748810 – qemu crashes if screen dump is called when the vm is stopped

Bug 748810 - qemu crashes if screen dump is called when the vm is stopped

Summary: qemu crashes if screen dump is called when the vm is stopped

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	qemu-kvm
Sub Component:
Version:	6.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Gerd Hoffmann
QA Contact:	Virtualization Bugs
Docs Contact:
URL:
Whiteboard:
Depends On:	736631
Blocks:	798195
TreeView+	depends on / blocked

Reported:	2011-10-25 12:47 UTC by Yonit Halperin
Modified:	2013-01-10 00:28 UTC (History)
CC List:	16 users (show)
Fixed In Version:	qemu-kvm-0.12.1.2-2.238.el6
Doc Type:	Bug Fix
Doc Text:	Cause: Run a guest, stop it and try to get a screen dump. Consequence: Qemu-kvm crashes with segmentation fault. Fix: Fix QXL driver to use shared buffer. Result: qemu-kvm doesn't crash
Clone Of:	736631
Clones:	798195 (view as bug list)
Environment:
Last Closed:	2012-06-20 11:35:23 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2012:0746	0	normal	SHIPPED_LIVE	qemu-kvm bug fix and enhancement update	2012-06-19 19:31:48 UTC

Comment 1 Yonit Halperin 2011-10-25 12:53:11 UTC

Hi Dor,

1) Can this bug and bug 736631 be moved to 6.3?
2) This bug was just recently discovered; Have these screen dumps after vm is stopped been added only recently to the auto tests?
3) can these screen dumps be disabled during the auto tests?

Thanks,
Yonit.

Comment 8 Gerd Hoffmann 2012-02-14 15:29:00 UTC

Patches posted.

Comment 12 Shaolong Hu 2012-02-16 08:50:13 UTC

Reproduced on qemu-kvm-0.12.1.2-2.223.el6.x86_64:

steps:
------
1.boot guest with "-vga qxl"
2.in qemu monitor
(qemu) stop
handle_dev_stop: stop
(qemu) screendump /root/sd1
handle_dev_update: ASSERT worker->running failed
...
/usr/lib64/libspice-server.so.1(+0xbe685)[0x7f8d7b9d6685]
/usr/lib64/libspice-server.so.1(+0x353f2)[0x7f8d7b94d3f2]
/usr/lib64/libspice-server.so.1(+0x1aa33)[0x7f8d7b932a33]
/usr/lib64/libspice-server.so.1(+0x33f0c)[0x7f8d7b94bf0c]
/lib64/libpthread.so.0(+0x3bf5a077f1)[0x7f8d7cc057f1]
/lib64/libc.so.6(clone+0x6d)[0x7f8d7a55a70d]
Aborted (core dumped)


Failed on qemu-kvm-0.12.1.2-2.230.el6.x86_64:

(qemu) stop
handle_dev_stop: stop
(qemu) screendump /root/sd1
handle_dev_update: ASSERT worker->running failed
Thread 17 (Thread 0x7fa6678d2700 (LWP 12988)):
#0  0x00007fa66ea5675b in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1  0x00007fa66f12ae07 in cond_timedwait (unused=<value optimized out>) at posix-aio-compat.c:102
#2  aio_thread (unused=<value optimized out>) at posix-aio-compat.c:329
#3  0x00007fa66ea527f1 in start_thread () from /lib64/libpthread.so.0
#4  0x00007fa66c3a770d in clone () from /lib64/libc.so.6
Thread 16 (Thread 0x7fa665d34700 (LWP 12989)):
#0  0x00007fa66c2f597d in sigtimedwait () from /lib64/libc.so.6
#1  0x00007fa66f1138b6 in kvm_main_loop_wait (env=0x7fa670c91fd0, timeout=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1858
#2  0x00007fa66f113eed in kvm_main_loop_cpu (_env=0x7fa670c91fd0) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1994
#3  ap_main_loop (_env=0x7fa670c91fd0) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2041
#4  0x00007fa66ea527f1 in start_thread () from /lib64/libpthread.so.0
#5  0x00007fa66c3a770d in clone () from /lib64/libc.so.6
Thread 15 (Thread 0x7fa665333700 (LWP 12990)):
#0  0x00007fa66c2f597d in sigtimedwait () from /lib64/libc.so.6
#1  0x00007fa66f1138b6 in kvm_main_loop_wait (env=0x7fa670cab010, timeout=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1858
#2  0x00007fa66f113eed in kvm_main_loop_cpu (_env=0x7fa670cab010) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1994
#3  ap_main_loop (_env=0x7fa670cab010) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2041
#4  0x00007fa66ea527f1 in start_thread () from /lib64/libpthread.so.0
#5  0x00007fa66c3a770d in clone () from /lib64/libc.so.6
Thread 14 (Thread 0x7fa657fff700 (LWP 12991)):
#0  0x00007fa66c2f597d in sigtimedwait () from /lib64/libc.so.6
#1  0x00007fa66f1138b6 in kvm_main_loop_wait (env=0x7fa670cb8eb0, timeout=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1858
#2  0x00007fa66f113eed in kvm_main_loop_cpu (_env=0x7fa670cb8eb0) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1994
#3  ap_main_loop (_env=0x7fa670cb8eb0) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2041
#4  0x00007fa66ea527f1 in start_thread () from /lib64/libpthread.so.0
#5  0x00007fa66c3a770d in clone () from /lib64/libc.so.6
Thread 13 (Thread 0x7fa6575fe700 (LWP 12992)):
#0  0x00007fa66c2f597d in sigtimedwait () from /lib64/libc.so.6
#1  0x00007fa66f1138b6 in kvm_main_loop_wait (env=0x7fa670cc6d50, timeout=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1858
#2  0x00007fa66f113eed in kvm_main_loop_cpu (_env=0x7fa670cc6d50) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1994
#3  ap_main_loop (_env=0x7fa670cc6d50) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2041
#4  0x00007fa66ea527f1 in start_thread () from /lib64/libpthread.so.0
#5  0x00007fa66c3a770d in clone () from /lib64/libc.so.6
Thread 12 (Thread 0x7fa655bfc700 (LWP 12993)):
#0  0x00007fa66ea594ed in read () from /lib64/libpthread.so.0
#1  0x00007fa66d823570 in read () at /usr/include/bits/unistd.h:45
#2  spice_backtrace_gstack () at backtrace.c:97
#3  0x00007fa66d8236c5 in spice_backtrace () at backtrace.c:128
#4  0x00007fa66d79a3f2 in handle_dev_update (opaque=0x7fa655a246c0, payload=<value optimized out>) at red_worker.c:10291
#5  0x00007fa66d77fa33 in dispatcher_handle_single_read (dispatcher=0x7fa6720f2568) at dispatcher.c:120
#6  dispatcher_handle_recv_read (dispatcher=0x7fa6720f2568) at dispatcher.c:143
#7  0x00007fa66d798f0c in red_worker_main (arg=<value optimized out>) at red_worker.c:11192
#8  0x00007fa66ea527f1 in start_thread () from /lib64/libpthread.so.0
#9  0x00007fa66c3a770d in clone () from /lib64/libc.so.6
Thread 11 (Thread 0x7fa53f9fc700 (LWP 12997)):
#0  0x00007fa66ea5675b in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1  0x00007fa66f12ae07 in cond_timedwait (unused=<value optimized out>) at posix-aio-compat.c:102
#2  aio_thread (unused=<value optimized out>) at posix-aio-compat.c:329
#3  0x00007fa66ea527f1 in start_thread () from /lib64/libpthread.so.0
#4  0x00007fa66c3a770d in clone () from /lib64/libc.so.6
Thread 10 (Thread 0x7fa53effb700 (LWP 12998)):
#0  0x00007fa66ea5675b in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1  0x00007fa66f12ae07 in cond_timedwait (unused=<value optimized out>) at posix-aio-compat.c:102
#2  aio_thread (unused=<value optimized out>) at posix-aio-compat.c:329
#3  0x00007fa66ea527f1 in start_thread () from /lib64/libpthread.so.0
#4  0x00007fa66c3a770d in clone () from /lib64/libc.so.6
Thread 9 (Thread 0x7fa53e5fa700 (LWP 12999)):
#0  0x00007fa66ea5675b in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1  0x00007fa66f12ae07 in cond_timedwait (unused=<value optimized out>) at posix-aio-compat.c:102
#2  aio_thread (unused=<value optimized out>) at posix-aio-compat.c:329
#3  0x00007fa66ea527f1 in start_thread () from /lib64/libpthread.so.0
#4  0x00007fa66c3a770d in clone () from /lib64/libc.so.6
Thread 8 (Thread 0x7fa53dbf9700 (LWP 13000)):
#0  0x00007fa66ea5675b in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1  0x00007fa66f12ae07 in cond_timedwait (unused=<value optimized out>) at posix-aio-compat.c:102
#2  aio_thread (unused=<value optimized out>) at posix-aio-compat.c:329
#3  0x00007fa66ea527f1 in start_thread () from /lib64/libpthread.so.0
#4  0x00007fa66c3a770d in clone () from /lib64/libc.so.6
Thread 7 (Thread 0x7fa53d1f8700 (LWP 13001)):
#0  0x00007fa66ea5675b in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1  0x00007fa66f12ae07 in cond_timedwait (unused=<value optimized out>) at posix-aio-compat.c:102
#2  aio_thread (unused=<value optimized out>) at posix-aio-compat.c:329
#3  0x00007fa66ea527f1 in start_thread () from /lib64/libpthread.so.0
#4  0x00007fa66c3a770d in clone () from /lib64/libc.so.6
Thread 6 (Thread 0x7fa53c7f7700 (LWP 13002)):
#0  0x00007fa66ea5675b in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1  0x00007fa66f12ae07 in cond_timedwait (unused=<value optimized out>) at posix-aio-compat.c:102
#2  aio_thread (unused=<value optimized out>) at posix-aio-compat.c:329
#3  0x00007fa66ea527f1 in start_thread () from /lib64/libpthread.so.0
#4  0x00007fa66c3a770d in clone () from /lib64/libc.so.6
Thread 5 (Thread 0x7fa53bdf6700 (LWP 13003)):
#0  0x00007fa66ea5675b in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1  0x00007fa66f12ae07 in cond_timedwait (unused=<value optimized out>) at posix-aio-compat.c:102
#2  aio_thread (unused=<value optimized out>) at posix-aio-compat.c:329 out>) at /usr/include/bits/unistd.h:45
#2  read_safe (fd=21, buf=0x7fff98d39f1c, size=4, block=<value optimized out>) at dispatcher.c:57
#3  0x00007fa66d77f8e6 in dispatcher_send_message (dispatcher=0x7fa6720f2568, message_type=1, payload=0x7fff98d39f50) at dispatcher.c:169
#4  0x00007fa66d7800bf in red_dispatcher_update_area (qxl_worker=<value optimized out>, surface_id=<value optimized out>, qxl_area=<value optimized out>, qxl_dirty_rects=<value optimized out>, num_dirty_rects=<value optimized out>, clear_dirty_region=<value optimized out>) at red_dispatcher.c:299
#5  qxl_worker_update_area (qxl_worker=<value optimized out>, surface_id=<value optimized out>, qxl_area=<value optimized out>, qxl_dirty_rects=<value optimized out>, num_dirty_rects=<value optimized out>, clear_dirty_region=<value optimized out>) at red_dispatcher.c:341
#6  0x00007fa66f272396 in qxl_render_update (qxl=0x7fa6720df840) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qxl-render.c:134
#7  0x00007fa66f27070a in qxl_hw_screen_dump (opaque=0x7fa6720df840, filename=0x7fa671206fe0 "/root/sd1") at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qxl.c:1485
#8  0x00007fa66f1529ed in vga_hw_screen_dump (filename=<value optimized out>) at console.c:182
#9  0x00007fa66f0f78ab in do_screen_dump (mon=<value optimized out>, qdict=<value optimized out>, ret_data=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:1309
#10 0x00007fa66f0f7f90 in monitor_call_handler (mon=<value optimized out>, cmd=0x7fa66f5b0ed8, params=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4106
#11 0x00007fa66f0fd190 in handle_user_command (mon=0x7fa670d1a010, cmdline=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4143
#12 0x00007fa66f0fd2ca in monitor_command_cb (mon=0x7fa670d1a010, cmdline=<value optimized out>, opaque=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4698
#13 0x00007fa66f15237d in readline_handle_byte (rs=0x7fa672148270, ch=<value optimized out>) at readline.c:369
#14 0x00007fa66f0fd4f0 in monitor_read (opaque=<value optimized out>, buf=0x7fff98d3a330 "\r", size=1) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4684
#15 0x00007fa66f164fab in qemu_chr_read (opaque=0x7fa670afc600) at qemu-char.c:170
#16 fd_chr_read (opaque=0x7fa670afc600) at qemu-char.c:669
#17 0x00007fa66f0f17d0 in main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4018
#18 0x00007fa66f11118a in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2225
#19 0x00007fa66f0f340c in main_loop (argc=20, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4228
#20 main (argc=20, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6489
/usr/lib64/libspice-server.so.1(+0xbe685)[0x7fa66d823685]
/usr/lib64/libspice-server.so.1(+0x353f2)[0x7fa66d79a3f2]
/usr/lib64/libspice-server.so.1(+0x1aa33)[0x7fa66d77fa33]
/usr/lib64/libspice-server.so.1(+0x33f0c)[0x7fa66d798f0c]
/lib64/libpthread.so.0(+0x3bf5a077f1)[0x7fa66ea527f1]
/lib64/libc.so.6(clone+0x6d)[0x7fa66c3a770d]
Aborted (core dumped)

Comment 13 Alon Levy 2012-02-17 06:58:25 UTC

Hi Shaolong,

Can you please try this:

http://brewweb.devel.redhat.com/brew/taskinfo?taskID=4052823
 - qemu-kvm-0.12.1.2-2.231.el6.alon.bz748810.1

It includes the last patch that Gerd sent to qemu-devel (not to rhvirt yet):

http://patchwork.ozlabs.org/patch/141398/
[v2] qxl: don't render stuff when the vm is stopped.

Alon

Comment 14 Shaolong Hu 2012-02-17 07:57:17 UTC

(In reply to comment #13)
> Hi Shaolong,
> 
> Can you please try this:
> 
> http://brewweb.devel.redhat.com/brew/taskinfo?taskID=4052823
>  - qemu-kvm-0.12.1.2-2.231.el6.alon.bz748810.1

Hi Alon,

It works well.

Comment 15 Gerd Hoffmann 2012-02-17 09:01:52 UTC

Incremental fix posted.

Comment 18 Shaolong Hu 2012-03-08 03:42:04 UTC

Verify this on qemu-kvm-0.12.1.2-2.238.el6.x86_64:

With the same steps in comment 12, no crash, after resume, guest works well, verified.

Comment 20 Suqin Huang 2012-04-26 03:21:53 UTC

Hi Gerd,
This issue also happend in qemu-kvm-0.12.1.2-2.209.el6_2.5

do you plan to fix it in z stream

Thanks & Regards
Suqin

Comment 22 Michal Novotny 2012-05-03 17:55:58 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause:
Run a guest, stop it and try to get a screen dump.

Consequence:
Qemu-kvm crashes with segmentation fault.

Fix:
Fix QXL driver to use shared buffer.

Result:
qemu-kvm doesn't crash

Comment 23 errata-xmlrpc 2012-06-20 11:35:23 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0746.html

Note You need to log in before you can comment on or make changes to this bug.