Bug 1095612 - Machine type rhel6.0.0 & -vga qxl & vnc cause qemu-kvm core dump
Summary: Machine type rhel6.0.0 & -vga qxl & vnc cause qemu-kvm core dump
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
Version: 6.6
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Gerd Hoffmann
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-05-08 07:46 UTC by FuXiangChun
Modified: 2015-03-10 10:11 UTC (History)

Fixed In Version: qemu-kvm-0.12.1-2.2.444.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1135372
Environment:
Last Closed: 2014-10-14 06:58:39 UTC
Target Upstream Version:




Links:
Red Hat Product Errata RHBA-2014:1490 (priority normal, status SHIPPED_LIVE): qemu-kvm bug fix and enhancement update, last updated 2014-10-14 01:28:27 UTC

Description FuXiangChun 2014-05-08 07:46:09 UTC
Description of problem:
Boot a RHEL6.5 guest with machine type rhel6.0.0 & -vga qxl & vnc. qemu-kvm core dumps when the guest loads the GUI (runlevel 5).

Notes:
1. Machine types rhel6.1.0 ~ rhel6.5.0 don't hit this issue (rhel6.0.0 only).

2. Runlevel 3 doesn't hit this bug (runlevel 5 only).

3. rhel6.0.0 & -vga qxl & spice don't hit this issue (rhel6.0.0 & -vga qxl & vnc only).

Question:
For a Windows guest, the qxl driver fails to load when booting the guest with machine type rhel6.0.0. Is this the same issue? If not, does QE need to file another bug to track it?

Version-Release number of selected component (if applicable):
kernel: 2.6.32-459.el6.x86_64
qemu-kvm: qemu-kvm-0.12.1.2-2.424.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1.Boot rhel6.5 guest
/usr/libexec/qemu-kvm -M rhel6.0.0 -cpu SandyBridge -enable-kvm -m 4096 -realtime mlock=off -smp 4,sockets=2,cores=2,threads=1,maxcpus=160 -nodefconfig -nodefaults -monitor stdio -name test-all-qemu-kvm  -drive file=/home/juli/RHEL-Server-6.5-64-virtio.qcow2,if=none,id=drive-scsi-disk,format=qcow2,cache=none,werror=stop,rerror=stop -device ide-drive,drive=drive-scsi-disk,id=disk -vnc :12 -vga qxl


Actual results:
(gdb) bt
#0  0x00007ffff4ce9a31 in memcpy () from /lib64/libc.so.6
#1  0x00007ffff7f70bbb in qxl_blit (qxl=0x7ffff9c98840) at /usr/include/bits/string3.h:52
#2  qxl_render_update_area_unlocked (qxl=0x7ffff9c98840) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qxl-render.c:139
#3  0x00007ffff7f70e0b in qxl_render_update (qxl=0x7ffff9c98840) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qxl-render.c:161
#4  0x00007ffff7e78af4 in vnc_refresh (opaque=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vnc.c:2513
#5  0x00007ffff7e78e35 in vnc_init_timer (vd=0x7ffff9cd12a0, csock=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vnc.c:2544
#6  vnc_connect (vd=0x7ffff9cd12a0, csock=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vnc.c:2595
#7  0x00007ffff7e79626 in vnc_listen_read (opaque=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vnc.c:2611
#8  0x00007ffff7dc741b in main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4053
#9  0x00007ffff7dea44a in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2245
#10 0x00007ffff7dca2d9 in main_loop (argc=26, argv=<value optimized out>, envp=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4266
#11 main (argc=26, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6644

Expected results:


Additional info:
I tested qemu-kvm-0.12.1.2-2.424.el6.x86_64 and qemu-kvm-0.12.1.2-2.415.el6.x86_64. Both hit this issue, so it may not be a regression bug.

Comment 2 Gerd Hoffmann 2014-06-10 12:26:58 UTC
http://patchwork.ozlabs.org/patch/357904/

Comment 3 Gerd Hoffmann 2014-07-02 09:47:27 UTC
upstream commit 788fbf042fc6d5aaeab56757e6dad622ac5f0c21

Comment 4 Gerd Hoffmann 2014-07-02 10:26:49 UTC
patches posted.

Comment 6 Jeff Nelson 2014-07-08 17:40:18 UTC
Fix included in qemu-kvm-0.12.1.2-2.430.el6

Comment 8 Shaolong Hu 2014-07-21 06:08:24 UTC
[root@localhost ~]# rpm -q qemu-kvm
qemu-kvm-0.12.1.2-2.429.el6.x86_64

[root@localhost ~]# /usr/libexec/qemu-kvm -M rhel6.0.0 -cpu SandyBridge -enable-kvm -m 4096 -realtime mlock=off -smp 4,sockets=2,cores=2,threads=1,maxcpus=160 -nodefconfig -nodefaults -monitor stdio -name test-all-qemu-kvm  -drive file=nfs/RHEL-Server-6.6-64-virtio.qcow2,if=none,id=drive-scsi-disk,format=qcow2,cache=none,werror=stop,rerror=stop -device virtio-blk-pci,drive=drive-scsi-disk,id=disk -vnc :12 -vga qxl
QEMU 0.12.1 monitor - type 'help' for more information
(qemu) Segmentation fault (core dumped)


Verified on qemu-kvm-0.12.1.2-2.430.el6.x86_64, no crash.

Comment 9 Qunfang Zhang 2014-08-27 09:25:22 UTC
During the bug re-verification work for rhel6.6, I could still reproduce the bug on the following versions:

kernel-2.6.32-498.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.441.el6.x86_64
spice-server-0.12.4-11.el6.x86_64

I also tried the following versions; all could reproduce the bug.

qemu-kvm-rhev-0.12.1.2-2.428.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.430.el6.x86_64

Re-tested with "-M rhel6.1.0": could not reproduce. The issue still happens with "-M rhel6.0.0".

Command line: 
Same as comment 8.

(gdb) r  -M rhel6.0.0 -cpu SandyBridge -enable-kvm -m 4096 -realtime mlock=off -smp 4,sockets=2,cores=2,threads=1,maxcpus=160 -nodefconfig -nodefaults -monitor stdio -name test-all-qemu-kvm  -drive file=/root/RHEL-Server-6.6-64-virtio.qcow2,if=none,id=drive-scsi-disk,format=qcow2,cache=none,werror=stop,rerror=stop -device virtio-blk-pci,drive=drive-scsi-disk,id=disk -vnc :12 -vga qxl
Starting program: /usr/libexec/qemu-kvm -M rhel6.0.0 -cpu SandyBridge -enable-kvm -m 4096 -realtime mlock=off -smp 4,sockets=2,cores=2,threads=1,maxcpus=160 -nodefconfig -nodefaults -monitor stdio -name test-all-qemu-kvm  -drive file=/root/RHEL-Server-6.6-64-virtio.qcow2,if=none,id=drive-scsi-disk,format=qcow2,cache=none,werror=stop,rerror=stop -device virtio-blk-pci,drive=drive-scsi-disk,id=disk -vnc :12 -vga qxl
[Thread debugging using libthread_db enabled]
[New Thread 0x7fffeeb6c700 (LWP 13540)]
QEMU 0.12.1 monitor - type 'help' for more information
(qemu) 
(qemu) 
(qemu) [New Thread 0x7ffecfbfd700 (LWP 13547)]
(qemu) 
(qemu) 
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff48ad9b7 in memcpy () from /lib64/libc.so.6

(gdb) bt
#0  0x00007ffff48ad9b7 in memcpy () from /lib64/libc.so.6
#1  0x00007ffff7f6abac in qxl_blit (qxl=0x7ffff9c9d840)
    at /usr/include/bits/string3.h:52
#2  qxl_render_update_area_unlocked (qxl=0x7ffff9c9d840)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qxl-render.c:146
#3  0x00007ffff7f6adb8 in qxl_render_update_area_bh (opaque=0x7ffff9c9d840)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qxl-render.c:188
#4  0x00007ffff7de7101 in qemu_bh_poll ()
    at /usr/src/debug/qemu-kvm-0.12.1.2/async.c:70
#5  0x00007ffff7daecb9 in main_loop_wait (timeout=1000)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4098
#6  0x00007ffff7dd24ea in kvm_main_loop ()
    at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2258
#7  0x00007ffff7db3767 in main_loop (argc=<value optimized out>, 
    argv=<value optimized out>, envp=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4268
#8  main (argc=<value optimized out>, argv=<value optimized out>, 
    envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6725
(gdb)

Comment 10 Qunfang Zhang 2014-08-27 09:26:03 UTC
According to comment 9, re-assign this bug. :(

Comment 11 Qunfang Zhang 2014-08-27 10:28:20 UTC
In the unfixed version qemu-kvm-rhev-0.12.1.2-2.428.el6.x86_64:

Guest core dumps at once after the guest boots up (have not logged in to the guest).

In the fixed or latest version:

Guest core dumps after logging in to the guest and waiting a few seconds (I waited about 5s ~ 10s).

Comment 12 Gerd Hoffmann 2014-08-29 07:34:43 UTC
(gdb) up
#1  0x00007f437ce7a016 in memcpy (__len=16, __src=0x7f43183d3cb4, __dest=<optimized out>)
    at /usr/include/bits/string3.h:51
51        return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
(gdb) up
#2  qxl_blit (rect=0x7f437e23b310, qxl=0x7f437e2299b0)
    at /home/kraxel/rhel/7/qemu-kvm/hw/display/qxl-render.c:51
51              memcpy(dst, src, len);
(gdb) print *rect
$1 = {top = -7, left = 1069, bottom = 0, right = 1073}

We get dirty rectangles with negative values from spice-server.  Oops.
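
As an added illustration (this is not qemu's code and not the patch posted below), the following C example models the sanity check a display backend needs before it blits a dirty rectangle that arrives from an external component, here spice-server: the rectangle printed above, top = -7, bottom = 0, has to be rejected before memcpy ever sees an offset computed from it. The Rect and Surface types, the 1280x8 32 bpp surface pair and the fill bytes are constructed for the example; only the field names and the rectangle values come from the trace.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Dirty rectangle as reported by the renderer (same field names as the
 * QXLRect printed in the trace; the type itself is constructed here). */
typedef struct {
    int32_t top, left, bottom, right;
} Rect;

/* Host-side framebuffer description (constructed for the example). */
typedef struct {
    int width, height;   /* pixels */
    int bytes_pp;        /* bytes per pixel */
    size_t stride;       /* bytes per row */
    uint8_t *data;
} Surface;

/* A rectangle is usable only if every edge lies inside the surface and it is
 * not empty or inverted. The signed comparisons matter: a negative top such
 * as the -7 above would otherwise be folded into a huge unsigned offset once
 * multiplied by the stride, and memcpy would read or write outside the buffer. */
bool rect_is_valid(const Rect *r, const Surface *s)
{
    if (r->top < 0 || r->left < 0)
        return false;
    if (r->bottom <= r->top || r->right <= r->left)
        return false;
    if (r->bottom > s->height || r->right > s->width)
        return false;
    return true;
}

/* Row-by-row copy of the rectangle from src into dst, the shape of a blit.
 * Returns the number of bytes copied, or -1 if the rectangle was rejected or
 * the surfaces do not match. Nothing is touched on rejection. */
long safe_blit(Surface *dst, const Surface *src, const Rect *r)
{
    if (dst->width != src->width || dst->height != src->height ||
        dst->bytes_pp != src->bytes_pp || dst->stride != src->stride)
        return -1;
    if (!rect_is_valid(r, src))
        return -1;

    size_t len = (size_t)(r->right - r->left) * (size_t)dst->bytes_pp;
    long total = 0;
    for (int32_t y = r->top; y < r->bottom; y++) {
        size_t off = (size_t)y * dst->stride + (size_t)r->left * (size_t)dst->bytes_pp;
        memcpy(dst->data + off, src->data + off, len);
        total += (long)len;
    }
    return total;
}

/* Self-check on a constructed 1280x8, 32 bpp surface pair. Returns 0 when the
 * rectangle from the trace is rejected and a sane one is copied exactly. */
int demo(void)
{
    enum { W = 1280, H = 8, BPP = 4 };
    static uint8_t src_buf[W * H * BPP], dst_buf[W * H * BPP];
    Surface src = { W, H, BPP, W * BPP, src_buf };
    Surface dst = { W, H, BPP, W * BPP, dst_buf };
    memset(src_buf, 0xAB, sizeof src_buf);
    memset(dst_buf, 0x00, sizeof dst_buf);

    Rect from_trace = { .top = -7, .left = 1069, .bottom = 0, .right = 1073 };
    Rect sane       = { .top = 2,  .left = 1069, .bottom = 4, .right = 1073 };

    if (safe_blit(&dst, &src, &from_trace) != -1)
        return 1;                       /* must be rejected */
    if (safe_blit(&dst, &src, &sane) != 2 * 4 * BPP)
        return 2;                       /* 2 rows x 4 pixels x 4 bytes = 32 */
    if (dst_buf[2 * W * BPP + 1069 * BPP] != 0xAB)
        return 3;                       /* inside the rectangle: copied */
    if (dst_buf[1 * W * BPP + 1069 * BPP] != 0x00)
        return 4;                       /* outside the rectangle: untouched */
    return 0;
}

int main(void)
{
    int rc = demo();
    printf("demo: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The point of checking in the consumer rather than trusting the producer is the one this bug makes: the rectangle crossed a component boundary (spice-server into qemu's qxl renderer), and the blit computed its source and destination pointers from it without bounds checks, so a single bad rectangle was enough to take the whole VM process down with SIGSEGV.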

Comment 13 Gerd Hoffmann 2014-08-29 07:39:44 UTC
http://patchwork.ozlabs.org/patch/384069/

Comment 14 Gerd Hoffmann 2014-08-29 08:10:47 UTC
Oops, patch screwed up.   New one:
http://patchwork.ozlabs.org/patch/384079/

Comment 15 Qunfang Zhang 2014-09-01 03:04:57 UTC
Hi, Ademar and Gerd

Thanks for replying to this bug so quickly. Do you think we still have a chance to include this fix in rhel6.6?

Thanks,
Qunfang

Comment 16 Ademar Reis 2014-09-01 22:51:14 UTC
(In reply to Qunfang Zhang from comment #15)
> Hi, Ademar and Gerd
> 
> Thanks for replying this bug so quick. Do you think we still have a chance
> to include this fix in rhel6.6? 
> 

Yes, I think we should try it, at least to fix the segfault in qemu-kvm (it's a small patch).

Comment 17 Qunfang Zhang 2014-09-02 00:57:21 UTC
Thanks for the reply.

Comment 18 Gerd Hoffmann 2014-09-02 09:01:50 UTC
pull request sent, upstream commit id will most likely be 503b3b33feca818baa4459aba286e54a528e5567

Comment 19 Gerd Hoffmann 2014-09-02 10:21:38 UTC
patches posted.

Comment 20 Jeff Nelson 2014-09-08 06:34:37 UTC
Fix included in qemu-kvm-0.12.1.2-2.443.el6

Comment 21 Jeff Nelson 2014-09-08 06:36:33 UTC
Fix included in qemu-kvm-0.12.1.2-2.444.el6

Comment 23 mazhang 2014-09-09 06:22:45 UTC
Reproduce this bug on qemu-kvm-0.12.1.2-2.429.el6.x86_64.

Host:
qemu-kvm-debuginfo-0.12.1.2-2.429.el6.x86_64
qemu-img-0.12.1.2-2.429.el6.x86_64
qemu-kvm-0.12.1.2-2.429.el6.x86_64
gpxe-roms-qemu-0.9.7-6.11.el6.noarch
qemu-kvm-tools-0.12.1.2-2.429.el6.x86_64
kernel-2.6.32-500.el6.x86_64

Guest:
RHEL-6.5 GA (RHEL6.6 guest can't reproduce this bug)

Cli:
/usr/libexec/qemu-kvm -M rhel6.0.0 -cpu SandyBridge -enable-kvm -m 4096 -realtime mlock=off -smp 4,sockets=2,cores=2,threads=1,maxcpus=160 -nodefconfig -nodefaults -monitor stdio -name test-all-qemu-kvm  -drive file=/home/RHEL-Server-6.6-64-1.qcow2,if=none,id=drive-scsi-disk,format=qcow2,cache=none,werror=stop,rerror=stop -device ide-drive,drive=drive-scsi-disk,id=disk -vnc :0 -vga qxl

Result:
qemu-kvm segmentation fault.
#0  0x00007ffff489aa41 in memcpy () from /lib64/libc.so.6
#1  0x00007ffff7f6d532 in qxl_blit (qxl=0x7ffff9c9b840) at /usr/include/bits/string3.h:52
#2  qxl_render_update_area_unlocked (qxl=0x7ffff9c9b840) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qxl-render.c:144
#3  0x00007ffff7f6d6f8 in qxl_render_update_area_bh (opaque=0x7ffff9c9b840)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qxl-render.c:186
#4  0x00007ffff7df1f11 in qemu_bh_poll () at /usr/src/debug/qemu-kvm-0.12.1.2/async.c:70
#5  0x00007ffff7dba039 in main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4098
#6  0x00007ffff7ddd2fa in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2258
#7  0x00007ffff7dbccf0 in main_loop (argc=26, argv=<value optimized out>, envp=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4268
#8  main (argc=26, argv=<value optimized out>, envp=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6711


Verify this bug on qemu-kvm-0.12.1.2-2.444.el6.x86_64.

Host:
qemu-kvm-tools-0.12.1.2-2.444.el6.x86_64
qemu-img-0.12.1.2-2.444.el6.x86_64
qemu-kvm-0.12.1.2-2.444.el6.x86_64
gpxe-roms-qemu-0.9.7-6.11.el6.noarch
qemu-kvm-debuginfo-0.12.1.2-2.444.el6.x86_64
kernel-2.6.32-500.el6.x86_64

Guest:
RHEL-6.5 GA

Cli:
/usr/libexec/qemu-kvm -M rhel6.0.0 -cpu SandyBridge -enable-kvm -m 4096 -realtime mlock=off -smp 4,sockets=2,cores=2,threads=1,maxcpus=160 -nodefconfig -nodefaults -monitor stdio -name test-all-qemu-kvm  -drive file=/home/RHEL-Server-6.6-64-1.qcow2,if=none,id=drive-scsi-disk,format=qcow2,cache=none,werror=stop,rerror=stop -device ide-drive,drive=drive-scsi-disk,id=disk -vnc :0 -vga qxl

Result:
1. Qemu-kvm works well.
2. Guest works well except that the mouse is missing (since qxl + vnc is not officially supported, I will not file a bug).

So this bug has been fixed.

Comment 26 errata-xmlrpc 2014-10-14 06:58:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1490.html

