Bug 1200043

Summary: bdrv_make_zero() passes a too large nb_sectors value to bdrv_write_zeroes()
Product: Fedora
Component: qemu
Version: 21
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Keywords: Reopened
Reporter: Dan Prince <dprince>
Assignee: Fedora Virtualization Maintainers <virt-maint>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: amit.shah, apevec, berrange, cfergeau, crobinso, dprince, dron, dwmw2, eharney, hguemar, itamar, pbonzini, rjones, scottt.tw, stefanha, virt-bugs, virt-maint
Hardware: Unspecified
OS: Unspecified
Fixed In Version: qemu-2.1.3-6.fc21
Doc Type: Bug Fix
Type: Bug
Clone Of: 1196688
Last Closed: 2015-04-18 09:52:13 UTC
Bug Depends On: 1196688
Bug Blocks: 1194743

Description Dan Prince 2015-03-09 15:11:14 UTC
+++ This bug was initially created as a clone of Bug #1196688 +++

Description of problem:

bdrv_make_zero() clamps the nb_sectors value:

  if (nb_sectors > INT_MAX) {
      nb_sectors = INT_MAX;
  }

But INT_MAX is too large because bdrv_rw_co() performs the following check later:

  if (nb_sectors < 0 || nb_sectors > INT_MAX / BDRV_SECTOR_SIZE) {
      return -EINVAL;
  }

Fam Zheng already fixed this bug upstream so we just need to backport the fix:
http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=f3a9cfddaec127078ac1898de6b063db8ac3bb48


How reproducible:
Deterministic


Steps to Reproduce:
1. qemu-img create input.img 2G
2. qemu-img create output.img 2G
3. sudo losetup -f output.img
4. qemu-img convert -t none -O raw input.img /dev/loop0


Actual results:
qemu-img: error writing zeroes at sector 0: Invalid argument


Expected results:
Success from qemu-img convert.

--- Additional comment from Stefan Hajnoczi on 2015-02-27 07:18:16 EST ---

--- Additional comment from Stefan Hajnoczi on 2015-03-06 17:35:37 EST ---

Set state to modified.  The patch will come into RHEL 7.2 qemu-kvm from upstream via rebase.

--- Additional comment from Dan Prince on 2015-03-09 08:37:31 EDT ---

This same issue affects Fedora 21 as well and is displayed when trying to use OpenStack Cinder to convert Glance images. Could we backport the fix into Fedora 21 as well (it is preventing upstream CI from using Fedora ATM)?

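The following is an added illustration, not qemu's code and not part of this report: it models the two bounds quoted in the description and runs the reproducer's 2G image through them. The corrected clamp's bound is an assumption chosen to match the bdrv_rw_co() check, since the upstream fix is only linked above, not quoted.

```c
/* Added example, not qemu's code: models the nb_sectors clamp from
 * bdrv_make_zero() against the range check in bdrv_rw_co() quoted above. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>

#define BDRV_SECTOR_SIZE 512LL          /* qemu's sector size in bytes */

/* The check bdrv_rw_co() applies to every request (quoted in the report).
 * The bound is in sectors: INT_MAX bytes / 512 = 4194303 sectors. */
static int bdrv_rw_co_check(int64_t nb_sectors)
{
    if (nb_sectors < 0 || nb_sectors > INT_MAX / BDRV_SECTOR_SIZE) {
        return -EINVAL;
    }
    return 0;
}

/* Buggy clamp from bdrv_make_zero(): INT_MAX is a byte-scale limit, so a
 * count between INT_MAX/512 and INT_MAX sectors passes through untouched. */
static int64_t clamp_buggy(int64_t nb_sectors)
{
    if (nb_sectors > INT_MAX) {
        nb_sectors = INT_MAX;
    }
    return nb_sectors;
}

/* Corrected clamp (assumption: uses the same bound bdrv_rw_co() checks;
 * the remainder is picked up by bdrv_make_zero()'s next loop iteration). */
static int64_t clamp_fixed(int64_t nb_sectors)
{
    if (nb_sectors > INT_MAX / BDRV_SECTOR_SIZE) {
        nb_sectors = INT_MAX / BDRV_SECTOR_SIZE;
    }
    return nb_sectors;
}

/* Outcome of zeroing a whole image of `image_bytes` in one request:
 * a 2 GiB image is 4194304 sectors, one more than the check allows, so
 * the buggy clamp yields -EINVAL ("error writing zeroes at sector 0"). */
static int write_zeroes_result(int64_t image_bytes, int fixed)
{
    int64_t nb_sectors = image_bytes / BDRV_SECTOR_SIZE;
    nb_sectors = fixed ? clamp_fixed(nb_sectors) : clamp_buggy(nb_sectors);
    return bdrv_rw_co_check(nb_sectors);
}
```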
Comment 1 hguemar 2015-03-09 16:42:32 UTC
Already working on backporting this, the patch is trivial and should not affect stable branches.

Comment 2 Fedora Update System 2015-03-10 15:05:07 UTC
qemu-2.1.3-3.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/qemu-2.1.3-3.fc21

Comment 3 Fedora Update System 2015-03-13 16:55:32 UTC
qemu-2.1.3-3.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Dan Prince 2015-04-14 12:33:22 UTC
Looks like the security fixes in qemu-2.1.3-5.fc21 have caused a regression. We are once again hitting this issue in Fedora 21 stable.

Comment 5 Cole Robinson 2015-04-14 14:25:22 UTC
ugh, apologies, I accidentally dropped haikel's patch when I pushed the next update. I'll do a build now.

Comment 6 Cole Robinson 2015-04-14 14:28:41 UTC
nm looks like haikel got to it first

Comment 7 Fedora Update System 2015-04-14 18:03:46 UTC
qemu-2.1.3-6.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/qemu-2.1.3-6.fc21

Comment 8 Fedora Update System 2015-04-18 09:52:13 UTC
qemu-2.1.3-6.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.