Bug 1054077 - qemu crash when reboot win7 guest with spice display
Summary: qemu crash when reboot win7 guest with spice display
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Gerd Hoffmann
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Duplicates: 1003819
Depends On: 995931
Blocks: Virt-S3/S4-7.0 1003819
Reported: 2014-01-16 08:12 UTC by xhan
Modified: 2015-03-05 08:03 UTC
CC: 13 users

Fixed In Version: qemu-kvm-1.5.3-71.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 08:03:44 UTC
Target Upstream Version:




Links
Red Hat Product Errata RHSA-2015:0349 (priority: normal, status: SHIPPED_LIVE): Important: qemu-kvm security, bug fix, and enhancement update (last updated 2015-03-05 12:27:34 UTC)

Description xhan 2014-01-16 08:12:19 UTC
Description of problem:

When rebooting the win7 guest, qemu-kvm crashes.

bt
#0  0x00007f931ce75979 in raise () from /lib64/libc.so.6
#1  0x00007f931ce77088 in abort () from /lib64/libc.so.6
#2  0x00007f931dc3190c in spice_logv (log_domain=0x7f931dca7f86 "Spice", log_level=SPICE_LOG_LEVEL_ERROR, strloc=0x7f931dcad312 "red_parse_qxl.c:489", function=0x7f931dcad8e2 <__FUNCTION__.19719> "red_get_image", 
    format=0x7f931dcad302 "unknown type %d", args=args@entry=0x7f9283ffe800) at log.c:109
#3  0x00007f931dc31a65 in spice_log (log_domain=log_domain@entry=0x7f931dca7f86 "Spice", log_level=log_level@entry=SPICE_LOG_LEVEL_ERROR, strloc=strloc@entry=0x7f931dcad312 "red_parse_qxl.c:489", 
    function=function@entry=0x7f931dcad8e2 <__FUNCTION__.19719> "red_get_image", format=format@entry=0x7f931dcad302 "unknown type %d") at log.c:123
#4  0x00007f931dbf05d5 in red_get_image (slots=slots@entry=0x7f927c1d5e58, group_id=group_id@entry=1, addr=72057594055084504, flags=flags@entry=0, is_mask=is_mask@entry=0) at red_parse_qxl.c:489
#5  0x00007f931dbf1bd5 in red_get_copy_ptr (flags=0, qxl=0x7f9285665c63, red=0x7f927c2214d0, group_id=1, slots=0x7f927c1d5e58) at red_parse_qxl.c:590
#6  red_get_native_drawable (flags=0, addr=<optimized out>, red=0x7f927c221440, group_id=1, slots=0x7f927c1d5e58) at red_parse_qxl.c:967
#7  red_get_drawable (slots=0x7f927c1d5e58, group_id=1, red=0x7f927c221440, addr=<optimized out>, flags=0) at red_parse_qxl.c:1105
#8  0x00007f931dc0ac12 in red_process_commands (worker=<optimized out>, ring_is_empty=<optimized out>, max_pipe_size=50) at red_worker.c:5190
#9  0x00007f931dc10bda in red_worker_main (arg=<optimized out>) at red_worker.c:12292
#10 0x00007f9320228de3 in start_thread () from /lib64/libpthread.so.0
#11 0x00007f931cf3625d in clone () from /lib64/libc.so.6


Version-Release number of selected component (if applicable):
qemu-kvm-rhev-1.5.3-36.el7.x86_64
kernel-3.10.0-69.el7.x86_64

How reproducible:
once

Steps to Reproduce:
1. boot vm 
  /usr/libexec/qemu-kvm \
    -S  \
    -name 'virt-tests-vm1'  \
    -sandbox off  \
    -M pc-q35-rhel7.0.0  \
    -nodefaults  \
    -vga qxl  \
    -global qxl-vga.vram_size=33554432 \
    -device intel-hda,bus=pcie.0,addr=02 \
    -device hda-duplex  \
    -device nec-usb-xhci,id=usb1,bus=pcie.0,addr=04 \
    -device virtio-scsi-pci,id=virtio_scsi_pci0,bus=pcie.0,addr=05 \
    -drive id=drive_image1,if=none,cache=none,snapshot=off,aio=native,file=images/win7-64-virtio.qcow2 \
    -device scsi-hd,id=image1,drive=drive_image1 \
    -device virtio-net-pci,mac=9a:8e:8f:90:91:92,id=idoZEhC9,netdev=idPThVd4,bus=pcie.0,addr=06  \
    -netdev tap,id=idPThVd4,vhost=on,script=/etc/qemu-ifup  \
    -m 2048  \
    -smp 1,maxcpus=1,cores=1,threads=1,sockets=2  \
    -cpu 'Opteron_G2',+kvm_pv_unhalt,hv_relaxed,hv_spinlocks=0x1fff,hv_vapic \
    -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1  \
    -spice port=3000,password=123456,addr=0,tls-port=3200,x509-dir=/tmp/spice_x509d,tls-channel=main,tls-channel=inputs,image-compression=auto_glz,zlib-glz-wan-compression=auto,streaming-video=all,agent-mouse=on,playback-compression=on,ipv4  \
    -rtc base=localtime,clock=host,driftfix=slew  \
    -boot order=cdn,once=c,menu=off \
    -enable-kvm
2. wait to login vm
3. reboot the guest and repeat step 2 and step 3.

Actual results:
qemu crashes

Expected results:
qemu and the guest work without crashing.

Additional info:
cat /proc/cpuinfo 
processor	: 0
vendor_id	: AuthenticAMD
cpu family	: 15
model		: 107
model name	: AMD Athlon(tm) 64 X2 Dual Core Processor 5600+
stepping	: 2
cpu MHz		: 1000.000
cache size	: 512 KB
physical id	: 0
siblings	: 2
core id		: 0
cpu cores	: 2
apicid		: 0
initial apicid	: 0
fpu		: yes
fpu_exception	: yes
cpuid level	: 1
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt rdtscp lm 3dnowext 3dnow rep_good nopl extd_apicid pni cx16 lahf_lm cmp_legacy svm extapic cr8_legacy 3dnowprefetch lbrv
bogomips	: 2004.29
TLB size	: 1024 4K pages
clflush size	: 64
cache_alignment	: 64
address sizes	: 40 bits physical, 48 bits virtual
power management: ts fid vid ttp tm stc 100mhzsteps


The core dump:
bt full
#0  0x00007f931ce75979 in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007f931ce77088 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007f931dc3190c in spice_logv (log_domain=0x7f931dca7f86 "Spice", 
    log_level=SPICE_LOG_LEVEL_ERROR, strloc=0x7f931dcad312 "red_parse_qxl.c:489", 
    function=0x7f931dcad8e2 <__FUNCTION__.19719> "red_get_image", 
    format=0x7f931dcad302 "unknown type %d", args=args@entry=0x7f9283ffe800) at log.c:109
        level = 0x7f931dcb82f8 "ERROR"
#3  0x00007f931dc31a65 in spice_log (log_domain=log_domain@entry=0x7f931dca7f86 "Spice", 
    log_level=log_level@entry=SPICE_LOG_LEVEL_ERROR, 
    strloc=strloc@entry=0x7f931dcad312 "red_parse_qxl.c:489", 
    function=function@entry=0x7f931dcad8e2 <__FUNCTION__.19719> "red_get_image", 
    format=format@entry=0x7f931dcad302 "unknown type %d") at log.c:123
        args = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7f9283ffe8e0, 
            reg_save_area = 0x7f9283ffe820}}
#4  0x00007f931dbf05d5 in red_get_image (slots=slots@entry=0x7f927c1d5e58, 
    group_id=group_id@entry=1, addr=72057594055084504, flags=flags@entry=0, is_mask=is_mask@entry=0)
    at red_parse_qxl.c:489
        chunks = {data_size = 1, prev_chunk = 0x7f9283ffe9a4, next_chunk = 0x7f9285665be8, 
          data = 0x7f931dbefa6b <get_virt+203> "\211\302L\211\360\205\322u\316A\307E"}
        qxl = 0x7f928505c9d8
        red = 0x7f927c221530
        rp = 0x0
        bitmap_size = <optimized out>
        size = <optimized out>
        qxl_flags = <optimized out>
        error = 0
        __FUNCTION__ = "red_get_image"
#5  0x00007f931dbf1bd5 in red_get_copy_ptr (flags=0, qxl=0x7f9285665c63, red=0x7f927c2214d0, 
    group_id=1, slots=0x7f927c1d5e58) at red_parse_qxl.c:590
No locals.
#6  red_get_native_drawable (flags=0, addr=<optimized out>, red=0x7f927c221440, group_id=1, 
    slots=0x7f927c1d5e58) at red_parse_qxl.c:967
        qxl = 0x7f9285665be8
        i = <optimized out>
        error = <optimized out>
#7  red_get_drawable (slots=0x7f927c1d5e58, group_id=1, red=0x7f927c221440, addr=<optimized out>, 
    flags=0) at red_parse_qxl.c:1105
        ret = <optimized out>
#8  0x00007f931dc0ac12 in red_process_commands (worker=<optimized out>, 
    ring_is_empty=<optimized out>, max_pipe_size=50) at red_worker.c:5190
        ext_cmd = {cmd = {data = 72057594061413352, type = 1, padding = 0}, group_id = 1, flags = 0}
        n = 15
        start = <optimized out>
#9  0x00007f931dc10bda in red_worker_main (arg=<optimized out>) at red_worker.c:12292
        worker = <optimized out>
        __FUNCTION__ = "red_worker_main"
#10 0x00007f9320228de3 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#11 0x00007f931cf3625d in clone () from /lib64/libc.so.6
No symbol table info available.

Comment 3 Gerd Hoffmann 2014-01-16 13:49:39 UTC
qxl command parser in spice server errors out on invalid input (unknown image type).  Assigning to spice for investigation.  Not sure this actually is a spice server bug, could also be something in the windows qxl guest driver.

Comment 4 Marc-Andre Lureau 2014-03-05 15:51:14 UTC
I can't reproduce. I have set up a win7-x64 VM with virt-manager on rhel7, and rebooted several times at the logon screen with success. The qxl driver I installed is from http://www.spice-space.org/download/windows/spice-guest-tools/spice-guest-tools-0.74.exe

It's very hard to use the same command line arguments as yours, given that Windows is very picky about configuration changes and refuses to boot, and it takes hours to setup a win7 vm.

What driver did you install?

Could you provide a simpler way to reproduce, only using virt-manager? Could you detail how you configured the VM with virt-manager in this case, and what updates/driver install you added later in the guest?

Comment 6 xhan 2014-03-20 08:46:45 UTC
I tried to reproduce it. I don't hit this problem.
The basic install process I did with autotest was installing the guest with virtio-blk and virtio-net for the nic, then installing the virtio drivers with virtio-win-prewhql-74.

Comment 7 Marc-Andre Lureau 2014-03-20 09:59:01 UTC
(In reply to Gerd Hoffmann from comment #3)
> qxl command parser in spice server errors out on invalid input (unknown
> image type).  Assigning to spice for investigation.  Not sure this actually
> is a spice server bug, could also be something in the windows qxl guest
> driver.

Since it can't be reproduced, I think we should make the server not error/abort on invalid data from guest (although this might be pretty hard to solve over all code paths), at least we should solve for this particular error.
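
The principle stated in this comment (reject invalid guest data and continue, instead of aborting the host process) as an added illustration. This is not spice-server or qemu code and not the backported fix; the image descriptor layout, the type constants, the dimension bound and the function names are simplified assumptions made for the example:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed, simplified model of a guest-written image descriptor that the
 * display server reads out of guest memory. Real QXL/spice structures differ;
 * the point is only the validation of guest-controlled fields. */
enum image_type {
    IMG_TYPE_BITMAP  = 0,
    IMG_TYPE_QUIC    = 1,
    IMG_TYPE_SURFACE = 2,
    IMG_TYPE_COUNT   = 3   /* first value that is NOT a valid type (assumed) */
};

#define IMG_DIM_MAX 16384u  /* assumed upper bound on width/height */

typedef struct { uint32_t type, width, height; } guest_image_desc;
typedef struct { enum image_type type; uint32_t width, height; } parsed_image;

/* Unhardened parser modelled on the failure in the backtrace: an unknown type
 * reaches an error path that aborts the whole process. Guest memory is
 * untrusted from the host's point of view, so one malformed command takes
 * down qemu and every other device of that VM (a host-side denial of service). */
int parse_image_aborting(const guest_image_desc *qxl, parsed_image *out)
{
    switch (qxl->type) {
    case IMG_TYPE_BITMAP:
    case IMG_TYPE_QUIC:
    case IMG_TYPE_SURFACE:
        out->type   = (enum image_type)qxl->type;
        out->width  = qxl->width;
        out->height = qxl->height;
        return 0;
    default:
        fprintf(stderr, "unknown type %u\n", (unsigned)qxl->type);
        abort();   /* what the error path in the backtrace amounts to */
    }
}

/* Hardened parser: validate every guest-controlled field, report it, and
 * return an error so the caller can drop just this command and keep running. */
int parse_image_checked(const guest_image_desc *qxl, parsed_image *out)
{
    if (qxl->type >= IMG_TYPE_COUNT) {
        fprintf(stderr, "dropping command: unknown image type %u\n",
                (unsigned)qxl->type);
        return -1;
    }
    /* Bound the dimensions before any size arithmetic is derived from them. */
    if (qxl->width == 0 || qxl->height == 0 ||
        qxl->width > IMG_DIM_MAX || qxl->height > IMG_DIM_MAX) {
        fprintf(stderr, "dropping command: bad dimensions %ux%u\n",
                (unsigned)qxl->width, (unsigned)qxl->height);
        return -1;
    }
    out->type   = (enum image_type)qxl->type;
    out->width  = qxl->width;
    out->height = qxl->height;
    return 0;
}

/* Command-ring loop in the spirit of red_process_commands: a rejected command
 * is counted and skipped, and the worker thread survives. Returns the number
 * of accepted commands and stores the number dropped in *dropped. */
int process_commands(const guest_image_desc *cmds, size_t n, size_t *dropped)
{
    int accepted = 0;
    *dropped = 0;
    for (size_t i = 0; i < n; i++) {
        parsed_image img;
        if (parse_image_checked(&cmds[i], &img) == 0)
            accepted++;
        else
            (*dropped)++;
    }
    return accepted;
}

/* Constructed sample ring: two valid commands, one with an unknown type (as in
 * the backtrace's "unknown type %d"), one with an absurd width. */
static const guest_image_desc sample_ring[] = {
    { IMG_TYPE_BITMAP,  640,         480 },
    { 7,                640,         480 },   /* unknown type */
    { IMG_TYPE_SURFACE, 1024,        768 },
    { IMG_TYPE_QUIC,    0xFFFFFFFFu, 1   },   /* bogus width */
};

int demo_accepted(void)
{
    size_t dropped;
    return process_commands(sample_ring, 4, &dropped);
}

int demo_dropped(void)
{
    size_t dropped;
    process_commands(sample_ring, 4, &dropped);
    return (int)dropped;
}

int main(void)
{
    printf("accepted=%d dropped=%d\n", demo_accepted(), demo_dropped());
    return 0;
}
```

The unhardened variant is kept only to show the contrast; feeding it the sample ring would abort on the second entry. The checked variant reports the two bad entries and processes the rest, which is the behaviour the comment asks for on this code path, and the dropped-command count is the kind of signal a host-side monitor can alert on.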

Comment 8 RHEL Program Management 2014-03-28 05:47:54 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 10 Marc-Andre Lureau 2014-07-03 22:32:07 UTC
Very very likely a dup of bug 995931, adding dep.

Comment 12 Marc-Andre Lureau 2014-08-29 13:46:46 UTC
Please try to reproduce with qemu > qemu-kvm-0.12.1.2-2.438.el6.

Most likely this is fixed with bug 995931 and should be closed as duplicate.

Thanks

Comment 13 juzhang 2014-09-01 02:09:54 UTC
(In reply to Marc-Andre Lureau from comment #12)
> please try to reproduce with qemu > qemu-kvm-0.12.1.2-2.438.el6
> 
> Most likely this is fixed with bug 995931 and should be closed as duplicate.
> 
> Thanks

Hi Sluo,

Could you have a try?

Best Regards,
Junyi

Comment 14 Sibiao Luo 2014-09-01 07:41:35 UTC
(In reply to juzhang from comment #13)
> (In reply to Marc-Andre Lureau from comment #12)
> > please try to reproduce with qemu > qemu-kvm-0.12.1.2-2.438.el6
> > 
> > Most likely this is fixed with bug 995931 and should be closed as duplicate.
> > 
> > Thanks
> 
Here this bug is for rhel7, but bug 995931 is just for rhel6; I don't think they are duplicates. I will try it if needed, thanks for your checking.
> Hi Sluo,
> 
> Could you have a try?
> 
> Best Regards,
> Junyi

Comment 15 Marc-Andre Lureau 2014-09-01 10:49:17 UTC
(In reply to Sibiao Luo from comment #14)
> (In reply to juzhang from comment #13)
> > (In reply to Marc-Andre Lureau from comment #12)
> > > please try to reproduce with qemu > qemu-kvm-0.12.1.2-2.438.el6
> > > 
> > > Most likely this is fixed with bug 995931 and should be closed as duplicate.
> > > 
> > > Thanks
> > 
> Here this bug is for rhel7, but bug 995931 is just for rhel6; I don't think
> they are duplicates. I will try it if needed, thanks for your checking.

oops, I missed that.

The patches:
75c70e37bc4a6bdc394b4d1b163fe730abb82c72 & 50f3e42b9438e033074222671c0502ecfeba82c

Seem to be missing from rhel7 qemu. Reassigning.

Comment 16 Sibiao Luo 2014-09-02 08:14:53 UTC
(In reply to Marc-Andre Lureau from comment #15)
> (In reply to Sibiao Luo from comment #14)
> > (In reply to juzhang from comment #13)
> > > (In reply to Marc-Andre Lureau from comment #12)
> > > > please try to reproduce with qemu > qemu-kvm-0.12.1.2-2.438.el6
> > > > 
> > > > Most likely this is fixed with bug 995931 and should be closed as duplicate.
> > > > 
> > > > Thanks
> > > 
> > Here this bug is for rhel7, but bug 995931 is just for rhel6; I don't think
> > they are duplicates. I will try it if needed, thanks for your checking.
> 
> oops, I missed that.
> 
> The patches:
> 75c70e37bc4a6bdc394b4d1b163fe730abb82c72 &
> 50f3e42b9438e033074222671c0502ecfeba82c
> 
> Seem to be missing from rhel7 qemu. Reassigning.

Thanks a lot.

Comment 17 Gerd Hoffmann 2014-09-02 10:26:49 UTC
Thanks for the hashes.  Backport posted.

Comment 18 Miroslav Rezanina 2014-09-18 15:31:07 UTC
Fix included in qemu-kvm-1.5.3-71.el7

Comment 21 Gerd Hoffmann 2014-10-30 08:46:27 UTC
*** Bug 1003819 has been marked as a duplicate of this bug. ***

Comment 23 errata-xmlrpc 2015-03-05 08:03:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0349.html

