Bug 1057425 - multiple qxl devices(>9) cause qemu-kvm core dump
Summary: multiple qxl devices(>9) cause qemu-kvm core dump
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.0
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Gerd Hoffmann
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-01-24 04:58 UTC by FuXiangChun
Modified: 2015-03-05 09:43 UTC (History)

Fixed In Version: qemu 2.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 09:43:47 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHSA-2015:0624 (priority normal, status SHIPPED_LIVE): Important: qemu-kvm-rhev security, bug fix, and enhancement update; last updated 2015-03-05 14:37:36 UTC

Description FuXiangChun 2014-01-24 04:58:06 UTC
Description of problem:
Booting the qemu-kvm process with 9 qxl devices, qemu-kvm and the guest work well. Booting the qemu-kvm process with 10 qxl devices, qemu-kvm core dumps.

Version-Release number of selected component (if applicable):
qemu-kvm-1.5.3-41.el7.x86_64
seabios-1.7.2.2-10.el7.x86_64
3.10.0-64.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Boot guest with 10 qxl devices:
/usr/libexec/qemu-kvm -M pc -cpu host -enable-kvm -m 2048 -smp 2 -qmp tcp:0:5556,server,nowait -name rhel7 -uuid 6afa5f93-2d4f-420f-81c6-e5fdddbd1c83 -boot menu=on -spice port=5930,disable-ticketing -vga qxl -device qxl,id=video1,bus=pci.0,addr=0x7 -device qxl,id=video2,bus=pci.0,addr=0x8 -device qxl,id=video3,bus=pci.0,addr=0x9 -device qxl,id=video4,bus=pci.0,addr=0xa  -monitor stdio -device qxl,id=video5,bus=pci.0,addr=0xb -device qxl,id=video6,bus=pci.0,addr=0xc -device qxl,id=video7,bus=pci.0,addr=0xd -device qxl,id=video8,bus=pci.0,addr=0xe -device qxl,id=video9,bus=pci.0,addr=0xf -device qxl,id=video10,bus=pci.0,addr=0x10

Actual results:
qemu-kvm core dump:
(gdb) bt
#0  graphic_console_init (dev=0x5555567553e0, hw_ops=hw_ops@entry=0x555555c4af20 <qxl_ops>, 
    opaque=opaque@entry=0x5555567553e0) at ui/console.c:1635
#1  0x00005555557a006d in qxl_init_secondary (dev=0x5555567553e0)
    at /usr/src/debug/qemu-1.5.3/hw/display/qxl.c:2100
#2  0x00005555556c3362 in pci_qdev_init (qdev=0x5555567553e0) at hw/pci/pci.c:1720
#3  0x000055555567f184 in device_realize (dev=0x5555567553e0, err=0x7fffffffdbd0) at hw/core/qdev.c:178
#4  0x00005555556806ab in device_set_realized (obj=0x5555567553e0, value=<optimized out>, err=0x7fffffffdd18)
    at hw/core/qdev.c:693
#5  0x000055555574123e in property_set_bool (obj=0x5555567553e0, v=<optimized out>, opaque=0x5555566a8ea0, 
    name=<optimized out>, errp=0x7fffffffdd18) at qom/object.c:1302
#6  0x0000555555743df7 in object_property_set_qobject (obj=0x5555567553e0, value=<optimized out>, 
    name=0x5555558b9b3a "realized", errp=0x7fffffffdd18) at qom/qom-qobject.c:24
#7  0x0000555555742c00 in object_property_set_bool (obj=obj@entry=0x5555567553e0, value=value@entry=true, 
    name=name@entry=0x5555558b9b3a "realized", errp=errp@entry=0x7fffffffdd18) at qom/object.c:853
#8  0x000055555572f14e in qdev_device_add (opts=0x555556530750) at qdev-monitor.c:551
#9  0x0000555555773649 in device_init_func (opts=<optimized out>, opaque=<optimized out>) at vl.c:2290
#10 0x00005555558a61bb in qemu_opts_foreach (list=<optimized out>, 
    func=func@entry=0x555555773630 <device_init_func>, opaque=opaque@entry=0x0, 
    abort_on_failure=abort_on_failure@entry=1) at util/qemu-option.c:1149
#11 0x0000555555601be1 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4255

If the guest is booted with 9 qxl devices, the PCI information below can be seen inside the guest for 00:07.0~00:0f.0:

	Display controller: Red Hat, Inc. Device 0100 (rev 04)
	Subsystem: Red Hat, Inc Device 1100
	Physical Slot: 15
	Control: I/O+ Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR+ FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Interrupt: pin A routed to IRQ 11
	Region 0: Memory at f4000000 (32-bit, non-prefetchable) [size=64M]
	Region 1: Memory at f8000000 (32-bit, non-prefetchable) [size=64M]
	Region 2: Memory at fc042000 (32-bit, non-prefetchable) [size=8K]
	Region 3: I/O ports at c180 [size=32]


Expected results:
If the PCI memory size is exceeded, qemu-kvm should show a warning message; it shouldn't core dump.

Additional info:

Comment 2 FuXiangChun 2014-01-24 07:24:20 UTC
Tested another two scenarios. For these two scenarios the guest works well, and the PCI memory size can be seen inside the guest via "lspci -vvv".

S1
Boot guest with below
-device qxl,id=video1,bus=pci.0,vram_size=536870912,addr=0x7 
-device qxl,id=video2,bus=pci.0,vram_size=536870912,addr=0x8 
-device qxl,id=video3,bus=pci.0,vram_size=536870912,addr=0x9  
-device qxl,id=video4,bus=pci.0,addr=0xa 
-device qxl,id=video5,bus=pci.0,addr=0xb

S2
Boot guest with below
-device qxl,id=video1,bus=pci.0,vram_size=268435456,addr=0x7 
-device qxl,id=video2,bus=pci.0,vram_size=268435456,addr=0x8 
-device qxl,id=video3,bus=pci.0,vram_size=268435456,addr=0x9 
-device qxl,id=video4,bus=pci.0,vram_size=268435456,addr=0xa  
-device qxl,id=video5,vram_size=268435456,bus=pci.0,addr=0xb 
-device qxl,id=video6,bus=pci.0,vram_size=268435456,addr=0xc 
-device qxl,id=video7,bus=pci.0,vram_size=268435456,addr=0xd 
-device qxl,id=video8,bus=pci.0,vram_size=268435456,addr=0xe 
-device qxl,id=video9,bus=pci.0,vram_size=268435456,addr=0xf

Comment 3 Gerd Hoffmann 2014-01-27 09:47:19 UTC
Probably a missing sanity check for MAX_CONSOLES somewhere, followed by overflowing the consoles[] array.  The max number of qxl devices supported is 4, thus this isn't critical enough for 7.0, deferring.
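
The failure mode described in comment 3 (a fixed-size consoles[] table written past its end) and the behaviour the reporter asked for under "Expected results" (an error instead of a core dump), as an added example that is not QEMU's code and not part of this bug report: an unchecked register routine beside a bounds-checked one whose failure is turned into an error string on the device realize path. The MAX_CONSOLES value of 12, the Console fields and every function name here are assumptions made for the illustration; the actual fix is the upstream patch referenced in comment 5.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed value; stands in for the MAX_CONSOLES limit in ui/console.c. */
#define MAX_CONSOLES 12

/* Minimal stand-in for a graphic console entry. */
typedef struct {
    const void *hw_ops;   /* stands in for the GraphicHwOps pointer (e.g. &qxl_ops) */
    void *opaque;         /* the device that owns the console */
    int index;
} Console;

/* Fixed-size table, as the consoles[] array the comment refers to. */
typedef struct {
    Console consoles[MAX_CONSOLES];
    int nb_consoles;
} ConsoleTable;

/* Before: no check that nb_consoles is below MAX_CONSOLES. The 13th caller
 * gets a pointer one past the end of consoles[] and the store to s->hw_ops
 * (frame #0 of the backtrace) corrupts memory or segfaults. Kept only for
 * contrast; the caller must guarantee the table is not full. */
static Console *console_init_unchecked(ConsoleTable *t, const void *hw_ops, void *opaque)
{
    Console *s = &t->consoles[t->nb_consoles++];
    s->hw_ops = hw_ops;
    s->opaque = opaque;
    s->index = t->nb_consoles - 1;
    return s;
}

/* After: refuse to hand out a slot once the table is full. */
static Console *console_init_checked(ConsoleTable *t, const void *hw_ops, void *opaque)
{
    if (t->nb_consoles >= MAX_CONSOLES) {
        return NULL;
    }
    Console *s = &t->consoles[t->nb_consoles];
    s->hw_ops = hw_ops;
    s->opaque = opaque;
    s->index = t->nb_consoles;
    t->nb_consoles++;
    return s;
}

/* Stand-in for the secondary qxl realize path: a NULL from the console layer
 * becomes an error message for the caller instead of a crash.
 * Returns 0 on success, -1 on failure with errbuf filled in. */
static int qxl_realize_secondary(ConsoleTable *t, const char *id, void *dev,
                                 char *errbuf, size_t errlen)
{
    static const int qxl_ops_stub = 0;   /* stands in for &qxl_ops */
    Console *con = console_init_checked(t, &qxl_ops_stub, dev);
    if (!con) {
        snprintf(errbuf, errlen, "%s: too many graphic consoles (max %d)", id, MAX_CONSOLES);
        return -1;
    }
    return 0;
}

/* Simulate "-device qxl,id=video1 ... -device qxl,id=videoN". Stops at the
 * first failing device, as qemu_opts_foreach with abort_on_failure=1 does.
 * Returns the number of devices realized; errbuf is empty if all succeeded. */
static int boot_with_qxl_devices(int n, char *errbuf, size_t errlen)
{
    static int devs[64];                 /* dummy device objects (opaque pointers) */
    ConsoleTable table;
    char id[16];

    memset(&table, 0, sizeof table);
    errbuf[0] = '\0';
    if (n > (int)(sizeof devs / sizeof devs[0])) {
        n = (int)(sizeof devs / sizeof devs[0]);
    }
    for (int i = 0; i < n; i++) {
        snprintf(id, sizeof id, "video%d", i + 1);
        if (qxl_realize_secondary(&table, id, &devs[i], errbuf, errlen) < 0) {
            return i;
        }
    }
    return n;
}

int main(void)
{
    char err[128];
    ConsoleTable t;
    memset(&t, 0, sizeof t);

    /* The unchecked variant is safe only while the table has room. */
    console_init_unchecked(&t, NULL, NULL);
    printf("unchecked: %d console(s) registered\n", t.nb_consoles);

    int ok = boot_with_qxl_devices(14, err, sizeof err);
    printf("checked: %d of 14 devices realized; %s\n", ok, err[0] ? err : "no error");
    return 0;
}
```

With 14 devices the checked path realizes the first 12 and reports "video13: too many graphic consoles (max 12)", so startup fails with a message rather than a SIGSEGV in the console layer.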

Comment 5 Gerd Hoffmann 2014-05-26 09:30:15 UTC
http://patchwork.ozlabs.org/patch/352454/

Comment 8 langfang 2014-08-26 09:35:30 UTC
Reproduced this bug with the following version:

Host:
# uname -r 
3.10.0-145.el7.x86_64
# rpm -q qemu-kvm-rhev
qemu-kvm-rhev-1.5.3-60.el7_0_0.6.x86_64


Steps:
1) Boot guest with >9 qxl devices
....
-spice port=5930,disable-ticketing -vga qxl -device qxl,id=video1,bus=pci.0,addr=0x7 -device qxl,id=video2,bus=pci.0,addr=0x8 -device qxl,id=video3,bus=pci.0,addr=0x9 -device qxl,id=video4,bus=pci.0,addr=0xa  -monitor stdio -device qxl,id=video5,bus=pci.0,addr=0xb -device qxl,id=video6,bus=pci.0,addr=0xc -device qxl,id=video7,bus=pci.0,addr=0xd -device qxl,id=video8,bus=pci.0,addr=0xe -device qxl,id=video9,bus=pci.0,addr=0xf -device qxl,id=video10,bus=pci.0,addr=0x10  -device qxl,id=video11,bus=pci.0,addr=0x11  -device qxl,id=video12,bus=pci.0,addr=0x12  -device qxl,id=video13,bus=pci.0,addr=0x13  -device qxl,id=video14,bus=pci.0,addr=0x14  


Results:

qemu coredump

QEMU 1.5.3 monitor - type 'help' for more information
(qemu) 
Program received signal SIGSEGV, Segmentation fault.
graphic_console_init (dev=0x555556781020, 
    hw_ops=hw_ops@entry=0x555555bfdc60 <qxl_ops>, 
    opaque=opaque@entry=0x555556781020) at ui/console.c:1635
1635	    s->hw_ops = hw_ops;
Missing separate debuginfos, use: debuginfo-install glibc-2.17-55.el7.x86_64
(gdb) bt
#0  graphic_console_init (dev=0x555556781020, 
    hw_ops=hw_ops@entry=0x555555bfdc60 <qxl_ops>, 
    opaque=opaque@entry=0x555556781020) at ui/console.c:1635
#1  0x000055555576ed9d in qxl_init_secondary (dev=0x555556781020)
    at /usr/src/debug/qemu-1.5.3/hw/display/qxl.c:2079
#2  0x00005555556ae212 in pci_qdev_init (qdev=0x555556781020)
    at hw/pci/pci.c:1720
#3  0x0000555555676c44 in device_realize (dev=0x555556781020, 
    err=0x7fffffffd9f0) at hw/core/qdev.c:178
#4  0x0000555555677bab in device_set_realized (obj=0x555556781020, 
    value=<optimized out>, err=0x7fffffffdb18) at hw/core/qdev.c:693
#5  0x000055555571cd6e in property_set_bool (obj=0x555556781020, 
    v=<optimized out>, opaque=0x5555567d9170, name=<optimized out>, 
    errp=0x7fffffffdb18) at qom/object.c:1302
#6  0x000055555571ee47 in object_property_set_qobject (
    obj=0x555556781020, value=<optimized out>, 
    name=0x5555558731fa "realized", errp=0x7fffffffdb18)
    at qom/qom-qobject.c:24
#7  0x000055555571e030 in object_property_set_bool (
    obj=obj@entry=0x555556781020, value=value@entry=true, 
    name=name@entry=0x5555558731fa "realized", 
    errp=errp@entry=0x7fffffffdb18) at qom/object.c:853
#8  0x000055555570be7f in qdev_device_add (opts=0x5555564e7420)
    at qdev-monitor.c:556
#9  0x00005555557493d9 in device_init_func (opts=<optimized out>, 
    opaque=<optimized out>) at vl.c:2290
#10 0x000055555585ea2b in qemu_opts_foreach (list=<optimized out>, 
    func=func@entry=0x5555557493d0 <device_init_func>, 
    opaque=opaque@entry=0x0, abort_on_failure=abort_on_failure@entry=1)
    at util/qemu-option.c:1198
#11 0x0000555555602df1 in main (argc=<optimized out>, 
    argv=<optimized out>, envp=<optimized out>) at vl.c:4257

Verified this bug with the following version:
Host:

# uname -r
3.10.0-144.el7.x86_64
# rpm -q qemu-kvm-rhev
qemu-kvm-rhev-2.1.0-2.el7.x86_64

Steps same as for the reproduction

Results:
Guest works well, did not hit the qemu coredump

According to the above test, this bug has been fixed

Comment 9 langfang 2014-08-27 05:14:04 UTC
Hi Gerd
   As per the above test, this bug has been fixed on the latest qemu-kvm-rhev version. Qemu core dump is a serious problem. Do you plan to modify it on the qemu-kvm component?

best regards
fang lang

Comment 10 Gerd Hoffmann 2014-08-27 05:32:04 UTC
(In reply to langfang from comment #9)
> Hi Gerd
>    As per the above test, this bug has been fixed on the latest qemu-kvm-rhev
> version. Qemu core dump is a serious problem. Do you plan to modify it on the
> qemu-kvm component?

No plans, not critical.

Segfaults which the guest can trigger are a serious problem indeed.  But that isn't the case here.  The segfault happens on startup, on an unsupported configuration.

Comment 13 errata-xmlrpc 2015-03-05 09:43:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0624.html

