Running "setfont ter-118n" causes the qemu-kvm vm to immediately crash/shutdown and go into an "offline" state. It only seems to be associated with the terminus fonts as I can use other console fonts ok, i.e. other lat2 sizes. Version-Release number of selected component (if applicable): qemu-1.4.2-5.fc19.x86_64 kernel-3.10.6-200.fc19.x86_64 virt-manager-0.10.0-1.fc19.noarch terminus-fonts-console-4.36-4.fc19.noarch How reproducible: always Steps to Reproduce: 1. install f19 into a qemu-kvm vm 2. install terminus fonts 3. run "setfont ter-118n" Actual results: crash/shutdown of vm Expected results: console font changed to terminus font Additional info: Not sure if this is the right component but starting here. Outside of the kvm, I can change my console font to terminus fine.
I cannot reproduce this with a Fedora 20 guest on a Fedora 19 host. Can you get a core dump / stack trace from qemu? That's really what we need here.
Created attachment 787342 [details] gdb trace of qemu process
Here's a backtrace of the qemu process just after I run setfont. Hope this helps. If there's more I can do, let me know and I can attempt it. (strange... this crash also happens with me with a Fedora 20 guest)
Ah right, you're using spice (I'm using VNC).
The error that spice tries to emit just before the crash is: red_parse_qxl.c:359: image stride too small for width: %d < ((%d * %d + 7) / 8) (%s=%d) (the values are lost)
Re-assigning this to Yonith, who probably knows this part of the code the best.
The bug is guest driver related: a DRAW_COPY command includes a bitmap with format SPICE_BITMAP_FMT_1BIT, width=10, and stride=1. The stride should be at least 2. I'm moving the bug to qxl.
(In reply to Yonit Halperin from comment #7) > The bug is guest driver related: a DRAW_COPY command includes a bitmap with > format SPICE_BITMAP_FMT_1BIT, width=10, and stride=1. The stride should be > at least 2. > I'm moving the bug to qxl. Hang on, the spice server on the host should *never* crash, even if the X server in the guest sends bogus rubbish.
Also, the bug happens in the console. How is X involved here?
Yonit, First I agree with Richard, we need to fix the server too - we should never crash. Second it's probaby the kernel driver, since X is not involved. So I suggest to clone this bug, and assign this one to the spice server and the clone to the kernel. You can assign me to the kernel one. Alon
Yes, this bug is about stopping SPICE from crashing QEMU when the guest does something bad. If there's a bug in Xorg qxl driver that is triggering the host QEMU / SPICE crash that needs to be dealt with separately.
A patch that fixes the issue is now committed in upstream spice git http://cgit.freedesktop.org/spice/spice/commit/?id=eb09c25c628b5baba069aba3ff72ea71917f533f
There are 93 other calls to spice_error. Are you sure none of them can ever be triggered by client code? To pick one of these at random: static void qxl_process_cursor(RedWorker *worker, RedCursorCmd *cursor_cmd, uint32_t group_id) { CursorItem *cursor_item; int cursor_show = FALSE; cursor_item = get_cursor_item(worker, cursor_cmd, group_id); switch (cursor_cmd->type) { case QXL_CURSOR_SET: [...] break; case QXL_CURSOR_MOVE: [...] break; case QXL_CURSOR_HIDE: [...] break; case QXL_CURSOR_TRAIL: [...] break; default: spice_error("invalid cursor command %u", cursor_cmd->type); } cursor_cmd->type is an 8 bit unsigned int. Doesn't it get passed from the guest (via get_virt)? What if the guest passes an unexpected value here?
(In reply to Richard W.M. Jones from comment #13) > There are 93 other calls to spice_error. Are you sure none > of them can ever be triggered by client code? I did not go over all spice_error calls, only the one hit by this bug. Christophe replaced some more spice_error calls with spice_warning. Likely, some of the remaining spice_error calls are triggered by bad values from the client/driver. Those remaining calls should be reviewed and handled if found problematic.
(In reply to Richard W.M. Jones from comment #13) > There are 93 other calls to spice_error. Are you sure none > of them can ever be triggered by client code? > > To pick one of these at random: > > static void qxl_process_cursor(RedWorker *worker, RedCursorCmd *cursor_cmd, > uint32_t group_id) > { > CursorItem *cursor_item; > int cursor_show = FALSE; > > cursor_item = get_cursor_item(worker, cursor_cmd, group_id); > > switch (cursor_cmd->type) { > case QXL_CURSOR_SET: > [...] > break; > case QXL_CURSOR_MOVE: > [...] > break; > case QXL_CURSOR_HIDE: > [...] > break; > case QXL_CURSOR_TRAIL: > [...] > break; > default: > spice_error("invalid cursor command %u", cursor_cmd->type); > } > > cursor_cmd->type is an 8 bit unsigned int. Doesn't it get passed from > the guest (via get_virt)? What if the guest passes an unexpected > value here? this will very likely abort(). There are tons of way to make the server code abort() from misbehaving client, but I was told we wanted that by default.I managed to convince to have runtime flag SPICE_ABORT_LEVEL to change that behaviour, but the server code is roted in its roots, and there are countless ways to make the server abort or simply crash. Few of us really focused on improving the current server code base...
(In reply to Uri Lublin from comment #14) > (In reply to Richard W.M. Jones from comment #13) > > There are 93 other calls to spice_error. Are you sure none > > of them can ever be triggered by client code? > > I did not go over all spice_error calls, only the one hit by this bug. > Christophe replaced some more spice_error calls with spice_warning. Fwiw, I only looked at the other spice_error() in the same file as that one (red_parse_qxl.c), while feeling bad at the same time not to go over more of these...
*** Bug 1025382 has been marked as a duplicate of this bug. ***
Doesn't look like this is in fedora yet. Maybe time for another upstream spice bugfix release?
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
This message is a notice that Fedora 19 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 19. It is Fedora's policy to close all bug reports from releases that are no longer maintained. Approximately 4 (four) weeks from now this bug will be closed as EOL if it remains open with a Fedora 'version' of '19'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 19 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 19 changed to end-of-life (EOL) status on 2015-01-06. Fedora 19 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.