1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
|
permissions: 0.964
graphic: 0.963
semantic: 0.959
architecture: 0.956
performance: 0.944
register: 0.944
virtual: 0.936
assembly: 0.929
device: 0.925
arm: 0.915
network: 0.908
debug: 0.904
files: 0.902
kernel: 0.886
PID: 0.882
boot: 0.877
socket: 0.877
TCG: 0.855
ppc: 0.855
peripherals: 0.852
mistranslation: 0.823
user-level: 0.819
risc-v: 0.804
VMM: 0.797
vnc: 0.796
KVM: 0.790
hypervisor: 0.774
x86: 0.755
i386: 0.623
Booting Windows 2016 with qxl video crashes qemu
launched from libvirt.
qemu version: 2.9.0
host: Linux <hostname> 4.9.34-gentoo #1 SMP Sat Jul 29 13:28:43 PDT 2017 x86_64 Intel(R) Core(TM) i7-3930K CPU @ 3.20GHz GenuineIntel GNU/Linux
guest: Windows 2016 64 bit
Thread 28 (Thread 0x7f0e2edff700 (LWP 29860)):
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
set = {__val = {18446744067266837079, 139698892694944, 139699853745096, 139700858749789, 4222451712, 139694281220640, 139694281220741, 139694281220640, 139694281220640, 139694281220810,
139694281220940, 139694281220640, 139694281220940, 0, 0, 0}}
pid = <optimized out>
tid = <optimized out>
#1 0x00007f0ea40b644a in __GI_abort () at abort.c:89
save_stage = 2
act = {__sigaction_handler = {sa_handler = 0x7f0e2edfe5c0, sa_sigaction = 0x7f0e2edfe5c0}, sa_mask = {__val = {139694281219872, 139698106269697, 139698892695344, 4, 2676511744, 0, 139698892695144, 0,
139698892694912, 1, 4737316546111099904, 139700859888720, 4737316546111099904, 139700862161824, 139700911349760, 94211934977482}}, sa_flags = 416,
sa_restorer = 0x55af6ceb0500 <__PRETTY_FUNCTION__.36381>}
sigs = {__val = {32, 0 <repeats 15 times>}}
#2 0x00007f0ea40abab6 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x55af6ceafdca "offset < qxl->vga.vram_size",
file=file@entry=0x55af6ceaeaa0 "/var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c", line=line@entry=416,
function=function@entry=0x55af6ceb0500 <__PRETTY_FUNCTION__.36381> "qxl_ram_set_dirty") at assert.c:92
str = 0x7f0d1c026220 "\340r\002\034\r\177"
total = 4096
#3 0x00007f0ea40abb81 in __GI___assert_fail (assertion=assertion@entry=0x55af6ceafdca "offset < qxl->vga.vram_size",
file=file@entry=0x55af6ceaeaa0 "/var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c", line=line@entry=416,
function=function@entry=0x55af6ceb0500 <__PRETTY_FUNCTION__.36381> "qxl_ram_set_dirty") at assert.c:101
No locals.
#4 0x000055af6cc58805 in qxl_ram_set_dirty (qxl=<optimized out>, ptr=<optimized out>) at /var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c:416
base = <optimized out>
offset = <optimized out>
qxl = <optimized out>
ptr = <optimized out>
base = <optimized out>
offset = <optimized out>
#5 0x000055af6cc5b9e2 in interface_release_resource (sin=0x55af71a91ed0, ext=...) at /var/tmp/portage/app-emulation/qemu-2.9.0-r2/work/qemu-2.9.0/hw/display/qxl.c:767
qxl = 0x55af71a91450
ring = <optimized out>
item = <optimized out>
id = 18446690739814400920
__func__ = "interface_release_resource"
#6 0x00007f0ea510afa8 in red_drawable_unref (red_drawable=0x7f0d1c026120) at red-worker.c:101
No locals.
#7 0x00007f0ea510b609 in red_drawable_unref (red_drawable=<optimized out>) at red-worker.c:104
No locals.
#8 0x00007f0ea510eae9 in drawable_unref (drawable=drawable@entry=0x7f0e68285ac0) at display-channel.c:1438
display = 0x55af71dbd3c0
__FUNCTION__ = "drawable_unref"
#9 0x00007f0ea51109f7 in draw_until (display=display@entry=0x55af71dbd3c0, surface=surface@entry=0x7f0e6828aae8, last=0x7f0e68285ac0) at display-channel.c:1637
container = 0x0
now = 0x7f0e68285ac0
#10 0x00007f0ea510f93f in display_channel_draw (display=0x55af71dbd3c0, area=0x7f0e2edfe8e0, surface_id=<optimized out>) at display-channel.c:1729
surface = 0x7f0e6828aae8
last = <optimized out>
__FUNCTION__ = "display_channel_draw"
__func__ = "display_channel_draw"
I reproduce it on 2.10.0
Hi Maciej,
Can you clarify:
a) What version of the qxl drivers you have installed in windows
b) Does it crash immediately or only when you do something specific?
c) Can you give the qemu command line and/or libvirt xml
d) What resolution have you got the guest set at?
e) What version are your spice-server libraries at?
Sorry - email with reply got misdirected in inbox:
a) qxldod.sys 02/20/2017,10.0.0.16000
b) Immediately during boot. I assume during loading the driver
c) Attached working configuration. For repro I change cirrus to qxl and delete arguments to have defaults set by libvirt.
d) 1920x1080 I think. I cannot double check as it, well, crashes
e) 0.13.90
Doesn't reproduce. It's a newer driver though (10.0.0.18000).
Does updating the driver help?
It helps but I'm quite sure that lower level security systems (guest) should never be able to crash higher level security systems (hypervisor).
PS. It repros in 2.10.0 as well.
Guest triggerable assert() isn't exactly nice indeed.
But it's not a show stopper.
It doesn't allow exploiting the host, the guest can only DoS itself.
And you must be priviledged in the guest to do so.
Most likely this is the driver placing the qxl commands in the wrong pci bar. See commit 86dbcdd9c7590d06db89ca256c5eaf0b4aba8858. Seems the impact is more than breaking live migration. So, I can raise a error irq and have qxl enter guest bug mode. That doesn't improve the situation much though, the guest will continue running but you will have broken display ...
Does this issue still persist with the latest version of QEMU/libvirt/qxl-drivers ?
[Expired for QEMU because there has been no activity for 60 days.]
|