Bug 2136797 - qemu crash when taking screenshot with png format
Summary: qemu crash when taking screenshot with png format
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: qemu-kvm
Version: 9.2
Hardware: x86_64
OS: All
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Gerd Hoffmann
QA Contact: Guo, Zhiyi
URL:
Whiteboard:
Depends On: 2135806
Blocks:
Reported: 2022-10-21 11:13 UTC by Guo, Zhiyi
Modified: 2023-05-09 07:50 UTC (History)
CC List: 8 users

Fixed In Version: qemu-kvm-7.2.0-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-09 07:20:41 UTC
Type: ---
Target Upstream Version:
Embargoed:


Links:
Red Hat Issue Tracker RHELPLAN-137280 (last updated 2022-10-21 11:53:16 UTC)
Red Hat Product Errata RHSA-2023:2162 (last updated 2023-05-09 07:22:20 UTC)

Description Guo, Zhiyi 2022-10-21 11:13:38 UTC
Description of problem:
qemu crash when taking screenshot with png format

Version-Release number of selected component (if applicable):
qemu-kvm-7.1.0-3.el9.x86_64
kernel-5.14.0-176.el9.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Boot a VM with qemu cli:
/usr/libexec/qemu-kvm \
-name guest=win-tmp,debug-threads=on \
-machine pc-q35-rhel9.0.0,usb=off,dump-guest-core=off,memory-backend=pc.ram \
-accel kvm \
-cpu Broadwell-IBRS,vme=on,ss=on,vmx=on,pdcm=on,f16c=on,rdrand=on,hypervisor=on,arat=on,tsc-adjust=on,umip=on,md-clear=on,stibp=on,arch-capabilities=on,ssbd=on,xsaveopt=on,pdpe1gb=on,abm=on,ibpb=on,ibrs=on,amd-stibp=on,amd-ssbd=on,skip-l1dfl-vmentry=on,pschange-mc-no=on,hv-time=on,hv-relaxed=on,hv-vapic=on,hv-spinlocks=0x1fff,hv-vpindex=on,hv-runtime=on,hv-synic=on,hv-stimer=on,hv-stimer-direct=on,hv-reset=on,hv-frequencies=on,hv-reenlightenment=on,hv-tlbflush=on,hv-ipi=on,hv-evmcs=on \
-m 8192 \
-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":8589934592}' \
-overcommit mem-lock=off \
-smp 4,sockets=1,dies=1,cores=4,threads=1 \
-uuid 77c895d1-4180-4d0d-aea4-01e04dede02d \
-no-user-config \
-nodefaults \
-rtc base=localtime,driftfix=slew \
-global kvm-pit.lost_tick_policy=delay \
-no-hpet \
-no-shutdown \
-global ICH9-LPC.disable_s3=1 \
-global ICH9-LPC.disable_s4=1 \
-boot strict=on \
-device '{"driver":"pcie-root-port","port":16,"chassis":1,"id":"pci.1","bus":"pcie.0","multifunction":true,"addr":"0x2"}' \
-device '{"driver":"pcie-root-port","port":17,"chassis":2,"id":"pci.2","bus":"pcie.0","addr":"0x2.0x1"}' \
-device '{"driver":"pcie-root-port","port":18,"chassis":3,"id":"pci.3","bus":"pcie.0","addr":"0x2.0x2"}' \
-device '{"driver":"pcie-root-port","port":19,"chassis":4,"id":"pci.4","bus":"pcie.0","addr":"0x2.0x3"}' \
-device '{"driver":"pcie-root-port","port":20,"chassis":5,"id":"pci.5","bus":"pcie.0","addr":"0x2.0x4"}' \
-device '{"driver":"pcie-root-port","port":21,"chassis":6,"id":"pci.6","bus":"pcie.0","addr":"0x2.0x5"}' \
-device '{"driver":"pcie-root-port","port":22,"chassis":7,"id":"pci.7","bus":"pcie.0","addr":"0x2.0x6"}' \
-device '{"driver":"pcie-root-port","port":23,"chassis":8,"id":"pci.8","bus":"pcie.0","addr":"0x2.0x7"}' \
-device '{"driver":"pcie-root-port","port":24,"chassis":9,"id":"pci.9","bus":"pcie.0","multifunction":true,"addr":"0x3"}' \
-device '{"driver":"pcie-root-port","port":25,"chassis":10,"id":"pci.10","bus":"pcie.0","addr":"0x3.0x1"}' \
-device '{"driver":"pcie-root-port","port":26,"chassis":11,"id":"pci.11","bus":"pcie.0","addr":"0x3.0x2"}' \
-device '{"driver":"pcie-root-port","port":27,"chassis":12,"id":"pci.12","bus":"pcie.0","addr":"0x3.0x3"}' \
-device '{"driver":"pcie-root-port","port":28,"chassis":13,"id":"pci.13","bus":"pcie.0","addr":"0x3.0x4"}' \
-device '{"driver":"pcie-root-port","port":29,"chassis":14,"id":"pci.14","bus":"pcie.0","addr":"0x3.0x5"}' \
-device '{"driver":"qemu-xhci","p2":15,"p3":15,"id":"usb","bus":"pci.2","addr":"0x0"}' \
-device '{"driver":"virtio-scsi-pci","id":"scsi0","bus":"pci.3","addr":"0x0"}' \
-blockdev '{"driver":"file","filename":"/home/win-tmp.qcow2","node-name":"libvirt-4-storage","cache":{"direct":true,"no-flush":false},"auto-read-only":true,"discard":"unmap"}' \
-blockdev '{"node-name":"libvirt-4-format","read-only":false,"discard":"unmap","cache":{"direct":true,"no-flush":false},"driver":"qcow2","file":"libvirt-4-storage","backing":null}' \
-device '{"driver":"scsi-hd","bus":"scsi0.0","channel":0,"scsi-id":0,"lun":0,"device_id":"drive-scsi0-0-0-0","drive":"libvirt-4-format","id":"scsi0-0-0-0","bootindex":1,"write-cache":"on"}' \
-device '{"driver":"ide-cd","bus":"ide.1","id":"sata0-0-1"}' \
-device '{"driver":"ide-cd","bus":"ide.2","id":"sata0-0-2"}' \
-device '{"driver":"ide-cd","bus":"ide.3","id":"sata0-0-3"}' \
-device '{"driver":"usb-tablet","id":"input0","bus":"usb.0","port":"1"}' \
-audiodev '{"id":"audio1","driver":"none"}' \
-vnc 0.0.0.0:0,audiodev=audio1 \
-device '{"driver":"VGA","id":"video0","vgamem_mb":16,"bus":"pcie.0","addr":"0x1"}' \
-qmp tcp:0.0.0.0:4444,server,nowait
2. Try to take a screenshot with png format:
{ "execute": "screendump", "arguments": { "filename": "/tmp/image", "format":"png" } }

Actual results:
qemu crash with log:
Thread 1 "qemu-kvm" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff6135f00 (LWP 3713)]
0x00007ffff716d4e9 in malloc () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff716d4e9 in malloc () from /lib64/libc.so.6
#1  0x00007ffff74241e9 in g_malloc () from /lib64/libglib-2.0.so.0
#2  0x0000555555ece6c0 in qemu_iovec_init_extended (qiov=0x7ffdc018fe00, head_buf=0x0, head_len=0, mid_qiov=<optimized out>, 
    mid_offset=<optimized out>, mid_len=65536, tail_buf=0x0, tail_len=0) at ../util/iov.c:451
#3  0x0000555555d208b2 in bdrv_driver_pwritev (bs=0x5555567f6110, offset=10338041856, bytes=65536, qiov=0x5, 
    qiov_offset=65536, flags=0) at ../util/iov.c:514
#4  0x0000555555d1fbac in bdrv_aligned_pwritev (child=0x555556802f50, req=0x7ffdc018ff68, offset=22894965138, bytes=65536, 
    align=<optimized out>, qiov=0x5, qiov_offset=65536, flags=<optimized out>) at ../block/io.c:2097
#5  0x0000555555d1e5c9 in bdrv_co_pwritev_part (child=0x555556802f50, offset=10338041856, bytes=65536, qiov=0x7ffdc018fe00, 
    qiov_offset=<optimized out>, flags=0) at ../block/io.c:2289
#6  0x0000555555d55781 in qcow2_co_pwritev_task (bs=0x5555567fd960, host_offset=22894965138, offset=10237247488, bytes=65536, 
    qiov=0x5, qiov_offset=0, l2meta=0x555557c61990) at ../block/qcow2.c:2573
#7  qcow2_co_pwritev_task_entry (task=<optimized out>) at ../block/qcow2.c:2603
#8  0x0000555555d00645 in aio_task_co (opaque=0x1f) at ../block/aio_task.c:45
#9  0x0000555555eca6f6 in coroutine_trampoline (i0=<optimized out>, i1=<optimized out>) at ../util/coroutine-ucontext.c:177
#10 0x00007ffff70e8360 in ?? () from /lib64/libc.so.6
#11 0x00007ffff6132980 in ?? ()
#12 0x0000000000000000 in ?? ()

Expected results:
No qemu crash happens

Additional info:
No qemu crash happens when taking a screenshot with ppm format
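The QMP exchange behind step 2, as an added example that is not part of the bug report: a minimal client that performs the QMP capabilities handshake and then issues the same `screendump` command against the `-qmp tcp:0.0.0.0:4444,server,nowait` endpoint from the command line above. The `readline`/`send` callables are an assumption of this example so the same logic can be driven from a TCP socket or from canned responses; an EOF on the socket is reported as a closed connection, which is what a client sees when qemu dies with the SIGSEGV shown in the backtrace.

```python
import json
import socket

# Added example, not code from the bug report: a small QMP client for the
# 'screendump' command used in step 2 of the reproducer.


def build_screendump(filename, fmt="png"):
    """Build the screendump command exactly as sent in the reproducer."""
    return {"execute": "screendump", "arguments": {"filename": filename, "format": fmt}}


class QmpClient:
    """Line-oriented QMP client over caller-supplied readline()/send() callables
    (an assumption of this example) so it runs over TCP or canned responses."""

    def __init__(self, readline, send):
        self.readline, self.send = readline, send
        greeting = self._read_message()
        if "QMP" not in greeting:
            raise RuntimeError("peer did not send a QMP greeting")
        self.version = greeting["QMP"].get("version", {})
        self.execute({"execute": "qmp_capabilities"})  # leave capabilities negotiation mode

    def _read_message(self):
        line = self.readline()
        if not line:  # EOF: qemu closed the socket, e.g. after the SIGSEGV in this bug
            raise ConnectionError("QMP connection closed by peer")
        return json.loads(line)

    def execute(self, cmd):
        """Send one command and return its 'return' payload, skipping async events."""
        self.send(json.dumps(cmd) + "\n")
        while True:
            msg = self._read_message()
            if "event" in msg:  # asynchronous events may interleave with replies
                continue
            if "error" in msg:
                raise RuntimeError("%s: %s" % (msg["error"].get("class"), msg["error"].get("desc")))
            return msg["return"]


def screendump_over_tcp(host, port, filename, fmt="png"):
    """Connect to qemu's QMP TCP server and request one screenshot."""
    with socket.create_connection((host, port)) as sock:
        reader = sock.makefile("r", encoding="utf-8")
        client = QmpClient(reader.readline, lambda s: sock.sendall(s.encode("utf-8")))
        return client.execute(build_screendump(filename, fmt))


if __name__ == "__main__":
    screendump_over_tcp("127.0.0.1", 4444, "/tmp/image", "png")
```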

Comment 1 Guo, Zhiyi 2022-10-21 11:24:54 UTC
I see there is an upstream fix "[PATCH v2] ui/console: fix three double frees in png_save()" which seems to address this issue. But I cannot reproduce the issue with the reproducer from https://gitlab.com/qemu-project/qemu/-/issues/1210.
Gerd, could you help to check this issue?

Zhiyi

Comment 2 John Ferlan 2022-10-22 11:57:31 UTC
If the above MR resolves the issue, then this bug can be moved to POST, set ITR=9.2.0 w/ DTM=15, dependent bug 2135806 (qemu rebase), and add 'resolved by qemu-7.2 commit ######' to the devel whiteboard....

Comment 4 Gerd Hoffmann 2022-11-09 17:59:22 UTC
reproduces on upstream 7.1.0
does not reproduce on upstream 7.2.0-rc0

So the patch referenced in comment 1 most likely fixes the problem and the rebase should pick up the fix.

Comment 6 Yanan Fu 2022-12-20 09:18:52 UTC
QE bot(pre verify): Set 'Verified:Tested,SanityOnly' as gating/tier1 test pass.

Comment 9 Guo, Zhiyi 2022-12-28 14:24:33 UTC
Tested against qemu-kvm-7.2.0-2.el9.x86_64; not able to reproduce this issue anymore, so marking this bug verified.

Comment 11 errata-xmlrpc 2023-05-09 07:20:41 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: qemu-kvm security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2162

