Bug 71365

Summary: Repeatable kernel oops on vc switch; drm_crtc_helper_set_mode/qxl_enc_commit/qxl_send_monitors_config
Product: Spice
Component: xorg qxl
Reporter: Dave Gilbert <freedesktop>
Assignee: Spice Bug List <spice-bugs>
Status: RESOLVED MOVED
Severity: normal
Priority: medium
Version: unspecified
Hardware: x86-64 (AMD64)
OS: Linux (All)

Description Dave Gilbert 2013-11-07 23:54:18 UTC
I'm running a FC20 x86-64 pre-beta with an Ubuntu guest under KVM
with spice and can reliably trigger an oops in the guest.
The host is running qemu-kvm-1.6.1-1.fc20.x86_64

The oops happens on both Ubuntu's distro kernels (since about 3.10) and anything else recent including current drm-next (212c444ba 7th November) that I've built. 
The user space is Ubuntu Trusty, and X (with Unity etc) works fine.

Note there is also a corrupt text console prior to the oops.

To trigger:
Boot guest and let it sit at lightdm
ssh in
send a ctrl-alt-f1 via virt-manager
 * see a very corrupt text console
send a ctrl-alt-f2
(might oops at this point - check with dmesg via the ssh)
send a ctrl-alt-f3
send a ctrl-alt-f4

I've never had it get past the 4th one without oopsing, with debug on it does it at the second switch.

Here is a log which I turned some drm debug on;

It is sitting at lightdm waiting for me to log in, so I ssh in and do:
echo 255 > debug
and do ctrl-alt-f1

[  266.165815] [drm:drm_crtc_helper_set_config],
[  266.165817] [drm:drm_crtc_helper_set_config], [CRTC:3] [FB:33] #connectors=1 (x y) (0 0)
[  266.165821] [drm:drm_crtc_helper_set_config], crtc has no fb, full mode set
[  266.165823] [drm:qxl_best_encoder],
[  266.165823] [drm:drm_crtc_helper_set_config], encoder changed, full mode switch
[  266.165824] [drm:drm_crtc_helper_set_config], crtc changed, full mode switch
[  266.165825] [drm:drm_crtc_helper_set_config], [CONNECTOR:4:Virtual-1] to [CRTC:3]
[  266.165826] [drm:drm_crtc_helper_set_config], attempting to set mode from userspace
[  266.165828] [drm:drm_mode_debug_printmodeline], Modeline 32:"1024x768" 60 63500 1024 1072 1176 1328 768 771 775 798 0x8 0x6
[  266.165830] [drm:qxl_enc_mode_fixup],
[  266.165845] [drm:drm_crtc_helper_set_mode], [CRTC:3]
[  266.165846] [drm:qxl_enc_prepare],
[  266.165847] [drm:qxl_enc_dpms],
[  266.165847] [drm:qxl_enc_dpms],
[  266.165848] [drm:qxl_enc_dpms],
[  266.165849] [drm:qxl_crtc_prepare], current: 1024x768+0+0 (1).
[  266.165850] [drm:qxl_crtc_mode_set], 0x0: not a native mode
[  266.165851] [drm:qxl_crtc_mode_set], +0+0 (1024,768) => (1024,768)

We have now got a heavily corrupt text console (nothing readable)

I then do a ctrl-alt-f2 here.
[  276.164189] [drm:qxl_monitors_config_set], 0:1024x768+0+0
[  276.164207] [drm:drm_crtc_helper_set_mode], [ENCODER:5:Virtual-5] set [MODE:32:1024x768]
[  276.164209] [drm:qxl_enc_mode_set],
[  276.164212] [drm:qxl_crtc_commit],
[  276.164215] [drm:qxl_write_monitors_config_for_encoder], setting head 0 to +0+0 1024x768 out of 1
[  276.164239] ------------[ cut here ]------------
[  276.164240] Kernel BUG at ffffffffa00c42d6 [verbose debug info unavailable]
[  276.164244] invalid opcode: 0000 [#1] SMP
[  276.164267] Modules linked in: rfcomm bnep bluetooth ppdev(F) nfsd(F) auth_rpcgss(F) nfs_acl(F) nfs(F) lockd(F) sunrpc(F) fscache(F) snd_hda_intel snd_hda_codec snd_hwdep(F) snd_pcm(F) microcode(F) psmouse(F) snd_page_alloc(F) serio_raw(F) snd_seq_midi(F) snd_seq_midi_event(F) snd_rawmidi(F) virtio_console snd_seq(F) snd_seq_device(F) snd_timer(F) snd(F) soundcore(F) qxl parport_pc(F) ttm drm_kms_helper drm i2c_piix4 mac_hid lp(F) parport(F) floppy(F)
[  276.164271] CPU: 1 PID: 972 Comm: Xorg Tainted: GF            3.12.0-1-generic #3-Ubuntu
[  276.164273] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[  276.164275] task: ffff88006d8017b0 ti: ffff88006e3fe000 task.ti: ffff88006e3fe000
[  276.164285] RIP: 0010:[<ffffffffa00c42d6>]  [<ffffffffa00c42d6>] qxl_send_monitors_config+0x136/0x140 [qxl]
[  276.164287] RSP: 0018:ffff88006e3ff7a8  EFLAGS: 00010246
[  276.164288] RAX: ffffc900003b4000 RBX: ffff880036944d68 RCX: 0000000000001e60
[  276.164290] RDX: 000000001e601e60 RSI: 000000004dc64dc4 RDI: ffff88007c35a000
[  276.164291] RBP: ffff88006e3ff7b0 R08: 0000000000000092 R09: ffffffff81ebf069
[  276.164293] R10: 0000000000000002 R11: 0000000000040000 R12: ffff88007c35a000
[  276.164294] R13: ffffc9000039e004 R14: ffff880079590420 R15: ffff880036945c18
[  276.164297] FS:  00007fb7227dc980(0000) GS:ffff88007fd00000(0000) knlGS:0000000000000000
[  276.164299] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  276.164300] CR2: 00007fb4bff2f000 CR3: 000000006d827000 CR4: 00000000000006e0
[  276.164313] Stack:
[  276.164317]  0000000000000000 ffff88006e3ff800 ffffffffa00c45da ffff880000000000
[  276.164320]  ffff880000000400 0000000000000300 ffffffff00000001 0000000000000092
[  276.164323]  ffff880036944d68 ffff880036898000 ffff880036945c20 ffff88006e3ffa50
[  276.164324] Call Trace:
[  276.164333]  [<ffffffffa00c45da>] qxl_enc_commit+0x12a/0x220 [qxl]
[  276.164340]  [<ffffffffa00a41b1>] drm_crtc_helper_set_mode+0x381/0x510 [drm_kms_helper]
[  276.164349]  [<ffffffffa00a57d5>] drm_crtc_helper_set_config+0x9c5/0xb20 [drm_kms_helper]
[  276.164370]  [<ffffffffa004c5fd>] drm_mode_set_config_internal+0x5d/0xe0 [drm]
[  276.164376]  [<ffffffffa00a3681>] drm_fb_helper_set_par+0x71/0xf0 [drm_kms_helper]
[  276.164382]  [<ffffffff813d1db1>] fb_set_var+0x191/0x430
[  276.164388]  [<ffffffff8109694d>] ? ttwu_do_activate.constprop.75+0x5d/0x70
[  276.164393]  [<ffffffff813deb41>] fbcon_blank+0x1d1/0x2d0
[  276.164399]  [<ffffffff8145e674>] do_unblank_screen+0xb4/0x1e0
[  276.164402]  [<ffffffff814543ba>] complete_change_console+0x5a/0xe0
[  276.164405]  [<ffffffff814553ea>] vt_ioctl+0xfaa/0x11c0
[  276.164408]  [<ffffffff8109b45d>] ? sched_clock_local+0x1d/0x80
[  276.164411]  [<ffffffff8109b5e8>] ? sched_clock_cpu+0xa8/0x100
[  276.164415]  [<ffffffff81448d5d>] tty_ioctl+0x26d/0xbc0
[  276.164420]  [<ffffffff8104f46f>] ? kvm_clock_read+0x1f/0x30
[  276.164425]  [<ffffffff8101b8a9>] ? sched_clock+0x9/0x10
[  276.164427]  [<ffffffff8109b45d>] ? sched_clock_local+0x1d/0x80
[  276.164432]  [<ffffffff811c4615>] do_vfs_ioctl+0x2e5/0x4d0
[  276.164436]  [<ffffffff8109c0b4>] ? vtime_account_user+0x54/0x60
[  276.164439]  [<ffffffff811c4881>] SyS_ioctl+0x81/0xa0
[  276.164443]  [<ffffffff8171ba7f>] tracesys+0xe1/0xe6
[  276.164471] Code: d8 0c a0 31 c0 e8 3b 3f 00 00 c9 c3 45 8b 4a 14 45 8b 42 10 31 d2 41 8b 4a 0c eb a9 45 8b 42 10 41 8b 4a 0c 41 89 c1 31 d2 eb 9a <0f> 0b 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 57
[  276.164478] RIP  [<ffffffffa00c42d6>] qxl_send_monitors_config+0x136/0x140 [qxl]
[  276.164479]  RSP <ffff88006e3ff7a8>
[  276.164482] ---[ end trace ca96233a7ea696e9 ]---

It's still happily responsive via the ssh at this point but the console
is still toast.

The addresses in the trace don't make too much sense to me; the qxl_send_monitors_config+0x136 seems to correspond to a ud2 undefined after the last jmp in qxl_send_monitors_config, and the qxl_enc_commit+0x12a I think corresponds to the jump just before the DRM_DEBUG print at the end of the routine.

I have a FC19 guest also on the same host that doesn't seem to exhibit any problems.

For reference this corresponds to Ubuntu bug:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1247906
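
An added triage example, not part of the original report or of the qxl driver: a small Python parser run over lines copied from the oops above. It checks the trace from the raw bytes: the byte RIP points at starts `0f 0b` (ud2, the instruction x86 `BUG()` emits) and the two bytes before it are a short jmp (`eb 9a`). The helper names are hypothetical.

```python
import re

# Lines copied from the oops in the report above; only the parsed lines are kept.
OOPS = """\
[  276.164244] invalid opcode: 0000 [#1] SMP
[  276.164285] RIP: 0010:[<ffffffffa00c42d6>]  [<ffffffffa00c42d6>] qxl_send_monitors_config+0x136/0x140 [qxl]
[  276.164324] Call Trace:
[  276.164333]  [<ffffffffa00c45da>] qxl_enc_commit+0x12a/0x220 [qxl]
[  276.164340]  [<ffffffffa00a41b1>] drm_crtc_helper_set_mode+0x381/0x510 [drm_kms_helper]
[  276.164382]  [<ffffffff813d1db1>] fb_set_var+0x191/0x430
[  276.164388]  [<ffffffff8109694d>] ? ttwu_do_activate.constprop.75+0x5d/0x70
[  276.164393]  [<ffffffff813deb41>] fbcon_blank+0x1d1/0x2d0
[  276.164471] Code: d8 0c a0 31 c0 e8 3b 3f 00 00 c9 c3 45 8b 4a 14 45 8b 42 10 31 d2 41 8b 4a 0c eb a9 45 8b 42 10 41 8b 4a 0c 41 89 c1 31 d2 eb 9a <0f> 0b 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 57
"""

# symbol+0xOFFSET/0xSIZE, optionally followed by " [module]"
SYM = r"([\w.]+)\+0x([0-9a-f]+)/0x([0-9a-f]+)(?: \[(\w+)\])?"

def parse_rip(text):
    """Return the faulting symbol, its offset/size, module and function start."""
    m = re.search(r"RIP: \w+:\[<([0-9a-f]+)>\].*?\] " + SYM, text)
    addr, off, size = int(m[1], 16), int(m[3], 16), int(m[4], 16)
    return {"symbol": m[2], "module": m[5], "offset": off, "size": size,
            "func_start": addr - off, "bytes_to_end": size - off}

def reliable_callers(text):
    """Call-trace symbols, skipping '?' frames the unwinder could not verify."""
    trace = text.split("Call Trace:", 1)[1]
    return [m[2] for m in re.finditer(r"\[<[0-9a-f]+>\] (\? )?" + SYM, trace)
            if not m[1]]

def trap_bytes(text):
    """Split the Code: dump at the <xx> marker, which is the byte RIP points at."""
    toks = re.search(r"Code: (.*)", text)[1].split()
    i = next(n for n, t in enumerate(toks) if t.startswith("<"))
    raw = bytes(int(t.strip("<>"), 16) for t in toks)
    return raw[:i], raw[i:]

def classify(text):
    """Label the trap from the first two bytes at RIP."""
    _, at = trap_bytes(text)
    if at[:2] == b"\x0f\x0b":  # ud2, the instruction x86 BUG() emits
        return "ud2 (BUG/BUG_ON)"
    return "other"

if __name__ == "__main__":
    print(parse_rip(OOPS), classify(OOPS), reliable_callers(OOPS))
```

The ud2 sits 10 bytes before the end of the 0x140-byte function, and those 10 bytes are the ud2 itself plus an 8-byte nop, so the trap is the last real instruction in `qxl_send_monitors_config`.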

Comment 1 Dave Gilbert 2013-11-08 00:50:08 UTC
The heavily corrupted console got me thinking and there's a more telling/simpler
way to see the problem:

Boot guest to lightdm

ssh in twice and get root.

in the 1st ssh do a   chvt 1
  This doesn't return

so that's probably the underlying problem.
In the 2nd vt I did an
echo t > /proc/sysrq-trigger

and for chvt I got:

[   85.553746] chvt            S ffff88007fd14500     0  1800   1799 0x00000000
[   85.553746]  ffff88006b8ddd08 0000000000000002 ffff88006b8ddfd8 0000000000014500
[   85.553746]  ffff88006b8ddfd8 0000000000014500 ffff880067815ec0 ffff88006b8ddd9c
[   85.553746]  ffff880067815ec0 0000000000005607 ffff880036991c00 00000000fffffffa
[   85.553746] Call Trace:
[   85.553746]  [<ffffffff81710659>] schedule+0x29/0x70
[   85.553746]  [<ffffffff8145409a>] __vt_event_wait.isra.0.part.1+0x5a/0x90
[   85.553746]  [<ffffffff81089020>] ? wake_up_atomic_t+0x30/0x30
[   85.553746]  [<ffffffff81454285>] vt_waitactive+0x65/0xb0
[   85.553746]  [<ffffffff8106e069>] ? ns_capable+0x29/0x50
[   85.553746]  [<ffffffff81454bf7>] vt_ioctl+0x7b7/0x11c0
[   85.553746]  [<ffffffff81448d5d>] tty_ioctl+0x26d/0xbc0
[   85.553746]  [<ffffffff8104f46f>] ? kvm_clock_read+0x1f/0x30
[   85.553746]  [<ffffffff8101b8a9>] ? sched_clock+0x9/0x10
[   85.553746]  [<ffffffff8109b45d>] ? sched_clock_local+0x1d/0x80
[   85.553746]  [<ffffffff811c4615>] do_vfs_ioctl+0x2e5/0x4d0
[   85.553746]  [<ffffffff8109c0b4>] ? vtime_account_user+0x54/0x60
[   85.553746]  [<ffffffff811c4881>] SyS_ioctl+0x81/0xa0
[   85.553746]  [<ffffffff8171ba7f>] tracesys+0xe1/0xe6


with the X processes in:
[   85.553746] Xorg            x ffff88007fc14500     0   950    928 0x00000000
[   85.553746]  ffff88006e48b510 0000000000000002 ffff88006e48bfd8 0000000000014500
[   85.553746]  ffff88006e48bfd8 0000000000014500 ffff880078968000 ffff880078968650
[   85.553746]  ffff880078967ff0 ffff88006d995ec0 ffff880078967ff0 ffff880078968000
[   85.553746] Call Trace:
[   85.553746]  [<ffffffff81710659>] schedule+0x29/0x70
[   85.553746]  [<ffffffff81066edf>] do_exit+0x6ff/0xa50
[   85.553746]  [<ffffffff817142af>] oops_end+0xaf/0x150
[   85.553746]  [<ffffffff810172bb>] die+0x4b/0x70
[   85.553746]  [<ffffffff817139f0>] do_trap+0x60/0x170
[   85.553746]  [<ffffffff81014512>] do_invalid_op+0xa2/0x100
[   85.553746]  [<ffffffffa00d12d6>] ? qxl_send_monitors_config+0x136/0x140 [qxl]
[   85.553746]  [<ffffffff81088ec8>] ? finish_wait+0x58/0x70
[   85.553746]  [<ffffffffa00d4a2a>] ? wait_for_io_cmd_user+0x20a/0x3c0 [qxl]
[   85.553746]  [<ffffffff8171d09e>] invalid_op+0x1e/0x30
[   85.553746]  [<ffffffffa00d12d6>] ? qxl_send_monitors_config+0x136/0x140 [qxl]
[   85.553746]  [<ffffffffa00d15da>] qxl_enc_commit+0x12a/0x220 [qxl]
[   85.553746]  [<ffffffffa00ac1b1>] drm_crtc_helper_set_mode+0x381/0x510 [drm_kms_helper]
[   85.553746]  [<ffffffffa00ad7d5>] drm_crtc_helper_set_config+0x9c5/0xb20 [drm_kms_helper]
[   85.553746]  [<ffffffffa00545fd>] drm_mode_set_config_internal+0x5d/0xe0 [drm]
[   85.553746]  [<ffffffffa00ab681>] drm_fb_helper_set_par+0x71/0xf0 [drm_kms_helper]
[   85.553746]  [<ffffffff813d1db1>] fb_set_var+0x191/0x430
[   85.553746]  [<ffffffff8109694d>] ? ttwu_do_activate.constprop.75+0x5d/0x70
[   85.553746]  [<ffffffff813deb41>] fbcon_blank+0x1d1/0x2d0
[   85.553746]  [<ffffffff8145e674>] do_unblank_screen+0xb4/0x1e0
[   85.553746]  [<ffffffff814543ba>] complete_change_console+0x5a/0xe0
[   85.553746]  [<ffffffff814553ea>] vt_ioctl+0xfaa/0x11c0
[   85.553746]  [<ffffffff81448d5d>] tty_ioctl+0x26d/0xbc0
[   85.553746]  [<ffffffff8104f46f>] ? kvm_clock_read+0x1f/0x30
[   85.553746]  [<ffffffff8101b8a9>] ? sched_clock+0x9/0x10
[   85.553746]  [<ffffffff8109b45d>] ? sched_clock_local+0x1d/0x80
[   85.553746]  [<ffffffff811c4615>] do_vfs_ioctl+0x2e5/0x4d0
[   85.553746]  [<ffffffff8109c0b4>] ? vtime_account_user+0x54/0x60
[   85.553746]  [<ffffffff811c4881>] SyS_ioctl+0x81/0xa0
[   85.553746]  [<ffffffff8171ba7f>] tracesys+0xe1/0xe6
[   85.553746] Xorg            S ffff88007fd14500     0  1168    928 0x00400000
[   85.553746]  ffff88006d83bce0 0000000000000006 ffff88006d83bfd8 0000000000014500
[   85.553746]  ffff88006d83bfd8 0000000000014500 ffff88006d995ec0 ffff88006d995ec0
[   85.553746]  0000000000000000 ffff88006d995ec0 ffff88006d83bd88 ffffffff81f17608
[   85.553746] Call Trace:
[   85.553746]  [<ffffffff81710659>] schedule+0x29/0x70
[   85.553746]  [<ffffffff810cd55d>] futex_wait_queue_me+0xdd/0x140
[   85.553746]  [<ffffffff810ce202>] futex_wait+0x182/0x290
[   85.553746]  [<ffffffff81098810>] ? wake_up_state+0x10/0x20
[   85.553746]  [<ffffffff810cd626>] ? wake_futex+0x66/0x80
[   85.553746]  [<ffffffff8104f46f>] ? kvm_clock_read+0x1f/0x30
[   85.553746]  [<ffffffff8104f46f>] ? kvm_clock_read+0x1f/0x30
[   85.553746]  [<ffffffff810d040e>] do_futex+0xde/0x670
[   85.553746]  [<ffffffff8110b1ac>] ? acct_account_cputime+0x1c/0x20
[   85.553746]  [<ffffffff8109ba8c>] ? account_user_time+0x8c/0xa0
[   85.553746]  [<ffffffff810d0a11>] SyS_futex+0x71/0x150
[   85.553746]  [<ffffffff81020e15>] ? syscall_trace_enter+0x145/0x250
[   85.553746]  [<ffffffff8171ba7f>] tracesys+0xe1/0xe6
[   85.553746] Xorg            S ffff88007fd14500     0  1169    928 0x00400000
[   85.553746]  ffff88006d861ce0 0000000000000006 ffff88006d861fd8 0000000000014500
[   85.553746]  ffff88006d861fd8 0000000000014500 ffff88006d994710 ffff88006d994710
[   85.553746]  0000000000000000 ffff88006d994710 ffff88006d861d88 ffffffff81f16180
[   85.553746] Call Trace:
[   85.553746]  [<ffffffff81710659>] schedule+0x29/0x70
[   85.553746]  [<ffffffff810cd55d>] futex_wait_queue_me+0xdd/0x140
[   85.553746]  [<ffffffff810ce202>] futex_wait+0x182/0x290
[   85.553746]  [<ffffffff8104f46f>] ? kvm_clock_read+0x1f/0x30
[   85.553746]  [<ffffffff8104f46f>] ? kvm_clock_read+0x1f/0x30
[   85.553746]  [<ffffffff810d040e>] do_futex+0xde/0x670
[   85.553746]  [<ffffffff8110b1ac>] ? acct_account_cputime+0x1c/0x20
[   85.553746]  [<ffffffff8109ba8c>] ? account_user_time+0x8c/0xa0
[   85.553746]  [<ffffffff810d0a11>] SyS_futex+0x71/0x150
[   85.553746]  [<ffffffff81020e15>] ? syscall_trace_enter+0x145/0x250
[   85.553746]  [<ffffffff8171ba7f>] tracesys+0xe1/0xe6

Comment 2 Dave Gilbert 2013-11-10 15:39:48 UTC
On the Ubuntu 'Trusty' guest this problem has still gone away, but it's still there with the 'Saucy' guest; Trusty has just had an X and spice update - so looking at that last trace I posted I wonder if the problem is X stopping the first chvt from working and then once in that state further chvt's breaking things?
(I guess it going away is a good thing - but if the kernel oops was still triggerable with a bad X server I guess that's still a problem)

Comment 3 GitLab Migration User 2018-06-05 14:18:46 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/spice/spice-gtk/issues/45.