Arch Linux

mettacrawler

Member

Registered: 2020-09-26

Posts: 26

[SOLVED] qxl_drv.so segfaults during GC when I use spice-vdagent

Hi,

I was running plasma on an Arch x86_64 VM guest on a libvirt/KVM/Qemu stack using the QXL video and everything worked except copy-paste between the VM guest and host so I installed spice-vdagent and now it crashes.

$ uname -rvm
5.8.10-arch1-1 #1 SMP PREEMPT Thu, 17 Sep 2020 18:01:06 +0000 x86_64

$ yay -Q | grep -E 'spice-vdagent|xorg-server\ |qxl'
spice-vdagent 0.20.0+6+g8adf50d-1
xf86-video-qxl 0.1.5-8
xorg-server 1.20.9-2

qxl driver module crashes during garbage collection (GC) after trying to allocate memory.

#6  OsSigHandler (signo=11, sip=0x7ffed6775e30, unused=<optimized out>) at ../xorg-server-1.20.9/os/osinit.c:110
#7  0x00007f4f5607b6a0 in <signal handler called> () at /usr/lib/libc.so.6
#8  0x00007f4f553c53b1 in qxl_bo_map (_bo=0x38) at qxl_mem.c:501
#9  0x00007f4f553c5705 in qxl_garbage_collect_internal (qxl=qxl@entry=0x56415c804d30, id=<optimized out>) at qxl_mem.c:277
#10 0x00007f4f553c5ee8 in qxl_garbage_collect (qxl=0x56415c804d30) at qxl_mem.c:369
#11 qxl_allocnf (qxl=qxl@entry=0x56415c804d30, size=size@entry=191, name=name@entry=0x7f4f553db6cc "drawable command") at qxl_mem.c:417

Using the default video ram settings the entire VM would stop working (could not ssh in).
After changing to 256MB video RAM I was able to ssh in after the crash.

<video>
  <model type="qxl" ram="524288" vram="262144" vgamem="262144" heads="1" primary="yes"/>
  <alias name="video0"/>
  <address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x0"/>
</video>

$ gdb /usr/lib/Xorg
GNU gdb (GDB) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/lib/Xorg...
(gdb) set pagination off
(gdb) core core.Xorg.0.ea60acfc6c0e42d6a63572f3206d728c.403.1601218326000000 
[New LWP 403]
[New LWP 407]
[New LWP 410]
[New LWP 411]
[New LWP 408]
[New LWP 404]
[New LWP 405]
[New LWP 409]
[New LWP 406]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Core was generated by `/usr/lib/Xorg -nolisten tcp -auth /var/run/sddm/{870e9143-42fa-4ea6-8864-52e653'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
49	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
[Current thread is 1 (Thread 0x7f4f55771940 (LWP 403))]
(gdb) thread apply all bt

