* [Qemu-devel] Supplying QCOW2 as 'file' driver to `blockdev-add` results in a QEMU crash
@ 2016-06-15  9:58 Kashyap Chamarthy
  2016-06-15 12:02 ` [Qemu-devel] [Qemu-block] " Kashyap Chamarthy
  2016-06-15 15:17 ` [Qemu-devel] " Max Reitz
  0 siblings, 2 replies; 5+ messages in thread
From: Kashyap Chamarthy @ 2016-06-15  9:58 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-block, armbru, eblake

Seems like supplying "qcow2" file BlockdevDriver option to QMP
`blockdev-add` results in a SIGSEGV:

	[...]
    Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
    0x0000555555a0121f in visit_type_BlockdevRef ()
	[...]

Reproducer
----------

Tested with: qemu-2.6.0-3.fc24

Invoke this QEMU command-line (QMP server over Unix socket) in GDB:

$ gdb /usr/bin/qemu-system-x86_64
[...]
(gdb) run -machine accel=kvm -name cirrvm -S -machine pc-i440fx-2.1,accel=kvm,usb=off -cpu SandyBridge -m 977 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -nographic -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/tmp/cirrvm.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=discard -no-hpet -no-shutdown -boot strict=on -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x3.0x7 -drive file=./cirros-0.3.3.qcow2,if=none,id=drive-ide0-0-0,driver=qcow2 -device ide-hd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x4 -msg timestamp=on -qmp unix:./qmp-sock,server --monitor stdio
[...]

Then, invoke the 'blockdev-add' QMP command with these arguments and options:

    $ socat UNIX:/export/qmp-sock READLINE,history=$HOME/.qmp_history,prompt='QMP> '
    {"QMP": {"version": {"qemu": {"micro": 0, "minor": 6, "major": 2}, "package": " (qemu-2.6.0-3.fc24)"}, "capabilities": []}}
    QMP> {"execute":"qmp_capabilities"}
    {"return": {}}
    
    QMP> { "execute": "blockdev-add",
         "arguments": { "options" : { "driver": "qcow2", 
                                     "id": "drive-ide1-0-0",
                                     "file": { "driver": "qcow2",
                                               "filename": "backup1.qcow2" } } } }


Backtrace
---------

[...]
Starting program: /usr/bin/qemu-system-x86_64 -machine accel=kvm -name cirrvm -S -machine pc-i440fx-2.1,accel=kvm,usb=off -cpu SandyBridge -m 977 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -nographic -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/tmp/cirrvm.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=discard -no-hpet -no-shutdown -boot strict=on -device ich9-usb-ehci1,id=usb,bus=pci.0,addr=0x3.0x7 -drive file=./cirros-0.3.3.qcow2,if=none,id=drive-ide0-0-0,driver=qcow2 -device ide-hd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x4 -msg timestamp=on -qmp unix:./qmp-sock,server --monitor stdio
[...]

[New Thread 0x7fffcb792700 (LWP 2169)]
char device redirected to /dev/pts/50 (label charserial0)
QEMU waiting for connection on: disconnected:unix:./qmp-sock,server
[New Thread 0x7fffcad7f700 (LWP 2234)]
QEMU 2.6.0 monitor - type 'help' for more information
(qemu) [New Thread 0x7fffca57e700 (LWP 2235)]
[Thread 0x7fffcad7f700 (LWP 2234) exited]

Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
0x0000555555a0121f in visit_type_BlockdevRef ()
(gdb) thread apply all bt full

Thread 4 (Thread 0x7fffca57e700 (LWP 2235)):
#0  0x00007fffdabf4bd0 in pthread_cond_wait@@GLIBC_2.3.2 () at /lib64/libpthread.so.0
#1  0x0000555555a199e9 in qemu_cond_wait ()
#2  0x000055555571e26f in qemu_kvm_cpu_thread_fn ()
#3  0x00007fffdabef5ca in start_thread () at /lib64/libpthread.so.0
#4  0x00007fffda928ead in clone () at /lib64/libc.so.6

Thread 2 (Thread 0x7fffcb792700 (LWP 2169)):
#0  0x00007fffda922ff9 in syscall () at /lib64/libc.so.6
#1  0x0000555555a19cf8 in qemu_event_wait ()
#2  0x0000555555a27e6e in call_rcu_thread ()
#3  0x00007fffdabef5ca in start_thread () at /lib64/libpthread.so.0
#4  0x00007fffda928ead in clone () at /lib64/libc.so.6

Thread 1 (Thread 0x7ffff7ed0f80 (LWP 2162)):
#0  0x0000555555a0121f in visit_type_BlockdevRef ()
#1  0x0000555555a016a2 in visit_type_BlockdevOptionsGenericFormat_members ()
#2  0x0000555555a01903 in visit_type_BlockdevOptionsGenericCOWFormat_members ()
#3  0x0000555555a01a53 in visit_type_BlockdevOptionsQcow2_members ()
#4  0x0000555555a010d5 in visit_type_BlockdevOptions_members ()
#5  0x0000555555a012c8 in visit_type_BlockdevRef ()
#6  0x0000555555a016a2 in visit_type_BlockdevOptionsGenericFormat_members ()
#7  0x0000555555a01903 in visit_type_BlockdevOptionsGenericCOWFormat_members ()
#8  0x0000555555a01a53 in visit_type_BlockdevOptionsQcow2_members ()
#9  0x0000555555a010d5 in visit_type_BlockdevOptions_members ()
#10 0x0000555555a0116f in visit_type_BlockdevOptions ()
#11 0x0000555555a077a2 in visit_type_q_obj_blockdev_add_arg_members ()
#12 0x000055555580691b in qmp_marshal_blockdev_add ()
#13 0x0000555555721460 in handle_qmp_command ()
#14 0x0000555555a15858 in json_message_process_token ()
#15 0x0000555555a29bcd in json_lexer_feed_char ()
#16 0x0000555555a29cde in json_lexer_feed ()
#17 0x000055555571fedb in monitor_qmp_read ()
#18 0x00005555557fd2a0 in tcp_chr_read ()
#19 0x00007fffde6a9703 in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#20 0x0000555555987163 in main_loop_wait ()
#21 0x00005555556eadbd in main ()
(gdb) 

-- 
/kashyap


* Re: [Qemu-devel] [Qemu-block] Supplying QCOW2 as 'file' driver to `blockdev-add` results in a QEMU crash
  2016-06-15  9:58 [Qemu-devel] Supplying QCOW2 as 'file' driver to `blockdev-add` results in a QEMU crash Kashyap Chamarthy
@ 2016-06-15 12:02 ` Kashyap Chamarthy
  2016-06-15 15:17 ` [Qemu-devel] " Max Reitz
  1 sibling, 0 replies; 5+ messages in thread
From: Kashyap Chamarthy @ 2016-06-15 12:02 UTC (permalink / raw)
  To: qemu-devel; +Cc: armbru, qemu-block

On Wed, Jun 15, 2016 at 11:58:31AM +0200, Kashyap Chamarthy wrote:
> Seems like supplying "qcow2" file BlockdevDriver option to QMP
> `blockdev-add` results in a SIGSEGV:
> 
> 	[...]
>     Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
>     0x0000555555a0121f in visit_type_BlockdevRef ()
> 	[...]
> 

[...]
 
> Then, invoke the 'blockdev-add' QMP command with these arguments and options:
> 
>     $ socat UNIX:/export/qmp-sock READLINE,history=$HOME/.qmp_history,prompt='QMP> '
>     {"QMP": {"version": {"qemu": {"micro": 0, "minor": 6, "major": 2}, "package": " (qemu-2.6.0-3.fc24)"}, "capabilities": []}}
>     QMP> {"execute":"qmp_capabilities"}
>     {"return": {}}
>     
>     QMP> { "execute": "blockdev-add",
>          "arguments": { "options" : { "driver": "qcow2", 
>                                      "id": "drive-ide1-0-0",
>                                      "file": { "driver": "qcow2",
>                                                "filename": "backup1.qcow2" } } } }
> 

[...]

Related SIGSEGV case:

(1) driver: raw, file: driver: raw

    QMP> { "execute": "blockdev-add",
         "arguments": { "options" : { "driver": "raw", 
                                     "id": "drive-ide1-0-0",
                                     "file": { "driver": "raw",
                                               "filename": "/tmp/test1.raw" } } } }


And below are the *good* cases, where the block device is added
successfully:

(2) driver: qcow2, file: driver: file

    $ qemu-img create -f qcow2 /tmp/test2.qcow2 512M

    QMP> { "execute": "blockdev-add",
         "arguments": { "options" : { "driver": "qcow2", 
                                     "id": "drive-ide2-0-0",
                                     "file": { "driver": "file",
                                               "filename": "/tmp/test2.qcow2" } } } }
    {"return": {}}


