QEMU

qemu segfaults when writing to very large qcow2 disk

Bug #865518 reported by Richard W.M. Jones on 2011-10-03

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	QEMU	Fix Released	Undecided	Unassigned

Bug Description

Create a ridiculously large qcow2 disk:

qemu-img create -f qcow2 test1.img $((2**63-513))

Attach it to a guest and try to use parted to partition it. This is easy with virt-rescue: you just do:

virt-rescue test1.img
><rescue> parted /dev/vda mklabel gpt
<-- bang! qemu segfaults here

The stack trace is:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000434cac in get_cluster_table (bs=0x3193030, offset=
    9223372036854764544, new_l2_table=0x591e3c8, new_l2_offset=0x591e3c0,
    new_l2_index=0x591e408) at block/qcow2-cluster.c:506
506 l2_offset = s->l1_table[l1_index];
(gdb) bt
#0 0x0000000000434cac in get_cluster_table (bs=0x3193030, offset=
    9223372036854764544, new_l2_table=0x591e3c8, new_l2_offset=0x591e3c0,
    new_l2_index=0x591e408) at block/qcow2-cluster.c:506
#1 0x000000000043535b in qcow2_alloc_cluster_offset (bs=0x3193030, offset=
    9223372036854764544, n_start=106, n_end=126, num=0x591e4e8, m=0x591e470)
    at block/qcow2-cluster.c:719
#2 0x000000000043b8d4 in qcow2_co_writev (bs=0x3193030, sector_num=
    18014398509481962, remaining_sectors=20, qiov=0x4a81ee0)
    at block/qcow2.c:554
#3 0x0000000000428691 in bdrv_co_rw (opaque=0x38bad10) at block.c:2781
#4 0x000000000046e03a in coroutine_trampoline (i0=59487248, i1=0)
    at coroutine-ucontext.c:125
#5 0x00000034dc6471b0 in ?? () from /lib64/libc.so.6
#6 0x00007fff76cbb430 in ?? ()
#7 0x0000000000000000 in ?? ()

This is qemu from git (8f440cda08c6df574 from 2011-09-29)

Revision history for this message

Richard Jones (rjones-redhat) wrote on 2013-05-11:

Still happening in upstream qemu from git:

Program terminated with signal 11, Segmentation fault.
#0 0x00007f4f86c721a0 in get_cluster_table (bs=bs@entry=0x7f4f886e7880,
    offset=offset@entry=1152921504606834688,
    new_l2_table=new_l2_table@entry=0x7f4f8ad9a0b0,
    new_l2_index=new_l2_index@entry=0x7f4f8ad9a0ac)
    at block/qcow2-cluster.c:525
525 l2_offset = s->l1_table[l1_index] & L1E_OFFSET_MASK;
Missing separate debuginfos, use: debuginfo-install SDL-1.2.15-3.fc18.x86_64 bluez-libs-4.101-6.fc18.x86_64 brlapi-0.5.6-12.fc18.x86_64 celt051-0.5.1.3-5.fc18.x86_64 ceph-devel-0.56.3-1.fc18.x86_64 ceph-libs-0.56.3-1.fc18.x86_64 cryptopp-5.6.1-8.fc18.x86_64 cyrus-sasl-lib-2.1.25-2.fc18.x86_64 leveldb-1.7.0-4.fc18.x86_64 libfdt-1.3.0-5.fc18.x86_64 libseccomp-1.0.1-0.fc18.x86_64 libselinux-2.1.12-7.3.fc18.x86_64 libusbx-1.0.14-1.fc18.x86_64 snappy-1.0.5-2.fc18.x86_64 spice-server-0.12.2-3.fc18.x86_64 usbredir-0.6-1.fc18.x86_64 xen-libs-4.2.1-9.fc18.x86_64
(gdb) bt
#0 0x00007f4f86c721a0 in get_cluster_table (bs=bs@entry=0x7f4f886e7880,
    offset=offset@entry=1152921504606834688, new_l2_table=new_l2_table@entry=
    0x7f4f8ad9a0b0, new_l2_index=new_l2_index@entry=0x7f4f8ad9a0ac)
    at block/qcow2-cluster.c:525
#1 0x00007f4f86c72fa3 in handle_copied (m=<optimized out>,
    bytes=<synthetic pointer>, host_offset=<synthetic pointer>, guest_offset=
    1152921504606834688, bs=0x7f4f886e7880) at block/qcow2-cluster.c:873
#2 qcow2_alloc_cluster_offset (bs=bs@entry=0x7f4f886e7880,
    offset=<optimized out>, offset@entry=1152921504606834688,
    n_start=n_start@entry=104, n_end=<optimized out>, num=num@entry=
    0x7f4f8ad9a14c, host_offset=host_offset@entry=0x7f4f8ad9a150, m=m@entry=
    0x7f4f8ad9a158) at block/qcow2-cluster.c:1217
#3 0x00007f4f86c773b3 in qcow2_co_writev (bs=0x7f4f886e7880, sector_num=
    2251799813685224, remaining_sectors=24, qiov=0x7f4f88d88f98)
    at block/qcow2.c:819
#4 0x00007f4f86c638d5 in bdrv_co_do_writev (bs=0x7f4f886e7880, sector_num=
    2251799813685224, nb_sectors=24, qiov=0x7f4f88d88f98, flags=flags@entry=
    (unknown: 0)) at block.c:2625
#5 0x00007f4f86c63a38 in bdrv_co_do_rw (opaque=0x7f4f88e16160) at block.c:4139
#6 0x00007f4f86c9a19a in coroutine_trampoline (i0=<optimized out>,
    i1=<optimized out>) at coroutine-ucontext.c:118
#7 0x00007f4f7fd776c0 in ?? () from /lib64/libc.so.6
#8 0x00007fff125e6620 in ?? ()
#9 0x0000000000000000 in ?? ()

