Bug 1054077

Summary: qemu crash when reboot win7 guest with spice display
Product: Red Hat Enterprise Linux 7 Reporter: xhan
Component: qemu-kvmAssignee: Gerd Hoffmann <kraxel>
Status: CLOSED ERRATA QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.0CC: dblechte, hhuang, juzhang, knoel, marcandre.lureau, mazhang, michen, qiguo, rbalakri, sluo, virt-maint, xhan, xwei
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: qemu-kvm-1.5.3-71.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 08:03:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 995931    
Bug Blocks: 923626, 1003819    

Description xhan 2014-01-16 08:12:19 UTC 
Description of problem:

When reboot the win7 guest, qemu-kvm crash. 

bt
#0  0x00007f931ce75979 in raise () from /lib64/libc.so.6
#1  0x00007f931ce77088 in abort () from /lib64/libc.so.6
#2  0x00007f931dc3190c in spice_logv (log_domain=0x7f931dca7f86 "Spice", log_level=SPICE_LOG_LEVEL_ERROR, strloc=0x7f931dcad312 "red_parse_qxl.c:489", function=0x7f931dcad8e2 <__FUNCTION__.19719> "red_get_image", 
    format=0x7f931dcad302 "unknown type %d", args=args@entry=0x7f9283ffe800) at log.c:109
#3  0x00007f931dc31a65 in spice_log (log_domain=log_domain@entry=0x7f931dca7f86 "Spice", log_level=log_level@entry=SPICE_LOG_LEVEL_ERROR, strloc=strloc@entry=0x7f931dcad312 "red_parse_qxl.c:489", 
    function=function@entry=0x7f931dcad8e2 <__FUNCTION__.19719> "red_get_image", format=format@entry=0x7f931dcad302 "unknown type %d") at log.c:123
#4  0x00007f931dbf05d5 in red_get_image (slots=slots@entry=0x7f927c1d5e58, group_id=group_id@entry=1, addr=72057594055084504, flags=flags@entry=0, is_mask=is_mask@entry=0) at red_parse_qxl.c:489
#5  0x00007f931dbf1bd5 in red_get_copy_ptr (flags=0, qxl=0x7f9285665c63, red=0x7f927c2214d0, group_id=1, slots=0x7f927c1d5e58) at red_parse_qxl.c:590
#6  red_get_native_drawable (flags=0, addr=<optimized out>, red=0x7f927c221440, group_id=1, slots=0x7f927c1d5e58) at red_parse_qxl.c:967
#7  red_get_drawable (slots=0x7f927c1d5e58, group_id=1, red=0x7f927c221440, addr=<optimized out>, flags=0) at red_parse_qxl.c:1105
#8  0x00007f931dc0ac12 in red_process_commands (worker=<optimized out>, ring_is_empty=<optimized out>, max_pipe_size=50) at red_worker.c:5190
#9  0x00007f931dc10bda in red_worker_main (arg=<optimized out>) at red_worker.c:12292
#10 0x00007f9320228de3 in start_thread () from /lib64/libpthread.so.0
#11 0x00007f931cf3625d in clone () from /lib64/libc.so.6


Version-Release number of selected component (if applicable):
qemu-kvm-rhev-1.5.3-36.el7.x86_64
kernel-3.10.0-69.el7.x86_64

How reproducible:
once

Steps to Reproduce:
1. boot vm 
  /usr/libexec/qemu-kvm \
    -S  \
    -name 'virt-tests-vm1'  \
    -sandbox off  \
    -M pc-q35-rhel7.0.0  \
    -nodefaults  \
    -vga qxl  \
    -global qxl-vga.vram_size=33554432 \
    -device intel-hda,bus=pcie.0,addr=02 \
    -device hda-duplex  \
    -device nec-usb-xhci,id=usb1,bus=pcie.0,addr=04 \
    -device virtio-scsi-pci,id=virtio_scsi_pci0,bus=pcie.0,addr=05 \
    -drive id=drive_image1,if=none,cache=none,snapshot=off,aio=native,file=images/win7-64-virtio.qcow2 \
    -device scsi-hd,id=image1,drive=drive_image1 \
    -device virtio-net-pci,mac=9a:8e:8f:90:91:92,id=idoZEhC9,netdev=idPThVd4,bus=pcie.0,addr=06  \
    -netdev tap,id=idPThVd4,vhost=on,script=/etc/qemu-ifup  \
    -m 2048  \
    -smp 1,maxcpus=1,cores=1,threads=1,sockets=2  \
    -cpu 'Opteron_G2',+kvm_pv_unhalt,hv_relaxed,hv_spinlocks=0x1fff,hv_vapic \
    -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1  \
    -spice port=3000,password=123456,addr=0,tls-port=3200,x509-dir=/tmp/spice_x509d,tls-channel=main,tls-channel=inputs,image-compression=auto_glz,zlib-glz-wan-compression=auto,streaming-video=all,agent-mouse=on,playback-compression=on,ipv4  \
    -rtc base=localtime,clock=host,driftfix=slew  \
    -boot order=cdn,once=c,menu=off \
    -enable-kvm
2. wait to login vm
3. reboot guest and repeat step 2 and step3.

