Bug 962688
| Summary: | QMP: dump-guest-memory: abort on bad RAM offset | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Sibiao Luo <sluo> |
| Component: | qemu-kvm | Assignee: | Luiz Capitulino <lcapitulino> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.0 | CC: | acathrow, chayang, hhuang, juzhang, lcapitulino, michen, qzhang, virt-maint, xfu |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | qemu 1.5.0 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-06-13 09:32:10 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
# cat win8.sh
/usr/libexec/qemu-kvm -M pc-i440fx-1.4 -cpu SandyBridge -enable-kvm -m 2G -smp 4,sockets=2,cores=2,threads=1 -no-kvm-pit-reinjection -usb -device usb-tablet,id=input0 -name sluo-test -uuid 858a4de7-21d4-47f7-a588-d4f6eb6ec19b -rtc base=localtime,clock=host,driftfix=slew -device virtio-serial-pci,id=virtio-serial0,max_ports=16,vectors=0,bus=pci.0,addr=0x3 -chardev socket,id=channel1,path=/tmp/helloworld1,server,nowait -device virtserialport,chardev=channel1,name=com.redhat.rhevm.vdsm,bus=virtio-serial0.0,id=port1 -chardev socket,id=channel2,path=/tmp/helloworld2,server,nowait -device virtserialport,chardev=channel2,name=com.redhat.rhevm.vdsm,bus=virtio-serial0.0,id=port2 -drive file=/home/win8-64.qcow3,if=none,id=drive-system-disk,format=qcow2,cache=none,aio=native,werror=stop,rerror=stop -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-system-disk,id=system-disk,bootindex=1 -netdev tap,id=hostnet0,vhost=on,script=/etc/qemu-ifup -device virtio-net-pci,netdev=hostnet0,id=virtio-net-pci0,mac=08:2e:5f:0a:0d:c1,bus=pci.0,addr=0x5,bootindex=2 -device virtio-balloon-pci,id=ballooning,bus=pci.0,addr=0x6 -global PIIX4_PM.disable_s3=0 -global PIIX4_PM.disable_s4=0 -k en-us -vnc :2 -spice port=5911,disable-ticketing -vga qxl -global qxl-vga.vram_size=67108864 -qmp tcp:0:5555,server,nowait -monitor stdio
(gdb) bt
#0 0x00007f10277aaa19 in raise () from /lib64/libc.so.6
#1 0x00007f10277ac128 in abort () from /lib64/libc.so.6
#2 0x00007f102be09925 in qemu_get_ram_ptr (addr=<optimized out>) at /usr/src/debug/qemu-1.4.0/exec.c:1242
#3 0x00007f102be0aa82 in ldq_phys_internal (endian=DEVICE_NATIVE_ENDIAN, addr=31525197393383424)
at /usr/src/debug/qemu-1.4.0/exec.c:2249
#4 ldq_phys (addr=addr@entry=31525197393383424) at /usr/src/debug/qemu-1.4.0/exec.c:2269
#5 0x00007f102be69c60 in walk_pdpe (start_line_addr=18446462598732840960, a20_mask=-1, pdpe_start_addr=<optimized out>,
list=0x7f102e205760) at /usr/src/debug/qemu-1.4.0/target-i386/arch_memory_mapping.c:191
#6 walk_pml4e (a20_mask=<optimized out>, pml4e_start_addr=<optimized out>, list=0x7f102e205760)
at /usr/src/debug/qemu-1.4.0/target-i386/arch_memory_mapping.c:235
#7 cpu_get_memory_mapping (list=list@entry=0x7f102e205760, env=env@entry=0x7f102de704d0)
at /usr/src/debug/qemu-1.4.0/target-i386/arch_memory_mapping.c:253
#8 0x00007f102be5bd5b in qemu_get_guest_memory_mapping (list=list@entry=0x7f102e205760)
