1294409 – qemu core dump when expire_password with vnc protocol

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1294409 - qemu core dump when expire_password with vnc protocol

Summary: qemu core dump when expire_password with vnc protocol

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	qemu-kvm
Sub Component:
Version:	6.8
Hardware:	x86_64
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Gerd Hoffmann
QA Contact:	Virtualization Bugs
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-12-28 05:30 UTC by weliao
Modified:	2016-01-15 11:37 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-01-15 11:37:53 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description weliao 2015-12-28 05:30:34 UTC

Description of problem:
launch guest with spice protocol, then expire_password with vnc protocol on qmp,qemu core dump 

Version-Release number of selected component (if applicable):
2.6.32-595.el6.x86_64
qemu-kvm-0.12.1.2-2.482.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1.launch guest with spice protocol and qmp enable
/usr/libexec/qemu-kvm -name test -machine rhel6.6.0 \
-nodefaults \
-vga qxl  \
-device virtio-scsi-pci,id=virtio_scsi_pci0,bus=pci.0,addr=04 \
-drive id=drive_image1,if=none,cache=none,snapshot=off,format=qcow2,file=/mnt/rhel7.2.z.qcow2 \
-device scsi-hd,id=image1,drive=drive_image1,bus=virtio_scsi_pci0.0,bootindex=0 -netdev tap,id=hostnet0,vhost=on \
-device virtio-net-pci,netdev=hostnet0,mac=06:bc:59:fc:8f:1f,id=net0  \
-m 2048 -smp 2,maxcpus=4,cores=2,threads=1,sockets=1 \
-cpu SandyBridge  \
-rtc base=localtime,clock=host,driftfix=slew \
-boot order=cdn,once=d,menu=off,strict=off \
-enable-kvm -qmp tcp:0:5555,nowait,server \
-monitor stdio  \
-spice port=5900,password=1

2.connect qmp with telnet 
[root@dhcp-65-110 weiliao]# telnet 10.66.8.118 5555
Trying 10.66.8.118...
Connected to 10.66.8.118.
Escape character is '^]'.
{"QMP": {"version": {"qemu": {"micro": 1, "minor": 12, "major": 0}, "package": "(qemu-kvm-0.12.1.2-2.482.el6)"}, "capabilities": []}}
{ 'execute' : 'qmp_capabilities' }
{"return": {}}

3.expire_password with vnc protocol on qmp
{ "execute": "expire_password", "arguments": { "protocol": "vnc", "time":"+6" } }


Actual results:
(qemu) Segmentation fault (core dumped)


Expected results:
can't core dumped.

Additional info:
gdb:
(gdb) bt
#0  vnc_display_pw_expire (ds=0x0, expires=1451279716) at /usr/src/debug/qemu-kvm-0.12.1.2/vnc.c:2706
#1  0x00007ffff7db74fe in expire_password (mon=<value optimized out>, qdict=<value optimized out>, ret_data=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:1400
#2  0x00007ffff7db84c0 in monitor_call_handler (mon=<value optimized out>, cmd=0x7ffff82c01c8, params=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4377
#3  0x00007ffff7db9174 in handle_qmp_command (parser=<value optimized out>, tokens=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:5003
#4  0x00007ffff7e1f274 in json_message_process_token (lexer=0x7ffff92dac60, token=0x7ffff8b4cbc0, type=JSON_OPERATOR, x=81, y=2) at /usr/src/debug/qemu-kvm-0.12.1.2/json-streamer.c:87
#5  0x00007ffff7e1ef10 in json_lexer_feed_char (lexer=0x7ffff92dac60, ch=125 '}', flush=false) at /usr/src/debug/qemu-kvm-0.12.1.2/json-lexer.c:303
#6  0x00007ffff7e1f059 in json_lexer_feed (lexer=0x7ffff92dac60, buffer=0x7fffffffbbd0 "}", size=1) at /usr/src/debug/qemu-kvm-0.12.1.2/json-lexer.c:355
#7  0x00007ffff7db7dcb in monitor_control_read (opaque=<value optimized out>, buf=<value optimized out>, size=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:5024
#8  0x00007ffff7e428ea in qemu_chr_be_write (chan=<value optimized out>, cond=<value optimized out>, opaque=0x7ffff86e2190) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-char.c:192
#9  tcp_chr_read (chan=<value optimized out>, cond=<value optimized out>, opaque=0x7ffff86e2190) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-char.c:2286
#10 0x00007ffff7203642 in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#11 0x00007ffff7db0910 in glib_pollfds_poll (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4053
#12 main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4079
#13 0x00007ffff7dd422a in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2258
#14 0x00007ffff7db5317 in main_loop (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4273
#15 main (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6731

Comment 2 Gerd Hoffmann 2016-01-04 13:00:54 UTC

Does this happen on RHEL-7 too?

Comment 3 weliao 2016-01-05 02:07:51 UTC

RHEL-7 & RHEV no this issue:
3.10.0-309.el7.x86_64
 qemu-kvm-rhev.x86_64 10:2.3.0-31.el7_2.1 

{ "execute": "expire_password", "arguments": { "protocol": "vnc", "time":"+6" } }
{"error": {"class": "GenericError", "desc": "Could not set password"}}

RHEL-7 & QEMU-KVM no this issue:
qemu-kvm.x86_64 10:1.5.3-105.el7

Comment 4 Ademar Reis 2016-01-15 11:37:53 UTC

corner case: changing vnc passwd while using spice, can't happen in practice with our management tools. Fixed in rhel7/upstream.

Note You need to log in before you can comment on or make changes to this bug.