Thread 9 (Thread 0x7f4f1ad2b640 (LWP 406)):
#0  futex_wait_cancelable (private=0, expected=0, futex_word=0x56415c8bb358) at ../sysdeps/nptl/futex-internal.h:183
#1  __pthread_cond_wait_common (abstime=0x0, clockid=0, mutex=0x56415c8bb308, cond=0x56415c8bb330) at pthread_cond_wait.c:508
#2  __pthread_cond_wait (cond=0x56415c8bb330, mutex=0x56415c8bb308) at pthread_cond_wait.c:638
#3  0x00007f4f2399a584 in  () at /usr/lib/dri/swrast_dri.so
#4  0x00007f4f23979b48 in  () at /usr/lib/dri/swrast_dri.so
#5  0x00007f4f55f2b3e9 in start_thread (arg=0x7f4f1ad2b640) at pthread_create.c:463
#6  0x00007f4f5613e293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 8 (Thread 0x7f4f19528640 (LWP 409)):
#0  futex_wait_cancelable (private=0, expected=0, futex_word=0x56415c8bcee0) at ../sysdeps/nptl/futex-internal.h:183
#1  __pthread_cond_wait_common (abstime=0x0, clockid=0, mutex=0x56415c8bce90, cond=0x56415c8bceb8) at pthread_cond_wait.c:508
#2  __pthread_cond_wait (cond=0x56415c8bceb8, mutex=0x56415c8bce90) at pthread_cond_wait.c:638
#3  0x00007f4f23981e04 in  () at /usr/lib/dri/swrast_dri.so
#4  0x00007f4f23979b18 in  () at /usr/lib/dri/swrast_dri.so
#5  0x00007f4f55f2b3e9 in start_thread (arg=0x7f4f19528640) at pthread_create.c:463
#6  0x00007f4f5613e293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 7 (Thread 0x7f4f1b52c640 (LWP 405)):
#0  futex_wait_cancelable (private=0, expected=0, futex_word=0x56415c8bb1f8) at ../sysdeps/nptl/futex-internal.h:183
#1  __pthread_cond_wait_common (abstime=0x0, clockid=0, mutex=0x56415c8bb1a8, cond=0x56415c8bb1d0) at pthread_cond_wait.c:508
#2  __pthread_cond_wait (cond=0x56415c8bb1d0, mutex=0x56415c8bb1a8) at pthread_cond_wait.c:638
#3  0x00007f4f2399a584 in  () at /usr/lib/dri/swrast_dri.so
#4  0x00007f4f23979b48 in  () at /usr/lib/dri/swrast_dri.so
#5  0x00007f4f55f2b3e9 in start_thread (arg=0x7f4f1b52c640) at pthread_create.c:463
#6  0x00007f4f5613e293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 6 (Thread 0x7f4f1bd2d640 (LWP 404)):
#0  futex_wait_cancelable (private=0, expected=0, futex_word=0x56415c8bb098) at ../sysdeps/nptl/futex-internal.h:183
#1  __pthread_cond_wait_common (abstime=0x0, clockid=0, mutex=0x56415c8bb048, cond=0x56415c8bb070) at pthread_cond_wait.c:508
#2  __pthread_cond_wait (cond=0x56415c8bb070, mutex=0x56415c8bb048) at pthread_cond_wait.c:638
#3  0x00007f4f2399a584 in  () at /usr/lib/dri/swrast_dri.so
#4  0x00007f4f23979b48 in  () at /usr/lib/dri/swrast_dri.so
#5  0x00007f4f55f2b3e9 in start_thread (arg=0x7f4f1bd2d640) at pthread_create.c:463
#6  0x00007f4f5613e293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 5 (Thread 0x7f4f19d29640 (LWP 408)):
#0  futex_wait_cancelable (private=0, expected=0, futex_word=0x56415c8bcee0) at ../sysdeps/nptl/futex-internal.h:183
#1  __pthread_cond_wait_common (abstime=0x0, clockid=0, mutex=0x56415c8bce90, cond=0x56415c8bceb8) at pthread_cond_wait.c:508
#2  __pthread_cond_wait (cond=0x56415c8bceb8, mutex=0x56415c8bce90) at pthread_cond_wait.c:638
#3  0x00007f4f23981e04 in  () at /usr/lib/dri/swrast_dri.so
#4  0x00007f4f23979b18 in  () at /usr/lib/dri/swrast_dri.so
#5  0x00007f4f55f2b3e9 in start_thread (arg=0x7f4f19d29640) at pthread_create.c:463
