Bug 1057425 - multiple qxl devices(>9) cause qemu-kvm core dump
Summary: multiple qxl devices(>9) cause qemu-kvm core dump
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.0
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Gerd Hoffmann
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-01-24 04:58 UTC by FuXiangChun
Modified: 2015-03-05 09:43 UTC (History)

Fixed In Version: qemu 2.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 09:43:47 UTC


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0624 normal SHIPPED_LIVE Important: qemu-kvm-rhev security, bug fix, and enhancement update 2015-03-05 14:37:36 UTC

Description FuXiangChun 2014-01-24 04:58:06 UTC
Description of problem:
Booting the qemu-kvm process with 9 qxl devices, qemu-kvm and the guest work well. Booting the qemu-kvm process with 10 qxl devices, qemu-kvm core dumps.

Version-Release number of selected component (if applicable):
qemu-kvm-1.5.3-41.el7.x86_64
seabios-1.7.2.2-10.el7.x86_64
3.10.0-64.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Boot guest with 10 qxl devices
/usr/libexec/qemu-kvm -M pc -cpu host -enable-kvm -m 2048 -smp 2 -qmp tcp:0:5556,server,nowait -name rhel7 -uuid 6afa5f93-2d4f-420f-81c6-e5fdddbd1c83 -boot menu=on -spice port=5930,disable-ticketing -vga qxl -device qxl,id=video1,bus=pci.0,addr=0x7 -device qxl,id=video2,bus=pci.0,addr=0x8 -device qxl,id=video3,bus=pci.0,addr=0x9 -device qxl,id=video4,bus=pci.0,addr=0xa  -monitor stdio -device qxl,id=video5,bus=pci.0,addr=0xb -device qxl,id=video6,bus=pci.0,addr=0xc -device qxl,id=video7,bus=pci.0,addr=0xd -device qxl,id=video8,bus=pci.0,addr=0xe -device qxl,id=video9,bus=pci.0,addr=0xf -device qxl,id=video10,bus=pci.0,addr=0x10

Actual results:
qemu-kvm core dump:
(gdb) bt
#0  graphic_console_init (dev=0x5555567553e0, hw_ops=hw_ops@entry=0x555555c4af20 <qxl_ops>, 
    opaque=opaque@entry=0x5555567553e0) at ui/console.c:1635
#1  0x00005555557a006d in qxl_init_secondary (dev=0x5555567553e0)
    at /usr/src/debug/qemu-1.5.3/hw/display/qxl.c:2100
#2  0x00005555556c3362 in pci_qdev_init (qdev=0x5555567553e0) at hw/pci/pci.c:1720
#3  0x000055555567f184 in device_realize (dev=0x5555567553e0, err=0x7fffffffdbd0) at hw/core/qdev.c:178
#4  0x00005555556806ab in device_set_realized (obj=0x5555567553e0, value=<optimized out>, err=0x7fffffffdd18)
    at hw/core/qdev.c:693
#5  0x000055555574123e in property_set_bool (obj=0x5555567553e0, v=<optimized out>, opaque=0x5555566a8ea0, 
    name=<optimized out>, errp=0x7fffffffdd18) at qom/object.c:1302
#6  0x0000555555743df7 in object_property_set_qobject (obj=0x5555567553e0, value=<optimized out>, 
    name=0x5555558b9b3a "realized", errp=0x7fffffffdd18) at qom/qom-qobject.c:24
#7  0x0000555555742c00 in object_property_set_bool (obj=obj@entry=0x5555567553e0, value=value@entry=true, 
    name=name@entry=0x5555558b9b3a "realized", errp=errp@entry=0x7fffffffdd18) at qom/object.c:853
#8  0x000055555572f14e in qdev_device_add (opts=0x555556530750) at qdev-monitor.c:551
#9  0x0000555555773649 in device_init_func (opts=<optimized out>, opaque=<optimized out>) at vl.c:2290
#10 0x00005555558a61bb in qemu_opts_foreach (list=<optimized out>, 
    func=func@entry=0x555555773630 <device_init_func>, opaque=opaque@entry=0x0, 
    abort_on_failure=abort_on_failure@entry=1) at util/qemu-option.c:1149
#11 0x0000555555601be1 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4255

If the guest is booted with 9 qxl devices, the PCI information below can be seen inside the guest:
00:07.0~00:0f.0

        Display controller: Red Hat, Inc. Device 0100 (rev 04)
	Subsystem: Red Hat, Inc Device 1100
	Physical Slot: 15
	Control: I/O+ Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR+ FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Interrupt: pin A routed to IRQ 11
	Region 0: Memory at f4000000 (32-bit, non-prefetchable) [size=64M]
	Region 1: Memory at f8000000 (32-bit, non-prefetchable) [size=64M]
	Region 2: Memory at fc042000 (32-bit, non-prefetchable) [size=8K]
	Region 3: I/O ports at c180 [size=32]


Expected results:
If the PCI memory size is exceeded, qemu-kvm should show a warning message and should not core dump.

Additional info:

Comment 2 FuXiangChun 2014-01-24 07:24:20 UTC
Tested two other scenarios. For these two scenarios the guest works well, and the PCI memory size can be seen inside the guest via "lspci -vvv".

S1
Boot guest with the following:
-device qxl,id=video1,bus=pci.0,vram_size=536870912,addr=0x7 
-device qxl,id=video2,bus=pci.0,vram_size=536870912,addr=0x8 
-device qxl,id=video3,bus=pci.0,vram_size=536870912,addr=0x9  
-device qxl,id=video4,bus=pci.0,addr=0xa 
-device qxl,id=video5,bus=pci.0,addr=0xb

S2
Boot guest with the following:
-device qxl,id=video1,bus=pci.0,vram_size=268435456,addr=0x7 
-device qxl,id=video2,bus=pci.0,vram_size=268435456,addr=0x8 
-device qxl,id=video3,bus=pci.0,vram_size=268435456,addr=0x9 
-device qxl,id=video4,bus=pci.0,vram_size=268435456,addr=0xa  
-device qxl,id=video5,vram_size=268435456,bus=pci.0,addr=0xb 
-device qxl,id=video6,bus=pci.0,vram_size=268435456,addr=0xc 
-device qxl,id=video7,bus=pci.0,vram_size=268435456,addr=0xd 
-device qxl,id=video8,bus=pci.0,vram_size=268435456,addr=0xe 
-device qxl,id=video9,bus=pci.0,vram_size=268435456,addr=0xf

Comment 3 Gerd Hoffmann 2014-01-27 09:47:19 UTC
Probably a missing sanity check for MAX_CONSOLES somewhere, followed by overflowing the consoles[] array.  The max number of qxl devices supported is 4, thus this isn't critical enough for 7.0, deferring.
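
As an added illustration of the bug class comment 3 describes (example code, not QEMU's own), the toy registry below keeps a fixed consoles[] table of MAX_CONSOLES entries and places the unchecked registration beside a checked one that fails the device realize with a message, which is the behaviour the reporter expected instead of a core dump. All names in it (Console, console_init_unchecked, console_init_checked, secondary_device_realize, boot_with_devices, dummy_ops) are hypothetical.

```c
#include <stdio.h>
#include <stddef.h>

/* Toy console registry (added example, not QEMU code; all names hypothetical),
 * modelled on the fixed consoles[] array and MAX_CONSOLES limit of comment 3. */
#define MAX_CONSOLES 4

typedef struct { const void *hw_ops; void *opaque; } Console;

static Console consoles[MAX_CONSOLES];
static int nb_consoles;
static const int dummy_ops = 0;      /* stands in for the qxl_ops table */

/* Bug class from the report: the slot index comes from the counter and is never
 * compared with MAX_CONSOLES, so the (MAX_CONSOLES+1)-th call writes past the
 * array (undefined behaviour; a SIGSEGV on the hw_ops store is one outcome). */
static Console *console_init_unchecked(const void *hw_ops, void *opaque)
{
    Console *s = &consoles[nb_consoles++];
    s->hw_ops = hw_ops;
    s->opaque = opaque;
    return s;
}

/* Hardened form: verify the bound first and refuse the registration when the
 * table is full, so the caller can report it instead of corrupting memory. */
static Console *console_init_checked(const void *hw_ops, void *opaque)
{
    return nb_consoles < MAX_CONSOLES ? console_init_unchecked(hw_ops, opaque) : NULL;
}

/* Device realize: fail with a message instead of dereferencing a NULL console. */
static int secondary_device_realize(int dev_id)
{
    if (console_init_checked(&dummy_ops, NULL) == NULL) {
        fprintf(stderr, "video%d: too many consoles (max %d)\n", dev_id, MAX_CONSOLES);
        return -1;
    }
    return 0;
}

/* Boots n secondary devices from a fresh table; returns how many realized. */
static int boot_with_devices(int n)
{
    int ok = 0;
    nb_consoles = 0;
    for (int i = 1; i <= n; i++)
        ok += secondary_device_realize(i) == 0;
    return ok;
}
```

Calling boot_with_devices(10) realizes the first MAX_CONSOLES devices and prints one warning per surplus device; the process keeps running, unlike the unchecked path.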

Comment 5 Gerd Hoffmann 2014-05-26 09:30:15 UTC
http://patchwork.ozlabs.org/patch/352454/

Comment 8 langfang 2014-08-26 09:35:30 UTC
Reproduced this bug with the following versions:

Host:
# uname -r 
3.10.0-145.el7.x86_64
# rpm -q qemu-kvm-rhev
qemu-kvm-rhev-1.5.3-60.el7_0_0.6.x86_64


Steps:
1) Boot guest with >9 qxl devices
....
-spice port=5930,disable-ticketing -vga qxl -device qxl,id=video1,bus=pci.0,addr=0x7 -device qxl,id=video2,bus=pci.0,addr=0x8 -device qxl,id=video3,bus=pci.0,addr=0x9 -device qxl,id=video4,bus=pci.0,addr=0xa  -monitor stdio -device qxl,id=video5,bus=pci.0,addr=0xb -device qxl,id=video6,bus=pci.0,addr=0xc -device qxl,id=video7,bus=pci.0,addr=0xd -device qxl,id=video8,bus=pci.0,addr=0xe -device qxl,id=video9,bus=pci.0,addr=0xf -device qxl,id=video10,bus=pci.0,addr=0x10  -device qxl,id=video11,bus=pci.0,addr=0x11  -device qxl,id=video12,bus=pci.0,addr=0x12  -device qxl,id=video13,bus=pci.0,addr=0x13  -device qxl,id=video14,bus=pci.0,addr=0x14  


Results:

qemu coredump

QEMU 1.5.3 monitor - type 'help' for more information
(qemu) 
Program received signal SIGSEGV, Segmentation fault.
graphic_console_init (dev=0x555556781020, 
    hw_ops=hw_ops@entry=0x555555bfdc60 <qxl_ops>, 
    opaque=opaque@entry=0x555556781020) at ui/console.c:1635
1635	    s->hw_ops = hw_ops;
Missing separate debuginfos, use: debuginfo-install glibc-2.17-55.el7.x86_64
(gdb) bt
#0  graphic_console_init (dev=0x555556781020, 
    hw_ops=hw_ops@entry=0x555555bfdc60 <qxl_ops>, 
    opaque=opaque@entry=0x555556781020) at ui/console.c:1635
#1  0x000055555576ed9d in qxl_init_secondary (dev=0x555556781020)
    at /usr/src/debug/qemu-1.5.3/hw/display/qxl.c:2079
#2  0x00005555556ae212 in pci_qdev_init (qdev=0x555556781020)
    at hw/pci/pci.c:1720
#3  0x0000555555676c44 in device_realize (dev=0x555556781020, 
    err=0x7fffffffd9f0) at hw/core/qdev.c:178
#4  0x0000555555677bab in device_set_realized (obj=0x555556781020, 
    value=<optimized out>, err=0x7fffffffdb18) at hw/core/qdev.c:693
#5  0x000055555571cd6e in property_set_bool (obj=0x555556781020, 
    v=<optimized out>, opaque=0x5555567d9170, name=<optimized out>, 
    errp=0x7fffffffdb18) at qom/object.c:1302
#6  0x000055555571ee47 in object_property_set_qobject (
    obj=0x555556781020, value=<optimized out>, 
    name=0x5555558731fa "realized", errp=0x7fffffffdb18)
    at qom/qom-qobject.c:24
#7  0x000055555571e030 in object_property_set_bool (
    obj=obj@entry=0x555556781020, value=value@entry=true, 
    name=name@entry=0x5555558731fa "realized", 
    errp=errp@entry=0x7fffffffdb18) at qom/object.c:853
#8  0x000055555570be7f in qdev_device_add (opts=0x5555564e7420)
---Type <return> to continue, or q <return> to quit---
    at qdev-monitor.c:556
#9  0x00005555557493d9 in device_init_func (opts=<optimized out>, 
    opaque=<optimized out>) at vl.c:2290
#10 0x000055555585ea2b in qemu_opts_foreach (list=<optimized out>, 
    func=func@entry=0x5555557493d0 <device_init_func>, 
    opaque=opaque@entry=0x0, abort_on_failure=abort_on_failure@entry=1)
    at util/qemu-option.c:1198
#11 0x0000555555602df1 in main (argc=<optimized out>, 
    argv=<optimized out>, envp=<optimized out>) at vl.c:4257

Verified this bug with the following versions:
Host:

# uname -r
3.10.0-144.el7.x86_64
# rpm -q qemu-kvm-rhev
qemu-kvm-rhev-2.1.0-2.el7.x86_64

Steps the same as for the reproduction.

Results:
Guest works well, no qemu coredump hit.

According to the above test, this bug has been fixed.

Comment 9 langfang 2014-08-27 05:14:04 UTC
Hi Gerd,
As the above test shows, this bug has been fixed in the latest qemu-kvm-rhev version. A qemu core dump is a serious problem. Do you plan to modify it in the qemu-kvm component?

best regards
fang lang

Comment 10 Gerd Hoffmann 2014-08-27 05:32:04 UTC
(In reply to langfang from comment #9)
> Hi Gerd
>    as above test this bug has been fixed on latest qemu-kvm-rhev version.
> Qemu core dump is a serious problem.Do you plan to modify it on qemu-kvm
> component ?

No plans, not critical.

Segfaults which the guest can trigger are a serious problem indeed.  But that isn't the case here.  The segfault happens on startup, on an unsupported configuration.

Comment 13 errata-xmlrpc 2015-03-05 09:43:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0624.html

