Bug 1003162 - qemu segfaults when libvirt queries query-tpm-types (i686)
Summary: qemu segfaults when libvirt queries query-tpm-types (i686)
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: qemu
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Fedora Virtualization Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 998759
Depends On:
Blocks: TRACKER-bugs-affecting-libguestfs
 
Reported: 2013-08-31 10:43 UTC by Richard W.M. Jones
Modified: 2013-09-04 13:09 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-09-04 13:09:04 UTC
Type: Bug
Embargoed:


Attachments:

Description Richard W.M. Jones 2013-08-31 10:43:25 UTC
Description of problem:

When 32-bit Rawhide boots, you can see lots of segfaults (apparently
coming from libvirtd as it tries to test for capabilities):

[   88.578661] qemu-system-alp[995]: segfault at 10 ip b7641bd9 sp bfbf1a60 error 4 in qemu-system-alpha[b737f000+3c3000]
[   89.270417] qemu-system-arm[999]: segfault at 10 ip b75f8bc9 sp bff75fe0 error 4 in qemu-system-arm[b725f000+4de000]
[   90.353598] qemu-system-cri[1005]: segfault at 10 ip b7684039 sp bf8f2990 error 4 in qemu-system-cris[b749f000+2a1000]
[   91.350915] qemu-system-i38[1023]: segfault at 10 ip b75f0459 sp bfe10d80 error 4 in qemu-system-i386[b727d000+495000]
[   92.324018] qemu-system-lm3[1035]: segfault at 10 ip b771c569 sp bf97e760 error 4 in qemu-system-lm32[b7543000+294000]
[   93.246371] qemu-system-m68[1041]: segfault at 10 ip b7669169 sp bfdb3c30 error 4 in qemu-system-m68k[b73de000+380000]
[   94.066910] qemu-system-mic[1045]: segfault at 10 ip b7720219 sp bf9ea0c0 error 4 in qemu-system-microblaze[b7542000+298000]
[   94.824833] qemu-system-mic[1055]: segfault at 10 ip b7733ef9 sp bfcbca00 error 4 in qemu-system-microblazeel[b7556000+298000]
[   95.392414] qemu-system-mip[1081]: segfault at 10 ip b7697a79 sp bf80e6a0 error 4 in qemu-system-mips[b7344000+467000]
[   95.979270] qemu-system-mip[1089]: segfault at 10 ip b76c6669 sp bfcd1900 error 4 in qemu-system-mipsel[b7373000+467000]
[   96.558308] qemu-system-mip[1121]: segfault at 10 ip b76975a9 sp bfddfec0 error 4 in qemu-system-mips64[b72c6000+4e8000]
[   97.102704] qemu-system-mip[1129]: segfault at 10 ip b76cf139 sp bfba8540 error 4 in qemu-system-mips64el[b72fb000+4eb000]
[   97.664494] qemu-system-ppc[1161]: segfault at 10 ip b75f21a9 sp bfef3fb0 error 4 in qemu-system-ppc[b7226000+500000]
[   98.753931] qemu-system-ppc[1183]: segfault at 10 ip b766ab69 sp bfd75fa0 error 4 in qemu-system-ppc64[b71b2000+5f7000]
[   99.352690] qemu-system-ppc[1204]: segfault at 10 ip b7626439 sp bfb8b6f0 error 4 in qemu-system-ppcemb[b725d000+4fd000]
[   99.884794] qemu-system-s39[1233]: segfault at 10 ip b7693329 sp bfe74650 error 4 in qemu-system-s390x[b7472000+2ec000]
[  100.426612] qemu-system-sh4[1244]: segfault at 10 ip b7654f79 sp bfd95340 error 4 in qemu-system-sh4[b73bc000+38e000]
[  101.036654] qemu-system-sh4[1268]: segfault at 10 ip b76b7369 sp bfb338b0 error 4 in qemu-system-sh4eb[b741e000+38e000]
[  101.816074] qemu-system-spa[1303]: segfault at 10 ip b7717cb9 sp bf91d8f0 error 4 in qemu-system-sparc[b7517000+2c1000]
[  102.381421] qemu-system-spa[1352]: segfault at 10 ip b76311b9 sp bfdfd370 error 4 in qemu-system-sparc64[b735b000+3d0000]
[  102.888573] qemu-system-uni[1358]: segfault at 10 ip b7689679 sp bf86de30 error 4 in qemu-system-unicore32[b74bb000+285000]
[  103.326221] qemu-system-x86[1366]: segfault at 10 ip b7680869 sp bffb88e0 error 4 in qemu-system-x86_64[b72d1000+4d2000]
[  103.837951] qemu-system-xte[1398]: segfault at 10 ip b7704a79 sp bfaf10e0 error 4 in qemu-system-xtensa[b752a000+294000]
[  104.329860] qemu-system-xte[1406]: segfault at 10 ip b7726c19 sp bffd4150 error 4 in qemu-system-xtensaeb[b754c000+294000]

However just running qemu works OK, so still investigating.

Version-Release number of selected component (if applicable):

qemu-1.6.0-1.fc20.i686

How reproducible:

Unknown.

Steps to Reproduce:

Unknown.
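The kernel lines quoted above already say a lot before any debugger is attached: "segfault at 10" is the faulting data address, "error 4" is the x86 page-fault error code (user-mode read of an unmapped page), and "in qemu-system-alpha[b737f000+3c3000]" names the mapping that contains the faulting instruction. A fault address of 0x10 on the (always unmapped) first page means a NULL struct pointer dereferenced through a field 16 bytes in, which is exactly the obj=0x10 argument that later shows up in the backtrace. The decoder below is an added example for this page, not code from the report, QEMU or Fedora; it parses the log format and the error-code bits (the field names and the null_deref heuristic are this example's own) and uses three of the lines above as its sample input.

```python
import re
from collections import Counter

# Three of the kernel log lines quoted in the description above.
SAMPLE_LINES = [
    "[   88.578661] qemu-system-alp[995]: segfault at 10 ip b7641bd9 sp bfbf1a60 error 4 in qemu-system-alpha[b737f000+3c3000]",
    "[   89.270417] qemu-system-arm[999]: segfault at 10 ip b75f8bc9 sp bff75fe0 error 4 in qemu-system-arm[b725f000+4de000]",
    "[  103.326221] qemu-system-x86[1366]: segfault at 10 ip b7680869 sp bffb88e0 error 4 in qemu-system-x86_64[b72d1000+4d2000]",
]

# Format printed by the x86 kernel for a SIGSEGV; the timestamp prefix and the
# trailing "in object[start+size]" part are both optional.
SEGFAULT_RE = re.compile(
    r"(?:\[\s*(?P<ts>\d+\.\d+)\]\s+)?"
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
    r"(?: in (?P<obj>[^\s\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

# x86 page-fault error code bits, as printed in decimal after "error".
PF_PROT, PF_WRITE, PF_USER, PF_RSVD, PF_INSTR = 1, 2, 4, 8, 16


def decode_segfault(line):
    """Parse one 'segfault at' line into a dict, or return None if it is not one."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    err = int(m["err"])
    addr = int(m["addr"], 16)
    ip = int(m["ip"], 16)
    base = int(m["base"], 16) if m["base"] else None
    return {
        "comm": m["comm"],                  # truncated by the kernel to 15 characters
        "pid": int(m["pid"]),
        "addr": addr,
        "ip": ip,
        "sp": int(m["sp"], 16),
        "error": err,
        "present": bool(err & PF_PROT),     # False: the page was not mapped at all
        "write": bool(err & PF_WRITE),      # False: a read faulted
        "user": bool(err & PF_USER),        # True: fault taken in user mode
        "instr": bool(err & PF_INSTR),      # True: instruction fetch, not a data access
        "obj": m["obj"],
        "base": base,
        # Offset of the faulting instruction into the mapping the kernel named.
        # For the first (text) mapping of a PIE binary this is the address to
        # look up with objdump/addr2line against the matching debuginfo.
        "ip_offset": ip - base if base is not None else None,
        # Heuristic (this example's own): a fault inside the first page means a
        # NULL struct pointer dereferenced through a field at that offset.
        "null_deref": addr < 0x1000,
    }


def summarize(lines):
    """Group a batch of segfault lines by (fault address, error code).

    Many different binaries all faulting at the same address with the same
    error code is the signature of one shared bug (here: every qemu-system-*
    target built from the same source), not of a flaky host.
    """
    decoded = [d for d in (decode_segfault(l) for l in lines) if d]
    groups = Counter((d["addr"], d["error"]) for d in decoded)
    return {
        "faults": len(decoded),
        "groups": groups,
        "objects": sorted({d["obj"] for d in decoded if d["obj"]}),
        "single_cause": len(groups) == 1,
    }


if __name__ == "__main__":
    for d in map(decode_segfault, SAMPLE_LINES):
        print(f"{d['obj']}: {'user' if d['user'] else 'kernel'} "
              f"{'write' if d['write'] else 'read'} of "
              f"{'present' if d['present'] else 'unmapped'} page at {d['addr']:#x}, "
              f"ip is {d['ip_offset']:#x} into the mapping"
              f"{' (NULL pointer + offset)' if d['null_deref'] else ''}")
    print(summarize(SAMPLE_LINES))
```

Running it over the full list above shows every qemu-system-* binary faulting at 0x10 with error 4, which is why one fix in shared code (rather than 24 separate bugs) is the right expectation before the backtrace is even collected.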

Comment 1 Richard W.M. Jones 2013-08-31 11:06:11 UTC
So I realized I had an out of date repository link, hence qemu
wasn't fully up to date.  However, this still happens with
qemu-1.6.0-5.fc21.i686 which is the latest version.

Comment 2 Richard W.M. Jones 2013-08-31 11:34:53 UTC
Finally I managed to get a stack trace.  Rawhide is especially
buggy today.

Thread 1 (Thread 0xb3d5b900 (LWP 4581)):
#0  output_type_enum (v=0xb9810590, obj=0x10, 
    strings=0xb7817ea0 <TpmType_lookup>, kind=0xb76c7dd0 "TpmType", name=0x0, 
    errp=0xbfa1ddf8) at qapi/qapi-visit-core.c:306
#1  0xb7674125 in visit_type_enum (v=v@entry=0xb9810590, obj=0x10, 
    strings=0xb7817ea0 <TpmType_lookup>, kind=kind@entry=0xb76c7dd0 "TpmType", 
    name=name@entry=0x0, errp=errp@entry=0xbfa1ddf8)
    at qapi/qapi-visit-core.c:114
#2  0xb7577b74 in visit_type_TpmType (errp=0xbfa1ddf8, name=0x0, 
    obj=<optimized out>, m=0xb9810590) at qapi-visit.c:5220
#3  visit_type_TpmTypeList (m=0xb9810590, obj=obj@entry=0xbfa1de48, 
    name=name@entry=0xb769f952 "unused", errp=errp@entry=0xbfa1de44)
    at qapi-visit.c:5206
#4  0xb759211e in qmp_marshal_output_query_tpm_types (errp=0xbfa1de44, 
    ret_out=0xbfa1dea8, ret_in=0xb9811420) at qmp-marshal.c:3795
#5  qmp_marshal_input_query_tpm_types (mon=0xb98054d0, qdict=0xb9809cd8, 
    ret=0xbfa1dea8) at qmp-marshal.c:3817
#6  0xb7637e6a in qmp_call_cmd (cmd=<optimized out>, params=0xb9809cd8, 
    mon=0xb98054d0) at /usr/src/debug/qemu-1.6.0/monitor.c:4501
#7  handle_qmp_command (parser=0xb980552c, tokens=0xb9805078)
    at /usr/src/debug/qemu-1.6.0/monitor.c:4567
#8  0xb767a6df in json_message_process_token (lexer=0xb9805530, 
    token=0xb980ff08, type=JSON_OPERATOR, x=47, y=26)
    at qobject/json-streamer.c:87
#9  0xb768e29b in json_lexer_feed_char (lexer=lexer@entry=0xb9805530, 
    ch=<optimized out>, flush=flush@entry=false) at qobject/json-lexer.c:303
#10 0xb768e3c8 in json_lexer_feed (lexer=lexer@entry=0xb9805530, 
    buffer=buffer@entry=0xbfa1e06c "}", size=size@entry=1)
    at qobject/json-lexer.c:356
#11 0xb767a8fb in json_message_parser_feed (parser=0xb980552c, 
    buffer=buffer@entry=0xbfa1e06c "}", size=size@entry=1)
    at qobject/json-streamer.c:110
#12 0xb76368eb in monitor_control_read (opaque=0xb98054d0, buf=0xbfa1e06c "}", 
    size=1) at /usr/src/debug/qemu-1.6.0/monitor.c:4588
#13 0xb757f6ba in qemu_chr_be_write (len=1, buf=0xbfa1e06c "}", s=0xb9803a00)
    at qemu-char.c:165
#14 tcp_chr_read (chan=0xb9805bc0, cond=G_IO_IN, opaque=0xb9803a00)
    at qemu-char.c:2509
#15 0xb72e0876 in g_io_unix_dispatch () from /usr/lib/libglib-2.0.so.0
#16 0xb729a286 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#17 0xb7547d9a in glib_pollfds_poll () at main-loop.c:188
#18 os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:233
#19 main_loop_wait (nonblocking=1) at main-loop.c:465
#20 0xb73edd21 in main_loop () at vl.c:2090
#21 main (argc=12, argv=0xbfa1f414, envp=0xbfa1f448) at vl.c:4432

Comment 3 Richard W.M. Jones 2013-08-31 11:43:39 UTC
Unfortunately the full monitor command is optimized out, but
looking at the stack trace it seems as if libvirt is sending
the json command "query-tpm-types", and qemu is segfaulting
when trying to print the reply.

Comment 4 Richard W.M. Jones 2013-08-31 12:04:08 UTC
OK, it's a qemu bug.  Here is a simple reproducer:

$ qemu-system-i386 -S -nodefaults -nographic -M none -qmp stdio
{"QMP": {"version": {"qemu": {"micro": 0, "minor": 6, "major": 1}, "package": ""}, "capabilities": []}}
{"execute":"qmp_capabilities"}
{"return": {}}
{"execute":"query-status"}
{"return": {"status": "prelaunch", "singlestep": false, "running": false}}
{"execute":"query-tpm-types"}
Segmentation fault (core dumped)

Comment 5 Richard W.M. Jones 2013-08-31 12:28:49 UTC
Reproducer in one (long) line of code:

(sleep 5; printf '{"execute":"qmp_capabilities"}\n{"execute":"query-tpm-types"}\n') | qemu-system-i386 -S -nodefaults -nographic -M none -qmp stdio

For me:

- Fails: Fedora qemu-1.6.0-5.fc21.i686
- Works: upstream qemu git on x86-64
- Works: upstream qemu git on i686
- Works: qemu @ v1.6.0 on i686

So it must be a patch that we're applying in Fedora, or else
some stack hardening stuff.

Comment 6 Richard W.M. Jones 2013-08-31 12:43:46 UTC
Actually it's because Fedora uses

  ./configure --enable-tpm

Building with that flag:

- Fails: Fedora qemu-1.6.0-5.fc21.i686
- Works: upstream qemu git on x86-64
- Fails: upstream qemu git on i686
- Fails: qemu @ v1.6.0 on i686

Since this is an upstream bug, I have filed a bug there:

https://bugs.launchpad.net/qemu/+bug/1219207
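One way to automate the works/fails comparison of comments 4 to 6 across several builds, as an added example that is not part of the report or of QEMU or Fedora: drive the same command line from comment 4 from Python, tag each QMP command with an "id" (which QMP echoes back in the reply) so the answer to query-tpm-types can be told apart from the greeting and the qmp_capabilities reply, send "quit" last so a non-crashing QEMU exits instead of hanging, and classify the outcome from the return code. The QEMU flags and QMP command names are the ones on the page; the function names, the result dict and the verdict strings are this example's own. As comment 6 records, only builds configured with --enable-tpm reproduce the crash, so run it against each binary you want to compare.

```python
import json
import signal
import subprocess

# Command line from comment 4: no machine, no default devices, guest paused,
# QMP monitor on stdio.
QEMU_BARE_ARGS = ["-S", "-nodefaults", "-nographic", "-M", "none", "-qmp", "stdio"]


def qmp_script(commands):
    """One JSON object per line; the "id" is echoed back by QMP in the reply."""
    return "".join(json.dumps({"execute": c, "id": c}) + "\n" for c in commands)


def qmp_probe(argv, commands, timeout=30):
    """Run argv, feed the QMP commands on stdin and classify how it ended.

    Returns a dict with 'status' (ok / exit / crashed / timeout), the raw
    returncode, the signal name for a crash, and the parsed replies keyed by id.
    """
    try:
        proc = subprocess.run(argv, input=qmp_script(commands),
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return {"status": "timeout", "returncode": None, "signal": None, "replies": {}}

    replies = {}
    for line in proc.stdout.splitlines():
        try:
            msg = json.loads(line)
        except ValueError:
            continue                      # not JSON (e.g. a warning on stdout)
        if isinstance(msg, dict) and "id" in msg:
            replies[msg["id"]] = msg

    rc = proc.returncode
    if rc < 0:
        # Python reports death by signal as a negative return code; a shell
        # pipeline like the one-liner in comment 5 reports the same as 128+signo.
        return {"status": "crashed", "returncode": rc,
                "signal": signal.Signals(-rc).name, "replies": replies}
    return {"status": "ok" if rc == 0 else "exit", "returncode": rc,
            "signal": None, "replies": replies}


def probe_qemu_binary(qemu, command="query-tpm-types", timeout=30):
    """Send qmp_capabilities, the command under test, then quit, and give a verdict."""
    result = qmp_probe([qemu] + QEMU_BARE_ARGS, ["qmp_capabilities", command, "quit"], timeout)
    reply = result["replies"].get(command)
    if result["status"] == "crashed":
        result["verdict"] = "crash"               # the behaviour in this report
    elif reply is None:
        result["verdict"] = "no-reply"
    elif "error" in reply:
        result["verdict"] = "error: " + reply["error"].get("class", "?")
    else:
        result["verdict"] = "return"              # fixed build: a TpmType list comes back
    return result


if __name__ == "__main__":
    import sys
    for binary in sys.argv[1:] or ["qemu-system-i386"]:
        r = probe_qemu_binary(binary)
        print(binary, r["status"], r["signal"] or "", r["verdict"])
```

Usage: python3 probe.py /path/to/qemu-system-i386 /other/build/qemu-system-i386. The "crash"/"return" verdicts correspond directly to the Fails/Works columns in comments 5 and 6.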

Comment 7 Cole Robinson 2013-08-31 13:52:27 UTC
*** Bug 998759 has been marked as a duplicate of this bug. ***

Comment 8 Cole Robinson 2013-08-31 22:37:06 UTC
I've posted a patch upstream for this.

Comment 9 Cole Robinson 2013-09-04 13:09:04 UTC
Fixed in qemu-1.6.0-6.fc21

