Bug 1200295 - QEMU segfault when doing unaligned zero write to non-512 disk
Summary: QEMU segfault when doing unaligned zero write to non-512 disk
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm
Version: 7.2
Hardware: All
OS: All
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Fam Zheng
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks: 1207034
TreeView+ depends on / blocked
 
Reported: 2015-03-10 08:56 UTC by Gu Nini
Modified: 2015-11-19 04:58 UTC (History)
12 users (show)

Fixed In Version: qemu-kvm-1.5.3-89.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1207034 (view as bug list)
Environment:
Last Closed: 2015-11-19 04:58:56 UTC
Target Upstream Version:

Attachments (Terms of Use)
gdb_info_of_core_file (7.97 KB, text/plain)
2015-03-10 08:57 UTC, Gu Nini 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2213 0 normal SHIPPED_LIVE qemu-kvm bug fix and enhancement update 2015-11-19 08:16:10 UTC

Description Gu Nini 2015-03-10 08:56:18 UTC 
Description of problem:
Boot up a guest with an extra vscsi hard disk less than or equal to 500MB; inside the guest, format the guest with cmd 'mkfs.ext4 /dev/sd*', then mount it to /mnt with cmd 'mount /dev/sd* /mnt', the guest would exit for 'Segmentation fault (core dumped)' within one minutes

Version-Release number of selected component (if applicable):
Host kernel: 3.10.0-229.el7.ppc64
Guest kernel: 3.10.0-229.el7.pc64/3.10.0-229.ael7b.ppc64le
Qemu-kvm-rhev:
qemu-kvm-common-rhev-2.2.0-5.el7.ppc64
qemu-kvm-tools-rhev-2.2.0-5.el7.ppc64
qemu-img-rhev-2.2.0-5.el7.ppc64
ipxe-roms-qemu-20130517-6.gitc4bce43.el7.noarch
qemu-kvm-rhev-2.2.0-5.el7.ppc64
qemu-kvm-rhev-debuginfo-2.2.0-5.el7.ppc64

How reproducible:
100%

Steps to Reproduce:
1. Create 2 hard disks less than or equal to 500MB in raw format with 'qemu-img' cmd:
# qemu-img create -f raw hd-8-0310-1 500M
# qemu-img create -f raw hd-8-0310-2 500M

2. Boot up a guest with the 2 hard disks with following qemu-kvm cmd, one as virtio-blk-pci disk, and the other one as spapr-vscsi disk:

/usr/libexec/qemu-kvm -name virtioblkqcow-0310-1 -machine pseries-rhel7.1.0,accel=kvm,usb=off -m 1024 -realtime mlock=off -smp 64,sockets=1,cores=16,threads=4 -uuid 95346a10-1828-403a-a610-ac5a52a29448 -no-user-config -nodefaults -monitor stdio -rtc base=utc,clock=vm -no-shutdown -boot strict=on -device usb-ehci,id=usb,bus=pci.0,addr=0x2 -device pci-ohci,id=usb1,bus=pci.0,addr=0x1 -device spapr-vscsi,id=scsi0,reg=0x1000 -drive file=/media/ngu/virtioblkqcow-0310-1,if=none,id=drive-virtio-disk0,format=qcow2,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x9,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -drive file=/media/ngu/hd-8-0310-1,if=none,id=drive-virtio-disk1,format=raw,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x10,drive=drive-virtio-disk1,id=virtio-disk1 -drive file=/media/ngu/hd-8-0310-2,if=none,id=drive-scsi0-0-2-0,format=raw,cache=none -device scsi-hd,bus=scsi0.0,channel=0,scsi-id=2,lun=0,drive=drive-scsi0-0-2-0,id=scsi0-0-2-0 -netdev tap,id=hostnet0,script=/etc/qemu-ifup,downscript=/etc/qemu-ifdown -device spapr-vlan,netdev=hostnet0,id=net0,mac=52:54:00:c4:e7:48,reg=0x2000 -chardev pty,id=charserial0 -device spapr-vty,chardev=charserial0,reg=0x30000000 -device usb-kbd,id=input0 -device usb-mouse,id=input1 -device usb-tablet,id=input2 -vnc 0:18 -device VGA,id=video0,bus=pci.0,addr=0x4 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3 -object rng-random,id=rng0,filename=/dev/random -device virtio-rng-pci,rng=rng0,max-bytes=1234,period=2000,bus=pci.0,addr=0x5 -msg timestamp=on

3. After the guest booted up, inside the guest, format the 2 hard disks in turn with 'mkfs.ext4' cmd:
# mkfs.ext4 /dev/vdb
# mkfs.ext4 /dev/sda

4. Mount the 2 hard disks:
# mount /dev/vdb /media
# mount /dev/sda /mnt

Actual results:
After mounted the vscsi disk with cmd 'mount /dev/sda /mnt', the guest exited for 'Segmentation fault (core dumped)' within one minutes; while no problem when mounted the virtio-blk-pci disk in previous

Expected results:
The vscsi disk couldn't be mounted without any problem

Additional info:
During test, it's found the issue only occurred on vscsi(both virtio-scsi and spapr-vscsi) disk that is in raw format and less than or equal to 500MB; while the that in qcow2 format is without the issue
Comment 1 Gu Nini 2015-03-10 08:57:39 UTC 
Created attachment 999782 [details]
gdb_info_of_core_file
Comment 3 Fam Zheng 2015-03-23 05:05:51 UTC 
Patches posted to upstream:

http://lists.gnu.org/archive/html/qemu-devel/2015-03/msg04617.html
Comment 5 Fam Zheng 2015-03-30 06:04:18 UTC 
Fixing the component to qemu-kvm.

qemu-kvm-rhev will pick up the patches automatically from upstream in the coming rebase to 2.3, so we only need to fix qemu-kvm here.

