QEMU

qemu-io segfaults at block/qcow2.h:533

Bug #1728661 reported by R.Nageswara Sastry
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
QEMU
Fix Released
Undecided
Unassigned

Bug Description

git is at HEAD a93ece47fd9edbd4558db24300056c9a57d3bcd4
This is on ppc64le architecture.

Re-production steps:

1. Copy the attached file named test.img to a directory
2. And customize the following command to point to the above directory and run the same.
# mv test.img copy.img
# qemu-io <path to>/copy.img -c "truncate 66560"

from gdb:
Program terminated with signal 11, Segmentation fault.
#0 0x0000000010054cec in get_refblock_offset (s=0x32ca3210, offset=9223372036854775296) at ./block/qcow2.h:533
533 return s->refcount_table[index] & REFT_OFFSET_MASK;
Missing separate debuginfos, use: debuginfo-install cyrus-sasl-lib-2.1.26-21.el7.ppc64le glib2-2.50.3-3.el7.ppc64le glibc-2.17-196.el7.ppc64le gmp-6.0.0-15.el7.ppc64le gnutls-3.3.26-9.el7.ppc64le keyutils-libs-1.5.8-3.el7.ppc64le krb5-libs-1.15.1-8.el7.ppc64le libaio-0.3.109-13.el7.ppc64le libcom_err-1.42.9-10.el7.ppc64le libcurl-7.29.0-42.el7.ppc64le libffi-3.0.13-18.el7.ppc64le libgcc-4.8.5-16.el7_4.1.ppc64le libidn-1.28-4.el7.ppc64le libselinux-2.5-11.el7.ppc64le libssh2-1.4.3-10.el7_2.1.ppc64le libstdc++-4.8.5-16.el7_4.1.ppc64le libtasn1-4.10-1.el7.ppc64le nettle-2.7.1-8.el7.ppc64le nspr-4.13.1-1.0.el7_3.ppc64le nss-3.28.4-15.el7_4.ppc64le nss-softokn-freebl-3.28.3-8.el7_4.ppc64le nss-util-3.28.4-3.el7.ppc64le openldap-2.4.44-5.el7.ppc64le openssl-libs-1.0.2k-8.el7.ppc64le p11-kit-0.23.5-3.el7.ppc64le pcre-8.32-17.el7.ppc64le zlib-1.2.7-17.el7.ppc64le
(gdb) bt
#0 0x0000000010054cec in get_refblock_offset (s=0x32ca3210, offset=9223372036854775296) at ./block/qcow2.h:533
#1 0x000000001005df4c in qcow2_discard_refcount_block (bs=0x32c96f60, discard_block_offs=9223372036854775296) at block/qcow2-refcount.c:3070
#2 0x000000001005e5c4 in qcow2_shrink_reftable (bs=0x32c96f60) at block/qcow2-refcount.c:3169
#3 0x0000000010051184 in qcow2_truncate (bs=0x32c96f60, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/qcow2.c:3155
#4 0x0000000010016480 in bdrv_truncate (child=0x32ca6270, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block.c:3585
#5 0x0000000010090800 in blk_truncate (blk=0x32c89410, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/block-backend.c:1845
#6 0x0000000010023028 in truncate_f (blk=0x32c89410, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:1580
#7 0x000000001001e648 in command (blk=0x32c89410, ct=0x32c96e30, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:117
#8 0x0000000010024d64 in qemuio_command (blk=0x32c89410, cmd=0x3fffc052f66e "truncate 66560") at qemu-io-cmds.c:2291
#9 0x000000001000b540 in command_loop () at qemu-io.c:374
#10 0x000000001000c05c in main (argc=4, argv=0x3fffc051f618) at qemu-io.c:630
(gdb) bt full
#0 0x0000000010054cec in get_refblock_offset (s=0x32ca3210, offset=9223372036854775296) at ./block/qcow2.h:533
        index = 4294967295
#1 0x000000001005df4c in qcow2_discard_refcount_block (bs=0x32c96f60, discard_block_offs=9223372036854775296) at block/qcow2-refcount.c:3070
        s = 0x32ca3210
        refblock_offs = 852111520
        cluster_index = 16384
        block_index = 3226593616
        refblock = 0x32cb9570
        ret = 16384
        __PRETTY_FUNCTION__ = "qcow2_discard_refcount_block"
#2 0x000000001005e5c4 in qcow2_shrink_reftable (bs=0x32c96f60) at block/qcow2-refcount.c:3169
        s = 0x32ca3210
        reftable_tmp = 0x32cb9570
        i = 0
        ret = 0
#3 0x0000000010051184 in qcow2_truncate (bs=0x32c96f60, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/qcow2.c:3155
        last_cluster = 70367675804416
        old_file_size = 70367675804416
        s = 0x32ca3210
        old_length = 1048576
        new_l1_size = 1
        ret = 0
        __func__ = "qcow2_truncate"
        __PRETTY_FUNCTION__ = "qcow2_truncate"
        __FUNCTION__ = "qcow2_truncate"
#4 0x0000000010016480 in bdrv_truncate (child=0x32ca6270, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block.c:3585
        bs = 0x32c96f60
        drv = 0x102036f0 <bdrv_qcow2>
        ret = 16383
        __PRETTY_FUNCTION__ = "bdrv_truncate"
        __func__ = "bdrv_truncate"
#5 0x0000000010090800 in blk_truncate (blk=0x32c89410, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/block-backend.c:1845
        __func__ = "blk_truncate"
#6 0x0000000010023028 in truncate_f (blk=0x32c89410, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:1580
        local_err = 0x0
        offset = 66560
        ret = 0
#7 0x000000001001e648 in command (blk=0x32c89410, ct=0x32c96e30, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:117
        cmd = 0x32c684c0 "truncate"
#8 0x0000000010024d64 in qemuio_command (blk=0x32c89410, cmd=0x3fffc052f66e "truncate 66560") at qemu-io-cmds.c:2291
        ctx = 0x32c924d0
        input = 0x32c684c0 "truncate"
        ct = 0x32c96e30
        v = 0x32c685a0
        c = 2
        done = false
#9 0x000000001000b540 in command_loop () at qemu-io.c:374
        i = 0
        done = 0
        fetchable = 0
---Type <return> to continue, or q <return> to quit---
        prompted = 0
        input = 0x0
#10 0x000000001000c05c in main (argc=4, argv=0x3fffc051f618) at qemu-io.c:630
        readonly = 0
        sopt = 0x101b2608 "hVc:d:f:rsnCmkt:T:U"
        lopt = {{name = 0x101b26d0 "driver", has_arg = 0, flag = 0x0, val = 104}, {name = 0x101b26d8 "help", has_arg = 0, flag = 0x0, val = 86}, {
            name = 0x101b26e0 "version", has_arg = 1, flag = 0x0, val = 99}, {name = 0x101b26e8 "cmd", has_arg = 1, flag = 0x0, val = 102}, {
            name = 0x101b26f0 "format", has_arg = 0, flag = 0x0, val = 114}, {name = 0x101b2700 "y", has_arg = 0, flag = 0x0, val = 115}, {
            name = 0x101b2710 "", has_arg = 0, flag = 0x0, val = 110}, {name = 0x101b2718 "nocache", has_arg = 0, flag = 0x0, val = 67}, {
            name = 0x101b2728 "read", has_arg = 0, flag = 0x0, val = 109}, {name = 0x101b2738 "", has_arg = 0, flag = 0x0, val = 107}, {
            name = 0x101b2748 "io", has_arg = 1, flag = 0x0, val = 100}, {name = 0x101b2750 "discard", has_arg = 1, flag = 0x0, val = 116}, {
            name = 0x101b2758 "cache", has_arg = 1, flag = 0x0, val = 84}, {name = 0x101b25e8 "object", has_arg = 1, flag = 0x0, val = 256}, {
            name = 0x101b2760 "trace", has_arg = 0, flag = 0x0, val = 257}, {name = 0x101b1c48 "force-share", has_arg = 0, flag = 0x0, val = 85}, {name = 0x0,
            has_arg = 0, flag = 0x0, val = 0}}
        c = -1
        opt_index = 0
        flags = 16386
        writethrough = true
        local_error = 0x0
        opts = 0x0
        format = 0x0
        trace_file = 0x0
        force_share = false

image_fuzzer image will be attached.

Revision history for this message
R.Nageswara Sastry (nasastry) wrote :
Revision history for this message
Max Reitz (xanclic) wrote :

Hi,

And finally, also here, thanks a lot for reporting this bug! I've found a fix; sending a patch might take a little longer, though...

Max

Revision history for this message
Thomas Huth (th-huth) wrote :

Fix has been released with QEMU 2.11:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=23482f8a603a7fc591b770

Changed in qemu:
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.