1054077 – qemu crash when reboot win7 guest with spice display

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1054077 - qemu crash when reboot win7 guest with spice display

Summary: qemu crash when reboot win7 guest with spice display

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	qemu-kvm
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Gerd Hoffmann
QA Contact:	Virtualization Bugs
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1003819 (view as bug list)
Depends On:	995931
Blocks:	Virt-S3/S4-7.0 1003819
TreeView+	depends on / blocked

Reported:	2014-01-16 08:12 UTC by xhan
Modified:	2015-03-05 08:03 UTC (History)
CC List:	13 users (show)
Fixed In Version:	qemu-kvm-1.5.3-71.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-03-05 08:03:44 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:0349	0	normal	SHIPPED_LIVE	Important: qemu-kvm security, bug fix, and enhancement update	2015-03-05 12:27:34 UTC

Description xhan 2014-01-16 08:12:19 UTC

Description of problem:

When reboot the win7 guest, qemu-kvm crash. 

bt
#0  0x00007f931ce75979 in raise () from /lib64/libc.so.6
#1  0x00007f931ce77088 in abort () from /lib64/libc.so.6
#2  0x00007f931dc3190c in spice_logv (log_domain=0x7f931dca7f86 "Spice", log_level=SPICE_LOG_LEVEL_ERROR, strloc=0x7f931dcad312 "red_parse_qxl.c:489", function=0x7f931dcad8e2 <__FUNCTION__.19719> "red_get_image", 
    format=0x7f931dcad302 "unknown type %d", args=args@entry=0x7f9283ffe800) at log.c:109
#3  0x00007f931dc31a65 in spice_log (log_domain=log_domain@entry=0x7f931dca7f86 "Spice", log_level=log_level@entry=SPICE_LOG_LEVEL_ERROR, strloc=strloc@entry=0x7f931dcad312 "red_parse_qxl.c:489", 
    function=function@entry=0x7f931dcad8e2 <__FUNCTION__.19719> "red_get_image", format=format@entry=0x7f931dcad302 "unknown type %d") at log.c:123
#4  0x00007f931dbf05d5 in red_get_image (slots=slots@entry=0x7f927c1d5e58, group_id=group_id@entry=1, addr=72057594055084504, flags=flags@entry=0, is_mask=is_mask@entry=0) at red_parse_qxl.c:489
#5  0x00007f931dbf1bd5 in red_get_copy_ptr (flags=0, qxl=0x7f9285665c63, red=0x7f927c2214d0, group_id=1, slots=0x7f927c1d5e58) at red_parse_qxl.c:590
#6  red_get_native_drawable (flags=0, addr=<optimized out>, red=0x7f927c221440, group_id=1, slots=0x7f927c1d5e58) at red_parse_qxl.c:967
#7  red_get_drawable (slots=0x7f927c1d5e58, group_id=1, red=0x7f927c221440, addr=<optimized out>, flags=0) at red_parse_qxl.c:1105
#8  0x00007f931dc0ac12 in red_process_commands (worker=<optimized out>, ring_is_empty=<optimized out>, max_pipe_size=50) at red_worker.c:5190
#9  0x00007f931dc10bda in red_worker_main (arg=<optimized out>) at red_worker.c:12292
#10 0x00007f9320228de3 in start_thread () from /lib64/libpthread.so.0
#11 0x00007f931cf3625d in clone () from /lib64/libc.so.6


Version-Release number of selected component (if applicable):
qemu-kvm-rhev-1.5.3-36.el7.x86_64
kernel-3.10.0-69.el7.x86_64

