qxl in COLO secondary node cause QEMU to segmentation fault
Host environment
- Operating system: Ubuntu Linux 20.04
- OS/kernel version: Kernel 5.4.0-91 x86_64
- Architecture: x86
- QEMU flavor: qemu-system-x86_64
- QEMU version: v6.2.0
- QEMU command line:
./qemu-system-x86_64 -enable-kvm -name guest=pvm -smp 8 -m 16384 -drive if=virtio,id=colo1,driver=quorum,read-pattern=fifo,vote-threshold=1,children.0.file.filename=primary.qcow2,children.0.driver=qcow2 -spice port=5900,addr=0.0.0.0,-device qxl-vga ./qemu-system-x86_64 -enable-kvm -name guest=svm -smp 8 -m 16384 -drive if=none,id=parent1,file.filename=secondary.qcow2,driver=qcow2 -drive if=none,id=childs1,driver=replication,mode=secondary,file.driver=qcow2,top-id=colo1,file.file.filename=secondary-active.qcow2,file.backing.driver=qcow2,file.backing.file.filename=secondary-hidden.qcow2,file.backing.backing=parent1 -drive if=virtio,id=colo1,driver=quorum,read-pattern=fifo,vote-threshold=1,children.0=childs1 -spice port=5900,addr=0.0.0.0 -device qxl-vga -incoming tcp:0.0.0.0:9998
Emulated/Virtualized environment
- Operating system: Windows 10
- Architecture: x86
Description of problem
After COLO checkpoint, the Secondary VM's qemu received segmentation fault while releasing qxl resources in interface_release_resource() routine.
i have used gdb and qemu trace to debug Secondary VM's qemu. the object 'qxl->last_release' is null and object 'ring->items[prod].el' != 0, it leads to null pointer dereference.
During COLO checkpoint,the Secondary VM's qemu has loaded Primary VM's qxl states,so i think it not need to release qxl resources.
Steps to reproduce
1.Startup Primary VM and Secondary VM of COLO mode, and gdb to Secondary VM's qemu.
2.Connect to Primary VM's spice server.
3.Secondary VM's qemu will receiveing segmentation fault.
Additional information
gdb to Secondary VM's qemu:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ff9e3bff700 (LWP 44703)]
0x0000555555b2e8d6 in interface_release_resource (sin=0x555557d7c8a8, ext=...) at ../hw/display/qxl.c:783
783 qxl->last_release->next = ext.info->id;
(gdb) bt
#0 0x0000555555b2e8d6 in interface_release_resource (sin=0x555557d7c8a8, ext=...) at ../hw/display/qxl.c:783
#1 0x00007fffd7751dd1 in red_drawable_unref () at /lib64/libspice-server.so.1
#2 0x00007fffd771eabe in drawable_unref () at /lib64/libspice-server.so.1
#3 0x00007fffd77206a7 in draw_until () at /lib64/libspice-server.so.1
#4 0x00007fffd771f7cd in display_channel_draw () at /lib64/libspice-server.so.1
#5 0x00007fffd7721b51 in display_channel_process_draw () at /lib64/libspice-server.so.1
#6 0x00007fffd7752142 in red_process_display () at /lib64/libspice-server.so.1
#7 0x00007fffd77521fb in worker_source_dispatch () at /lib64/libspice-server.so.1
#8 0x00007fffd6c2f049 in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#9 0x00007fffd6c2f3a8 in g_main_context_iterate.isra.19 () at /lib64/libglib-2.0.so.0
#10 0x00007fffd6c2f67a in g_main_loop_run () at /lib64/libglib-2.0.so.0
#11 0x00007fffd775166a in red_worker_main () at /lib64/libspice-server.so.1
#12 0x00007fffd5658dd5 in start_thread () at /lib64/libpthread.so.0
#13 0x00007fffd538202d in clone () at /lib64/libc.so.6
(gdb) frame 0
#0 0x0000555555b2e8d6 in interface_release_resource (sin=0x555557d7c8a8, ext=...) at ../hw/display/qxl.c:783
783 qxl->last_release->next = ext.info->id;
(gdb) print qxl->last_release
$1 = (QXLReleaseInfo *) 0x0qemu trace log:
44840@1643012769.363844:colo_send_message Send 'checkpoint-reply' message
44840@1643012773.579053:colo_receive_message Receive 'vmstate-send' message
44840@1643012773.978838:colo_receive_message Receive 'vmstate-size' message
44840@1643012773.979041:colo_send_message Send 'vmstate-received' message
44840@1643012774.180598:qxl_pre_load 0
44703@1643012774.180660:qxl_ring_res_put 0 #res=20
44840@1643012774.182627:qxl_post_load 0 native
44840@1643012774.197993:colo_vm_state_change Change 'stop' => 'run'
44840@1643012774.198030:colo_send_message Send 'vmstate-loaded' message