at /usr/src/debug/qemu-1.4.0/memory_mapping.c:191
#9 0x00007f102be06197 in dump_init (errp=0x7fff4c8afb98, length=<optimized out>, begin=<optimized out>,
has_filter=<optimized out>, paging=true, fd=39, s=0x7f102e205750) at /usr/src/debug/qemu-1.4.0/dump.c:751
#10 qmp_dump_guest_memory (paging=<optimized out>, file=<optimized out>, has_begin=<optimized out>,
begin=<optimized out>, has_length=<optimized out>, length=<optimized out>, errp=errp@entry=0x7fff4c8afb98)
at /usr/src/debug/qemu-1.4.0/dump.c:854
#11 0x00007f102bdc53a0 in qmp_marshal_input_dump_guest_memory (mon=<optimized out>, qdict=<optimized out>,
ret=<optimized out>) at qmp-marshal.c:2914
#12 0x00007f102be5e337 in qmp_call_cmd (cmd=<optimized out>, params=0x7f1033cf2a60, mon=0x7f102de6cfa0)
at /usr/src/debug/qemu-1.4.0/monitor.c:4462
#13 handle_qmp_command (parser=<optimized out>, tokens=<optimized out>) at /usr/src/debug/qemu-1.4.0/monitor.c:4528
#14 0x00007f102bf19992 in json_message_process_token (lexer=0x7f102dd391a0, token=0x7f1033ceac80, type=JSON_OPERATOR, x=
96, y=2) at qobject/json-streamer.c:87
#15 0x00007f102bf2a5ef in json_lexer_feed_char (lexer=lexer@entry=0x7f102dd391a0, ch=<optimized out>, flush=flush@entry=
false) at qobject/json-lexer.c:303
#16 0x00007f102bf2a706 in json_lexer_feed (lexer=0x7f102dd391a0, buffer=<optimized out>, size=<optimized out>)
at qobject/json-lexer.c:356
#17 0x00007f102bf19b91 in json_message_parser_feed (parser=<optimized out>, buffer=<optimized out>, size=<optimized out>)
at qobject/json-streamer.c:110
#18 0x00007f102be5c956 in monitor_control_read (opaque=<optimized out>, buf=<optimized out>, size=<optimized out>)
at /usr/src/debug/qemu-1.4.0/monitor.c:4549
#19 0x00007f102bdba61e in qemu_chr_be_write (len=<optimized out>, buf=0x7fff4c8afe10 "}", s=0x7f102dcd6470)
at qemu-char.c:180
#20 tcp_chr_read (opaque=0x7f102dcd6470) at qemu-char.c:2440
#21 0x00007f102bd930d7 in qemu_iohandler_poll (readfds=readfds@entry=0x7f102c6fd760 <rfds>, writefds=writefds@entry=
0x7f102c6fd6e0 <wfds>, xfds=xfds@entry=0x7f102c6fd660 <xfds>, ret=ret@entry=1) at iohandler.c:159
#22 0x00007f102bd9862e in main_loop_wait (nonblocking=<optimized out>) at main-loop.c:417
#23 0x00007f102bca8a6d in main_loop () at vl.c:2001
#24 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4326
(gdb)
(gdb) bt full
#0 0x00007f10277aaa19 in raise () from /lib64/libc.so.6
No symbol table info available.
#1 0x00007f10277ac128 in abort () from /lib64/libc.so.6
No symbol table info available.
#2 0x00007f102be09925 in qemu_get_ram_ptr (addr=<optimized out>) at /usr/src/debug/qemu-1.4.0/exec.c:1242
addr = <optimized out>
block = <optimized out>
#3 0x00007f102be0aa82 in ldq_phys_internal (endian=DEVICE_NATIVE_ENDIAN, addr=31525197393383424)
at /usr/src/debug/qemu-1.4.0/exec.c:2249
ptr = <optimized out>
val = <optimized out>
section = 0x7f102e209be0
#4 ldq_phys (addr=addr@entry=31525197393383424) at /usr/src/debug/qemu-1.4.0/exec.c:2269
No locals.