How reproducible:
once

Steps to Reproduce:
1. boot vm 
  /usr/libexec/qemu-kvm \
    -S  \
    -name 'virt-tests-vm1'  \
    -sandbox off  \
    -M pc-q35-rhel7.0.0  \
    -nodefaults  \
    -vga qxl  \
    -global qxl-vga.vram_size=33554432 \
    -device intel-hda,bus=pcie.0,addr=02 \
    -device hda-duplex  \
    -device nec-usb-xhci,id=usb1,bus=pcie.0,addr=04 \
    -device virtio-scsi-pci,id=virtio_scsi_pci0,bus=pcie.0,addr=05 \
    -drive id=drive_image1,if=none,cache=none,snapshot=off,aio=native,file=images/win7-64-virtio.qcow2 \
    -device scsi-hd,id=image1,drive=drive_image1 \
    -device virtio-net-pci,mac=9a:8e:8f:90:91:92,id=idoZEhC9,netdev=idPThVd4,bus=pcie.0,addr=06  \
    -netdev tap,id=idPThVd4,vhost=on,script=/etc/qemu-ifup  \
    -m 2048  \
    -smp 1,maxcpus=1,cores=1,threads=1,sockets=2  \
    -cpu 'Opteron_G2',+kvm_pv_unhalt,hv_relaxed,hv_spinlocks=0x1fff,hv_vapic \
    -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1  \
    -spice port=3000,password=123456,addr=0,tls-port=3200,x509-dir=/tmp/spice_x509d,tls-channel=main,tls-channel=inputs,image-compression=auto_glz,zlib-glz-wan-compression=auto,streaming-video=all,agent-mouse=on,playback-compression=on,ipv4  \
    -rtc base=localtime,clock=host,driftfix=slew  \
    -boot order=cdn,once=c,menu=off \
    -enable-kvm
2. wait to login vm
3. reboot guest and repeat step 2 and step3.

Actual results:
qemu crash

Expected results:
qemu and guest can work without crash.

Additional info:
cat /proc/cpuinfo 
processor	: 0
vendor_id	: AuthenticAMD
cpu family	: 15
model		: 107
model name	: AMD Athlon(tm) 64 X2 Dual Core Processor 5600+
stepping	: 2
cpu MHz		: 1000.000
cache size	: 512 KB
physical id	: 0
siblings	: 2
core id		: 0
cpu cores	: 2
apicid		: 0
initial apicid	: 0
fpu		: yes
fpu_exception	: yes
cpuid level	: 1
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt rdtscp lm 3dnowext 3dnow rep_good nopl extd_apicid pni cx16 lahf_lm cmp_legacy svm extapic cr8_legacy 3dnowprefetch lbrv
bogomips	: 2004.29
TLB size	: 1024 4K pages
clflush size	: 64
cache_alignment	: 64
address sizes	: 40 bits physical, 48 bits virtual
power management: ts fid vid ttp tm stc 100mhzsteps


