Bug 604221

Summary: Segmentation fault when writing preallocated qcow2 image on lvm
Product: Red Hat Enterprise Linux 6 Reporter: lihuang <lihuang>
Component: qemu-kvmAssignee: Kevin Wolf <kwolf>
Status: CLOSED DUPLICATE QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium Docs Contact:
Priority: low    
Version: 6.0CC: kwolf, mkenneth, quintela, tburke, virt-maint
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-06-29 15:46:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description lihuang 2010-06-15 16:23:03 UTC 
Description of problem:
got another crash (bug 604210). please close one. if better to fix in one bug.

the test env is same to 604210.



#0  0x00000031d6484127 in memcpy () from /lib64/libc.so.6
#1  0x0000000000474445 in qemu_iovec_to_buffer (qiov=0x7f924c005390, 
    buf=<value optimized out>) at /usr/include/bits/string3.h:52
#2  0x000000000048babb in qcow_aio_setup (bs=0xc84010, sector_num=13678333, 
    qiov=0x7f924c005390, nb_sectors=464, cb=<value optimized out>, 
    opaque=<value optimized out>, is_write=1) at block/qcow2.c:499
#3  0x000000000048be30 in qcow_aio_writev (bs=<value optimized out>, 
    sector_num=<value optimized out>, qiov=<value optimized out>, 
    nb_sectors=<value optimized out>, cb=<value optimized out>, 
    opaque=<value optimized out>) at block/qcow2.c:651
#4  0x0000000000477cd3 in bdrv_aio_writev (bs=0xc84010, sector_num=13678333, 
    qiov=0x7f924c005390, nb_sectors=464, cb=<value optimized out>, 
    opaque=<value optimized out>) at block.c:1832
#5  0x0000000000478a9b in bdrv_aio_multiwrite (bs=0xc84010, 
    reqs=0x7f9250bb35d0, num_reqs=21) at block.c:2023
#6  0x000000000041d3be in do_multiwrite (bs=<value optimized out>, 
    blkreq=0x7f9250bb35d0, num_writes=21)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/virtio-blk.c:235
#7  0x000000000041da68 in virtio_blk_handle_output (vdev=0xd17b30, 
    vq=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/virtio-blk.c:362
#8  0x000000000042a3d1 in kvm_handle_io (env=0xcb9810)
    at /usr/src/debug/qemu-kvm-0.12.1.2/kvm-all.c:538
---Type <return> to continue, or q <return> to quit---
#9  kvm_run (env=0xcb9810) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:969
#10 0x000000000042a479 in kvm_cpu_exec (env=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1652
#11 0x000000000042b09f in kvm_main_loop_cpu (_env=0xcb9810)
    at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1894
#12 ap_main_loop (_env=0xcb9810)
    at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1944
#13 0x00000031d6c07761 in start_thread () from /lib64/libpthread.so.0
#14 0x00000031d64e14fd in clone () from /lib64/libc.so.6


Version-Release number of selected component (if applicable):
qemu-kvm-0.12.1.2-2.74.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1.
2.
3.
  
Actual results:
Segmentation fault

Expected results:
1. normally write before hit NO SPACE error
2. pause on the NO SPACE error




Additional info:

/usr/libexec/qemu-kvm -M rhel6.0.0 -enable-kvm -m 2048 -smp 2,sockets=2,cores=1,threads=1 -name pxe -uuid a4e4e89f-ff9c-699a-ffe6-9823adf72f93 -nodefaults -monitor unix:/tmp/pxe,server,nowait -rtc base=utc -boot n  

-drive file=/dev/vgtest/lvtest,if=none,id=drive-virtio-disk0,boot=on,format=qcow2,cache=none,werror=stop,rerror=stop  
-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0   

-netdev tap,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:8d:c6:6e,bus=pci.0,addr=0x5 -usb -device usb-tablet,id=input0 -vnc :1 -k en-us -vga std -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3
Comment 2 RHEL Program Management 2010-06-15 16:53:10 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.
Comment 6 Kevin Wolf 2010-06-29 14:23:03 UTC 
Got a core dump now. The stack trace looks different, but a segfault in malloc should be a sign for heap corruption. And if we overwrite some random memory, we can hit anything. So this could really be the same as in the original description and as in bug 602209.

#0  0x00000037faa75852 in malloc_consolidate () from /lib64/libc.so.6
#1  0x00000037faa786e2 in _int_malloc () from /lib64/libc.so.6
#2  0x00000037faa79f5f in _int_memalign () from /lib64/libc.so.6
#3  0x00000037faa7a5d2 in memalign () from /lib64/libc.so.6
#4  0x00000037faa7a7e9 in posix_memalign () from /lib64/libc.so.6
#5  0x000000000047c837 in qemu_memalign (alignment=<value optimized out>, size=<value optimized out>) at osdep.c:93
#6  0x000000000048bb46 in qcow_aio_setup (bs=0x2272010, sector_num=18082495, qiov=0x7f8fb41f49c0, nb_sectors=48, cb=<value optimized out>, 
    opaque=<value optimized out>, is_write=1) at block/qcow2.c:497
#7  0x000000000048bf30 in qcow_aio_writev (bs=<value optimized out>, sector_num=<value optimized out>, qiov=<value optimized out>, 
    nb_sectors=<value optimized out>, cb=<value optimized out>, opaque=<value optimized out>) at block/qcow2.c:651
#8  0x0000000000477d93 in bdrv_aio_writev (bs=0x2272010, sector_num=18082495, qiov=0x7f8fb41f49c0, nb_sectors=48, cb=<value optimized out>, 
    opaque=<value optimized out>) at block.c:1858
#9  0x0000000000478b5b in bdrv_aio_multiwrite (bs=0x2272010, reqs=0x7f8fbc3605d0, num_reqs=3) at block.c:2049
#10 0x000000000041d3fe in do_multiwrite (bs=<value optimized out>, blkreq=0x7f8fbc3605d0, num_writes=3)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/virtio-blk.c:235
#11 0x000000000041daa8 in virtio_blk_handle_output (vdev=0x2305b40, vq=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/virtio-blk.c:362
#12 0x000000000042a481 in kvm_handle_io (env=0x22a7900) at /usr/src/debug/qemu-kvm-0.12.1.2/kvm-all.c:538
#13 kvm_run (env=0x22a7900) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:969
#14 0x000000000042a529 in kvm_cpu_exec (env=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1652
#15 0x000000000042b14f in kvm_main_loop_cpu (_env=0x22a7900) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1894
#16 ap_main_loop (_env=0x22a7900) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1944
#17 0x00000037fb207761 in start_thread () from /lib64/libpthread.so.0
#18 0x00000037faae14fd in clone () from /lib64/libc.so.6

The qemu_blockalign parameters look right:

497             acb->buf = acb->orig_buf = qemu_blockalign(bs, qiov->size);
(gdb) p *qiov
$3 = {iov = 0x7f8fb41f09b8, niov = 2, nalloc = -1, size = 24576}
(gdb) p *bs
$4 = {total_sectors = 41943040, read_only = 0, keep_read_only = 0, open_flags = 34, removable = 0, locked = 0, encrypted = 0, valid_key = 0, sg = 0, 
  change_cb = 0, change_opaque = 0x0, drv = 0x859c00, opaque = 0x2272920, filename = "/dev/vgtest/lvtest", '\000' <repeats 1005 times>, 
  backing_file = '\000' <repeats 1023 times>, backing_format = '\000' <repeats 15 times>, is_temporary = 0, media_changed = 1, backing_hd = 0x0, 
  file = 0x2272ca0, sync_aiocb = 0x0, rd_bytes = 2284544, wr_bytes = 878585856, rd_ops = 550, wr_ops = 1652, wr_highest_sector = 41943039, 
  growable = 0, buffer_alignment = 512, enable_write_cache = 1, cyls = 16383, heads = 16, secs = 63, translation = 2, type = 0, 
  device_name = "drive-virtio-disk0", '\000' <repeats 13 times>, dirty_bitmap = 0x0, list = {tqe_next = 0x0, tqe_prev = 0x857f20}, private = 0x0}
Comment 7 lihuang 2010-06-29 15:46:28 UTC 
ok .then follow it in bug 602209/

*** This bug has been marked as a duplicate of bug 602209 ***