Still happening in upstream qemu from git:

Program terminated with signal 11, Segmentation fault.
#0  0x00007f4f86c721a0 in get_cluster_table (bs=bs@entry=0x7f4f886e7880, 
    offset=offset@entry=1152921504606834688, 
    new_l2_table=new_l2_table@entry=0x7f4f8ad9a0b0, 
    new_l2_index=new_l2_index@entry=0x7f4f8ad9a0ac)
    at block/qcow2-cluster.c:525
525	    l2_offset = s->l1_table[l1_index] & L1E_OFFSET_MASK;
Missing separate debuginfos, use: debuginfo-install SDL-1.2.15-3.fc18.x86_64 bluez-libs-4.101-6.fc18.x86_64 brlapi-0.5.6-12.fc18.x86_64 celt051-0.5.1.3-5.fc18.x86_64 ceph-devel-0.56.3-1.fc18.x86_64 ceph-libs-0.56.3-1.fc18.x86_64 cryptopp-5.6.1-8.fc18.x86_64 cyrus-sasl-lib-2.1.25-2.fc18.x86_64 leveldb-1.7.0-4.fc18.x86_64 libfdt-1.3.0-5.fc18.x86_64 libseccomp-1.0.1-0.fc18.x86_64 libselinux-2.1.12-7.3.fc18.x86_64 libusbx-1.0.14-1.fc18.x86_64 snappy-1.0.5-2.fc18.x86_64 spice-server-0.12.2-3.fc18.x86_64 usbredir-0.6-1.fc18.x86_64 xen-libs-4.2.1-9.fc18.x86_64
(gdb) bt
#0  0x00007f4f86c721a0 in get_cluster_table (bs=bs@entry=0x7f4f886e7880, 
    offset=offset@entry=1152921504606834688, new_l2_table=new_l2_table@entry=
    0x7f4f8ad9a0b0, new_l2_index=new_l2_index@entry=0x7f4f8ad9a0ac)
    at block/qcow2-cluster.c:525
#1  0x00007f4f86c72fa3 in handle_copied (m=<optimized out>, 
    bytes=<synthetic pointer>, host_offset=<synthetic pointer>, guest_offset=
    1152921504606834688, bs=0x7f4f886e7880) at block/qcow2-cluster.c:873
#2  qcow2_alloc_cluster_offset (bs=bs@entry=0x7f4f886e7880, 
    offset=<optimized out>, offset@entry=1152921504606834688, 
    n_start=n_start@entry=104, n_end=<optimized out>, num=num@entry=
    0x7f4f8ad9a14c, host_offset=host_offset@entry=0x7f4f8ad9a150, m=m@entry=
    0x7f4f8ad9a158) at block/qcow2-cluster.c:1217
#3  0x00007f4f86c773b3 in qcow2_co_writev (bs=0x7f4f886e7880, sector_num=
    2251799813685224, remaining_sectors=24, qiov=0x7f4f88d88f98)
    at block/qcow2.c:819
#4  0x00007f4f86c638d5 in bdrv_co_do_writev (bs=0x7f4f886e7880, sector_num=
    2251799813685224, nb_sectors=24, qiov=0x7f4f88d88f98, flags=flags@entry=
    (unknown: 0)) at block.c:2625
#5  0x00007f4f86c63a38 in bdrv_co_do_rw (opaque=0x7f4f88e16160) at block.c:4139
#6  0x00007f4f86c9a19a in coroutine_trampoline (i0=<optimized out>, 
    i1=<optimized out>) at coroutine-ucontext.c:118
#7  0x00007f4f7fd776c0 in ?? () from /lib64/libc.so.6
#8  0x00007fff125e6620 in ?? ()
#9  0x0000000000000000 in ?? ()

Revision history for this message

Richard Jones (rjones-redhat) wrote on 2013-05-11:

Simple reproducer using only qemu tools:

$ qemu-img create -f qcow2 huge.qcow2 $((1024*1024))T
Formatting 'huge.qcow2', fmt=qcow2 size=1152921504606846976 encryption=off cluster_size=65536 lazy_refcounts=off
$ qemu-io /tmp/huge.qcow2 -c "write $((1024*1024*1024*1024*1024*1024 - 1024)) 512"
Segmentation fault

Revision history for this message

Thomas Huth (th-huth) wrote on 2016-06-22:

Fix has been included here:
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=2cf7cfa1cde6672b8a35b
... so I think it should be OK to close this ticket now.

Changed in qemu:
status:	New → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.