Bug 1807377 - qcow2_alloc_cluster_abort() frees preallocated zero clusters
Summary: qcow2_alloc_cluster_abort() frees preallocated zero clusters
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux Advanced Virtualization
Classification: Red Hat
Component: qemu-kvm
Version: 8.2
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: rc
: 8.0
Assignee: Hanna Czenczek
QA Contact: Xueqiang Wei
URL:
Whiteboard:
Depends On: 1807057
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-02-26 09:04 UTC by Hanna Czenczek
Modified: 2020-11-17 17:47 UTC (History)
5 users (show)

Fixed In Version: qemu-kvm-5.1.0-4.module+el8.3.0+7846+ae9b566f
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1807057
Environment:
Last Closed: 2020-11-17 17:46:46 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Hanna Czenczek 2020-02-26 09:04:19 UTC 
+++ This bug was initially created as a clone of Bug #1807057 +++

Description of problem:

qcow2_alloc_cluster_abort() frees preallocated zero clusters, even though the corresponding handle_alloc() did not allocate them.  This leads to image corruption.


Version-Release number of selected component (if applicable):

qemu-kvm-4.2.0-12.module+el8.2.0+5858+afd073bc
qemu-kvm-2.12.0-99.module+el8.2.0+5827+8c39933c


How reproducible:

Always


Steps to Reproduce:

Create a preallocated zero cluster, then issue a write to it while ensuring that the data write will fail:

$ cat > blkdebug.conf <<EOF
[inject-error]
event = "write_aio"
errno = "5"
immediately = "on"
once = "on"
EOF

$ qemu-img create -f qcow2 foo.qcow2 64M
$ qemu-io -c 'write 0 64k' -c 'write -z 0 64k' foo.qcow2
$ qemu-io -c 'write 0 64k' blkdebug:blkdebug.conf:foo.qcow2


Actual results:

$ qemu-img check foo.qcow2
ERROR cluster 5 refcount=0 reference=1
ERROR OFLAG_COPIED data cluster: l2_entry=8000000000050001 refcount=0

2 errors were found on the image.
Data may be corrupted, or further writes to the image may corrupt it.
1/1024 = 0.10% allocated, 0.00% fragmented, 0.00% compressed clusters
Image end offset: 393216


Expected results:

$ qemu-img check foo.qcow2
No errors were found on the image.
1/1024 = 0.10% allocated, 0.00% fragmented, 0.00% compressed clusters
Image end offset: 393216


Additional info:

Fix sent upstream as “qcow2: Fix alloc_cluster_abort() for pre-existing clusters”.
Comment 2 CongLi 2020-08-24 05:19:28 UTC 
Hi Danilo,

Seems this bug has already been fixed in the rebase, could you please help update the bug status ?

commit 8aa34834d566ba4e635d6029339a5f4f1ae1685e
Author: Alberto Garcia <berto>
Date:   Fri Nov 3 16:18:52 2017 +0200

    qcow2: Prevent allocating compressed clusters at offset 0
    
    If the refcount data is corrupted then we can end up trying to
    allocate a new compressed cluster at offset 0 in the image, triggering
    an assertion in qcow2_alloc_bytes() that would crash QEMU:
    
      qcow2_alloc_bytes: Assertion `offset' failed.
    
    This patch adds an explicit check for this scenario and a new test
    case.
    
    Signed-off-by: Alberto Garcia <berto>
    Message-id: fb53467cf48e95ff3330def1cf1003a5b862b7d9.1509718618.git.berto
    Reviewed-by: Max Reitz <mreitz>
    Signed-off-by: Max Reitz <mreitz>

Thanks.
Comment 3 Xueqiang Wei 2020-08-26 02:37:27 UTC 
Hi Cong, Danilo,

Tested with qemu-kvm-5.1.0-3.module+el8.3.0+7708+740a1315, not hit this issue. It works well.


Versions:
kernel-4.18.0-233.el8.x86_64
qemu-kvm-5.1.0-3.module+el8.3.0+7708+740a1315


Steps:

# cat > blkdebug.conf <<EOF
[inject-error]
event = "write_aio"
errno = "5"
immediately = "on"
once = "on"
EOF

# qemu-img create -f qcow2 foo.qcow2 64M
Formatting 'foo.qcow2', fmt=qcow2 cluster_size=65536 compression_type=zlib size=67108864 lazy_refcounts=off refcount_bits=16

# qemu-io -c 'write 0 64k' -c 'write -z 0 64k' foo.qcow2
wrote 65536/65536 bytes at offset 0
64 KiB, 1 ops; 00.00 sec (15.980 MiB/sec and 255.6829 ops/sec)
wrote 65536/65536 bytes at offset 0
64 KiB, 1 ops; 00.00 sec (254.704 MiB/sec and 4075.2619 ops/sec)

# qemu-io -c 'write 0 64k' blkdebug:blkdebug.conf:foo.qcow2
write failed: Input/output error

# qemu-img check foo.qcow2
No errors were found on the image.
1/1024 = 0.10% allocated, 0.00% fragmented, 0.00% compressed clusters
Image end offset: 393216
Comment 4 CongLi 2020-08-31 05:59:26 UTC 
Hi Danilo,

Any update?

Thanks.
Comment 5 Danilo de Paula 2020-09-03 12:20:38 UTC 
Hi,

ITR wasn't set so it doesn't show in the queries looking for fixes appearing upstream.
Comment 9 Xueqiang Wei 2020-09-03 16:26:46 UTC 
Tested with qemu-kvm-5.1.0-4.module+el8.3.0+7846+ae9b566f, not hit this issue. So set status to VERIFIED.


Versions:
kernel-4.18.0-234.el8.x86_64
qemu-kvm-5.1.0-4.module+el8.3.0+7846+ae9b566f


Steps:

# cat > blkdebug.conf <<EOF
[inject-error]
event = "write_aio"
errno = "5"
immediately = "on"
once = "on"
EOF

# qemu-img create -f qcow2 foo.qcow2 64M
Formatting 'foo.qcow2', fmt=qcow2 cluster_size=65536 compression_type=zlib size=67108864 lazy_refcounts=off refcount_bits=16

# qemu-io -c 'write 0 64k' -c 'write -z 0 64k' foo.qcow2
wrote 65536/65536 bytes at offset 0
64 KiB, 1 ops; 00.18 sec (363.550 KiB/sec and 5.6805 ops/sec)
wrote 65536/65536 bytes at offset 0
64 KiB, 1 ops; 00.01 sec (11.056 MiB/sec and 176.9039 ops/sec)

# qemu-io -c 'write 0 64k' blkdebug:blkdebug.conf:foo.qcow2
write failed: Input/output error

# qemu-img check foo.qcow2
No errors were found on the image.
1/1024 = 0.10% allocated, 0.00% fragmented, 0.00% compressed clusters
Image end offset: 393216
Comment 12 errata-xmlrpc 2020-11-17 17:46:46 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (virt:8.3 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:5137
Note You need to log in before you can comment on or make changes to this bug.