Bug 2136797

Summary: qemu crash when taking screenshot with png format
Product: Red Hat Enterprise Linux 9
Reporter: Guo, Zhiyi <zhguo>
Component: qemu-kvm
Assignee: Gerd Hoffmann <kraxel>
qemu-kvm sub component: Graphics
QA Contact: Guo, Zhiyi <zhguo>
Status: CLOSED ERRATA
Docs Contact:
Severity: medium
Priority: medium
CC: coli, jinzhao, juzhang, kraxel, mrezanin, vgoyal, virt-maint, xuwei
Version: 9.2
Keywords: Triaged
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: All
Whiteboard:
Fixed In Version: qemu-kvm-7.2.0-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-05-09 07:20:41 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2135806
Bug Blocks:

Description Guo, Zhiyi 2022-10-21 11:13:38 UTC
Description of problem:
qemu crash when taking screenshot with png format

Version-Release number of selected component (if applicable):
qemu-kvm-7.1.0-3.el9.x86_64
kernel-5.14.0-176.el9.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Boot a VM with the qemu cli:
/usr/libexec/qemu-kvm \
-name guest=win-tmp,debug-threads=on \
-machine pc-q35-rhel9.0.0,usb=off,dump-guest-core=off,memory-backend=pc.ram \
-accel kvm \
-cpu Broadwell-IBRS,vme=on,ss=on,vmx=on,pdcm=on,f16c=on,rdrand=on,hypervisor=on,arat=on,tsc-adjust=on,umip=on,md-clear=on,stibp=on,arch-capabilities=on,ssbd=on,xsaveopt=on,pdpe1gb=on,abm=on,ibpb=on,ibrs=on,amd-stibp=on,amd-ssbd=on,skip-l1dfl-vmentry=on,pschange-mc-no=on,hv-time=on,hv-relaxed=on,hv-vapic=on,hv-spinlocks=0x1fff,hv-vpindex=on,hv-runtime=on,hv-synic=on,hv-stimer=on,hv-stimer-direct=on,hv-reset=on,hv-frequencies=on,hv-reenlightenment=on,hv-tlbflush=on,hv-ipi=on,hv-evmcs=on \
-m 8192 \
-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":8589934592}' \
-overcommit mem-lock=off \
-smp 4,sockets=1,dies=1,cores=4,threads=1 \
-uuid 77c895d1-4180-4d0d-aea4-01e04dede02d \
-no-user-config \
-nodefaults \
-rtc base=localtime,driftfix=slew \
-global kvm-pit.lost_tick_policy=delay \
-no-hpet \
-no-shutdown \
-global ICH9-LPC.disable_s3=1 \
-global ICH9-LPC.disable_s4=1 \
-boot strict=on \
-device '{"driver":"pcie-root-port","port":16,"chassis":1,"id":"pci.1","bus":"pcie.0","multifunction":true,"addr":"0x2"}' \
-device '{"driver":"pcie-root-port","port":17,"chassis":2,"id":"pci.2","bus":"pcie.0","addr":"0x2.0x1"}' \
-device '{"driver":"pcie-root-port","port":18,"chassis":3,"id":"pci.3","bus":"pcie.0","addr":"0x2.0x2"}' \
-device '{"driver":"pcie-root-port","port":19,"chassis":4,"id":"pci.4","bus":"pcie.0","addr":"0x2.0x3"}' \
-device '{"driver":"pcie-root-port","port":20,"chassis":5,"id":"pci.5","bus":"pcie.0","addr":"0x2.0x4"}' \
-device '{"driver":"pcie-root-port","port":21,"chassis":6,"id":"pci.6","bus":"pcie.0","addr":"0x2.0x5"}' \
-device '{"driver":"pcie-root-port","port":22,"chassis":7,"id":"pci.7","bus":"pcie.0","addr":"0x2.0x6"}' \
-device '{"driver":"pcie-root-port","port":23,"chassis":8,"id":"pci.8","bus":"pcie.0","addr":"0x2.0x7"}' \
-device '{"driver":"pcie-root-port","port":24,"chassis":9,"id":"pci.9","bus":"pcie.0","multifunction":true,"addr":"0x3"}' \
-device '{"driver":"pcie-root-port","port":25,"chassis":10,"id":"pci.10","bus":"pcie.0","addr":"0x3.0x1"}' \
-device '{"driver":"pcie-root-port","port":26,"chassis":11,"id":"pci.11","bus":"pcie.0","addr":"0x3.0x2"}' \
-device '{"driver":"pcie-root-port","port":27,"chassis":12,"id":"pci.12","bus":"pcie.0","addr":"0x3.0x3"}' \
-device '{"driver":"pcie-root-port","port":28,"chassis":13,"id":"pci.13","bus":"pcie.0","addr":"0x3.0x4"}' \
-device '{"driver":"pcie-root-port","port":29,"chassis":14,"id":"pci.14","bus":"pcie.0","addr":"0x3.0x5"}' \
-device '{"driver":"qemu-xhci","p2":15,"p3":15,"id":"usb","bus":"pci.2","addr":"0x0"}' \
-device '{"driver":"virtio-scsi-pci","id":"scsi0","bus":"pci.3","addr":"0x0"}' \
-blockdev '{"driver":"file","filename":"/home/win-tmp.qcow2","node-name":"libvirt-4-storage","cache":{"direct":true,"no-flush":false},"auto-read-only":true,"discard":"unmap"}' \
-blockdev '{"node-name":"libvirt-4-format","read-only":false,"discard":"unmap","cache":{"direct":true,"no-flush":false},"driver":"qcow2","file":"libvirt-4-storage","backing":null}' \
-device '{"driver":"scsi-hd","bus":"scsi0.0","channel":0,"scsi-id":0,"lun":0,"device_id":"drive-scsi0-0-0-0","drive":"libvirt-4-format","id":"scsi0-0-0-0","bootindex":1,"write-cache":"on"}' \
-device '{"driver":"ide-cd","bus":"ide.1","id":"sata0-0-1"}' \
-device '{"driver":"ide-cd","bus":"ide.2","id":"sata0-0-2"}' \
-device '{"driver":"ide-cd","bus":"ide.3","id":"sata0-0-3"}' \
-device '{"driver":"usb-tablet","id":"input0","bus":"usb.0","port":"1"}' \
-audiodev '{"id":"audio1","driver":"none"}' \
-vnc 0.0.0.0:0,audiodev=audio1 \
-device '{"driver":"VGA","id":"video0","vgamem_mb":16,"bus":"pcie.0","addr":"0x1"}' \
-qmp tcp:0.0.0.0:4444,server,nowait \
2. Try to take a screenshot with png format:
{ "execute": "screendump", "arguments": { "filename": "/tmp/image", "format":"png" } }

Actual results:
qemu crashes with log:
Thread 1 "qemu-kvm" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff6135f00 (LWP 3713)]
0x00007ffff716d4e9 in malloc () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff716d4e9 in malloc () from /lib64/libc.so.6
#1  0x00007ffff74241e9 in g_malloc () from /lib64/libglib-2.0.so.0
#2  0x0000555555ece6c0 in qemu_iovec_init_extended (qiov=0x7ffdc018fe00, head_buf=0x0, head_len=0, mid_qiov=<optimized out>, 
    mid_offset=<optimized out>, mid_len=65536, tail_buf=0x0, tail_len=0) at ../util/iov.c:451
#3  0x0000555555d208b2 in bdrv_driver_pwritev (bs=0x5555567f6110, offset=10338041856, bytes=65536, qiov=0x5, 
    qiov_offset=65536, flags=0) at ../util/iov.c:514
#4  0x0000555555d1fbac in bdrv_aligned_pwritev (child=0x555556802f50, req=0x7ffdc018ff68, offset=22894965138, bytes=65536, 
    align=<optimized out>, qiov=0x5, qiov_offset=65536, flags=<optimized out>) at ../block/io.c:2097
#5  0x0000555555d1e5c9 in bdrv_co_pwritev_part (child=0x555556802f50, offset=10338041856, bytes=65536, qiov=0x7ffdc018fe00, 
    qiov_offset=<optimized out>, flags=0) at ../block/io.c:2289
#6  0x0000555555d55781 in qcow2_co_pwritev_task (bs=0x5555567fd960, host_offset=22894965138, offset=10237247488, bytes=65536, 
    qiov=0x5, qiov_offset=0, l2meta=0x555557c61990) at ../block/qcow2.c:2573
#7  qcow2_co_pwritev_task_entry (task=<optimized out>) at ../block/qcow2.c:2603
#8  0x0000555555d00645 in aio_task_co (opaque=0x1f) at ../block/aio_task.c:45
#9  0x0000555555eca6f6 in coroutine_trampoline (i0=<optimized out>, i1=<optimized out>) at ../util/coroutine-ucontext.c:177
#10 0x00007ffff70e8360 in ?? () from /lib64/libc.so.6
#11 0x00007ffff6132980 in ?? ()
#12 0x0000000000000000 in ?? ()

Expected results:
No qemu crash happens

Additional info:
No qemu crash happens when taking a screenshot with ppm format
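
Added example (not from this report and not QEMU's own qmp.py): a minimal QMP client that performs the capabilities handshake, drives the screendump command from step 2 for both formats, and checks the magic bytes of the file that was written. With the 7.1.0 build the png call never gets a reply because the process has died, which the client reports as a closed connection. It assumes QMP on a UNIX socket (an assumed -qmp unix:/tmp/qmp.sock,server,nowait) rather than the reproducer's tcp:0.0.0.0:4444, which exposes an unauthenticated control channel for the VM on every interface and belongs only on a throwaway test host. fake_qemu is a constructed stand-in for the QMP server so the demo runs offline; run_demo exercises it. One note on reading the backtrace: the fault is inside malloc() under a qcow2 write that has nothing to do with the UI, the usual signature of earlier heap corruption (the double frees in png_save() named in the upstream fix) rather than a block-layer bug, so a build with AddressSanitizer is the quicker route to the real culprit frame.

```python
"""QMP client for the screendump reproducer (added example, not QEMU's qmp.py)."""
import json
import os
import socket
import tempfile
import threading

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # 8-byte PNG signature
PPM_MAGIC = b"P6"                  # binary PPM header


class QMPError(Exception):
    pass


class QMPClient:
    """Newline-delimited JSON over a stream socket: greeting, qmp_capabilities, commands."""

    def __init__(self, sock):
        self.sock = sock
        self.rfile = sock.makefile("rb")

    @classmethod
    def connect_unix(cls, path):
        # Assumed launch flag: -qmp unix:/tmp/qmp.sock,server,nowait (not the report's tcp socket)
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.connect(path)
        return cls(s)

    def _recv(self):
        line = self.rfile.readline()
        if not line:
            # EOF with no reply is how a SIGSEGV in qemu shows up on the QMP side
            raise QMPError("connection closed by QEMU (process crashed?)")
        return json.loads(line)

    def handshake(self):
        greeting = self._recv()
        if "QMP" not in greeting:
            raise QMPError(f"unexpected greeting: {greeting!r}")
        self.execute("qmp_capabilities")   # leave capabilities negotiation mode
        return greeting["QMP"]["version"]

    def execute(self, command, **arguments):
        msg = {"execute": command}
        if arguments:
            msg["arguments"] = arguments
        self.sock.sendall(json.dumps(msg).encode() + b"\n")
        while True:
            reply = self._recv()
            if "event" in reply:           # async events interleave with replies
                continue
            if "error" in reply:
                raise QMPError(reply["error"]["desc"])
            return reply["return"]

    def close(self):
        self.rfile.close()
        self.sock.close()


def screendump(client, filename, fmt):
    """Run screendump and confirm the file really is an image of that format."""
    client.execute("screendump", filename=filename, format=fmt)
    with open(filename, "rb") as f:
        head = f.read(8)
    magic = PNG_MAGIC if fmt == "png" else PPM_MAGIC
    if not head.startswith(magic):
        raise QMPError(f"{filename} is not a {fmt} image: {head!r}")
    return head


def fake_qemu(server_sock, crash_on_png):
    """Constructed stand-in for QEMU's QMP server so the demo runs offline.
    With crash_on_png=True it drops the connection on a png screendump, the
    externally visible behaviour of the qemu-kvm-7.1.0 crash in this report."""
    rfile = server_sock.makefile("rb")
    greeting = {"QMP": {"version": {"qemu": {"major": 7, "minor": 1, "micro": 0}},
                        "capabilities": ["oob"]}}
    server_sock.sendall(json.dumps(greeting).encode() + b"\n")
    for line in rfile:
        req = json.loads(line)
        args = req.get("arguments", {})
        if req["execute"] == "screendump":
            if args.get("format") == "png" and crash_on_png:
                rfile.close()
                server_sock.close()        # no reply at all, like a dead process
                return
            with open(args["filename"], "wb") as f:
                f.write(PNG_MAGIC if args.get("format") == "png"
                        else PPM_MAGIC + b"\n1 1\n255\n\x00\x00\x00")
        server_sock.sendall(json.dumps({"return": {}}).encode() + b"\n")


def run_demo(crash_on_png):
    """Drive the reproducer against the fake; returns {"ppm": ..., "png": ...}."""
    client_sock, server_sock = socket.socketpair()
    t = threading.Thread(target=fake_qemu, args=(server_sock, crash_on_png), daemon=True)
    t.start()
    client = QMPClient(client_sock)
    client.handshake()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for fmt in ("ppm", "png"):          # ppm first: it works on both builds
            try:
                screendump(client, os.path.join(d, "image." + fmt), fmt)
                results[fmt] = "ok"
            except QMPError as e:
                results[fmt] = "crash" if "connection closed" in str(e) else "error"
    client.close()
    t.join(timeout=2)
    return results


if __name__ == "__main__":
    print(run_demo(crash_on_png=False))   # {'ppm': 'ok', 'png': 'ok'}
    print(run_demo(crash_on_png=True))    # {'ppm': 'ok', 'png': 'crash'}
```

Against a real VM the same calls are client = QMPClient.connect_unix("/tmp/qmp.sock"); client.handshake(); screendump(client, "/tmp/image", "png"). On qemu-kvm-7.1.0-3.el9 the png call raises QMPError("connection closed by QEMU ..."); on the fixed build it returns the PNG signature, which is a tighter verification than only checking that the process survived.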

Comment 1 Guo, Zhiyi 2022-10-21 11:24:54 UTC
I see there is an upstream fix, "[PATCH v2] ui/console: fix three double frees in png_save()", which seems to address this issue. But I cannot reproduce the issue with the reproducer from https://gitlab.com/qemu-project/qemu/-/issues/1210.
Gerd, could you help to check this issue?

Zhiyi

Comment 2 John Ferlan 2022-10-22 11:57:31 UTC
If the above MR resolves the issue, then this bug can be moved to POST, set ITR=9.2.0 w/ DTM=15, dependent bug 2135806 (qemu rebase), and add 'resolved by qemu-7.2 commit ######' to the devel whiteboard....

Comment 4 Gerd Hoffmann 2022-11-09 17:59:22 UTC
reproduces on upstream 7.1.0
does not reproduce on upstream 7.2.0-rc0

So the patch referenced in comment 1 most likely fixes the problem and the rebase should pick up the fix.

Comment 6 Yanan Fu 2022-12-20 09:18:52 UTC
QE bot(pre verify): Set 'Verified:Tested,SanityOnly' as gating/tier1 test pass.

Comment 9 Guo, Zhiyi 2022-12-28 14:24:33 UTC
Tested against qemu-kvm-7.2.0-2.el9.x86_64, not able to reproduce this issue anymore. So marking this bug verified.

Comment 11 errata-xmlrpc 2023-05-09 07:20:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: qemu-kvm security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2162