#6  0x00007f4f5613e293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 4 (Thread 0x7f4efffff640 (LWP 411)):
#0  futex_wait_cancelable (private=0, expected=0, futex_word=0x56415c8bcee0) at ../sysdeps/nptl/futex-internal.h:183
#1  __pthread_cond_wait_common (abstime=0x0, clockid=0, mutex=0x56415c8bce90, cond=0x56415c8bceb8) at pthread_cond_wait.c:508
#2  __pthread_cond_wait (cond=0x56415c8bceb8, mutex=0x56415c8bce90) at pthread_cond_wait.c:638
#3  0x00007f4f23981e04 in  () at /usr/lib/dri/swrast_dri.so
#4  0x00007f4f23979b18 in  () at /usr/lib/dri/swrast_dri.so
#5  0x00007f4f55f2b3e9 in start_thread (arg=0x7f4efffff640) at pthread_create.c:463
#6  0x00007f4f5613e293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 3 (Thread 0x7f4f18d27640 (LWP 410)):
#0  futex_wait_cancelable (private=0, expected=0, futex_word=0x56415c8bcee0) at ../sysdeps/nptl/futex-internal.h:183
#1  __pthread_cond_wait_common (abstime=0x0, clockid=0, mutex=0x56415c8bce90, cond=0x56415c8bceb8) at pthread_cond_wait.c:508
#2  __pthread_cond_wait (cond=0x56415c8bceb8, mutex=0x56415c8bce90) at pthread_cond_wait.c:638
#3  0x00007f4f23981e04 in  () at /usr/lib/dri/swrast_dri.so
#4  0x00007f4f23979b18 in  () at /usr/lib/dri/swrast_dri.so
#5  0x00007f4f55f2b3e9 in start_thread (arg=0x7f4f18d27640) at pthread_create.c:463
#6  0x00007f4f5613e293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 2 (Thread 0x7f4f1a52a640 (LWP 407)):
#0  futex_wait_cancelable (private=0, expected=0, futex_word=0x56415c8bb4b8) at ../sysdeps/nptl/futex-internal.h:183
#1  __pthread_cond_wait_common (abstime=0x0, clockid=0, mutex=0x56415c8bb468, cond=0x56415c8bb490) at pthread_cond_wait.c:508
#2  __pthread_cond_wait (cond=0x56415c8bb490, mutex=0x56415c8bb468) at pthread_cond_wait.c:638
#3  0x00007f4f2399a584 in  () at /usr/lib/dri/swrast_dri.so
#4  0x00007f4f23979b48 in  () at /usr/lib/dri/swrast_dri.so
#5  0x00007f4f55f2b3e9 in start_thread (arg=0x7f4f1a52a640) at pthread_create.c:463
#6  0x00007f4f5613e293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 1 (Thread 0x7f4f55771940 (LWP 403)):
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
#1  0x00007f4f56064862 in __GI_abort () at abort.c:79
#2  0x000056415b95821a in OsAbort () at ../xorg-server-1.20.9/os/utils.c:1351
#3  0x000056415b959ce1 in AbortServer () at ../xorg-server-1.20.9/os/log.c:879
#4  FatalError (f=f@entry=0x56415b9e5098 "Caught signal %d (%s). Server aborting\n") at ../xorg-server-1.20.9/os/log.c:1017
#5  0x000056415b95f8f9 in OsSigHandler (unused=<optimized out>, sip=0x7ffed6775e30, signo=11) at ../xorg-server-1.20.9/os/osinit.c:156
#6  OsSigHandler (signo=11, sip=0x7ffed6775e30, unused=<optimized out>) at ../xorg-server-1.20.9/os/osinit.c:110
#7  0x00007f4f5607b6a0 in <signal handler called> () at /usr/lib/libc.so.6
#8  0x00007f4f553c53b1 in qxl_bo_map (_bo=0x38) at qxl_mem.c:501
#9  0x00007f4f553c5705 in qxl_garbage_collect_internal (qxl=qxl@entry=0x56415c804d30, id=<optimized out>) at qxl_mem.c:277
#10 0x00007f4f553c5ee8 in qxl_garbage_collect (qxl=0x56415c804d30) at qxl_mem.c:369
#11 qxl_allocnf (qxl=qxl@entry=0x56415c804d30, size=size@entry=191, name=name@entry=0x7f4f553db6cc "drawable command") at qxl_mem.c:417
#12 0x00007f4f553c60e1 in qxl_bo_alloc_internal (name=0x7f4f553db6cc "drawable command", size=191, flags=0, type=4, qxl=0x56415c804d30) at qxl_mem.c:480
