Bug 1340439 - qemu-kvm crashed when setting vram64_size_mb to some values
Summary: qemu-kvm crashed when setting vram64_size_mb to some values
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.3
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Gerd Hoffmann
QA Contact: Guo, Zhiyi
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-05-27 12:08 UTC by yafu
Modified: 2017-08-02 03:27 UTC (History)

Fixed In Version: QEMU 2.7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 23:32:13 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2392 0 normal SHIPPED_LIVE Important: qemu-kvm-rhev security, bug fix, and enhancement update 2017-08-01 20:04:36 UTC

Description yafu 2016-05-27 12:08:55 UTC
Description of problem:
qemu-kvm crashed when setting vram64_size_mb to some values, such as values in the range 2765-3765, but some values work fine, such as 1765 and 4765.


Version-Release number of selected component (if applicable):
qemu-kvm-rhev-2.6.0-4.el7.x86_64

How reproducible:
100%


Steps to reproduce:
1. Start a guest with a qxl video device and vram64_size_mb set to 2765:
  #/usr/libexec/qemu-kvm -name rhel7.1,debug-threads=on -machine pc-i440fx-rhel7.2.0,accel=kvm,usb=off -cpu Broadwell -m 1024 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1  \
-drive file=/var/lib/libvirt/images/rhel71.qcow2,format=qcow2,if=none,id=drive-virtio-disk0 -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x7,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 \
  -device qxl-vga,id=video0,ram_size=67108864,vram_size=67108864,vram64_size_mb=2765,vgamem_mb=16,bus=pci.0,addr=0xa
char device redirected to /dev/pts/2 (label charserial0)
qemu-kvm: /builddir/build/BUILD/qemu-2.6.0/exec.c:1351: find_ram_offset: Assertion `size != 0' failed.
Aborted (core dumped)


Actual results:
qemu-kvm crashed

Expected results:
qemu-kvm should not crash

Additional info:
Core dump of the crashed qemu-kvm:

(gdb) t a a bt

Thread 4 (Thread 0x7fffe6d25700 (LWP 18287)):
#0  0x00007ffff17bf6d5 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1  0x0000555555989699 in qemu_cond_wait (cond=<optimized out>, mutex=mutex@entry=0x555555ef9940 <qemu_global_mutex>)
    at util/qemu-thread-posix.c:123
#2  0x00005555556f0f13 in qemu_kvm_wait_io_event (cpu=<optimized out>) at /usr/src/debug/qemu-2.6.0/cpus.c:1030
#3  qemu_kvm_cpu_thread_fn (arg=0x555557762000) at /usr/src/debug/qemu-2.6.0/cpus.c:1069
#4  0x00007ffff17bbdc5 in start_thread () from /lib64/libpthread.so.0
#5  0x00007fffefef91cd in clone () from /lib64/libc.so.6

Thread 3 (Thread 0x7fffe7526700 (LWP 18285)):
#0  0x00007ffff17c1870 in sem_timedwait () from /lib64/libpthread.so.0
#1  0x00005555559897e7 in qemu_sem_timedwait (sem=sem@entry=0x555556bca888, ms=ms@entry=10000)
    at util/qemu-thread-posix.c:245
#2  0x00005555558f05fc in worker_thread (opaque=0x555556bca820) at thread-pool.c:92
#3  0x00007ffff17bbdc5 in start_thread () from /lib64/libpthread.so.0
#4  0x00007fffefef91cd in clone () from /lib64/libc.so.6

Thread 2 (Thread 0x7fffe7d27700 (LWP 18283)):
#0  0x00007ffff17c296d in nanosleep () from /lib64/libpthread.so.0
#1  0x00007ffff0c5da98 in g_usleep () from /lib64/libglib-2.0.so.0
#2  0x0000555555997e4c in call_rcu_thread (opaque=<optimized out>) at util/rcu.c:245
#3  0x00007ffff17bbdc5 in start_thread () from /lib64/libpthread.so.0
#4  0x00007fffefef91cd in clone () from /lib64/libc.so.6

Thread 1 (Thread 0x7ffff7f8dc40 (LWP 18279)):
#0  0x00007fffefe385f7 in raise () from /lib64/libc.so.6
#1  0x00007fffefe39ce8 in abort () from /lib64/libc.so.6
#2  0x00007fffefe31566 in __assert_fail_base () from /lib64/libc.so.6
#3  0x00007fffefe31612 in __assert_fail () from /lib64/libc.so.6
#4  0x00005555556c7e44 in find_ram_offset (size=0) at /usr/src/debug/qemu-2.6.0/exec.c:1351
#5  ram_block_add (new_block=new_block@entry=0x5555591d3600, errp=errp@entry=0x7fffffffd790)
    at /usr/src/debug/qemu-2.6.0/exec.c:1585
#6  0x00005555556c7f26 in qemu_ram_alloc_internal (size=size@entry=0, max_size=max_size@entry=0,
    resized=resized@entry=0x0, host=host@entry=0x0, resizeable=resizeable@entry=false, mr=mr@entry=0x55555919fbc0,
    errp=errp@entry=0x555556316b30 <error_fatal>) at /usr/src/debug/qemu-2.6.0/exec.c:1728
#7  0x00005555556c8aaa in qemu_ram_alloc (size=size@entry=0, mr=mr@entry=0x55555919fbc0,
    errp=errp@entry=0x555556316b30 <error_fatal>) at /usr/src/debug/qemu-2.6.0/exec.c:1745
#8  0x0000555555706f46 in memory_region_init_ram (mr=mr@entry=0x55555919fbc0, owner=owner@entry=0x55555918e000,
    name=name@entry=0x5555559e9676 "qxl.vram", size=0, errp=0x555556316b30 <error_fatal>)
    at /usr/src/debug/qemu-2.6.0/memory.c:1315
#9  0x000055555583098c in qxl_realize_common (qxl=qxl@entry=0x55555918e000, errp=errp@entry=0x7fffffffd870)
    at hw/display/qxl.c:1981
#10 0x0000555555830f6e in qxl_realize_primary (dev=0x55555918e000, errp=0x7fffffffd8f0) at hw/display/qxl.c:2065
#11 0x0000555555864238 in pci_qdev_realize (qdev=0x55555918e000, errp=0x7fffffffd970) at hw/pci/pci.c:1865
#12 0x000055555580e7f0 in device_set_realized (obj=0x55555918e000, value=<optimized out>, errp=0x7fffffffdaa8)
    at hw/core/qdev.c:1066
#13 0x00005555558eb9fe in property_set_bool (obj=0x55555918e000, v=<optimized out>, name=<optimized out>,
    opaque=0x555557b5c4d0, errp=0x7fffffffdaa8) at qom/object.c:1853
#14 0x00005555558ef657 in object_property_set_qobject (obj=0x55555918e000, value=<optimized out>,
    name=0x5555559e5d6d "realized", errp=0x7fffffffdaa8) at qom/qom-qobject.c:26
#15 0x00005555558ed4d0 in object_property_set_bool (obj=0x55555918e000, value=<optimized out>,
    name=0x5555559e5d6d "realized", errp=0x7fffffffdaa8) at qom/object.c:1150
#16 0x00005555557bfbdc in qdev_device_add (opts=0x555556b34230, errp=errp@entry=0x7fffffffdb80) at qdev-monitor.c:618
#17 0x00005555557c9907 in device_init_func (opaque=<optimized out>, opts=<optimized out>, errp=<optimized out>)
    at vl.c:2362
#18 0x0000555555995c5a in qemu_opts_foreach (list=<optimized out>, func=func@entry=0x5555557c98e0 <device_init_func>,
    opaque=opaque@entry=0x0, errp=errp@entry=0x0) at util/qemu-option.c:1116
#19 0x00005555556bf900 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4552

Comment 2 Gerd Hoffmann 2016-06-08 12:40:40 UTC
It's broken for vram64_size_mb values larger than 2048 (aka 2G).
Setting to low priority, I doubt this is used in practice.
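An added illustration, not code from this report or from QEMU, of the arithmetic behind the "larger than 2048" boundary as I reconstruct it from the backtrace: the requested size is computed in 32-bit unsigned arithmetic and then rounded up to a power of two, so 2765 MiB rounds to 2^32 and truncates to the size=0 seen in the qemu_ram_alloc frames, while 4765 MiB wraps first and "works" at a size other than the one requested. The function names, the uint32_t assumption and the hardened range check are mine.

```c
#include <stdbool.h>
#include <stdint.h>

#define MIB (1024u * 1024u)

/* Smallest power of two >= v; a stand-in for QEMU's pow2ceil() helper. */
static uint64_t pow2ceil64(uint64_t v)
{
    uint64_t p = 1;
    while (p < v) {
        p <<= 1;
    }
    return p;
}

/* Pre-fix arithmetic as assumed here: both the product and the rounded
 * result live in 32-bit unsigned integers. */
static uint32_t qxl_vram_size_buggy(uint32_t vram64_size_mb, uint32_t vram32_size)
{
    uint32_t vram_size = vram64_size_mb * MIB;   /* wraps at 4096 MiB */
    if (vram_size < vram32_size) {
        vram_size = vram32_size;   /* 64-bit BAR is never smaller than the 32-bit one */
    }
    /* 2049..4096 MiB round up to 2^32, which a uint32_t stores as 0: the
     * size=0 that memory_region_init_ram() later asserts on. */
    return (uint32_t)pow2ceil64(vram_size);
}

/* Hardened variant: 64-bit arithmetic plus an explicit range check, so a
 * nonsensical size never reaches the allocator. The 1 TiB ceiling is an
 * arbitrary limit chosen for this example. */
static bool qxl_vram_size_fixed(uint32_t vram64_size_mb, uint64_t vram32_size,
                                uint64_t *out)
{
    uint64_t vram_size = (uint64_t)vram64_size_mb * MIB;
    if (vram_size < vram32_size) {
        vram_size = vram32_size;
    }
    vram_size = pow2ceil64(vram_size);
    if (vram_size == 0 || vram_size > (1ull << 40)) {
        return false;
    }
    *out = vram_size;
    return true;
}
```

With the report's 64 MiB vram_size, qxl_vram_size_buggy(2765, 64 * MIB) returns 0 while qxl_vram_size_fixed reports 4 GiB, and 4765 silently becomes a 1 GiB BAR in the old arithmetic.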

Comment 3 Gerd Hoffmann 2016-06-08 12:48:09 UTC
https://patchwork.ozlabs.org/patch/632207/

Comment 4 Ademar Reis 2016-12-22 13:42:59 UTC
Fix is upstream: de1b9b85eff3dca42fe2cabe6e026cd2a2d5c769

Comment 6 Guo, Zhiyi 2017-03-17 08:41:31 UTC
Reproduce this issue with qemu-kvm-rhev-2.6.0-27.el7.x86_64.

qemu-cli used:
/usr/libexec/qemu-kvm -device qxl-vga,id=video0,ram_size=67108864,vram_size=67108864,vram64_size_mb=2765,vgamem_mb=16

result:
qemu crash and gdb back trace is:
(gdb) bt
#0  0x00007fa57de521d7 in raise () at /lib64/libc.so.6
#1  0x00007fa57de538c8 in abort () at /lib64/libc.so.6
#2  0x00007fa57de4b146 in __assert_fail_base () at /lib64/libc.so.6
#3  0x00007fa57de4b1f2 in  () at /lib64/libc.so.6
#4  0x00007fa5886f9084 in ram_block_add (size=0)
    at /usr/src/debug/qemu-2.6.0/exec.c:1343
#5  0x00007fa5886f9084 in ram_block_add (new_block=new_block@entry=0x7fa58bd971e0, errp=errp@entry=0x7fffbda776e0) at /usr/src/debug/qemu-2.6.0/exec.c:1577
#6  0x00007fa5886f9166 in qemu_ram_alloc_internal (size=size@entry=0, max_size=max_size@entry=0, resized=resized@entry=
    0x0, host=host@entry=0x0, resizeable=resizeable@entry=false, mr=mr@entry=0x7fa58c1d3d10, errp=errp@entry=0x7fa5893bfd30 <error_fatal>)
    at /usr/src/debug/qemu-2.6.0/exec.c:1720
#7  0x00007fa5886f9d1a in qemu_ram_alloc (size=size@entry=0, mr=mr@entry=0x7fa58c1d3d10, errp=errp@entry=0x7fa5893bfd30 <error_fatal>) at /usr/src/debug/qemu-2.6.0/exec.c:1737
#8  0x00007fa5887385b6 in memory_region_init_ram (mr=mr@entry=0x7fa58c1d3d10, owner=owner@entry=0x7fa58c1c2000, name=name@entry=0x7fa588a19f9e "qxl.vram", size=0, errp=0x7fa5893bfd30 <error_fatal>) at /usr/src/debug/qemu-2.6.0/memory.c:1315
#9  0x00007fa588866b5c in qxl_realize_common (qxl=qxl@entry=0x7fa58c1c2000, errp=errp@entry=0x7fffbda777c0) at hw/display/qxl.c:2011
#10 0x00007fa58886713e in qxl_realize_primary (dev=0x7fa58c1c2000, errp=0x7fffbda77850)
    at hw/display/qxl.c:2095
#11 0x00007fa588895b8c in pci_qdev_realize (qdev=0x7fa58c1c2000, errp=0x7fffbda778e0)
    at hw/pci/pci.c:1966
#12 0x00007fa588844766 in device_set_realized (obj=<optimized out>, value=<optimized out>, errp=0x7fffbda77a18) at hw/core/qdev.c:1076
#13 0x00007fa58891907e in property_set_bool (obj=0x7fa58c1c2000, v=<optimized out>, name=<optimized out>, opaque=0x7fa58b94d730, errp=0x7fffbda77a18) at qom/object.c:1861
#14 0x00007fa58891cd47 in object_property_set_qobject (obj=0x7fa58c1c2000, value=<optimized out>, name=0x7fa588a1666d "realized", errp=0x7fffbda77a18) at qom/qom-qobject.c:26
#15 0x00007fa58891abc0 in object_property_set_bool (obj=0x7fa58c1c2000, value=<optimized out>, name=0x7fa588a1666d "realized", errp=0x7fffbda77a18) at qom/object.c:1158
#16 0x00007fa5887f2f9c in qdev_device_add (opts=0x7fa589fdcb90, errp=errp@entry=0x7fffbda77af0) at qdev-monitor.c:617
#17 0x00007fa5887fcfd7 in device_init_func (opaque=<optimized out>, opts=<optimized out>,
    errp=<optimized out>) at vl.c:2365
#18 0x00007fa5889c50da in qemu_opts_foreach (list=<optimized out>, func=func@entry=
    0x7fa5887fcfb0 <device_init_func>, opaque=opaque@entry=0x0, errp=errp@entry=0x0)
    at util/qemu-option.c:1116
#19 0x00007fa5886f0ba5 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4578

Verified with qemu-kvm-rhev-2.8.0-5.el7.x86_64
No crash occurs after using the same qemu cli

Comment 7 Guo, Zhiyi 2017-03-17 08:42:13 UTC
Verified per comment 6

Comment 9 errata-xmlrpc 2017-08-01 23:32:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2392
