Description of problem:
qemu crash when taking screenshot with png format

Version-Release number of selected component (if applicable):
qemu-kvm-7.1.0-3.el9.x86_64
kernel-5.14.0-176.el9.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Boot a VM with qemu cli:
/usr/libexec/qemu-kvm \
-name guest=win-tmp,debug-threads=on \
-machine pc-q35-rhel9.0.0,usb=off,dump-guest-core=off,memory-backend=pc.ram \
-accel kvm \
-cpu Broadwell-IBRS,vme=on,ss=on,vmx=on,pdcm=on,f16c=on,rdrand=on,hypervisor=on,arat=on,tsc-adjust=on,umip=on,md-clear=on,stibp=on,arch-capabilities=on,ssbd=on,xsaveopt=on,pdpe1gb=on,abm=on,ibpb=on,ibrs=on,amd-stibp=on,amd-ssbd=on,skip-l1dfl-vmentry=on,pschange-mc-no=on,hv-time=on,hv-relaxed=on,hv-vapic=on,hv-spinlocks=0x1fff,hv-vpindex=on,hv-runtime=on,hv-synic=on,hv-stimer=on,hv-stimer-direct=on,hv-reset=on,hv-frequencies=on,hv-reenlightenment=on,hv-tlbflush=on,hv-ipi=on,hv-evmcs=on \
-m 8192 \
-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":8589934592}' \
-overcommit mem-lock=off \
-smp 4,sockets=1,dies=1,cores=4,threads=1 \
-uuid 77c895d1-4180-4d0d-aea4-01e04dede02d \
-no-user-config \
-nodefaults \
-rtc base=localtime,driftfix=slew \
-global kvm-pit.lost_tick_policy=delay \
-no-hpet \
-no-shutdown \
-global ICH9-LPC.disable_s3=1 \
-global ICH9-LPC.disable_s4=1 \
-boot strict=on \
-device '{"driver":"pcie-root-port","port":16,"chassis":1,"id":"pci.1","bus":"pcie.0","multifunction":true,"addr":"0x2"}' \
-device '{"driver":"pcie-root-port","port":17,"chassis":2,"id":"pci.2","bus":"pcie.0","addr":"0x2.0x1"}' \
-device '{"driver":"pcie-root-port","port":18,"chassis":3,"id":"pci.3","bus":"pcie.0","addr":"0x2.0x2"}' \
-device '{"driver":"pcie-root-port","port":19,"chassis":4,"id":"pci.4","bus":"pcie.0","addr":"0x2.0x3"}' \
-device '{"driver":"pcie-root-port","port":20,"chassis":5,"id":"pci.5","bus":"pcie.0","addr":"0x2.0x4"}' \
-device '{"driver":"pcie-root-port","port":21,"chassis":6,"id":"pci.6","bus":"pcie.0","addr":"0x2.0x5"}' \
-device '{"driver":"pcie-root-port","port":22,"chassis":7,"id":"pci.7","bus":"pcie.0","addr":"0x2.0x6"}' \
-device '{"driver":"pcie-root-port","port":23,"chassis":8,"id":"pci.8","bus":"pcie.0","addr":"0x2.0x7"}' \
-device '{"driver":"pcie-root-port","port":24,"chassis":9,"id":"pci.9","bus":"pcie.0","multifunction":true,"addr":"0x3"}' \
-device '{"driver":"pcie-root-port","port":25,"chassis":10,"id":"pci.10","bus":"pcie.0","addr":"0x3.0x1"}' \
-device '{"driver":"pcie-root-port","port":26,"chassis":11,"id":"pci.11","bus":"pcie.0","addr":"0x3.0x2"}' \
-device '{"driver":"pcie-root-port","port":27,"chassis":12,"id":"pci.12","bus":"pcie.0","addr":"0x3.0x3"}' \
-device '{"driver":"pcie-root-port","port":28,"chassis":13,"id":"pci.13","bus":"pcie.0","addr":"0x3.0x4"}' \
-device '{"driver":"pcie-root-port","port":29,"chassis":14,"id":"pci.14","bus":"pcie.0","addr":"0x3.0x5"}' \
-device '{"driver":"qemu-xhci","p2":15,"p3":15,"id":"usb","bus":"pci.2","addr":"0x0"}' \
-device '{"driver":"virtio-scsi-pci","id":"scsi0","bus":"pci.3","addr":"0x0"}' \
-blockdev '{"driver":"file","filename":"/home/win-tmp.qcow2","node-name":"libvirt-4-storage","cache":{"direct":true,"no-flush":false},"auto-read-only":true,"discard":"unmap"}' \
-blockdev '{"node-name":"libvirt-4-format","read-only":false,"discard":"unmap","cache":{"direct":true,"no-flush":false},"driver":"qcow2","file":"libvirt-4-storage","backing":null}' \
-device '{"driver":"scsi-hd","bus":"scsi0.0","channel":0,"scsi-id":0,"lun":0,"device_id":"drive-scsi0-0-0-0","drive":"libvirt-4-format","id":"scsi0-0-0-0","bootindex":1,"write-cache":"on"}' \
-device '{"driver":"ide-cd","bus":"ide.1","id":"sata0-0-1"}' \
-device '{"driver":"ide-cd","bus":"ide.2","id":"sata0-0-2"}' \
-device '{"driver":"ide-cd","bus":"ide.3","id":"sata0-0-3"}' \
-device '{"driver":"usb-tablet","id":"input0","bus":"usb.0","port":"1"}' \
-audiodev '{"id":"audio1","driver":"none"}' \
-vnc 0.0.0.0:0,audiodev=audio1 \
-device '{"driver":"VGA","id":"video0","vgamem_mb":16,"bus":"pcie.0","addr":"0x1"}' \
-qmp tcp:0.0.0.0:4444,server,nowait

2. Try to take a screenshot with png format:
{ "execute": "screendump", "arguments": { "filename": "/tmp/image", "format":"png" } }

3.

Actual results:
qemu crash with log:
Thread 1 "qemu-kvm" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff6135f00 (LWP 3713)]
0x00007ffff716d4e9 in malloc () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff716d4e9 in malloc () from /lib64/libc.so.6
#1  0x00007ffff74241e9 in g_malloc () from /lib64/libglib-2.0.so.0
#2  0x0000555555ece6c0 in qemu_iovec_init_extended (qiov=0x7ffdc018fe00, head_buf=0x0, head_len=0, mid_qiov=<optimized out>, mid_offset=<optimized out>, mid_len=65536, tail_buf=0x0, tail_len=0) at ../util/iov.c:451
#3  0x0000555555d208b2 in bdrv_driver_pwritev (bs=0x5555567f6110, offset=10338041856, bytes=65536, qiov=0x5, qiov_offset=65536, flags=0) at ../util/iov.c:514
#4  0x0000555555d1fbac in bdrv_aligned_pwritev (child=0x555556802f50, req=0x7ffdc018ff68, offset=22894965138, bytes=65536, align=<optimized out>, qiov=0x5, qiov_offset=65536, flags=<optimized out>) at ../block/io.c:2097
#5  0x0000555555d1e5c9 in bdrv_co_pwritev_part (child=0x555556802f50, offset=10338041856, bytes=65536, qiov=0x7ffdc018fe00, qiov_offset=<optimized out>, flags=0) at ../block/io.c:2289
#6  0x0000555555d55781 in qcow2_co_pwritev_task (bs=0x5555567fd960, host_offset=22894965138, offset=10237247488, bytes=65536, qiov=0x5, qiov_offset=0, l2meta=0x555557c61990) at ../block/qcow2.c:2573
#7  qcow2_co_pwritev_task_entry (task=<optimized out>) at ../block/qcow2.c:2603
#8  0x0000555555d00645 in aio_task_co (opaque=0x1f) at ../block/aio_task.c:45
#9  0x0000555555eca6f6 in coroutine_trampoline (i0=<optimized out>, i1=<optimized out>) at ../util/coroutine-ucontext.c:177
#10 0x00007ffff70e8360 in ?? () from /lib64/libc.so.6
#11 0x00007ffff6132980 in ?? ()
#12 0x0000000000000000 in ?? ()

Expected results:
No qemu crash happens.

Additional info:
No qemu crash happens when taking a screenshot with ppm format.
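The reproducer's step 2 is a raw QMP command typed into the socket opened by `-qmp tcp:0.0.0.0:4444,server,nowait`. The following script is an added example (not part of this bug report and not QEMU's own `python/qemu` package) that performs the same exchange programmatically: it reads the greeting, negotiates capabilities, issues `screendump` with `format` set to `png` or `ppm`, and then checks that the file on disk really starts with the PNG signature or the PPM `P6` header. The host, port and output path are assumptions taken from the command line above.

```python
"""Drive QEMU's QMP socket to take a screendump and sanity-check the result.

Added example, not the bug report's or QEMU's own code. It assumes qemu was
started with '-qmp tcp:0.0.0.0:4444,server,nowait' as in the reproducer;
the host, port and output path below are assumptions.
"""
import json
import socket

# Leading bytes of the two formats the screendump command can write.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PPM_SIGNATURE = b"P6"


def build_screendump(filename, fmt="png"):
    """Return the QMP request dict equivalent to step 2 of the reproducer."""
    return {"execute": "screendump",
            "arguments": {"filename": filename, "format": fmt}}


def classify_image(data):
    """Return 'png', 'ppm' or None from the first bytes of the written file."""
    if data.startswith(PNG_SIGNATURE):
        return "png"
    if data.startswith(PPM_SIGNATURE):
        return "ppm"
    return None


class QMPClient:
    """Minimal line-oriented QMP client: greeting, qmp_capabilities, execute."""

    def __init__(self, host, port, timeout=10.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("rb")
        greeting = self._read_json()
        if "QMP" not in greeting:
            raise RuntimeError("not a QMP greeting: %r" % (greeting,))
        # Capability negotiation must precede every other command.
        self.execute("qmp_capabilities")

    def _read_json(self):
        # Skip asynchronous events and return the next reply message.
        while True:
            line = self.rfile.readline()
            if not line:
                raise ConnectionError("QMP connection closed (qemu exited?)")
            msg = json.loads(line)
            if "event" not in msg:
                return msg

    def execute(self, command, arguments=None):
        req = {"execute": command}
        if arguments:
            req["arguments"] = arguments
        self.sock.sendall(json.dumps(req).encode() + b"\n")
        resp = self._read_json()
        if "error" in resp:
            raise RuntimeError("%s failed: %s" % (command, resp["error"]))
        return resp.get("return")

    def close(self):
        self.rfile.close()
        self.sock.close()


def screendump_and_check(host, port, filename, fmt="png"):
    """Issue the screendump, then verify the file has the requested format.

    A crash like the one in this report surfaces here as ConnectionError
    (the socket closes before any reply), not as a malformed output file.
    """
    client = QMPClient(host, port)
    try:
        cmd = build_screendump(filename, fmt)
        client.execute(cmd["execute"], cmd["arguments"])
    finally:
        client.close()
    with open(filename, "rb") as f:
        head = f.read(16)
    kind = classify_image(head)
    if kind != fmt:
        raise RuntimeError("expected %s output, got %s" % (fmt, kind))
    return kind


if __name__ == "__main__":
    # Assumed endpoint and path, matching the reproducer's -qmp option.
    print(screendump_and_check("127.0.0.1", 4444, "/tmp/image", "png"))
```

Running it against the affected build should end with `ConnectionError` once qemu takes the SIGSEGV; against a fixed build it returns `png`, and switching `fmt` to `ppm` exercises the code path that the report says does not crash. Note that the backtrace above faults inside `malloc()` under the qcow2 write path rather than in the screendump code: a double free corrupts allocator metadata, and the fault typically surfaces at a later, unrelated allocation, so the crashing frame is not the frame that introduced the bug.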
I see there is an upstream fix, "[PATCH v2] ui/console: fix three double frees in png_save()", which seems to address this issue. But I cannot reproduce the issue with the reproducer from https://gitlab.com/qemu-project/qemu/-/issues/1210. Gerd, could you help check this issue?
Zhiyi
If the above MR resolves the issue, then this bug can be moved to POST, set ITR=9.2.0 w/ DTM=15, dependent bug 2135806 (qemu rebase), and add 'resolved by qemu-7.2 commit ######' to the devel whiteboard....
Reproduces on upstream 7.1.0.
Does not reproduce on upstream 7.2.0-rc0.
So the patch referenced in comment 1 most likely fixes the problem, and the rebase should pick up the fix.
QE bot(pre verify): Set 'Verified:Tested,SanityOnly' as gating/tier1 test pass.
Tested against qemu-kvm-7.2.0-2.el9.x86_64; not able to reproduce this issue anymore, so marking this bug verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: qemu-kvm security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2023:2162