Bug 1003162
| Summary: | qemu segfaults when libvirt queries query-tpm-types (i686) | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Richard W.M. Jones <rjones> |
| Component: | qemu | Assignee: | Fedora Virtualization Maintainers <virt-maint> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rawhide | CC: | amit.shah, berrange, cfergeau, crobinso, dwmw2, itamar, john_antony40, pbonzini, rjones, scottt.tw, virt-maint |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-09-04 13:09:04 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 910269 | | |

Description
Richard W.M. Jones
2013-08-31 10:43:25 UTC
So I realized I had an out of date repository link, hence qemu wasn't fully up to date. However, this still happens with qemu-1.6.0-5.fc21.i686 which is the latest version. Finally I managed to get a stack trace. Rawhide is especially buggy today.
Thread 1 (Thread 0xb3d5b900 (LWP 4581)):
#0 output_type_enum (v=0xb9810590, obj=0x10,
strings=0xb7817ea0 <TpmType_lookup>, kind=0xb76c7dd0 "TpmType", name=0x0,
errp=0xbfa1ddf8) at qapi/qapi-visit-core.c:306
#1 0xb7674125 in visit_type_enum (v=v@entry=0xb9810590, obj=0x10,
strings=0xb7817ea0 <TpmType_lookup>, kind=kind@entry=0xb76c7dd0 "TpmType",
name=name@entry=0x0, errp=errp@entry=0xbfa1ddf8)
at qapi/qapi-visit-core.c:114
#2 0xb7577b74 in visit_type_TpmType (errp=0xbfa1ddf8, name=0x0,
obj=<optimized out>, m=0xb9810590) at qapi-visit.c:5220
#3 visit_type_TpmTypeList (m=0xb9810590, obj=obj@entry=0xbfa1de48,
name=name@entry=0xb769f952 "unused", errp=errp@entry=0xbfa1de44)
at qapi-visit.c:5206
#4 0xb759211e in qmp_marshal_output_query_tpm_types (errp=0xbfa1de44,
ret_out=0xbfa1dea8, ret_in=0xb9811420) at qmp-marshal.c:3795
#5 qmp_marshal_input_query_tpm_types (mon=0xb98054d0, qdict=0xb9809cd8,
ret=0xbfa1dea8) at qmp-marshal.c:3817
#6 0xb7637e6a in qmp_call_cmd (cmd=<optimized out>, params=0xb9809cd8,
mon=0xb98054d0) at /usr/src/debug/qemu-1.6.0/monitor.c:4501
#7 handle_qmp_command (parser=0xb980552c, tokens=0xb9805078)
at /usr/src/debug/qemu-1.6.0/monitor.c:4567
#8 0xb767a6df in json_message_process_token (lexer=0xb9805530,
token=0xb980ff08, type=JSON_OPERATOR, x=47, y=26)
at qobject/json-streamer.c:87
#9 0xb768e29b in json_lexer_feed_char (lexer=lexer@entry=0xb9805530,
ch=<optimized out>, flush=flush@entry=false) at qobject/json-lexer.c:303
#10 0xb768e3c8 in json_lexer_feed (lexer=lexer@entry=0xb9805530,
buffer=buffer@entry=0xbfa1e06c "}", size=size@entry=1)
at qobject/json-lexer.c:356
#11 0xb767a8fb in json_message_parser_feed (parser=0xb980552c,
buffer=buffer@entry=0xbfa1e06c "}", size=size@entry=1)
at qobject/json-streamer.c:110
#12 0xb76368eb in monitor_control_read (opaque=0xb98054d0, buf=0xbfa1e06c "}",
size=1) at /usr/src/debug/qemu-1.6.0/monitor.c:4588
#13 0xb757f6ba in qemu_chr_be_write (len=1, buf=0xbfa1e06c "}", s=0xb9803a00)
at qemu-char.c:165
#14 tcp_chr_read (chan=0xb9805bc0, cond=G_IO_IN, opaque=0xb9803a00)
at qemu-char.c:2509
#15 0xb72e0876 in g_io_unix_dispatch () from /usr/lib/libglib-2.0.so.0
#16 0xb729a286 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#17 0xb7547d9a in glib_pollfds_poll () at main-loop.c:188
#18 os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:233
#19 main_loop_wait (nonblocking=1) at main-loop.c:465
#20 0xb73edd21 in main_loop () at vl.c:2090
#21 main (argc=12, argv=0xbfa1f414, envp=0xbfa1f448) at vl.c:4432
Unfortunately the full monitor command is optimized out, but looking at the stack trace it seems as if libvirt is sending the json command "query-tpm-types", and qemu is segfaulting when trying to print the reply. OK, it's a qemu bug. Here is a simple reproducer:
$ qemu-system-i386 -S -nodefaults -nographic -M none -qmp stdio
{"QMP": {"version": {"qemu": {"micro": 0, "minor": 6, "major": 1}, "package": ""}, "capabilities": []}}
{"execute":"qmp_capabilities"}
{"return": {}}
{"execute":"query-status"}
{"return": {"status": "prelaunch", "singlestep": false, "running": false}}
{"execute":"query-tpm-types"}
Segmentation fault (core dumped)
Reproducer in one (long) line of code:
(sleep 5; printf '{"execute":"qmp_capabilities"}\n{"execute":"query-tpm-types"}\n') | qemu-system-i386 -S -nodefaults -nographic -M none -qmp stdio
For me:
- Fails: Fedora qemu-1.6.0-5.fc21.i686
- Works: upstream qemu git on x86-64
- Works: upstream qemu git on i686
- Works: qemu @ v1.6.0 on i686
So it must be a patch that we're applying in Fedora, or else
some stack hardening stuff.
Actually it's because Fedora uses ./configure --enable-tpm

Building with that flag:
- Fails: Fedora qemu-1.6.0-5.fc21.i686
- Works: upstream qemu git on x86-64
- Fails: upstream qemu git on i686
- Fails: qemu @ v1.6.0 on i686

Since this is an upstream bug, I have filed a bug there:
https://bugs.launchpad.net/qemu/+bug/1219207

*** Bug 998759 has been marked as a duplicate of this bug. ***

I've posted a patch upstream for this.

Fixed in qemu-1.6.0-6.fc21
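The reproducer in the description, driven from a script, as an added example that is not part of the bug report and not code from qemu or libvirt. It performs the same QMP exchange (greeting, qmp_capabilities, query-tpm-types) and tells a normal reply apart from the peer vanishing mid-session, which is how the segfault presents to a QMP client such as libvirt: the stream simply hits EOF with no reply. The qemu command line is the one from the report; the offline transcripts are constructed from the greeting and `{"return": {}}` lines printed above, and the TPM type name "passthrough" in the fixed-build transcript is a placeholder assumption.

```python
"""Scripted QMP probe for the query-tpm-types crash (added example)."""
import io
import json
import subprocess

# Command line from the bug report; qemu-system-i386 must be on PATH for main().
QEMU_CMD = ["qemu-system-i386", "-S", "-nodefaults", "-nographic",
            "-M", "none", "-qmp", "stdio"]


class QMPPeerGone(Exception):
    """The stream hit EOF mid-session: qemu exited or crashed."""


class QMPSession:
    """Minimal QMP client over a text reader/writer pair (e.g. -qmp stdio)."""

    def __init__(self, reader, writer):
        self.reader = reader    # lines qemu -> client
        self.writer = writer    # lines client -> qemu
        self.greeting = None

    def _read_msg(self):
        line = self.reader.readline()
        if not line:            # a crashed qemu sends nothing, just EOF
            raise QMPPeerGone("EOF from QMP peer")
        return json.loads(line)

    def negotiate(self):
        """Consume the greeting, leave capabilities mode, return qemu version."""
        self.greeting = self._read_msg()
        if "QMP" not in self.greeting:
            raise ValueError("expected QMP greeting, got %r" % (self.greeting,))
        self.execute("qmp_capabilities")
        return self.greeting["QMP"]["version"]["qemu"]

    def execute(self, command, arguments=None):
        """Send one command and return its 'return' payload, skipping events."""
        msg = {"execute": command}
        if arguments:
            msg["arguments"] = arguments
        self.writer.write(json.dumps(msg) + "\n")
        self.writer.flush()
        while True:
            resp = self._read_msg()
            if "event" in resp:     # asynchronous events may interleave
                continue
            if "error" in resp:     # rejected command, but qemu is still alive
                err = resp["error"]
                raise RuntimeError("%s: %s: %s" % (command, err.get("class"), err.get("desc")))
            return resp["return"]


def probe_tpm_types(reader, writer):
    """Run the reproducer exchange; report where (if anywhere) the peer vanished."""
    result = {"version": None, "tpm_types": None, "peer_gone_during": None}
    session = QMPSession(reader, writer)
    try:
        v = session.negotiate()
        result["version"] = "%d.%d.%d" % (v["major"], v["minor"], v["micro"])
        result["tpm_types"] = session.execute("query-tpm-types")
    except QMPPeerGone:
        result["peer_gone_during"] = "query-tpm-types" if result["version"] else "negotiation"
    return result


def probe_transcript(transcript):
    """Replay a canned qemu->client transcript offline; return (result, lines sent)."""
    sent = io.StringIO()
    result = probe_tpm_types(io.StringIO(transcript), sent)
    return result, sent.getvalue().splitlines()


# Constructed transcripts: greeting and qmp_capabilities reply as printed in the
# report, then EOF where the segfault cut the stream.
CRASH_TRANSCRIPT = (
    '{"QMP": {"version": {"qemu": {"micro": 0, "minor": 6, "major": 1}, '
    '"package": ""}, "capabilities": []}}\n'
    '{"return": {}}\n'
)
# Assumed reply from a fixed build ("passthrough" is a placeholder type name).
FIXED_TRANSCRIPT = CRASH_TRANSCRIPT + '{"return": ["passthrough"]}\n'


def run_against_qemu(cmd=QEMU_CMD):
    """Drive a real qemu; exit_status -11 means it died of SIGSEGV."""
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            stderr=subprocess.DEVNULL, text=True)
    try:
        result = probe_tpm_types(proc.stdout, proc.stdin)
    except BrokenPipeError:     # qemu died before the command could be written
        result = {"version": None, "tpm_types": None, "peer_gone_during": "negotiation"}
    if result["peer_gone_during"] is None:
        proc.kill()             # -S keeps qemu parked; nothing more to observe
        proc.wait()
        result["exit_status"] = None
    else:
        result["exit_status"] = proc.wait()
    return result


if __name__ == "__main__":
    print(json.dumps(run_against_qemu(), indent=1))
```

On an affected build `run_against_qemu()` reports `peer_gone_during: "query-tpm-types"` with a version string already negotiated and a negative exit status, i.e. qemu answered the capabilities handshake and then died on the query; a connection refused or EOF before the greeting would instead point at a launch problem rather than this bug.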