Actual results:
qemu crash

Expected results:
qemu and guest can work without crash.

Additional info:
cat /proc/cpuinfo 
processor	: 0
vendor_id	: AuthenticAMD
cpu family	: 15
model		: 107
model name	: AMD Athlon(tm) 64 X2 Dual Core Processor 5600+
stepping	: 2
cpu MHz		: 1000.000
cache size	: 512 KB
physical id	: 0
siblings	: 2
core id		: 0
cpu cores	: 2
apicid		: 0
initial apicid	: 0
fpu		: yes
fpu_exception	: yes
cpuid level	: 1
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt rdtscp lm 3dnowext 3dnow rep_good nopl extd_apicid pni cx16 lahf_lm cmp_legacy svm extapic cr8_legacy 3dnowprefetch lbrv
bogomips	: 2004.29
TLB size	: 1024 4K pages
clflush size	: 64
cache_alignment	: 64
address sizes	: 40 bits physical, 48 bits virtual
power management: ts fid vid ttp tm stc 100mhzsteps


The core dump:
bt full
#0  0x00007f931ce75979 in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007f931ce77088 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007f931dc3190c in spice_logv (log_domain=0x7f931dca7f86 "Spice", 
    log_level=SPICE_LOG_LEVEL_ERROR, strloc=0x7f931dcad312 "red_parse_qxl.c:489", 
    function=0x7f931dcad8e2 <__FUNCTION__.19719> "red_get_image", 
    format=0x7f931dcad302 "unknown type %d", args=args@entry=0x7f9283ffe800) at log.c:109
        level = 0x7f931dcb82f8 "ERROR"
#3  0x00007f931dc31a65 in spice_log (log_domain=log_domain@entry=0x7f931dca7f86 "Spice", 
    log_level=log_level@entry=SPICE_LOG_LEVEL_ERROR, 
    strloc=strloc@entry=0x7f931dcad312 "red_parse_qxl.c:489", 
    function=function@entry=0x7f931dcad8e2 <__FUNCTION__.19719> "red_get_image", 
    format=format@entry=0x7f931dcad302 "unknown type %d") at log.c:123
        args = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7f9283ffe8e0, 
            reg_save_area = 0x7f9283ffe820}}
#4  0x00007f931dbf05d5 in red_get_image (slots=slots@entry=0x7f927c1d5e58, 
    group_id=group_id@entry=1, addr=72057594055084504, flags=flags@entry=0, is_mask=is_mask@entry=0)
    at red_parse_qxl.c:489
        chunks = {data_size = 1, prev_chunk = 0x7f9283ffe9a4, next_chunk = 0x7f9285665be8, 
          data = 0x7f931dbefa6b <get_virt+203> "\211\302L\211\360\205\322u\316A\307E"}
        qxl = 0x7f928505c9d8
        red = 0x7f927c221530
        rp = 0x0
        bitmap_size = <optimized out>
---Type <return> to continue, or q <return> to quit---
        size = <optimized out>
        qxl_flags = <optimized out>
        error = 0
        __FUNCTION__ = "red_get_image"
#5  0x00007f931dbf1bd5 in red_get_copy_ptr (flags=0, qxl=0x7f9285665c63, red=0x7f927c2214d0, 
    group_id=1, slots=0x7f927c1d5e58) at red_parse_qxl.c:590
No locals.
#6  red_get_native_drawable (flags=0, addr=<optimized out>, red=0x7f927c221440, group_id=1, 
    slots=0x7f927c1d5e58) at red_parse_qxl.c:967
        qxl = 0x7f9285665be8
        i = <optimized out>
        error = <optimized out>
#7  red_get_drawable (slots=0x7f927c1d5e58, group_id=1, red=0x7f927c221440, addr=<optimized out>, 
    flags=0) at red_parse_qxl.c:1105
        ret = <optimized out>
#8  0x00007f931dc0ac12 in red_process_commands (worker=<optimized out>, 
    ring_is_empty=<optimized out>, max_pipe_size=50) at red_worker.c:5190
        ext_cmd = {cmd = {data = 72057594061413352, type = 1, padding = 0}, group_id = 1, flags = 0}
        n = 15
        start = <optimized out>
#9  0x00007f931dc10bda in red_worker_main (arg=<optimized out>) at red_worker.c:12292
        worker = <optimized out>
        __FUNCTION__ = "red_worker_main"
#10 0x00007f9320228de3 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
---Type <return> to continue, or q <return> to quit---
#11 0x00007f931cf3625d in clone () from /lib64/libc.so.6
No symbol table info available.
Comment 3 Gerd Hoffmann 2014-01-16 13:49:39 UTC 
qxl command parser in spice server errors out on invalid input (unknown image type).  Assigning to spice for invesitgation.  Not sure this actually is a spice server bug, could also be something in the windows qxl guest driver.
Comment 4 Marc-Andre Lureau 2014-03-05 15:51:14 UTC 
I can't reproduce, I have setup a win7-x64 VM with virt-manager on rhel7, and rebooted several time at logon screen with success. The qxl driver I installed is from http://www.spice-space.org/download/windows/spice-guest-tools/spice-guest-tools-0.74.exe

It's very hard to use the same command line arguments as yours, given that Windows is very picky about configuration changes and refuses to boot, and it takes hours to setup a win7 vm.

