Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-113894

[RHEL.10.2][virual network] Hit qemu coredump when removed an interface that the guest is using from the host

Linking RHIVOS CVEs to...Migration: Automation ...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Undefined Undefined
    • None
    • rhel-10.2
    • qemu-kvm / Networking
    • None
    • Yes
    • None
    • rhel-virt-networking-core
    • None
    • False
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • Automated
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      What were you trying to do that didn't work?

      Hit qemu coredump when removed an interface that the guest is using from the host.

      What is the impact of this issue to you?

      This is negative case to check if can works well afer removed interface from host while guest using it. But hit qemu core dump means that the product is vulnerable, so I think this should be a high priority issue.

      Please provide the package NVR for which the bug is seen:

      kernel-6.12.0-126.el10.x86_64

      qemu-kvm-10.1.0-1.el10.x86_64

      edk2-ovmf-20250523-2.el10.noarch

      How reproducible is this bug?:

      100%

      Steps to reproduce

      1. Boot a guest with virtio-net device

      /usr/libexec/qemu-kvm \
-name 'avocado-vt-vm1'  \
-sandbox on,elevateprivileges=deny,obsolete=deny,resourcecontrol=deny,spawn=deny \
-blockdev '{"node-name": "file_ovmf_code", "driver": "file", "filename": "/usr/share/OVMF/OVMF_CODE.secboot.fd", "auto-read-only": true, "discard": "unmap"}' \
-blockdev '{"node-name": "drive_ovmf_code", "driver": "raw", "read-only": true, "file": "file_ovmf_code"}' \
-blockdev '{"node-name": "file_ovmf_vars", "driver": "file", "filename": "/root/avocado/data/avocado-vt/avocado-vt-vm1_rhel102-64-virtio-scsi-ovmf_qcow2_filesystem_VARS.raw", "auto-read-only": true, "discard": "unmap"}' \
-blockdev '{"node-name": "drive_ovmf_vars", "driver": "raw", "read-only": false, "file": "file_ovmf_vars"}' \
-machine q35,pflash0=drive_ovmf_code,pflash1=drive_ovmf_vars,memory-backend=mem-machine_mem \
-device '{"id": "pcie-root-port-0", "driver": "pcie-root-port", "multifunction": true, "bus": "pcie.0", "addr": "0x1", "chassis": 1}' \
-device '{"id": "pcie-pci-bridge-0", "driver": "pcie-pci-bridge", "addr": "0x0", "bus": "pcie-root-port-0"}'  \
-nodefaults \
-device '{"driver": "VGA", "bus": "pcie.0", "addr": "0x2"}' \
-m 29696 \
-object '{"size": 31138512896, "id": "mem-machine_mem", "qom-type": "memory-backend-ram"}'  \
-smp 24,maxcpus=24,cores=12,threads=1,dies=1,sockets=2  \
-cpu 'Icelake-Server-v2',+kvm_pv_unhalt \
-device '{"id": "pcie-root-port-1", "port": 1, "driver": "pcie-root-port", "addr": "0x1.0x1", "bus": "pcie.0", "chassis": 2}' \
-device '{"driver": "qemu-xhci", "id": "usb1", "bus": "pcie-root-port-1", "addr": "0x0"}' \
-device '{"driver": "usb-tablet", "id": "usb-tablet1", "bus": "usb1.0", "port": "1"}' \
-device '{"id": "pcie-root-port-2", "port": 2, "driver": "pcie-root-port", "addr": "0x1.0x2", "bus": "pcie.0", "chassis": 3}' \
-device '{"id": "virtio_scsi_pci0", "driver": "virtio-scsi-pci", "bus": "pcie-root-port-2", "addr": "0x0"}' \
-blockdev '{"node-name": "file_image1", "driver": "file", "auto-read-only": true, "discard": "unmap", "aio": "threads", "filename": "/home/kvm_autotest_root/images/rhel102-64-virtio-scsi-ovmf.qcow2", "cache": {"direct": true, "no-flush": false}}' \
-blockdev '{"node-name": "drive_image1", "driver": "qcow2", "read-only": false, "cache": {"direct": true, "no-flush": false}, "file": "file_image1"}' \
-device '{"driver": "scsi-hd", "id": "image1", "drive": "drive_image1", "write-cache": "on"}' \
-device '{"id": "pcie-root-port-3", "port": 3, "driver": "pcie-root-port", "addr": "0x1.0x3", "bus": "pcie.0", "chassis": 4}' \
-device '{"driver": "virtio-net-pci", "mac": "9a:14:db:8f:25:b1", "id": "idcqIcT0", "netdev": "idUSnlgF", "bus": "pcie-root-port-3", "addr": "0x0"}' \
-netdev  '{"id": "idUSnlgF", "type": "tap", "vhost": true}'  \
-vnc :0  \
-rtc base=utc,clock=host,driftfix=slew  \
-boot menu=off,order=cdn,once=c,strict=off \
-enable-kvm \
-device '{"id": "pcie_extra_root_port_0", "driver": "pcie-root-port", "multifunction": true, "bus": "pcie.0", "addr": "0x3", "chassis": 5}' \
-monitor stdio \

      2. ping test to verify guest interface works well 

      Ping is: ping 10.72.139.117  -c 20
--- 10.72.139.117 ping statistics ---
 20 packets transmitted, 20 received, 0% packet loss, time 19445ms
 rtt min/avg/max/mdev = 0.047/0.060/0.090/0.012 ms

       

      3. Delete this interface on host, then shutdown guest.

      ip link delete $ifname

Inside guest:
shutdown -h now

      4. Wait a moment hit qemu core dump

      [qemu output] TUNSETVNETHDRSZ ioctl() failed: File descriptor in bad state. Exiting.
[qemu output] /tmp/aexpect_oN9M681t/aexpect-g8z4yqlf.sh: line 1: 231465 Aborted                 (core dumped) MALLOC_PERTURB_=1 /usr/libexec/qemu-kvm -S -name 'avocado-vt...

      5. Unfortunately, the captured core dump information was truncated due to insufficient storage space, so it does not contain any valuable information. I will try to reproduce the issue in subsequent steps and provide detailed core dump information.

      Expected results

      There is no qemu core dump

      Actual results

      Hit qemu core dump

        1. image.png
          image.png
          399 kB
        2. image (1).png
          image (1).png
          412 kB

              hzuo@redhat.com Houqi Zuo
              rhn-support-leiyang Lei Yang
              virt-maint virt-maint
              Lei Yang Lei Yang
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated: