Description of problem:
launch guest with spice protocol, then expire_password with vnc protocol on qmp, qemu core dump

Version-Release number of selected component (if applicable):
2.6.32-595.el6.x86_64
qemu-kvm-0.12.1.2-2.482.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. launch guest with spice protocol and qmp enabled

/usr/libexec/qemu-kvm -name test -machine rhel6.6.0 \
-nodefaults \
-vga qxl \
-device virtio-scsi-pci,id=virtio_scsi_pci0,bus=pci.0,addr=04 \
-drive id=drive_image1,if=none,cache=none,snapshot=off,format=qcow2,file=/mnt/rhel7.2.z.qcow2 \
-device scsi-hd,id=image1,drive=drive_image1,bus=virtio_scsi_pci0.0,bootindex=0 -netdev tap,id=hostnet0,vhost=on \
-device virtio-net-pci,netdev=hostnet0,mac=06:bc:59:fc:8f:1f,id=net0 \
-m 2048 -smp 2,maxcpus=4,cores=2,threads=1,sockets=1 \
-cpu SandyBridge \
-rtc base=localtime,clock=host,driftfix=slew \
-boot order=cdn,once=d,menu=off,strict=off \
-enable-kvm -qmp tcp:0:5555,nowait,server \
-monitor stdio \
-spice port=5900,password=1

2. connect qmp with telnet

[root@dhcp-65-110 weiliao]# telnet 10.66.8.118 5555
Trying 10.66.8.118...
Connected to 10.66.8.118.
Escape character is '^]'.
{"QMP": {"version": {"qemu": {"micro": 1, "minor": 12, "major": 0}, "package": "(qemu-kvm-0.12.1.2-2.482.el6)"}, "capabilities": []}}
{ 'execute' : 'qmp_capabilities' }
{"return": {}}

3. expire_password with vnc protocol on qmp

{ "execute": "expire_password", "arguments": { "protocol": "vnc", "time":"+6" } }

Actual results:
(qemu) Segmentation fault (core dumped)

Expected results:
Should not core dump.

Additional info:
gdb:
(gdb) bt
#0  vnc_display_pw_expire (ds=0x0, expires=1451279716)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vnc.c:2706
#1  0x00007ffff7db74fe in expire_password (mon=<value optimized out>, qdict=<value optimized out>, ret_data=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:1400
#2  0x00007ffff7db84c0 in monitor_call_handler (mon=<value optimized out>, cmd=0x7ffff82c01c8, params=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4377
#3  0x00007ffff7db9174 in handle_qmp_command (parser=<value optimized out>, tokens=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:5003
#4  0x00007ffff7e1f274 in json_message_process_token (lexer=0x7ffff92dac60, token=0x7ffff8b4cbc0, type=JSON_OPERATOR, x=81, y=2)
    at /usr/src/debug/qemu-kvm-0.12.1.2/json-streamer.c:87
#5  0x00007ffff7e1ef10 in json_lexer_feed_char (lexer=0x7ffff92dac60, ch=125 '}', flush=false)
    at /usr/src/debug/qemu-kvm-0.12.1.2/json-lexer.c:303
#6  0x00007ffff7e1f059 in json_lexer_feed (lexer=0x7ffff92dac60, buffer=0x7fffffffbbd0 "}", size=1)
    at /usr/src/debug/qemu-kvm-0.12.1.2/json-lexer.c:355
#7  0x00007ffff7db7dcb in monitor_control_read (opaque=<value optimized out>, buf=<value optimized out>, size=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:5024
#8  0x00007ffff7e428ea in qemu_chr_be_write (chan=<value optimized out>, cond=<value optimized out>, opaque=0x7ffff86e2190)
    at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-char.c:192
#9  tcp_chr_read (chan=<value optimized out>, cond=<value optimized out>, opaque=0x7ffff86e2190)
    at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-char.c:2286
#10 0x00007ffff7203642 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#11 0x00007ffff7db0910 in glib_pollfds_poll (timeout=1000)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4053
#12 main_loop_wait (timeout=1000)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4079
#13 0x00007ffff7dd422a in kvm_main_loop ()
    at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2258
#14 0x00007ffff7db5317 in main_loop (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4273
#15 main (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6731

Does this happen on RHEL-7 too?
RHEL-7 & RHEV do not have this issue:
3.10.0-309.el7.x86_64
qemu-kvm-rhev.x86_64 10:2.3.0-31.el7_2.1

{ "execute": "expire_password", "arguments": { "protocol": "vnc", "time":"+6" } }
{"error": {"class": "GenericError", "desc": "Could not set password"}}

RHEL-7 & QEMU-KVM do not have this issue:
qemu-kvm.x86_64 10:1.5.3-105.el7

corner case: changing vnc passwd while using spice, can't happen in practice with our management tools. Fixed in rhel7/upstream.
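
The backtrace in this report shows vnc_display_pw_expire() entered with ds=0x0 when the guest has only a SPICE display, while the RHEL-7 builds answer the same command with "Could not set password". The C model below is an added example, not QEMU source and not part of the original report; it shows the unchecked pattern next to a guarded one that turns the missing display into an error reply. The struct layouts, the pw_expire_* and qmp_expire_password names, and the "unsupported protocol in this model" string are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Simplified stand-ins for the display structures (hypothetical layout). */
typedef struct VncDisplay { time_t expires; } VncDisplay;
typedef struct DisplayState { VncDisplay *opaque; } DisplayState;

/* Stays NULL when no VNC display was configured, matching ds=0x0 in frame #0. */
static DisplayState *vnc_display_state = NULL;

/* Unchecked pattern: dereferences ds directly and faults when ds == NULL. */
int pw_expire_unchecked(DisplayState *ds, time_t expires)
{
    ds->opaque->expires = expires;
    return 0;
}

/* Guarded pattern: a request for a display that does not exist is an error. */
int pw_expire_checked(DisplayState *ds, time_t expires)
{
    if (ds == NULL || ds->opaque == NULL) {
        return -EINVAL;
    }
    ds->opaque->expires = expires;
    return 0;
}

/* Model of the command handler: returns "" on success, else an error text. */
const char *qmp_expire_password(const char *protocol, time_t expires)
{
    if (strcmp(protocol, "vnc") != 0) {
        return "unsupported protocol in this model"; /* constructed string */
    }
    if (pw_expire_checked(vnc_display_state, expires) < 0) {
        return "Could not set password"; /* text of the RHEL-7 reply above */
    }
    return "";
}
```
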