From: Stefan Berger <1784900@bugs.launchpad.net>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] [Bug 1784900] Re: QEMU (frontend) crashes upon warm reboot with virtio-gpu device and vga=775 on Linux cmdline
Date: Thu, 02 Aug 2018 00:03:04 -0000	[thread overview]
Message-ID: <153316818472.18210.7680271968873338296.malone@soybean.canonical.com> (raw)
In-Reply-To: 153314156256.17371.7866837258800403867.malonedeb@soybean.canonical.com

The reason for this bug is memory corruption in glibc's memory chunk
header that sits in front of a bitmap that pixman is allocating and
maintaining as image->bits.free_me. I set a memory watchpoint on this
memory location, and this code here triggered it and corrupted what seems
to be a memory chunk size indicator, which upon free() causes glibc to
print 'invalid pointer':

Thread 1 "qemu-system-x86" hit Hardware watchpoint 2: *0x7f6160361d88

Old value = 3145749
New value = 0
vga_draw_line8 (vga=vga@entry=0x556d68549b30, d=0x7f6160361d80 "", d@entry=0x7f61603615e0 "", addr=983528, width=<optimized out>)
    at /home/stefanb/tmp/qemu-tip/hw/display/vga-helpers.h:297
297	        ((uint32_t *)d)[3] = palette[vga_read_byte(vga, addr + 3)];


(gdb) bt
#0  vga_draw_line8 (vga=vga@entry=0x556d68549b30, d=0x7f6160361d80 "", d@entry=0x7f61603615e0 "", addr=983528, width=<optimized out>)
    at /home/stefanb/tmp/qemu-tip/hw/display/vga-helpers.h:297
#1  0x0000556d659918ee in vga_draw_graphic (full_update=0, s=0x556d68549b30) at /home/stefanb/tmp/qemu-tip/hw/display/vga.c:1695
#2  vga_update_display (opaque=0x556d68549b30) at /home/stefanb/tmp/qemu-tip/hw/display/vga.c:1782
#3  0x0000556d65c0cd92 in vnc_refresh (dcl=0x556d683055a8) at ui/vnc.c:3046
#4  0x0000556d65bff702 in dpy_refresh (s=0x556d686be540) at ui/console.c:1658
#5  gui_update (opaque=0x556d686be540) at ui/console.c:205
#6  0x0000556d65d0deac in timerlist_run_timers (timer_list=0x556d66de0e00) at util/qemu-timer.c:536
#7  0x0000556d65d0e0f7 in qemu_clock_run_timers (type=QEMU_CLOCK_REALTIME) at util/qemu-timer.c:547
#8  qemu_clock_run_all_timers () at util/qemu-timer.c:674
#9  0x0000556d65d0e5d1 in main_loop_wait (nonblocking=<optimized out>) at util/main-loop.c:503
#10 0x0000556d65a5f2ee in main_loop () at vl.c:1865
#11 0x0000556d658ff166 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4643

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1784900

Title:
  QEMU (frontend) crashes upon warm reboot with virtio-gpu device and
  vga=775 on Linux cmdline

Status in QEMU:
  New

Bug description:
  With vga=775 on the Linux command line a first boot of the VM running
  Linux works fine. After a warm reboot it crashes during Linux boot.
  The VM was used remotely via virt-manager and VNC.

  Bisecting the code led to the following patch that introduced the
  bug:

  commit 1fccd7c5a9a722a9cbf1bc91693f4618034f01ac (HEAD, refs/bisect/bad)
  Author: Gerd Hoffmann <kraxel@redhat.com>
  Date:   Mon Jul 2 18:24:43 2018 +0200

      virtio-gpu: disable scanout when backing resource is destroyed

      Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
      Message-id: 20180702162443.16796-4-kraxel@redhat.com

  diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
  index 336dc59007..08cd567218 100644
  --- a/hw/display/virtio-gpu.c
  +++ b/hw/display/virtio-gpu.c
  @@ -430,6 +430,16 @@ static void virtio_gpu_disable_scanout(VirtIOGPU *g, int scanout_id)
   static void virtio_gpu_resource_destroy(VirtIOGPU *g,
                                           struct virtio_gpu_simple_resource *res)
   {
  +    int i;
  +
  +    if (res->scanout_bitmask) {
  +        for (i = 0; i < g->conf.max_outputs; i++) {
  +            if (res->scanout_bitmask & (1 << i)) {
  +                virtio_gpu_disable_scanout(g, i);
  +            }
  +        }
  +    }
  +
       pixman_image_unref(res->image);
       virtio_gpu_cleanup_mapping(res);
       QTAILQ_REMOVE(&g->reslist, res, next);
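Review bot: the new loop runs before pixman_image_unref(res->image), but the backtrace in this message shows the compat VGA path (vga_draw_line8 called from vga_update_display) still writing into the pixman bits after they were released, so disabling the scanouts is not enough on its own; the hunk should also ensure that the surface the VGA code draws into is replaced, or holds its own reference to res->image, before the unref, otherwise the draw path keeps a dangling pointer into the freed buffer and overwrites the glibc chunk header, which is the 'invalid pointer' abort reported here. Minor: `res->scanout_bitmask & (1 << i)` shifts a signed int; `1u << i` avoids undefined behaviour should max_outputs ever reach 31.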

  
  Reported backtraces can be found here:  https://paste.fedoraproject.org/paste/OUDEfCk1IY7xiy0I0PDlkw

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1784900/+subscriptions
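The corruption analysed above is a lifetime problem: the pixman bits are released while the VGA draw path still writes into them. As an added illustration (not QEMU's or pixman's code; all names are made up), the following models a reference-counted pixel buffer where the scanout pins the image with its own reference, so neither the pre-patch shape (resource reference dropped while a scanout still shows it) nor the patched shape (scanouts detached in resource_destroy) can free memory the draw path is about to write.

```c
/* Added illustration, not QEMU or pixman code: a reference-counted pixel
 * buffer shared between a guest "resource" and a display "scanout". The
 * scanout holds its own reference, so releasing the resource can never free
 * bits the draw path is still writing to. All names here are made up. */
#include <stdint.h>
#include <stdlib.h>

typedef struct { int refcount; int width, height; uint32_t *bits; } Image;
typedef struct { Image *image; } Scanout;                   /* one per output */
typedef struct { Image *image; unsigned scanout_bitmask; } Resource;
static int images_freed;                                    /* observable in tests */

static Image *image_create(int w, int h) {
    Image *img = calloc(1, sizeof *img);
    img->refcount = 1; img->width = w; img->height = h;
    img->bits = calloc((size_t)w * h, sizeof(uint32_t));
    return img;
}
static Image *image_ref(Image *img) { img->refcount++; return img; }
static void image_unref(Image *img) {                       /* frees at zero */
    if (img && --img->refcount == 0) { free(img->bits); free(img); images_freed++; }
}

/* Attaching a scanout pins the image: the scanout now owns a reference. */
static void scanout_enable(Scanout *s, Resource *res, int id) {
    image_unref(s->image);
    s->image = image_ref(res->image);
    res->scanout_bitmask |= 1u << id;
}
static void scanout_disable(Scanout *s, Resource *res, int id) {
    image_unref(s->image);
    s->image = NULL;
    res->scanout_bitmask &= ~(1u << id);
}

/* Same shape as the patch in the bug report: detach every scanout showing
 * this resource, then drop the resource's own reference. */
static void resource_destroy(Scanout *scanouts, int max_outputs, Resource *res) {
    for (int i = 0; i < max_outputs; i++)
        if (res->scanout_bitmask & (1u << i)) scanout_disable(&scanouts[i], res, i);
    image_unref(res->image);
    res->image = NULL;
}

/* Draw path: writes one row, or returns 0 when the scanout has no live image. */
static int draw_line(Scanout *s, int y, uint32_t color) {
    if (!s->image || y < 0 || y >= s->image->height) return 0;
    for (int x = 0; x < s->image->width; x++) s->image->bits[y * s->image->width + x] = color;
    return 1;
}
```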
