Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1095612

Summary: Machine type rhel6.0.0 & -vga qxl & vnc cause qemu-kvm core dump
Product: Red Hat Enterprise Linux 6 Reporter: FuXiangChun <xfu>
Component: qemu-kvmAssignee: Gerd Hoffmann <kraxel>
Status: CLOSED ERRATA QA Contact: Virtualization Bugs <virt-bugs>
Severity: high Docs Contact:
Priority: high    
Version: 6.6CC: bsarathy, chayang, djasa, huding, jen, juzhang, kraxel, lmiksik, mazhang, michen, mkenneth, qzhang, rbalakri, shu, virt-maint
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: qemu-kvm-0.12.1-2.2.444.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1135372 (view as bug list) Environment:
Last Closed: 2014-10-14 06:58:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description FuXiangChun 2014-05-08 07:46:09 UTC 
Description of problem:
Boot RHEL6.5 guest with machine type rhel6.0.0 & -vga qxl & vnc.  qemu-kvm core dump when guest load GUI(run level 5).

Notes:
1.Machine type rhel6.1.0 ~ rhel6.5.0 don't hit this issue(rhel6.0.0 only).

2.runlevel 3 don't hit this bug(runlevel 5 only)

3.rhel6.0.0 & -vga qxl & spice don't this  issue(rhel6.0.0 & -vga qxl & vnc only).

Question:
For windows guest.  Fail to load qxl driver when booting guest with machine type rhel6.0.0. Are they the same issue?  If not, Do QE need to file another bug to track it?

Version-Release number of selected component (if applicable):
kernel:
2.6.32-459.el6.x86_64
qemu-kvm qemu-kvm-0.12.1.2-2.424.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1.Boot rhel6.5 guest
/usr/libexec/qemu-kvm -M rhel6.0.0 -cpu SandyBridge -enable-kvm -m 4096 -realtime mlock=off -smp 4,sockets=2,cores=2,threads=1,maxcpus=160 -nodefconfig -nodefaults -monitor stdio -name test-all-qemu-kvm  -drive file=/home/juli/RHEL-Server-6.5-64-virtio.qcow2,if=none,id=drive-scsi-disk,format=qcow2,cache=none,werror=stop,rerror=stop -device ide-drive,drive=drive-scsi-disk,id=disk -vnc :12 -vga qxl

2.
3.

Actual results:
(gdb) bt
#0  0x00007ffff4ce9a31 in memcpy () from /lib64/libc.so.6
#1  0x00007ffff7f70bbb in qxl_blit (qxl=0x7ffff9c98840) at /usr/include/bits/string3.h:52
#2  qxl_render_update_area_unlocked (qxl=0x7ffff9c98840) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qxl-render.c:139
#3  0x00007ffff7f70e0b in qxl_render_update (qxl=0x7ffff9c98840) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qxl-render.c:161
#4  0x00007ffff7e78af4 in vnc_refresh (opaque=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vnc.c:2513
#5  0x00007ffff7e78e35 in vnc_init_timer (vd=0x7ffff9cd12a0, csock=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vnc.c:2544
#6  vnc_connect (vd=0x7ffff9cd12a0, csock=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vnc.c:2595
#7  0x00007ffff7e79626 in vnc_listen_read (opaque=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vnc.c:2611
#8  0x00007ffff7dc741b in main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4053
#9  0x00007ffff7dea44a in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2245
#10 0x00007ffff7dca2d9 in main_loop (argc=26, argv=<value optimized out>, envp=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4266
#11 main (argc=26, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6644

Expected results:


Additional info:
I tested qemu-kvm-0.12.1.2-2.424.el6.x86_64 and qemu-kvm-0.12.1.2-2.415.el6.x86_64.  Both hit this issue.  so may not be a regression bug.
Comment 2 Gerd Hoffmann 2014-06-10 12:26:58 UTC 
http://patchwork.ozlabs.org/patch/357904/
Comment 3 Gerd Hoffmann 2014-07-02 09:47:27 UTC 
upstream commit 788fbf042fc6d5aaeab56757e6dad622ac5f0c21
Comment 4 Gerd Hoffmann 2014-07-02 10:26:49 UTC 
patches posted.
Comment 6 Jeff Nelson 2014-07-08 17:40:18 UTC 
Fix included in qemu-kvm-0.12.1.2-2.430.el6
Comment 8 Shaolong Hu 2014-07-21 06:08:24 UTC 
[root@localhost ~]# rpm -q qemu-kvm
qemu-kvm-0.12.1.2-2.429.el6.x86_64

[root@localhost ~]# /usr/libexec/qemu-kvm -M rhel6.0.0 -cpu SandyBridge -enable-kvm -m 4096 -realtime mlock=off -smp 4,sockets=2,cores=2,threads=1,maxcpus=160 -nodefconfig -nodefaults -monitor stdio -name test-all-qemu-kvm  -drive file=nfs/RHEL-Server-6.6-64-virtio.qcow2,if=none,id=drive-scsi-disk,format=qcow2,cache=none,werror=stop,rerror=stop -device virtio-blk-pci,drive=drive-scsi-disk,id=disk -vnc :12 -vga qxl
QEMU 0.12.1 monitor - type 'help' for more information
(qemu) Segmentation fault (core dumped)


