Bug 1264356 - spice qemu seg fault when rhel7 gdm login window appeared
Summary: spice qemu seg fault when rhel7 gdm login window appeared
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: spice
Version: 7.2
Hardware: x86_64
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Christophe Fergeau
QA Contact: SPICE QE bug list
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-09-18 09:34 UTC by Xiaoqing Wei
Modified: 2016-11-04 03:43 UTC
CC List: 5 users

Fixed In Version: spice-0.12.4-17.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 03:43:35 UTC
Target Upstream Version:
Embargoed:


Attachments
crash dump (15.00 MB, application/x-xz), 2015-09-21 03:23 UTC, Xiaoqing Wei
crash dump (15.00 MB, application/octet-stream), 2015-09-21 03:33 UTC, Xiaoqing Wei
crash dump (6.48 MB, application/octet-stream), 2015-09-21 03:35 UTC, Xiaoqing Wei


Links
System ID: Red Hat Product Errata RHBA-2016:2324
Private: no
Priority: normal
Status: SHIPPED_LIVE
Summary: spice bug fix and enhancement update
Last Updated: 2016-11-03 13:43:33 UTC

Description Xiaoqing Wei 2015-09-18 09:34:08 UTC
Description of problem:
spice qemu seg fault when rhel7 gdm login window appeared

Version-Release number of selected component (if applicable):
kernel-3.10.0-315.el7.x86_64
qemu-kvm-rhev-2.3.0-23.el7.x86_64
spice-server-0.12.4-14.el7.x86_64


How reproducible:
100%

Steps to Reproduce:
1.
/usr/libexec/qemu-kvm -name rhel -S -machine pc-i440fx-rhel7.2.0,accel=kvm,usb=off -cpu Broadwell,+mpx,+rtm,+hle -m 4096 -realtime mlock=off -smp 4,sockets=4,cores=1,threads=1 -uuid 76bec40c-cb32-4af5-9408-fb306efa6722 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/tmp/rhel.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=discard -no-hpet -no-shutdown -global PIIX4_PM.disable_s3=1 -global PIIX4_PM.disable_s4=1 -boot strict=on -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x6.0x7 -device ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pci.0,multifunction=on,addr=0x6 -device ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pci.0,addr=0x6.0x1 -device ich9-usb-uhci3,masterbus=usb.0,firstport=4,bus=pci.0,addr=0x6.0x2 -device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x8 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x5 -drive file=/home/20G.qcow2,if=none,id=drive-scsi0-0-0-0,format=qcow2,cache=none,aio=native -device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bootindex=1 -netdev tap,id=hostnet0 -device e1000,netdev=hostnet0,id=net0,mac=52:54:00:36:ff:9a,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -spice port=5901,addr=0.0.0.0,disable-ticketing,image-compression=off,seamless-migration=on -device qxl-vga,id=video0,ram_size=67108864,vram_size=67108864,vgamem_mb=16,bus=pci.0,addr=0x2 -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -chardev spicevmc,id=charredir0,name=usbredir -device usb-redir,chardev=charredir0,id=redir0 -chardev spicevmc,id=charredir1,name=usbredir -device usb-redir,chardev=charredir1,id=redir1 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7 -msg timestamp=on -monitor stdio

2. remote-viewer spice://skylake:5901
3. wait till guest gdm login window, and qemu crash

Actual results:
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/libexec/qemu-kvm -name rhel -S -machine pc-i440fx-rhel7.2.0,accel=kvm,usb='.
Program terminated with signal 6, Aborted.
#0  0x00007f525b18a5f7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) bt
#0  0x00007f525b18a5f7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007f525b18bce8 in __GI_abort () at abort.c:90
#2  0x00007f525c1b926c in spice_logv (log_domain=0x7f525c22f826 "Spice", 
    log_level=SPICE_LOG_LEVEL_CRITICAL, strloc=0x7f525c234bc9 "red_memslots.c:94", 
    function=0x7f525c234d4f <__FUNCTION__.19486> "validate_virt", 
    format=0x7f525c234a58 "virtual address out of range\n    virt=0x%lx+0x%x slot_id=%d group_id=%d\n    slot=0x%lx-0x%lx delta=0x%lx", args=args@entry=0x7f51465fe410) at log.c:109
#3  0x00007f525c1b93c5 in spice_log (log_domain=log_domain@entry=0x7f525c22f826 "Spice", 
    log_level=log_level@entry=SPICE_LOG_LEVEL_CRITICAL, 
    strloc=strloc@entry=0x7f525c234bc9 "red_memslots.c:94", 
    function=function@entry=0x7f525c234d4f <__FUNCTION__.19486> "validate_virt", 
    format=format@entry=0x7f525c234a58 "virtual address out of range\n    virt=0x%lx+0x%x slot_id=%d group_id=%d\n    slot=0x%lx-0x%lx delta=0x%lx") at log.c:123
#4  0x00007f525c177521 in validate_virt (info=<optimized out>, virt=4398114144256, slot_id=0, 
    add_size=20, group_id=1) at red_memslots.c:90
#5  0x00007f525c17763b in get_virt (info=info@entry=0x7f5265d15598, addr=<optimized out>, 
    add_size=add_size@entry=20, group_id=group_id@entry=1, error=error@entry=0x7f51465fe5c4)
    at red_memslots.c:142
#6  0x00007f525c177bad in red_get_data_chunks_ptr (slots=slots@entry=0x7f5265d15598, 
    group_id=group_id@entry=1, memslot_id=<optimized out>, red=0x7f5264de5840, red@entry=0x7f51465fe630, 
    qxl=qxl@entry=0x7f514bc5e004) at red_parse_qxl.c:107
#7  0x00007f525c177dfa in red_get_clip_rects (slots=slots@entry=0x7f5265d15598, 
    group_id=group_id@entry=1, addr=72057594059284480) at red_parse_qxl.c:270
#8  0x00007f525c17956f in red_get_clip_ptr (qxl=0x7f514bc7722f, red=0x7f5264d8d000, group_id=1, 
    slots=0x7f5265d15598) at red_parse_qxl.c:913
#9  red_get_native_drawable (flags=0, addr=<optimized out>, red=0x7f5264d8cfc0, group_id=1, 
    slots=0x7f5265d15598) at red_parse_qxl.c:941
#10 red_get_drawable (slots=0x7f5265d15598, group_id=1, red=0x7f5264d8cfc0, addr=<optimized out>, flags=0)
    at red_parse_qxl.c:1105
#11 0x00007f525c18d6e2 in red_process_commands (worker=worker@entry=0x7f5265b40000, 
    ring_is_empty=ring_is_empty@entry=0x7f51465fe894, max_pipe_size=50) at red_worker.c:5228
#12 0x00007f525c191913 in handle_dev_oom (opaque=0x7f5265b40000, payload=<optimized out>)
    at red_worker.c:11591
#13 0x00007f525c174523 in dispatcher_handle_single_read (dispatcher=0x7f5264d24a48) at dispatcher.c:139
#14 dispatcher_handle_recv_read (dispatcher=0x7f5264d24a48) at dispatcher.c:162
#15 0x00007f525c198315 in red_worker_main (arg=<optimized out>) at red_worker.c:12266
#16 0x00007f5261660dc5 in start_thread (arg=0x7f51465ff700) at pthread_create.c:308
#17 0x00007f525b24b1cd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113
(gdb) q


Expected results:

qemu should not crash.

Additional info:

Comment 1 Xiaoqing Wei 2015-09-18 10:01:54 UTC
Tried downgrading to spice-server-0.12.4-9.el7.x86_64; still reproducible.

Comment 3 Fabiano Fidêncio 2015-09-18 10:12:44 UTC
Are you able to reproduce the problem using virsh or virt-manager to start the virtual machine?

Digging into the QEMU command line trying to find if there is something wrong there (or already tweaked from a standard one) is not exactly a simple task.

Comment 4 Xiaoqing Wei 2015-09-18 10:23:50 UTC
Downgrading to the 7.1 GA qemu is also still reproducible:
qemu-kvm-rhev-2.1.2-23.el7.x86_64
spice-server-0.12.4-14.el7.x86_64

Not a regression.

Comment 5 Xiaoqing Wei 2015-09-18 10:26:39 UTC
(In reply to Fabiano Fidêncio from comment #3)
> Are you able to reproduce the problem using virsh or virt-manager to start
> the virtual machine?
> 

Yes, the cli was copied from /var/log/libvirt



> Digging into the QEMU command line trying to find if there is something
> wrong there (or already tweaked from a standard one) is not exactly a simple
> task.

Well, tweaking libvirt XML isn't an easy task for me either :(

FYI,

the vm definition which met this issue is as below:
[root@intel-skylake-dh-01 ~]# virsh dumpxml rhel
<domain type='kvm'>
  <name>rhel</name>
  <uuid>76bec40c-cb32-4af5-9408-fb306efa6722</uuid>
  <memory unit='KiB'>4194304</memory>
  <currentMemory unit='KiB'>4194304</currentMemory>
  <vcpu placement='static'>4</vcpu>
  <os>
    <type arch='x86_64' machine='pc-i440fx-rhel7.2.0'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
  </features>
  <cpu mode='custom' match='exact'>
    <model fallback='allow'>Broadwell</model>
    <feature policy='force' name='mpx'/>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' cache='none' io='native'/>
      <source file='/home/20G.qcow2'/>
      <target dev='sda' bus='scsi'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <controller type='usb' index='0' model='ich9-ehci1'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x7'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci1'>
      <master startport='0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0' multifunction='on'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci2'>
      <master startport='2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x1'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci3'>
      <master startport='4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'/>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </controller>
    <controller type='scsi' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
    </controller>
    <interface type='bridge'>
      <mac address='52:54:00:36:ff:9a'/>
      <source bridge='switch'/>
      <model type='e1000'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='spice' autoport='yes'>
      <image compression='off'/>
    </graphics>
    <sound model='ich6'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </sound>
    <video>
      <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <redirdev bus='usb' type='spicevmc'>
    </redirdev>
    <redirdev bus='usb' type='spicevmc'>
    </redirdev>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
    </memballoon>
  </devices>
</domain>

Comment 6 Xiaoqing Wei 2015-09-21 03:23:41 UTC
Created attachment 1075379 [details]
crash dump

Comment 7 Xiaoqing Wei 2015-09-21 03:33:54 UTC
Created attachment 1075380 [details]
crash dump

Comment 8 Xiaoqing Wei 2015-09-21 03:35:41 UTC
Created attachment 1075381 [details]
crash dump

Comment 9 Xiaoqing Wei 2015-09-21 04:24:23 UTC
cat bz1264356.tar.xz-aa bz1264356.tar.xz-ab bz1264356.tar.xz-ac > bz1264356.tar.xz

Comment 11 Frediano Ziglio 2016-02-17 15:38:05 UTC
The spice_critical in server/memslot.c (spice_critical("virtual address out of range\n")) should be demoted to spice_warning, as it could be easily triggered from the client.
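
The security-relevant point of the backtrace above: validate_virt() runs on an address taken straight from a guest-written QXL command, and a failed range check ends in spice_critical(), which abort()s the whole QEMU process. The following is an added illustration in C, not spice-server's own code, of the shape the check takes once the failure is reported to the caller instead of aborting: the command is logged with a warning and dropped, and the host process keeps serving the guest. The address layout (generation in the top bits, slot id below it, offset in the low bits), the field and function names, and the slot table are assumptions chosen for this example; add_size=20 is the value seen in the backtrace.

```c
/*
 * Added example, not spice-server's own code. A guest-supplied QXL address
 * is translated to a host pointer only after a bounds check, and a failed
 * check is returned to the caller rather than aborting the QEMU process.
 * Address layout, names and slot contents below are assumptions for the demo.
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MEMSLOT_GEN_BITS    8
#define MEMSLOT_ID_BITS     8
#define MEMSLOT_OFFSET_BITS (64 - MEMSLOT_GEN_BITS - MEMSLOT_ID_BITS)
#define MAX_MEMSLOTS        (1u << MEMSLOT_ID_BITS)

typedef uint64_t QXLPHYSICAL;      /* guest-visible address carried in QXL commands */

typedef struct {
    unsigned generation;           /* bumped each time the slot is re-registered */
    uint64_t virt_start;           /* first valid host virtual address */
    uint64_t virt_end;             /* one past the last valid host address */
    uint64_t address_delta;        /* host virtual = guest offset + address_delta */
} MemSlot;

typedef struct {
    MemSlot  slots[MAX_MEMSLOTS];
    unsigned num_slots;
} MemSlotInfo;

typedef enum {
    VIRT_OK = 0,
    VIRT_BAD_SLOT,                 /* slot id beyond the registered slots */
    VIRT_BAD_GENERATION,           /* stale address from an earlier registration */
    VIRT_OVERFLOW,                 /* address arithmetic would wrap around */
    VIRT_OUT_OF_RANGE              /* [virt, virt+add_size) is not inside the slot */
} VirtStatus;

static unsigned qxl_generation(QXLPHYSICAL a) { return (unsigned)(a >> (64 - MEMSLOT_GEN_BITS)); }
static unsigned qxl_slot_id(QXLPHYSICAL a)    { return (unsigned)(a >> MEMSLOT_OFFSET_BITS) & (MAX_MEMSLOTS - 1); }
static uint64_t qxl_offset(QXLPHYSICAL a)     { return a & ((UINT64_C(1) << MEMSLOT_OFFSET_BITS) - 1); }

/* Validate and translate add_size bytes at guest address addr. On success *out
 * receives the host virtual address; on failure *out is untouched and the
 * reason is returned. Nothing in here can abort the process. */
VirtStatus get_virt_checked(const MemSlotInfo *info, QXLPHYSICAL addr,
                            uint32_t add_size, uint64_t *out)
{
    unsigned slot_id = qxl_slot_id(addr);
    if (slot_id >= info->num_slots)
        return VIRT_BAD_SLOT;

    const MemSlot *slot = &info->slots[slot_id];
    if (qxl_generation(addr) != slot->generation)
        return VIRT_BAD_GENERATION;

    uint64_t off  = qxl_offset(addr);
    uint64_t virt = off + slot->address_delta;
    if (virt < off || virt + add_size < virt)      /* either addition wrapped */
        return VIRT_OVERFLOW;
    if (virt < slot->virt_start || virt + add_size > slot->virt_end)
        return VIRT_OUT_OF_RANGE;

    *out = virt;
    return VIRT_OK;
}

/* Caller side: a bad clip-rect chunk address in one drawable is logged as a
 * warning and that drawable is dropped; the guest keeps running. */
bool process_clip_rects(const MemSlotInfo *info, QXLPHYSICAL clip_addr)
{
    uint64_t host;
    VirtStatus st = get_virt_checked(info, clip_addr, 20, &host);   /* 20 = add_size in the backtrace */
    if (st != VIRT_OK) {
        fprintf(stderr, "warning: dropping drawable, bad clip address 0x%" PRIx64 " (status %d)\n",
                (uint64_t)clip_addr, (int)st);
        return false;
    }
    /* ... parse the QXLDataChunk at `host` ... */
    return true;
}

/* Build a guest address from its parts (constructed helper for the demo). */
QXLPHYSICAL make_qxl_addr(unsigned gen, unsigned slot_id, uint64_t offset)
{
    return ((QXLPHYSICAL)gen << (64 - MEMSLOT_GEN_BITS))
         | ((QXLPHYSICAL)slot_id << MEMSLOT_OFFSET_BITS)
         | qxl_offset(offset);
}

/* Constructed slot table: slot 0 is 64 MiB of guest RAM mapped at host address
 * 0x7f0000000000; slot 1 sits at the top of the address space so that an
 * in-slot offset plus add_size wraps around. */
MemSlotInfo sample_slots(void)
{
    MemSlotInfo info = {0};
    info.num_slots = 2;
    info.slots[0].generation    = 1;
    info.slots[0].virt_start    = 0x7f0000000000ULL;
    info.slots[0].virt_end      = 0x7f0000000000ULL + (64u << 20);
    info.slots[0].address_delta = 0x7f0000000000ULL;
    info.slots[1].generation    = 1;
    info.slots[1].virt_start    = UINT64_MAX - 0x10000;
    info.slots[1].virt_end      = UINT64_MAX;
    info.slots[1].address_delta = UINT64_MAX - 0x1000;
    return info;
}

int main(void)
{
    MemSlotInfo info = sample_slots();
    printf("valid chunk:   %s\n", process_clip_rects(&info, make_qxl_addr(1, 0, 0x1000)) ? "processed" : "dropped");
    printf("straddles end: %s\n", process_clip_rects(&info, make_qxl_addr(1, 0, (64u << 20) - 10)) ? "processed" : "dropped");
    printf("wraps around:  %s\n", process_clip_rects(&info, make_qxl_addr(1, 1, 0x1000)) ? "processed" : "dropped");
    return 0;
}
```

The two checks worth keeping in mind when reading red_memslots.c: the wrap-around test must come before the range comparison (otherwise a large add_size can make virt+add_size wrap below virt_end and pass), and the generation test guards against a guest replaying addresses from a memslot that has since been unregistered. Whether the failure is logged as critical or warning is secondary; what removes the guest-triggered host crash is that the caller gets an error and discards the command.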

Comment 13 Mike McCune 2016-03-28 22:37:22 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Comment 18 errata-xmlrpc 2016-11-04 03:43:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2324.html