#13 qxl_cmd_alloc (qxl=0x56415c804d30, size=191, name=0x7f4f553db6cc "drawable command") at qxl_mem.c:495
#14 0x00007f4f553c2a50 in make_drawable (qxl=qxl@entry=0x56415c804d30, surf=surf@entry=0x56415c802d80, type=type@entry=3 '\003', rect=rect@entry=0x7ffed67763a0) at qxl_surface.c:55
#15 0x00007f4f553c3e24 in qxl_surface_put_image (dest=0x56415c802d80, x=<optimized out>, y=<optimized out>, width=480, height=624, src=0x7f4eff26b000 "\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\333\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\333\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\340\335\332\377\340\335\332\377\340\335\332\377\340\335\332\377\340\335\332\377\340\335\332\377\337\335\332\377"..., src_pitch=4096) at qxl_surface.c:789
#16 0x00007f4f553cd989 in uxa_copy_n_to_n (pSrcDrawable=pSrcDrawable@entry=0x56415c8121d0, pDstDrawable=pDstDrawable@entry=0x56415cd43d50, pGC=pGC@entry=0x56415cdaca60, pbox=pbox@entry=0x7ffed6776610, nbox=0, dx=dx@entry=0, dy=<optimized out>, reverse=0, upsidedown=0, bitplane=0, closure=0x0) at uxa-accel.c:582
#17 0x000056415b852507 in miCopyRegion (pSrcDrawable=pSrcDrawable@entry=0x56415c8121d0, pDstDrawable=pDstDrawable@entry=0x56415cd43d50, pGC=pGC@entry=0x56415cdaca60, pDstRegion=pDstRegion@entry=0x7ffed6776610, dx=dx@entry=0, dy=dy@entry=-108, copyProc=0x7f4f553ccf90 <uxa_copy_n_to_n>, bitPlane=0, closure=0x0) at ../xorg-server-1.20.9/mi/micopy.c:121
#18 0x000056415b8563c6 in miDoCopy (pSrcDrawable=0x56415c8121d0, pDstDrawable=0x56415cd43d50, pGC=0x56415cdaca60, xIn=0, yIn=0, widthSrc=480, heightSrc=624, xOut=0, yOut=108, copyProc=0x7f4f553ccf90 <uxa_copy_n_to_n>, bitPlane=0, closure=0x0) at ../xorg-server-1.20.9/mi/micopy.c:296
#19 0x00007f4f553ccac5 in uxa_copy_area (pSrcDrawable=<optimized out>, pDstDrawable=<optimized out>, pGC=<optimized out>, srcx=<optimized out>, srcy=<optimized out>, width=<optimized out>, height=624, dstx=0, dsty=108) at uxa-accel.c:642
#20 0x000056415b8d3906 in damageCopyArea (pSrc=0x56415c8121d0, pDst=0x56415cd43d50, pGC=0x56415cdaca60, srcx=<optimized out>, srcy=<optimized out>, width=480, height=624, dstx=0, dsty=108) at ../xorg-server-1.20.9/miext/damage/damage.c:775
#21 0x000056415b8f1bd1 in doShmPutImage (data=0x7f4eff26b000 "\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\333\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\333\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\337\335\332\377\340\335\332\377\340\335\332\377\340\335\332\377\340\335\332\377\340\335\332\377\340\335\332\377\337\335\332\377"..., dy=<optimized out>, dx=<optimized out>, sh=624, sw=480, sy=0, sx=<optimized out>, h=624, w=<optimized out>, format=<optimized out>, depth=<optimized out>, pGC=<optimized out>, dst=0x56415cd43d50) at ../xorg-server-1.20.9/Xext/shm.c:484
#22 ProcShmPutImage (client=0x56415c858770) at ../xorg-server-1.20.9/Xext/shm.c:594
#23 0x000056415b848195 in Dispatch () at ../xorg-server-1.20.9/dix/dispatch.c:478
#24 dix_main (envp=<optimized out>, argv=<optimized out>, argc=<optimized out>) at ../xorg-server-1.20.9/dix/main.c:276
#25 main (argc=13, argv=0x7ffed67769a8, envp=<optimized out>) at ../xorg-server-1.20.9/dix/stubmain.c:34
(gdb) 

