From: Consul <void@aleksoft.net>
To: qemu-devel@nongnu.org
Cc: kvm@vger.kernel.org
Subject: Re: qcow2 corruption observed, fixed by reverting old change
Date: Thu, 12 Feb 2009 15:19:32 -0800
Message-ID: <gn2aq6$gl3$1@ger.gmane.org>
In-Reply-To: <gn29ga$cjv$1@ger.gmane.org>
Consul wrote:
> Jamie Lokier wrote:
>>
>> It was just for clarity. If there are any bugs it's more likely to be
>> truncation on a 32 bit host :-)
>>
> Maybe not a proper fix, do you see the same "corruption" with this patch?
> I don't know if it causes any memory leaks, but it certainly clears the
> segfaults while running my old qcow2 windows images. Perhaps this is a
> wrong place to free() or it needs a condition?
>
> $ svn diff block.c
> Index: block.c
> ===================================================================
> --- block.c (revision 6618)
> +++ block.c (working copy)
> @@ -1263,7 +1263,7 @@
> if (!s->is_write) {
> qemu_iovec_from_buffer(s->iov, s->bounce, s->iov->size);
> }
> - qemu_free(s->bounce);
> + //qemu_free(s->bounce);
> s->this_aiocb->cb(s->this_aiocb->opaque, ret);
> qemu_aio_release(s->this_aiocb);
> }
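Review bot: commenting out `qemu_free(s->bounce)` hides the fault rather than fixing it, and it leaks the bounce buffer on every completion, read or write, since nothing else in this callback releases the buffer that `qemu_iovec_from_buffer(s->iov, s->bounce, s->iov->size)` has just copied out of. The trace in this message shows `free(0xf270000)` faulting inside the heap code, which means the pointer is either already freed or was never returned by the allocator; that is the defect to locate, by checking where `s->bounce` is assigned and whether this completion can run twice for the same `VectorTranslationState`, rather than by removing the free. If a temporary workaround is kept for testing, use `#if 0` or delete the line instead of a `//` comment in C code.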
>
>
In fact, s->bounce == 0xf270000 looks suspicious to me.
Perhaps there is a 64/32 bit conversion error somewhere?
(gdb) Num Type Disp Enb Address What
1 breakpoint keep y 0x004035ac in qemu_bh_poll
at c:/test/qemu/vl.c:3342
stop only if bh->opaque==0xee9d440
(gdb) The program being debugged has been started already.
Start it from the beginning? (y or n) [answered Y; input not from terminal]
Starting program: c:\test\qemu/i386-softmmu/qemu.exe -L c:\\qemu-dist -hda C:\\qemu-img\\qem8D.tmp -m 512 -boot c -loadvm 1
[New thread 5188.0x180]
[New thread 5188.0xea0]
[New thread 5188.0x1608]
Breakpoint 1, qemu_bh_poll () at c:/test/qemu/vl.c:3342
3342 bh->cb(bh->opaque);
(gdb) #0 qemu_bh_poll () at c:/test/qemu/vl.c:3342
#1 0x00403a9a in main_loop_wait (timeout=0) at c:/test/qemu/vl.c:3745
#2 0x00407bf5 in main (argc=11, argv=0x3e27c0, envp=0xccc359ff)
at c:/test/qemu/vl.c:3888
(gdb) qcow_aio_read_bh (opaque=0xee9d440) at block-qcow2.c:1194
1194 qemu_bh_delete(acb->bh);
(gdb) qemu_bh_delete (bh=0xe41b2f8) at c:/test/qemu/vl.c:3391
3391 bh->scheduled = 0;
(gdb) 3392 bh->deleted = 1;
(gdb) 3393 }
(gdb) qcow_aio_read_bh (opaque=0xee9d440) at block-qcow2.c:1195
1195 acb->bh = NULL;
(gdb) 1196 qcow_aio_read_cb(opaque, 0);
(gdb) qcow_aio_read_cb (opaque=0xee9d440, ret=0) at block-qcow2.c:1215
1215 QCowAIOCB *acb = opaque;
(gdb) 1216 BlockDriverState *bs = acb->common.bs;
(gdb) 1217 BDRVQcowState *s = bs->opaque;
(gdb) 1220 acb->hd_aiocb = NULL;
(gdb) 1221 if (ret < 0) {
(gdb) 1217 BDRVQcowState *s = bs->opaque;
(gdb) 1229 if (!acb->cluster_offset) {
(gdb) 1231 } else if (acb->cluster_offset & QCOW_OFLAG_COMPRESSED) {
(gdb) 1241 acb->nb_sectors -= acb->n;
(gdb) 1242 acb->sector_num += acb->n;
(gdb) 1243 acb->buf += acb->n * 512;
(gdb) 1245 if (acb->nb_sectors == 0) {
(gdb) 1247 acb->common.cb(acb->common.opaque, 0);
(gdb) qcow_aio_read_cb (opaque=0xee9d3d0, ret=0) at block-qcow2.c:1215
1215 QCowAIOCB *acb = opaque;
(gdb) 1216 BlockDriverState *bs = acb->common.bs;
(gdb) 1217 BDRVQcowState *s = bs->opaque;
(gdb) 1220 acb->hd_aiocb = NULL;
(gdb) 1221 if (ret < 0) {
(gdb) 1217 BDRVQcowState *s = bs->opaque;
(gdb) 1229 if (!acb->cluster_offset) {
(gdb) 1241 acb->nb_sectors -= acb->n;
(gdb) 1242 acb->sector_num += acb->n;
(gdb) 1243 acb->buf += acb->n * 512;
(gdb) 1245 if (acb->nb_sectors == 0) {
(gdb) 1247 acb->common.cb(acb->common.opaque, 0);
(gdb) bdrv_aio_rw_vector_cb (opaque=0xe41b2c8, ret=0) at block.c:1261
1261 VectorTranslationState *s = opaque;
(gdb) 1263 if (!s->is_write) {
(gdb) 1264 qemu_iovec_from_buffer(s->iov, s->bounce, s->iov->size);
(gdb) qemu_iovec_from_buffer (qiov=0xe412b9c, buf=0xf270000, count=512)
at cutils.c:155
155 for (i = 0; i < qiov->niov && count; ++i) {
(gdb) 151 const uint8_t *p = (const uint8_t *)buf;
(gdb) 157 if (copy > qiov->iov[i].iov_len)
(gdb) 159 memcpy(qiov->iov[i].iov_base, p, copy);
(gdb) 160 p += copy;
(gdb) 155 for (i = 0; i < qiov->niov && count; ++i) {
(gdb) 163 }
(gdb) bdrv_aio_rw_vector_cb (opaque=0xe41b2c8, ret=0) at block.c:1266
1266 qemu_free(s->bounce);
(gdb) qemu_free (ptr=0xf270000) at qemu-malloc.c:41
41 free(ptr);
(gdb)
Program received signal SIGSEGV, Segmentation fault.
0x7c96d811 in ntdll!RtlpNtMakeTemporaryKey () from C:\WINNT\system32\ntdll.dll
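The crash in the trace above is free() faulting inside the heap on a pointer it does not recognise. As an added example that is not QEMU code, here is a validating free wrapper of the kind a developer would swap in for qemu_free()/qemu_malloc() while diagnosing such a crash: it reports a double free or an unknown pointer with its call site instead of letting the process segfault in the heap implementation. dbg_malloc, dbg_free, complete_request and struct vec_state are hypothetical names, and the double-completion scenario is constructed for illustration.

```c
/* Added example, not QEMU code: validating malloc/free wrappers for chasing an
 * invalid free like free(0xf270000) above. All names here are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

enum free_result { FREE_OK, FREE_DOUBLE, FREE_WILD };
#define MAX_TRACK 64
static void *live[MAX_TRACK], *freed[MAX_TRACK]; /* owned / released blocks */
static size_t n_live, n_freed;

/* Record every block handed out so the free side can validate the pointer. */
static void *dbg_malloc(size_t size)
{
    void *p = malloc(size);
    if (p && n_live < MAX_TRACK)
        live[n_live++] = p;
    return p;
}

/* Classify a pointer before free(): live block, already freed, or never ours.
 * Only a live block reaches the real free(); otherwise we report and go on. */
static enum free_result dbg_free(void *p, const char *where)
{
    if (!p) return FREE_OK;                       /* free(NULL) is a no-op */
    for (size_t i = 0; i < n_live; i++)
        if (live[i] == p) {
            live[i] = live[--n_live];
            if (n_freed < MAX_TRACK) freed[n_freed++] = p;
            free(p);
            return FREE_OK;
        }
    for (size_t i = 0; i < n_freed; i++)
        if (freed[i] == p) {
            fprintf(stderr, "%s: double free of %p\n", where, p);
            return FREE_DOUBLE;
        }
    fprintf(stderr, "%s: free of unknown pointer %p\n", where, p);
    return FREE_WILD;
}

/* Constructed model of the completion path traced above: the request owns a
 * bounce buffer, releases it after the data is copied out, then completes. */
struct vec_state { void *bounce; int completed; };
static enum free_result complete_request(struct vec_state *s)
{
    s->completed++;                  /* completing twice is the bug to catch */
    return dbg_free(s->bounce, "complete_request");
}
```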