QEMU

qemu-io crashes with SIGSEGV when did -c aio_write 9233408 28160 on a image_fuzzer image

Bug #1728635 reported by R.Nageswara Sastry
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
QEMU
Expired
Undecided
Unassigned

Bug Description

git is at HEAD a93ece47fd9edbd4558db24300056c9a57d3bcd4
This is on ppc64le architecture.

Re-production steps:

1. Copy the attached file named test.img to a directory
2. And customize the following command to point to the above directory and run the same.
# cp test.img copy.img
# qemu/qemu-io <path to>/copy.img -c "aio_write 9233408 28160"

from gdb:
Program terminated with signal 11, Segmentation fault.
#0 0x00003fffa0077644 in __memcpy_power7 () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install cyrus-sasl-lib-2.1.26-21.el7.ppc64le glib2-2.50.3-3.el7.ppc64le glibc-2.17-196.el7.ppc64le gmp-6.0.0-15.el7.ppc64le gnutls-3.3.26-9.el7.ppc64le keyutils-libs-1.5.8-3.el7.ppc64le krb5-libs-1.15.1-8.el7.ppc64le libaio-0.3.109-13.el7.ppc64le libcom_err-1.42.9-10.el7.ppc64le libcurl-7.29.0-42.el7.ppc64le libffi-3.0.13-18.el7.ppc64le libgcc-4.8.5-16.el7_4.1.ppc64le libidn-1.28-4.el7.ppc64le libselinux-2.5-11.el7.ppc64le libssh2-1.4.3-10.el7_2.1.ppc64le libstdc++-4.8.5-16.el7_4.1.ppc64le libtasn1-4.10-1.el7.ppc64le nettle-2.7.1-8.el7.ppc64le nspr-4.13.1-1.0.el7_3.ppc64le nss-3.28.4-15.el7_4.ppc64le nss-softokn-freebl-3.28.3-8.el7_4.ppc64le nss-util-3.28.4-3.el7.ppc64le openldap-2.4.44-5.el7.ppc64le openssl-libs-1.0.2k-8.el7.ppc64le p11-kit-0.23.5-3.el7.ppc64le pcre-8.32-17.el7.ppc64le zlib-1.2.7-17.el7.ppc64le
(gdb) bt
#0 0x00003fffa0077644 in __memcpy_power7 () from /lib64/libc.so.6
#1 0x0000000010056738 in qcow2_refcount_area (bs=0x25f56f60, start_offset=137438953472, additional_clusters=0, exact_size=false, new_refblock_index=0,
    new_refblock_offset=524288) at block/qcow2-refcount.c:573
#2 0x0000000010056374 in alloc_refcount_block (bs=0x25f56f60, cluster_index=0, refcount_block=0x3fff9dadf838) at block/qcow2-refcount.c:479
#3 0x0000000010057520 in update_refcount (bs=0x25f56f60, offset=0, length=524288, addend=1, decrease=false, type=QCOW2_DISCARD_NEVER)
    at block/qcow2-refcount.c:834
#4 0x0000000010057c24 in qcow2_alloc_clusters (bs=0x25f56f60, size=524288) at block/qcow2-refcount.c:996
#5 0x0000000010063684 in do_alloc_cluster_offset (bs=0x25f56f60, guest_offset=9233408, host_offset=0x3fff9dadf9e0, nb_clusters=0x3fff9dadf9d8)
    at block/qcow2-cluster.c:1213
#6 0x0000000010063afc in handle_alloc (bs=0x25f56f60, guest_offset=9233408, host_offset=0x3fff9dadfab0, bytes=0x3fff9dadfab8, m=0x3fff9dadfb60)
    at block/qcow2-cluster.c:1324
#7 0x0000000010064178 in qcow2_alloc_cluster_offset (bs=0x25f56f60, offset=9233408, bytes=0x3fff9dadfb4c, host_offset=0x3fff9dadfb58, m=0x3fff9dadfb60)
    at block/qcow2-cluster.c:1511
#8 0x000000001004d3f4 in qcow2_co_pwritev (bs=0x25f56f60, offset=9233408, bytes=28160, qiov=0x25f6fa08, flags=0) at block/qcow2.c:1919
#9 0x00000000100a9648 in bdrv_driver_pwritev (bs=0x25f56f60, offset=9233408, bytes=28160, qiov=0x25f6fa08, flags=16) at block/io.c:898
#10 0x00000000100ab630 in bdrv_aligned_pwritev (child=0x25f627f0, req=0x3fff9dadfdd8, offset=9233408, bytes=28160, align=1, qiov=0x25f6fa08, flags=16)
    at block/io.c:1440
#11 0x00000000100ac4ac in bdrv_co_pwritev (child=0x25f627f0, offset=9233408, bytes=28160, qiov=0x25f6fa08, flags=BDRV_REQ_FUA) at block/io.c:1691
#12 0x000000001008da0c in blk_co_pwritev (blk=0x25f49410, offset=9233408, bytes=28160, qiov=0x25f6fa08, flags=BDRV_REQ_FUA) at block/block-backend.c:1085
#13 0x000000001008e718 in blk_aio_write_entry (opaque=0x25f6fa70) at block/block-backend.c:1276
#14 0x00000000101aa444 in coroutine_trampoline (i0=636902032, i1=0) at util/coroutine-ucontext.c:79
#15 0x00003fffa0022b9c in makecontext () from /lib64/libc.so.6
#16 0x0000000000000000 in ?? ()
(gdb) bt full
#0 0x00003fffa0077644 in __memcpy_power7 () from /lib64/libc.so.6
No symbol table info available.
#1 0x0000000010056738 in qcow2_refcount_area (bs=0x25f56f60, start_offset=137438953472, additional_clusters=0, exact_size=false, new_refblock_index=0,
    new_refblock_offset=524288) at block/qcow2-refcount.c:573
        s = 0x25f63210
        total_refblock_count_u64 = 2
        additional_refblock_count = 0
        total_refblock_count = 2
        table_size = 65536
        area_reftable_index = 1
        table_clusters = 1
        i = 0
        table_offset = 268870620
        block_offset = 70367094634128
        end_offset = 636891296
        ret = 636786432
        new_table = 0x3fff9d940010
        __PRETTY_FUNCTION__ = "qcow2_refcount_area"
        data = {d64 = 636841824, d32 = 1}
        old_table_offset = 70367094634552
        old_table_size = 636786432
#2 0x0000000010056374 in alloc_refcount_block (bs=0x25f56f60, cluster_index=0, refcount_block=0x3fff9dadf838) at block/qcow2-refcount.c:479
        s = 0x25f63210
        refcount_table_index = 0
        ret = 0
        new_block = 524288
        blocks_used = 1
        meta_offset = 137438953472
#3 0x0000000010057520 in update_refcount (bs=0x25f56f60, offset=0, length=524288, addend=1, decrease=false, type=QCOW2_DISCARD_NEVER)
    at block/qcow2-refcount.c:834
        block_index = 268794524
        refcount = 4563798300
        cluster_index = 0
        table_index = 0
        s = 0x25f63210
        start = 0
        last = 0
        cluster_offset = 0
        refcount_block = 0x0
        old_table_index = -1
        ret = 0
#4 0x0000000010057c24 in qcow2_alloc_clusters (bs=0x25f56f60, size=524288) at block/qcow2-refcount.c:996
        offset = 0
        ret = 0
#5 0x0000000010063684 in do_alloc_cluster_offset (bs=0x25f56f60, guest_offset=9233408, host_offset=0x3fff9dadf9e0, nb_clusters=0x3fff9dadf9d8)
    at block/qcow2-cluster.c:1213
        cluster_offset = 0
        s = 0x25f63210
#6 0x0000000010063afc in handle_alloc (bs=0x25f56f60, guest_offset=9233408, host_offset=0x3fff9dadfab0, bytes=0x3fff9dadfab8, m=0x3fff9dadfb60)
    at block/qcow2-cluster.c:1324
---Type <return> to continue, or q <return> to quit---
        s = 0x25f63210
        l2_index = 17
        l2_table = 0x0
        entry = 0
        nb_clusters = 1
        ret = 0
        keep_old_clusters = false
        alloc_cluster_offset = 0
        __PRETTY_FUNCTION__ = "handle_alloc"
        requested_bytes = 73651285856
        avail_bytes = -1649542304
        nb_bytes = 16383
        old_m = 0x3fff00000000
#7 0x0000000010064178 in qcow2_alloc_cluster_offset (bs=0x25f56f60, offset=9233408, bytes=0x3fff9dadfb4c, host_offset=0x3fff9dadfb58, m=0x3fff9dadfb60)
    at block/qcow2-cluster.c:1511
        s = 0x25f63210
        start = 9233408
        remaining = 28160
        cluster_offset = 0
        cur_bytes = 28160
        ret = 0
        __PRETTY_FUNCTION__ = "qcow2_alloc_cluster_offset"
#8 0x000000001004d3f4 in qcow2_co_pwritev (bs=0x25f56f60, offset=9233408, bytes=28160, qiov=0x25f6fa08, flags=0) at block/qcow2.c:1919
        s = 0x25f63210
        offset_in_cluster = 320512
        ret = 0
        cur_bytes = 28160
        cluster_offset = 0
        hd_qiov = {iov = 0x25f285a0, niov = 0, nalloc = 1, size = 0}
        bytes_done = 0
        cluster_data = 0x0
        l2meta = 0x0
        __PRETTY_FUNCTION__ = "qcow2_co_pwritev"
#9 0x00000000100a9648 in bdrv_driver_pwritev (bs=0x25f56f60, offset=9233408, bytes=28160, qiov=0x25f6fa08, flags=16) at block/io.c:898
        drv = 0x102036f0 <bdrv_qcow2>
        sector_num = 636854560
        nb_sectors = 598850083
        ret = -1802855680
        __PRETTY_FUNCTION__ = "bdrv_driver_pwritev"
#10 0x00000000100ab630 in bdrv_aligned_pwritev (child=0x25f627f0, req=0x3fff9dadfdd8, offset=9233408, bytes=28160, align=1, qiov=0x25f6fa08, flags=16)
    at block/io.c:1440
        bs = 0x25f56f60
        drv = 0x102036f0 <bdrv_qcow2>
        waited = false
        ret = 0
        end_sector = 18089
        bytes_remaining = 28160
        max_transfer = 2147483647
        __PRETTY_FUNCTION__ = "bdrv_aligned_pwritev"
#11 0x00000000100ac4ac in bdrv_co_pwritev (child=0x25f627f0, offset=9233408, bytes=28160, qiov=0x25f6fa08, flags=BDRV_REQ_FUA) at block/io.c:1691
---Type <return> to continue, or q <return> to quit---
        bs = 0x25f56f60
        req = {bs = 0x25f56f60, offset = 9233408, bytes = 28160, type = BDRV_TRACKED_WRITE, serialising = false, overlap_offset = 9233408,
          overlap_bytes = 28160, list = {le_next = 0x0, le_prev = 0x25f5a1d8}, co = 0x25f65a90, wait_queue = {entries = {sqh_first = 0x0,
              sqh_last = 0x3fff9dadfe20}}, waiting_for = 0x0}
        align = 1
        head_buf = 0x0
        tail_buf = 0x0
        local_qiov = {iov = 0x3fff9dadfdb0, niov = -1649541648, nalloc = 16383, size = 9233408}
        use_local_qiov = false
        ret = 0
        __PRETTY_FUNCTION__ = "bdrv_co_pwritev"
#12 0x000000001008da0c in blk_co_pwritev (blk=0x25f49410, offset=9233408, bytes=28160, qiov=0x25f6fa08, flags=BDRV_REQ_FUA) at block/block-backend.c:1085
        ret = 0
        bs = 0x25f56f60
#13 0x000000001008e718 in blk_aio_write_entry (opaque=0x25f6fa70) at block/block-backend.c:1276
        acb = 0x25f6fa70
        rwco = 0x25f6fa98
        __PRETTY_FUNCTION__ = "blk_aio_write_entry"
#14 0x00000000101aa444 in coroutine_trampoline (i0=636902032, i1=0) at util/coroutine-ucontext.c:79
        arg = {p = 0x25f65a90, i = {636902032, 0}}
        self = 0x25f65a90
        co = 0x25f65a90
#15 0x00003fffa0022b9c in makecontext () from /lib64/libc.so.6
No symbol table info available.
#16 0x0000000000000000 in ?? ()
No symbol table info available.

