Bug 1264356 - spice qemu seg fault when rhel7 gdm login window appeared
spice qemu seg fault when rhel7 gdm login window appeared
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: spice (Show other bugs)
7.2
x86_64 Linux
medium Severity high
: rc
: ---
Assigned To: Christophe Fergeau
SPICE QE bug list
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-09-18 05:34 EDT by Xiaoqing Wei
Modified: 2016-11-03 23:43 EDT (History)
5 users (show)

See Also:
Fixed In Version: spice-0.12.4-17.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-03 23:43:35 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
crash dump (15.00 MB, application/x-xz)
2015-09-20 23:23 EDT, Xiaoqing Wei
no flags Details
crash dump (15.00 MB, application/octet-stream)
2015-09-20 23:33 EDT, Xiaoqing Wei
no flags Details
crash dump (6.48 MB, application/octet-stream)
2015-09-20 23:35 EDT, Xiaoqing Wei
no flags Details

  None (edit)
Description Xiaoqing Wei 2015-09-18 05:34:08 EDT
Description of problem:
spice qemu seg fault when rhel7 gdm login window appeared

Version-Release number of selected component (if applicable):
kernel-3.10.0-315.el7.x86_64
qemu-kvm-rhev-2.3.0-23.el7.x86_64
spice-server-0.12.4-14.el7.x86_64


How reproducible:
100%

Steps to Reproduce:
1.
/usr/libexec/qemu-kvm -name rhel -S -machine pc-i440fx-rhel7.2.0,accel=kvm,usb=off -cpu Broadwell,+mpx,+rtm,+hle -m 4096 -realtime mlock=off -smp 4,sockets=4,cores=1,threads=1 -uuid 76bec40c-cb32-4af5-9408-fb306efa6722 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/tmp/rhel.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=discard -no-hpet -no-shutdown -global PIIX4_PM.disable_s3=1 -global PIIX4_PM.disable_s4=1 -boot strict=on -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x6.0x7 -device ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pci.0,multifunction=on,addr=0x6 -device ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pci.0,addr=0x6.0x1 -device ich9-usb-uhci3,masterbus=usb.0,firstport=4,bus=pci.0,addr=0x6.0x2 -device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x8 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x5 -drive file=/home/20G.qcow2,if=none,id=drive-scsi0-0-0-0,format=qcow2,cache=none,aio=native -device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bootindex=1 -netdev tap,id=hostnet0 -device e1000,netdev=hostnet0,id=net0,mac=52:54:00:36:ff:9a,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -spice port=5901,addr=0.0.0.0,disable-ticketing,image-compression=off,seamless-migration=on -device qxl-vga,id=video0,ram_size=67108864,vram_size=67108864,vgamem_mb=16,bus=pci.0,addr=0x2 -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -chardev spicevmc,id=charredir0,name=usbredir -device usb-redir,chardev=charredir0,id=redir0 -chardev spicevmc,id=charredir1,name=usbredir -device usb-redir,chardev=charredir1,id=redir1 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7 -msg timestamp=on -monitor stdio

2. remote-viewer spice://skylake:5901
3. wait till guest gdm login window, and qemu crash

Actual results:
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/libexec/qemu-kvm -name rhel -S -machine pc-i440fx-rhel7.2.0,accel=kvm,usb='.
Program terminated with signal 6, Aborted.
#0  0x00007f525b18a5f7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) bt
#0  0x00007f525b18a5f7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007f525b18bce8 in __GI_abort () at abort.c:90
#2  0x00007f525c1b926c in spice_logv (log_domain=0x7f525c22f826 "Spice", 
    log_level=SPICE_LOG_LEVEL_CRITICAL, strloc=0x7f525c234bc9 "red_memslots.c:94", 
    function=0x7f525c234d4f <__FUNCTION__.19486> "validate_virt", 
    format=0x7f525c234a58 "virtual address out of range\n    virt=0x%lx+0x%x slot_id=%d group_id=%d\n    slot=0x%lx-0x%lx delta=0x%lx", args=args@entry=0x7f51465fe410) at log.c:109
#3  0x00007f525c1b93c5 in spice_log (log_domain=log_domain@entry=0x7f525c22f826 "Spice", 
    log_level=log_level@entry=SPICE_LOG_LEVEL_CRITICAL, 
    strloc=strloc@entry=0x7f525c234bc9 "red_memslots.c:94", 
    function=function@entry=0x7f525c234d4f <__FUNCTION__.19486> "validate_virt", 
    format=format@entry=0x7f525c234a58 "virtual address out of range\n    virt=0x%lx+0x%x slot_id=%d group_id=%d\n    slot=0x%lx-0x%lx delta=0x%lx") at log.c:123
#4  0x00007f525c177521 in validate_virt (info=<optimized out>, virt=4398114144256, slot_id=0, 
    add_size=20, group_id=1) at red_memslots.c:90
#5  0x00007f525c17763b in get_virt (info=info@entry=0x7f5265d15598, addr=<optimized out>, 
    add_size=add_size@entry=20, group_id=group_id@entry=1, error=error@entry=0x7f51465fe5c4)
    at red_memslots.c:142
#6  0x00007f525c177bad in red_get_data_chunks_ptr (slots=slots@entry=0x7f5265d15598, 
    group_id=group_id@entry=1, memslot_id=<optimized out>, red=0x7f5264de5840, red@entry=0x7f51465fe630, 
    qxl=qxl@entry=0x7f514bc5e004) at red_parse_qxl.c:107
#7  0x00007f525c177dfa in red_get_clip_rects (slots=slots@entry=0x7f5265d15598, 
    group_id=group_id@entry=1, addr=72057594059284480) at red_parse_qxl.c:270
#8  0x00007f525c17956f in red_get_clip_ptr (qxl=0x7f514bc7722f, red=0x7f5264d8d000, group_id=1, 
    slots=0x7f5265d15598) at red_parse_qxl.c:913
#9  red_get_native_drawable (flags=0, addr=<optimized out>, red=0x7f5264d8cfc0, group_id=1, 
    slots=0x7f5265d15598) at red_parse_qxl.c:941
#10 red_get_drawable (slots=0x7f5265d15598, group_id=1, red=0x7f5264d8cfc0, addr=<optimized out>, flags=0)
---Type <return> to continue, or q <return> to quit---
    at red_parse_qxl.c:1105
#11 0x00007f525c18d6e2 in red_process_commands (worker=worker@entry=0x7f5265b40000, 
    ring_is_empty=ring_is_empty@entry=0x7f51465fe894, max_pipe_size=50) at red_worker.c:5228
#12 0x00007f525c191913 in handle_dev_oom (opaque=0x7f5265b40000, payload=<optimized out>)
    at red_worker.c:11591
#13 0x00007f525c174523 in dispatcher_handle_single_read (dispatcher=0x7f5264d24a48) at dispatcher.c:139
#14 dispatcher_handle_recv_read (dispatcher=0x7f5264d24a48) at dispatcher.c:162
#15 0x00007f525c198315 in red_worker_main (arg=<optimized out>) at red_worker.c:12266
#16 0x00007f5261660dc5 in start_thread (arg=0x7f51465ff700) at pthread_create.c:308
#17 0x00007f525b24b1cd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113
(gdb) q


