Bug 1264356
| Summary: | spice qemu seg fault when rhel7 gdm login window appeared | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Xiaoqing Wei <xwei> |
| Component: | spice | Assignee: | Christophe Fergeau <cfergeau> |
| Status: | CLOSED ERRATA | QA Contact: | SPICE QE bug list <spice-qe-bugs> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.2 | CC: | dblechte, djasa, juzhang, rduda, tpelka |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | spice-0.12.4-17.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-04 03:43:35 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |

tried downgrade to spice-server-0.12.4-9.el7.x86_64, still reproducible.

Are you able to reproduce the problem using virsh or virt-manager to start the virtual machine?

Digging into the QEMU command line trying to find if there is something wrong there (or already tweaked from a standard one) is not exactly a simple task.

downgrade to 7.1 GA qemu also still reproducible

qemu-kvm-rhev-2.1.2-23.el7.x86_64
spice-server-0.12.4-14.el7.x86_64

not a regression.

(In reply to Fabiano Fidêncio from comment #3)
> Are you able to reproduce the problem using virsh or virt-manager to start
> the virtual machine?
>

Yes, the cli was copied from /var/log/libvirt

> Digging into the QEMU command line trying to find if there is something
> wrong there (or already tweaked from a standard one) is not exactly a simple
> task.

Well, tweaking libvirt xml isn't an easy task for me either :(

FYI, the vm definition which met this issue is as below:

```
[root@intel-skylake-dh-01 ~]# virsh dumpxml rhel
<domain type='kvm'>
  <name>rhel</name>
  <uuid>76bec40c-cb32-4af5-9408-fb306efa6722</uuid>
  <memory unit='KiB'>4194304</memory>
  <currentMemory unit='KiB'>4194304</currentMemory>
  <vcpu placement='static'>4</vcpu>
  <os>
    <type arch='x86_64' machine='pc-i440fx-rhel7.2.0'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
  </features>
  <cpu mode='custom' match='exact'>
    <model fallback='allow'>Broadwell</model>
    <feature policy='force' name='mpx'/>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' cache='none' io='native'/>
      <source file='/home/20G.qcow2'/>
      <target dev='sda' bus='scsi'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <controller type='usb' index='0' model='ich9-ehci1'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x7'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci1'>
      <master startport='0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0' multifunction='on'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci2'>
      <master startport='2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x1'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci3'>
      <master startport='4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'/>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </controller>
    <controller type='scsi' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
    </controller>
    <interface type='bridge'>
      <mac address='52:54:00:36:ff:9a'/>
      <source bridge='switch'/>
      <model type='e1000'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='spice' autoport='yes'>
      <image compression='off'/>
    </graphics>
    <sound model='ich6'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </sound>
    <video>
      <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <redirdev bus='usb' type='spicevmc'>
    </redirdev>
    <redirdev bus='usb' type='spicevmc'>
    </redirdev>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
    </memballoon>
  </devices>
</domain>
```

Created attachment 1075379 [details]
crash dump
Created attachment 1075380 [details]
crash dump
Created attachment 1075381 [details]
crash dump
The spice_critical (server/memslot.c: "spice_critical("virtual address out of range\n"") should be demoted to spice_warning, as it could be easily triggered from the client.
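
An added sketch of the behaviour the comment above asks for (not SPICE's code and not part of the original report): a range check on a guest-supplied address that logs a warning and returns failure instead of aborting the host process. The struct, function names and slot bounds are hypothetical; only the `virt` value and the `add_size` of 20 come from the backtrace in this report.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified slot: host-virtual range [start, end) backing guest RAM. */
struct mem_slot { uint64_t start, end; };

/* Constructed bounds; the report does not give the real slot range. */
static const struct mem_slot SAMPLE_SLOT = { 0x7f0000000000ULL, 0x7f0004000000ULL };

/* Return 1 if [virt, virt + size) fits in the slot, 0 otherwise. The address is
 * guest-supplied, so a bad value is logged and rejected instead of aborting. */
static int slot_contains(const struct mem_slot *s, uint64_t virt, uint32_t size)
{
    /* Compare size with the space left rather than computing virt + size,
     * which can wrap around for addresses near UINT64_MAX. */
    if (virt < s->start || virt > s->end || size > s->end - virt) {
        fprintf(stderr, "warning: virtual address out of range virt=0x%llx+0x%x\n",
                (unsigned long long)virt, (unsigned)size);
        return 0;
    }
    return 1;
}

/* Process a batch of guest-supplied addresses, skipping invalid ones so that
 * later commands are still handled. Returns the number of commands dropped. */
static int process_commands(const struct mem_slot *s, const uint64_t *addrs,
                            int n, uint32_t size)
{
    int dropped = 0;
    for (int i = 0; i < n; i++)
        if (!slot_contains(s, addrs[i], size))
            dropped++;
    return dropped;
}

/* Constructed batch; the middle entry is the virt value from frame #4 of the
 * backtrace in this report. */
static int sample_dropped(void)
{
    const uint64_t addrs[] = { 0x7f0000001000ULL, 4398114144256ULL, 0x7f0003ffffecULL };
    return process_commands(&SAMPLE_SLOT, addrs, 3, 20);
}

int main(void)
{
    printf("dropped=%d of 3\n", sample_dropped());
    return 0;
}
```
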
Fixed by https://cgit.freedesktop.org/spice/spice/commit/?id=aa724b170b7ff742b77f2a247797f0003a6d1b73

This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2324.html

Description of problem:
spice qemu seg fault when rhel7 gdm login window appeared

Version-Release number of selected component (if applicable):
kernel-3.10.0-315.el7.x86_64
qemu-kvm-rhev-2.3.0-23.el7.x86_64
spice-server-0.12.4-14.el7.x86_64

How reproducible:
100%

Steps to Reproduce:

1. Start the guest:

```
/usr/libexec/qemu-kvm -name rhel -S \
  -machine pc-i440fx-rhel7.2.0,accel=kvm,usb=off \
  -cpu Broadwell,+mpx,+rtm,+hle \
  -m 4096 \
  -realtime mlock=off \
  -smp 4,sockets=4,cores=1,threads=1 \
  -uuid 76bec40c-cb32-4af5-9408-fb306efa6722 \
  -no-user-config -nodefaults \
  -chardev socket,id=charmonitor,path=/tmp/rhel.sock,server,nowait \
  -mon chardev=charmonitor,id=monitor,mode=control \
  -rtc base=utc,driftfix=slew \
  -global kvm-pit.lost_tick_policy=discard \
  -no-hpet -no-shutdown \
  -global PIIX4_PM.disable_s3=1 \
  -global PIIX4_PM.disable_s4=1 \
  -boot strict=on \
  -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x6.0x7 \
  -device ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pci.0,multifunction=on,addr=0x6 \
  -device ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pci.0,addr=0x6.0x1 \
  -device ich9-usb-uhci3,masterbus=usb.0,firstport=4,bus=pci.0,addr=0x6.0x2 \
  -device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x8 \
  -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x5 \
  -drive file=/home/20G.qcow2,if=none,id=drive-scsi0-0-0-0,format=qcow2,cache=none,aio=native \
  -device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bootindex=1 \
  -netdev tap,id=hostnet0 \
  -device e1000,netdev=hostnet0,id=net0,mac=52:54:00:36:ff:9a,bus=pci.0,addr=0x3 \
  -chardev pty,id=charserial0 \
  -device isa-serial,chardev=charserial0,id=serial0 \
  -chardev spicevmc,id=charchannel0,name=vdagent \
  -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 \
  -spice port=5901,addr=0.0.0.0,disable-ticketing,image-compression=off,seamless-migration=on \
  -device qxl-vga,id=video0,ram_size=67108864,vram_size=67108864,vgamem_mb=16,bus=pci.0,addr=0x2 \
  -device intel-hda,id=sound0,bus=pci.0,addr=0x4 \
  -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 \
  -chardev spicevmc,id=charredir0,name=usbredir \
  -device usb-redir,chardev=charredir0,id=redir0 \
  -chardev spicevmc,id=charredir1,name=usbredir \
  -device usb-redir,chardev=charredir1,id=redir1 \
  -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7 \
  -msg timestamp=on \
  -monitor stdio
```

2. remote-viewer spice://skylake:5901
3. wait till guest gdm login window, and qemu crash

Actual results:

```
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/libexec/qemu-kvm -name rhel -S -machine pc-i440fx-rhel7.2.0,accel=kvm,usb='.
Program terminated with signal 6, Aborted.
#0  0x00007f525b18a5f7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) bt
#0  0x00007f525b18a5f7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007f525b18bce8 in __GI_abort () at abort.c:90
#2  0x00007f525c1b926c in spice_logv (log_domain=0x7f525c22f826 "Spice", log_level=SPICE_LOG_LEVEL_CRITICAL, strloc=0x7f525c234bc9 "red_memslots.c:94", function=0x7f525c234d4f <__FUNCTION__.19486> "validate_virt", format=0x7f525c234a58 "virtual address out of range\n virt=0x%lx+0x%x slot_id=%d group_id=%d\n slot=0x%lx-0x%lx delta=0x%lx", args=args@entry=0x7f51465fe410) at log.c:109
#3  0x00007f525c1b93c5 in spice_log (log_domain=log_domain@entry=0x7f525c22f826 "Spice", log_level=log_level@entry=SPICE_LOG_LEVEL_CRITICAL, strloc=strloc@entry=0x7f525c234bc9 "red_memslots.c:94", function=function@entry=0x7f525c234d4f <__FUNCTION__.19486> "validate_virt", format=format@entry=0x7f525c234a58 "virtual address out of range\n virt=0x%lx+0x%x slot_id=%d group_id=%d\n slot=0x%lx-0x%lx delta=0x%lx") at log.c:123
#4  0x00007f525c177521 in validate_virt (info=<optimized out>, virt=4398114144256, slot_id=0, add_size=20, group_id=1) at red_memslots.c:90
#5  0x00007f525c17763b in get_virt (info=info@entry=0x7f5265d15598, addr=<optimized out>, add_size=add_size@entry=20, group_id=group_id@entry=1, error=error@entry=0x7f51465fe5c4) at red_memslots.c:142
#6  0x00007f525c177bad in red_get_data_chunks_ptr (slots=slots@entry=0x7f5265d15598, group_id=group_id@entry=1, memslot_id=<optimized out>, red=0x7f5264de5840, red@entry=0x7f51465fe630, qxl=qxl@entry=0x7f514bc5e004) at red_parse_qxl.c:107
#7  0x00007f525c177dfa in red_get_clip_rects (slots=slots@entry=0x7f5265d15598, group_id=group_id@entry=1, addr=72057594059284480) at red_parse_qxl.c:270
#8  0x00007f525c17956f in red_get_clip_ptr (qxl=0x7f514bc7722f, red=0x7f5264d8d000, group_id=1, slots=0x7f5265d15598) at red_parse_qxl.c:913
#9  red_get_native_drawable (flags=0, addr=<optimized out>, red=0x7f5264d8cfc0, group_id=1, slots=0x7f5265d15598) at red_parse_qxl.c:941
#10 red_get_drawable (slots=0x7f5265d15598, group_id=1, red=0x7f5264d8cfc0, addr=<optimized out>, flags=0)
---Type <return> to continue, or q <return> to quit---
    at red_parse_qxl.c:1105
#11 0x00007f525c18d6e2 in red_process_commands (worker=worker@entry=0x7f5265b40000, ring_is_empty=ring_is_empty@entry=0x7f51465fe894, max_pipe_size=50) at red_worker.c:5228
#12 0x00007f525c191913 in handle_dev_oom (opaque=0x7f5265b40000, payload=<optimized out>) at red_worker.c:11591
#13 0x00007f525c174523 in dispatcher_handle_single_read (dispatcher=0x7f5264d24a48) at dispatcher.c:139
#14 dispatcher_handle_recv_read (dispatcher=0x7f5264d24a48) at dispatcher.c:162
#15 0x00007f525c198315 in red_worker_main (arg=<optimized out>) at red_worker.c:12266
#16 0x00007f5261660dc5 in start_thread (arg=0x7f51465ff700) at pthread_create.c:308
#17 0x00007f525b24b1cd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113
(gdb) q
```

Expected results:
qemu should not crash.

Additional info: