* [Qemu-devel] [Bug 1728661] [NEW] qemu-io segfaults at block/qcow2.h:533
@ 2017-10-30 17:08 R.Nageswara Sastry
2017-10-30 17:08 ` [Qemu-devel] [Bug 1728661] " R.Nageswara Sastry
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: R.Nageswara Sastry @ 2017-10-30 17:08 UTC (permalink / raw)
To: qemu-devel
Public bug reported:
git is at HEAD a93ece47fd9edbd4558db24300056c9a57d3bcd4
This is on ppc64le architecture.
Re-production steps:
1. Copy the attached file named test.img to a directory
2. And customize the following command to point to the above directory and run the same.
# mv test.img copy.img
# qemu-io <path to>/copy.img -c "truncate 66560"
from gdb:
Program terminated with signal 11, Segmentation fault.
#0 0x0000000010054cec in get_refblock_offset (s=0x32ca3210, offset=9223372036854775296) at ./block/qcow2.h:533
533 return s->refcount_table[index] & REFT_OFFSET_MASK;
Missing separate debuginfos, use: debuginfo-install cyrus-sasl-lib-2.1.26-21.el7.ppc64le glib2-2.50.3-3.el7.ppc64le glibc-2.17-196.el7.ppc64le gmp-6.0.0-15.el7.ppc64le gnutls-3.3.26-9.el7.ppc64le keyutils-libs-1.5.8-3.el7.ppc64le krb5-libs-1.15.1-8.el7.ppc64le libaio-0.3.109-13.el7.ppc64le libcom_err-1.42.9-10.el7.ppc64le libcurl-7.29.0-42.el7.ppc64le libffi-3.0.13-18.el7.ppc64le libgcc-4.8.5-16.el7_4.1.ppc64le libidn-1.28-4.el7.ppc64le libselinux-2.5-11.el7.ppc64le libssh2-1.4.3-10.el7_2.1.ppc64le libstdc++-4.8.5-16.el7_4.1.ppc64le libtasn1-4.10-1.el7.ppc64le nettle-2.7.1-8.el7.ppc64le nspr-4.13.1-1.0.el7_3.ppc64le nss-3.28.4-15.el7_4.ppc64le nss-softokn-freebl-3.28.3-8.el7_4.ppc64le nss-util-3.28.4-3.el7.ppc64le openldap-2.4.44-5.el7.ppc64le openssl-libs-1.0.2k-8.el7.ppc64le p11-kit-0.23.5-3.el7.ppc64le pcre-8.32-17.el7.ppc64le zlib-1.2.7-17.el7.ppc64le
(gdb) bt
#0 0x0000000010054cec in get_refblock_offset (s=0x32ca3210, offset=9223372036854775296) at ./block/qcow2.h:533
#1 0x000000001005df4c in qcow2_discard_refcount_block (bs=0x32c96f60, discard_block_offs=9223372036854775296) at block/qcow2-refcount.c:3070
#2 0x000000001005e5c4 in qcow2_shrink_reftable (bs=0x32c96f60) at block/qcow2-refcount.c:3169
#3 0x0000000010051184 in qcow2_truncate (bs=0x32c96f60, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/qcow2.c:3155
#4 0x0000000010016480 in bdrv_truncate (child=0x32ca6270, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block.c:3585
#5 0x0000000010090800 in blk_truncate (blk=0x32c89410, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/block-backend.c:1845
#6 0x0000000010023028 in truncate_f (blk=0x32c89410, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:1580
#7 0x000000001001e648 in command (blk=0x32c89410, ct=0x32c96e30, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:117
#8 0x0000000010024d64 in qemuio_command (blk=0x32c89410, cmd=0x3fffc052f66e "truncate 66560") at qemu-io-cmds.c:2291
#9 0x000000001000b540 in command_loop () at qemu-io.c:374
#10 0x000000001000c05c in main (argc=4, argv=0x3fffc051f618) at qemu-io.c:630
(gdb) bt full
#0 0x0000000010054cec in get_refblock_offset (s=0x32ca3210, offset=9223372036854775296) at ./block/qcow2.h:533
index = 4294967295
#1 0x000000001005df4c in qcow2_discard_refcount_block (bs=0x32c96f60, discard_block_offs=9223372036854775296) at block/qcow2-refcount.c:3070
s = 0x32ca3210
refblock_offs = 852111520
cluster_index = 16384
block_index = 3226593616
refblock = 0x32cb9570
ret = 16384
__PRETTY_FUNCTION__ = "qcow2_discard_refcount_block"
#2 0x000000001005e5c4 in qcow2_shrink_reftable (bs=0x32c96f60) at block/qcow2-refcount.c:3169
s = 0x32ca3210
reftable_tmp = 0x32cb9570
i = 0
ret = 0
#3 0x0000000010051184 in qcow2_truncate (bs=0x32c96f60, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/qcow2.c:3155
last_cluster = 70367675804416
old_file_size = 70367675804416
s = 0x32ca3210
old_length = 1048576
new_l1_size = 1
ret = 0
__func__ = "qcow2_truncate"
__PRETTY_FUNCTION__ = "qcow2_truncate"
__FUNCTION__ = "qcow2_truncate"
#4 0x0000000010016480 in bdrv_truncate (child=0x32ca6270, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block.c:3585
bs = 0x32c96f60
drv = 0x102036f0 <bdrv_qcow2>
ret = 16383
__PRETTY_FUNCTION__ = "bdrv_truncate"
__func__ = "bdrv_truncate"
#5 0x0000000010090800 in blk_truncate (blk=0x32c89410, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/block-backend.c:1845
__func__ = "blk_truncate"
#6 0x0000000010023028 in truncate_f (blk=0x32c89410, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:1580
local_err = 0x0
offset = 66560
ret = 0