Expected results:

qemu should not crash.

Additional info:
Comment 1 Xiaoqing Wei 2015-09-18 06:01:54 EDT
tried downgrade to spice-server-0.12.4-9.el7.x86_64, still reproducible.
Comment 3 Fabiano Fidêncio 2015-09-18 06:12:44 EDT
Are you able to reproduce the problem using virsh or virt-manager to start the virtual machine?

Digging into the QEMU command line trying to find if there is something wrong there (or already tweaked from a standard one) is not exactly a simple task.
Comment 4 Xiaoqing Wei 2015-09-18 06:23:50 EDT
downgrade to 7.1 GA qemu also still reproducible
qemu-kvm-rhev-2.1.2-23.el7.x86_64
spice-server-0.12.4-14.el7.x86_64

no a regression.
Comment 5 Xiaoqing Wei 2015-09-18 06:26:39 EDT
(In reply to Fabiano Fidêncio from comment #3)
> Are you able to reproduce the problem using virsh or virt-manager to start
> the virtual machine?
> 

Yes, the cli was copied from /var/log/libvirt



> Digging into the QEMU command line trying to find if there is something
> wrong there (or already tweaked from a standard one) is not exactly a simple
> task.

Well, tweaking libvirt xml isn't a easy task for me either :(

FYI,

the vm definition which met this issue is as below:
[root@intel-skylake-dh-01 ~]# virsh dumpxml rhel
<domain type='kvm'>
  <name>rhel</name>
  <uuid>76bec40c-cb32-4af5-9408-fb306efa6722</uuid>
  <memory unit='KiB'>4194304</memory>
  <currentMemory unit='KiB'>4194304</currentMemory>
  <vcpu placement='static'>4</vcpu>
  <os>
    <type arch='x86_64' machine='pc-i440fx-rhel7.2.0'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
  </features>
  <cpu mode='custom' match='exact'>
    <model fallback='allow'>Broadwell</model>
    <feature policy='force' name='mpx'/>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' cache='none' io='native'/>
      <source file='/home/20G.qcow2'/>
      <target dev='sda' bus='scsi'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <controller type='usb' index='0' model='ich9-ehci1'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x7'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci1'>
      <master startport='0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0' multifunction='on'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci2'>
      <master startport='2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x1'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci3'>
      <master startport='4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'/>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </controller>
    <controller type='scsi' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
    </controller>
    <interface type='bridge'>
      <mac address='52:54:00:36:ff:9a'/>
      <source bridge='switch'/>
      <model type='e1000'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='spice' autoport='yes'>
      <image compression='off'/>
    </graphics>
    <sound model='ich6'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </sound>
    <video>
      <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <redirdev bus='usb' type='spicevmc'>
    </redirdev>
    <redirdev bus='usb' type='spicevmc'>
    </redirdev>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
    </memballoon>
  </devices>
</domain>
Comment 6 Xiaoqing Wei 2015-09-20 23:23 EDT
Created attachment 1075379 [details]
crash dump
Comment 7 Xiaoqing Wei 2015-09-20 23:33 EDT
Created attachment 1075380 [details]
crash dump
Comment 8 Xiaoqing Wei 2015-09-20 23:35 EDT
Created attachment 1075381 [details]
crash dump
Comment 9 Xiaoqing Wei 2015-09-21 00:24:23 EDT
cat bz1264356.tar.xz-aa bz1264356.tar.xz-ab bz1264356.tar.xz-ac > bz1264356.tar.xz
Comment 11 Frediano Ziglio 2016-02-17 10:38:05 EST
The spice_critical (server/memslot.c: "spice_critical("virtual address out of range\n"") should be demoted as spice_warning as could be easily triggered from the client.
Comment 13 Mike McCune 2016-03-28 18:37:22 EDT
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions
Comment 18 errata-xmlrpc 2016-11-03 23:43:35 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2324.html

Note You need to log in before you can comment on or make changes to this bug.