qemu-system-x86_64 crashed with SIGSEGV in virtio_pci_mask_vq()

Bug #1029201 reported by C de-Avillez on 2012-07-26
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
qemu-kvm (Debian)
Fix Released
Unknown
qemu-kvm (Ubuntu)
Critical
Serge Hallyn

Bug Description

tried to start some VMs today for the Alpha3 testing -- they died with a "kernel: [34396.173557] kvm[16129]: segfault at 10 ip 00007f7e78cdb89e sp 00007f7e6be31ad0 error 4 in qemu-system-x86_64[7f7e78b85000+368000]"; interestingly, apport was not kicked in action.

Tried to start a GDB on a KVM, failed.

Uninstalled PURGE libvirt*, and reinstalled. Run another KVM, and finally I got this bug.

ProblemType: Crash
DistroRelease: Ubuntu 12.10
Package: qemu-kvm 1.1~rc+dfsg-1ubuntu8
ProcVersionSignature: Ubuntu 3.5.0-6.6-generic 3.5.0
Uname: Linux 3.5.0-6-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.4-0ubuntu5
Architecture: amd64
Date: Wed Jul 25 19:35:27 2012
ExecutablePath: /usr/bin/qemu-system-x86_64
InstallationMedia: Ubuntu 12.10 "Quantal Quetzal" - Alpha amd64 (20120701)
KvmCmdLine: Error: command ['ps', '-C', 'kvm', '-F'] failed with exit code 1: UID PID PPID C SZ RSS PSR STIME TTY TIME CMD
MachineType: Dell Inc. Latitude E6410
ProcEnviron: PATH=(custom, no user)
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.5.0-6-generic root=/dev/mapper/hostname--vg-hostname--root ro
SegvAnalysis:
 Segfault happened at: 0x7f7e78cdb89e <virtio_pci_mask_vq+94>: mov (%r8),%edi
 PC (0x7f7e78cdb89e) ok
 source "(%r8)" (0x00000010) not located in a known VMA region (needed readable region)!
 destination "%edi" ok
 Stack memory exhausted (SP below stack segment)
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: qemu-kvm
StacktraceTop:
 virtio_pci_mask_vq (vector=vector@entry=1, vq=0x7f7e7a00f100, masked=masked@entry=0, dev=<error reading variable: Unhandled dwarf expression opcode 0xfa>) at /build/buildd/qemu-kvm-1.1~rc+dfsg/hw/virtio-pci.c:546
 virtio_pci_mask_notifier (dev=0x7f7e79ff5670, vector=1, masked=0) at /build/buildd/qemu-kvm-1.1~rc+dfsg/hw/virtio-pci.c:576
 msix_set_mask_notifier_for_vector (vector=1, dev=0x7f7e79ff5670) at /build/buildd/qemu-kvm-1.1~rc+dfsg/hw/msix.c:562
 msix_set_mask_notifier (dev=dev@entry=0x7f7e79ff5670, f=f@entry=0x7f7e78cdb930 <virtio_pci_mask_notifier>) at /build/buildd/qemu-kvm-1.1~rc+dfsg/hw/msix.c:577
 virtio_pci_set_guest_notifiers (opaque=0x7f7e79ff5670, assign=true) at /build/buildd/qemu-kvm-1.1~rc+dfsg/hw/virtio-pci.c:651
Title: qemu-system-x86_64 crashed with SIGSEGV in virtio_pci_mask_vq()
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups:

dmi.bios.date: 05/26/2011
dmi.bios.vendor: Dell Inc.
dmi.bios.version: A09
dmi.board.name: 0K42JR
dmi.board.vendor: Dell Inc.
dmi.board.version: A01
dmi.chassis.type: 9
dmi.chassis.vendor: Dell Inc.
dmi.modalias: dmi:bvnDellInc.:bvrA09:bd05/26/2011:svnDellInc.:pnLatitudeE6410:pvr0001:rvnDellInc.:rn0K42JR:rvrA01:cvnDellInc.:ct9:cvr:
dmi.product.name: Latitude E6410
dmi.product.version: 0001
dmi.sys.vendor: Dell Inc.