#7 0x000000001001e648 in command (blk=0x32c89410, ct=0x32c96e30, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:117
cmd = 0x32c684c0 "truncate"
#8 0x0000000010024d64 in qemuio_command (blk=0x32c89410, cmd=0x3fffc052f66e "truncate 66560") at qemu-io-cmds.c:2291
ctx = 0x32c924d0
input = 0x32c684c0 "truncate"
ct = 0x32c96e30
v = 0x32c685a0
c = 2
done = false
#9 0x000000001000b540 in command_loop () at qemu-io.c:374
i = 0
done = 0
fetchable = 0
---Type <return> to continue, or q <return> to quit---
prompted = 0
input = 0x0
#10 0x000000001000c05c in main (argc=4, argv=0x3fffc051f618) at qemu-io.c:630
readonly = 0
sopt = 0x101b2608 "hVc:d:f:rsnCmkt:T:U"
lopt = {{name = 0x101b26d0 "driver", has_arg = 0, flag = 0x0, val = 104}, {name = 0x101b26d8 "help", has_arg = 0, flag = 0x0, val = 86}, {
name = 0x101b26e0 "version", has_arg = 1, flag = 0x0, val = 99}, {name = 0x101b26e8 "cmd", has_arg = 1, flag = 0x0, val = 102}, {
name = 0x101b26f0 "format", has_arg = 0, flag = 0x0, val = 114}, {name = 0x101b2700 "y", has_arg = 0, flag = 0x0, val = 115}, {
name = 0x101b2710 "", has_arg = 0, flag = 0x0, val = 110}, {name = 0x101b2718 "nocache", has_arg = 0, flag = 0x0, val = 67}, {
name = 0x101b2728 "read", has_arg = 0, flag = 0x0, val = 109}, {name = 0x101b2738 "", has_arg = 0, flag = 0x0, val = 107}, {
name = 0x101b2748 "io", has_arg = 1, flag = 0x0, val = 100}, {name = 0x101b2750 "discard", has_arg = 1, flag = 0x0, val = 116}, {
name = 0x101b2758 "cache", has_arg = 1, flag = 0x0, val = 84}, {name = 0x101b25e8 "object", has_arg = 1, flag = 0x0, val = 256}, {
name = 0x101b2760 "trace", has_arg = 0, flag = 0x0, val = 257}, {name = 0x101b1c48 "force-share", has_arg = 0, flag = 0x0, val = 85}, {name = 0x0,
has_arg = 0, flag = 0x0, val = 0}}
c = -1
opt_index = 0
flags = 16386
writethrough = true
local_error = 0x0
opts = 0x0
format = 0x0
trace_file = 0x0
force_share = false
image_fuzzer image will be attached.
** Affects: qemu
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1728661
Title:
qemu-io segfaults at block/qcow2.h:533
Status in QEMU:
New
Bug description:
git is at HEAD a93ece47fd9edbd4558db24300056c9a57d3bcd4
This is on ppc64le architecture.
Re-production steps:
1. Copy the attached file named test.img to a directory
2. And customize the following command to point to the above directory and run the same.
# mv test.img copy.img
# qemu-io <path to>/copy.img -c "truncate 66560"
from gdb:
Program terminated with signal 11, Segmentation fault.
#0 0x0000000010054cec in get_refblock_offset (s=0x32ca3210, offset=9223372036854775296) at ./block/qcow2.h:533
533 return s->refcount_table[index] & REFT_OFFSET_MASK;
Missing separate debuginfos, use: debuginfo-install cyrus-sasl-lib-2.1.26-21.el7.ppc64le glib2-2.50.3-3.el7.ppc64le glibc-2.17-196.el7.ppc64le gmp-6.0.0-15.el7.ppc64le gnutls-3.3.26-9.el7.ppc64le keyutils-libs-1.5.8-3.el7.ppc64le krb5-libs-1.15.1-8.el7.ppc64le libaio-0.3.109-13.el7.ppc64le libcom_err-1.42.9-10.el7.ppc64le libcurl-7.29.0-42.el7.ppc64le libffi-3.0.13-18.el7.ppc64le libgcc-4.8.5-16.el7_4.1.ppc64le libidn-1.28-4.el7.ppc64le libselinux-2.5-11.el7.ppc64le libssh2-1.4.3-10.el7_2.1.ppc64le libstdc++-4.8.5-16.el7_4.1.ppc64le libtasn1-4.10-1.el7.ppc64le nettle-2.7.1-8.el7.ppc64le nspr-4.13.1-1.0.el7_3.ppc64le nss-3.28.4-15.el7_4.ppc64le nss-softokn-freebl-3.28.3-8.el7_4.ppc64le nss-util-3.28.4-3.el7.ppc64le openldap-2.4.44-5.el7.ppc64le openssl-libs-1.0.2k-8.el7.ppc64le p11-kit-0.23.5-3.el7.ppc64le pcre-8.32-17.el7.ppc64le zlib-1.2.7-17.el7.ppc64le
(gdb) bt
#0 0x0000000010054cec in get_refblock_offset (s=0x32ca3210, offset=9223372036854775296) at ./block/qcow2.h:533
#1 0x000000001005df4c in qcow2_discard_refcount_block (bs=0x32c96f60, discard_block_offs=9223372036854775296) at block/qcow2-refcount.c:3070
#2 0x000000001005e5c4 in qcow2_shrink_reftable (bs=0x32c96f60) at block/qcow2-refcount.c:3169
#3 0x0000000010051184 in qcow2_truncate (bs=0x32c96f60, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/qcow2.c:3155
#4 0x0000000010016480 in bdrv_truncate (child=0x32ca6270, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block.c:3585
#5 0x0000000010090800 in blk_truncate (blk=0x32c89410, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/block-backend.c:1845
#6 0x0000000010023028 in truncate_f (blk=0x32c89410, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:1580
#7 0x000000001001e648 in command (blk=0x32c89410, ct=0x32c96e30, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:117
#8 0x0000000010024d64 in qemuio_command (blk=0x32c89410, cmd=0x3fffc052f66e "truncate 66560") at qemu-io-cmds.c:2291
#9 0x000000001000b540 in command_loop () at qemu-io.c:374
#10 0x000000001000c05c in main (argc=4, argv=0x3fffc051f618) at qemu-io.c:630
(gdb) bt full
#0 0x0000000010054cec in get_refblock_offset (s=0x32ca3210, offset=9223372036854775296) at ./block/qcow2.h:533
index = 4294967295
#1 0x000000001005df4c in qcow2_discard_refcount_block (bs=0x32c96f60, discard_block_offs=9223372036854775296) at block/qcow2-refcount.c:3070
s = 0x32ca3210
refblock_offs = 852111520
cluster_index = 16384
block_index = 3226593616
refblock = 0x32cb9570
ret = 16384
__PRETTY_FUNCTION__ = "qcow2_discard_refcount_block"
#2 0x000000001005e5c4 in qcow2_shrink_reftable (bs=0x32c96f60) at block/qcow2-refcount.c:3169
s = 0x32ca3210
reftable_tmp = 0x32cb9570
i = 0
ret = 0
#3 0x0000000010051184 in qcow2_truncate (bs=0x32c96f60, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/qcow2.c:3155
last_cluster = 70367675804416
old_file_size = 70367675804416
s = 0x32ca3210
old_length = 1048576
new_l1_size = 1
ret = 0
__func__ = "qcow2_truncate"
__PRETTY_FUNCTION__ = "qcow2_truncate"
__FUNCTION__ = "qcow2_truncate"
#4 0x0000000010016480 in bdrv_truncate (child=0x32ca6270, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block.c:3585
bs = 0x32c96f60
drv = 0x102036f0 <bdrv_qcow2>
ret = 16383
__PRETTY_FUNCTION__ = "bdrv_truncate"
__func__ = "bdrv_truncate"
#5 0x0000000010090800 in blk_truncate (blk=0x32c89410, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/block-backend.c:1845
__func__ = "blk_truncate"
#6 0x0000000010023028 in truncate_f (blk=0x32c89410, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:1580
local_err = 0x0
offset = 66560
ret = 0
#7 0x000000001001e648 in command (blk=0x32c89410, ct=0x32c96e30, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:117
cmd = 0x32c684c0 "truncate"
#8 0x0000000010024d64 in qemuio_command (blk=0x32c89410, cmd=0x3fffc052f66e "truncate 66560") at qemu-io-cmds.c:2291
ctx = 0x32c924d0
input = 0x32c684c0 "truncate"
ct = 0x32c96e30
v = 0x32c685a0
c = 2
done = false
#9 0x000000001000b540 in command_loop () at qemu-io.c:374
i = 0
done = 0
fetchable = 0
---Type <return> to continue, or q <return> to quit---
prompted = 0
input = 0x0
#10 0x000000001000c05c in main (argc=4, argv=0x3fffc051f618) at qemu-io.c:630
readonly = 0
sopt = 0x101b2608 "hVc:d:f:rsnCmkt:T:U"
lopt = {{name = 0x101b26d0 "driver", has_arg = 0, flag = 0x0, val = 104}, {name = 0x101b26d8 "help", has_arg = 0, flag = 0x0, val = 86}, {
name = 0x101b26e0 "version", has_arg = 1, flag = 0x0, val = 99}, {name = 0x101b26e8 "cmd", has_arg = 1, flag = 0x0, val = 102}, {
name = 0x101b26f0 "format", has_arg = 0, flag = 0x0, val = 114}, {name = 0x101b2700 "y", has_arg = 0, flag = 0x0, val = 115}, {
name = 0x101b2710 "", has_arg = 0, flag = 0x0, val = 110}, {name = 0x101b2718 "nocache", has_arg = 0, flag = 0x0, val = 67}, {
name = 0x101b2728 "read", has_arg = 0, flag = 0x0, val = 109}, {name = 0x101b2738 "", has_arg = 0, flag = 0x0, val = 107}, {
name = 0x101b2748 "io", has_arg = 1, flag = 0x0, val = 100}, {name = 0x101b2750 "discard", has_arg = 1, flag = 0x0, val = 116}, {
name = 0x101b2758 "cache", has_arg = 1, flag = 0x0, val = 84}, {name = 0x101b25e8 "object", has_arg = 1, flag = 0x0, val = 256}, {
name = 0x101b2760 "trace", has_arg = 0, flag = 0x0, val = 257}, {name = 0x101b1c48 "force-share", has_arg = 0, flag = 0x0, val = 85}, {name = 0x0,
has_arg = 0, flag = 0x0, val = 0}}
c = -1
opt_index = 0
flags = 16386
writethrough = true
local_error = 0x0
opts = 0x0
format = 0x0
trace_file = 0x0
force_share = false
image_fuzzer image will be attached.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1728661/+subscriptions
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Qemu-devel] [Bug 1728661] Re: qemu-io segfaults at block/qcow2.h:533
2017-10-30 17:08 [Qemu-devel] [Bug 1728661] [NEW] qemu-io segfaults at block/qcow2.h:533 R.Nageswara Sastry
@ 2017-10-30 17:08 ` R.Nageswara Sastry
2017-11-02 21:16 ` Max Reitz
2017-12-15 15:38 ` Thomas Huth
2 siblings, 0 replies; 4+ messages in thread
From: R.Nageswara Sastry @ 2017-10-30 17:08 UTC (permalink / raw)
To: qemu-devel
** Attachment added: "test.img tarred"
https://bugs.launchpad.net/qemu/+bug/1728661/+attachment/5000235/+files/test.img_1728661.tar.gz
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1728661
Title:
qemu-io segfaults at block/qcow2.h:533
Status in QEMU:
New
Bug description:
git is at HEAD a93ece47fd9edbd4558db24300056c9a57d3bcd4
This is on ppc64le architecture.
