qemu-io segfaults at block/qcow2.h:533
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| QEMU | Fix Released | Undecided | Unassigned | |
Bug Description
git is at HEAD a93ece47fd9edbd
This is on ppc64le architecture.
Reproduction steps:
1. Copy the attached file named test.img to a directory
2. Adjust the following commands to point to that directory, then run them.
# mv test.img copy.img
# qemu-io <path to>/copy.img -c "truncate 66560"
from gdb:
Program terminated with signal 11, Segmentation fault.
#0 0x0000000010054cec in get_refblock_offset (s=0x32ca3210, offset=
533 return s->refcount_
Missing separate debuginfos, use: debuginfo-install cyrus-sasl-
(gdb) bt
#0 0x0000000010054cec in get_refblock_offset (s=0x32ca3210, offset=
#1 0x000000001005df4c in qcow2_discard_
#2 0x000000001005e5c4 in qcow2_shrink_
#3 0x0000000010051184 in qcow2_truncate (bs=0x32c96f60, offset=66560, prealloc=
#4 0x0000000010016480 in bdrv_truncate (child=0x32ca6270, offset=66560, prealloc=
#5 0x0000000010090800 in blk_truncate (blk=0x32c89410, offset=66560, prealloc=
#6 0x0000000010023028 in truncate_f (blk=0x32c89410, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:1580
#7 0x000000001001e648 in command (blk=0x32c89410, ct=0x32c96e30, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:117
#8 0x0000000010024d64 in qemuio_command (blk=0x32c89410, cmd=0x3fffc052f66e "truncate 66560") at qemu-io-cmds.c:2291
#9 0x000000001000b540 in command_loop () at qemu-io.c:374
#10 0x000000001000c05c in main (argc=4, argv=0x3fffc051
(gdb) bt full
#0 0x0000000010054cec in get_refblock_offset (s=0x32ca3210, offset=
index = 4294967295
#1 0x000000001005df4c in qcow2_discard_
s = 0x32ca3210
block_index = 3226593616
refblock = 0x32cb9570
ret = 16384
#2 0x000000001005e5c4 in qcow2_shrink_
s = 0x32ca3210
i = 0
ret = 0
#3 0x0000000010051184 in qcow2_truncate (bs=0x32c96f60, offset=66560, prealloc=
s = 0x32ca3210
old_length = 1048576
new_l1_size = 1
ret = 0
__func__ = "qcow2_truncate"
#4 0x0000000010016480 in bdrv_truncate (child=0x32ca6270, offset=66560, prealloc=
bs = 0x32c96f60
drv = 0x102036f0 <bdrv_qcow2>
ret = 16383
__func__ = "bdrv_truncate"
#5 0x0000000010090800 in blk_truncate (blk=0x32c89410, offset=66560, prealloc=
__func__ = "blk_truncate"
#6 0x0000000010023028 in truncate_f (blk=0x32c89410, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:1580
local_err = 0x0
offset = 66560
ret = 0
#7 0x000000001001e648 in command (blk=0x32c89410, ct=0x32c96e30, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:117
cmd = 0x32c684c0 "truncate"
#8 0x0000000010024d64 in qemuio_command (blk=0x32c89410, cmd=0x3fffc052f66e "truncate 66560") at qemu-io-cmds.c:2291
ctx = 0x32c924d0
input = 0x32c684c0 "truncate"
ct = 0x32c96e30
v = 0x32c685a0
c = 2
done = false
#9 0x000000001000b540 in command_loop () at qemu-io.c:374
i = 0
done = 0
fetchable = 0
---Type <return> to continue, or q <return> to quit---
prompted = 0
input = 0x0
#10 0x000000001000c05c in main (argc=4, argv=0x3fffc051
readonly = 0
sopt = 0x101b2608 "hVc:d:
lopt = {{name = 0x101b26d0 "driver", has_arg = 0, flag = 0x0, val = 104}, {name = 0x101b26d8 "help", has_arg = 0, flag = 0x0, val = 86}, {
name = 0x101b26e0 "version", has_arg = 1, flag = 0x0, val = 99}, {name = 0x101b26e8 "cmd", has_arg = 1, flag = 0x0, val = 102}, {
name = 0x101b26f0 "format", has_arg = 0, flag = 0x0, val = 114}, {name = 0x101b2700 "y", has_arg = 0, flag = 0x0, val = 115}, {
name = 0x101b2710 "", has_arg = 0, flag = 0x0, val = 110}, {name = 0x101b2718 "nocache", has_arg = 0, flag = 0x0, val = 67}, {
name = 0x101b2728 "read", has_arg = 0, flag = 0x0, val = 109}, {name = 0x101b2738 "", has_arg = 0, flag = 0x0, val = 107}, {
name = 0x101b2748 "io", has_arg = 1, flag = 0x0, val = 100}, {name = 0x101b2750 "discard", has_arg = 1, flag = 0x0, val = 116}, {
name = 0x101b2758 "cache", has_arg = 1, flag = 0x0, val = 84}, {name = 0x101b25e8 "object", has_arg = 1, flag = 0x0, val = 256}, {
name = 0x101b2760 "trace", has_arg = 0, flag = 0x0, val = 257}, {name = 0x101b1c48 "force-share", has_arg = 0, flag = 0x0, val = 85}, {name = 0x0,
has_arg = 0, flag = 0x0, val = 0}}
c = -1
opt_index = 0
flags = 16386
local_error = 0x0
opts = 0x0
format = 0x0
trace_file = 0x0
force_share = false
The image produced by image_fuzzer will be attached.
Hi,
And finally, also here, thanks a lot for reporting this bug! I've found a fix; sending a patch might take a little longer, though...
Max