CVE References

C de-Avillez (hggdh2) wrote :

StacktraceTop:
 virtio_pci_mask_vq (vector=vector@entry=1, vq=0x7f7e7a00f100, masked=masked@entry=0, dev=<error reading variable: Unhandled dwarf expression opcode 0xfa>) at /build/buildd/qemu-kvm-1.1~rc+dfsg/hw/virtio-pci.c:546
 virtio_pci_mask_notifier (dev=0x7f7e79ff5670, vector=1, masked=0) at /build/buildd/qemu-kvm-1.1~rc+dfsg/hw/virtio-pci.c:576
 msix_set_mask_notifier_for_vector (vector=1, dev=0x7f7e79ff5670) at /build/buildd/qemu-kvm-1.1~rc+dfsg/hw/msix.c:562
 msix_set_mask_notifier (dev=dev@entry=0x7f7e79ff5670, f=f@entry=0x7f7e78cdb930 <virtio_pci_mask_notifier>) at /build/buildd/qemu-kvm-1.1~rc+dfsg/hw/msix.c:577
 virtio_pci_set_guest_notifiers (opaque=0x7f7e79ff5670, assign=true) at /build/buildd/qemu-kvm-1.1~rc+dfsg/hw/virtio-pci.c:651

Changed in qemu-kvm (Ubuntu):
importance: Undecided → Medium
tags: removed: need-amd64-retrace
Serge Hallyn (serge-hallyn) wrote :

I'm not getting this on my quantal laptop. Can you tell me what guest you were running, and post the guest xml?

Changed in qemu-kvm (Ubuntu):
status: New → Incomplete
C de-Avillez (hggdh2) wrote :

Running a quantal server image, already built, with snapshot. The default XML is:

<domain type='kvm'>
  <name>clean-quantal-server-amd64</name>
  <uuid>b9c140ad-ceb8-0829-cdc1-9dfa2b00a5b9</uuid>
  <memory unit='KiB'>524288</memory>
  <currentMemory unit='KiB'>524288</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type arch='x86_64' machine='pc-1.0'>hvm</type>
    <boot dev='cdrom'/>
    <boot dev='hd'/>
    <bootmenu enable='yes'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/bin/kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' cache='writeback'/>
      <source file='/opt/VM/img/clean-quantal-server-amd64/disk0.qcow2'/>
      <target dev='vda' bus='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <target dev='hdc' bus='ide'/>
      <readonly/>
      <address type='drive' controller='0' bus='1' target='0' unit='0'/>
    </disk>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='usb' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
    </controller>
    <interface type='network'>
      <mac address='52:54:00:b5:86:fb'/>
      <source network='default'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <input type='mouse' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes'/>
    <video>
      <model type='cirrus' vram='9216' heads='1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </memballoon>
  </devices>
</domain>

Changed in qemu-kvm (Ubuntu):
status: Incomplete → New
Serge Hallyn (serge-hallyn) wrote :

Hm, verified. I'm not sure whether the problem is qcow, or something else in your xml. When I use virt-manager to create a VM it runs fine with quantal server, but using your xml tweaked for my paths, it crashes. Investigating.

Changed in qemu-kvm (Ubuntu):
status: New → Triaged
importance: Medium → Critical
Serge Hallyn (serge-hallyn) wrote :

The problem is introduced by using the pc-1.0 machine type. pc-1.1 seems to work for me.

Serge Hallyn (serge-hallyn) wrote :

Testing the patches (from upstream) which solved this in Debian.

After a3 closes I will merge the new debian qemu-kvm.

Changed in qemu-kvm (Ubuntu):
assignee: nobody → Serge Hallyn (serge-hallyn)
status: Triaged → In Progress
Serge Hallyn (serge-hallyn) wrote :

This debdiff fixes the issue for me.

tags: added: patch
Changed in qemu-kvm (Debian):
status: Unknown → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu-kvm - 1.1~rc+dfsg-1ubuntu9

---------------
qemu-kvm (1.1~rc+dfsg-1ubuntu9) quantal; urgency=low

  [ Michael Tokarev ]
  * added two patches from upstream qemu-kvm/stable-1.1 branch:
    qemu-kvm-Add-missing-default-machine-options.patch
    qemu-kvm-virtio-Do-not-register-mask-notifiers-witho.patch
    (Closes: #679788) (LP: #1029201)

  [ Serge Hallyn ]
  * remove ubuntu/CVE-2011-2212-virtqueue-indirect-overflow.patch
    patch, which was actually fixed in qemu 0.15 by
    "virtio: fix indirect descriptor buffer overflow" (Thanks to
    Michael Tokarev for pointing that out)
 -- Serge Hallyn <email address hidden> Thu, 26 Jul 2012 10:31:53 -0500

Changed in qemu-kvm (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.