Bug 632458 - Guest may core dump when booting with spice and qxl.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
Version: 6.0
Hardware/OS: All Linux
Priority: medium
Severity: medium
Target Milestone: beta
Target Release: 6.1
Assigned To: Gerd Hoffmann
QA Contact: Virtualization Bugs
Blocks: 580954
Reported: 2010-09-09 22:04 EDT by YangFeng
Modified: 2013-01-09 18:06 EST
Fixed In Version: qemu-kvm-0.12.1.2-2.133.el6
Doc Type: Bug Fix
Last Closed: 2011-05-19 07:29:20 EDT

External Trackers
Red Hat Product Errata RHSA-2011:0534 (priority normal, status SHIPPED_LIVE): Important: qemu-kvm security, bug fix, and enhancement update. Last updated 2011-05-19 07:20:36 EDT.
Description YangFeng 2010-09-09 22:04:31 EDT
Description of problem:
Sometimes the guest core dumps when booting with spice and qxl.
(qemu) /bin/sh: line 1: 11186 Segmentation fault      (core dumped) /usr/local/staf/test/RHEV/kvm-new/autotest/client/tests/kvm/qemu -name 'vm1' -chardev socket,id=human_monitor_3vth,path=/tmp/monitor-humanmonitor1-20100907-165150-LxE6,server,nowait -mon chardev=human_monitor_3vth,mode=readline -chardev socket,id=serial_SSFT,path=/tmp/serial-20100907-165150-LxE6,server,nowait -device isa-serial,chardev=serial_SSFT -drive file='/usr/local/staf/test/RHEV/kvm-new/autotest/client/tests/kvm/images/RHEL-4.8-64-virtio.raw',index=0,if=none,id=drive-virtio-disk1,media=disk,cache=writethrough,boot=on,format=raw,aio=native -device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk1,id=virtio-disk1 -device virtio-net-pci,netdev=idLt8NpY,id=ndev00idLt8NpY,mac='02:C6:F5:F9:0e:cc',bus=pci.0,addr=0x3 -netdev tap,id=idLt8NpY,ifname='virtio_0_8000',script='/usr/local/staf/test/RHEV/kvm-new/autotest/client/tests/kvm/scripts/qemu-ifup-switch',downscript='no' -m 8192 -smp 4 -cpu cpu64-rhel6,+x2apic -vnc :0 -spice port=8000,disable-ticketing -vga qxl -rtc base=utc,clock=host,driftfix=none -M rhel6.0.0 -usbdevice tablet -no-kvm-pit-reinjection
(qemu) (Process terminated with status 139)



Version-Release number of selected component (if applicable):
Host kernel: 2.6.32-71.el6.x86_64
qemu-kvm version: qemu-kvm-0.12.1.2-2.113.el6.x86_64


How reproducible:
Random issue, rarely reproduces.

Steps to Reproduce:
1. Boot up guest with spice and qxl. e.g. /usr/local/staf/test/RHEV/kvm-new/autotest/client/tests/kvm/qemu -name 'vm1' -chardev socket,id=human_monitor_3vth,path=/tmp/monitor-humanmonitor1-20100907-165150-LxE6,server,nowait -mon chardev=human_monitor_3vth,mode=readline -chardev socket,id=serial_SSFT,path=/tmp/serial-20100907-165150-LxE6,server,nowait -device isa-serial,chardev=serial_SSFT -drive file='/usr/local/staf/test/RHEV/kvm-new/autotest/client/tests/kvm/images/RHEL-4.8-64-virtio.raw',index=0,if=none,id=drive-virtio-disk1,media=disk,cache=writethrough,boot=on,format=raw,aio=native -device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk1,id=virtio-disk1 -device virtio-net-pci,netdev=idLt8NpY,id=ndev00idLt8NpY,mac='02:C6:F5:F9:0e:cc',bus=pci.0,addr=0x3 -netdev tap,id=idLt8NpY,ifname='virtio_0_8000',script='/usr/local/staf/test/RHEV/kvm-new/autotest/client/tests/kvm/scripts/qemu-ifup-switch',downscript='no' -m 8192 -smp 4 -cpu cpu64-rhel6,+x2apic -vnc :0 -spice port=8000,disable-ticketing -vga qxl -rtc base=utc,clock=host,driftfix=none -M rhel6.0.0 -usbdevice tablet -no-kvm-pit-reinjection
Actual results:
Guest core dumps:
(qemu) /bin/sh: line 1: 11186 Segmentation fault      (core dumped) /usr/local/staf/test/RHEV/kvm-new/autotest/client/tests/kvm/qemu -name 'vm1' -chardev socket,id=human_monitor_3vth,path=/tmp/monitor-humanmonitor1-20100907-165150-LxE6,server,nowait -mon chardev=human_monitor_3vth,mode=readline -chardev socket,id=serial_SSFT,path=/tmp/serial-20100907-165150-LxE6,server,nowait -device isa-serial,chardev=serial_SSFT -drive file='/usr/local/staf/test/RHEV/kvm-new/autotest/client/tests/kvm/images/RHEL-4.8-64-virtio.raw',index=0,if=none,id=drive-virtio-disk1,media=disk,cache=writethrough,boot=on,format=raw,aio=native -device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk1,id=virtio-disk1 -device virtio-net-pci,netdev=idLt8NpY,id=ndev00idLt8NpY,mac='02:C6:F5:F9:0e:cc',bus=pci.0,addr=0x3 -netdev tap,id=idLt8NpY,ifname='virtio_0_8000',script='/usr/local/staf/test/RHEV/kvm-new/autotest/client/tests/kvm/scripts/qemu-ifup-switch',downscript='no' -m 8192 -smp 4 -cpu cpu64-rhel6,+x2apic -vnc :0 -spice port=8000,disable-ticketing -vga qxl -rtc base=utc,clock=host,driftfix=none -M rhel6.0.0 -usbdevice tablet -no-kvm-pit-reinjection
(qemu) (Process terminated with status 139)

Expected results:
Guest could boot up successfully.


Additional info:
(gdb) bt
#0  0x00000037ed683ddb in memcpy () from /lib64/libc.so.6
#1  0x0000000000471dd0 in qemu_spice_display_create_update (ds=0x2831c10, dirty=<value optimized out>, unique=<value optimized out>) at /usr/include/bits/string3.h:52
#2  0x0000000000473267 in _qxl_get_command (d=0x50217c0, cmd=0x7f4de61b6290) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qxl.c:288
#3  0x00000037f8e2deb2 in ?? () from /usr/lib64/libspice-server.so.0
#4  0x00000037f8e2fd81 in red_worker_main () from /usr/lib64/libspice-server.so.0
#5  0x00000037ede077e1 in start_thread () from /lib64/libpthread.so.0
#6  0x00000037ed6e153d in clone () from /lib64/libc.so.6
(gdb)
Comment 2 Amos Kong 2010-10-12 22:17:44 EDT
can reproduce with qemu-kvm-0.12.1.2-2.113.el6_0.1.x86_64.
Comment 3 YangFeng 2010-10-13 02:31:38 EDT
(gdb) bt
#0  0x00000033178329a5 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003317834185 in abort () at abort.c:92
#2  0x0000000000471f07 in qemu_spice_display_create_update (ds=0x24c6940, dirty=<value optimized out>, unique=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/spice-display.c:109
#3  0x0000000000473467 in _qxl_get_command (d=0x4cb67c0, cmd=0x7fafc75b8290) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qxl.c:288
#4  0x000000332242deb2 in red_process_commands (worker=0x7fafc75b83d0, max_pipe_size=50) at red_worker.c:4541
#5  0x000000332242fd81 in red_worker_main (arg=<value optimized out>) at red_worker.c:8864
#6  0x0000003317c077e1 in start_thread (arg=0x7fafc75fe710) at pthread_create.c:301
#7  0x00000033178e153d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
(gdb) 

qemu-kvm: qemu-kvm-0.12.1.2-2.113.el6_0.1.x86_64
kernel: 2.6.32-71.2.1.el6_0.x86_64
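The two backtraces in this report (the description and comment 3) differ in how the process died, a fault inside memcpy versus an abort, but share the same qemu-kvm frames: qemu_spice_display_create_update called from _qxl_get_command on the spice red_worker_main thread. As an added example that is not part of the bug report, the Python below parses gdb `bt` output, drops libc/libpthread and unsymbolised frames, and derives a crash signature, the thread entry point and the first qemu-kvm source frame, which is what a triager needs to recognise both traces as one bug. The sample input is the two backtraces copied from this page; the `/usr/src/debug/qemu-kvm` prefix used to recognise project frames is an assumption taken from those paths.

```python
# Added example (not from the bug report): parse gdb "bt" output and compute a
# crash signature so reports like this one can be de-duplicated and routed.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

FRAME_RE = re.compile(
    r"^#(?P<n>\d+)\s+"
    r"(?:0x(?P<addr>[0-9a-fA-F]+)\s+in\s+)?"     # address/"in" is absent for some frame #0 lines
    r"(?P<func>\S+?)\s*\((?P<args>.*)\)"
    r"(?:\s+at\s+(?P<file>\S+):(?P<line>\d+))?"  # with debuginfo:    "at file.c:123"
    r"(?:\s+from\s+(?P<lib>\S+))?\s*$"           # without debuginfo: "from /lib64/libfoo.so"
)


@dataclass
class Frame:
    num: int
    func: str
    file: Optional[str]
    line: Optional[int]
    lib: Optional[str]

    def is_runtime(self) -> bool:
        """libc/libpthread frames and unsymbolised '??' frames say how the process died,
        not which bug killed it, so they are excluded from the signature."""
        if self.func == "??":
            return True
        if self.lib and ("libc.so" in self.lib or "libpthread" in self.lib):
            return True
        if self.file and ("/sysdeps/" in self.file or "pthread_create.c" in self.file
                          or self.file.endswith("abort.c")):
            return True
        return False


def _parse_frame(line: str) -> Frame:
    m = FRAME_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised frame line: {line!r}")
    return Frame(int(m["n"]), m["func"], m["file"],
                 int(m["line"]) if m["line"] else None, m["lib"])


def parse_backtrace(text: str) -> List[Frame]:
    """Parse the frames of one gdb 'bt' listing; '(gdb)' prompt lines are ignored and
    a frame that gdb wrapped onto an indented continuation line is re-joined."""
    frames: List[Frame] = []
    current: Optional[str] = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            if current is not None:
                frames.append(_parse_frame(current))
            current = raw.rstrip()
        elif current is not None and raw.startswith(" ") and raw.strip():
            current += " " + raw.strip()
    if current is not None:
        frames.append(_parse_frame(current))
    return frames


def signature(frames: List[Frame], depth: int = 2) -> Tuple[str, ...]:
    """The first `depth` non-runtime function names: the key used to group crashes."""
    return tuple(f.func for f in frames if not f.is_runtime())[:depth]


def thread_entry(frames: List[Frame]) -> Optional[str]:
    """The function handed to pthread_create, i.e. the frame just below start_thread."""
    for i, f in enumerate(frames):
        if f.func == "start_thread" and i > 0:
            return frames[i - 1].func
    return None


def fault_kind(frames: List[Frame]) -> str:
    """'abort' when the process killed itself (assert/abort), otherwise 'fault'."""
    return "abort" if any(f.func == "abort" for f in frames[:3]) else "fault"


def first_source_frame(frames: List[Frame], prefix: str = "/usr/src/debug/qemu-kvm") -> Optional[Frame]:
    """First frame whose source file lives in the project tree (assumed prefix)."""
    return next((f for f in frames if f.file and f.file.startswith(prefix)), None)


# Sample input: the two backtraces from this bug report, copied verbatim.
BT_SEGV = """(gdb) bt
#0  0x00000037ed683ddb in memcpy () from /lib64/libc.so.6
#1  0x0000000000471dd0 in qemu_spice_display_create_update (ds=0x2831c10, dirty=<value optimized out>, unique=<value optimized out>) at /usr/include/bits/string3.h:52
#2  0x0000000000473267 in _qxl_get_command (d=0x50217c0, cmd=0x7f4de61b6290) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qxl.c:288
#3  0x00000037f8e2deb2 in ?? () from /usr/lib64/libspice-server.so.0
#4  0x00000037f8e2fd81 in red_worker_main () from /usr/lib64/libspice-server.so.0
#5  0x00000037ede077e1 in start_thread () from /lib64/libpthread.so.0
#6  0x00000037ed6e153d in clone () from /lib64/libc.so.6
(gdb)
"""

BT_ABORT = """(gdb) bt
#0  0x00000033178329a5 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003317834185 in abort () at abort.c:92
#2  0x0000000000471f07 in qemu_spice_display_create_update (ds=0x24c6940, dirty=<value optimized out>, unique=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/spice-display.c:109
#3  0x0000000000473467 in _qxl_get_command (d=0x4cb67c0, cmd=0x7fafc75b8290) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qxl.c:288
#4  0x000000332242deb2 in red_process_commands (worker=0x7fafc75b83d0, max_pipe_size=50) at red_worker.c:4541
#5  0x000000332242fd81 in red_worker_main (arg=<value optimized out>) at red_worker.c:8864
#6  0x0000003317c077e1 in start_thread (arg=0x7fafc75fe710) at pthread_create.c:301
#7  0x00000033178e153d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
(gdb)
"""

if __name__ == "__main__":
    for label, text in (("description", BT_SEGV), ("comment 3", BT_ABORT)):
        frames = parse_backtrace(text)
        src = first_source_frame(frames)
        print(f"{label}: {fault_kind(frames)} on thread {thread_entry(frames)}, "
              f"signature={signature(frames)}, source={src.file}:{src.line}")
```

With depth 2 both traces yield the signature (qemu_spice_display_create_update, _qxl_get_command) on the red_worker_main thread, so they are filed as one bug; at depth 3 they diverge only because the first trace lacks symbols for libspice-server. The first source frame differs (hw/qxl.c:288 versus spice-display.c:109) because the inlined memcpy in the first trace is attributed to a libc header rather than to qemu's own file.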
Comment 4 Amit Shah 2010-10-13 08:07:42 EDT
Can you reproduce this with qemu-kvm-0.12.1.2-2.114?
Comment 5 YangFeng 2010-10-14 04:55:11 EDT
(In reply to comment #4)
> Can you reproduce this with qemu-kvm-0.12.1.2-2.114?

This is a random issue, rarely reproduced on qemu-kvm-0.12.1.2-2.113.el6_0.1.x86_64.

Have tried 60 times on qemu-kvm-0.12.1.2-2.114. Did not reproduce it.

Will try more and update the result later.
Comment 13 Qingtang Zhou 2011-02-25 01:14:04 EST
This bug reproduced on 

# rpm -q qemu-kvm
qemu-kvm-0.12.1.2-2.113.el6_0.7

It's in 6.0.z stream.
Comment 15 Miya Chen 2011-03-10 00:56:10 EST
Moving to VERIFIED based on comment #12; will re-open it if it is found again.
Comment 16 Suqin Huang 2011-05-03 22:35:19 EDT
Hi kraxel,
can you clone this bug to rhel6.0z? This bug reproduces on qemu-kvm-0.12.1.2-2.113.el6_0.8.x86_64.
Comment 17 errata-xmlrpc 2011-05-19 07:29:20 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0534.html
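Fixed In Version is qemu-kvm-0.12.1.2-2.133.el6, while comments 13 and 16 report the crash on 6.0.z builds numbered 2.113.el6_0.7 and 2.113.el6_0.8, so the practical question for a host owner is whether an installed build sorts at or past the fixed one under rpm's ordering. As an added example, not from the bug report and not rpm's own code, the Python below is a port of rpm's rpmvercmp() ordering with an NVR splitter on top, applied to the builds named on this page; the NVRs that are not on this page (for instance 2.160.el6_1.1) are made up for illustration.

```python
# Added example (not from the bug report or from rpm): a port of rpm's
# rpmvercmp() ordering, used to decide whether an installed qemu-kvm build is
# the "Fixed In Version" of this bug or a later one.
import re
from typing import Tuple

FIXED_NVR = "qemu-kvm-0.12.1.2-2.133.el6"
ARCHES = ("x86_64", "i686", "i386", "noarch", "ppc64", "s390x")  # suffixes "rpm -q" appends
_DIGITS = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[A-Za-z]+")
_ALNUM = re.compile(r"[0-9A-Za-z]")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b.

    Mirrors lib/rpmvercmp.c: split both strings into maximal digit or letter
    runs, compare run by run (digit runs numerically, letter runs with strcmp),
    a digit run beats a letter run, '~' sorts before anything including end of
    string, and the string with runs left over after the other ends is newer.
    The newer '^' separator is not implemented here."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators (anything not alphanumeric and not '~') are skipped
        while i < len(a) and not _ALNUM.match(a[i]) and a[i] != "~":
            i += 1
        while j < len(b) and not _ALNUM.match(b[j]) and b[j] != "~":
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        pat = _DIGITS if isnum else _ALPHA
        ma, mb = pat.match(a, i), pat.match(b, j)
        if mb is None:  # run types differ: numeric is always newer than alpha
            return 1 if isnum else -1
        sa, sb = ma.group(), mb.group()
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = ma.end(), mb.end()
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_nvr(nvr: str) -> Tuple[str, int, str, str]:
    """'name-[epoch:]version-release[.arch]' -> (name, epoch, version, release)."""
    for arch in ARCHES:
        if nvr.endswith("." + arch):
            nvr = nvr[: -(len(arch) + 1)]
            break
    name, version, release = nvr.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    return name, epoch, version, release


def compare_nvr(a: str, b: str) -> int:
    """EVR comparison as rpm does it: epoch first, then version, then release."""
    na, ea, va, ra = parse_nvr(a)
    nb, eb, vb, rb = parse_nvr(b)
    if na != nb:
        raise ValueError(f"cannot compare different packages: {na} vs {nb}")
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(installed_nvr: str, fixed_nvr: str = FIXED_NVR) -> bool:
    """True when the installed build is the fixed build or sorts after it."""
    return compare_nvr(installed_nvr, fixed_nvr) >= 0


if __name__ == "__main__":
    # Builds named in this report, plus one made-up later build for illustration.
    for nvr in ("qemu-kvm-0.12.1.2-2.113.el6.x86_64",
                "qemu-kvm-0.12.1.2-2.113.el6_0.1.x86_64",
                "qemu-kvm-0.12.1.2-2.114.el6",
                "qemu-kvm-0.12.1.2-2.113.el6_0.8.x86_64",
                "qemu-kvm-0.12.1.2-2.133.el6",
                "qemu-kvm-0.12.1.2-2.160.el6_1.1.x86_64"):   # hypothetical
        print(f"{nvr}: {'fixed' if is_fixed(nvr) else 'NOT fixed'}")
```

On a host, pass the output of `rpm -q qemu-kvm` to is_fixed(); rpmdev-vercmp from rpmdevtools gives the same ordering from a shell. Version ordering is a screening check only: a 6.0.z build such as 2.113.el6_0.8 sorts below 2.133.el6 and is reported as not fixed, which is exactly the situation behind comment 16's request for a 6.0.z clone, and whether a given stream carries the fix is settled by the erratum (RHSA-2011:0534 here), not by the build number alone.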
Comment 18 errata-xmlrpc 2011-05-19 08:48:17 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0534.html