#5 0x00007f102be69c60 in walk_pdpe (start_line_addr=18446462598732840960, a20_mask=-1, pdpe_start_addr=<optimized out>,
list=0x7f102e205760) at /usr/src/debug/qemu-1.4.0/target-i386/arch_memory_mapping.c:191
pdpe_addr = 31525197393383424
pde_start_addr = <optimized out>
i = 0
start_paddr = <optimized out>
pdpe = <optimized out>
line_addr = <optimized out>
start_vaddr = <optimized out>
#6 walk_pml4e (a20_mask=<optimized out>, pml4e_start_addr=<optimized out>, list=0x7f102e205760)
at /usr/src/debug/qemu-1.4.0/target-i386/arch_memory_mapping.c:235
pml4e_addr = 1601536
i = 0
pml4e = <optimized out>
line_addr = 18446462598732840960
#7 cpu_get_memory_mapping (list=list@entry=0x7f102e205760, env=env@entry=0x7f102de704d0)
at /usr/src/debug/qemu-1.4.0/target-i386/arch_memory_mapping.c:253
pml4e_addr = <optimized out>
#8 0x00007f102be5bd5b in qemu_get_guest_memory_mapping (list=list@entry=0x7f102e205760)
at /usr/src/debug/qemu-1.4.0/memory_mapping.c:191
env = 0x7f102de704d0
first_paging_enabled_cpu = <optimized out>
block = <optimized out>
offset = <optimized out>
length = <optimized out>
ret = <optimized out>
#9 0x00007f102be06197 in dump_init (errp=0x7fff4c8afb98, length=<optimized out>, begin=<optimized out>,
has_filter=<optimized out>, paging=true, fd=39, s=0x7f102e205750) at /usr/src/debug/qemu-1.4.0/dump.c:751
env = <optimized out>
nr_cpus = <optimized out>
ret = <optimized out>
#10 qmp_dump_guest_memory (paging=<optimized out>, file=<optimized out>, has_begin=<optimized out>,
begin=<optimized out>, has_length=<optimized out>, length=<optimized out>, errp=errp@entry=0x7fff4c8afb98)
at /usr/src/debug/qemu-1.4.0/dump.c:854
p = 0x7f102e205735 "/home/guest-memory"
fd = 39
s = 0x7f102e205750
#11 0x00007f102bdc53a0 in qmp_marshal_input_dump_guest_memory (mon=<optimized out>, qdict=<optimized out>,
ret=<optimized out>) at qmp-marshal.c:2914
local_err = 0x0
errp = 0x7fff4c8afb98
args = <optimized out>
mi = 0x7f102df81010
md = <optimized out>
v = 0x7f102df81010
paging = true
protocol = 0x7f102e205730 "file:/home/guest-memory"
has_begin = false
begin = 139707470076224
has_length = false
length = 0
#12 0x00007f102be5e337 in qmp_call_cmd (cmd=<optimized out>, params=0x7f1033cf2a60, mon=0x7f102de6cfa0)
at /usr/src/debug/qemu-1.4.0/monitor.c:4462
ret = <optimized out>
data = 0x0
#13 handle_qmp_command (parser=<optimized out>, tokens=<optimized out>) at /usr/src/debug/qemu-1.4.0/monitor.c:4528
err = <optimized out>
obj = <optimized out>
input = <optimized out>
args = 0x7f1033cf2a60
cmd_name = <optimized out>
mon = 0x7f102de6cfa0
#14 0x00007f102bf19992 in json_message_process_token (lexer=0x7f102dd391a0, token=0x7f1033ceac80, type=JSON_OPERATOR, x=
96, y=2) at qobject/json-streamer.c:87
parser = 0x7f102dd39198
dict = 0x7f1031952980
#15 0x00007f102bf2a5ef in json_lexer_feed_char (lexer=lexer@entry=0x7f102dd391a0, ch=<optimized out>, flush=flush@entry=
false) at qobject/json-lexer.c:303
new_state = 100
#16 0x00007f102bf2a706 in json_lexer_feed (lexer=0x7f102dd391a0, buffer=<optimized out>, size=<optimized out>)
at qobject/json-lexer.c:356
err = <optimized out>
i = <optimized out>
#17 0x00007f102bf19b91 in json_message_parser_feed (parser=<optimized out>, buffer=<optimized out>, size=<optimized out>)
at qobject/json-streamer.c:110
No locals.