Verified on qemu-kvm-0.12.1.2-2.430.el6.x86_64, no crash.
Comment 9 Qunfang Zhang 2014-08-27 09:25:22 UTC 
During the bug re-verification work for rhel6.6, I still could reproduce the bug on the following version:

kernel-2.6.32-498.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.441.el6.x86_64
spice-server-0.12.4-11.el6.x86_64

And also I tried the following version, all could reproduce the bug. 

qemu-kvm-rhev-0.12.1.2-2.428.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.430.el6.x86_64

Re-test with "-M rhel6.1.0", could not reproduce. The issue still happens on "-M rhel6.0.0". 

Command line: 
Same as comment 8.

(gdb) r  -M rhel6.0.0 -cpu SandyBridge -enable-kvm -m 4096 -realtime mlock=off -smp 4,sockets=2,cores=2,threads=1,maxcpus=160 -nodefconfig -nodefaults -monitor stdio -name test-all-qemu-kvm  -drive file=/root/RHEL-Server-6.6-64-virtio.qcow2,if=none,id=drive-scsi-disk,format=qcow2,cache=none,werror=stop,rerror=stop -device virtio-blk-pci,drive=drive-scsi-disk,id=disk -vnc :12 -vga qxl
Starting program: /usr/libexec/qemu-kvm -M rhel6.0.0 -cpu SandyBridge -enable-kvm -m 4096 -realtime mlock=off -smp 4,sockets=2,cores=2,threads=1,maxcpus=160 -nodefconfig -nodefaults -monitor stdio -name test-all-qemu-kvm  -drive file=/root/RHEL-Server-6.6-64-virtio.qcow2,if=none,id=drive-scsi-disk,format=qcow2,cache=none,werror=stop,rerror=stop -device virtio-blk-pci,drive=drive-scsi-disk,id=disk -vnc :12 -vga qxl
[Thread debugging using libthread_db enabled]
[New Thread 0x7fffeeb6c700 (LWP 13540)]
QEMU 0.12.1 monitor - type 'help' for more information
(qemu) 
(qemu) 
(qemu) [New Thread 0x7ffecfbfd700 (LWP 13547)]
(qemu) 
(qemu) 
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff48ad9b7 in memcpy () from /lib64/libc.so.6

(gdb) bt
#0  0x00007ffff48ad9b7 in memcpy () from /lib64/libc.so.6
#1  0x00007ffff7f6abac in qxl_blit (qxl=0x7ffff9c9d840)
    at /usr/include/bits/string3.h:52
#2  qxl_render_update_area_unlocked (qxl=0x7ffff9c9d840)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qxl-render.c:146
#3  0x00007ffff7f6adb8 in qxl_render_update_area_bh (opaque=0x7ffff9c9d840)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qxl-render.c:188
#4  0x00007ffff7de7101 in qemu_bh_poll ()
    at /usr/src/debug/qemu-kvm-0.12.1.2/async.c:70
#5  0x00007ffff7daecb9 in main_loop_wait (timeout=1000)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4098
#6  0x00007ffff7dd24ea in kvm_main_loop ()
    at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2258
#7  0x00007ffff7db3767 in main_loop (argc=<value optimized out>, 
    argv=<value optimized out>, envp=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4268
#8  main (argc=<value optimized out>, argv=<value optimized out>, 
    envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6725
(gdb)
Comment 10 Qunfang Zhang 2014-08-27 09:26:03 UTC 
According to comment 9, re-assign this bug. :(
Comment 11 Qunfang Zhang 2014-08-27 10:28:20 UTC 
In the unfixed version qemu-kvm-rhev-0.12.1.2-2.428.el6.x86_64:

Guest core dump at once after guest boot up. (Have not login guest)

In the fixed or latest version:

Guest core dump after login guest and wait for a few seconds. (I wait for about 5s ~ 10s).
Comment 12 Gerd Hoffmann 2014-08-29 07:34:43 UTC 
(gdb) up
#1  0x00007f437ce7a016 in memcpy (__len=16, __src=0x7f43183d3cb4, __dest=<optimized out>)
    at /usr/include/bits/string3.h:51
51        return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
(gdb) up
#2  qxl_blit (rect=0x7f437e23b310, qxl=0x7f437e2299b0)
    at /home/kraxel/rhel/7/qemu-kvm/hw/display/qxl-render.c:51
51              memcpy(dst, src, len);
(gdb) print *rect
$1 = {top = -7, left = 1069, bottom = 0, right = 1073}

We get dirty rectangles with negative values from spice-server.  Oops.
Comment 13 Gerd Hoffmann 2014-08-29 07:39:44 UTC 
http://patchwork.ozlabs.org/patch/384069/
Comment 14 Gerd Hoffmann 2014-08-29 08:10:47 UTC 
Oops, patch screwed up.   New one:
http://patchwork.ozlabs.org/patch/384079/
Comment 15 Qunfang Zhang 2014-09-01 03:04:57 UTC 
Hi, Ademar and Gerd

Thanks for replying this bug so quick. Do you think we still have a chance to include this fix in rhel6.6? 

Thanks,
Qunfang
Comment 16 Ademar Reis 2014-09-01 22:51:14 UTC 
(In reply to Qunfang Zhang from comment #15)
> Hi, Ademar and Gerd
> 
> Thanks for replying this bug so quick. Do you think we still have a chance
> to include this fix in rhel6.6? 
> 

Yes, I think we should try it, at least fix the segfault in qemu-kvm (it's a small patch)
Comment 17 Qunfang Zhang 2014-09-02 00:57:21 UTC 
Thanks for the reply.
Comment 18 Gerd Hoffmann 2014-09-02 09:01:50 UTC 
pull request sent, upstream commit id will most likely be 503b3b33feca818baa4459aba286e54a528e5567
Comment 19 Gerd Hoffmann 2014-09-02 10:21:38 UTC 
patches posted.
Comment 20 Jeff Nelson 2014-09-08 06:34:37 UTC 
Fix included in qemu-kvm-0.12.1.2-2.443.el6
Comment 21 Jeff Nelson 2014-09-08 06:36:33 UTC 
Fix included in qemu-kvm-0.12.1.2-2.444.el6
Comment 23 mazhang 2014-09-09 06:22:45 UTC 
Reproduce this bug on qemu-kvm-0.12.1.2-2.429.el6.x86_64.

Host:
qemu-kvm-debuginfo-0.12.1.2-2.429.el6.x86_64
qemu-img-0.12.1.2-2.429.el6.x86_64
qemu-kvm-0.12.1.2-2.429.el6.x86_64
gpxe-roms-qemu-0.9.7-6.11.el6.noarch
qemu-kvm-tools-0.12.1.2-2.429.el6.x86_64
kernel-2.6.32-500.el6.x86_64

Guest:
RHEL-6.5 GA (RHEL6.6 guest can't reproduce this bug)

Cli:
/usr/libexec/qemu-kvm -M rhel6.0.0 -cpu SandyBridge -enable-kvm -m 4096 -realtime mlock=off -smp 4,sockets=2,cores=2,threads=1,maxcpus=160 -nodefconfig -nodefaults -monitor stdio -name test-all-qemu-kvm  -drive file=/home/RHEL-Server-6.6-64-1.qcow2,if=none,id=drive-scsi-disk,format=qcow2,cache=none,werror=stop,rerror=stop -device ide-drive,drive=drive-scsi-disk,id=disk -vnc :0 -vga qxl

Result:
qemu-kvm segmentation fault.
#0  0x00007ffff489aa41 in memcpy () from /lib64/libc.so.6
#1  0x00007ffff7f6d532 in qxl_blit (qxl=0x7ffff9c9b840) at /usr/include/bits/string3.h:52
#2  qxl_render_update_area_unlocked (qxl=0x7ffff9c9b840) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qxl-render.c:144
#3  0x00007ffff7f6d6f8 in qxl_render_update_area_bh (opaque=0x7ffff9c9b840)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qxl-render.c:186
#4  0x00007ffff7df1f11 in qemu_bh_poll () at /usr/src/debug/qemu-kvm-0.12.1.2/async.c:70
#5  0x00007ffff7dba039 in main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4098
#6  0x00007ffff7ddd2fa in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2258
#7  0x00007ffff7dbccf0 in main_loop (argc=26, argv=<value optimized out>, envp=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4268
#8  main (argc=26, argv=<value optimized out>, envp=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6711


Verify this bug on qemu-kvm-0.12.1.2-2.444.el6.x86_64.

Host:
qemu-kvm-tools-0.12.1.2-2.444.el6.x86_64
qemu-img-0.12.1.2-2.444.el6.x86_64
qemu-kvm-0.12.1.2-2.444.el6.x86_64
gpxe-roms-qemu-0.9.7-6.11.el6.noarch
qemu-kvm-debuginfo-0.12.1.2-2.444.el6.x86_64
kernel-2.6.32-500.el6.x86_64

Guest:
RHEL-6.5 GA

Cli:
/usr/libexec/qemu-kvm -M rhel6.0.0 -cpu SandyBridge -enable-kvm -m 4096 -realtime mlock=off -smp 4,sockets=2,cores=2,threads=1,maxcpus=160 -nodefconfig -nodefaults -monitor stdio -name test-all-qemu-kvm  -drive file=/home/RHEL-Server-6.6-64-1.qcow2,if=none,id=drive-scsi-disk,format=qcow2,cache=none,werror=stop,rerror=stop -device ide-drive,drive=drive-scsi-disk,id=disk -vnc :0 -vga qxl

Result:
1. Qemu-kvm works well.
2. Guest works well except mouse missing, (since qxl + vnc not support officially, so will not file bug).

So this bug has been fixed.
Comment 26 errata-xmlrpc 2014-10-14 06:58:39 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1490.html