>   code is not needed. You will also need a qcow2 or other bootable image
>   to use for launching qemu. The error occurs before the actual image
>   launch.
>
>   Start the nahanni ivshmem server with a small global memory space (
> although the bug is not allocation specific )
>   ivshmem -m 1 -n 2 -p /tmp/ivshmem_socket
>
>   Next launch qemu with initialization for the ivshmem device.
>   qemu-system-x86_64 -hda test_iso.qcow2 -localtime -boot c -chardev
> socket,path="/tmp/ivshmem_socket",id=ivshmem_socket -device
> ivshmem,chardev=ivshmem_socket,size=1,ioeventfd=on
>
>   If gdb is used the following error is recorded:
>   Program received signal SIGSEGV, Segmentation fault.
>   0x000055555579dd52 in setup_ioeventfds (s=0x555556619580)
>       at /home/genes/work/ubuntu/qemu-kvm-1.0+noroms/hw/ivshmem.c:367
>   367             for (j = 0; j < s->peers[i].nb_eventfds; j++) {
>   (gdb) print s->peers
>   $2 = (Peer *) 0x0
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/qemu/+bug/1314857/+subscriptions
>
>

Serge Hallyn (serge-hallyn) on 2014-05-30

Changed in qemu-kvm (Ubuntu):
importance:	Undecided → Medium
status:	New → Confirmed

chenglin (244549843-t) on 2015-02-11

Changed in qemu-kvm (Ubuntu):
status:	Confirmed → Invalid
status:	Invalid → Confirmed

Revision history for this message

Thomas Huth (th-huth) wrote on 2017-10-28:

Fix had been included here:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=e9d21c436f716603b3

Changed in qemu:
status:	New → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.