#18 0x00007f102be5c956 in monitor_control_read (opaque=<optimized out>, buf=<optimized out>, size=<optimized out>)
at /usr/src/debug/qemu-1.4.0/monitor.c:4549
old_mon = 0x0
#19 0x00007f102bdba61e in qemu_chr_be_write (len=<optimized out>, buf=0x7fff4c8afe10 "}", s=0x7f102dcd6470)
at qemu-char.c:180
No locals.
#20 tcp_chr_read (opaque=0x7f102dcd6470) at qemu-char.c:2440
chr = 0x7f102dcd6470
s = 0x7f102dcd6550
buf =
"}\000\000\000\000\000\000\000\200\347\262'\020\177\000\000\060\000\000\000\000\000\000\000\200\071\364-\020\177\000\000\260\071\364-\020\177\000\000\200\347\262'\020\177\000\000\b\000\000\000\000\000\000\000\006\000\000\000\000\000\000\000\260\005 .\020\177\000\000\000P\375-\020\177\000\000`\226o,\020\177\000\000\\P\177'\020\177\000\000#\000\000\000\000\000\000\000\b", '\000' <repeats 15 times>"\275, \256\337+\020\177\000\000\020\177\000\000\000\000\000\000\060;\364-\020\177\000---Type <return> to continue, or q <return> to quit---
\000@9\364-\020\177\000\000\220\373\037.\020\177\000\000\260\005 .\020\177\000\000\000ؽxZ\224\347R\320'\363-\020\177\000\000\000ؽxZ\224\347R\260\005 .\020\177\000\000\200\377\212L\377\177\000\000@9\364-\020\177\000\000\220\373\037.\020\177\000\000\260\005 .\020\177\000\000\201\225\361+\020\177\000\000#\000\000\000\000\000\000\000\000"...
len = <optimized out>
size = <optimized out>
#21 0x00007f102bd930d7 in qemu_iohandler_poll (readfds=readfds@entry=0x7f102c6fd760 <rfds>, writefds=writefds@entry=
0x7f102c6fd6e0 <wfds>, xfds=xfds@entry=0x7f102c6fd660 <xfds>, ret=ret@entry=1) at iohandler.c:159
pioh = 0x7f102df23b40
ioh = 0x7f102dce2ce0
#22 0x00007f102bd9862e in main_loop_wait (nonblocking=<optimized out>) at main-loop.c:417
ret = 1
timeout = 4294967295
#23 0x00007f102bca8a6d in main_loop () at vl.c:2001
nonblocking = <optimized out>
last_io = 1
#24 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4326
i = <optimized out>
snapshot = 0
linux_boot = <optimized out>
icount_option = 0x0
initrd_filename = <optimized out>
kernel_filename = <optimized out>
kernel_cmdline = <optimized out>
boot_devices = '\000' <repeats 32 times>
ds = <optimized out>
cyls = 0
heads = 0
secs = 0
translation = 0
hda_opts = <optimized out>
opts = <optimized out>
machine_opts = <optimized out>
olist = <optimized out>
optind = 58
optarg = 0x7fff4c8b3871 "stdio"
loadvm = 0x0
machine = 0x7f102c2eb8a0 <pc_i440fx_machine_v1_4>
cpu_model = 0x7fff4c8b3373 "SandyBridge"
vga_model = 0x7fff4c8b3823 "qxl"
pid_file = 0x0
incoming = 0x0
show_vnc_port = <optimized out>
defconfig = <optimized out>
userconfig = 192
log_mask = 0x0
log_file = 0x0
mem_trace = {malloc = 0x7f102bdfaea0 <malloc_and_trace>, realloc = 0x7f102bdfae60 <realloc_and_trace>, free =
0x7f102bdfae20 <free_and_trace>, calloc = 0x0, try_malloc = 0x0, try_realloc = 0x0}
trace_events = 0x0
trace_file = 0x0
args = {ram_size = 2147483648, boot_device = 0x7f102bf42a29 "cad", kernel_filename = 0x0, kernel_cmdline =
0x7f102bf758b0 ""
, initrd_filename = 0x0, cpu_model = 0x7fff4c8b3373 "SandyBridge"}
(gdb)
