Bug 740547 - qxl: migrating in vga mode causes a "panic: virtual address out of range"
Summary: qxl: migrating in vga mode causes a "panic: virtual address out of range"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
Version: 6.1
Hardware: Unspecified
OS: All
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Alon Levy
QA Contact: Virtualization Bugs
Reported: 2011-09-22 12:30 UTC by Alon Levy
Modified: 2011-12-06 16:04 UTC (History)

Fixed In Version: qemu-kvm-0.12.1.2-2.206.el6
Doc Type: Bug Fix
Doc Text:
Cause: qxl memory slots are not created after migration if the migration started in vga mode and the guest is actually a native guest temporarily in vga mode.
Consequence: after migration, when switching from vga mode back to native mode, qemu-kvm will abort.
Fix: recreate all active memory slots on migration if in vga mode.
Result: after migration, switching back to native mode works fine. For instance this applies to a cmd window in a windows vm in full screen mode (alt-enter).
Last Closed: 2011-12-06 16:04:05 UTC
Links:
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2011:1531 | no | normal | SHIPPED_LIVE | Moderate: qemu-kvm security, bug fix, and enhancement update | 2011-12-06 01:23:30 UTC

Description Alon Levy 2011-09-22 12:30:03 UTC
Description of problem:
When migrating a vm not in native mode the slots are not recreated on the destination and as a result a "panic: virtual address out of range" occurs at the first usage of slot referenced memory.

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. run a windows vm (will happen in any vm, but this is how we tested)
2. create cmd window
3. alt-enter to change to vga mode
4. migrate
5. alt-enter to exit vga mode
  
Actual results:

qxl-0: QXL_IO_CREATE_PRIMARY async=1
qxl-0: qxl_exit_vga_mode
qxl-0: qxl_destroy_primary
qxl-0: qxl_create_guest_primary: 1280x960
id 0, group 0, virt start 0, virt end ffffffffffffffff, generation 0, delta 0
validate_virt: panic: virtual address out of range
    virt=0x0+0x4b0000 slot_id=1 group_id=1
    slot=0x0-0x0 delta=0x0

Expected results:
normal operation - exit vga mode, return to windows ui.

Additional info:
The following snippet fixes the problem: (will send upstream first, this affects upstream as well)

diff --git a/hw/qxl.c b/hw/qxl.c
index d669a6b..ccc34a9 100644
--- a/hw/qxl.c
+++ b/hw/qxl.c
@@ -1725,6 +1725,12 @@ static int qxl_post_load(void *opaque, int version)
         qxl_mode_to_string(d->mode));
     newmode = d->mode;
     d->mode = QXL_MODE_UNDEFINED;
+    for (i = 0; i < NUM_MEMSLOTS; i++) {
+        if (!d->guest_slots[i].active) {
+            continue;
+        }
+        qxl_add_memslot(d, i, 0, QXL_SYNC);
+    }
     switch (newmode) {
     case QXL_MODE_UNDEFINED:
         break;
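Review bot: the hoisted loop runs unconditionally before the switch, so slots are now recreated for every restored mode, including QXL_MODE_UNDEFINED and the compat case, whereas the reported problem is limited to a restore that starts in vga mode; restricting the loop to the vga and native arms (or guarding it with `if (newmode != QXL_MODE_UNDEFINED)`) would leave the other restore paths exactly as they were and make the intent of the change obvious to the next reader.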
@@ -1732,12 +1738,6 @@ static int qxl_post_load(void *opaque, int version)
         qxl_enter_vga_mode(d);
         break;
     case QXL_MODE_NATIVE:
-        for (i = 0; i < NUM_MEMSLOTS; i++) {
-            if (!d->guest_slots[i].active) {
-                continue;
-            }
-            qxl_add_memslot(d, i, 0, QXL_SYNC);
-        }
         qxl_create_guest_primary(d, 1, QXL_SYNC);
 
         /* replay surface-create and cursor-set commands */
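Review bot: with the loop removed here, the QXL_MODE_NATIVE arm now silently depends on the slots having been rebuilt above the switch; a one-line comment at `qxl_create_guest_primary(d, 1, QXL_SYNC);` stating that precondition would help, since that call is exactly the path that reaches validate_virt and aborts when a slot is still empty.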

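To make the failure mode concrete, here is an added example in C that is not qemu-kvm's code nor Alon's patch: a small model of the qxl memslot state across migration. The slot range, the struct and function names, and the two-slot layout are constructed for illustration; only the 0x4b0000 primary size (1280x960x4 bytes) and the shape of the panic message are taken from the log above. `run_scenario(fixed, migrate_in_vga)` returns 0 when exiting vga mode on the destination succeeds and -1 when the model hits the "virtual address out of range" check.

```c
/*
 * Added example (not qemu-kvm's code): a model of qxl memslot state around
 * migration. Guest-programmed slots are migrated; the host-side mappings are
 * not and must be rebuilt by post_load. All names and sizes are constructed;
 * only the 0x4b0000 primary size comes from the bug's log.
 */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <inttypes.h>

#define NUM_MEMSLOTS 2

enum qxl_mode { QXL_MODE_UNDEFINED, QXL_MODE_VGA, QXL_MODE_NATIVE };

struct guest_slot { bool active; uint64_t start, end; }; /* migrated state */
struct host_slot  { uint64_t virt_start, virt_end; };    /* NOT migrated */

struct qxl_model {
    enum qxl_mode     mode;
    struct guest_slot guest_slots[NUM_MEMSLOTS];
    struct host_slot  host_slots[NUM_MEMSLOTS];
};

/* Install the host-side mapping for one guest slot. */
static void install_slot(struct qxl_model *d, int id)
{
    d->host_slots[id].virt_start = d->guest_slots[id].start;
    d->host_slots[id].virt_end   = d->guest_slots[id].end;
}

/* Guest programs a memslot: recorded in migrated state and installed. */
static void guest_add_memslot(struct qxl_model *d, int id, uint64_t start, uint64_t end)
{
    d->guest_slots[id].active = true;
    d->guest_slots[id].start  = start;
    d->guest_slots[id].end    = end;
    install_slot(d, id);
}

/* validate_virt analogue: 0 when [off, off+size) fits the host mapping, else -1. */
static int validate_virt(const struct qxl_model *d, int slot_id, uint64_t off, uint64_t size)
{
    const struct host_slot *s = &d->host_slots[slot_id];
    uint64_t virt = s->virt_start + off;
    if (virt < s->virt_start || virt + size > s->virt_end) {
        fprintf(stderr, "validate_virt: panic: virtual address out of range\n"
                        "    virt=0x%" PRIx64 "+0x%" PRIx64 " slot_id=%d\n"
                        "    slot=0x%" PRIx64 "-0x%" PRIx64 "\n",
                virt, size, slot_id, s->virt_start, s->virt_end);
        return -1;
    }
    return 0;
}

/* Destination-side post_load; 'fixed' selects the patched behaviour. */
static void post_load(struct qxl_model *d, bool fixed)
{
    enum qxl_mode newmode = d->mode;
    d->mode = QXL_MODE_UNDEFINED;
    if (fixed)  /* patched: rebuild every active slot regardless of mode */
        for (int i = 0; i < NUM_MEMSLOTS; i++)
            if (d->guest_slots[i].active) install_slot(d, i);
    switch (newmode) {
    case QXL_MODE_VGA:
        d->mode = QXL_MODE_VGA;         /* original: nothing rebuilt here */
        break;
    case QXL_MODE_NATIVE:
        if (!fixed)  /* original: slots only rebuilt for a native restore */
            for (int i = 0; i < NUM_MEMSLOTS; i++)
                if (d->guest_slots[i].active) install_slot(d, i);
        d->mode = QXL_MODE_NATIVE;
        break;
    default:
        break;
    }
}

/* Migration: only guest-visible state travels; host_slots start out empty. */
static void migrate(const struct qxl_model *src, struct qxl_model *dst, bool fixed)
{
    memset(dst, 0, sizeof *dst);
    dst->mode = src->mode;
    memcpy(dst->guest_slots, src->guest_slots, sizeof dst->guest_slots);
    post_load(dst, fixed);
}

/* Leaving vga mode recreates the primary surface in slot 1 through validate_virt. */
static int exit_vga_mode(struct qxl_model *d, uint64_t primary_bytes)
{
    d->mode = QXL_MODE_NATIVE;
    return validate_virt(d, 1, 0, primary_bytes);
}

/* Bug scenario: native guest, slot 1 programmed, optionally alt-enter to vga
 * before migrating, then alt-enter again on the destination. 0 = ok, -1 = panic. */
int run_scenario(bool fixed, bool migrate_in_vga)
{
    struct qxl_model src, dst;
    memset(&src, 0, sizeof src);
    src.mode = QXL_MODE_NATIVE;
    guest_add_memslot(&src, 1, 0x100000, 0x100000 + 0x800000); /* constructed range */
    if (migrate_in_vga) src.mode = QXL_MODE_VGA;
    migrate(&src, &dst, fixed);
    return exit_vga_mode(&dst, 0x4b0000); /* 1280x960x4 bytes, as in the log */
}

int main(void)
{
    printf("unfixed/native: %d  unfixed/vga: %d  fixed/vga: %d\n",
           run_scenario(false, false), run_scenario(false, true), run_scenario(true, true));
    return 0;
}
```

Running it shows the three cases the report and the patch describe: migrating in native mode already worked, migrating in vga mode fails on the first use of slot 1 because its host mapping is still 0x0-0x0, and the patched post_load makes the vga case succeed.
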
Comment 2 RHEL Program Management 2011-10-07 16:03:36 UTC
Since RHEL 6.2 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 3 Alon Levy 2011-10-25 13:10:13 UTC
Better patch posted as a result of Gerd's comments on COMPT mode not requiring any change to behavior:
 
 http://patchwork.ozlabs.org/patch/121670/

Alon

Comment 4 juzhang 2011-10-26 05:34:28 UTC
Reproduced with qemu-kvm-200, marked qa ack+

bt
-
id 0, group 0, virt start 0, virt end ffffffffffffffff, generation 0, delta 0
validate_virt: panic: virtual address out of range
virt=0x0+0x96000 slot_id=1 group_id=1
slot=0x0-0x0 delta=0x0
Aborted (core dumped)

Comment 5 Alon Levy 2011-10-26 21:57:38 UTC
(In reply to comment #4)
> Reproduced with qemu-kvm-200,marked qa ack+
> 
> bt
> -
> id 0, group 0, virt start 0, virt end ffffffffffffffff, generation 0, delta 0
> validate_virt: panic: virtual address out of range
> virt=0x0+0x96000 slot_id=1 group_id=1
> slot=0x0-0x0 delta=0x0
> Aborted (core dumped)

Can you verify http://brewweb.devel.redhat.com/brew/taskinfo?taskID=3747158 fixes the issue?

Comment 6 FuXiangChun 2011-10-27 07:50:41 UTC
> Can you verify http://brewweb.devel.redhat.com/brew/taskinfo?taskID=3747158
> fixes the issue?
Tested with qemu-kvm-0.12.1.2-2.204.el6.alon.bz740547.v1.x86_64; the guest shows a black screen instead of a core dump. The following is the detailed info:

steps:
1. boot a windows-xp vm 
/usr/libexec/qemu-kvm  -m 2G -smp 2 -netdev tap,id=hostnet0,vhost=on,script=/etc/qemu-ifup -device virtio-net-pci,netdev=hostnet0,id=net0,mac=1C:C1:DE:32:A3:F8 -uuid 7c73a852-c316-4d61-b913-9dde17367a30  -drive file=/home/winxp.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,werror=ignore,rerror=ignore -device virtio-blk-pci,drive=drive-virtio-disk0,id=virtio-blk-pci0  -monitor stdio -spice disable-ticketing,port=5911 -balloon none -vga qxl

2. create cmd window
3. alt-enter to change to vga mode
4. migrate
5. alt-enter to exit vga mode

actual result:
The Windows UI shows a black screen after alt-enter to exit vga mode; the guest cannot return to the Windows UI normally.

Comment 7 Alon Levy 2011-10-27 08:04:45 UTC
ok, so a few questions:
 1. after migration, can you see the cursor blinking, can you send key presses via the spice client and see the letters appear?
 2. after alt-enter to exit vga mode, can you post the qemu log output, the qemu backtrace.

Thanks,
Alon

Comment 8 Michal Novotny 2011-10-27 12:11:59 UTC
Patches acked:
* Patch: qxl: create slots on post_load in vga state
  (Message-Id: <1319666296-3180-1-git-send-email-alevy>)
  - Acked-by: Gerd Hoffmann <kraxel>
  - Acked-by: Yonit Halperin <yhalperi>
  - Acked-by: Hans de Goede <hdegoede>

Comment 9 Michal Novotny 2011-10-27 12:31:14 UTC
Patch(es) included on qemu-kvm-0.12.1.2-2.205.el6

Comment 10 FuXiangChun 2011-10-28 05:03:39 UTC
Verified on qemu-kvm-0.12.1.2-2.205.el6

steps to verify:
1. boot a windows-xp vm
/usr/libexec/qemu-kvm  -m 2G -smp 2 -netdev tap,id=hostnet0,vhost=on,script=/etc/qemu-ifup -device virtio-net-pci,netdev=hostnet0,id=net0,mac=1C:C1:DE:32:A3:F8 -uuid 7c73a852-c316-4d61-b913-9dde17367a30  -drive file=/home/winxp.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,werror=ignore,rerror=ignore -device virtio-blk-pci,drive=drive-virtio-disk0,id=virtio-blk-pci0  -monitor stdio -spice disable-ticketing,port=5911 -balloon none -vga qxl

2. create cmd window
3. alt-enter to change to vga mode
4. migrate
5. alt-enter to exit vga mode

actual result:
  after alt-enter to exit vga mode in destination, return to windows ui.

Based on the above testing result, this bug has been fixed.


(In reply to comment #7)
> ok, so a few question:
>  1. after migration, can you see the cursor blinking, can you send key presses
> via the spice client and see the letters appear?
>  2. after alt-enter to exit vga mode, can you post the qemu log output, the
> qemu backtrace.
> 
> Thanks,
> Alon

Alon, maybe my testing host has some problems; I used another host to reproduce it with qemu-kvm-0.12.1.2-2.204.el6.alon.bz740547.v1.x86_64, and after alt-enter to exit vga mode the guest can return to the Windows UI.

Comment 13 Eduardo Habkost 2011-10-28 17:58:25 UTC
Moving to ON_QA because Errata Tool did not do it

Comment 15 Alon Levy 2011-11-17 18:16:43 UTC
Adding technical note and updating the bug title to what was actually the problem (COMPAT_MODE turned out to be ok not requiring any update).

Comment 16 Alon Levy 2011-11-17 18:16:43 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause
    qxl memory slots are not created after migration if the migration started in vga mode and the guest is actually a native guest temporarily in vga mode.
Consequence
    after migration, when switching from vga mode back to native mode, qemu-kvm will abort.
Fix
    recreate all active memory slots on migration if in vga mode.
Result
    after migration switching back to native mode works fine. For instance this applies to a cmd window in a windows vm in full screen mode (alt-enter).

Comment 17 errata-xmlrpc 2011-12-06 16:04:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1531.html