[    47.518] (**) spice vdagent tablet: (accel) selected scheme none/0
[    47.518] (**) spice vdagent tablet: (accel) acceleration factor: 2.000
[    47.518] (**) spice vdagent tablet: (accel) acceleration threshold: 4
[    47.518] (II) event5  - spice vdagent tablet: is tagged by udev as: Mouse
[    47.518] (II) event5  - spice vdagent tablet: device is a pointer
[   970.568] (EE) 
[   970.568] (EE) Backtrace:
[   970.569] (EE) 0: /usr/lib/Xorg (xorg_backtrace+0x53) [0x56415b954ba3]
[   970.569] (EE) 1: /usr/lib/Xorg (0x56415b80e000+0x151895) [0x56415b95f895]
[   970.570] (EE) 2: /usr/lib/libc.so.6 (0x7f4f5603e000+0x3d6a0) [0x7f4f5607b6a0]
[   970.570] (EE) 3: /usr/lib/xorg/modules/drivers/qxl_drv.so (0x7f4f553bc000+0x93b1) [0x7f4f553c53b1]
[   970.570] (EE) 4: /usr/lib/xorg/modules/drivers/qxl_drv.so (0x7f4f553bc000+0x9705) [0x7f4f553c5705]
[   970.570] (EE) 5: /usr/lib/xorg/modules/drivers/qxl_drv.so (0x7f4f553bc000+0x9ee8) [0x7f4f553c5ee8]
[   970.570] (EE) 6: /usr/lib/xorg/modules/drivers/qxl_drv.so (0x7f4f553bc000+0xa0e1) [0x7f4f553c60e1]
[   970.570] (EE) 7: /usr/lib/xorg/modules/drivers/qxl_drv.so (0x7f4f553bc000+0x6a50) [0x7f4f553c2a50]
[   970.571] (EE) 8: /usr/lib/xorg/modules/drivers/qxl_drv.so (0x7f4f553bc000+0x7e24) [0x7f4f553c3e24]
[   970.571] (EE) 9: /usr/lib/xorg/modules/drivers/qxl_drv.so (0x7f4f553bc000+0x11989) [0x7f4f553cd989]
[   970.571] (EE) 10: /usr/lib/Xorg (miCopyRegion+0x97) [0x56415b852507]
[   970.571] (EE) 11: /usr/lib/Xorg (miDoCopy+0x466) [0x56415b8563c6]
[   970.571] (EE) 12: /usr/lib/xorg/modules/drivers/qxl_drv.so (0x7f4f553bc000+0x10ac5) [0x7f4f553ccac5]
[   970.571] (EE) 13: /usr/lib/Xorg (0x56415b80e000+0xc5906) [0x56415b8d3906]
[   970.572] (EE) 14: /usr/lib/Xorg (0x56415b80e000+0xe3bd1) [0x56415b8f1bd1]
[   970.572] (EE) 15: /usr/lib/Xorg (0x56415b80e000+0x3a195) [0x56415b848195]
[   970.572] (EE) 16: /usr/lib/libc.so.6 (__libc_start_main+0xf2) [0x7f4f56066152]
[   970.572] (EE) 17: /usr/lib/Xorg (_start+0x2e) [0x56415b8485de]
[   970.572] (EE) 
[   970.572] (EE) Segmentation fault at address 0x38
[   970.573] (EE) 
Fatal server error:
[   970.573] (EE) Caught signal 11 (Segmentation fault). Server aborting
[   970.573] (EE) 
[   970.573] (EE) 

Last edited by mettacrawler (2020-09-27 20:38:09)

mettacrawler

Member

Registered: 2020-09-26

Posts: 26

Re: [SOLVED] qxl_drv.so segfaults during GC when I use spice-vdagent

I just had to upgrade from xf86-video-qxl to xf86-video-qxl-git (and fix xf86-video-qxl-git).  Now it's not crashing and I can copy-paste from the guest to the host.
https://aur.archlinux.org/packages/xf86-video-qxl-git/

brickstonedog

Member

Registered: 2022-09-11

Posts: 1

Re: [SOLVED] qxl_drv.so segfaults during GC when I use spice-vdagent

Thx @mettacrawler. You saved my day Worked for me too, after adding qxl to be loaded in KMS or disabling them showed no effect.