Re-production steps:
1. Copy the attached file named test.img to a directory
2. And customize the following command to point to the above directory and run the same.
# mv test.img copy.img
# qemu-io <path to>/copy.img -c "truncate 66560"
from gdb:
Program terminated with signal 11, Segmentation fault.
#0 0x0000000010054cec in get_refblock_offset (s=0x32ca3210, offset=9223372036854775296) at ./block/qcow2.h:533
533 return s->refcount_table[index] & REFT_OFFSET_MASK;
Missing separate debuginfos, use: debuginfo-install cyrus-sasl-lib-2.1.26-21.el7.ppc64le glib2-2.50.3-3.el7.ppc64le glibc-2.17-196.el7.ppc64le gmp-6.0.0-15.el7.ppc64le gnutls-3.3.26-9.el7.ppc64le keyutils-libs-1.5.8-3.el7.ppc64le krb5-libs-1.15.1-8.el7.ppc64le libaio-0.3.109-13.el7.ppc64le libcom_err-1.42.9-10.el7.ppc64le libcurl-7.29.0-42.el7.ppc64le libffi-3.0.13-18.el7.ppc64le libgcc-4.8.5-16.el7_4.1.ppc64le libidn-1.28-4.el7.ppc64le libselinux-2.5-11.el7.ppc64le libssh2-1.4.3-10.el7_2.1.ppc64le libstdc++-4.8.5-16.el7_4.1.ppc64le libtasn1-4.10-1.el7.ppc64le nettle-2.7.1-8.el7.ppc64le nspr-4.13.1-1.0.el7_3.ppc64le nss-3.28.4-15.el7_4.ppc64le nss-softokn-freebl-3.28.3-8.el7_4.ppc64le nss-util-3.28.4-3.el7.ppc64le openldap-2.4.44-5.el7.ppc64le openssl-libs-1.0.2k-8.el7.ppc64le p11-kit-0.23.5-3.el7.ppc64le pcre-8.32-17.el7.ppc64le zlib-1.2.7-17.el7.ppc64le
(gdb) bt
#0 0x0000000010054cec in get_refblock_offset (s=0x32ca3210, offset=9223372036854775296) at ./block/qcow2.h:533
#1 0x000000001005df4c in qcow2_discard_refcount_block (bs=0x32c96f60, discard_block_offs=9223372036854775296) at block/qcow2-refcount.c:3070
#2 0x000000001005e5c4 in qcow2_shrink_reftable (bs=0x32c96f60) at block/qcow2-refcount.c:3169
#3 0x0000000010051184 in qcow2_truncate (bs=0x32c96f60, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/qcow2.c:3155
#4 0x0000000010016480 in bdrv_truncate (child=0x32ca6270, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block.c:3585
#5 0x0000000010090800 in blk_truncate (blk=0x32c89410, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/block-backend.c:1845
#6 0x0000000010023028 in truncate_f (blk=0x32c89410, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:1580
#7 0x000000001001e648 in command (blk=0x32c89410, ct=0x32c96e30, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:117
#8 0x0000000010024d64 in qemuio_command (blk=0x32c89410, cmd=0x3fffc052f66e "truncate 66560") at qemu-io-cmds.c:2291
#9 0x000000001000b540 in command_loop () at qemu-io.c:374
#10 0x000000001000c05c in main (argc=4, argv=0x3fffc051f618) at qemu-io.c:630
(gdb) bt full
#0 0x0000000010054cec in get_refblock_offset (s=0x32ca3210, offset=9223372036854775296) at ./block/qcow2.h:533
index = 4294967295
#1 0x000000001005df4c in qcow2_discard_refcount_block (bs=0x32c96f60, discard_block_offs=9223372036854775296) at block/qcow2-refcount.c:3070
s = 0x32ca3210
refblock_offs = 852111520
cluster_index = 16384
block_index = 3226593616
refblock = 0x32cb9570
ret = 16384
__PRETTY_FUNCTION__ = "qcow2_discard_refcount_block"
#2 0x000000001005e5c4 in qcow2_shrink_reftable (bs=0x32c96f60) at block/qcow2-refcount.c:3169
s = 0x32ca3210
reftable_tmp = 0x32cb9570
i = 0
ret = 0
#3 0x0000000010051184 in qcow2_truncate (bs=0x32c96f60, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/qcow2.c:3155
last_cluster = 70367675804416
old_file_size = 70367675804416
s = 0x32ca3210
old_length = 1048576
new_l1_size = 1
ret = 0
__func__ = "qcow2_truncate"
__PRETTY_FUNCTION__ = "qcow2_truncate"
__FUNCTION__ = "qcow2_truncate"
#4 0x0000000010016480 in bdrv_truncate (child=0x32ca6270, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block.c:3585