What driver did you install?

Could you provide a simpler way to reproduce, only using virt-manager? Could you detail how you configured the VM with virt-manager in this case, and what updates/driver install you added later in the guest?
Comment 6 xhan 2014-03-20 08:46:45 UTC 
I tried to reproduce it. Don't hit this problem. 
The basic install process what I had done with autotest is installing guest with virtio-blk and virtio-net for nic, then install the virtio drive with virtio-win-prewhql-74.
Comment 7 Marc-Andre Lureau 2014-03-20 09:59:01 UTC 
(In reply to Gerd Hoffmann from comment #3)
> qxl command parser in spice server errors out on invalid input (unknown
> image type).  Assigning to spice for invesitgation.  Not sure this actually
> is a spice server bug, could also be something in the windows qxl guest
> driver.

Since it can't be reproduced, I think we should make the server not error/abort on invalid data from guest (although this might be pretty hard to solve over all code paths), at least we should solve for this particular error.
Comment 8 RHEL Program Management 2014-03-28 05:47:54 UTC 
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 10 Marc-Andre Lureau 2014-07-03 22:32:07 UTC 
very very likely a dup of bug 995931, adding dep
Comment 12 Marc-Andre Lureau 2014-08-29 13:46:46 UTC 
please try to reproduce with qemu > qemu-kvm-0.12.1.2-2.438.el6

Most likely this is fixed with bug 995931 and should be closed as duplicate.

Thanks
Comment 13 juzhang 2014-09-01 02:09:54 UTC 
(In reply to Marc-Andre Lureau from comment #12)
> please try to reproduce with qemu > qemu-kvm-0.12.1.2-2.438.el6
> 
> Most likely this is fixed with bug 995931 and should be closed as duplicate.
> 
> Thanks

Hi Sluo,

Could you have a try?

Best Regards,
Junyi
Comment 14 Sibiao Luo 2014-09-01 07:41:35 UTC 
(In reply to juzhang from comment #13)
> (In reply to Marc-Andre Lureau from comment #12)
> > please try to reproduce with qemu > qemu-kvm-0.12.1.2-2.438.el6
> > 
> > Most likely this is fixed with bug 995931 and should be closed as duplicate.
> > 
> > Thanks
> 
here this bug is for rhel7, but bug 995931 is just for rhel6, i don't think they are duplicate. I will try it if need, thanks for your checking.
> Hi Sluo,
> 
> Could you have a try?
> 
> Best Regards,
> Junyi
Comment 15 Marc-Andre Lureau 2014-09-01 10:49:17 UTC 
(In reply to Sibiao Luo from comment #14)
> (In reply to juzhang from comment #13)
> > (In reply to Marc-Andre Lureau from comment #12)
> > > please try to reproduce with qemu > qemu-kvm-0.12.1.2-2.438.el6
> > > 
> > > Most likely this is fixed with bug 995931 and should be closed as duplicate.
> > > 
> > > Thanks
> > 
> here this bug is for rhel7, but bug 995931 is just for rhel6, i don't think
> they are duplicate. I will try it if need, thanks for your checking.

oops, I missed that.

The patches:
75c70e37bc4a6bdc394b4d1b163fe730abb82c72 & 50f3e42b9438e033074222671c0502ecfeba82c

Seem to be missing from rhel7 qemu. Reassigning
Comment 16 Sibiao Luo 2014-09-02 08:14:53 UTC 
(In reply to Marc-Andre Lureau from comment #15)
> (In reply to Sibiao Luo from comment #14)
> > (In reply to juzhang from comment #13)
> > > (In reply to Marc-Andre Lureau from comment #12)
> > > > please try to reproduce with qemu > qemu-kvm-0.12.1.2-2.438.el6
> > > > 
> > > > Most likely this is fixed with bug 995931 and should be closed as duplicate.
> > > > 
> > > > Thanks
> > > 
> > here this bug is for rhel7, but bug 995931 is just for rhel6, i don't think
> > they are duplicate. I will try it if need, thanks for your checking.
> 
> oops, I missed that.
> 
> The patches:
> 75c70e37bc4a6bdc394b4d1b163fe730abb82c72 &
> 50f3e42b9438e033074222671c0502ecfeba82c
> 
> Seem to be missing from rhel7 qemu. Reassigning

Thanks a lot.
Comment 17 Gerd Hoffmann 2014-09-02 10:26:49 UTC 
Thanks for the hashes.  Backport posted.
Comment 18 Miroslav Rezanina 2014-09-18 15:31:07 UTC 
Fix included in qemu-kvm-1.5.3-71.el7
Comment 21 Gerd Hoffmann 2014-10-30 08:46:27 UTC 
*** Bug 1003819 has been marked as a duplicate of this bug. ***
Comment 23 errata-xmlrpc 2015-03-05 08:03:44 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0349.html