Bug 1185750 - qemu crashes when trying to save a VM that has 2097152M vgamem
Summary: qemu crashes when trying to save a VM that has 2097152M vgamem
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.1
Hardware: x86_64
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Radim Krčmář
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-01-26 08:31 UTC by Luyao Huang
Modified: 2015-12-04 16:25 UTC (History)

Fixed In Version: qemu 2.3
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-04 16:25:49 UTC
Target Upstream Version:
Embargoed:




Links
System: Red Hat Product Errata
ID: RHBA-2015:2546
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: qemu-kvm-rhev bug fix and enhancement update
Last Updated: 2015-12-04 21:11:56 UTC

Description Luyao Huang 2015-01-26 08:31:20 UTC
Description of problem:
qemu crashes when trying to save a VM that has 2097152M vgamem

Version-Release number of selected component (if applicable):
libvirt-1.2.8-15.el7.x86_64
qemu-kvm-rhev-2.1.2-20.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
 
1. Prepare a guest that has 2T vgamem and a GUI:

# virsh dumpxml r7

    <graphics type='spice' autoport='yes' listen='127.0.0.1'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>

    <video>
      <model type='qxl' ram='65536' vram='65536' vgamem='2147483648' heads='1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>

2. Start it:

# virsh start r7
Domain r7 started

3. After the guest OS boots up, managedsave the VM; qemu will crash:
# virsh managedsave r7
error: Failed to save domain r7 state
error: operation failed: domain is no longer running

Actual results:
qemu crashes when trying to save a VM that has 2097152M vgamem

Expected results:
no crash

Additional info:

Core was generated by `/usr/libexec/qemu-kvm -name r7 -S -machine pc-i440fx-rhel7.0.0,accel=kvm,usb=of'.
Program terminated with signal 11, Segmentation fault.
#0  vm_state_notify (running=running@entry=0, state=state@entry=RUN_STATE_PAUSED) at vl.c:1714
1714	        e->cb(e->opaque, running, state);
Missing separate debuginfos, use: debuginfo-install alsa-lib-1.0.28-2.el7.x86_64 celt051-0.5.1.3-8.el7.x86_64 flac-libs-1.3.0-4.el7.x86_64 glibc-2.17-75.el7.x86_64 gsm-1.0.13-11.el7.x86_64 json-c-0.11-4.el7_0.x86_64 libICE-1.0.8-7.el7.x86_64 libSM-1.2.1-7.el7.x86_64 libX11-1.6.0-2.1.el7.x86_64 libXau-1.0.8-2.1.el7.x86_64 libXext-1.3.2-2.1.el7.x86_64 libXi-1.7.2-2.1.el7.x86_64 libXtst-1.2.2-2.1.el7.x86_64 libaio-0.3.109-12.el7.x86_64 libasyncns-0.8-7.el7.x86_64 libattr-2.4.46-12.el7.x86_64 libffi-3.0.13-11.el7.x86_64 libibverbs-1.1.8-5.el7.x86_64 libiscsi-1.9.0-6.el7.x86_64 libjpeg-turbo-1.2.90-5.el7.x86_64 libogg-1.3.0-7.el7.x86_64 libpng-1.5.13-5.el7.x86_64 librdmacm-1.0.19.1-1.el7.x86_64 libsndfile-1.0.25-9.el7.x86_64 libtasn1-3.8-2.el7.x86_64 libusbx-1.0.15-4.el7.x86_64 libvorbis-1.3.3-8.el7.x86_64 libxcb-1.9-5.el7.x86_64 lzo-2.06-6.el7_0.2.x86_64 pixman-0.32.4-3.el7.x86_64 pulseaudio-libs-3.0-30.el7.x86_64 snappy-1.1.0-3.el7.x86_64 tcp_wrappers-libs-7.6-77.el7.x86_64 trousers-0.3.11.2-3.el7.x86_64 usbredir-0.6-7.el7.x86_64
(gdb) bt
#0  vm_state_notify (running=running@entry=0, state=state@entry=RUN_STATE_PAUSED) at vl.c:1714
#1  0x00007f1570a9d882 in do_vm_stop (state=RUN_STATE_PAUSED) at /usr/src/debug/qemu-2.1.2/cpus.c:543
#2  vm_stop (state=state@entry=RUN_STATE_PAUSED) at /usr/src/debug/qemu-2.1.2/cpus.c:1230
#3  0x00007f1570b8c6d6 in qmp_stop (errp=errp@entry=0x7fffeb8263c0) at qmp.c:98
#4  0x00007f1570b87994 in qmp_marshal_input_stop (mon=<optimized out>, qdict=<optimized out>, ret=<optimized out>) at qmp-marshal.c:2806
#5  0x00007f1570aa08a7 in qmp_call_cmd (cmd=<optimized out>, params=0x7f15722ed2a0, mon=0x7f1572251240) at /usr/src/debug/qemu-2.1.2/monitor.c:5038
#6  handle_qmp_command (parser=<optimized out>, tokens=<optimized out>) at /usr/src/debug/qemu-2.1.2/monitor.c:5104
#7  0x00007f1570cd6f22 in json_message_process_token (lexer=0x7f15722528d0, token=0x7f1572361080, type=JSON_OPERATOR, x=36, y=93) at qobject/json-streamer.c:87
#8  0x00007f1570ce8cdf in json_lexer_feed_char (lexer=lexer@entry=0x7f15722528d0, ch=<optimized out>, flush=flush@entry=false) at qobject/json-lexer.c:303
#9  0x00007f1570ce8dae in json_lexer_feed (lexer=0x7f15722528d0, buffer=<optimized out>, size=<optimized out>) at qobject/json-lexer.c:356
#10 0x00007f1570cd70b9 in json_message_parser_feed (parser=<optimized out>, buffer=<optimized out>, size=<optimized out>) at qobject/json-streamer.c:110
#11 0x00007f1570a9e83f in monitor_control_read (opaque=<optimized out>, buf=<optimized out>, size=<optimized out>) at /usr/src/debug/qemu-2.1.2/monitor.c:5125
#12 0x00007f1570b73e30 in qemu_chr_be_write (len=<optimized out>, buf=0x7fffeb826530 "}\341\030r\025\177", s=0x7f157219a590) at qemu-char.c:213
#13 tcp_chr_read (chan=<optimized out>, cond=<optimized out>, opaque=0x7f157219a590) at qemu-char.c:2729
#14 0x00007f156ee999ba in g_main_dispatch (context=0x7f157218e030) at gmain.c:3061
#15 g_main_context_dispatch (context=context@entry=0x7f157218e030) at gmain.c:3660
#16 0x00007f1570c922d8 in glib_pollfds_poll () at main-loop.c:190
#17 os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:235
#18 main_loop_wait (nonblocking=<optimized out>) at main-loop.c:484
#19 0x00007f1570a760fe in main_loop () at vl.c:2017
#20 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4606

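A pre-flight check for the configuration in the reproducer above, added here as an example and not part of the bug report or of libvirt/QEMU. It parses the qxl `<model>` sizes from a libvirt domain XML (libvirt gives `ram`, `vram` and `vgamem` in KiB), converts them to bytes and flags values that cannot be represented in a 32-bit byte count, which is the shape of failure a framebuffer of 2147483648 KiB (2 TiB) provokes in the address-range arithmetic seen in the backtraces. The 256 MiB ceiling and the 32-bit assumption are the example's own policy choices, labelled as such in the code; the sample XML is constructed from the snippet in the description.

```python
import xml.etree.ElementTree as ET

KIB = 1024
MIB = 1024 * 1024

# Constructed sample: the <video> element from the reproducer in this bug,
# wrapped in a minimal domain skeleton. vgamem='2147483648' KiB is 2 TiB.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>r7</name>
  <devices>
    <video>
      <model type='qxl' ram='65536' vram='65536' vgamem='2147483648' heads='1'/>
    </video>
  </devices>
</domain>"""

# Assumed ceiling for the sanity check (a policy value chosen for this example,
# not a limit taken from this page): anything above 256 MiB of VGA memory is
# flagged for review before the domain is started.
MAX_VGAMEM_MIB = 256


def qxl_video_sizes(domain_xml):
    """Return one dict per qxl <video>/<model>, mapping attribute -> bytes."""
    root = ET.fromstring(domain_xml)
    result = []
    for model in root.iterfind("./devices/video/model"):
        if model.get("type") != "qxl":
            continue
        sizes = {}
        for attr in ("ram", "vram", "vgamem"):
            raw = model.get(attr)
            if raw is not None:
                # libvirt expresses these attributes in KiB
                sizes[attr] = int(raw) * KIB
        result.append(sizes)
    return result


def check_qxl_sizes(sizes, max_vgamem_mib=MAX_VGAMEM_MIB):
    """Return a list of problem strings for one qxl model's size dict."""
    problems = []
    for attr, nbytes in sizes.items():
        # Assumption for this check: the device keeps its memory sizes in
        # 32-bit fields, so a byte count that needs more than 32 bits wraps
        # when the device lays out its regions instead of being rejected.
        if nbytes >= 2 ** 32:
            problems.append(
                f"{attr}={nbytes // KIB}KiB ({nbytes} bytes) does not fit in 32 bits")
        if nbytes % MIB:
            problems.append(f"{attr}={nbytes // KIB}KiB is not a whole number of MiB")
    vgamem = sizes.get("vgamem")
    if vgamem is not None and vgamem > max_vgamem_mib * MIB:
        problems.append(
            f"vgamem={vgamem // MIB}MiB exceeds the assumed ceiling of {max_vgamem_mib}MiB")
    return problems


def check_domain(domain_xml, max_vgamem_mib=MAX_VGAMEM_MIB):
    """Run check_qxl_sizes over every qxl video device in a domain XML."""
    problems = []
    for idx, sizes in enumerate(qxl_video_sizes(domain_xml)):
        for p in check_qxl_sizes(sizes, max_vgamem_mib):
            problems.append(f"video[{idx}]: {p}")
    return problems


if __name__ == "__main__":
    # On the reproducer XML this reports two findings for vgamem; with
    # vgamem='262144' (256 MiB) it reports nothing.
    for line in check_domain(SAMPLE_DOMAIN_XML):
        print(line)
```

Run it against `virsh dumpxml <domain>` output before starting or saving a guest; the same structure works for `ram` and `vram` since all three attributes share the KiB unit and the 32-bit assumption.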
Comment 1 Luyao Huang 2015-01-26 08:38:12 UTC
Sometimes the coredump looks like this:

Core was generated by `/usr/libexec/qemu-kvm -name r7 -S -machine pc-i440fx-rhel7.1.0,accel=kvm,usb=of'.
Program terminated with signal 11, Segmentation fault.
#0  int128_add (b=..., a=...) at /usr/src/debug/qemu-2.1.2/include/qemu/int128.h:75
75	    return (Int128) { lo, (uint64_t)a.hi + b.hi + (lo < a.lo) };
Missing separate debuginfos, use: debuginfo-install alsa-lib-1.0.28-2.el7.x86_64 celt051-0.5.1.3-8.el7.x86_64 flac-libs-1.3.0-4.el7.x86_64 glibc-2.17-75.el7.x86_64 gsm-1.0.13-11.el7.x86_64 json-c-0.11-4.el7_0.x86_64 libICE-1.0.8-7.el7.x86_64 libSM-1.2.1-7.el7.x86_64 libX11-1.6.0-2.1.el7.x86_64 libXau-1.0.8-2.1.el7.x86_64 libXext-1.3.2-2.1.el7.x86_64 libXi-1.7.2-2.1.el7.x86_64 libXtst-1.2.2-2.1.el7.x86_64 libaio-0.3.109-12.el7.x86_64 libasyncns-0.8-7.el7.x86_64 libattr-2.4.46-12.el7.x86_64 libffi-3.0.13-11.el7.x86_64 libibverbs-1.1.8-5.el7.x86_64 libiscsi-1.9.0-6.el7.x86_64 libjpeg-turbo-1.2.90-5.el7.x86_64 libogg-1.3.0-7.el7.x86_64 libpng-1.5.13-5.el7.x86_64 librdmacm-1.0.19.1-1.el7.x86_64 libsndfile-1.0.25-9.el7.x86_64 libtasn1-3.8-2.el7.x86_64 libusbx-1.0.15-4.el7.x86_64 libvorbis-1.3.3-8.el7.x86_64 libxcb-1.9-5.el7.x86_64 lzo-2.06-6.el7_0.2.x86_64 pixman-0.32.4-3.el7.x86_64 pulseaudio-libs-3.0-30.el7.x86_64 snappy-1.1.0-3.el7.x86_64 tcp_wrappers-libs-7.6-77.el7.x86_64 trousers-0.3.11.2-3.el7.x86_64 usbredir-0.6-7.el7.x86_64
(gdb) bt
#0  int128_add (b=..., a=...) at /usr/src/debug/qemu-2.1.2/include/qemu/int128.h:75
#1  int128_addto (b=..., a=<optimized out>) at /usr/src/debug/qemu-2.1.2/include/qemu/int128.h:141
#2  addrrange_shift (delta=..., range=<error reading variable: Cannot access memory at address 0xffffffffffffffff>) at /usr/src/debug/qemu-2.1.2/memory.c:85
#3  address_space_update_ioeventfds (as=as@entry=0x7f2771ba3260 <address_space_io>) at /usr/src/debug/qemu-2.1.2/memory.c:677
#4  0x00007f2771548777 in memory_region_transaction_commit () at /usr/src/debug/qemu-2.1.2/memory.c:815
#5  0x00007f2771549bc2 in memory_region_del_eventfd (mr=mr@entry=0x7f2772a4d428, addr=addr@entry=16, size=size@entry=2, match_data=match_data@entry=true, data=data@entry=0, e=e@entry=0x7f27729cbcf0)
    at /usr/src/debug/qemu-2.1.2/memory.c:1621
#6  0x00007f27716e27f9 in virtio_pci_set_host_notifier_internal (proxy=0x7f2772a4cbe0, n=0, assign=<optimized out>, set_handler=<optimized out>) at hw/virtio/virtio-pci.c:202
#7  0x00007f2771571f11 in vhost_dev_disable_notifiers (hdev=hdev@entry=0x7f27728bd700, vdev=vdev@entry=0x7f2772a4d5b8) at /usr/src/debug/qemu-2.1.2/hw/virtio/vhost.c:964
#8  0x00007f27715691bc in vhost_net_stop_one (net=0x7f27728bd700, dev=0x7f2772a4d5b8) at /usr/src/debug/qemu-2.1.2/hw/net/vhost_net.c:279
#9  0x00007f2771569a3b in vhost_net_stop (dev=dev@entry=0x7f2772a4d5b8, ncs=<optimized out>, total_queues=total_queues@entry=8) at /usr/src/debug/qemu-2.1.2/hw/net/vhost_net.c:357
#10 0x00007f2771565c35 in virtio_net_vhost_status (status=7 '\a', n=0x7f2772a4d5b8) at /usr/src/debug/qemu-2.1.2/hw/net/virtio-net.c:153
#11 virtio_net_set_status (vdev=<optimized out>, status=<optimized out>) at /usr/src/debug/qemu-2.1.2/hw/net/virtio-net.c:165
#12 0x00007f277156dcd8 in virtio_set_status (vdev=0x7f2772a4d5b8, val=<optimized out>) at /usr/src/debug/qemu-2.1.2/hw/virtio/virtio.c:550
#13 0x00007f2771614f2b in vm_state_notify (running=running@entry=0, state=state@entry=RUN_STATE_PAUSED) at vl.c:1714
#14 0x00007f2771535882 in do_vm_stop (state=RUN_STATE_PAUSED) at /usr/src/debug/qemu-2.1.2/cpus.c:543
#15 vm_stop (state=state@entry=RUN_STATE_PAUSED) at /usr/src/debug/qemu-2.1.2/cpus.c:1230
#16 0x00007f27716246d6 in qmp_stop (errp=errp@entry=0x7fff22183bc0) at qmp.c:98
#17 0x00007f277161f994 in qmp_marshal_input_stop (mon=<optimized out>, qdict=<optimized out>, ret=<optimized out>) at qmp-marshal.c:2806
#18 0x00007f27715388a7 in qmp_call_cmd (cmd=<optimized out>, params=0x7f2772a14f90, mon=0x7f27729651c0) at /usr/src/debug/qemu-2.1.2/monitor.c:5038
#19 handle_qmp_command (parser=<optimized out>, tokens=<optimized out>) at /usr/src/debug/qemu-2.1.2/monitor.c:5104
#20 0x00007f277176ef22 in json_message_process_token (lexer=0x7f2772966850, token=0x7f27729e7870, type=JSON_OPERATOR, x=36, y=93) at qobject/json-streamer.c:87
#21 0x00007f2771780cdf in json_lexer_feed_char (lexer=lexer@entry=0x7f2772966850, ch=<optimized out>, flush=flush@entry=false) at qobject/json-lexer.c:303
#22 0x00007f2771780dae in json_lexer_feed (lexer=0x7f2772966850, buffer=<optimized out>, size=<optimized out>) at qobject/json-lexer.c:356
#23 0x00007f277176f0b9 in json_message_parser_feed (parser=<optimized out>, buffer=<optimized out>, size=<optimized out>) at qobject/json-streamer.c:110
#24 0x00007f277153683f in monitor_control_read (opaque=<optimized out>, buf=<optimized out>, size=<optimized out>) at /usr/src/debug/qemu-2.1.2/monitor.c:5125
#25 0x00007f277160be30 in qemu_chr_be_write (len=<optimized out>, buf=0x7fff22183d30 "}\350\212r'\177", s=0x7f27728ae510) at qemu-char.c:213
#26 tcp_chr_read (chan=<optimized out>, cond=<optimized out>, opaque=0x7f27728ae510) at qemu-char.c:2729
#27 0x00007f276f9319ba in g_main_dispatch (context=0x7f27728a1f90) at gmain.c:3061
#28 g_main_context_dispatch (context=context@entry=0x7f27728a1f90) at gmain.c:3660
#29 0x00007f277172a2d8 in glib_pollfds_poll () at main-loop.c:190
#30 os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:235
#31 main_loop_wait (nonblocking=<optimized out>) at main-loop.c:484
#32 0x00007f277150e0fe in main_loop () at vl.c:2017
#33 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4606

Comment 2 Radim Krčmář 2015-07-23 16:10:09 UTC
Fixed by rebase in qemu-kvm-rhev-2.3.0-1.el7.

Comment 4 Xiaoqing Wei 2015-08-03 09:58:58 UTC
kernel-3.10.0-300.el7.x86_64
qemu-kvm-rhev-2.3.0-13.el7.x86_64 - fixed
qemu-kvm-rhev-2.2.0-9.el7.x86_64  - buggy
spice-server-0.12.4-13.el7.x86_64


----------------------------------------------
qemu-kvm-rhev-2.2.0-9.el7.x86_64  - buggy
[root@dhcp-11-50 ~]# virsh edit fstrim
Domain fstrim XML configuration not changed.

[root@dhcp-11-50 ~]# virsh managedsave fstrim
error: Failed to save domain fstrim state
error: Unable to read from monitor: Connection reset by peer

[root@dhcp-11-50 ~]# echo $?
1

==============================================
qemu-kvm-rhev-2.3.0-13.el7.x86_64 - fixed
[root@dhcp-11-50 ~]# virsh start fstrim
Domain fstrim started

[root@dhcp-11-50 ~]# virsh managedsave fstrim

Domain fstrim state saved by libvirt

[root@dhcp-11-50 ~]# echo $?
0


###############################################
xml snip

    <graphics type='spice' port='5900' autoport='yes' listen='0.0.0.0'>
      <listen type='address' address='0.0.0.0'/>
    </graphics>
    <sound model='ich6'>
      <alias name='sound0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </sound>
    <video>
      <model type='qxl' ram='524288' vram='65536' vgamem='262144' heads='1'/>
      <alias name='video0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>




Based on the above, moving to VERIFIED.

Comment 6 errata-xmlrpc 2015-12-04 16:25:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2546.html