bs = 0x32c96f60
drv = 0x102036f0 <bdrv_qcow2>
ret = 16383
__PRETTY_FUNCTION__ = "bdrv_truncate"
__func__ = "bdrv_truncate"
#5 0x0000000010090800 in blk_truncate (blk=0x32c89410, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/block-backend.c:1845
__func__ = "blk_truncate"
#6 0x0000000010023028 in truncate_f (blk=0x32c89410, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:1580
local_err = 0x0
offset = 66560
ret = 0
#7 0x000000001001e648 in command (blk=0x32c89410, ct=0x32c96e30, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:117
cmd = 0x32c684c0 "truncate"
#8 0x0000000010024d64 in qemuio_command (blk=0x32c89410, cmd=0x3fffc052f66e "truncate 66560") at qemu-io-cmds.c:2291
ctx = 0x32c924d0
input = 0x32c684c0 "truncate"
ct = 0x32c96e30
v = 0x32c685a0
c = 2
done = false
#9 0x000000001000b540 in command_loop () at qemu-io.c:374
i = 0
done = 0
fetchable = 0
---Type <return> to continue, or q <return> to quit---
prompted = 0
input = 0x0
#10 0x000000001000c05c in main (argc=4, argv=0x3fffc051f618) at qemu-io.c:630
readonly = 0
sopt = 0x101b2608 "hVc:d:f:rsnCmkt:T:U"
lopt = {{name = 0x101b26d0 "driver", has_arg = 0, flag = 0x0, val = 104}, {name = 0x101b26d8 "help", has_arg = 0, flag = 0x0, val = 86}, {
name = 0x101b26e0 "version", has_arg = 1, flag = 0x0, val = 99}, {name = 0x101b26e8 "cmd", has_arg = 1, flag = 0x0, val = 102}, {
name = 0x101b26f0 "format", has_arg = 0, flag = 0x0, val = 114}, {name = 0x101b2700 "y", has_arg = 0, flag = 0x0, val = 115}, {
name = 0x101b2710 "", has_arg = 0, flag = 0x0, val = 110}, {name = 0x101b2718 "nocache", has_arg = 0, flag = 0x0, val = 67}, {
name = 0x101b2728 "read", has_arg = 0, flag = 0x0, val = 109}, {name = 0x101b2738 "", has_arg = 0, flag = 0x0, val = 107}, {
name = 0x101b2748 "io", has_arg = 1, flag = 0x0, val = 100}, {name = 0x101b2750 "discard", has_arg = 1, flag = 0x0, val = 116}, {
name = 0x101b2758 "cache", has_arg = 1, flag = 0x0, val = 84}, {name = 0x101b25e8 "object", has_arg = 1, flag = 0x0, val = 256}, {
name = 0x101b2760 "trace", has_arg = 0, flag = 0x0, val = 257}, {name = 0x101b1c48 "force-share", has_arg = 0, flag = 0x0, val = 85}, {name = 0x0,
has_arg = 0, flag = 0x0, val = 0}}
c = -1
opt_index = 0
flags = 16386
writethrough = true
local_error = 0x0
opts = 0x0
format = 0x0
trace_file = 0x0
force_share = false
image_fuzzer image will be attached.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1728661/+subscriptions
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Qemu-devel] [Bug 1728661] Re: qemu-io segfaults at block/qcow2.h:533
2017-10-30 17:08 [Qemu-devel] [Bug 1728661] [NEW] qemu-io segfaults at block/qcow2.h:533 R.Nageswara Sastry
2017-10-30 17:08 ` [Qemu-devel] [Bug 1728661] " R.Nageswara Sastry
@ 2017-11-02 21:16 ` Max Reitz
2017-12-15 15:38 ` Thomas Huth
2 siblings, 0 replies; 4+ messages in thread
From: Max Reitz @ 2017-11-02 21:16 UTC (permalink / raw)
To: qemu-devel
Hi,
And finally, also here, thanks a lot for reporting this bug! I've found
a fix; sending a patch might take a little longer, though...
Max
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1728661
Title:
qemu-io segfaults at block/qcow2.h:533
Status in QEMU:
New
Bug description:
git is at HEAD a93ece47fd9edbd4558db24300056c9a57d3bcd4
This is on ppc64le architecture.
Re-production steps:
1. Copy the attached file named test.img to a directory
2. And customize the following command to point to the above directory and run the same.
# mv test.img copy.img
# qemu-io <path to>/copy.img -c "truncate 66560"
from gdb:
Program terminated with signal 11, Segmentation fault.
