Bug 1203543 - bdrv_make_zero() passes a too large nb_sectors value to bdrv_write_zeroes()
Summary: bdrv_make_zero() passes a too large nb_sectors value to bdrv_write_zeroes()
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Stefan Hajnoczi
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On: 1196688
Blocks: 1194743 1209034 1215744 1215775 1215776 1216130
 
Reported: 2015-03-19 05:20 UTC by Jan Kurik
Modified: 2019-07-11 08:48 UTC (History)

Fixed In Version: qemu-kvm-rhev-2.1.2-23.el7_1.2
Doc Type: Bug Fix
Doc Text:
On a virtual disk with a high number of sectors, the number of sectors was in some cases handled incorrectly, and converting a QEMU image failed with an "invalid argument" error. This update fixes the incorrect calculation that caused this error, and the described failure no longer occurs.
Clone Of: 1196688
Clones: 1215775 1215776 1216130
Environment:
Last Closed: 2015-05-07 15:13:01 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:0952 0 normal SHIPPED_LIVE qemu-kvm-rhev bug fix update 2015-05-07 19:12:53 UTC

Description Jan Kurik 2015-03-19 05:20:11 UTC
This bug has been copied from bug #1196688 and has been proposed
to be backported to 7.1 z-stream (EUS).

Comment 10 Stefan Hajnoczi 2015-04-07 16:31:15 UTC
Posted patch.  Sorry for the delay, there was an issue with the last patch I posted and I missed that the patch had been dropped.

Comment 13 Miroslav Rezanina 2015-04-21 07:22:02 UTC
Fix included in qemu-kvm-rhev-2.1.2-23.el7_1_1.2

Comment 20 Jun Li 2015-04-24 03:13:04 UTC
Test on qemu-kvm-rhev-2.1.2-23.el7.x86_64. Steps as bz 1196688 comment#0. 

Steps:
1. qemu-img create input.img 2G
2. qemu-img create output.img 2G
3. sudo losetup -f output.img
4. qemu-img convert -t none -O raw input.img /dev/loop0


Actual results:
After step 4, can not find any error.

Stefan and Jan,

  Could you help to check above reproduce method is right or not? If incorrect, could you give some suggestions? 

  Another question, does QE need to do more testing for verify this bz. Thx.


Regards,
Jun Li

Comment 23 Stefan Hajnoczi 2015-04-24 10:36:32 UTC
(In reply to Jun Li from comment #20)
> Test on qemu-kvm-rhev-2.1.2-23.el7.x86_64. Steps as bz 1196688 comment#0. 
> 
> Steps:
> 1. qemu-img create input.img 2G
> 2. qemu-img create output.img 2G
> 3. sudo losetup -f output.img
> 4. qemu-img convert -t none -O raw input.img /dev/loop0
> 
> 
> Actual results:
> After step 4, can not find any error.
> 
> Stefan and Jan,
> 
>   Could you help to check above reproduce method is right or not? If
> incorrect, could you give some suggestions? 
> 
>   Another question, does QE need to do more testing for verify this bz. Thx.

That verifies the fix, additional tests are not necessary.  Thank you!

Stefan

Comment 24 Jun Li 2015-04-24 12:29:31 UTC
(In reply to Stefan Hajnoczi from comment #23)
> (In reply to Jun Li from comment #20)
> > Test on qemu-kvm-rhev-2.1.2-23.el7.x86_64. Steps as bz 1196688 comment#0. 
> > 
> > Steps:
> > 1. qemu-img create input.img 2G
> > 2. qemu-img create output.img 2G
> > 3. sudo losetup -f output.img
> > 4. qemu-img convert -t none -O raw input.img /dev/loop0
> > 
> > 
> > Actual results:
> > After step 4, can not find any error.
> > 
> > Stefan and Jan,
> > 
> >   Could you help to check above reproduce method is right or not? If
> > incorrect, could you give some suggestions? 
> > 
> >   Another question, does QE need to do more testing for verify this bz. Thx.
> 
> That verifies the fix, additional tests are not necessary.  Thank you!
> 
> Stefan

Hi Stefan,

Seems above method can not reproduce this issue. 

QE just do a simple debug, seems can not call bdrv_make_zero() when execute "qemu-img convert -t none -O raw input.img /dev/loop0".


static int img_convert(int argc, char **argv)
{
...
                                       +-------> Here will return 0.
                                       |
        if (!has_zero_init && bdrv_can_write_zeroes_with_unmap(out_bs)) {
            ret = bdrv_make_zero(out_bs, BDRV_REQ_MAY_UNMAP);
            if (ret < 0) {
                goto out;
            }
...
}

As bdrv_can_write_zeroes_with_unmap(out_bs) will return 0, bdrv_make_zero(out_bs, BDRV_REQ_MAY_UNMAP) cannot be called.

bdrv_can_write_zeroes_with_unmap
    bdrv_get_info

   int bdrv_get_info(BlockDriverState *bs, BlockDriverInfo *bdi)
{
    BlockDriver *drv = bs->drv;
    if (!drv)
        return -ENOMEDIUM;
    if (!drv->bdrv_get_info)  -----> Here !drv->bdrv_get_info will be 1.
        return -ENOTSUP;                                   |
    memset(bdi, 0, sizeof(*bdi));                          |
    return drv->bdrv_get_info(bs, bdi);                    |
}                                                          |
                                                           |
                                                          \|/ 
                                               I don't know why here is 1. Could you give some explanations and suggestions ? Thx.




Regards,
Jun Li

Comment 25 Stefan Hajnoczi 2015-04-24 17:52:14 UTC
(In reply to Jun Li from comment #24)
> (In reply to Stefan Hajnoczi from comment #23)
> > (In reply to Jun Li from comment #20)
> > > Test on qemu-kvm-rhev-2.1.2-23.el7.x86_64. Steps as bz 1196688 comment#0. 
> > > 
> > > Steps:
> > > 1. qemu-img create input.img 2G
> > > 2. qemu-img create output.img 2G
> > > 3. sudo losetup -f output.img
> > > 4. qemu-img convert -t none -O raw input.img /dev/loop0
> > > 
> > > 
> > > Actual results:
> > > After step 4, can not find any error.
> > > 
> > > Stefan and Jan,
> > > 
> > >   Could you help to check above reproduce method is right or not? If
> > > incorrect, could you give some suggestions? 
> > > 
> > >   Another question, does QE need to do more testing for verify this bz. Thx.
> > 
> > That verifies the fix, additional tests are not necessary.  Thank you!
> > 
> > Stefan
> 
> Hi Stefan,
> 
> Seems above method can not reproduce this issue. 
> 
> QE just do a simple debug, seems can not call bdrv_make_zero() when execute
> "qemu-img convert -t none -O raw input.img /dev/loop0".

I cannot reproduce what you are showing:

$ git log --oneline
509328f block: Fix max nb_sectors in bdrv_make_zero
230c69c Update to qemu-kvm-rhev-2.1.2-23.el7
$ gdb ./qemu-img --args ./qemu-img convert -t none -O raw input.img /dev/loop0
(gdb) b bdrv_can_write_zeroes_with_unmap
(gdb) r
(gdb) finish
Run till exit from #0  bdrv_can_write_zeroes_with_unmap (
    bs=0x555555c65ac0) at block.c:3950
0x0000555555569194 in img_convert (argc=<optimized out>, 
    argv=<optimized out>) at qemu-img.c:1608
1608	        if (!has_zero_init && bdrv_can_write_zeroes_with_unmap(out_bs)) {
Value returned is $1 = true

The function is returning true, so the bdrv_make_zero() code path gets taken.

Can you retry with the exact GDB commands that I have provided?

Comment 26 Jun Li 2015-04-27 03:18:03 UTC
(In reply to Stefan Hajnoczi from comment #25)
> (In reply to Jun Li from comment #24)
> > (In reply to Stefan Hajnoczi from comment #23)
> > > (In reply to Jun Li from comment #20)
> > > > Test on qemu-kvm-rhev-2.1.2-23.el7.x86_64. Steps as bz 1196688 comment#0. 
> > > > 
> > > > Steps:
> > > > 1. qemu-img create input.img 2G
> > > > 2. qemu-img create output.img 2G
> > > > 3. sudo losetup -f output.img
> > > > 4. qemu-img convert -t none -O raw input.img /dev/loop0
> > > > 
> > > > 
> > > > Actual results:
> > > > After step 4, can not find any error.
> > > > 
> > > > Stefan and Jan,
> > > > 
> > > >   Could you help to check above reproduce method is right or not? If
> > > > incorrect, could you give some suggestions? 
> > > > 
> > > >   Another question, does QE need to do more testing for verify this bz. Thx.
> > > 
> > > That verifies the fix, additional tests are not necessary.  Thank you!
> > > 
> > > Stefan
> > 
> > Hi Stefan,
> > 
> > Seems above method can not reproduce this issue. 
> > 
> > QE just do a simple debug, seems can not call bdrv_make_zero() when execute
> > "qemu-img convert -t none -O raw input.img /dev/loop0".
> 
> I cannot reproduce what you are showing:
> 
> $ git log --oneline
> 509328f block: Fix max nb_sectors in bdrv_make_zero
> 230c69c Update to qemu-kvm-rhev-2.1.2-23.el7
> $ gdb ./qemu-img --args ./qemu-img convert -t none -O raw input.img
> /dev/loop0
> (gdb) b bdrv_can_write_zeroes_with_unmap
> (gdb) r
> (gdb) finish
> Run till exit from #0  bdrv_can_write_zeroes_with_unmap (
>     bs=0x555555c65ac0) at block.c:3950
> 0x0000555555569194 in img_convert (argc=<optimized out>, 
>     argv=<optimized out>) at qemu-img.c:1608
> 1608	        if (!has_zero_init && bdrv_can_write_zeroes_with_unmap(out_bs))
> {
> Value returned is $1 = true
> 
> The function is returning true, so the bdrv_make_zero() code path gets taken.
> 
> Can you retry with the exact GDB commands that I have provided?


Hi Stefan,

So sorry. Wrong qemu-img shell execution environment.
# which qemu-img 
/usr/local/bin/qemu-img

# rpm -ql qemu-img-rhev-2.1.2-23.el7.x86_64
/usr/bin/qemu-img
/usr/bin/qemu-io
/usr/bin/qemu-nbd
/usr/share/man/man1/qemu-img.1.gz
/usr/share/man/man8/qemu-nbd.8.gz

Then, using the correct qemu-img shell path, test as follows:

Reproduce:
Version of components:
qemu-img-rhev-2.1.2-23.el7.x86_64

# losetup -D

# losetup -l

# /usr/bin/qemu-img create input.img 2G
Formatting 'input.img', fmt=raw size=2147483648

# /usr/bin/qemu-img create output.img 2G
Formatting 'output.img', fmt=raw size=2147483648

# losetup -f output.img

# losetup -l
NAME       SIZELIMIT OFFSET AUTOCLEAR RO BACK-FILE
/dev/loop0         0      0         0  0 /tmp/output.img

# /usr/bin/qemu-img convert -t none -O raw input.img /dev/loop0
qemu-img: error writing zeroes at sector 0: Invalid argument

As shown above, this bz has been reproduced.

Verify:
Version of components:
qemu-img-rhev-2.1.2-23.el7_1.2.x86_64

Steps:
1,
# losetup -D
2,
# losetup -l
3,
# /usr/bin/qemu-img create input.img 2G
Formatting 'input.img', fmt=raw size=2147483648 
4,
# /usr/bin/qemu-img create output.img 2G
Formatting 'output.img', fmt=raw size=2147483648 
5,
# losetup -f output.img
6,
# losetup -l
NAME       SIZELIMIT OFFSET AUTOCLEAR RO BACK-FILE
/dev/loop0         0      0         0  0 /tmp/output.img
7,
# /usr/bin/qemu-img convert -t none -O raw input.img /dev/loop0

After step 7, no error occurs.


Based on the above, this bz has been verified. Thanks again, Stefan.


Regards,
Jun Li
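
Added example, not part of the original comments and not QEMU's code: a simplified C model of why the 2G image in the reproduction above is rejected when the caller clamps its chunk size too loosely. It assumes 512-byte sectors and a write path that returns -EINVAL when a request's byte length does not fit in a signed int; the function names and both limits are illustrative assumptions, not taken from this page.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define SECTOR_SIZE 512                          /* assumed sector size */
/* Assumed callee limit: sectors * SECTOR_SIZE must fit in a signed int. */
#define MAX_REQ_SECTORS (INT_MAX / SECTOR_SIZE)

/* Model of the callee: rejects oversized requests with -EINVAL,
 * matching the "Invalid argument" seen in the reproduction. */
static int model_write_zeroes(int64_t sector, int64_t nb_sectors)
{
    (void)sector;
    if (nb_sectors <= 0 || nb_sectors > MAX_REQ_SECTORS) {
        return -EINVAL;
    }
    return 0;
}

/* Model of the caller: zero the whole device in chunks of at most
 * `cap` sectors. Returns the number of requests issued, or a negative
 * errno from the first rejected request. */
static int model_make_zero(int64_t total_sectors, int64_t cap)
{
    int64_t sector = 0;
    int requests = 0;

    while (sector < total_sectors) {
        int64_t n = total_sectors - sector;
        if (n > cap) {
            n = cap;                             /* clamp one request */
        }
        int ret = model_write_zeroes(sector, n);
        if (ret < 0) {
            return ret;
        }
        sector += n;
        requests++;
    }
    return requests;
}

int main(void)
{
    /* 2147483648 is the size qemu-img printed for the 2G images. */
    int64_t sectors_2g = 2147483648LL / SECTOR_SIZE;

    printf("sectors=%lld, per-request limit=%d\n",
           (long long)sectors_2g, MAX_REQ_SECTORS);
    printf("clamp at INT_MAX sectors: %d\n", model_make_zero(sectors_2g, INT_MAX));
    printf("clamp at request limit:   %d\n", model_make_zero(sectors_2g, MAX_REQ_SECTORS));
    return 0;
}
```
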

Comment 32 errata-xmlrpc 2015-05-07 15:13:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0952.html