Can you please try with RHEL6.4? I think you'll hit the same issue there. Will work on this soon. I've tried to reproduce this with a Windows 2008 VM I had around but didn't succeeded. Could you please, try the following: 1. Try with RHEL6.4, as suggested in comment 2 2. Try with one or two different Windows versions I should have access to a Windows 8 VM soon, but case that not happens I may try with other versions. I've manged to reproduce this on win8. Two important points about this bug: 1. I haven't managed to reproduce with other versions of windows, but win8 2. I can't reproduce with RHEL6 qemu-kvm, which probably means the bug was introduced upstream after we backported the code to RHEL6 Will keep debugging this. Sorry for late reply. Luiz Capitulino, you could give me a needinfo when you need some info in the future.
I tried the rhel6.5 host(kernel-2.6.32-376.el6.x86_64&qemu-kvm-0.12.1.2-2.370.el6.x86_64) withe win7 64bit and win8 64bit, both of them did not hit this issue.
Also tried the win7 64bit guest in rhel7 host, it also can hit this issue, it will core dump with paging=true, the qemu will prompt 'Bad ram offset 700000001b5000'.
{"execute":"qmp_capabilities"}
{"return": {}}
{"execute":"dump-guest-memory","arguments":{"paging":false,"protocol":"file:/home/guest-memory"}}
{"timestamp": {"seconds": 1369628604, "microseconds": 582097}, "event": "STOP"}
{"timestamp": {"seconds": 1369628614, "microseconds": 292251}, "event": "RESUME"}
{"return": {}}
{"execute":"dump-guest-memory","arguments":{"paging":true,"protocol":"file:/home/guest-memory"}}
{"timestamp": {"seconds": 1369628616, "microseconds": 812052}, "event": "STOP"}
Connection closed by foreign host.
(qemu) Bad ram offset 7000002d302000
Aborted (core dumped)
Best Regards,
sluo
Posted fix upstream: https://lists.gnu.org/archive/html/qemu-devel/2013-05/msg04110.html Hi Luiz Capitulino, I have tested your new build that did not met the qemu core dump any more. that's to say your new build can fixed this issue successfully. thx host info: kernel-3.10.0-0.rc2.57.el7.x86_64 qemu-kvm-1.5.0-2.el7.test.x86_64 (comment #7) guest info: win8 64bit Results: the qemu core dump has gone, it can do dump-guest-memory successuflly with paging=true. {"execute":"qmp_capabilities"} {"return": {}} {"execute":"dump-guest-memory","arguments":{"paging":false,"protocol":"file:/home/guest-memory"}} {"timestamp": {"seconds": 1369791562, "microseconds": 549824}, "event": "STOP"} {"timestamp": {"seconds": 1369791571, "microseconds": 829008}, "event": "RESUME"} {"return": {}} {"timestamp": {"seconds": 1369791583, "microseconds": 619950}, "event": "RESET"} {"timestamp": {"seconds": 1369791583, "microseconds": 652944}, "event": "RESET"} {"execute":"dump-guest-memory","arguments":{"paging":true,"protocol":"file:/home/guest-memory"}} {"timestamp": {"seconds": 1369791592, "microseconds": 7353}, "event": "STOP"} {"timestamp": {"seconds": 1369791601, "microseconds": 43946}, "event": "RESUME"} {"return": {}} (qemu) info status VM status: running Best Regards, sluo I'll post the patch downstream as soon as it's (at least) reviewed upstream. I haven't tried to understand why it doesn't happen on RHEL6 though. The most likely reason is that cpuid in RHEL6 doesn't report Execute-Disable (XD) as supported, if this is the case then RHEL6 isn't affected for sure. Commit fixing this issue:
commit fbc2ed9518efcdcdcbf0adb9539c17a65addd20a
Author: Luiz Capitulino <lcapitulino>
Date: Tue May 28 14:19:22 2013 -0400
target-i386: fix abort on bad PML4E/PDPTE/PDE/PTE addresses
Verify this issue with qemu-kvm-1.5.3-30.el7.x86_64 that did not met the qemu core dump any more.
