path: root/gitlab/issues/target_missing/host_missing/accel_missing/839.toml
blob: 8b3c4a06a678009aa7ccaa20ca0d5f91210b4589 (plain) (blame)
id = 839
title = "qxl in COLO secondary node cause QEMU to segmentation fault"
state = "opened"
created_at = "2022-01-25T07:47:42.134Z"
closed_at = "n/a"
labels = ["device:graphics"]
url = "https://gitlab.com/qemu-project/qemu/-/issues/839"
host-os = "Ubuntu Linux 20.04"
host-arch = "x86"
qemu-version = "v6.2.0"
guest-os = "Windows 10"
guest-arch = "x86"
description = """After the COLO checkpoint, the Secondary VM's qemu received a segmentation fault while releasing qxl resources in the interface_release_resource() routine.
I have used gdb and qemu trace to debug the Secondary VM's qemu. The object 'qxl->last_release' is NULL and the object 'ring->items[prod].el' != 0, which leads to a null pointer dereference.
During the COLO checkpoint, the Secondary VM's qemu has loaded the Primary VM's qxl states, so I think it does not need to release qxl resources."""
reproduce = """1. Start up the Primary VM and Secondary VM in COLO mode, and attach gdb to the Secondary VM's qemu.
2. Connect to the Primary VM's spice server.
3. The Secondary VM's qemu will receive a segmentation fault."""
additional = """gdb attached to the Secondary VM's qemu:
```
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ff9e3bff700 (LWP 44703)]
0x0000555555b2e8d6 in interface_release_resource (sin=0x555557d7c8a8, ext=...) at ../hw/display/qxl.c:783
783\t        qxl->last_release->next = ext.info->id;
(gdb) bt
#0  0x0000555555b2e8d6 in interface_release_resource (sin=0x555557d7c8a8, ext=...) at ../hw/display/qxl.c:783
#1  0x00007fffd7751dd1 in red_drawable_unref () at /lib64/libspice-server.so.1
#2  0x00007fffd771eabe in drawable_unref () at /lib64/libspice-server.so.1
#3  0x00007fffd77206a7 in draw_until () at /lib64/libspice-server.so.1
#4  0x00007fffd771f7cd in display_channel_draw () at /lib64/libspice-server.so.1
#5  0x00007fffd7721b51 in display_channel_process_draw () at /lib64/libspice-server.so.1
#6  0x00007fffd7752142 in red_process_display () at /lib64/libspice-server.so.1
#7  0x00007fffd77521fb in worker_source_dispatch () at /lib64/libspice-server.so.1
#8  0x00007fffd6c2f049 in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#9  0x00007fffd6c2f3a8 in g_main_context_iterate.isra.19 () at /lib64/libglib-2.0.so.0
#10 0x00007fffd6c2f67a in g_main_loop_run () at /lib64/libglib-2.0.so.0
#11 0x00007fffd775166a in red_worker_main () at /lib64/libspice-server.so.1
#12 0x00007fffd5658dd5 in start_thread () at /lib64/libpthread.so.0
#13 0x00007fffd538202d in clone () at /lib64/libc.so.6
(gdb) frame 0
#0  0x0000555555b2e8d6 in interface_release_resource (sin=0x555557d7c8a8, ext=...) at ../hw/display/qxl.c:783
783\t        qxl->last_release->next = ext.info->id;
(gdb) print qxl->last_release
$1 = (QXLReleaseInfo *) 0x0
```

qemu trace log:
```
44840@1643012769.363844:colo_send_message Send 'checkpoint-reply' message
44840@1643012773.579053:colo_receive_message Receive 'vmstate-send' message
44840@1643012773.978838:colo_receive_message Receive 'vmstate-size' message
44840@1643012773.979041:colo_send_message Send 'vmstate-received' message
44840@1643012774.180598:qxl_pre_load 0
44703@1643012774.180660:qxl_ring_res_put 0 #res=20
44840@1643012774.182627:qxl_post_load 0 native
44840@1643012774.197993:colo_vm_state_change Change 'stop' => 'run'
44840@1643012774.198030:colo_send_message Send 'vmstate-loaded' message
```"""