Bug 1207034

Summary: QEMU segfault when doing unaligned zero write to non-512 disk
Product: Red Hat Enterprise Linux 7 Reporter: Fam Zheng <famz>
Component: qemu-kvm-rhevAssignee: Fam Zheng <famz>
Status: CLOSED ERRATA QA Contact: Virtualization Bugs <virt-bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.2CC: hhuang, huding, juzhang, mazhang, michen, ngu, rbalakri, virt-bugs, virt-maint, xfu, xuhan, ypu, zhengtli
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: qemu-kvm-rhev-2.3.0-8.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1200295 Environment:
Last Closed: 2015-12-04 16:33:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1200295    
Bug Blocks:    

Comment 1 Fam Zheng 2015-03-30 06:12:18 UTC 
The upstream fix is merged for 2.3.
Comment 3 Fam Zheng 2015-05-27 06:54:06 UTC 
Extra patches from upstream need to be manually backported. Patches sent to internal list for review.
Comment 4 Miroslav Rezanina 2015-07-08 10:53:53 UTC 
Fix included in qemu-kvm-rhev-2.3.0-8.el7
Comment 6 mazhang 2015-08-04 02:24:46 UTC 
Reproduce this bug on qemu-kvm-rhev-2.1.2-16.el7.

Steps:
1. Create a raw image with 100M.
# qemu-img create -f raw t.img 100M

2. write unaligned zero to this image.

Result:
Starting program: /usr/bin/qemu-io 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
qemu-io> open -o file.align=4k blkdebug::t.img
[New Thread 0x7fffed9b9700 (LWP 27645)]
qemu-io> write -z 512 1024

Program received signal SIGSEGV, Segmentation fault.
bdrv_co_do_pwritev (bs=0x555555c617d0, offset=512, bytes=1024, qiov=0x0, flags=BDRV_REQ_ZERO_WRITE) at block.c:3402
3402	        qemu_iovec_init(&local_qiov, qiov->niov + 2);
Missing separate debuginfos, use: debuginfo-install boost-system-1.53.0-24.el7.x86_64 boost-thread-1.53.0-24.el7.x86_64 cyrus-sasl-lib-2.1.26-18.el7.x86_64 glib2-2.42.2-2.el7.x86_64 glibc-2.17-101.el7.x86_64 glusterfs-api-3.6.0.29-2.el7.x86_64 glusterfs-libs-3.6.0.29-2.el7.x86_64 gmp-6.0.0-11.el7.x86_64 gnutls-3.3.8-12.el7_1.1.x86_64 keyutils-libs-1.5.8-3.el7.x86_64 krb5-libs-1.13.2-3.el7.x86_64 libaio-0.3.109-13.el7.x86_64 libcom_err-1.42.9-7.el7.x86_64 libcurl-7.29.0-25.el7.x86_64 libffi-3.0.13-16.el7.x86_64 libgcc-4.8.5-3.el7.x86_64 libgcrypt-1.5.3-12.el7_1.1.x86_64 libgpg-error-1.12-3.el7.x86_64 libibverbs-1.1.8-6.el7.x86_64 libidn-1.28-4.el7.x86_64 libiscsi-1.9.0-6.el7.x86_64 libnl-1.1.4-3.el7.x86_64 librados2-0.80.7-3.el7.x86_64 librbd1-0.80.7-3.el7.x86_64 librdmacm-1.0.21-1.el7.x86_64 libseccomp-2.2.1-1.el7.x86_64 libselinux-2.2.2-6.el7.x86_64 libssh2-1.4.3-10.el7.x86_64 libstdc++-4.8.5-3.el7.x86_64 libtasn1-3.8-2.el7.x86_64 libuuid-2.23.2-24.el7.x86_64 lzo-2.06-6.el7_0.2.x86_64 nettle-2.7.1-4.el7.x86_64 nspr-4.10.8-1.el7_1.x86_64 nss-3.19.1-7.el7.x86_64 nss-softokn-freebl-3.16.2.3-12.el7.x86_64 nss-util-3.19.1-3.el7.x86_64 openldap-2.4.40-4.el7.x86_64 openssl-libs-1.0.1e-42.el7_1.9.x86_64 p11-kit-0.20.7-3.el7.x86_64 pcre-8.32-15.el7.x86_64 snappy-1.1.0-3.el7.x86_64 trousers-0.3.11.2-4.el7_1.x86_64 xz-libs-5.1.2-9alpha.el7.x86_64 zlib-1.2.7-15.el7.x86_64
(gdb) bt
#0  bdrv_co_do_pwritev (bs=0x555555c617d0, offset=512, bytes=1024, qiov=0x0, flags=BDRV_REQ_ZERO_WRITE) at block.c:3402
#1  0x000055555556ff7f in bdrv_co_do_write_zeroes (bs=bs@entry=0x555555c5ec50, sector_num=sector_num@entry=1, nb_sectors=nb_sectors@entry=2, flags=flags@entry=BDRV_REQ_ZERO_WRITE)
    at block.c:3250
#2  0x0000555555573f62 in bdrv_aligned_pwritev (flags=<optimized out>, qiov=0x0, bytes=1024, offset=512, req=0x7ffff7fbff20, bs=0x555555c5ec50) at block.c:3319
#3  bdrv_co_do_pwritev (bs=0x555555c5ec50, offset=512, bytes=1024, qiov=qiov@entry=0x0, flags=BDRV_REQ_ZERO_WRITE) at block.c:3448
#4  0x0000555555574a1a in bdrv_co_do_writev (flags=<optimized out>, qiov=0x0, nb_sectors=<optimized out>, sector_num=<optimized out>, bs=<optimized out>) at block.c:3472
#5  bdrv_co_write_zeroes (bs=<optimized out>, sector_num=<optimized out>, nb_sectors=<optimized out>, flags=<optimized out>, flags@entry=(unknown: 0)) at block.c:3494
#6  0x000055555559baae in co_write_zeroes_entry (opaque=0x7fffffffe0d0) at qemu-io-cmds.c:460
#7  0x000055555559f53a in coroutine_trampoline (i0=<optimized out>, i1=<optimized out>) at coroutine-ucontext.c:118
#8  0x00007ffff311b0f0 in ?? () from /lib64/libc.so.6
#9  0x00007fffffffcfc0 in ?? ()
#10 0x0000000000000000 in ?? ()


Verify this bug on qemu-kvm-rhev-2.3.0-14.el7

Result:
No longer segment fault.
Starting program: /usr/bin/qemu-io 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
qemu-io> open -o file.align=4k blkdebug::t.img
[New Thread 0x7fffed62d700 (LWP 27748)]
WARNING: Image format was not specified for 'json:{"image": {"driver": "file", "filename": "t.img"}, "driver": "blkdebug", "align": "4k"}' and probing guessed raw.
         Automatically detecting the format is dangerous for raw images, write operations on block 0 will be restricted.
         Specify the 'raw' format explicitly to remove the restrictions.
qemu-io> write -z 512 1024
wrote 1024/1024 bytes at offset 512
1 KiB, 1 ops; 0.0210 sec (47.560 KiB/sec and 47.5602 ops/sec)

This bug has been fixed.
Comment 8 errata-xmlrpc 2015-12-04 16:33:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2546.html