Bug 837021 - qemu segmentation faults in qcow2_co_writev
Summary: qemu segmentation faults in qcow2_co_writev
Keywords:
Status: CLOSED DUPLICATE of bug 836913
Alias: None
Product: Fedora
Classification: Fedora
Component: qemu
Version: 17
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Fedora Virtualization Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-07-02 14:29 UTC by Richard W.M. Jones
Modified: 2013-01-09 12:04 UTC (History)
CC: 11 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-07-10 12:32:53 UTC
Type: Bug
Embargoed:



Description Richard W.M. Jones 2012-07-02 14:29:06 UTC
Description of problem:

Program terminated with signal 11, Segmentation fault.
#0  qemu_co_queue_next (queue=queue@entry=0x7f010cfb4480)
    at qemu-coroutine-lock.c:70
70	        QTAILQ_REMOVE(&queue->entries, next, co_queue_next);
(gdb) bt
#0  qemu_co_queue_next (queue=queue@entry=0x7f010cfb4480)
    at qemu-coroutine-lock.c:70
#1  0x00007f010be65de8 in qemu_co_mutex_unlock (mutex=mutex@entry=
    0x7f010cfb4478) at qemu-coroutine-lock.c:115
#2  0x00007f010bdaf18d in qcow2_co_writev (bs=0x7f010cfb3a90, sector_num=
    749472, remaining_sectors=1008, qiov=0x7f00f033e1c8) at block/qcow2.c:612
#3  0x00007f010bd9f1bc in bdrv_co_do_writev (bs=0x7f010cfb3a90, sector_num=
    749472, nb_sectors=1008, qiov=<optimized out>) at block.c:1300
#4  0x00007f010bd9f412 in bdrv_co_do_rw (opaque=0x7f00f033e290) at block.c:2606
#5  0x00007f010bdd6a0a in coroutine_trampoline (i0=<optimized out>, 
    i1=<optimized out>) at coroutine-ucontext.c:129
#6  0x00007f01064ef450 in ?? () from /lib64/libc.so.6
#7  0x00007f00fef021f0 in ?? ()
#8  0xc5c5c5c5c5c5c5c5 in ?? ()
#9  0x0000000000000000 in ?? ()
(gdb) info threads
  Id   Target Id         Frame 
  19   Thread 0x7f00bbfff700 (LWP 12334) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  18   Thread 0x7f00ba7fc700 (LWP 12337) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  17   Thread 0x7f00bb7fe700 (LWP 12335) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  16   Thread 0x7f00d09fe700 (LWP 12333) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  15   Thread 0x7f00f5ffb700 (LWP 12329) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  14   Thread 0x7f00ff905700 (LWP 12319) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  13   Thread 0x7f00f77fe700 (LWP 12326) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  12   Thread 0x7f00f7fff700 (LWP 12325) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  11   Thread 0x7f00baffd700 (LWP 12336) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  10   Thread 0x7f00f57fa700 (LWP 12330) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  9    Thread 0x7f00fda1e700 (LWP 12322) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  8    Thread 0x7f00fef03700 (LWP 12320) __lll_lock_wait ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:135
  7    Thread 0x7f00f67fc700 (LWP 12328) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  6    Thread 0x7f00f4ff9700 (LWP 12331) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  5    Thread 0x7f00f6ffd700 (LWP 12327) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  4    Thread 0x7f00fca1c700 (LWP 12324) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  3    Thread 0x7f00fe21f700 (LWP 12321) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  2    Thread 0x7f00fd21d700 (LWP 12323) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
* 1    Thread 0x7f010bcd2a00 (LWP 12316) qemu_co_queue_next (queue=queue@entry=
    0x7f010cfb4480) at qemu-coroutine-lock.c:70


Version-Release number of selected component (if applicable):

qemu-system-x86-1.0-17.fc18.x86_64

How reproducible:

Unknown

Steps to Reproduce:

Unknown, but I got the bug when I turned on core dumps and ran some
aggressive libguestfs tests here:
https://bugzilla.redhat.com/show_bug.cgi?id=836710#c5

Comment 1 Richard W.M. Jones 2012-07-02 14:31:13 UTC
Here's a slightly different variation of what
looks like the same bug:

Program terminated with signal 11, Segmentation fault.
#0  0x00007f712dc8fe08 in qcow2_cache_do_get (bs=bs@entry=0x7f712f3cfa90, 
    c=0x7f712f3d1790, offset=140123986749816, 
    table=table@entry=0x7f71176ab530, read_from_disk=read_from_disk@entry=true)
    at block/qcow2-cache.c:253
253	    c->entries[i].cache_hits = 32;
(gdb) bt
#0  0x00007f712dc8fe08 in qcow2_cache_do_get (bs=bs@entry=0x7f712f3cfa90, c=
    0x7f712f3d1790, offset=140123986749816, table=table@entry=0x7f71176ab530, 
    read_from_disk=read_from_disk@entry=true) at block/qcow2-cache.c:253
#1  0x00007f712dc8ffa3 in qcow2_cache_get (bs=bs@entry=0x7f712f3cfa90, 
    c=<optimized out>, offset=<optimized out>, table=table@entry=
    0x7f71176ab530) at block/qcow2-cache.c:267
#2  0x00007f712dc90afc in l2_load (l2_table=0x7f71176ab530, 
    l2_offset=<optimized out>, bs=0x7f712f3cfa90) at block/qcow2-cluster.c:121
#3  qcow2_get_cluster_offset (bs=bs@entry=0x7f712f3cfa90, offset=offset@entry=
    377987072, num=num@entry=0x7f71176ab5c4, 
    cluster_offset=cluster_offset@entry=0x7f71176ab5c8)
    at block/qcow2-cluster.c:442
#4  0x00007f712dc91381 in qcow2_read (nb_sectors=48, buf=
    0x7f7120dea200 <Address 0x7f7120dea200 out of bounds>, sector_num=738256, 
    bs=0x7f712f3cfa90) at block/qcow2-cluster.c:305
#5  copy_sectors (bs=bs@entry=0x7f712f3cfa90, start_sect=<optimized out>, 
    cluster_offset=345899008, n_start=80, n_end=<optimized out>)
    at block/qcow2-cluster.c:360
#6  0x00007f712dc917b6 in qcow2_alloc_cluster_link_l2 (bs=bs@entry=
    0x7f712f3cfa90, m=m@entry=0x7f71176ab720) at block/qcow2-cluster.c:631
#7  0x00007f712dc95088 in qcow2_co_writev (bs=0x7f712f3cfa90, sector_num=
    737280, remaining_sectors=976, qiov=0x7f7114006f18) at block/qcow2.c:596
#8  0x00007f712dc851bc in bdrv_co_do_writev (bs=0x7f712f3cfa90, sector_num=
    737248, nb_sectors=1008, qiov=<optimized out>) at block.c:1300
#9  0x00007f712dc85412 in bdrv_co_do_rw (opaque=0x7f7114019b20) at block.c:2606
#10 0x00007f712dcbca0a in coroutine_trampoline (i0=<optimized out>, 
    i1=<optimized out>) at coroutine-ucontext.c:129
#11 0x00007f71283d5450 in ?? () from /lib64/libc.so.6
#12 0x00007f7120de81f0 in ?? ()
#13 0x7b7b7b7b7b7b7b7b in ?? ()
#14 0x0000000000000000 in ?? ()
(gdb) info threads 
  Id   Target Id         Frame 
  6    Thread 0x7f711b7fe700 (LWP 1466) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  5    Thread 0x7f7120de9700 (LWP 1464) 0x00007f712847baa7 in ioctl ()
    at ../sysdeps/unix/syscall-template.S:81
  4    Thread 0x7f711affd700 (LWP 1467) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  3    Thread 0x7f711bfff700 (LWP 1465) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  2    Thread 0x7f71217eb700 (LWP 1463) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
* 1    Thread 0x7f712dbb8a00 (LWP 1460) 0x00007f712dc8fe08 in qcow2_cache_do_get (bs=bs@entry=0x7f712f3cfa90, c=0x7f712f3d1790, offset=140123986749816, 
    table=table@entry=0x7f71176ab530, read_from_disk=read_from_disk@entry=true)
    at block/qcow2-cache.c:253

Comment 2 Richard W.M. Jones 2012-07-02 17:05:20 UTC
Another one:

Program terminated with signal 11, Segmentation fault.
#0  qcow2_cache_entry_flush (bs=bs@entry=0x7f31ec9f2a90, 
    c=c@entry=0x7f31ec9f11a0, i=i@entry=2) at block/qcow2-cache.c:116
116	    if (c == s->refcount_block_cache) {
(gdb) bt
#0  qcow2_cache_entry_flush (bs=bs@entry=0x7f31ec9f2a90, c=c@entry=
    0x7f31ec9f11a0, i=i@entry=2) at block/qcow2-cache.c:116
#1  0x00007f31eb548b2d in qcow2_cache_flush (bs=bs@entry=0x7f31ec9f2a90, c=
    0x7f31ec9f11a0) at block/qcow2-cache.c:140
#2  0x00007f31eb54969f in l2_allocate (table=0x7f31d305f9f8, l1_index=0, bs=
    0x7f31ec9f2a90) at block/qcow2-cluster.c:180
#3  get_cluster_table (bs=bs@entry=0x7f31ec9f2a90, offset=382205952, 
    new_l2_table=new_l2_table@entry=0x7f31d305fa70, 
    new_l2_offset=new_l2_offset@entry=0x7f31d305fa68, 
    new_l2_index=new_l2_index@entry=0x7f31d305fa64)
    at block/qcow2-cluster.c:519
#4  0x00007f31eb54a66a in qcow2_alloc_cluster_link_l2 (bs=bs@entry=
    0x7f31ec9f2a90, m=m@entry=0x7f31d305fb30) at block/qcow2-cluster.c:649
#5  0x00007f31eb54e088 in qcow2_co_writev (bs=0x7f31ec9f2a90, sector_num=
    746496, remaining_sectors=960, qiov=0x7f31d0006918) at block/qcow2.c:596
#6  0x00007f31eb53e1bc in bdrv_co_do_writev (bs=0x7f31ec9f2a90, sector_num=
    746448, nb_sectors=1008, qiov=<optimized out>) at block.c:1300
#7  0x00007f31eb53e412 in bdrv_co_do_rw (opaque=0x7f31d0006850) at block.c:2606
#8  0x00007f31eb575a0a in coroutine_trampoline (i0=<optimized out>, 
    i1=<optimized out>) at coroutine-ucontext.c:129
#9  0x00007f31e5c8e450 in ?? () from /lib64/libc.so.6
#10 0x00007f31de6a11f0 in ?? ()
#11 0xd2d2d2d2d2d2d2d2 in ?? ()
#12 0x0000000000000000 in ?? ()
(gdb) info threads
  Id   Target Id         Frame 
  14   Thread 0x7f31ad1f7700 (LWP 26072) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  13   Thread 0x7f31af1fb700 (LWP 26068) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  12   Thread 0x7f31ad9f8700 (LWP 26071) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  11   Thread 0x7f31ae9fa700 (LWP 26069) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  10   Thread 0x7f31dd1bd700 (LWP 26063) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  9    Thread 0x7f31df0a4700 (LWP 25969) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  8    Thread 0x7f31de6a2700 (LWP 25970) __lll_lock_wait ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:135
  7    Thread 0x7f31b01fd700 (LWP 26066) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  6    Thread 0x7f31ae1f9700 (LWP 26070) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  5    Thread 0x7f31dc9bc700 (LWP 26064) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  4    Thread 0x7f31af9fc700 (LWP 26067) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  3    Thread 0x7f31dd9be700 (LWP 26060) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
  2    Thread 0x7f31b09fe700 (LWP 26065) pthread_cond_timedwait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:217
* 1    Thread 0x7f31eb471a00 (LWP 25966) qcow2_cache_entry_flush (bs=bs@entry=
    0x7f31ec9f2a90, c=c@entry=0x7f31ec9f11a0, i=i@entry=2)
    at block/qcow2-cache.c:116

(gdb) frame 0
#0  qcow2_cache_entry_flush (bs=bs@entry=0x7f31ec9f2a90, c=c@entry=
    0x7f31ec9f11a0, i=i@entry=2) at block/qcow2-cache.c:116
116	    if (c == s->refcount_block_cache) {
(gdb) print c
$1 = (Qcow2Cache *) 0x7f31ec9f11a0
(gdb) print *s
Cannot access memory at address 0x0

Comment 3 Richard W.M. Jones 2012-07-02 17:06:43 UTC
Another one:

Program terminated with signal 11, Segmentation fault.
#0  qcow2_cache_do_get (bs=bs@entry=0x7f3aaa028a90, c=0xa8a8a8a8a8a8a8a8, 
    offset=offset@entry=353894400, table=table@entry=0x7f3a8e3c7978, 
    read_from_disk=read_from_disk@entry=false) at block/qcow2-cache.c:222
222	    for (i = 0; i < c->size; i++) {
(gdb) bt
#0  qcow2_cache_do_get (bs=bs@entry=0x7f3aaa028a90, c=0xa8a8a8a8a8a8a8a8, 
    offset=offset@entry=353894400, table=table@entry=0x7f3a8e3c7978, 
    read_from_disk=read_from_disk@entry=false) at block/qcow2-cache.c:222
#1  0x00007f3aa815ffe0 in qcow2_cache_get_empty (bs=bs@entry=0x7f3aaa028a90, 
    c=<optimized out>, offset=offset@entry=353894400, table=table@entry=
    0x7f3a8e3c7978) at block/qcow2-cache.c:273
#2  0x00007f3aa81606c6 in l2_allocate (table=0x7f3a8e3c7978, l1_index=0, bs=
    0x7f3aaa028a90) at block/qcow2-cluster.c:187
#3  get_cluster_table (bs=bs@entry=0x7f3aaa028a90, offset=385417216, 
    new_l2_table=new_l2_table@entry=0x7f3a8e3c79f0, 
    new_l2_offset=new_l2_offset@entry=0x7f3a8e3c79e8, 
    new_l2_index=new_l2_index@entry=0x7f3a8e3c79e4)
    at block/qcow2-cluster.c:519
#4  0x00007f3aa816166a in qcow2_alloc_cluster_link_l2 (bs=bs@entry=
    0x7f3aaa028a90, m=m@entry=0x7f3a8e3c7ab0) at block/qcow2-cluster.c:649
#5  0x00007f3aa8165088 in qcow2_co_writev (bs=0x7f3aaa028a90, sector_num=
    752768, remaining_sectors=992, qiov=0x7f3a8c341308) at block/qcow2.c:596
#6  0x00007f3aa81551bc in bdrv_co_do_writev (bs=0x7f3aaa028a90, sector_num=
    752752, nb_sectors=1008, qiov=<optimized out>) at block.c:1300
#7  0x00007f3aa8155412 in bdrv_co_do_rw (opaque=0x7f3a8c883370) at block.c:2606
#8  0x00007f3aa818ca0a in coroutine_trampoline (i0=<optimized out>, 
    i1=<optimized out>) at coroutine-ucontext.c:129
#9  0x00007f3aa28a5450 in ?? () from /lib64/libc.so.6
#10 0x00007f3a9b2b81f0 in ?? ()
#11 0x5757575757575757 in ?? ()
#12 0x0000000000000000 in ?? ()
(gdb) frame 0
#0  qcow2_cache_do_get (bs=bs@entry=0x7f3aaa028a90, c=0xa8a8a8a8a8a8a8a8, 
    offset=offset@entry=353894400, table=table@entry=0x7f3a8e3c7978, 
    read_from_disk=read_from_disk@entry=false) at block/qcow2-cache.c:222
222	    for (i = 0; i < c->size; i++) {
(gdb) print c
$1 = (Qcow2Cache *) 0xa8a8a8a8a8a8a8a8
(gdb) print *bs
$2 = {
  total_sectors = 1024000, 
  read_only = 0, 
  keep_read_only = 0, 
  open_flags = 98, 
  encrypted = 0, 
  valid_key = 0, 
  sg = 0, 
  drv = 0x0, 
  opaque = 0x0, 
  dev = 0x7f3aaa758da0, 
  dev_ops = 0x0, 
  dev_opaque = 0x0, 
  filename = "/tmp/test.img", '\000' <repeats 1010 times>, 
  backing_file = '\000' <repeats 1023 times>, 
  backing_format = '\000' <repeats 15 times>, 
  is_temporary = 0, 
  backing_hd = 0x0, 
  file = 0x7f3aaa0296b0, 
  sync_aiocb = 0x0, 
  nr_bytes = {2804224, 351936512, 0}, 
  nr_ops = {560, 693, 10}, 
  total_time_ns = {40245897, 105952906262, 11386858}, 
  wr_highest_sector = 1023999, 
  growable = 0, 
  buffer_alignment = 512, 
  enable_write_cache = 1, 
  cyls = 1015, 
  heads = 16, 
  secs = 63, 
  translation = 0, 
  on_read_error = BLOCK_ERR_REPORT, 
  on_write_error = BLOCK_ERR_STOP_ENOSPC, 
  iostatus_enabled = true, 
  iostatus = BLOCK_DEVICE_IO_STATUS_OK, 
  device_name = "hd0", '\000' <repeats 28 times>, 
  dirty_bitmap = 0x0, 
  dirty_count = 0, 
  in_use = 0, 
  list = {
    tqe_next = 0x7f3aaa18d030, 
    tqe_prev = 0x7f3aa86e1130
  }, 
  private = 0x0
}

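Editor's note on the three traces above (added here; not part of the bug report). In Comment 2, `print *s` fails at address 0x0, and in Comment 3, `print *bs` shows `drv = 0x0` and `opaque = 0x0` while `filename`, `dev` and the I/O counters are still populated, and the cache pointer `c` is filled with the byte pattern 0xa8. A BlockDriverState whose `drv` and `opaque` have been cleared but whose other fields survive is what bdrv_close() leaves behind in QEMU 1.0, so the crashes are consistent with a qcow2 write coroutine running its completion path against driver-private state that has already been torn down. Whether that is what happened here is not established on this page (Comment 5 defers to bug 836913). The following C model, written for this note and not taken from QEMU, shows that ordering hazard and the drain-before-close guard that prevents it; all names (`blk_state_t`, `blk_close_unsafe`, `blk_close_safe`, `blk_drain`, `scenario_*`) and the sample sector numbers are hypothetical.

```c
/* Added example: a minimal model of "close while a write is still in flight".
 * Hypothetical names; this is not QEMU's block layer, only the shape of the
 * hazard suggested by the gdb output in Comments 2 and 3. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    int table_cache[4];       /* stands in for the qcow2 L2/refcount caches */
} priv_state_t;

typedef struct {
    char filename[64];        /* survives close, like bs->filename above */
    priv_state_t *opaque;     /* driver-private state; NULL once closed */
    int in_flight;            /* requests issued but not yet completed */
} blk_state_t;

typedef struct {
    blk_state_t *bs;
    int sector;
    int done;
} request_t;

static blk_state_t *blk_open(const char *name) {
    blk_state_t *bs = calloc(1, sizeof *bs);
    strncpy(bs->filename, name, sizeof bs->filename - 1);
    bs->opaque = calloc(1, sizeof *bs->opaque);
    return bs;
}

/* Unsafe close: frees driver state regardless of outstanding requests,
 * leaving every in-flight request with a dangling bs->opaque. */
static void blk_close_unsafe(blk_state_t *bs) {
    free(bs->opaque);
    bs->opaque = NULL;
}

/* Safe close: refuses while requests are outstanding.
 * Returns 0 on success, -1 if the caller must drain first. */
static int blk_close_safe(blk_state_t *bs) {
    if (bs->in_flight > 0)
        return -1;
    free(bs->opaque);
    bs->opaque = NULL;
    return 0;
}

static request_t *blk_submit(blk_state_t *bs, int sector) {
    request_t *r = calloc(1, sizeof *r);
    r->bs = bs;
    r->sector = sector;
    bs->in_flight++;
    return r;
}

/* Completion touches driver-private state, the way qcow2_co_writev touches
 * s->l2_table_cache. Returns 0 on success, -1 if the state is already gone
 * (the real code dereferences it and segfaults; the check makes the hazard
 * observable instead). */
static int blk_complete(request_t *r) {
    blk_state_t *bs = r->bs;
    if (bs->opaque == NULL)
        return -1;            /* the NULL / garbage deref seen in the traces */
    bs->opaque->table_cache[r->sector % 4] = r->sector;
    bs->in_flight--;
    r->done = 1;
    return 0;
}

/* Drain: complete all outstanding requests before teardown. */
static void blk_drain(request_t **reqs, int n) {
    for (int i = 0; i < n; i++)
        if (!reqs[i]->done)
            blk_complete(reqs[i]);
}

/* Scenario 1: close first, complete afterwards -> dangling state (-1). */
static int scenario_unsafe(void) {
    blk_state_t *bs = blk_open("/tmp/test.img");   /* constructed sample */
    request_t *r = blk_submit(bs, 749472);
    blk_close_unsafe(bs);
    int rc = blk_complete(r);
    free(r);
    free(bs);
    return rc;
}

/* Scenario 2: close is refused while requests are pending, drain, then
 * close succeeds and every completion ran against live state (0). */
static int scenario_safe(void) {
    blk_state_t *bs = blk_open("/tmp/test.img");   /* constructed sample */
    request_t *reqs[2] = { blk_submit(bs, 749472), blk_submit(bs, 737280) };
    int rc_early = blk_close_safe(bs);             /* -1: still in flight */
    blk_drain(reqs, 2);
    int rc_late = blk_close_safe(bs);              /* 0 */
    free(reqs[0]);
    free(reqs[1]);
    free(bs);
    return (rc_early == -1 && rc_late == 0) ? 0 : -1;
}

int main(void) {
    printf("unsafe ordering: %d\n", scenario_unsafe());
    printf("safe ordering:   %d\n", scenario_safe());
    return 0;
}
```

The point of the model is the invariant, not the data structures: driver-private state may only be released once the in-flight count is zero, which is why a teardown path must drain (or refuse) before freeing. When triaging a core like the ones above, `print *bs` with `drv`/`opaque` cleared but `filename` intact is the quickest sign that this invariant was violated rather than that the image itself is corrupt.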
Comment 4 Cole Robinson 2012-07-10 11:22:00 UTC
Rich, have you seen this with 1.1 currently in rawhide, or on F17?

qemu-system-x86-1.0-17.fc18.x86_64 is basically what's in F17 now, so reassigning there.

Comment 5 Richard W.M. Jones 2012-07-10 12:32:53 UTC
I strongly suspect this was simply another aspect of bug 836913.
So I'm going to tentatively mark it as a duplicate.

*** This bug has been marked as a duplicate of bug 836913 ***

