Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 870917

Summary: qcow2: Crash when growing large refcount table
Product: Red Hat Enterprise Linux 6
Reporter: Kevin Wolf <kwolf>
Component: qemu-kvm
Assignee: Kevin Wolf <kwolf>
Status: CLOSED ERRATA
QA Contact: Virtualization Bugs <virt-bugs>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.4
CC: acathrow, areis, bsarathy, dyasny, juzhang, mkenneth, sluo, szhou, virt-maint
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: qemu-kvm-0.12.1.2-2.338.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 07:44:03 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 580953

Attachments:
strace logs. (Flags: none)

Description Kevin Wolf 2012-10-29 07:51:20 UTC
The following qemu-img invocation crashes qemu-img with a corrupted heap (will be tested by upstream qemu-iotests case 044):

qemu-img create -f qcow2 -o cluster_size=512,preallocation=metadata disk.img 4G

Upstream bug report at https://bugs.launchpad.net/qemu/+bug/1071236.

Comment 6 Sibiao Luo 2012-12-21 02:55:18 UTC
Hi Kevin,
 
   I tried to reproduce this bug (creating a qcow2 image with preallocation fails if size >= 4G), but both the unfixed and the fixed kernel & qemu-kvm versions fail to execute the command. I do not know whether my method was wrong; please correct me if there is any problem.

host info:
# uname -r && rpm -q qemu-kvm
2.6.32-348.el6.x86_64
qemu-kvm-0.12.1.2-2.344.el6.x86_64

# qemu-img create -f qcow2 -o cluster_size=512,preallocation=metadata disk.img 4G
Formatting 'disk.img', fmt=qcow2 size=4294967296 encryption=off cluster_size=512 preallocation='metadata' 
^C           <------------ fails to execute

I will attach the strace log later.

Best Regards & thx.
sluo

Comment 7 Sibiao Luo 2012-12-21 02:55:59 UTC
Created attachment 667073 [details]
strace logs.

Comment 8 Sibiao Luo 2012-12-25 09:18:00 UTC
---Reproduce
Creating a qcow2 image with preallocation fails if size >= 4G and causes a core dump.

host info:
kernel-2.6.32-351.el6.x86_64
qemu-kvm-0.12.1.2-2.295.el6.x86_64

# qemu-img create -f qcow2 -o cluster_size=512,preallocation=metadata disk.img 4G
Formatting 'disk.img', fmt=qcow2 size=4294967296 encryption=off cluster_size=512 preallocation='metadata'

*** glibc detected *** /usr/bin/qemu-img: double free or corruption (!prev): 0x00007ffff820f470 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x303ae760e6)[0x7ffff6d4d0e6]
/lib64/libc.so.6(+0x303ae78c13)[0x7ffff6d4fc13]
/usr/bin/qemu-img(+0x2999c)[0x7ffff7fdb99c]
/usr/bin/qemu-img(+0x2a340)[0x7ffff7fdc340]
/usr/bin/qemu-img(+0x2b225)[0x7ffff7fdd225]
/usr/bin/qemu-img(+0x27a2b)[0x7ffff7fd9a2b]
/usr/bin/qemu-img(+0x27eea)[0x7ffff7fd9eea]
/usr/bin/qemu-img(+0x14448)[0x7ffff7fc6448]
/usr/bin/qemu-img(+0x7da3)[0x7ffff7fb9da3]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7ffff6cf5cdd]
/usr/bin/qemu-img(+0x7619)[0x7ffff7fb9619]
======= Memory map: ========
7ffff5fbf000-7ffff5fd5000 r-xp 00000000 fd:00 2240212                    /lib64/libgcc_s-4.4.7-20120601.so.1
7ffff5fd5000-7ffff61d4000 ---p 00016000 fd:00 2240212                    /lib64/libgcc_s-4.4.7-20120601.so.1
7ffff61d4000-7ffff61d5000 rw-p 00015000 fd:00 2240212                    /lib64/libgcc_s-4.4.7-20120601.so.1
7ffff61d5000-7ffff62d6000 rw-p 00000000 00:00 0 
7ffff62d6000-7ffff62d7000 ---p 00000000 00:00 0 
7ffff62d7000-7ffff6cd7000 rw-p 00000000 00:00 0 
7ffff6cd7000-7ffff6e61000 r-xp 00000000 fd:00 2240175                    /lib64/libc-2.12.so
7ffff6e61000-7ffff7060000 ---p 0018a000 fd:00 2240175                    /lib64/libc-2.12.so
7ffff7060000-7ffff7064000 r--p 00189000 fd:00 2240175                    /lib64/libc-2.12.so
7ffff7064000-7ffff7065000 rw-p 0018d000 fd:00 2240175                    /lib64/libc-2.12.so
7ffff7065000-7ffff706a000 rw-p 00000000 00:00 0 
7ffff706a000-7ffff707f000 r-xp 00000000 fd:00 2240187                    /lib64/libz.so.1.2.3
7ffff707f000-7ffff727e000 ---p 00015000 fd:00 2240187                    /lib64/libz.so.1.2.3
7ffff727e000-7ffff727f000 r--p 00014000 fd:00 2240187                    /lib64/libz.so.1.2.3
7ffff727f000-7ffff7280000 rw-p 00015000 fd:00 2240187                    /lib64/libz.so.1.2.3
7ffff7280000-7ffff7285000 r-xp 00000000 fd:00 1839233                    /usr/lib64/libusbredirparser.so.0.0.0
7ffff7285000-7ffff7484000 ---p 00005000 fd:00 1839233                    /usr/lib64/libusbredirparser.so.0.0.0
7ffff7484000-7ffff7485000 rw-p 00004000 fd:00 1839233                    /usr/lib64/libusbredirparser.so.0.0.0
7ffff7485000-7ffff7486000 r-xp 00000000 fd:00 2235951                    /lib64/libaio.so.1.0.1
7ffff7486000-7ffff7685000 ---p 00001000 fd:00 2235951                    /lib64/libaio.so.1.0.1
7ffff7685000-7ffff7686000 rw-p 00000000 fd:00 2235951                    /lib64/libaio.so.1.0.1
7ffff7686000-7ffff776a000 r-xp 00000000 fd:00 2240178                    /lib64/libglib-2.0.so.0.2200.5
7ffff776a000-7ffff7969000 ---p 000e4000 fd:00 2240178                    /lib64/libglib-2.0.so.0.2200.5
7ffff7969000-7ffff796b000 rw-p 000e3000 fd:00 2240178                    /lib64/libglib-2.0.so.0.2200.5
7ffff796b000-7ffff7982000 r-xp 00000000 fd:00 2240176                    /lib64/libpthread-2.12.so
7ffff7982000-7ffff7b82000 ---p 00017000 fd:00 2240176                    /lib64/libpthread-2.12.so
7ffff7b82000-7ffff7b83000 r--p 00017000 fd:00 2240176                    /lib64/libpthread-2.12.so
7ffff7b83000-7ffff7b84000 rw-p 00018000 fd:00 2240176                    /lib64/libpthread-2.12.so
7ffff7b84000-7ffff7b88000 rw-p 00000000 00:00 0 
7ffff7b88000-7ffff7b8f000 r-xp 00000000 fd:00 2240177                    /lib64/librt-2.12.so
7ffff7b8f000-7ffff7d8e000 ---p 00007000 fd:00 2240177                    /lib64/librt-2.12.so
7ffff7d8e000-7ffff7d8f000 r--p 00006000 fd:00 2240177                    /lib64/librt-2.12.so
7ffff7d8f000-7ffff7d90000 rw-p 00007000 fd:00 2240177                    /lib64/librt-2.12.so
7ffff7d90000-7ffff7db0000 r-xp 00000000 fd:00 2240174                    /lib64/ld-2.12.so
7ffff7dd4000-7ffff7e69000 rw-p 00000000 00:00 0 
7ffff7e91000-7ffff7f97000 rw-p 00000000 00:00 0 
7ffff7fab000-7ffff7fae000 rw-p 00000000 00:00 0 
7ffff7fae000-7ffff7faf000 r-xp 00000000 00:00 0                          [vdso]
7ffff7faf000-7ffff7fb0000 r--p 0001f000 fd:00 2240174                    /lib64/ld-2.12.so
7ffff7fb0000-7ffff7fb1000 rw-p 00020000 fd:00 2240174                    /lib64/ld-2.12.so
7ffff7fb1000-7ffff7fb2000 rw-p 00000000 00:00 0 
7ffff7fb2000-7ffff7fff000 r-xp 00000000 fd:00 1839249                    /usr/bin/qemu-img
7ffff81ff000-7ffff8200000 r--p 0004d000 fd:00 1839249                    /usr/bin/qemu-img
7ffff8200000-7ffff8204000 rw-p 0004e000 fd:00 1839249                    /usr/bin/qemu-img
7ffff8204000-7ffff8230000 rw-p 00000000 00:00 0                          [heap]
7ffffffea000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Program received signal SIGABRT, Aborted.
0x00007ffff6d098a5 in raise () from /lib64/libc.so.6

(gdb) bt
#0  0x00007ffff6d098a5 in raise () from /lib64/libc.so.6
#1  0x00007ffff6d0b085 in abort () from /lib64/libc.so.6
#2  0x00007ffff6d477b7 in __libc_message () from /lib64/libc.so.6
#3  0x00007ffff6d4d0e6 in malloc_printerr () from /lib64/libc.so.6
#4  0x00007ffff6d4fc13 in _int_free () from /lib64/libc.so.6
#5  0x00007ffff7fdb99c in alloc_refcount_block (bs=0x7ffff8204530, offset=3967779840, length=<value optimized out>, addend=1) at block/qcow2-refcount.c:352
#6  update_refcount (bs=0x7ffff8204530, offset=3967779840, length=<value optimized out>, addend=1) at block/qcow2-refcount.c:459
#7  0x00007ffff7fdc340 in qcow2_alloc_clusters (bs=0x7ffff8204530, size=32768) at block/qcow2-refcount.c:576
#8  0x00007ffff7fdd225 in qcow2_alloc_cluster_offset (bs=0x7ffff8204530, offset=3889594368, n_start=0, n_end=791744, num=0x7fffffffe08c, m=0x7fffffffdfa0)
    at block/qcow2-cluster.c:819
#9  0x00007ffff7fd9a2b in preallocate (filename=0x7fffffffe819 "disk.img", total_size=<value optimized out>, backing_file=0x0, backing_format=0x0, 
    flags=<value optimized out>, cluster_size=<value optimized out>, prealloc=1) at block/qcow2.c:783
#10 qcow2_create2 (filename=0x7fffffffe819 "disk.img", total_size=<value optimized out>, backing_file=0x0, backing_format=0x0, flags=<value optimized out>, 
    cluster_size=<value optimized out>, prealloc=1) at block/qcow2.c:1073
#11 0x00007ffff7fd9eea in qcow2_create (filename=0x7fffffffe819 "disk.img", options=<value optimized out>) at block/qcow2.c:1125
#12 0x00007ffff7fc6448 in bdrv_img_create (filename=0x7fffffffe819 "disk.img", fmt=0x7fffffffe7e8 "qcow2", base_filename=<value optimized out>, 
    base_fmt=<value optimized out>, options=<value optimized out>, img_size=4294967296, flags=64) at block.c:3728
#13 0x00007ffff7fb9da3 in img_create (argc=7, argv=0x7fffffffe530) at qemu-img.c:375
#14 0x00007ffff6cf5cdd in __libc_start_main () from /lib64/libc.so.6
#15 0x00007ffff7fb9619 in _start ()
(gdb) q

---Verify
Creating a qcow2 image with preallocation and size >= 4G on the fixed version completes successfully after waiting a long time.

host info:
kernel-2.6.32-351.el6.x86_64
qemu-kvm-0.12.1.2-2.346.el6.x86_64

# qemu-img create -f qcow2 -o cluster_size=512,preallocation=metadata disk.img 4G
Formatting 'disk.img', fmt=qcow2 size=4294967296 encryption=off cluster_size=512 preallocation='metadata'

# qemu-img info disk.img
image: disk.img
file format: qcow2
virtual size: 4.0G (4294967296 bytes)
disk size: 530M
cluster_size: 512
# qemu-img check disk.img
No errors were found on the image.

Based on the above, this issue has been fixed correctly.
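The backtrace in the reproduce section places the heap corruption in alloc_refcount_block(), reached from preallocate() while it hands out clusters for a 4G image with 512-byte clusters, i.e. while the refcount table is being grown. The following C program is an added illustration, not code from qemu-kvm or from anyone on this bug: it models the arithmetic of one refcount-table growth step (16-bit refcounts, 8-byte table entries, one refcount per cluster, guest data clusters only, whole-cluster rounding of the table) and compares an in-memory refcount-block buffer sized from a table footprint with the number of slots the writer then fills. The entries-versus-bytes slip toggled by entry_bug is an assumption chosen to show why a large image and small clusters are needed to overrun the buffer; the exact expression in the affected qemu-kvm source is not on this page.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Sizing model for growing the qcow2 refcount table (added illustration,
 * not qemu code). Assumptions: 16-bit refcounts (qcow2 v2), 8-byte table
 * entries, one refcount per cluster, and only guest data clusters counted
 * (L1/L2 tables are ignored).
 */
struct growth {
    uint64_t data_clusters;   /* clusters needed for guest data */
    uint64_t blocks_used;     /* refcount blocks needed to cover them */
    uint64_t table_entries;   /* refcount table entries after rounding up */
    uint64_t table_clusters;  /* clusters the new table really occupies */
    uint64_t blocks_clusters; /* new refcount blocks for table + blocks */
    uint64_t buffer_entries;  /* 16-bit slots in the in-memory block buffer */
    uint64_t entries_written; /* slots the writer fills with refcount 1 */
};

static uint64_t div_round_up(uint64_t a, uint64_t b) { return (a + b - 1) / b; }

/* qcow2 cluster sizes are powers of two from 512 bytes to 2 MiB */
static int is_valid_cluster_size(uint64_t cs)
{
    return cs >= 512 && cs <= (1u << 21) && (cs & (cs - 1)) == 0;
}

/*
 * Fill *g for an image of image_bytes with the given cluster size. With
 * entry_bug set, the table's on-disk footprint is derived from its entry
 * count instead of its byte size (the modelled slip, an assumption).
 * Returns 0 on success, -1 on bad input.
 */
static int model_growth(uint64_t cluster_size, uint64_t image_bytes,
                        int entry_bug, struct growth *g)
{
    if (!is_valid_cluster_size(cluster_size) || image_bytes == 0 || g == NULL)
        return -1;

    uint64_t refcounts_per_block = cluster_size / sizeof(uint16_t);
    uint64_t entries_per_cluster = cluster_size / sizeof(uint64_t);

    g->data_clusters = div_round_up(image_bytes, cluster_size);
    g->blocks_used = div_round_up(g->data_clusters, refcounts_per_block);

    /* one more block for the new metadata, rounded to whole table clusters */
    g->table_entries = div_round_up(g->blocks_used + 1, entries_per_cluster)
                       * entries_per_cluster;
    g->table_clusters = div_round_up(g->table_entries * sizeof(uint64_t),
                                     cluster_size);

    /* footprint used to decide how many refcount blocks to create */
    uint64_t footprint = entry_bug ? div_round_up(g->table_entries, cluster_size)
                                   : g->table_clusters;
    g->blocks_clusters = 1 + div_round_up(footprint, refcounts_per_block);

    g->buffer_entries = g->blocks_clusters * refcounts_per_block;
    /* one refcount for every new metadata cluster: the table and the blocks */
    g->entries_written = g->table_clusters + g->blocks_clusters;
    return 0;
}

/* 16-bit slots written past the end of the buffer; 0 means no overrun. */
static uint64_t overrun_entries(uint64_t cluster_size, uint64_t image_bytes,
                                int entry_bug)
{
    struct growth g;
    if (model_growth(cluster_size, image_bytes, entry_bug, &g) != 0)
        return 0;
    return g.entries_written > g.buffer_entries
           ? g.entries_written - g.buffer_entries : 0;
}

int main(void)
{
    static const uint64_t sizes[] = { 1ULL << 30, 2ULL << 30, 4ULL << 30, 8ULL << 30 };
    static const uint64_t cs[] = { 512, 4096, 65536 };

    printf("%6s %6s %8s %8s %8s %8s\n",
           "size", "cs", "tbl_clu", "buf_ent", "written", "overrun");
    for (size_t i = 0; i < sizeof cs / sizeof *cs; i++) {
        for (size_t j = 0; j < sizeof sizes / sizeof *sizes; j++) {
            struct growth g;
            if (model_growth(cs[i], sizes[j], 1, &g) != 0)
                continue;
            printf("%5lluG %6llu %8llu %8llu %8llu %8llu\n",
                   (unsigned long long)(sizes[j] >> 30), (unsigned long long)cs[i],
                   (unsigned long long)g.table_clusters,
                   (unsigned long long)g.buffer_entries,
                   (unsigned long long)g.entries_written,
                   (unsigned long long)overrun_entries(cs[i], sizes[j], 1));
        }
    }
    return 0;
}
```

With entry_bug set, only the 4G and 8G rows at cluster_size=512 overrun the buffer while every row at 4096 or 65536 fits, which is consistent with the >= 4G threshold reported in comment 8 and with the 512-byte cluster size in the reproducer. The check a practitioner wants is the comparison done in overrun_entries(): size the buffer and count the writes in the same unit and compare them before the loop runs, rather than learning about the overrun from glibc when the buffer is freed.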

Comment 10 errata-xmlrpc 2013-02-21 07:44:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0527.html

Comment 11 Kevin Wolf 2013-04-08 09:00:09 UTC
*** Bug 622352 has been marked as a duplicate of this bug. ***