The core dump:
bt full
#0  0x00007f931ce75979 in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007f931ce77088 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007f931dc3190c in spice_logv (log_domain=0x7f931dca7f86 "Spice", 
    log_level=SPICE_LOG_LEVEL_ERROR, strloc=0x7f931dcad312 "red_parse_qxl.c:489", 
    function=0x7f931dcad8e2 <__FUNCTION__.19719> "red_get_image", 
    format=0x7f931dcad302 "unknown type %d", args=args@entry=0x7f9283ffe800) at log.c:109
        level = 0x7f931dcb82f8 "ERROR"
#3  0x00007f931dc31a65 in spice_log (log_domain=log_domain@entry=0x7f931dca7f86 "Spice", 
    log_level=log_level@entry=SPICE_LOG_LEVEL_ERROR, 
    strloc=strloc@entry=0x7f931dcad312 "red_parse_qxl.c:489", 
    function=function@entry=0x7f931dcad8e2 <__FUNCTION__.19719> "red_get_image", 
    format=format@entry=0x7f931dcad302 "unknown type %d") at log.c:123
        args = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7f9283ffe8e0, 
            reg_save_area = 0x7f9283ffe820}}
#4  0x00007f931dbf05d5 in red_get_image (slots=slots@entry=0x7f927c1d5e58, 
    group_id=group_id@entry=1, addr=72057594055084504, flags=flags@entry=0, is_mask=is_mask@entry=0)
    at red_parse_qxl.c:489
        chunks = {data_size = 1, prev_chunk = 0x7f9283ffe9a4, next_chunk = 0x7f9285665be8, 
          data = 0x7f931dbefa6b <get_virt+203> "\211\302L\211\360\205\322u\316A\307E"}
        qxl = 0x7f928505c9d8
        red = 0x7f927c221530
        rp = 0x0
        bitmap_size = <optimized out>
---Type <return> to continue, or q <return> to quit---
        size = <optimized out>
        qxl_flags = <optimized out>
        error = 0
        __FUNCTION__ = "red_get_image"
#5  0x00007f931dbf1bd5 in red_get_copy_ptr (flags=0, qxl=0x7f9285665c63, red=0x7f927c2214d0, 
    group_id=1, slots=0x7f927c1d5e58) at red_parse_qxl.c:590
No locals.
#6  red_get_native_drawable (flags=0, addr=<optimized out>, red=0x7f927c221440, group_id=1, 
    slots=0x7f927c1d5e58) at red_parse_qxl.c:967
        qxl = 0x7f9285665be8
        i = <optimized out>
        error = <optimized out>
#7  red_get_drawable (slots=0x7f927c1d5e58, group_id=1, red=0x7f927c221440, addr=<optimized out>, 
    flags=0) at red_parse_qxl.c:1105
        ret = <optimized out>
#8  0x00007f931dc0ac12 in red_process_commands (worker=<optimized out>, 
    ring_is_empty=<optimized out>, max_pipe_size=50) at red_worker.c:5190
        ext_cmd = {cmd = {data = 72057594061413352, type = 1, padding = 0}, group_id = 1, flags = 0}
        n = 15
        start = <optimized out>
#9  0x00007f931dc10bda in red_worker_main (arg=<optimized out>) at red_worker.c:12292
        worker = <optimized out>
        __FUNCTION__ = "red_worker_main"
#10 0x00007f9320228de3 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
---Type <return> to continue, or q <return> to quit---
#11 0x00007f931cf3625d in clone () from /lib64/libc.so.6
No symbol table info available.

Comment 3 Gerd Hoffmann 2014-01-16 13:49:39 UTC

qxl command parser in spice server errors out on invalid input (unknown image type).  Assigning to spice for invesitgation.  Not sure this actually is a spice server bug, could also be something in the windows qxl guest driver.

Comment 4 Marc-Andre Lureau 2014-03-05 15:51:14 UTC

I can't reproduce, I have setup a win7-x64 VM with virt-manager on rhel7, and rebooted several time at logon screen with success. The qxl driver I installed is from http://www.spice-space.org/download/windows/spice-guest-tools/spice-guest-tools-0.74.exe

It's very hard to use the same command line arguments as yours, given that Windows is very picky about configuration changes and refuses to boot, and it takes hours to setup a win7 vm.

What driver did you install?

Could you provide a simpler way to reproduce, only using virt-manager? Could you detail how you configured the VM with virt-manager in this case, and what updates/driver install you added later in the guest?

Comment 6 xhan 2014-03-20 08:46:45 UTC

I tried to reproduce it. Don't hit this problem. 
The basic install process what I had done with autotest is installing guest with virtio-blk and virtio-net for nic, then install the virtio drive with virtio-win-prewhql-74.

Comment 7 Marc-Andre Lureau 2014-03-20 09:59:01 UTC

(In reply to Gerd Hoffmann from comment #3)
> qxl command parser in spice server errors out on invalid input (unknown
> image type).  Assigning to spice for invesitgation.  Not sure this actually
> is a spice server bug, could also be something in the windows qxl guest
> driver.

Since it can't be reproduced, I think we should make the server not error/abort on invalid data from guest (although this might be pretty hard to solve over all code paths), at least we should solve for this particular error.

