Bug 731644

Summary: BSOD as a result of switch user followed by a log-in to another user
Product: Red Hat Enterprise Linux 8 Reporter: Yonit Halperin <yhalperi>
Component: spice-qxl-xddmAssignee: Yonit Halperin <yhalperi>
Status: CLOSED ERRATA QA Contact: Desktop QE <desktop-qa-list>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: ---CC: acathrow, alevy, bsanford, cmeadors, cpelland, dblechte, jbiddle, mkrcmari, sgrinber, uril
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: qxl-win-0.1-10 Doc Type: Bug Fix
Doc Text:
Switching users or logging off Windows guests while dynamic content was being displayed sometimes caused memory corruption. This ultimately led to a Stop Error (also known as Blue Screen of Death, or BSOD) in the guest. The driver has been updated to ensure that this does not occur when switching users or logging off.
 Story Points: ---
Clone Of:
: 790446 (view as bug list) Environment:
Last Closed: 2012-12-04 18:16:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 790446    

Description Yonit Halperin 2011-08-18 08:00:24 UTC 
Description of problem:
Winxp guest. Dual monitor.
Played a movie, opened a web page with dynamic content.
Swithced User (through the Log Off menu)
Logged in with another user
==>BSOD
qxldd: ASSERT failed @ FreeMem, 00000000 not in [EF0B2000, F30B2000) (1)
sometimes instead of BSOD we get a server crash.

When switching users on Winxp (and sometimes on log off in Win7 guest),
the driver is disabled and all the its globals are erased. It looks like the BSOD resulted since all the drivers data structures where initialized, but
RESET has not occurred in the spice-server side, and it requested to release
memory that was no longer allocated.
The crash occurred after RESET did occur in the server side. However after that
no surface was created at the server but drawing operations occurred (and the server didn't find the corresponding surfaces).

here is the log for the crash
qxl-1: QXL_IO_RESET
qxl-1: qxl_hard_reset: start
qxl-1: qxl_reset_surfaces:
qxl-1: qxl_reset_memslots:
qxl-1: qxl_soft_reset:
qxl-1: qxl_hard_reset: done
qxl-1: qxl_add_memslot: slot 1: guest phys 0xec000000 - 0xefffe000
qxl-1: qxl_add_memslot: slot 1: host virt 0x7ff9efe00000 - 0x7ff9f3dfe000
qxl/guest-1: qxlmp: HWReset: done
qxl/guest-1: qxlmp: StartIO: OK
qxl-0: ioport_write: unexpected port 0x1 (QXL_IO_NOTIFY_CURSOR) in vga mode
qxl-0: ioport_write: unexpected port 0x0 (QXL_IO_NOTIFY_CMD) in vga mode
validate_surface: panic !worker->surfaces[surface_id].context.canvas


Version-Release number of selected component (if applicable):
I tried it with several self built qxl that are equivalent to qxl-0.10, qxl-0.8 and event earlier versions.

I also tried it with qemu-kvm-0.12.1.2-2.183.el6 and qemu-kvm-0.12.1.2-2.178.el6
and reproduced in both. This means, this bug is not related to the async_io support.
Comment 1 Yonit Halperin 2011-08-18 08:02:33 UTC 
It doesn't occur with 1 monitor.
Comment 2 Alon Levy 2011-08-29 13:44:34 UTC 
Fixed (by Yonit) in commits 7ca68eb00f396a3c2a9763afa9667e2b1e513fe9 in rhev-3.0 branch, 6dca8c709936f743958a322f75dde41b24535db4 master in upstream, brew build qxl-win-0.1-10 (x.x.1010) at:

 https://brewweb.devel.redhat.com/buildinfo?buildID=177280

Tagged with rhev-m-3-spice-candidate, is not going into an ic build.

Alon
Comment 3 Alon Levy 2012-01-03 13:29:32 UTC 
This bug has been fixed in the commit mentioned in comment 2, but the bug status  has not been updated to reflect this nor has the "fixed-in-version" field been filled. Fix is in qxl-win-0.1-10, -11, -12, -13 and -14, My apologies,

Alon
Comment 4 Bill Sanford 2012-01-05 18:17:04 UTC 
Before the BSOD, you say you have:

Description of problem:
Winxp guest. Dual monitor.
Played a movie, opened a web page with dynamic content.
Swithced User (through the Log Off menu)
Logged in with another user

WinXP guest - did it have the tools ISO installed?
Client machine?
Played a movie? From a DVD, file, or website?
Opened up a web page with dynamic content? Where?
Comment 5 Yonit Halperin 2012-02-13 06:49:50 UTC 
(In reply to comment #4)
> Before the BSOD, you say you have:
> 
> Description of problem:
> Winxp guest. Dual monitor.
> Played a movie, opened a web page with dynamic content.
> Swithced User (through the Log Off menu)
> Logged in with another user
> 
> WinXP guest - did it have the tools ISO installed?
The tools are not relevant. Except for the qxl driver.
> Client machine?
> Played a movie? From a DVD, file, or website?
> Opened up a web page with dynamic content? Where?
Playing a movie and/or opening a web page with dynamic content are only means to continuously create qxl commands during the event of user switching. It is not important which movie or web page you open. You can also try reproducing it using other apps that display graphic with high refresh rate, e.g, Tom 2D.

In any case, this bug was only relevant for the "off-screen surfaces driver".
Comment 7 Uri Lublin 2012-08-16 11:32:37 UTC 
Technical Notes copied from 790446
Comment 8 Uri Lublin 2012-08-16 11:32:37 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
When switching users or logging off Windows guests while dynamic content was being displayed would sometimes cause memory corruption. This ultimately led to a Stop Error (also known as Blue Screen of Death, or BSOD) in the guest. The driver has been updated to ensure that this does not occur when switching users or logging off.
Comment 9 Marian Krcmarik 2012-10-10 16:46:12 UTC 
Verified on qxl-win-0.1-10.
Comment 10 Marian Krcmarik 2012-10-18 09:14:36 UTC 
(In reply to comment #9)
> Verified on qxl-win-0.1-10.

I meant qxl-win-0.1-14 and qxl-win-0.1-15-unsigned
Comment 15 errata-xmlrpc 2012-12-04 18:16:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-1503.html