Bug 604221 - Segmentation fault when writing preallocated qcow2 image on lvm
Summary: Segmentation fault when writing preallocated qcow2 image on lvm
Keywords:
Status: CLOSED DUPLICATE of bug 602209
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
Version: 6.0
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Kevin Wolf
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-06-15 16:23 UTC by lihuang
Modified: 2013-01-09 22:44 UTC
CC List: 5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-06-29 15:46:28 UTC
Target Upstream Version:
Embargoed:



Description lihuang 2010-06-15 16:23:03 UTC
Description of problem:
Got another crash (bug 604210). Please close one if it is better to fix this in one bug.

The test environment is the same as in bug 604210.



#0  0x00000031d6484127 in memcpy () from /lib64/libc.so.6
#1  0x0000000000474445 in qemu_iovec_to_buffer (qiov=0x7f924c005390, 
    buf=<value optimized out>) at /usr/include/bits/string3.h:52
#2  0x000000000048babb in qcow_aio_setup (bs=0xc84010, sector_num=13678333, 
    qiov=0x7f924c005390, nb_sectors=464, cb=<value optimized out>, 
    opaque=<value optimized out>, is_write=1) at block/qcow2.c:499
#3  0x000000000048be30 in qcow_aio_writev (bs=<value optimized out>, 
    sector_num=<value optimized out>, qiov=<value optimized out>, 
    nb_sectors=<value optimized out>, cb=<value optimized out>, 
    opaque=<value optimized out>) at block/qcow2.c:651
#4  0x0000000000477cd3 in bdrv_aio_writev (bs=0xc84010, sector_num=13678333, 
    qiov=0x7f924c005390, nb_sectors=464, cb=<value optimized out>, 
    opaque=<value optimized out>) at block.c:1832
#5  0x0000000000478a9b in bdrv_aio_multiwrite (bs=0xc84010, 
    reqs=0x7f9250bb35d0, num_reqs=21) at block.c:2023
#6  0x000000000041d3be in do_multiwrite (bs=<value optimized out>, 
    blkreq=0x7f9250bb35d0, num_writes=21)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/virtio-blk.c:235
#7  0x000000000041da68 in virtio_blk_handle_output (vdev=0xd17b30, 
    vq=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/virtio-blk.c:362
#8  0x000000000042a3d1 in kvm_handle_io (env=0xcb9810)
    at /usr/src/debug/qemu-kvm-0.12.1.2/kvm-all.c:538
#9  kvm_run (env=0xcb9810) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:969
#10 0x000000000042a479 in kvm_cpu_exec (env=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1652
#11 0x000000000042b09f in kvm_main_loop_cpu (_env=0xcb9810)
    at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1894
#12 ap_main_loop (_env=0xcb9810)
    at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1944
#13 0x00000031d6c07761 in start_thread () from /lib64/libpthread.so.0
#14 0x00000031d64e14fd in clone () from /lib64/libc.so.6


Version-Release number of selected component (if applicable):
qemu-kvm-0.12.1.2-2.74.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1.
2.
3.
  
Actual results:
Segmentation fault

Expected results:
1. normally write before hitting the NO SPACE error
2. pause on the NO SPACE error




Additional info:

/usr/libexec/qemu-kvm -M rhel6.0.0 -enable-kvm -m 2048 -smp 2,sockets=2,cores=1,threads=1 -name pxe -uuid a4e4e89f-ff9c-699a-ffe6-9823adf72f93 -nodefaults -monitor unix:/tmp/pxe,server,nowait -rtc base=utc -boot n
-drive file=/dev/vgtest/lvtest,if=none,id=drive-virtio-disk0,boot=on,format=qcow2,cache=none,werror=stop,rerror=stop
-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0
-netdev tap,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:8d:c6:6e,bus=pci.0,addr=0x5 -usb -device usb-tablet,id=input0 -vnc :1 -k en-us -vga std -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3

Comment 2 RHEL Program Management 2010-06-15 16:53:10 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 6 Kevin Wolf 2010-06-29 14:23:03 UTC
Got a core dump now. The stack trace looks different, but a segfault in malloc should be a sign of heap corruption. And if we overwrite some random memory, we can hit anything. So this could really be the same as in the original description and as in bug 602209.

#0  0x00000037faa75852 in malloc_consolidate () from /lib64/libc.so.6
#1  0x00000037faa786e2 in _int_malloc () from /lib64/libc.so.6
#2  0x00000037faa79f5f in _int_memalign () from /lib64/libc.so.6
#3  0x00000037faa7a5d2 in memalign () from /lib64/libc.so.6
#4  0x00000037faa7a7e9 in posix_memalign () from /lib64/libc.so.6
#5  0x000000000047c837 in qemu_memalign (alignment=<value optimized out>, size=<value optimized out>) at osdep.c:93
#6  0x000000000048bb46 in qcow_aio_setup (bs=0x2272010, sector_num=18082495, qiov=0x7f8fb41f49c0, nb_sectors=48, cb=<value optimized out>, 
    opaque=<value optimized out>, is_write=1) at block/qcow2.c:497
#7  0x000000000048bf30 in qcow_aio_writev (bs=<value optimized out>, sector_num=<value optimized out>, qiov=<value optimized out>, 
    nb_sectors=<value optimized out>, cb=<value optimized out>, opaque=<value optimized out>) at block/qcow2.c:651
#8  0x0000000000477d93 in bdrv_aio_writev (bs=0x2272010, sector_num=18082495, qiov=0x7f8fb41f49c0, nb_sectors=48, cb=<value optimized out>, 
    opaque=<value optimized out>) at block.c:1858
#9  0x0000000000478b5b in bdrv_aio_multiwrite (bs=0x2272010, reqs=0x7f8fbc3605d0, num_reqs=3) at block.c:2049
#10 0x000000000041d3fe in do_multiwrite (bs=<value optimized out>, blkreq=0x7f8fbc3605d0, num_writes=3)
    at /usr/src/debug/qemu-kvm-0.12.1.2/hw/virtio-blk.c:235
#11 0x000000000041daa8 in virtio_blk_handle_output (vdev=0x2305b40, vq=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/virtio-blk.c:362
#12 0x000000000042a481 in kvm_handle_io (env=0x22a7900) at /usr/src/debug/qemu-kvm-0.12.1.2/kvm-all.c:538
#13 kvm_run (env=0x22a7900) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:969
#14 0x000000000042a529 in kvm_cpu_exec (env=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1652
#15 0x000000000042b14f in kvm_main_loop_cpu (_env=0x22a7900) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1894
#16 ap_main_loop (_env=0x22a7900) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1944
#17 0x00000037fb207761 in start_thread () from /lib64/libpthread.so.0
#18 0x00000037faae14fd in clone () from /lib64/libc.so.6

The qemu_blockalign parameters look right:

497             acb->buf = acb->orig_buf = qemu_blockalign(bs, qiov->size);
(gdb) p *qiov
$3 = {iov = 0x7f8fb41f09b8, niov = 2, nalloc = -1, size = 24576}
(gdb) p *bs
$4 = {total_sectors = 41943040, read_only = 0, keep_read_only = 0, open_flags = 34, removable = 0, locked = 0, encrypted = 0, valid_key = 0, sg = 0, 
  change_cb = 0, change_opaque = 0x0, drv = 0x859c00, opaque = 0x2272920, filename = "/dev/vgtest/lvtest", '\000' <repeats 1005 times>, 
  backing_file = '\000' <repeats 1023 times>, backing_format = '\000' <repeats 15 times>, is_temporary = 0, media_changed = 1, backing_hd = 0x0, 
  file = 0x2272ca0, sync_aiocb = 0x0, rd_bytes = 2284544, wr_bytes = 878585856, rd_ops = 550, wr_ops = 1652, wr_highest_sector = 41943039, 
  growable = 0, buffer_alignment = 512, enable_write_cache = 1, cyls = 16383, heads = 16, secs = 63, translation = 2, type = 0, 
  device_name = "drive-virtio-disk0", '\000' <repeats 13 times>, dirty_bitmap = 0x0, list = {tqe_next = 0x0, tqe_prev = 0x857f20}, private = 0x0}
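
Both traces fault in the write path of qcow_aio_setup, where the request's iovec is gathered into a freshly allocated bounce buffer. The following is an added example, not QEMU's code, showing a bounds-checked version of that gather: it verifies that the vector's bookkeeping (niov, size) matches its segments and that the destination is large enough before any memcpy, using the values printed above (niov = 2, size = 24576, 512-byte alignment). QEMUIOVector here is a simplified stand-in; the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/* Simplified stand-in for QEMU's QEMUIOVector (constructed for this example). */
typedef struct {
    struct iovec *iov;
    int niov;
    size_t size;   /* must equal the sum of all iov_len */
} QEMUIOVector;

/* Returns 1 if the vector's bookkeeping matches its segments, 0 otherwise. */
int qiov_is_consistent(const QEMUIOVector *qiov) {
    size_t total = 0;
    for (int i = 0; i < qiov->niov; i++) {
        if (qiov->iov[i].iov_base == NULL) return 0;
        total += qiov->iov[i].iov_len;
    }
    return total == qiov->size;
}

/* Gather qiov into buf, like qemu_iovec_to_buffer, but never copy past buf_len.
 * Returns the number of bytes copied, or -1 if the copy would be unsafe. */
long gather_checked(const QEMUIOVector *qiov, void *buf, size_t buf_len) {
    if (!qiov_is_consistent(qiov) || qiov->size > buf_len) return -1;
    uint8_t *p = buf;
    for (int i = 0; i < qiov->niov; i++) {
        memcpy(p, qiov->iov[i].iov_base, qiov->iov[i].iov_len);
        p += qiov->iov[i].iov_len;
    }
    return (long)(p - (uint8_t *)buf);
}

/* Constructed scenario with the page's numbers: two segments totalling 24576 bytes,
 * gathered into a 512-byte-aligned buffer. With corrupt_size set, qiov.size no longer
 * matches the segments, which the checked gather refuses instead of overrunning. */
long demo_gather(int corrupt_size) {
    static uint8_t a[16384], b[8192];
    memset(a, 'A', sizeof a);
    memset(b, 'B', sizeof b);
    struct iovec iov[2] = { { a, sizeof a }, { b, sizeof b } };
    QEMUIOVector qiov = { iov, 2, 24576 };
    if (corrupt_size) qiov.size = 24576 + 512;
    void *buf = NULL;
    if (posix_memalign(&buf, 512, qiov.size) != 0) return -2;  /* like qemu_blockalign */
    long n = gather_checked(&qiov, buf, qiov.size);
    free(buf);
    return n;
}
```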

Comment 7 lihuang 2010-06-29 15:46:28 UTC
OK. Then follow it in bug 602209.

*** This bug has been marked as a duplicate of bug 602209 ***