#0 0x0000000010054cec in get_refblock_offset (s=0x32ca3210, offset=9223372036854775296) at ./block/qcow2.h:533
533 return s->refcount_table[index] & REFT_OFFSET_MASK;
Missing separate debuginfos, use: debuginfo-install cyrus-sasl-lib-2.1.26-21.el7.ppc64le glib2-2.50.3-3.el7.ppc64le glibc-2.17-196.el7.ppc64le gmp-6.0.0-15.el7.ppc64le gnutls-3.3.26-9.el7.ppc64le keyutils-libs-1.5.8-3.el7.ppc64le krb5-libs-1.15.1-8.el7.ppc64le libaio-0.3.109-13.el7.ppc64le libcom_err-1.42.9-10.el7.ppc64le libcurl-7.29.0-42.el7.ppc64le libffi-3.0.13-18.el7.ppc64le libgcc-4.8.5-16.el7_4.1.ppc64le libidn-1.28-4.el7.ppc64le libselinux-2.5-11.el7.ppc64le libssh2-1.4.3-10.el7_2.1.ppc64le libstdc++-4.8.5-16.el7_4.1.ppc64le libtasn1-4.10-1.el7.ppc64le nettle-2.7.1-8.el7.ppc64le nspr-4.13.1-1.0.el7_3.ppc64le nss-3.28.4-15.el7_4.ppc64le nss-softokn-freebl-3.28.3-8.el7_4.ppc64le nss-util-3.28.4-3.el7.ppc64le openldap-2.4.44-5.el7.ppc64le openssl-libs-1.0.2k-8.el7.ppc64le p11-kit-0.23.5-3.el7.ppc64le pcre-8.32-17.el7.ppc64le zlib-1.2.7-17.el7.ppc64le
(gdb) bt
#0 0x0000000010054cec in get_refblock_offset (s=0x32ca3210, offset=9223372036854775296) at ./block/qcow2.h:533
#1 0x000000001005df4c in qcow2_discard_refcount_block (bs=0x32c96f60, discard_block_offs=9223372036854775296) at block/qcow2-refcount.c:3070
#2 0x000000001005e5c4 in qcow2_shrink_reftable (bs=0x32c96f60) at block/qcow2-refcount.c:3169
#3 0x0000000010051184 in qcow2_truncate (bs=0x32c96f60, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/qcow2.c:3155
#4 0x0000000010016480 in bdrv_truncate (child=0x32ca6270, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block.c:3585
#5 0x0000000010090800 in blk_truncate (blk=0x32c89410, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/block-backend.c:1845
#6 0x0000000010023028 in truncate_f (blk=0x32c89410, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:1580
#7 0x000000001001e648 in command (blk=0x32c89410, ct=0x32c96e30, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:117
#8 0x0000000010024d64 in qemuio_command (blk=0x32c89410, cmd=0x3fffc052f66e "truncate 66560") at qemu-io-cmds.c:2291
#9 0x000000001000b540 in command_loop () at qemu-io.c:374
#10 0x000000001000c05c in main (argc=4, argv=0x3fffc051f618) at qemu-io.c:630
(gdb) bt full
#0 0x0000000010054cec in get_refblock_offset (s=0x32ca3210, offset=9223372036854775296) at ./block/qcow2.h:533
index = 4294967295
#1 0x000000001005df4c in qcow2_discard_refcount_block (bs=0x32c96f60, discard_block_offs=9223372036854775296) at block/qcow2-refcount.c:3070
s = 0x32ca3210
refblock_offs = 852111520
cluster_index = 16384
block_index = 3226593616
refblock = 0x32cb9570
ret = 16384
__PRETTY_FUNCTION__ = "qcow2_discard_refcount_block"
#2 0x000000001005e5c4 in qcow2_shrink_reftable (bs=0x32c96f60) at block/qcow2-refcount.c:3169
s = 0x32ca3210
reftable_tmp = 0x32cb9570
i = 0
ret = 0
#3 0x0000000010051184 in qcow2_truncate (bs=0x32c96f60, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/qcow2.c:3155
last_cluster = 70367675804416
old_file_size = 70367675804416
s = 0x32ca3210
old_length = 1048576
new_l1_size = 1
ret = 0
__func__ = "qcow2_truncate"
__PRETTY_FUNCTION__ = "qcow2_truncate"
__FUNCTION__ = "qcow2_truncate"
#4 0x0000000010016480 in bdrv_truncate (child=0x32ca6270, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block.c:3585
bs = 0x32c96f60
drv = 0x102036f0 <bdrv_qcow2>
ret = 16383
__PRETTY_FUNCTION__ = "bdrv_truncate"
__func__ = "bdrv_truncate"
#5 0x0000000010090800 in blk_truncate (blk=0x32c89410, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/block-backend.c:1845
__func__ = "blk_truncate"
#6 0x0000000010023028 in truncate_f (blk=0x32c89410, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:1580
local_err = 0x0
offset = 66560
ret = 0
#7 0x000000001001e648 in command (blk=0x32c89410, ct=0x32c96e30, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:117
cmd = 0x32c684c0 "truncate"
#8 0x0000000010024d64 in qemuio_command (blk=0x32c89410, cmd=0x3fffc052f66e "truncate 66560") at qemu-io-cmds.c:2291
ctx = 0x32c924d0
input = 0x32c684c0 "truncate"
ct = 0x32c96e30
v = 0x32c685a0
c = 2
done = false
#9 0x000000001000b540 in command_loop () at qemu-io.c:374
i = 0
done = 0
fetchable = 0
---Type <return> to continue, or q <return> to quit---
prompted = 0
input = 0x0
#10 0x000000001000c05c in main (argc=4, argv=0x3fffc051f618) at qemu-io.c:630
readonly = 0
sopt = 0x101b2608 "hVc:d:f:rsnCmkt:T:U"
lopt = {{name = 0x101b26d0 "driver", has_arg = 0, flag = 0x0, val = 104}, {name = 0x101b26d8 "help", has_arg = 0, flag = 0x0, val = 86}, {
name = 0x101b26e0 "version", has_arg = 1, flag = 0x0, val = 99}, {name = 0x101b26e8 "cmd", has_arg = 1, flag = 0x0, val = 102}, {
name = 0x101b26f0 "format", has_arg = 0, flag = 0x0, val = 114}, {name = 0x101b2700 "y", has_arg = 0, flag = 0x0, val = 115}, {
name = 0x101b2710 "", has_arg = 0, flag = 0x0, val = 110}, {name = 0x101b2718 "nocache", has_arg = 0, flag = 0x0, val = 67}, {
name = 0x101b2728 "read", has_arg = 0, flag = 0x0, val = 109}, {name = 0x101b2738 "", has_arg = 0, flag = 0x0, val = 107}, {
name = 0x101b2748 "io", has_arg = 1, flag = 0x0, val = 100}, {name = 0x101b2750 "discard", has_arg = 1, flag = 0x0, val = 116}, {
name = 0x101b2758 "cache", has_arg = 1, flag = 0x0, val = 84}, {name = 0x101b25e8 "object", has_arg = 1, flag = 0x0, val = 256}, {
name = 0x101b2760 "trace", has_arg = 0, flag = 0x0, val = 257}, {name = 0x101b1c48 "force-share", has_arg = 0, flag = 0x0, val = 85}, {name = 0x0,
has_arg = 0, flag = 0x0, val = 0}}
c = -1
opt_index = 0
flags = 16386
writethrough = true
local_error = 0x0
opts = 0x0
format = 0x0
trace_file = 0x0
force_share = false
image_fuzzer image will be attached.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1728661/+subscriptions
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Qemu-devel] [Bug 1728661] Re: qemu-io segfaults at block/qcow2.h:533
2017-10-30 17:08 [Qemu-devel] [Bug 1728661] [NEW] qemu-io segfaults at block/qcow2.h:533 R.Nageswara Sastry
2017-10-30 17:08 ` [Qemu-devel] [Bug 1728661] " R.Nageswara Sastry
2017-11-02 21:16 ` Max Reitz
@ 2017-12-15 15:38 ` Thomas Huth
2 siblings, 0 replies; 4+ messages in thread
From: Thomas Huth @ 2017-12-15 15:38 UTC (permalink / raw)
To: qemu-devel
Fix has been released with QEMU 2.11:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=23482f8a603a7fc591b770
** Changed in: qemu
Status: New => Fix Released
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1728661
Title:
qemu-io segfaults at block/qcow2.h:533
Status in QEMU:
Fix Released
Bug description:
git is at HEAD a93ece47fd9edbd4558db24300056c9a57d3bcd4
This is on ppc64le architecture.
Re-production steps:
1. Copy the attached file named test.img to a directory
2. And customize the following command to point to the above directory and run the same.
# mv test.img copy.img
# qemu-io <path to>/copy.img -c "truncate 66560"
from gdb:
Program terminated with signal 11, Segmentation fault.
#0 0x0000000010054cec in get_refblock_offset (s=0x32ca3210, offset=9223372036854775296) at ./block/qcow2.h:533
533 return s->refcount_table[index] & REFT_OFFSET_MASK;
Missing separate debuginfos, use: debuginfo-install cyrus-sasl-lib-2.1.26-21.el7.ppc64le glib2-2.50.3-3.el7.ppc64le glibc-2.17-196.el7.ppc64le gmp-6.0.0-15.el7.ppc64le gnutls-3.3.26-9.el7.ppc64le keyutils-libs-1.5.8-3.el7.ppc64le krb5-libs-1.15.1-8.el7.ppc64le libaio-0.3.109-13.el7.ppc64le libcom_err-1.42.9-10.el7.ppc64le libcurl-7.29.0-42.el7.ppc64le libffi-3.0.13-18.el7.ppc64le libgcc-4.8.5-16.el7_4.1.ppc64le libidn-1.28-4.el7.ppc64le libselinux-2.5-11.el7.ppc64le libssh2-1.4.3-10.el7_2.1.ppc64le libstdc++-4.8.5-16.el7_4.1.ppc64le libtasn1-4.10-1.el7.ppc64le nettle-2.7.1-8.el7.ppc64le nspr-4.13.1-1.0.el7_3.ppc64le nss-3.28.4-15.el7_4.ppc64le nss-softokn-freebl-3.28.3-8.el7_4.ppc64le nss-util-3.28.4-3.el7.ppc64le openldap-2.4.44-5.el7.ppc64le openssl-libs-1.0.2k-8.el7.ppc64le p11-kit-0.23.5-3.el7.ppc64le pcre-8.32-17.el7.ppc64le zlib-1.2.7-17.el7.ppc64le
(gdb) bt
#0 0x0000000010054cec in get_refblock_offset (s=0x32ca3210, offset=9223372036854775296) at ./block/qcow2.h:533
#1 0x000000001005df4c in qcow2_discard_refcount_block (bs=0x32c96f60, discard_block_offs=9223372036854775296) at block/qcow2-refcount.c:3070
#2 0x000000001005e5c4 in qcow2_shrink_reftable (bs=0x32c96f60) at block/qcow2-refcount.c:3169
#3 0x0000000010051184 in qcow2_truncate (bs=0x32c96f60, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/qcow2.c:3155
#4 0x0000000010016480 in bdrv_truncate (child=0x32ca6270, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block.c:3585
#5 0x0000000010090800 in blk_truncate (blk=0x32c89410, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/block-backend.c:1845
