Bug 2042820 - qemu crash when try to copy and paste contents from client to VM
Summary: qemu crash when try to copy and paste contents from client to VM
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: qemu-kvm
Version: 9.0
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assignee: Gerd Hoffmann
QA Contact: Guo, Zhiyi
URL:
Whiteboard:
Depends On:
Blocks: 1874926
Reported: 2022-01-20 08:16 UTC by Guo, Zhiyi
Modified: 2022-05-17 12:32 UTC (History)

Fixed In Version: qemu-kvm-6.2.0-10.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-17 12:25:11 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
Gitlab: redhat/centos-stream/src qemu-kvm merge_requests 75 (last updated 2022-02-23 12:11:50 UTC)
Red Hat Issue Tracker: RHELPLAN-108882 (last updated 2022-01-20 08:24:10 UTC)
Red Hat Product Errata: RHBA-2022:2307 (last updated 2022-05-17 12:25:55 UTC)

Description Guo, Zhiyi 2022-01-20 08:16:23 UTC
Description of problem:
qemu crashes when trying to copy and paste contents from client to VM

Version-Release number of selected component (if applicable):
qemu-kvm-6.2.0-4.el9.x86_64
kernel-5.14.0-42.el9.x86_64
tigervnc-1.11.0-9.el8.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Boot a RHEL 9 VM with the following qemu command line:
/usr/libexec/qemu-kvm \
-S \
-name guest=rhel9GA-qemu-vdagent,debug-threads=on \
-machine pc-q35-rhel8.5.0,usb=off,dump-guest-core=off,memory-backend=pc.ram \
-accel kvm \
-cpu Cascadelake-Server,ss=on,vmx=on,pdcm=on,hypervisor=on,tsc-adjust=on,umip=on,pku=on,md-clear=on,stibp=on,arch-capabilities=on,xsaves=on,ibpb=on,ibrs=on,amd-stibp=on,amd-ssbd=on,rdctl-no=on,ibrs-all=on,skip-l1dfl-vmentry=on,mds-no=on,pschange-mc-no=on,tsx-ctrl=on,hle=off,rtm=off \
-m 8192 \
-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":8589934592}' \
-overcommit mem-lock=off \
-smp 2,sockets=1,dies=1,cores=1,threads=2 \
-uuid e4a61f53-d23f-4fc7-a648-d24798509e48 \
-no-user-config \
-nodefaults \
-rtc base=utc,driftfix=slew \
-global kvm-pit.lost_tick_policy=delay \
-no-hpet \
-no-shutdown \
-global ICH9-LPC.disable_s3=1 \
-global ICH9-LPC.disable_s4=1 \
-boot strict=on \
-device pcie-root-port,port=16,chassis=1,id=pci.1,bus=pcie.0,multifunction=on,addr=0x2 \
-device pcie-root-port,port=17,chassis=2,id=pci.2,bus=pcie.0,addr=0x2.0x1 \
-device pcie-root-port,port=18,chassis=3,id=pci.3,bus=pcie.0,addr=0x2.0x2 \
-device pcie-root-port,port=19,chassis=4,id=pci.4,bus=pcie.0,addr=0x2.0x3 \
-device ich9-usb-ehci1,id=usb,bus=pcie.0,addr=0x1d.0x7 \
-device ich9-usb-uhci1,masterbus=usb.0,firstport=0,bus=pcie.0,multifunction=on,addr=0x1d \
-device ich9-usb-uhci2,masterbus=usb.0,firstport=2,bus=pcie.0,addr=0x1d.0x1 \
-device ich9-usb-uhci3,masterbus=usb.0,firstport=4,bus=pcie.0,addr=0x1d.0x2 \
-device virtio-scsi-pci,id=scsi0,bus=pci.2,addr=0x0 \
-blockdev '{"driver":"file","filename":"/home/rhel9GA-qemu-vdagent.qcow2","node-name":"libvirt-1-storage","cache":{"direct":true,"no-flush":false},"auto-read-only":true,"discard":"unmap"}' \
-blockdev '{"node-name":"libvirt-1-format","read-only":false,"cache":{"direct":true,"no-flush":false},"driver":"raw","file":"libvirt-1-storage"}' \
-device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,device_id=drive-scsi0-0-0-0,drive=libvirt-1-format,id=scsi0-0-0-0,bootindex=1,write-cache=on \
-device usb-tablet,id=input0,bus=usb.0,port=1 \
-audiodev '{"id":"audio1","driver":"none"}' \
-vnc 0.0.0.0:0,audiodev=audio1 \
-device virtio-vga,id=video0,max_outputs=1,bus=pcie.0,addr=0x1 \
-device virtio-balloon-pci,id=balloon0,bus=pci.3,addr=0x0 \
-device virtio-serial-pci \
-device virtserialport,chardev=ch1,id=ch1,name=com.redhat.spice.0 \
-chardev qemu-vdagent,id=ch1,name=vdagent,clipboard=on \
-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
-monitor stdio \

2. Connect vncviewer to the VM
3. On the client, open a file with gedit, type "Français" and copy the content. In the VM, create an empty file called French.txt, open it with gedit and paste the content

Actual results:
After step 3, two different crashes are hit:

1: free(): double free detected in tcache 2
--Type <RET> for more, q to quit, c to continue without paging--

Thread 1 "qemu-kvm" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff67a2ec0 (LWP 19741)]
0x00007ffff78017fc in __pthread_kill_implementation () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff78017fc in __pthread_kill_implementation () from /lib64/libc.so.6
#1  0x00007ffff77b4676 in raise () from /lib64/libc.so.6
#2  0x00007ffff779e7d3 in abort () from /lib64/libc.so.6
#3  0x00007ffff77f59d7 in __libc_message () from /lib64/libc.so.6
#4  0x00007ffff780b7ec in malloc_printerr () from /lib64/libc.so.6
#5  0x00007ffff780d70f in _int_free () from /lib64/libc.so.6
#6  0x00007ffff780fb75 in free () from /lib64/libc.so.6
#7  0x00007ffff7ad8ccd in g_free () from /lib64/libglib-2.0.so.0
#8  0x00005555558ee298 in qemu_clipboard_update (info=0x5555569459d0) at ../ui/clipboard.c:54
#9  vnc_client_cut_text_ext (vs=<optimized out>, len=<optimized out>, flags=<optimized out>, data=<optimized out>)
    at ../ui/vnc-clipboard.c:256
#10 0x00005555558ce46b in protocol_client_msg (vs=0x555557049000, data=<optimized out>, len=12) at ../ui/vnc.c:2459
#11 0x00005555558cbb2c in vnc_client_io (ioc=<optimized out>, condition=G_IO_IN, opaque=0x555557049000)
    at ../ui/vnc.c:1621
#12 0x00007ffff7ad3f6f in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#13 0x0000555555eddbc3 in main_loop_wait (nonblocking=<optimized out>) at ../util/main-loop.c:232
#14 0x0000555555b57d57 in qemu_main_loop () at ../softmmu/runstate.c:726
#15 0x00005555558b06f2 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>)
    at ../softmmu/main.c:50

2: malloc_consolidate(): unaligned fastbin chunk detected
Thread 1 "qemu-kvm" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff67a2ec0 (LWP 19939)]
0x00007ffff78017fc in __pthread_kill_implementation () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff78017fc in __pthread_kill_implementation () from /lib64/libc.so.6
#1  0x00007ffff77b4676 in raise () from /lib64/libc.so.6
#2  0x00007ffff779e7d3 in abort () from /lib64/libc.so.6
#3  0x00007ffff77f59d7 in __libc_message () from /lib64/libc.so.6
#4  0x00007ffff780b7ec in malloc_printerr () from /lib64/libc.so.6
#5  0x00007ffff780c55c in malloc_consolidate () from /lib64/libc.so.6
#6  0x00007ffff780e138 in _int_malloc () from /lib64/libc.so.6
#7  0x00007ffff780f649 in malloc () from /lib64/libc.so.6
#8  0x00007ffff7ecd2c9 in deflateInit2_ () from /lib64/libz.so.1
#9  0x00007ffff7ecd4f2 in deflateInit_ () from /lib64/libz.so.1
#10 0x00005555558ee543 in vnc_clipboard_provide (vs=0x555557049000, info=<optimized out>, 
    type=QEMU_CLIPBOARD_TYPE_TEXT) at ../ui/vnc-clipboard.c:97
#11 0x00005555558eec9c in vnc_clipboard_notify (notifier=<optimized out>, data=0x555556dac650)
    at ../ui/vnc-clipboard.c:221
#12 0x00005555558bb289 in qemu_clipboard_set_data (peer=<optimized out>, info=0x555556dac650, 
    type=<optimized out>, size=2, data=0x55555740731c, update=true) at ../util/notify.c:39
#13 0x00005555558c7fd3 in vdagent_chr_recv_msg (vd=<optimized out>, msg=<optimized out>) at ../ui/vdagent.c:544
#14 0x00005555558c7a8b in vdagent_chr_write (chr=0x55555673c610, buf=<optimized out>, len=0) at ../ui/vdagent.c:698
#15 0x0000555555d9ae21 in qemu_chr_write_buffer (s=0x55555673c610, buf=0x7ffe91f03ac0 "\001", len=38, 
    offset=0x7ffff679fd74, write_all=<optimized out>) at ../chardev/char.c:121
#16 0x0000555555d9abb4 in qemu_chr_write (s=0x55555673c610, buf=0x7ffe91f03ac0 "\001", len=38, 
    write_all=<optimized out>) at ../chardev/char.c:173
#17 0x00005555559b2f2c in qemu_chr_fe_write (buf=0x4de3 <error: Cannot access memory at address 0x4de3>, len=38, 
    be=<optimized out>) at ../chardev/char-fe.c:42
#18 flush_buf (port=0x555556de82c0, buf=0x4de3 <error: Cannot access memory at address 0x4de3>, len=38)
    at ../hw/char/virtio-console.c:63
#19 0x0000555555b9af5b in do_flush_queued_data (port=0x555556de82c0, vq=0x7fffefe5b330, vdev=0x5555578ab850)
    at ../hw/char/virtio-serial-bus.c:188
#20 0x0000555555bd6372 in virtio_queue_host_notifier_read (n=<optimized out>) at ../hw/virtio/virtio.c:2331
#21 0x0000555555eb6e5f in aio_dispatch_handler (ctx=0x5555565e21c0, node=0x7ffde10ffdd0) at ../util/aio-posix.c:329
#22 0x0000555555eb6d0c in aio_dispatch_handlers (ctx=0x5555565e21c0) at ../util/aio-posix.c:372
#23 aio_dispatch (ctx=0x5555565e21c0) at ../util/aio-posix.c:382
#24 0x0000555555ed0f02 in aio_ctx_dispatch (source=0x4de3, callback=0x4de3, user_data=0x6) at ../util/async.c:311
#25 0x00007ffff7ad3f6f in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#26 0x0000555555eddbc3 in main_loop_wait (nonblocking=<optimized out>) at ../util/main-loop.c:232
#27 0x0000555555b57d57 in qemu_main_loop () at ../softmmu/runstate.c:726
#28 0x00005555558b06f2 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>)
    at ../softmmu/main.c:50

Expected results:
No qemu crash happens

Additional info:
Seems no other kinds of crashes are found here...

Comment 1 Guo, Zhiyi 2022-01-20 08:56:16 UTC
Update, for crash message "malloc_consolidate(): unaligned fastbin chunk detected", the correct reproducer:
Inside VM, select some characters and then qemu will crash

Comment 2 Guo, Zhiyi 2022-01-20 09:07:17 UTC
For crash message "free(): double free detected in tcache 2", a simple reproducer:
1. Copy some characters from the client
2. Inside the VM, open a terminal and paste them twice.

With this reproducer, a crash with the following stack can also be hit:
corrupted double-linked list
--Type <RET> for more, q to quit, c to continue without paging--

Thread 1 "qemu-kvm" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff67a2ec0 (LWP 20283)]
0x00007ffff78017fc in __pthread_kill_implementation () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff78017fc in __pthread_kill_implementation () from /lib64/libc.so.6
#1  0x00007ffff77b4676 in raise () from /lib64/libc.so.6
#2  0x00007ffff779e7d3 in abort () from /lib64/libc.so.6
#3  0x00007ffff77f59d7 in __libc_message () from /lib64/libc.so.6
#4  0x00007ffff780b7ec in malloc_printerr () from /lib64/libc.so.6
#5  0x00007ffff780c39c in unlink_chunk.constprop () from /lib64/libc.so.6
#6  0x00007ffff780eb59 in _int_malloc () from /lib64/libc.so.6
#7  0x00007ffff780f0aa in _int_realloc () from /lib64/libc.so.6
#8  0x00007ffff780fe4b in realloc () from /lib64/libc.so.6
#9  0x00007ffff7adca20 in g_realloc () from /lib64/libglib-2.0.so.0
#10 0x00005555558ee2dd in vnc_client_cut_text_ext (vs=0x555557049000, len=<optimized out>, flags=268435457, 
    data=<optimized out>) at ../ui/vnc-clipboard.c:61
#11 0x00005555558ce46b in protocol_client_msg (vs=0x555557049000, data=<optimized out>, len=43) at ../ui/vnc.c:2459
#12 0x00005555558cbb2c in vnc_client_io (ioc=<optimized out>, condition=G_IO_IN, opaque=0x555557049000)
    at ../ui/vnc.c:1621
#13 0x00007ffff7ad3f6f in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#14 0x0000555555eddbc3 in main_loop_wait (nonblocking=<optimized out>) at ../util/main-loop.c:232
#15 0x0000555555b57d57 in qemu_main_loop () at ../softmmu/runstate.c:726
#16 0x00005555558b06f2 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>)
    at ../softmmu/main.c:50

Comment 4 Guo, Zhiyi 2022-01-20 09:47:15 UTC
(In reply to Guo, Zhiyi from comment #1)
> Update, for crash message "malloc_consolidate(): unaligned fastbin chunk
> detected", the correct reproducer:
> Inside VM, select some characters and then qemu will crash

Another simple method to trigger this crash is to copy a large number of characters (I'm using 11K 'A' characters) from the client to the VM

Comment 6 Gerd Hoffmann 2022-02-04 06:43:44 UTC
Doesn't reproduce upstream.  So probably the downstream-only commit
8df1ea81ee6c674522967d056daa8d3748fa3883 is broken.

Trying to revert and cherry-pick two upstream clipboard fixes instead.

https://gitlab.com/kraxel/centos-qemu-kvm/-/commits/bz2042820-vnc-cut-paste-crash/
https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=42796819

Comment 7 Guo, Zhiyi 2022-02-07 07:32:47 UTC
(In reply to Gerd Hoffmann from comment #6)
> Doesn't reproduce upstream.  So probably the downstream-only commit
> 8df1ea81ee6c674522967d056daa8d3748fa3883 is broken.
> 
> Trying to revert and cherry-pick two upstream clipboard fixes instead.
> 
> https://gitlab.com/kraxel/centos-qemu-kvm/-/commits/bz2042820-vnc-cut-paste-crash/
> https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=42796819

Original issues addressed by comments 0, 1, 2 and 4 have indeed been fixed.

Comment 8 Guo, Zhiyi 2022-02-07 09:24:28 UTC
(In reply to Guo, Zhiyi from comment #7)
> (In reply to Gerd Hoffmann from comment #6)
> > Doesn't reproduce upstream.  So probably the downstream-only commit
> > 8df1ea81ee6c674522967d056daa8d3748fa3883 is broken.
> > 
> > Trying to revert and cherry-pick two upstream clipboard fixes instead.
> > 
> > https://gitlab.com/kraxel/centos-qemu-kvm/-/commits/bz2042820-vnc-cut-paste-crash/
> > https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=42796819
> 
> Original issues addressed by comments 0, 1, 2 and 4 have indeed been fixed.

Found another issue with the scratch build.

Steps:
1. Boot a RHEL 9 VM using the same qemu cli as comment 0 and connect vncviewer to the qemu VNC port
2. Copy some characters from the client side and then close vncviewer
3. Try to re-connect vncviewer to the qemu VNC port

Result:
After step 3, vncviewer cannot re-connect to the qemu VNC port.

Additional problem:
When the issue is happening, I cannot reboot/reset/shutdown the VM.

Gerd, do we need a new bug to track this issue (I haven't checked whether this issue can be reproduced on upstream or not)?

Zhiyi

Comment 9 John Snow 2022-02-07 18:08:51 UTC
(In reply to Gerd Hoffmann from comment #6)
> Doesn't reproduce upstream.  So probably the downstream-only commit
> 8df1ea81ee6c674522967d056daa8d3748fa3883 is broken.
> 
> Trying to revert and cherry-pick two upstream clipboard fixes instead.
> 
> https://gitlab.com/kraxel/centos-qemu-kvm/-/commits/bz2042820-vnc-cut-paste-crash/
> https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=42796819

Oh, I didn't realize that one went in downstream. We never took it upstream. Sorry about that. I need to refresh the upstream version.

--js

Comment 10 Klaus Heinrich Kiwi 2022-02-09 12:36:24 UTC
(In reply to John Snow from comment #9)
> (In reply to Gerd Hoffmann from comment #6)
> > Doesn't reproduce upstream.  So probably the downstream-only commit
> > 8df1ea81ee6c674522967d056daa8d3748fa3883 is broken.
> > 
> > Trying to revert and cherry-pick two upstream clipboard fixes instead.
> > 
> > https://gitlab.com/kraxel/centos-qemu-kvm/-/commits/bz2042820-vnc-cut-paste-crash/
> > https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=42796819
> 
> Oh, I didn't realize that one went in downstream. We never took it upstream.
> Sorry about that. I need to refresh the upstream version.
> 
> --js

I couldn't follow if there's an action for Gerd here. I.e., is the solution clear and are we able to progress even with Gerd out this week, or does the (new) bug need to be debugged/root-caused?

Thanks,

Comment 11 John Snow 2022-02-09 19:47:15 UTC
A different fix went in upstream, I mailed Mirek about it.

commit 70a54b01693eda3c61814b05d699aba41015ac48
Author: Daniel P. Berrangé <berrange>
Date:   Wed Jan 5 13:49:36 2022 +0000

    ui: avoid compiler warnings from unused clipboard info variable


You'll want to take out my bad fix and replace it with this good fix.

--js

Comment 12 Klaus Heinrich Kiwi 2022-02-09 19:54:04 UTC
Thanks John, I'll reassign to Mirek then, in case he can get to this this week. Otherwise we can put it back on Gerd's queue next week.

 -Klaus

Comment 13 Gerd Hoffmann 2022-02-14 12:39:52 UTC
> Found another issue with the scratch build.
> 
> Steps:
> 1. Boot a RHEL 9 VM using the same qemu cli as comment 0 and connect vncviewer
> to the qemu VNC port
> 2. Copy some characters from the client side and then close vncviewer
> 3. Try to re-connect vncviewer to the qemu VNC port

Any change with http://brew-task-repos.usersys.redhat.com/repos/scratch/ghoffman/qemu-kvm/6.2.0/7.el9.bz2042820.3/ ?

(new scratch build dropped one unrelated patch, branch is now this):

kraxel@sirius ~/rhel/9/qemu-kvm (bz2042820-vnc-cut-paste-crash)# git log --oneline c9s..
6a7982a0bab8 (HEAD -> bz2042820-vnc-cut-paste-crash, gitlab.kraxel.centos/bz2042820-vnc-cut-paste-crash) ui: avoid compiler warnings from unused clipboard info variable
0937d15054ad Revert "ui/clipboard: Don't use g_autoptr just to free a variable"

Comment 14 Gerd Hoffmann 2022-02-14 12:43:05 UTC
Just in: https://patchwork.ozlabs.org/project/qemu-devel/patch/20220214115917.1679568-1-marcandre.lureau@redhat.com/
Guess that calls for a new scratch build ...

Comment 15 Gerd Hoffmann 2022-02-14 13:37:39 UTC
> Guess that calls for a new scratch build ...

And here we go: http://brew-task-repos.usersys.redhat.com/repos/scratch/ghoffman/qemu-kvm/6.2.0/7.el9.bz2042820.4/

Comment 16 Guo, Zhiyi 2022-02-15 16:06:14 UTC
(In reply to Gerd Hoffmann from comment #15)
> > Guess that calls for a new scratch build ...
> 
> And here we go:
> http://brew-task-repos.usersys.redhat.com/repos/scratch/ghoffman/qemu-kvm/6.2.0/7.el9.bz2042820.4/

Issue is still there with qemu-kvm-6.2.0-7.el9.bz2042820.4.x86_64...

Comment 17 Guo, Zhiyi 2022-02-16 07:16:21 UTC
(In reply to Guo, Zhiyi from comment #16)
> (In reply to Gerd Hoffmann from comment #15)
> > > Guess that calls for a new scratch build ...
> > 
> > And here we go:
> > http://brew-task-repos.usersys.redhat.com/repos/scratch/ghoffman/qemu-kvm/6.2.0/7.el9.bz2042820.4/
> 
> Issue is still there with qemu-kvm-6.2.0-7.el9.bz2042820.4.x86_64...

I have tested same scenario against upstream qemu and cannot reproduce this issue

Comment 18 Gerd Hoffmann 2022-02-16 09:32:37 UTC
Marc, you've looked at the clipboard upstream recently; does the behavior (see comment #8) ring a bell?
Can you take over the bug?
Failing that, any suggestions what to cherry-pick?
Thanks.

Comment 19 Marc-Andre Lureau 2022-02-16 10:10:18 UTC
The qemu-kvm patch is wrong: 0001-ui-clipboard-Don-t-use-g_autoptr-just-to-free-a-vari.patch

The upstream commit 70a54b01693eda3c61814b05d699aba41015ac48 ("ui: avoid compiler warnings from unused clipboard info variable") isn't much better either.

You need the following fix I sent a few days ago: [PATCH] ui/clipboard: fix use-after-free regression
https://patchew.org/QEMU/20220214115917.1679568-1-marcandre.lureau@redhat.com/

Miroslav, can you update the package patches?

Comment 20 Guo, Zhiyi 2022-02-16 10:21:15 UTC
(In reply to Marc-Andre Lureau from comment #19)
> The qemu-kvm patch is wrong:
> 0001-ui-clipboard-Don-t-use-g_autoptr-just-to-free-a-vari.patch
> 
> The upstream commit 70a54b01693eda3c61814b05d699aba41015ac48 ("ui: avoid
> compiler warnings from unused clipboard info variable"), isn't much better
> either.
> 
> You need the following fix I sent a few days ago: [PATCH] ui/clipboard: fix
> use-after-free regression
> https://patchew.org/QEMU/20220214115917.1679568-1-marcandre.lureau@redhat.com/
> 
> Miroslav, can you update the package patches?

Hmm, Gerd has already created a scratch build with this patch but it cannot solve the issue addressed by comment 8

Comment 21 Gerd Hoffmann 2022-02-16 10:46:26 UTC
> > Miroslav, can you update the package patches?
> 
> Hmm, Gerd has already created a scratch build with this patch but it
> cannot solve the issue addressed by comment 8

https://gitlab.com/kraxel/centos-qemu-kvm/-/commits/bz2042820-vnc-cut-paste-crash/

git branch for the latest scratch build, with exactly those three changes (revert, 70a54b01693eda3c61814b05d699aba41015ac48 with conflicts resolved, additional fix posted yesterday).

Comment 22 Marc-Andre Lureau 2022-02-16 10:49:28 UTC
(In reply to Guo, Zhiyi from comment #20)
> > Miroslav, can you update the package patches?
> 
> Hmm, Gerd has already created a scratch build with this patch but it
> cannot solve the issue addressed by comment 8

My bad, I didn't study the current situation enough.

I cannot reproduce the behaviour described in comment 8 on Fedora.

I suggest we open a different bug for it. @

Comment 23 Marc-Andre Lureau 2022-02-16 10:51:10 UTC
> When the issue is happening, I cannot reboot/reset/shutdown the VM.

@zhguo you could perhaps check if qemu is stuck by attaching gdb and producing a backtrace?

Comment 24 Guo, Zhiyi 2022-02-16 12:21:04 UTC
(In reply to Marc-Andre Lureau from comment #23)
> > When the issue is happening, I cannot reboot/reset/shutdown the VM.
> 
> @zhguo you could perhaps check if qemu is stuck by attaching gdb
> and producing a backtrace?

backtrace:
(gdb) bt
#0  0x00007ffff780b450 in __lll_lock_wait () from /lib64/libc.so.6
#1  0x00007ffff7811b12 in pthread_mutex_lock@@GLIBC_2.2.5 () from /lib64/libc.so.6
#2  0x0000555555ebaeff in qemu_mutex_lock_impl (mutex=0x555556e53fe8, file=0x555555f0ce72 "../ui/vnc-jobs.h", line=60)
    at ../util/qemu-thread-posix.c:80
#3  0x00005555558ee8d8 in vnc_lock_output (vs=0x555556e47e50) at ../ui/vnc-jobs.h:60
#4  vnc_clipboard_send (vs=0x555556e47e50, count=1, dwords=0x7ffff678cf74) at ../ui/vnc-clipboard.c:138
#5  0x00005555558eeafc in vnc_clipboard_notify (notifier=<optimized out>, data=0x55555665e520)
    at ../ui/vnc-clipboard.c:209
#6  0x00005555558bafc9 in notifier_list_notify (data=0x55555665e520, list=<optimized out>) at ../util/notify.c:39
#7  qemu_clipboard_update (info=0x55555665e520) at ../ui/clipboard.c:49
#8  0x00005555558baf03 in qemu_clipboard_peer_release (peer=<optimized out>, 
    selection=QEMU_CLIPBOARD_SELECTION_CLIPBOARD) at ../ui/clipboard.c:41
#9  0x00005555558cc16a in qemu_clipboard_peer_unregister (peer=0x555556e58140) at ../ui/clipboard.c:19
#10 vnc_disconnect_finish (vs=0x555556e47e50) at ../ui/vnc.c:1358
#11 0x00005555558cbab3 in vnc_client_io (ioc=<optimized out>, condition=G_IO_IN, opaque=0x555556e47e50)
    at ../ui/vnc.c:1610
#12 0x00007ffff7acbd4f in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
#13 0x0000555555eddec3 in main_loop_wait (nonblocking=<optimized out>) at ../util/main-loop.c:232
#14 0x0000555555b58057 in qemu_main_loop () at ../softmmu/runstate.c:726
#15 0x00005555558b06f2 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>)
    at ../softmmu/main.c:50
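
As an added illustration (an example written for this page, not QEMU's code and not the fix from comment 25): the backtrace above shows the teardown path vnc_disconnect_finish -> qemu_clipboard_peer_unregister -> qemu_clipboard_update -> vnc_clipboard_notify -> vnc_clipboard_send -> vnc_lock_output blocking in pthread_mutex_lock. The model below assumes one way a trace of this shape arises, a non-recursive output lock that the teardown path already holds when the update fans out to every peer including the leaving one, and shows how an owner-tracking lock turns that hang into a reported EDEADLK and how reordering the teardown avoids it. All names ending in _model, _buggy and _fixed are hypothetical.

```c
#include <errno.h>
#include <stdbool.h>

/* Constructed model, not QEMU code. The output lock records its holder, so a
 * second acquisition by the same holder returns EDEADLK instead of blocking
 * in pthread_mutex_lock the way frame #1 of the backtrace above does. */
typedef struct { int holder; } OutputLock;        /* holder 0 = unlocked */

static int output_lock(OutputLock *l, int holder)
{
    if (l->holder == holder) return EDEADLK;       /* re-entrant: would hang */
    if (l->holder != 0)      return EBUSY;         /* held by another peer */
    l->holder = holder;
    return 0;
}
static void output_unlock(OutputLock *l) { l->holder = 0; }

typedef struct {                /* one VNC client, a clipboard "peer" */
    int id;
    OutputLock output;
    bool registered;            /* still on the clipboard's notifier list */
    int notified;               /* clipboard updates that reached this client */
} VncPeer;

/* vnc_clipboard_notify -> vnc_clipboard_send -> vnc_lock_output, modelled:
 * the update is sent to a client under that client's own output lock. */
static int vnc_clipboard_notify_model(VncPeer *p)
{
    int rc = output_lock(&p->output, p->id);
    if (rc != 0) return rc;
    p->notified++;              /* the clipboard message would be queued here */
    output_unlock(&p->output);
    return 0;
}

/* qemu_clipboard_update, modelled: every registered peer is notified.
 * Returns the first lock error any notifier reported, 0 if none. */
static int clipboard_update_model(VncPeer **peers, int n)
{
    int first_error = 0;
    for (int i = 0; i < n; i++) {
        if (!peers[i]->registered) continue;
        int rc = vnc_clipboard_notify_model(peers[i]);
        if (rc != 0 && first_error == 0) first_error = rc;
    }
    return first_error;
}

/* Assumed faulty teardown order: the leaving peer's selection is released,
 * notifying every peer including the leaving one, while that peer's own
 * output lock is still held. EDEADLK here is the hang in vnc_lock_output. */
static int disconnect_finish_buggy(VncPeer **peers, int n, VncPeer *p)
{
    output_lock(&p->output, p->id);
    int rc = clipboard_update_model(peers, n);    /* re-enters p->output */
    p->registered = false;
    output_unlock(&p->output);
    return rc;
}

/* Corrected order: take the peer off the notifier list and drop its lock
 * first, then release the selection so only the remaining peers are told. */
static int disconnect_finish_fixed(VncPeer **peers, int n, VncPeer *p)
{
    output_lock(&p->output, p->id);
    p->registered = false;
    output_unlock(&p->output);
    return clipboard_update_model(peers, n);      /* p is skipped now */
}

/* Two clients, the first disconnects: returns the teardown's error code and
 * stores in *other_notified how often the second client was updated. */
static int run_disconnect(int (*finish)(VncPeer **, int, VncPeer *), int *other_notified)
{
    VncPeer a = { .id = 1, .registered = true }, b = { .id = 2, .registered = true };
    VncPeer *peers[2] = { &a, &b };
    int rc = finish(peers, 2, &a);
    *other_notified = b.notified;
    return rc;
}
```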

Comment 25 Marc-Andre Lureau 2022-02-16 13:17:30 UTC
commit 1dbbe6f172810026c51dc84ed927a3cc23017949
https://gitlab.com/qemu-project/qemu/-/commit/1dbbe6f172810026c51dc84ed927a3cc23017949

Miroslav, can you pick this as well? Or should we open a new bug?

Comment 26 Gerd Hoffmann 2022-02-16 13:34:53 UTC
(In reply to Marc-Andre Lureau from comment #25)
> commit 1dbbe6f172810026c51dc84ed927a3cc23017949
> https://gitlab.com/qemu-project/qemu/-/commit/1dbbe6f172810026c51dc84ed927a3cc23017949

cherry-picked, new scratch build is in progress.

Comment 27 Guo, Zhiyi 2022-02-16 13:40:38 UTC
(In reply to Marc-Andre Lureau from comment #22)
> (In reply to Guo, Zhiyi from comment #20)
> > > Miroslav, can you update the package patches?
> > 
> > Hmm, Gerd has already created a scratch build with this patch but it
> > cannot solve the issue addressed by comment 8
> 
> My bad, I didn't study the current situation enough.
> 
> I cannot reproduce the behaviour described in comment 8 on Fedora.
> 
> I suggest we open a different bug for it. @

Should we still report a new bug to track the deadlock fix or use this bug to track all of the fixes related to the VNC clipboard? It seems either way is fine here.

Comment 28 Gerd Hoffmann 2022-02-16 14:41:19 UTC
https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=43113252
[ ... no repo yet, aarch64 still building atm ... ]

> Should we still report a new bug to track the deadlock fix or use this bug
> to track all of the fixes related to the VNC clipboard? It seems either way is
> fine here.

Using this bug is fine.  When the tests pass I'll submit a pull req with all fixes tomorrow.

Comment 30 Guo, Zhiyi 2022-02-17 03:13:50 UTC
(In reply to Gerd Hoffmann from comment #29)
> http://brew-task-repos.usersys.redhat.com/repos/scratch/ghoffman/qemu-kvm/6.2.0/7.el9.bz2042820.5/

All of the issues are gone with this scratch build!

Comment 35 Yanan Fu 2022-02-25 03:54:30 UTC
QE bot(pre verify): Set 'Verified:Tested,SanityOnly' as gating/tier1 test pass.

Comment 38 Guo, Zhiyi 2022-02-28 10:49:12 UTC
Tested against qemu-kvm-6.2.0-10.el9.x86_64; all issues are fixed. Both a RHEL 9 VM and a Windows 10 VM were tested.

Comment 40 errata-xmlrpc 2022-05-17 12:25:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: qemu-kvm), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2307