host info:
3.10.0-64.el7.x86_64
qemu-kvm-1.5.3-30.el7.x86_64
guest info:
win7 64bit
Results:
the qemu core dump has gone, it can do dump-guest-memory successuflly with paging=true.
{"execute":"qmp_capabilities"}
{"return": {}}
{"execute":"dump-guest-memory","arguments":{"paging":false,"protocol":"file:/home/guest-memory"}}
{"timestamp": {"seconds": 1388726018, "microseconds": 377631}, "event": "STOP"}
{"timestamp": {"seconds": 1388726027, "microseconds": 324879}, "event": "RESUME"}
{"return": {}}
{"execute":"dump-guest-memory","arguments":{"paging":true,"protocol":"file:/home/guest-memory"}}
{"timestamp": {"seconds": 1388726039, "microseconds": 408122}, "event": "STOP"}
{"timestamp": {"seconds": 1388726058, "microseconds": 695885}, "event": "RESUME"}
{"return": {}}
(qemu) info status
VM status: running
Base on above, move this issue to VERIFIED status, please correct me if any mistake.
Best Regards,
sluo
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request. |
Description of problem: when i dump guest memory to file var QMP with paging=true, the qemu will prompt 'Bad ram offset 700000001b5000' and core dump at last. if i use paging=false, it has no such issue. btw, this issue only hit with windows guest, rhel guest did not met it. Version-Release number of selected component (if applicable): host info: kernel-3.9.0-0.55.el7.x86_64 qemu-kvm-1.4.0-4.el7.x86_64 seabios-bin-1.7.2-0.2.gita810e4e7.el7.noarch guest info: win8 64bit virtio-win-prewhql-0.1-59 How reproducible: 3/3 Steps to Reproduce: 1.boot a guest with QMP enabled. eg: # <qemu-kvm-command-line>...-qmp tcp:0:5555,server,nowait 2.from any box with telnet client. $ telnet $HostIP 5555 3.query the dump-guest-memory command. ->{"execute":"qmp_capabilities"} ->{"execute":"query-commands"} 4.dump guest memory to file with QMP monitor, -> {"execute":"dump-guest-memory","arguments":{"paging":true | false,"protocol":"file:/path/to/guest-memory"}} Actual results: after step 4, qemu will prompt 'Bad ram offset 700000001b5000' and core dump. {"execute":"qmp_capabilities"} {"return": {}} {"execute":"dump-guest-memory","arguments":{"paging":false,"protocol":"file:/home/guest-memory"}} {"timestamp": {"seconds": 1368521666, "microseconds": 393669}, "event": "STOP"} {"timestamp": {"seconds": 1368521683, "microseconds": 631729}, "event": "RESUME"} {"return": {}} {"execute":"dump-guest-memory","arguments":{"paging":true,"protocol":"file:/home/guest-memory"}} {"timestamp": {"seconds": 1368521695, "microseconds": 133136}, "event": "STOP"} Connection closed by foreign host. # sh win8.sh Warning: option deprecated, use lost_tick_policy property of kvm-pit instead. QEMU 1.4.0 monitor - type 'help' for more information (qemu) Bad ram offset 700000001b5000 win8.sh: line 1: 14793 Aborted (core dumped) Expected results: it can dump guest memory to file successfully without any core dump. Additional info: