1026314 – BUG: qemu-kvm hang when use '-sandbox on'+'vnc'+'hda'

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1026314 - BUG: qemu-kvm hang when use '-sandbox on'+'vnc'+'hda'

Summary: BUG: qemu-kvm hang when use '-sandbox on'+'vnc'+'hda'

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	qemu-kvm
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Paul Moore
QA Contact:	Virtualization Bugs
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-11-04 12:04 UTC by CongLi
Modified:	2015-03-05 08:01 UTC (History)
CC List:	18 users (show)
Fixed In Version:	qemu-kvm-1.5.3-77.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-03-05 08:01:54 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
strace-sandbox.txt (86.46 KB, text/plain) 2013-11-04 12:04 UTC, CongLi	no flags	Details
strace-non-sandbox.txt (208.26 KB, text/plain) 2013-11-04 12:06 UTC, CongLi	no flags	Details
QEMU seccomp patch (1.16 KB, patch) 2013-11-20 16:36 UTC, Paul Moore	no flags	Details \| Diff
strace log (82.48 KB, text/x-log) 2013-12-26 03:00 UTC, Xu Han	no flags	Details
env.txt (8.02 KB, text/plain) 2014-01-03 09:15 UTC, CongLi	no flags	Details
strace-sandbox-off (175.33 KB, text/plain) 2014-02-21 07:23 UTC, langfang	no flags	Details
strace-sandbox-on (97.98 KB, text/plain) 2014-02-21 07:24 UTC, langfang	no flags	Details
01-bz1026314-3.patch (984 bytes, patch) 2014-02-21 14:48 UTC, Paul Moore	no flags	Details \| Diff
strace_sandbox_on (98.41 KB, text/plain) 2014-02-25 03:04 UTC, langfang	no flags	Details
strace_sandbox_off (365.42 KB, text/plain) 2014-02-25 03:05 UTC, langfang	no flags	Details
sandbox_on (461.17 KB, text/plain) 2014-02-26 08:26 UTC, langfang	no flags	Details
sandbox off (266.52 KB, text/plain) 2014-02-26 08:27 UTC, langfang	no flags	Details
01-seccomp-sem_updates.patch (864 bytes, patch) 2014-08-13 16:43 UTC, Paul Moore	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:0349	0	normal	SHIPPED_LIVE	Important: qemu-kvm security, bug fix, and enhancement update	2015-03-05 12:27:34 UTC

Description CongLi 2013-11-04 12:04:50 UTC

Created attachment 819116 [details]
strace-sandbox.txt

Description of problem:
qemu-kvm hang when use '-sandbox on'+'vnc'+'hda'

Version-Release number of selected component (if applicable):
kernel-3.10.0-40.el7.x86_64
qemu-kvm-rhev-1.5.3-11.el7.x86_64

How reproducible:
Always (except first boot guest after reboot host)

Steps to Reproduce:
1. /usr/libexec/qemu-kvm -monitor stdio  -sandbox on -device intel-hda -device hda-duplex -vnc :0

2.
3.

Actual results:
qemu-kvm hang

Expected results:
qemu-kvm works well 

Additional info:
1. # ps aux | grep qemu
root      2320  0.0  0.0 113140  1292 pts/1    S+   18:58   0:00 sh qemu.sh
root      2321  0.8  0.0      0     0 pts/1    Zl+  18:58   0:00 [qemu] <defunct>

2. This bug can't be reproduced with the following situations:
   (1) without soundcard
   (2) use spice instead of vnc

Comment 1 CongLi 2013-11-04 12:06:03 UTC

Created attachment 819123 [details]
strace-non-sandbox.txt

Comment 3 Paul Moore 2013-11-19 15:13:16 UTC

Looking at the strace output, an educated guess is that the kill(...) syscall is missing from the seccomp syscall filter.  Assuming a normal RHEL7 install/configuration you should be able to verify this by checking the audit log, please run the following command:

 # ausearch -m SECCOMP

If you see any results and you have libseccomp-devel installed you can resolve the syscall number (the value indicated by "syscall=XXX" in the ausearch output) using the command below:

 # scmp_sys_resolver XXX

Comment 4 CongLi 2013-11-20 01:57:29 UTC

(In reply to Paul Moore from comment #3)

Tested on version:
kernel-3.10.0-48.el7.x86_64
qemu-kvm-1.5.3-19.el7.x86_64
libseccomp-2.1.1-0.el7.x86_64
libseccomp-devel-2.1.1-0.el7.x86_64

1. # ausearch -m SECCOMP
----
time->Wed Nov 20 09:52:08 2013
type=SECCOMP msg=audit(1384912328.482:6656): auid=0 uid=0 gid=0 ses=854 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=12087 comm="qemu-kvm" sig=31 syscall=62 compat=0 ip=0x7f7a1d2abc67 code=0x0

2. # scmp_sys_resolver 62
kill

Comment 5 Paul Moore 2013-11-20 16:19:26 UTC

Thank you for the verification, I'm building a patched qemu-kvm package right now for you to test.

Comment 7 Paul Moore 2013-11-20 16:36:35 UTC

Created attachment 826740 [details]
QEMU seccomp patch

Potential fix

Comment 9 Paul Moore 2013-11-21 16:23:51 UTC

The patch has been posted upstream:

 * http://marc.info/?l=qemu-devel&m=138504847432633&w=2

Comment 10 Paul Moore 2013-12-03 15:29:14 UTC

The patch has been merged into the QEMU/seccomp tree and a pull request has been sent:

 * http://marc.info/?l=qemu-devel&m=138607511631440&w=2

Comment 14 Xu Han 2013-12-26 02:48:49 UTC

Reproduce this bug with component:
qemu-kvm-1.5.3-21.el7.x86_64
libseccomp-2.1.1-0.el7.x86_64
kernel-3.10.0-64.el7.x86_64

Steps:
1. boot guest with '-sandbox on'+'vnc'+'hda'.
# /usr/libexec/qemu-kvm -monitor stdio  -sandbox on -device intel-hda -device hda-duplex -vnc :0

Results:
qemu-kvm hang.
# ps aux | grep qemu
root     12574  0.2  0.0      0     0 pts/3    Zl+  18:03   0:00 [qemu-kvm] <defunct>
root     12580  0.0  0.0 112632   972 pts/4    S+   18:03   0:00 grep --color=auto qemu

-------------------------------
Verify this bug with component:
qemu-kvm-1.5.3-30.el7.x86_64
libseccomp-2.1.1-0.el7.x86_64
kernel-3.10.0-64.el7.x86_64

Same steps as above.

Results:
qemu-kvm hang as well.
# ps aux | grep qemu
root     12736  0.4  0.0      0     0 pts/3    Zl+  18:08   0:00 [qemu-kvm] <defunct>
root     12742  0.0  0.0 112632   972 pts/4    S+   18:08   0:00 grep --color=auto qemu

--------------------------------------------
Check this issue following comment 3, found:
# ausearch -m SECCOMP
----
time->Wed Dec 25 18:03:38 2013
type=SECCOMP msg=audit(1387965818.737:694): auid=0 uid=0 gid=0 ses=7 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=12574 comm="qemu-kvm" sig=31 syscall=62 compat=0 ip=0x7f6d2160ac67 code=0x0
----
time->Wed Dec 25 18:08:05 2013
type=SECCOMP msg=audit(1387966085.758:703): auid=0 uid=0 gid=0 ses=7 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=12736 comm="qemu-kvm" sig=31 syscall=83 compat=0 ip=0x7f4282694847 code=0x0

# scmp_sys_resolver 62
kill
# scmp_sys_resolver 83
mkdir

As these test results above, I'd set the status as ASSIGNED.

Comment 15 Xu Han 2013-12-26 03:00:36 UTC

Created attachment 841711 [details]
strace log

Attach the strace log.

Comment 16 Paul Moore 2014-01-02 15:32:38 UTC

(In reply to xuhan from comment #14)
> --------------------------------------------
> Check this issue following comment 3, found:
> # ausearch -m SECCOMP
> ----
> time->Wed Dec 25 18:03:38 2013
> type=SECCOMP msg=audit(1387965818.737:694): auid=0 uid=0 gid=0 ses=7
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=12574
> comm="qemu-kvm" sig=31 syscall=62 compat=0 ip=0x7f6d2160ac67 code=0x0
> ----
> time->Wed Dec 25 18:08:05 2013
> type=SECCOMP msg=audit(1387966085.758:703): auid=0 uid=0 gid=0 ses=7
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=12736
> comm="qemu-kvm" sig=31 syscall=83 compat=0 ip=0x7f4282694847 code=0x0
> 
> # scmp_sys_resolver 62
> kill
> # scmp_sys_resolver 83
> mkdir

In the first SECCOMP audit record, the qemu-kvm process ID is 12574 which is the unpatched version; the failure on the kill() syscall is expected.  However, in the second SECCOMP audit record, the process ID is 12736 which is the patched version of the qemu-kvm package; the mkdir() failure is unexpected.

Is there something different from your test environment than what was used by CongLi when the temporary Brew build was tested?

Comment 17 Xu Han 2014-01-03 05:06:50 UTC

(In reply to Paul Moore from comment #16)
> Is there something different from your test environment than what was used
> by CongLi when the temporary Brew build was tested?

Checking this issue with CongLi, will update soon.

Comment 18 Xu Han 2014-01-03 08:16:48 UTC

Boot guest with following cmdline will see such errors below.

# /usr/libexec/qemu-kvm -device intel-hda -device hda-duplex -vnc :0
pulseaudio: pa_context_connect() failed
pulseaudio: Reason: Connection refused
pulseaudio: Failed to initialize PA contextaudio: Could not init `pa' audio driver
ALSA lib confmisc.c:768:(parse_card) cannot find card '0'
ALSA lib conf.c:4248:(_snd_config_evaluate) function snd_func_card_driver returned error: No such file or directory
ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
ALSA lib conf.c:4248:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
ALSA lib confmisc.c:1251:(snd_func_refer) error evaluating name
ALSA lib conf.c:4248:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
ALSA lib conf.c:4727:(snd_config_expand) Evaluate error: No such file or directory
ALSA lib pcm.c:2239:(snd_pcm_open_noupdate) Unknown PCM default
alsa: Could not initialize DAC
alsa: Failed to open `default':
alsa: Reason: No such file or directory
ALSA lib confmisc.c:768:(parse_card) cannot find card '0'
ALSA lib conf.c:4248:(_snd_config_evaluate) function snd_func_card_driver returned error: No such file or directory
ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
ALSA lib conf.c:4248:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
ALSA lib confmisc.c:1251:(snd_func_refer) error evaluating name
ALSA lib conf.c:4248:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
ALSA lib conf.c:4727:(snd_config_expand) Evaluate error: No such file or directory
ALSA lib pcm.c:2239:(snd_pcm_open_noupdate) Unknown PCM default
alsa: Could not initialize DAC
alsa: Failed to open `default':
alsa: Reason: No such file or directory
audio: Failed to create voice `dac'
ALSA lib confmisc.c:768:(parse_card) cannot find card '0'
ALSA lib conf.c:4248:(_snd_config_evaluate) function snd_func_card_driver returned error: No such file or directory
ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
ALSA lib conf.c:4248:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
ALSA lib confmisc.c:1251:(snd_func_refer) error evaluating name
ALSA lib conf.c:4248:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
ALSA lib conf.c:4727:(snd_config_expand) Evaluate error: No such file or directory
ALSA lib pcm.c:2239:(snd_pcm_open_noupdate) Unknown PCM default
alsa: Could not initialize ADC
alsa: Failed to open `default':
alsa: Reason: No such file or directory
ALSA lib confmisc.c:768:(parse_card) cannot find card '0'
ALSA lib conf.c:4248:(_snd_config_evaluate) function snd_func_card_driver returned error: No such file or directory
ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
ALSA lib conf.c:4248:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
ALSA lib confmisc.c:1251:(snd_func_refer) error evaluating name
ALSA lib conf.c:4248:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
ALSA lib conf.c:4727:(snd_config_expand) Evaluate error: No such file or directory
ALSA lib pcm.c:2239:(snd_pcm_open_noupdate) Unknown PCM default
alsa: Could not initialize ADC
alsa: Failed to open `default':
alsa: Reason: No such file or directory
audio: Failed to create voice `adc'

If add '-sandbox on' in cmdline, then would hit the issue in comment 14. if use spice instead vnc, it's failed to these errors above, and using '-sandbox on' would not lead qemu-kvm hang.

But it's weird that I could reproduced this bug via kvm_session or ssh remoting boot the guest with my laptop, but CongLi couldn't by using hers. So, CongLi would like to provide her env, thanks.

Comment 20 CongLi 2014-01-03 09:07:30 UTC

(In reply to Paul Moore from comment #16)
> Is there something different from your test environment than what was used
> by CongLi when the temporary Brew build was tested?

Hi Paul,

Tested this bug on the following version:
kernel-3.10.0-65.el7.x86_64
qemu-kvm-1.5.3-31.el7.x86_64

1. via ssh to access the machine (pass)
# /usr/libexec/qemu-kvm -monitor stdio  -sandbox on -device intel-hda -device hda-duplex -vnc :0
QEMU 1.5.3 monitor - type 'help' for more information
(qemu) pulseaudio: pa_context_connect() failed
pulseaudio: Reason: Connection refused
pulseaudio: Failed to initialize PA contextaudio: Could not init `pa' audio driver

# ps aux | grep qemu
root      9599  5.2  0.0 528368 24252 pts/1    Sl+  16:32   0:03 /usr/libexec/qemu-kvm -monitor stdio -sandbox on -device intel-hda -device hda-duplex -vnc :0
root      9605  0.0  0.0 112640   964 pts/2    S+   16:33   0:00 grep --color=auto qemu

2. via kvm [remote control] to access the machine(fail)
qemu-kvm hang as #comment 1
# /usr/libexec/qemu-kvm -monitor stdio  -sandbox on -device intel-hda -device hda-duplex -vnc :0
(qemu)

# ausearch -m SECCOMP 
----
time->Fri Jan  3 13:58:04 2014
type=SECCOMP msg=audit(1388728684.008:46404): auid=0 uid=0 gid=0 ses=6297 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=18212 comm="qemu-kvm" sig=31 syscall=62 compat=0 ip=0x7f55a39fbc67 code=0x0
----
time->Fri Jan  3 14:40:23 2014
type=SECCOMP msg=audit(1388731223.837:46521): auid=0 uid=0 gid=0 ses=6302 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=18641 comm="qemu-kvm" sig=31 syscall=83 compat=0 ip=0x7fc84b0a9747 code=0x0
----

# scmp_sys_resolver 62
kill
# scmp_sys_resolver 83
mkdir

3. I have also tested on other machine. (both local & ssh are failed)
# /usr/libexec/qemu-kvm -monitor stdio  -sandbox on -device intel-hda -device hda-duplex -vnc :0
QEMU 1.5.3 monitor - type 'help' for more information
(qemu) pulseaudio: pa_context_connect() failed
pulseaudio: Reason: Connection refused
pulseaudio: Failed to initialize PA contextaudio: Could not init `pa' audio driver

# ps aux | grep qemu
root      1833  0.1  0.0      0     0 pts/0    Zl+  16:37   0:00 [qemu-kvm] <defunct>
root      1878  0.0  0.0 112644   932 pts/1    S+   16:38   0:00 grep --color=auto qemu

# ausearch -m SECCOMP
----
time->Fri Jan  3 13:22:59 2014
type=SECCOMP msg=audit(1388726579.897:134): auid=0 uid=0 gid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=8869 comm="qemu-kvm" sig=31 syscall=83 compat=0 ip=0x7fdb41dd2747 code=0x0
----
time->Fri Jan  3 16:37:55 2014
type=SECCOMP msg=audit(1388738275.186:368): auid=0 uid=0 gid=0 ses=21 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1833 comm="qemu-kvm" sig=31 syscall=29 compat=0 ip=0x7f04f3a0da87 code=0x0

# scmp_sys_resolver 83
mkdir
# scmp_sys_resolver 29
shmget


From the above, I think it may be env related, and I will attach my env.txt.

And if you need any info to collect, please tell me.

Thanks,
Cong

Comment 22 CongLi 2014-01-03 09:15:03 UTC

Created attachment 844876 [details]
env.txt

Comment 23 Paul Moore 2014-01-03 16:39:25 UTC

On my test system, the issue appears to be directly related to the "-device intel-hda -device hda-duplex" options and PulseAudio.  Looking at the strace output it appears that PulseAudio (libpulse.so.0 I suspect) is trying to create a directory under "/run" (example from as run as root, UID=0):

 mkdir("/run/user/0/pulse", 0700)        = -1 EEXIST (File exists)

Unfortunately, it appears as though we need to add mkdir(2) to the syscall whitelist to appease PulseAudio.

Comment 24 Paul Moore 2014-01-03 19:27:43 UTC

It appears that fchmod(2) is also needed.

Comment 26 juzhang 2014-01-06 02:17:09 UTC

Hi Xu,

Could you have a try comment25 and update the result in the bz?

Best Regards,
Junyi

Comment 28 Paul Moore 2014-01-06 16:26:03 UTC

That's odd, I don't see shmget(2) in my strace output, do you have a sound card in your test system?  I don't, that might be the difference.

I'll add shmget(2) to the whitelist and do another build for you to test.  Thanks for your patience.

Comment 29 Paul Moore 2014-01-06 16:39:04 UTC

I'm also going to include shmat(2) and shmdt(2) in this new test build as it is likely they would also be needed.  Could you generate a new strace log file for me (hopefully it will include the shmem syscalls, the current ones do not)?  You should create the new strace log without the sandbox enabled, for example:

 # qemu-kvm  -monitor stdio -device intel-hda -device hda-duplex -vnc :0

Comment 34 Paul Moore 2014-01-08 20:48:33 UTC

I'm looking at both attachment #846379 [details] and #846380 and neither of the strace logs has shmget() in the strace ... did you do something different during the most recent tests?

Before I can submit the patches upstream, I'd like to understand what is triggering the shared memory calls, and based on the recent logs you posted it appears that QEMU is not using shmget().

Comment 47 Paul Moore 2014-01-15 19:43:08 UTC

Upstream postings:

 * http://marc.info/?l=qemu-devel&m=138981476927714&w=2
 * http://marc.info/?l=qemu-devel&m=138981475427710&w=2
 * http://marc.info/?l=qemu-devel&m=138981476027713&w=2

Comment 48 Paul Moore 2014-01-20 15:21:39 UTC

Patches have been merged into the upstream QEMU/seccomp maintainer's tree:

 * http://marc.info/?l=qemu-devel&m=139023104626531&w=2

Comment 49 Paul Moore 2014-01-27 21:26:12 UTC

The patches have been merged into the main QEMU tree:

commit 918b94e2873cd5fe8aef06d269b4a4c7d0832ce7
Author: Paul Moore <pmoore>
Date:   Wed Jan 15 14:38:58 2014 -0500

    seccomp: add some basic shared memory syscalls to the whitelist
    
    PulseAudio requires the use of shared memory so add shmget(), shmat(),
    and shmdt() to the syscall whitelist.
    
    Reported-by: xuhan
    Signed-off-by: Paul Moore <pmoore>

commit 0c2acb163fbb4579dad2d45595570b0a9ff71149
Author: Paul Moore <pmoore>
Date:   Wed Jan 15 14:38:51 2014 -0500

    seccomp: add mkdir() and fchmod() to the whitelist
    
    The PulseAudio library attempts to do a mkdir(2) and fchmod(2) on
    "/run/user/<UID>/pulse" which is currently blocked by the syscall
    filter; this patch adds the two missing syscalls to the whitelist.
    You can reproduce this problem with the following command:
    
     # qemu -monitor stdio -device intel-hda -device hda-duplex
    
    If watched under strace the following syscalls are shown:
    
     mkdir("/run/user/0/pulse", 0700)
     fchmod(11, 0700) [NOTE: 11 is the fd for /run/user/0/pulse]
    
    Reported-by: xuhan
    Signed-off-by: Paul Moore <pmoore>

Comment 52 Miroslav Rezanina 2014-02-12 11:59:18 UTC

Fix included in qemu-kvm-1.5.3-47.el7

Comment 53 langfang 2014-02-18 06:30:28 UTC

Reproduce this bug as follow version:
Host:
# uname -r
3.10.0-86.el7.x86_64
# rpm -q qemu-kvm
qemu-kvm-1.5.3-46.el7.x86_64

Stesp:
1.Boot guest
/usr/libexec/qemu-kvm -monitor stdio  -sandbox on -device intel-hda -device hda-duplex -vnc :0

2.Check qemu

Results:
qemu hang

# ps -ef |grep qemu
root      1895  1699  0 13:28 pts/0    00:00:00 [qemu-kvm] <defunct>
root      1943  1904  0 13:31 pts/1    00:00:00 grep --color=auto qemu
# ausearch -m SECCOMP
----
time->Tue Feb 18 13:28:12 2014
type=SECCOMP msg=audit(1392701292.621:206): auid=0 uid=0 gid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1895 comm="qemu-kvm" sig=31 syscall=83 compat=0 ip=0x7f9d3176d977 code=0x0

Latest version:
Host:
# uname -r
3.10.0-86.el7.x86_64
# rpm -q qemu-kvm
qemu-kvm-1.5.3-48.el7.x86_64

Steps:
1.# /usr/libexec/qemu-kvm -monitor stdio  -sandbox on -device intel-hda -device hda-duplex -vnc :0
QEMU 1.5.3 monitor - type 'help' for more information
(qemu) pulseaudio: pa_context_connect() failed
pulseaudio: Reason: Connection refused
pulseaudio: Failed to initialize PA contextaudio: Could not init `pa' audio driver

Results: qemu hang
# ps -ef |grep qemu
root      2086  2054  0 13:44 pts/0    00:00:00 [qemu-kvm] <defunct>
root      2092  1904  0 13:44 pts/1    00:00:00 grep --color=auto qemu

#  ausearch -m SECCOMP
----
time->Tue Feb 18 13:28:12 2014
type=SECCOMP msg=audit(1392701292.621:206): auid=0 uid=0 gid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=1895 comm="qemu-kvm" sig=31 syscall=83 compat=0 ip=0x7f9d3176d977 code=0x0
----
time->Tue Feb 18 13:41:56 2014
type=SECCOMP msg=audit(1392702116.733:238): auid=0 uid=0 gid=0 ses=18 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2027 comm="qemu-kvm" sig=31 syscall=149 compat=0 ip=0x7ff2e04bbe67 code=0x0
----
time->Tue Feb 18 13:44:02 2014
type=SECCOMP msg=audit(1392702242.974:263): auid=0 uid=0 gid=0 ses=21 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=2086 comm="qemu-kvm" sig=31 syscall=149 compat=0 ip=0x7ff67077ae67 code=0x0

# scmp_sys_resolver 149
mlock

According to above test ,this bug not fixed. 

Hi Paul
   please help see .

thanks 
fang lang

Comment 54 Paul Moore 2014-02-18 19:24:40 UTC

I just checked it on my system and everything worked as expected.  Is this the same test system that was used previously?

# rpm -q qemu-kvm libseccomp
qemu-kvm-1.5.3-48.el7.x86_64
libseccomp-2.1.1-1.el7.x86_64

Comment 57 langfang 2014-02-21 04:33:40 UTC

Test this bug on latest version 
Host:
# uname -r
3.10.0-86.el7.x86_64
# rpm -q qemu-kvm
qemu-kvm-1.5.3-48.el7.x86_64
# rpm -q seabios
seabios-1.7.2.2-11.el7.x86_64

Senario 1)with "-sandbox on"

Steps:
1.# /usr/libexec/qemu-kvm -monitor stdio  -sandbox on -device intel-hda -device hda-duplex -vnc :0
QEMU 1.5.3 monitor - type 'help' for more information
(qemu) pulseaudio: pa_context_connect() failed
pulseaudio: Reason: Connection refused
pulseaudio: Failed to initialize PA contextaudio: Could not init `pa' audio driver

Results: qemu hang
# ps -ef |grep qemu
root      2086  2054  0 13:44 pts/0    00:00:00 [qemu-kvm] <defunct>
root      2092  1904  0 13:44 pts/1    00:00:00 grep --color=auto qemu

#  ausearch -m SECCOMP
----
time->Fri Feb 21 12:27:17 2014
type=SECCOMP msg=audit(1392956837.869:4462): auid=0 uid=0 gid=0 ses=536 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=13693 comm="qemu-kvm" sig=31 syscall=149 compat=0 ip=0x7f0679274e67 code=0x0


# scmp_sys_resolver 149
mlock


Senario 2)with "-sandbox off"

Steps as same as senario 1),except boot guest with "-sandbox off"

Results:
# /usr/libexec/qemu-kvm -monitor stdio  -sandbox off -device intel-hda -device hda-duplex -vnc :0
QEMU 1.5.3 monitor - type 'help' for more information
(qemu) pulseaudio: pa_context_connect() failed
pulseaudio: Reason: Connection refused
pulseaudio: Failed to initialize PA contextaudio: Could not init `pa' audio driver

(qemu) info status
VM status: running
(qemu) 

# ps -ef |grep qemu
root     13747 13524  3 12:30 pts/0    00:00:03 /usr/libexec/qemu-kvm -monitor stdio -sandbox off -device intel-hda -device hda-duplex -vnc :0
root     13757 13703  0 12:32 pts/1    00:00:00 grep --color=auto qemu

#ausearch -m SECCOMP
----
time->Fri Feb 21 12:27:17 2014
type=SECCOMP msg=audit(1392956837.869:4462): auid=0 uid=0 gid=0 ses=536 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=13693 comm="qemu-kvm" sig=31 syscall=149 compat=0 ip=0x7f0679274e67 code=0x0
[root@localhost ~]# scmp_sys_resolver 149
mlock

Comment 58 langfang 2014-02-21 07:23:33 UTC

Created attachment 865825 [details]
strace-sandbox-off

Comment 59 langfang 2014-02-21 07:24:45 UTC

Created attachment 865827 [details]
strace-sandbox-on

Comment 60 Paul Moore 2014-02-21 13:48:51 UTC

Thank you for the strace logs; it appears to still be PulseAudio related.  I'm going to move this back to ASSIGNED until we have a fix.

I'm still not sure why this didn't surface earlier, there must be something machine/driver specific.

Comment 62 Paul Moore 2014-02-21 14:48:13 UTC

Created attachment 866047 [details]
01-bz1026314-3.patch

Comment 63 Paul Moore 2014-02-21 14:49:25 UTC

Could you test the fix above and let me know if it solves the problem you are seeing?

Comment 65 langfang 2014-02-25 03:04:27 UTC

Created attachment 867241 [details]
strace_sandbox_on

Comment 66 langfang 2014-02-25 03:05:05 UTC

Created attachment 867242 [details]
strace_sandbox_off

Comment 69 langfang 2014-02-26 08:26:01 UTC

Created attachment 867844 [details]
sandbox_on

Comment 70 langfang 2014-02-26 08:27:12 UTC

Created attachment 867845 [details]
sandbox off

Comment 71 Paul Moore 2014-02-26 15:44:04 UTC

Patch posted upstream, I'll submit it internally as soon as it is merged.

 * http://marc.info/?l=qemu-devel&m=139342834013276&w=2

Comment 73 Paul Moore 2014-03-13 19:10:13 UTC

The patch has been merged into the QEMU/seccomp tree, as soon as it hits the main QEMU tree I'll post it internally.

 * http://marc.info/?l=qemu-devel&m=139471820103798&w=2

Comment 74 Eric Paris 2014-03-13 19:20:45 UTC

This has still not landed in the QEMU upstream tree.  As we do not see a large number of customers who will need to share their sound card into the VM and, as a work around, they an use spice, this bug is being moved to 7.1.

Comment 81 Miroslav Rezanina 2014-07-09 12:17:10 UTC

Fix included in qemu-kvm-1.5.3-66.el7

Comment 82 huiqingding 2014-08-05 05:34:59 UTC

Reproduce this bug using the following version:
qemu-kvm-1.5.3-63.el7.x86_64
kernel-3.10.0-140.el7.x86_64

Stesp:
1.Boot guest
/usr/libexec/qemu-kvm -monitor stdio  -sandbox on -device intel-hda -device hda-duplex -vnc :0

2.Check qemu

Results:
qemu hang

# ps -ef |grep qemu
root       914  6288  0 13:25 pts/0    00:00:00 [qemu-kvm] <defunct>
root     28287 23407  0 13:32 pts/1    00:00:00 grep --color=auto qemu

# ausearch -m SECCOMP
----
time->Tue Aug  5 13:25:52 2014
type=SECCOMP msg=audit(1407216352.200:1587): auid=0 uid=0 gid=0 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=914 comm="qemu-kvm" sig=31 syscall=149 compat=0 ip=0x7f7b6d111ea7 code=0x0

Comment 83 huiqingding 2014-08-05 05:39:58 UTC

Test this bug on an intel host using the following version:
qemu-kvm-1.5.3-66.el7.x86_64
kernel-3.10.0-140.el7.x86_64

Steps to Test:
1.Boot guest
/usr/libexec/qemu-kvm -monitor stdio  -sandbox on -device intel-hda -device hda-duplex -vnc :0
QEMU 1.5.3 monitor - type 'help' for more information
(qemu) pulseaudio: pa_context_connect() failed
pulseaudio: Reason: Connection refused
pulseaudio: Failed to initialize PA contextaudio: Could not init `pa' audio driver

(qemu) info status
VM status: running

Results:
qemu-kvm works well and not hang

#  ps -ef |grep qemu
root     23317  6288  2 13:35 pts/0    00:00:03 /usr/libexec/qemu-kvm -monitor stdio -sandbox on -device intel-hda -device hda-duplex -vnc :0
root     24174 23407  0 13:37 pts/1    00:00:00 grep --color=auto qemu

# ausearch -m SECCOMP
----
time->Tue Aug  5 13:25:52 2014
type=SECCOMP msg=audit(1407216352.200:1587): auid=0 uid=0 gid=0 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=914 comm="qemu-kvm" sig=31 syscall=149 compat=0 ip=0x7f7b6d111ea7 code=0x0

Addtional test:
boot guest with "-sandbox off",get same results.

Comment 84 huiqingding 2014-08-05 06:10:40 UTC

Test this bug on an intel host using the following version:
qemu-kvm-rhev-2.1.0-3.el7ev.preview.x86_64
kernel-3.10.0-140.el7.x86_64

Steps to Test:
1.Boot guest
# /usr/libexec/qemu-kvm -monitor stdio  -sandbox on -device intel-hda -device hda-duplex -vnc :0
QEMU 2.0.92 monitor - type 'help' for more information
(qemu) pulseaudio: pa_context_connect() failed
pulseaudio: Reason: Connection refused
pulseaudio: Failed to initialize PA contextaudio: Could not init `pa' audio driver

(qemu) info status
VM status: running
(qemu) 

Results:
qemu-kvm works well and not hang

when quit qemu-kvm, qemu-kvm hang, file a new bug bz1126704

Comment 85 Paul Moore 2014-08-05 15:14:39 UTC

Information from BZ #1126704 ...

Description of problem:
boot a vm with '-sandbox on'+'vnc'+'hda', quit qemu-kvm, qemu-kvm hang.

Version-Release number of selected component (if applicable):
qemu-kvm-rhev-2.1.0-3.el7ev.preview.x86_64
kernel-3.10.0-140.el7.x86_64
libseccomp-2.1.1-2.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. boot a vm with '-sandbox on'+'vnc'+'hda'
# strace -o strace_sandbox_on.txt /usr/libexec/qemu-kvm -monitor stdio  -sandbox on -device intel-hda -device hda-duplex -vnc :0
2. quit qemu-kvm
(qemu) q
3.

Actual results:
after step1, qemu-kvm works well
QEMU 2.0.92 monitor - type 'help' for more information
(qemu) pulseaudio: pa_context_connect() failed
pulseaudio: Reason: Connection refused
pulseaudio: Failed to initialize PA contextaudio: Could not init `pa' audio driver

(qemu) info status
VM status: running

after step2, qemu-kvm hang
#  ps -ef |grep qemu
root     19784  6288  0 13:55 pts/0    00:00:00 strace -o strace_sandbox_on.txt /usr/libexec/qemu-kvm -monitor stdio -sandbox on -device intel-hda -device hda-duplex -vnc :0
root     19931 19784 24 13:55 pts/0    00:00:02 [qemu-kvm] <defunct>
root     32352 23407  0 13:55 pts/1    00:00:00 grep --color=auto qemu

# ausearch -m SECCOMP
----
time->Tue Aug  5 13:25:52 2014
type=SECCOMP msg=audit(1407216352.200:1587): auid=0 uid=0 gid=0 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=914 comm="qemu-kvm" sig=31 syscall=149 compat=0 ip=0x7f7b6d111ea7 code=0x0
----
time->Tue Aug  5 13:41:45 2014
type=SECCOMP msg=audit(1407217305.536:1588): auid=0 uid=0 gid=0 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=24124 comm="qemu-kvm" sig=31 syscall=66 compat=0 ip=0x7faa42cfec3a code=0x0
----
time->Tue Aug  5 13:46:00 2014
type=SECCOMP msg=audit(1407217560.084:1589): auid=0 uid=0 gid=0 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=22409 comm="qemu-kvm" sig=31 syscall=66 compat=0 ip=0x7fbb0a27bc3a code=0x0
----
time->Tue Aug  5 13:47:03 2014
type=SECCOMP msg=audit(1407217623.757:1590): auid=0 uid=0 gid=0 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=15252 comm="qemu-kvm" sig=31 syscall=66 compat=0 ip=0x7f13e2f0ac3a code=0x0
----
time->Tue Aug  5 13:51:54 2014
type=SECCOMP msg=audit(1407217914.975:1591): auid=0 uid=0 gid=0 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=20845 comm="qemu-kvm" sig=31 syscall=66 compat=0 ip=0x7f54a16e1c3a code=0x0
----
time->Tue Aug  5 13:55:45 2014
type=SECCOMP msg=audit(1407218145.647:1592): auid=0 uid=0 gid=0 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=19931 comm="qemu-kvm" sig=31 syscall=66 compat=0 ip=0x7fe3b805ec3a code=0x0


Expected results:
qemu-kvm can quit normally.

Additional info:
The host has an audio device:
# lspci | grep Audio
00:1b.0 Audio device: Intel Corporation 7 Series/C210 Series Chipset Family High Definition Audio Controller (rev 04)

Comment 86 Paul Moore 2014-08-05 15:15:57 UTC

Let's keep the above problem with this BZ so we can retain the BZ history, there is no need to create a new BZ.  I'm going to close the other BZ as a duplicate of this BZ.

Comment 87 Paul Moore 2014-08-05 15:16:48 UTC

*** Bug 1126704 has been marked as a duplicate of this bug. ***

Comment 88 Paul Moore 2014-08-05 15:19:30 UTC

The latest offending syscall:

 # scmp_sys_resolver -a x86_64 66
 semctl

... we probably want to add some other sem*() syscalls as well.

Comment 89 Paul Moore 2014-08-13 16:43:01 UTC

Created attachment 926521 [details]
01-seccomp-sem_updates.patch

Comment 91 Paul Moore 2014-08-13 16:44:28 UTC

Could you verify the patch above solves your problem?  If it does I'll submit it upstream.

Comment 95 Paul Moore 2014-08-14 17:23:44 UTC

Upstream patch posting:

 * http://marc.info/?l=qemu-devel&m=140803679515013&w=2

Comment 96 Paul Moore 2014-08-21 13:01:32 UTC

Upstream commit ID:

 * b22876cc2f863c58cfebd4a5301fc47e8ec89228

Comment 99 Miroslav Rezanina 2014-10-24 12:03:47 UTC

Fix included in qemu-kvm-1.5.3-77.el7

Comment 101 mazhang 2014-11-03 06:50:22 UTC

Reproduce this bug on qemu-kvm-1.5.3-36.el7.x86_64.

Host:
qemu-kvm-1.5.3-36.el7.x86_64
qemu-kvm-debuginfo-1.5.3-36.el7.x86_64
qemu-img-1.5.3-36.el7.x86_64
qemu-kvm-tools-1.5.3-36.el7.x86_64
qemu-kvm-common-1.5.3-36.el7.x86_64
kernel-3.10.0-193.el7.x86_64

Steps:
1. Start qemu with follow command line:
[root@intel-e31225-8-1 ~]# /usr/libexec/qemu-kvm -monitor stdio  -sandbox on -device intel-hda -device hda-duplex -vnc :0

Result:
qemu-kvm hang.

[root@intel-e31225-8-2 ~]# ps ax |grep qemu
 2044 pts/2    Zl+    0:00 [qemu-kvm] <defunct>
 2065 pts/1    S+     0:00 grep --color=auto qemu

[root@intel-e31225-8-2 ~]# ausearch -m SECCOMP
----
time->Mon Nov  3 14:38:26 2014
type=SECCOMP msg=audit(1414996706.807:6396): auid=0 uid=0 gid=0 ses=854 pid=2044 comm="qemu-kvm" sig=31 arch=c000003e syscall=83 compat=0 ip=0x7f06b8639637 code=0x0
[root@intel-e31225-8-2 ~]# scmp_sys_resolver 31
shmctl


Verified this bug on qemu-kvm-1.5.3-77.el7.x86_64.

host:
qemu-kvm-debuginfo-1.5.3-77.el7.x86_64
qemu-img-1.5.3-77.el7.x86_64
qemu-kvm-tools-1.5.3-77.el7.x86_64
qemu-kvm-common-1.5.3-77.el7.x86_64
qemu-kvm-1.5.3-77.el7.x86_64
kernel-3.10.0-193.el7.x86_64

Result:
Start qemu-kvm with '-sandbox on'+'vnc'+'hda', qemu-kvm works well, then quit normally.

So this bug has been fixed.

Comment 103 errata-xmlrpc 2015-03-05 08:01:54 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0349.html

Note You need to log in before you can comment on or make changes to this bug.