Bug 748810 - qemu crashes if screen dump is called when the vm is stopped
Summary: qemu crashes if screen dump is called when the vm is stopped
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Gerd Hoffmann
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On: 736631
Blocks: 798195
Reported: 2011-10-25 12:47 UTC by Yonit Halperin
Modified: 2013-01-10 00:28 UTC (History)

Fixed In Version: qemu-kvm-0.12.1.2-2.238.el6
Doc Type: Bug Fix
Doc Text:
Cause: Run a guest, stop it and try to get a screen dump. Consequence: Qemu-kvm crashes with segmentation fault. Fix: Fix QXL driver to use shared buffer. Result: qemu-kvm doesn't crash
Clone Of: 736631
Clones: 798195 (view as bug list)
Environment:
Last Closed: 2012-06-20 11:35:23 UTC
Target Upstream Version:
Embargoed:

Links:
Red Hat Product Errata RHBA-2012:0746 (priority normal, status SHIPPED_LIVE): qemu-kvm bug fix and enhancement update, last updated 2012-06-19 19:31:48 UTC

Comment 1 Yonit Halperin 2011-10-25 12:53:11 UTC
Hi Dor,

1) Can this bug and bug 736631 be moved to 6.3?
2) This bug was just recently discovered; have these screen dumps after the vm is stopped been added only recently to the auto tests?
3) Can these screen dumps be disabled during the auto tests?

Thanks,
Yonit.

Comment 8 Gerd Hoffmann 2012-02-14 15:29:00 UTC
Patches posted.

Comment 12 Shaolong Hu 2012-02-16 08:50:13 UTC
Reproduced on qemu-kvm-0.12.1.2-2.223.el6.x86_64:

steps:
------
1.boot guest with "-vga qxl"
2.in qemu monitor
(qemu) stop
handle_dev_stop: stop
(qemu) screendump /root/sd1
handle_dev_update: ASSERT worker->running failed
...
/usr/lib64/libspice-server.so.1(+0xbe685)[0x7f8d7b9d6685]
/usr/lib64/libspice-server.so.1(+0x353f2)[0x7f8d7b94d3f2]
/usr/lib64/libspice-server.so.1(+0x1aa33)[0x7f8d7b932a33]
/usr/lib64/libspice-server.so.1(+0x33f0c)[0x7f8d7b94bf0c]
/lib64/libpthread.so.0(+0x3bf5a077f1)[0x7f8d7cc057f1]
/lib64/libc.so.6(clone+0x6d)[0x7f8d7a55a70d]
Aborted (core dumped)


Failed on qemu-kvm-0.12.1.2-2.230.el6.x86_64:

(qemu) stop
handle_dev_stop: stop
(qemu) screendump /root/sd1
handle_dev_update: ASSERT worker->running failed
Thread 17 (Thread 0x7fa6678d2700 (LWP 12988)):
#0  0x00007fa66ea5675b in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1  0x00007fa66f12ae07 in cond_timedwait (unused=<value optimized out>) at posix-aio-compat.c:102
#2  aio_thread (unused=<value optimized out>) at posix-aio-compat.c:329
#3  0x00007fa66ea527f1 in start_thread () from /lib64/libpthread.so.0
#4  0x00007fa66c3a770d in clone () from /lib64/libc.so.6
Thread 16 (Thread 0x7fa665d34700 (LWP 12989)):
#0  0x00007fa66c2f597d in sigtimedwait () from /lib64/libc.so.6
#1  0x00007fa66f1138b6 in kvm_main_loop_wait (env=0x7fa670c91fd0, timeout=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1858
#2  0x00007fa66f113eed in kvm_main_loop_cpu (_env=0x7fa670c91fd0) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1994
#3  ap_main_loop (_env=0x7fa670c91fd0) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2041
#4  0x00007fa66ea527f1 in start_thread () from /lib64/libpthread.so.0
#5  0x00007fa66c3a770d in clone () from /lib64/libc.so.6
Thread 15 (Thread 0x7fa665333700 (LWP 12990)):
#0  0x00007fa66c2f597d in sigtimedwait () from /lib64/libc.so.6
#1  0x00007fa66f1138b6 in kvm_main_loop_wait (env=0x7fa670cab010, timeout=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1858
#2  0x00007fa66f113eed in kvm_main_loop_cpu (_env=0x7fa670cab010) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1994
#3  ap_main_loop (_env=0x7fa670cab010) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2041
#4  0x00007fa66ea527f1 in start_thread () from /lib64/libpthread.so.0
#5  0x00007fa66c3a770d in clone () from /lib64/libc.so.6
Thread 14 (Thread 0x7fa657fff700 (LWP 12991)):
#0  0x00007fa66c2f597d in sigtimedwait () from /lib64/libc.so.6
#1  0x00007fa66f1138b6 in kvm_main_loop_wait (env=0x7fa670cb8eb0, timeout=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1858
#2  0x00007fa66f113eed in kvm_main_loop_cpu (_env=0x7fa670cb8eb0) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1994
#3  ap_main_loop (_env=0x7fa670cb8eb0) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2041
#4  0x00007fa66ea527f1 in start_thread () from /lib64/libpthread.so.0
#5  0x00007fa66c3a770d in clone () from /lib64/libc.so.6
Thread 13 (Thread 0x7fa6575fe700 (LWP 12992)):
#0  0x00007fa66c2f597d in sigtimedwait () from /lib64/libc.so.6
#1  0x00007fa66f1138b6 in kvm_main_loop_wait (env=0x7fa670cc6d50, timeout=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1858
#2  0x00007fa66f113eed in kvm_main_loop_cpu (_env=0x7fa670cc6d50) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1994
#3  ap_main_loop (_env=0x7fa670cc6d50) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2041
#4  0x00007fa66ea527f1 in start_thread () from /lib64/libpthread.so.0
#5  0x00007fa66c3a770d in clone () from /lib64/libc.so.6
Thread 12 (Thread 0x7fa655bfc700 (LWP 12993)):
#0  0x00007fa66ea594ed in read () from /lib64/libpthread.so.0
#1  0x00007fa66d823570 in read () at /usr/include/bits/unistd.h:45
#2  spice_backtrace_gstack () at backtrace.c:97
#3  0x00007fa66d8236c5 in spice_backtrace () at backtrace.c:128
#4  0x00007fa66d79a3f2 in handle_dev_update (opaque=0x7fa655a246c0, payload=<value optimized out>) at red_worker.c:10291
#5  0x00007fa66d77fa33 in dispatcher_handle_single_read (dispatcher=0x7fa6720f2568) at dispatcher.c:120
#6  dispatcher_handle_recv_read (dispatcher=0x7fa6720f2568) at dispatcher.c:143
#7  0x00007fa66d798f0c in red_worker_main (arg=<value optimized out>) at red_worker.c:11192
#8  0x00007fa66ea527f1 in start_thread () from /lib64/libpthread.so.0
#9  0x00007fa66c3a770d in clone () from /lib64/libc.so.6
Thread 11 (Thread 0x7fa53f9fc700 (LWP 12997)):
#0  0x00007fa66ea5675b in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1  0x00007fa66f12ae07 in cond_timedwait (unused=<value optimized out>) at posix-aio-compat.c:102
#2  aio_thread (unused=<value optimized out>) at posix-aio-compat.c:329
#3  0x00007fa66ea527f1 in start_thread () from /lib64/libpthread.so.0
#4  0x00007fa66c3a770d in clone () from /lib64/libc.so.6
Thread 10 (Thread 0x7fa53effb700 (LWP 12998)):
#0  0x00007fa66ea5675b in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1  0x00007fa66f12ae07 in cond_timedwait (unused=<value optimized out>) at posix-aio-compat.c:102
#2  aio_thread (unused=<value optimized out>) at posix-aio-compat.c:329
#3  0x00007fa66ea527f1 in start_thread () from /lib64/libpthread.so.0
#4  0x00007fa66c3a770d in clone () from /lib64/libc.so.6
Thread 9 (Thread 0x7fa53e5fa700 (LWP 12999)):
#0  0x00007fa66ea5675b in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1  0x00007fa66f12ae07 in cond_timedwait (unused=<value optimized out>) at posix-aio-compat.c:102
#2  aio_thread (unused=<value optimized out>) at posix-aio-compat.c:329
#3  0x00007fa66ea527f1 in start_thread () from /lib64/libpthread.so.0
#4  0x00007fa66c3a770d in clone () from /lib64/libc.so.6
Thread 8 (Thread 0x7fa53dbf9700 (LWP 13000)):
#0  0x00007fa66ea5675b in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1  0x00007fa66f12ae07 in cond_timedwait (unused=<value optimized out>) at posix-aio-compat.c:102
#2  aio_thread (unused=<value optimized out>) at posix-aio-compat.c:329
#3  0x00007fa66ea527f1 in start_thread () from /lib64/libpthread.so.0
#4  0x00007fa66c3a770d in clone () from /lib64/libc.so.6
Thread 7 (Thread 0x7fa53d1f8700 (LWP 13001)):
#0  0x00007fa66ea5675b in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1  0x00007fa66f12ae07 in cond_timedwait (unused=<value optimized out>) at posix-aio-compat.c:102
#2  aio_thread (unused=<value optimized out>) at posix-aio-compat.c:329
#3  0x00007fa66ea527f1 in start_thread () from /lib64/libpthread.so.0
#4  0x00007fa66c3a770d in clone () from /lib64/libc.so.6
Thread 6 (Thread 0x7fa53c7f7700 (LWP 13002)):
#0  0x00007fa66ea5675b in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1  0x00007fa66f12ae07 in cond_timedwait (unused=<value optimized out>) at posix-aio-compat.c:102
#2  aio_thread (unused=<value optimized out>) at posix-aio-compat.c:329
#3  0x00007fa66ea527f1 in start_thread () from /lib64/libpthread.so.0
#4  0x00007fa66c3a770d in clone () from /lib64/libc.so.6
Thread 5 (Thread 0x7fa53bdf6700 (LWP 13003)):
#0  0x00007fa66ea5675b in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1  0x00007fa66f12ae07 in cond_timedwait (unused=<value optimized out>) at posix-aio-compat.c:102
#2  aio_thread (unused=<value optimized out>) at posix-aio-compat.c:329 out>) at /usr/include/bits/unistd.h:45
#2  read_safe (fd=21, buf=0x7fff98d39f1c, size=4, block=<value optimized out>) at dispatcher.c:57
#3  0x00007fa66d77f8e6 in dispatcher_send_message (dispatcher=0x7fa6720f2568, message_type=1, payload=0x7fff98d39f50) at dispatcher.c:169
#4  0x00007fa66d7800bf in red_dispatcher_update_area (qxl_worker=<value optimized out>, surface_id=<value optimized out>, qxl_area=<value optimized out>, qxl_dirty_rects=<value optimized out>, num_dirty_rects=<value optimized out>, clear_dirty_region=<value optimized out>) at red_dispatcher.c:299
#5  qxl_worker_update_area (qxl_worker=<value optimized out>, surface_id=<value optimized out>, qxl_area=<value optimized out>, qxl_dirty_rects=<value optimized out>, num_dirty_rects=<value optimized out>, clear_dirty_region=<value optimized out>) at red_dispatcher.c:341
#6  0x00007fa66f272396 in qxl_render_update (qxl=0x7fa6720df840) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qxl-render.c:134
#7  0x00007fa66f27070a in qxl_hw_screen_dump (opaque=0x7fa6720df840, filename=0x7fa671206fe0 "/root/sd1") at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qxl.c:1485
#8  0x00007fa66f1529ed in vga_hw_screen_dump (filename=<value optimized out>) at console.c:182
#9  0x00007fa66f0f78ab in do_screen_dump (mon=<value optimized out>, qdict=<value optimized out>, ret_data=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:1309
#10 0x00007fa66f0f7f90 in monitor_call_handler (mon=<value optimized out>, cmd=0x7fa66f5b0ed8, params=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4106
#11 0x00007fa66f0fd190 in handle_user_command (mon=0x7fa670d1a010, cmdline=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4143
#12 0x00007fa66f0fd2ca in monitor_command_cb (mon=0x7fa670d1a010, cmdline=<value optimized out>, opaque=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4698
#13 0x00007fa66f15237d in readline_handle_byte (rs=0x7fa672148270, ch=<value optimized out>) at readline.c:369
#14 0x00007fa66f0fd4f0 in monitor_read (opaque=<value optimized out>, buf=0x7fff98d3a330 "\r", size=1) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4684
#15 0x00007fa66f164fab in qemu_chr_read (opaque=0x7fa670afc600) at qemu-char.c:170
#16 fd_chr_read (opaque=0x7fa670afc600) at qemu-char.c:669
#17 0x00007fa66f0f17d0 in main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4018
#18 0x00007fa66f11118a in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2225
#19 0x00007fa66f0f340c in main_loop (argc=20, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4228
#20 main (argc=20, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6489
/usr/lib64/libspice-server.so.1(+0xbe685)[0x7fa66d823685]
/usr/lib64/libspice-server.so.1(+0x353f2)[0x7fa66d79a3f2]
/usr/lib64/libspice-server.so.1(+0x1aa33)[0x7fa66d77fa33]
/usr/lib64/libspice-server.so.1(+0x33f0c)[0x7fa66d798f0c]
/lib64/libpthread.so.0(+0x3bf5a077f1)[0x7fa66ea527f1]
/lib64/libc.so.6(clone+0x6d)[0x7fa66c3a770d]
Aborted (core dumped)
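
The trace above and the patch title in comment 13 ("don't render stuff when the vm is stopped") describe the same defect: the screendump path asks the spice worker to render a fresh frame, and the worker refuses requests while the VM is stopped. The following is an added C model of that control flow beside the guarded version, not code from qemu-kvm or spice-server; the Qxl struct, the one-line "render" step and the -1 return standing in for the worker's assert are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define FB_PIXELS 16 /* tiny stand-in for the QXL primary surface */
/* worker_fb belongs to the spice worker thread; last_frame is the device-side
 * shared buffer that the dump path can read without asking the worker. */
typedef struct {
    bool     vm_running;      /* device side: monitor "stop" clears this */
    bool     worker_running;  /* worker side: requests are refused when cleared */
    uint32_t worker_fb[FB_PIXELS];
    uint32_t last_frame[FB_PIXELS];
} Qxl;
/* Worker-side update_area; the real one asserted worker->running and aborted. */
static int handle_dev_update(Qxl *q) {
    if (!q->worker_running) return -1;
    for (int i = 0; i < FB_PIXELS; i++) q->worker_fb[i] += 1; /* "render" a frame */
    return 0;
}
/* Buggy dump: always renders first (qxl_hw_screen_dump -> qxl_render_update). */
static int screen_dump_buggy(Qxl *q, uint32_t *out) {
    if (handle_dev_update(q) != 0) return -1; /* "ASSERT worker->running failed" */
    memcpy(out, q->worker_fb, sizeof q->last_frame);
    return 0;
}
/* Fixed dump: render only while the VM runs; when stopped, serve the frame
 * already in the shared buffer instead of dispatching to the worker. */
static int screen_dump_fixed(Qxl *q, uint32_t *out) {
    if (q->vm_running) {
        if (handle_dev_update(q) != 0) return -1;
        memcpy(q->last_frame, q->worker_fb, sizeof q->last_frame);
    }
    memcpy(out, q->last_frame, sizeof q->last_frame);
    return 0;
}
/* The report's sequence: dump, "(qemu) stop", dump. Returns 0 when the buggy
 * path fails only after the stop and the fixed path still serves the pre-stop frame. */
static int run_stopped_vm_scenario(void) {
    Qxl q = { .vm_running = true, .worker_running = true };
    uint32_t out[FB_PIXELS];
    if (screen_dump_buggy(&q, out) != 0 || out[0] != 1) return 1;
    if (screen_dump_fixed(&q, out) != 0 || out[0] != 2) return 2;
    q.vm_running = q.worker_running = false;
    if (screen_dump_buggy(&q, out) != -1) return 3;
    if (screen_dump_fixed(&q, out) != 0 || out[0] != 2) return 4;
    return 0;
}
```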

Comment 13 Alon Levy 2012-02-17 06:58:25 UTC
Hi Shaolong,

Can you please try this:

http://brewweb.devel.redhat.com/brew/taskinfo?taskID=4052823
 - qemu-kvm-0.12.1.2-2.231.el6.alon.bz748810.1

It includes the last patch that Gerd sent to qemu-devel (not to rhvirt yet):

http://patchwork.ozlabs.org/patch/141398/
[v2] qxl: don't render stuff when the vm is stopped.

Alon

Comment 14 Shaolong Hu 2012-02-17 07:57:17 UTC
(In reply to comment #13)
> Hi Shaolong,
> 
> Can you please try this:
> 
> http://brewweb.devel.redhat.com/brew/taskinfo?taskID=4052823
>  - qemu-kvm-0.12.1.2-2.231.el6.alon.bz748810.1

Hi Alon,

It works well.

Comment 15 Gerd Hoffmann 2012-02-17 09:01:52 UTC
Incremental fix posted.

Comment 18 Shaolong Hu 2012-03-08 03:42:04 UTC
Verified this on qemu-kvm-0.12.1.2-2.238.el6.x86_64:

With the same steps as in comment 12, no crash; after resume, guest works well, verified.

Comment 20 Suqin Huang 2012-04-26 03:21:53 UTC
Hi Gerd,
This issue also happened in qemu-kvm-0.12.1.2-2.209.el6_2.5

Do you plan to fix it in z stream?

Thanks & Regards
Suqin

Comment 22 Michal Novotny 2012-05-03 17:55:58 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause:
Run a guest, stop it and try to get a screen dump.

Consequence:
Qemu-kvm crashes with segmentation fault.

Fix:
Fix QXL driver to use shared buffer.

Result:
qemu-kvm doesn't crash

Comment 23 errata-xmlrpc 2012-06-20 11:35:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0746.html

