Bug 1684383 - qemu crashed when take screenshot for 2nd head of virtio video device if the display not opened by virt-viewer
Summary: qemu crashed when take screenshot for 2nd head of virtio video device if the ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: qemu-kvm
Version: 8.0
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Gerd Hoffmann
QA Contact: Guo, Zhiyi
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-03-01 06:44 UTC by Yanqiu Zhang
Modified: 2020-01-20 10:27 UTC
CC: 14 users

Fixed In Version: qemu-kvm-2.12.0-85.module+el8.1.0+4010+d6842f29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-05 20:48:05 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
full-bt-gdb.txt (23.51 KB, text/plain), 2019-03-01 06:47 UTC, Yanqiu Zhang


Links
Red Hat Product Errata RHSA-2019:3345 (last updated 2019-11-05 20:48:35 UTC)

Description Yanqiu Zhang 2019-03-01 06:44:06 UTC
Description of problem:
Start a guest with a virtio video device with heads > 1, e.g. heads=3. If the checkbox to show 'Display 2' is not selected in virt-viewer, qemu will crash when taking a screenshot of the 2nd display.
(If it is shown in virt-viewer, the issue does not happen.)

Version-Release number of selected component (if applicable):
qemu-kvm-core-2.12.0-63.module+el8+2833+c7d6d092
libvirt-4.5.0-23.module+el8+2800+2d311f65.x86_64
kernel-4.18.0-73.el8.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Configure a guest with the following XML (a RHEL guest as an example):
...
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0'/>
      <address type='virtio-serial' controller='0' bus='0' port='2'/>
    </channel>
...
    <graphics type='spice' autoport='yes'>
      <listen type='address'/>
    </graphics>
...
    <video>
      <model type='virtio' heads='3' primary='yes'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
    </video>
...
2. Start guest
# virsh start rhel8.0-yqz
Domain rhel8.0-yqz started

...-device virtio-vga,id=video0,max_outputs=3,bus=pci.0,addr=0x2 ...


3. Without showing the 2nd display in virt-viewer, try to take a screenshot of each video head:
# virsh screenshot rhel8.0-yqz --screen 0
Screenshot saved to rhel8.0-yqz-2019-02-28-19:46:24.ppm, with type of image/x-portable-pixmap
# virsh screenshot rhel8.0-yqz --screen 1
 
error: could not take a screenshot of rhel8.0-yqz
error: Unable to read from monitor: Connection reset by peer

# abrt-cli ls
id 1e2225e60b90d41d0677df534053c9631e29439f
reason:         qmp_screendump(): qemu-kvm killed by SIGSEGV
time:           Thu 28 Feb 2019 07:46:25 PM CST
cmdline:        /usr/libexec/qemu-kvm -name guest=rhel8.0-yqz,debug-threads=on -S -object secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-13-rhel8.0-yqz/master-key.aes -machine pc-q35-rhel7.6.0,accel=kvm,usb=off,vmport=off,dump-guest-core=off -cpu Haswell-noTSX-IBRS,vme=on,ds=on,acpi=on,ss=on,ht=on,tm=on,pbe=on,dtes64=on,monitor=on,ds_cpl=on,vmx=on,smx=on,est=on,tm2=on,xtpr=on,pdcm=on,osxsave=on,f16c=on,rdrand=on,arat=on,tsc_adjust=on,stibp=on,xsaveopt=on,pdpe1gb=on,abm=on -m 1024 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid 74e8cfa0-0beb-40ac-9662-17d5da05c52d -no-user-config -nodefaults -chardev socket,id=charmonitor,fd=30,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=delay -no-hpet -no-shutdown -global ICH9-LPC.disable_s3=1 -global ICH9-LPC.disable_s4=1 -boot strict=on -device pcie-root-port,port=0x10,chassis=1,id=pci.1,bus=pcie.0,multifunction=on,addr=0x2 -device pcie-root-port,port=0x11,chassis=2,id=pci.2,bus=pcie.0,addr=0x2.0x1 -device pcie-root-port,port=0x12,chassis=3,id=pci.3,bus=pcie.0,addr=0x2.0x2 -device pcie-root-port,port=0x13,chassis=4,id=pci.4,bus=pcie.0,addr=0x2.0x3 -device pcie-root-port,port=0x14,chassis=5,id=pci.5,bus=pcie.0,addr=0x2.0x4 -device pcie-root-port,port=0x15,chassis=6,id=pci.6,bus=pcie.0,addr=0x2.0x5 -device pcie-root-port,port=0x16,chassis=7,id=pci.7,bus=pcie.0,addr=0x2.0x6 -device qemu-xhci,p2=15,p3=15,id=usb,bus=pci.2,addr=0x0 -device virtio-serial-pci,id=virtio-serial0,bus=pci.3,addr=0x0 -drive file=/s3-qe-team/yanqzhan/RHEL-8.0-x86_64-latest.qcow2,format=qcow2,if=none,id=drive-virtio-disk0 -device virtio-blk-pci,scsi=off,bus=pci.4,addr=0x0,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -netdev tap,fd=32,id=hostnet0,vhost=on,vhostfd=33 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:3a:3d:9f,bus=pci.1,addr=0x0 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev 
socket,id=charchannel0,fd=34,server,nowait -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=org.qemu.guest_agent.0 -chardev spicevmc,id=charchannel1,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=2,chardev=charchannel1,id=channel1,name=com.redhat.spice.0 -device usb-tablet,id=input0,bus=usb.0,port=1 -spice port=5900,addr=127.0.0.1,disable-ticketing,seamless-migration=on -device virtio-vga,id=video0,max_outputs=2,bus=pcie.0,addr=0x1 -device ich9-intel-hda,id=sound0,bus=pcie.0,addr=0x1b -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -chardev spicevmc,id=charredir0,name=usbredir -device usb-redir,chardev=charredir0,id=redir0,bus=usb.0,port=2 -chardev spicevmc,id=charredir1,name=usbredir -device usb-redir,chardev=charredir1,id=redir1,bus=usb.0,port=3 -device virtio-balloon-pci,id=balloon0,bus=pci.5,addr=0x0 -object rng-random,id=objrng0,filename=/dev/urandom -device virtio-rng-pci,rng=objrng0,id=rng0,bus=pci.6,addr=0x0 -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny -msg timestamp=on
package:        15:qemu-kvm-core-2.12.0-63.module+el8+2833+c7d6d092
uid:            107 (qemu)
count:          1
Directory:      /var/spool/abrt/ccpp-2019-02-28-19:46:25-3153
Run 'abrt-cli report /var/spool/abrt/ccpp-2019-02-28-19:46:25-3153' for creating a case in Red Hat Customer Portal


Actual result:
As in step 3, qemu crashed when taking a screenshot of the 2nd head of the virtio video device while that display is not shown in virt-viewer.

Expected result:
qemu should not crash; the screenshot should either succeed or fail with a proper error.

Additional info:
1. (gdb) bt
#0  0x0000559c66413595 in ppm_save (errp=0x7ffdff574a58, ds=0x0, filename=0x559c69054490 "/var/cache/libvirt/qemu/qemu.screendump.89EaXo") at ui/console.c:373
#1  0x0000559c66413595 in qmp_screendump
    (filename=0x559c69054490 "/var/cache/libvirt/qemu/qemu.screendump.89EaXo", has_device=<optimized out>, device=<optimized out>, has_head=<optimized out>, head=<optimized out>, errp=errp@entry=0x7ffdff574a58)
    at ui/console.c:373
#2  0x0000559c663017a7 in qmp_marshal_screendump (args=<optimized out>, ret=<optimized out>, errp=0x7ffdff574ac8) at qapi/qapi-commands-ui.c:110
#3  0x0000559c664e93bb in do_qmp_dispatch (errp=0x7ffdff574ac0, request=0x7ffdff574ac0, cmds=<optimized out>) at qapi/qmp-dispatch.c:111
#4  0x0000559c664e93bb in qmp_dispatch (cmds=<optimized out>, request=request@entry=0x559c67de0e80) at qapi/qmp-dispatch.c:160
#5  0x0000559c6620b62e in monitor_qmp_dispatch_one (req_obj=<optimized out>) at /usr/src/debug/qemu-kvm-2.12.0-63.module+el8+2833+c7d6d092.x86_64/monitor.c:4084
#6  0x0000559c6620b8cc in monitor_qmp_bh_dispatcher (data=<optimized out>) at /usr/src/debug/qemu-kvm-2.12.0-63.module+el8+2833+c7d6d092.x86_64/monitor.c:4142
#7  0x0000559c664f3bf6 in aio_bh_call (bh=0x559c67c0e950) at util/async.c:118
#8  0x0000559c664f3bf6 in aio_bh_poll (ctx=ctx@entry=0x559c67bc7d70) at util/async.c:118
#9  0x0000559c664f6d74 in aio_dispatch (ctx=0x559c67bc7d70) at util/aio-posix.c:440
#10 0x0000559c664f3ad2 in aio_ctx_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at util/async.c:261
#11 0x00007f4f0ebb989d in g_main_dispatch (context=0x559c67bc8540) at gmain.c:3176
#12 0x00007f4f0ebb989d in g_main_context_dispatch (context=context@entry=0x559c67bc8540) at gmain.c:3829
#13 0x0000559c664f5ff0 in glib_pollfds_poll () at util/main-loop.c:215
#14 0x0000559c664f5ff0 in os_host_main_loop_wait (timeout=<optimized out>) at util/main-loop.c:238
#15 0x0000559c664f5ff0 in main_loop_wait (nonblocking=<optimized out>) at util/main-loop.c:497
#16 0x0000559c661c04b5 in main_loop () at vl.c:1964
#17 0x0000559c661c04b5 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4789

2. If 'Display 2' is selected to be shown in virt-viewer, the screenshot succeeds:
# virsh screenshot avocado-vt-vm1 --screen 1
Screenshot saved to avocado-vt-vm1-2019-02-28-07:20:57.ppm, with type of image/x-portable-pixmap

Comment 1 Yanqiu Zhang 2019-03-01 06:47:34 UTC
Created attachment 1539732
full-bt-gdb.txt

Comment 2 Gerd Hoffmann 2019-08-13 10:26:58 UTC
> #0  0x0000559c66413595 in ppm_save (errp=0x7ffdff574a58, ds=0x0,
> filename=0x559c69054490 "/var/cache/libvirt/qemu/qemu.screendump.89EaXo") at
> ui/console.c:373

ds=0x0

=> DisplaySurface NULL pointer dereference.

Comment 3 Gerd Hoffmann 2019-08-13 11:08:00 UTC
Fixed by commit 08d9864fa4e0c616e076ca8b225d39a7ecb189af (qemu 3.0).
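Added illustration (model code written for this page, not QEMU's own ui/console.c) of the failure diagnosed in comment 2: a head the viewer never opened has no DisplaySurface, so `ppm_save()` receives `ds=0x0` and dereferences it. The `screendump()` below shows the shape of check that turns that crash into the "fail with proper error" outcome the report asks for; struct layouts, `MAX_HEADS` and the pixel data are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed model of console state: one QemuConsole per video head.
 * A head that virt-viewer never showed has no DisplaySurface yet, so
 * its surface pointer is NULL (the ds=0x0 seen in the backtrace). */
typedef struct { int width, height; const uint8_t *rgb; } DisplaySurface;
typedef struct { DisplaySurface *surface; } QemuConsole;

enum { MAX_HEADS = 3 };
static uint8_t pixels[2 * 2 * 3] = { 255,0,0, 0,255,0, 0,0,255, 255,255,255 };
static DisplaySurface head0_surface = { 2, 2, pixels };
static QemuConsole consoles[MAX_HEADS] = {
    { &head0_surface }, /* head 0: shown by the viewer, has a surface */
    { NULL },           /* head 1: never shown -> no surface */
    { NULL },           /* head 2: never shown -> no surface */
};

/* Writes a binary PPM into buf and returns the bytes written. Like the
 * ppm_save() in the backtrace it trusts ds, so a NULL ds is a SIGSEGV. */
static int ppm_save(char *buf, size_t len, const DisplaySurface *ds) {
    int n = snprintf(buf, len, "P6\n%d %d\n255\n", ds->width, ds->height);
    size_t bytes = (size_t)ds->width * ds->height * 3;
    if (n < 0 || (size_t)n + bytes > len) return -1;
    memcpy(buf + n, ds->rgb, bytes);
    return n + (int)bytes;
}

/* Hardened screendump: validate the head index and the surface before
 * ppm_save() ever sees the pointer. Returns bytes written, or -1 with
 * *err set, so the QMP caller gets an error reply instead of a dead qemu. */
int screendump(int head, char *buf, size_t len, const char **err) {
    if (head < 0 || head >= MAX_HEADS) { *err = "invalid head"; return -1; }
    DisplaySurface *ds = consoles[head].surface;
    if (ds == NULL) { *err = "no surface"; return -1; }  /* the missing check */
    *err = NULL;
    return ppm_save(buf, len, ds);
}
```

Note that the crashing path is reached through the QMP monitor (`qmp_screendump` in the backtrace), i.e. by the management side, so the impact is a management-triggered loss of the guest rather than anything the guest itself can cause.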

Comment 5 Danilo de Paula 2019-08-15 23:53:11 UTC
QA_ACK, please?

Comment 8 Guo, Zhiyi 2019-08-21 10:03:29 UTC
Reproduced this issue against qemu-kvm-2.12.0-84.module+el8.1.0+3980+a02d9447.x86_64

Steps:
1. Start the VM with qemu options:
...-device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=org.qemu.guest_agent.0 -chardev spicevmc,id=charchannel1,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=2,chardev=charchannel1,id=channel1,name=com.redhat.spice.0 -device usb-tablet,id=input0,bus=usb.0,port=1 -spice port=5900,addr=0.0.0.0,disable-ticketing,image-compression=off,seamless-migration=on -device virtio-vga,id=video0,max_outputs=4,bus=pcie.0,addr=0x1 ...

2. Try to screenshot head 1 via QMP:
{ "execute": "screendump", "arguments": { "filename": "/tmp/screen.png", "device": "video0", "head": 1 } }


Result:
qemu coredumps

Verified this issue against qemu-kvm-2.12.0-85.module+el8.1.0+4010+d6842f29.x86_64; no qemu-kvm coredump happens when trying to screenshot heads 1-3.

Comment 9 Guo, Zhiyi 2019-08-21 10:04:00 UTC
Verified per comment 8

Comment 11 errata-xmlrpc 2019-11-05 20:48:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3345