Cloning to qemu-kvm-rhev and set to MODIFIED, in order to keep track for QE purpose.
Comment 6 Miroslav Rezanina 2015-05-27 07:59:02 UTC 
Fix included in qemu-kvm-1.5.3-89.el7
Comment 8 mazhang 2015-07-27 07:07:55 UTC 
Reproduce this bug with qemu-kvm-1.5.3-88.el7.x86_64.

Result:
# qemu-img create -f raw test.raw 100M
# (echo "open -o file.align=4k blkdebug::test.raw"; echo "write -z 512 1024") | qemu-io
qemu-io> qemu-io> Segmentation fault (core dumped)

Program received signal SIGSEGV, Segmentation fault.
0x0000555555568135 in bdrv_co_do_pwritev (bs=0x555555c12320, offset=512, bytes=1024, qiov=0x0, flags=BDRV_REQ_ZERO_WRITE) at block.c:3133
3133	        qemu_iovec_init(&local_qiov, qiov->niov + 2);
Missing separate debuginfos, use: debuginfo-install glib2-2.40.0-4.el7.x86_64 glibc-2.17-78.el7.x86_64 glusterfs-api-3.6.0.29-2.el7.x86_64 glusterfs-libs-3.6.0.29-2.el7.x86_64 libaio-0.3.109-13.el7.x86_64 libgcc-4.8.3-9.el7.x86_64 libgcrypt-1.5.3-12.el7.x86_64 libgpg-error-1.12-3.el7.x86_64 libiscsi-1.9.0-6.el7.x86_64 libstdc++-4.8.3-9.el7.x86_64 libuuid-2.23.2-22.el7_1.x86_64 nspr-4.10.8-1.el7_1.x86_64 nss-3.19.1-3.el7_1.x86_64 nss-util-3.19.1-3.el7.x86_64 openssl-libs-1.0.1e-42.el7.x86_64 zlib-1.2.7-15.el7.x86_64
(gdb) bt
#0  0x0000555555568135 in bdrv_co_do_pwritev (bs=0x555555c12320, offset=512, bytes=1024, qiov=0x0, flags=BDRV_REQ_ZERO_WRITE) at block.c:3133
#1  0x0000555555563bef in bdrv_co_do_write_zeroes (bs=bs@entry=0x555555c0e0d0, sector_num=sector_num@entry=1, nb_sectors=nb_sectors@entry=2, flags=flags@entry=BDRV_REQ_ZERO_WRITE)
    at block.c:2992
#2  0x0000555555568045 in bdrv_aligned_pwritev (flags=2, qiov=0x0, bytes=1024, offset=<optimized out>, req=0x7ffff7fd1f10, bs=0x555555c0e0d0) at block.c:3047
#3  bdrv_co_do_pwritev (bs=0x555555c0e0d0, offset=<optimized out>, bytes=1024, qiov=qiov@entry=0x0, flags=BDRV_REQ_ZERO_WRITE) at block.c:3179
#4  0x000055555556891a in bdrv_co_do_writev (flags=<optimized out>, qiov=0x0, nb_sectors=<optimized out>, sector_num=<optimized out>, bs=<optimized out>) at block.c:3203
#5  bdrv_co_write_zeroes (bs=<optimized out>, sector_num=<optimized out>, nb_sectors=<optimized out>, flags=<optimized out>, flags@entry=(unknown: 0)) at block.c:3225
#6  0x00005555555b7c81 in co_write_zeroes_entry (opaque=0x7fffffffe120) at qemu-io.c:239
#7  0x000055555559cb2a in coroutine_trampoline (i0=<optimized out>, i1=<optimized out>) at coroutine-ucontext.c:118
#8  0x00007ffff50290f0 in ?? () from /lib64/libc.so.6
#9  0x00007fffffffb890 in ?? ()
#10 0x0000000000000000 in ?? ()

Verify this bug on qemu-kvm-1.5.3-97.el7

Result:
# (echo "open -o file.align=4k blkdebug::test.raw"; echo "write -z 512 1024") | qemu-io
qemu-io> qemu-io> wrote 1024/1024 bytes at offset 512
1 KiB, 1 ops; 0.0928 sec (10.769 KiB/sec and 10.7694 ops/sec)
qemu-io> 

This bug has been fixed.
Comment 10 errata-xmlrpc 2015-11-19 04:58:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2213.html
Note You need to log in before you can comment on or make changes to this bug.