#6 0x0000000010023028 in truncate_f (blk=0x32c89410, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:1580
#7 0x000000001001e648 in command (blk=0x32c89410, ct=0x32c96e30, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:117
#8 0x0000000010024d64 in qemuio_command (blk=0x32c89410, cmd=0x3fffc052f66e "truncate 66560") at qemu-io-cmds.c:2291
#9 0x000000001000b540 in command_loop () at qemu-io.c:374
#10 0x000000001000c05c in main (argc=4, argv=0x3fffc051f618) at qemu-io.c:630
(gdb) bt full
#0 0x0000000010054cec in get_refblock_offset (s=0x32ca3210, offset=9223372036854775296) at ./block/qcow2.h:533
index = 4294967295
#1 0x000000001005df4c in qcow2_discard_refcount_block (bs=0x32c96f60, discard_block_offs=9223372036854775296) at block/qcow2-refcount.c:3070
s = 0x32ca3210
refblock_offs = 852111520
cluster_index = 16384
block_index = 3226593616
refblock = 0x32cb9570
ret = 16384
__PRETTY_FUNCTION__ = "qcow2_discard_refcount_block"
#2 0x000000001005e5c4 in qcow2_shrink_reftable (bs=0x32c96f60) at block/qcow2-refcount.c:3169
s = 0x32ca3210
reftable_tmp = 0x32cb9570
i = 0
ret = 0
#3 0x0000000010051184 in qcow2_truncate (bs=0x32c96f60, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/qcow2.c:3155
last_cluster = 70367675804416
old_file_size = 70367675804416
s = 0x32ca3210
old_length = 1048576
new_l1_size = 1
ret = 0
__func__ = "qcow2_truncate"
__PRETTY_FUNCTION__ = "qcow2_truncate"
__FUNCTION__ = "qcow2_truncate"
#4 0x0000000010016480 in bdrv_truncate (child=0x32ca6270, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block.c:3585
bs = 0x32c96f60
drv = 0x102036f0 <bdrv_qcow2>
ret = 16383
__PRETTY_FUNCTION__ = "bdrv_truncate"
__func__ = "bdrv_truncate"
#5 0x0000000010090800 in blk_truncate (blk=0x32c89410, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/block-backend.c:1845
__func__ = "blk_truncate"
#6 0x0000000010023028 in truncate_f (blk=0x32c89410, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:1580
local_err = 0x0
offset = 66560
ret = 0
#7 0x000000001001e648 in command (blk=0x32c89410, ct=0x32c96e30, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:117
cmd = 0x32c684c0 "truncate"
#8 0x0000000010024d64 in qemuio_command (blk=0x32c89410, cmd=0x3fffc052f66e "truncate 66560") at qemu-io-cmds.c:2291
ctx = 0x32c924d0
input = 0x32c684c0 "truncate"
ct = 0x32c96e30
v = 0x32c685a0
c = 2
done = false
#9 0x000000001000b540 in command_loop () at qemu-io.c:374
i = 0
done = 0
fetchable = 0
---Type <return> to continue, or q <return> to quit---
prompted = 0
input = 0x0
#10 0x000000001000c05c in main (argc=4, argv=0x3fffc051f618) at qemu-io.c:630
readonly = 0
sopt = 0x101b2608 "hVc:d:f:rsnCmkt:T:U"
lopt = {{name = 0x101b26d0 "driver", has_arg = 0, flag = 0x0, val = 104}, {name = 0x101b26d8 "help", has_arg = 0, flag = 0x0, val = 86}, {
name = 0x101b26e0 "version", has_arg = 1, flag = 0x0, val = 99}, {name = 0x101b26e8 "cmd", has_arg = 1, flag = 0x0, val = 102}, {
name = 0x101b26f0 "format", has_arg = 0, flag = 0x0, val = 114}, {name = 0x101b2700 "y", has_arg = 0, flag = 0x0, val = 115}, {
name = 0x101b2710 "", has_arg = 0, flag = 0x0, val = 110}, {name = 0x101b2718 "nocache", has_arg = 0, flag = 0x0, val = 67}, {
name = 0x101b2728 "read", has_arg = 0, flag = 0x0, val = 109}, {name = 0x101b2738 "", has_arg = 0, flag = 0x0, val = 107}, {
name = 0x101b2748 "io", has_arg = 1, flag = 0x0, val = 100}, {name = 0x101b2750 "discard", has_arg = 1, flag = 0x0, val = 116}, {
name = 0x101b2758 "cache", has_arg = 1, flag = 0x0, val = 84}, {name = 0x101b25e8 "object", has_arg = 1, flag = 0x0, val = 256}, {
name = 0x101b2760 "trace", has_arg = 0, flag = 0x0, val = 257}, {name = 0x101b1c48 "force-share", has_arg = 0, flag = 0x0, val = 85}, {name = 0x0,
has_arg = 0, flag = 0x0, val = 0}}
c = -1
opt_index = 0
flags = 16386
writethrough = true
local_error = 0x0
opts = 0x0
format = 0x0
trace_file = 0x0
force_share = false
image_fuzzer image will be attached.
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1728661/+subscriptions
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-12-15 15:45 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-10-30 17:08 [Qemu-devel] [Bug 1728661] [NEW] qemu-io segfaults at block/qcow2.h:533 R.Nageswara Sastry
2017-10-30 17:08 ` [Qemu-devel] [Bug 1728661] " R.Nageswara Sastry
2017-11-02 21:16 ` Max Reitz
2017-12-15 15:38 ` Thomas Huth
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.