Will be attaching image_fuzzer image

Revision history for this message
R.Nageswara Sastry (nasastry) wrote :
Revision history for this message
John Snow (jnsnow) wrote :

I can't reproduce this on commit a93ece47fd9edbd4558db24300056c9a57d3bcd4:

# ./qemu-io copy.img -c "aio_write 9233408 28160"
can't open device copy.img: Could not open backing file: Could not open 'backing_img.file': No such file or directory

and on the latest commit, I get a different error that makes me suspect this has been fixed:

# ./qemu-io copy.img -c "aio_write 9233408 28160"
can't open device copy.img: Image does not contain a reference count table

It just doesn't look as if this was fixed explicitly, as the recent refcount changes reference your other fuzzer disclosures, and not this one.

...Max?

Revision history for this message
Thomas Huth (th-huth) wrote :

The QEMU project is currently considering to move its bug tracking to another system. For this we need to know which bugs are still valid and which could be closed already. Thus we are setting older bugs to "Incomplete" now.
If you still think this bug report here is valid, then please switch the state back to "New" within the next 60 days, otherwise this report will be marked as "Expired". Or mark it as "Fix Released" if the problem has been solved with a newer version of QEMU already. Thank you and sorry for the inconvenience.

Changed in qemu:
status: New → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for QEMU because there has been no activity for 60 days.]

Changed in qemu:
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.