Comment 8 RHEL Program Management 2014-03-28 05:47:54 UTC

This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 10 Marc-Andre Lureau 2014-07-03 22:32:07 UTC

very very likely a dup of bug 995931, adding dep

Comment 12 Marc-Andre Lureau 2014-08-29 13:46:46 UTC

please try to reproduce with qemu > qemu-kvm-0.12.1.2-2.438.el6

Most likely this is fixed with bug 995931 and should be closed as duplicate.

Thanks

Comment 13 juzhang 2014-09-01 02:09:54 UTC

(In reply to Marc-Andre Lureau from comment #12)
> please try to reproduce with qemu > qemu-kvm-0.12.1.2-2.438.el6
> 
> Most likely this is fixed with bug 995931 and should be closed as duplicate.
> 
> Thanks

Hi Sluo,

Could you have a try?

Best Regards,
Junyi

Comment 14 Sibiao Luo 2014-09-01 07:41:35 UTC

(In reply to juzhang from comment #13)
> (In reply to Marc-Andre Lureau from comment #12)
> > please try to reproduce with qemu > qemu-kvm-0.12.1.2-2.438.el6
> > 
> > Most likely this is fixed with bug 995931 and should be closed as duplicate.
> > 
> > Thanks
> 
here this bug is for rhel7, but bug 995931 is just for rhel6, i don't think they are duplicate. I will try it if need, thanks for your checking.
> Hi Sluo,
> 
> Could you have a try?
> 
> Best Regards,
> Junyi

Comment 15 Marc-Andre Lureau 2014-09-01 10:49:17 UTC

(In reply to Sibiao Luo from comment #14)
> (In reply to juzhang from comment #13)
> > (In reply to Marc-Andre Lureau from comment #12)
> > > please try to reproduce with qemu > qemu-kvm-0.12.1.2-2.438.el6
> > > 
> > > Most likely this is fixed with bug 995931 and should be closed as duplicate.
> > > 
> > > Thanks
> > 
> here this bug is for rhel7, but bug 995931 is just for rhel6, i don't think
> they are duplicate. I will try it if need, thanks for your checking.

oops, I missed that.

The patches:
75c70e37bc4a6bdc394b4d1b163fe730abb82c72 & 50f3e42b9438e033074222671c0502ecfeba82c

Seem to be missing from rhel7 qemu. Reassigning

Comment 16 Sibiao Luo 2014-09-02 08:14:53 UTC

(In reply to Marc-Andre Lureau from comment #15)
> (In reply to Sibiao Luo from comment #14)
> > (In reply to juzhang from comment #13)
> > > (In reply to Marc-Andre Lureau from comment #12)
> > > > please try to reproduce with qemu > qemu-kvm-0.12.1.2-2.438.el6
> > > > 
> > > > Most likely this is fixed with bug 995931 and should be closed as duplicate.
> > > > 
> > > > Thanks
> > > 
> > here this bug is for rhel7, but bug 995931 is just for rhel6, i don't think
> > they are duplicate. I will try it if need, thanks for your checking.
> 
> oops, I missed that.
> 
> The patches:
> 75c70e37bc4a6bdc394b4d1b163fe730abb82c72 &
> 50f3e42b9438e033074222671c0502ecfeba82c
> 
> Seem to be missing from rhel7 qemu. Reassigning

Thanks a lot.

Comment 17 Gerd Hoffmann 2014-09-02 10:26:49 UTC

Thanks for the hashes.  Backport posted.

Comment 18 Miroslav Rezanina 2014-09-18 15:31:07 UTC

Fix included in qemu-kvm-1.5.3-71.el7

Comment 21 Gerd Hoffmann 2014-10-30 08:46:27 UTC

*** Bug 1003819 has been marked as a duplicate of this bug. ***

Comment 23 errata-xmlrpc 2015-03-05 08:03:44 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0349.html

Note You need to log in before you can comment on or make changes to this bug.