(3) driver: raw, file: driver: file

    $ qemu-img create -f raw /tmp/test3.raw 512M

    QMP> { "execute": "blockdev-add",
         "arguments": { "options" : { "driver": "raw", 
                                     "id": "drive-ide3-0-0",
                                     "file": { "driver": "file",
                                               "filename": "/tmp/test3.raw" } } } }
    {"return": {}}

-- 
/kashyap


* Re: [Qemu-devel] Supplying QCOW2 as 'file' driver to `blockdev-add` results in a QEMU crash
  2016-06-15  9:58 [Qemu-devel] Supplying QCOW2 as 'file' driver to `blockdev-add` results in a QEMU crash Kashyap Chamarthy
  2016-06-15 12:02 ` [Qemu-devel] [Qemu-block] " Kashyap Chamarthy
@ 2016-06-15 15:17 ` Max Reitz
  2016-06-15 15:38   ` Eric Blake
  1 sibling, 1 reply; 5+ messages in thread
From: Max Reitz @ 2016-06-15 15:17 UTC (permalink / raw)
  To: Kashyap Chamarthy, qemu-devel; +Cc: armbru, qemu-block, Eric Blake


On 15.06.2016 11:58, Kashyap Chamarthy wrote:
> Seems like supplying "qcow2" file BlockdevDriver option to QMP
> `blockdev-add` results in a SIGSEGV:
> 
> 	[...]
>     Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
>     0x0000555555a0121f in visit_type_BlockdevRef ()
> 	[...]
> 
> Reproducer
> ----------

Even simpler reproducer:

{'execute':'blockdev-add','arguments':{'options':{'driver':'raw'}}}

Seems like a QAPI problem to me, and bisecting yields
dbf11922622685934bfb41e7cf2be9bd4a0405c0 as the culprit.

Max




* Re: [Qemu-devel] Supplying QCOW2 as 'file' driver to `blockdev-add` results in a QEMU crash
  2016-06-15 15:17 ` [Qemu-devel] " Max Reitz
@ 2016-06-15 15:38   ` Eric Blake
  2016-06-15 16:10     ` Eric Blake
  0 siblings, 1 reply; 5+ messages in thread
From: Eric Blake @ 2016-06-15 15:38 UTC (permalink / raw)
  To: Max Reitz, Kashyap Chamarthy, qemu-devel; +Cc: armbru, qemu-block


On 06/15/2016 09:17 AM, Max Reitz wrote:
> On 15.06.2016 11:58, Kashyap Chamarthy wrote:
>> Seems like supplying "qcow2" file BlockdevDriver option to QMP
>> `blockdev-add` results in a SIGSEGV:
>>
>> 	[...]
>>     Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
>>     0x0000555555a0121f in visit_type_BlockdevRef ()
>> 	[...]
>>
>> Reproducer
>> ----------
> 
> Even simpler reproducer:
> 
> {'execute':'blockdev-add','arguments':{'options':{'driver':'raw'}}}
> 
> Seems like a QAPI problem to me, and bisecting yields
> dbf11922622685934bfb41e7cf2be9bd4a0405c0 as the culprit.

I'm looking into it. Thanks for the testcase.


-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org




* Re: [Qemu-devel] Supplying QCOW2 as 'file' driver to `blockdev-add` results in a QEMU crash
  2016-06-15 15:38   ` Eric Blake
@ 2016-06-15 16:10     ` Eric Blake
  0 siblings, 0 replies; 5+ messages in thread
From: Eric Blake @ 2016-06-15 16:10 UTC (permalink / raw)
  To: Max Reitz, Kashyap Chamarthy, qemu-devel; +Cc: armbru, qemu-block


On 06/15/2016 09:38 AM, Eric Blake wrote:
> On 06/15/2016 09:17 AM, Max Reitz wrote:
>> On 15.06.2016 11:58, Kashyap Chamarthy wrote:
>>> Seems like supplying "qcow2" file BlockdevDriver option to QMP
>>> `blockdev-add` results in a SIGSEGV:
>>>
>>> 	[...]
>>>     Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
>>>     0x0000555555a0121f in visit_type_BlockdevRef ()
>>> 	[...]
>>>
>>> Reproducer
>>> ----------
>>
>> Even simpler reproducer:
>>
>> {'execute':'blockdev-add','arguments':{'options':{'driver':'raw'}}}
>>
>> Seems like a QAPI problem to me, and bisecting yields
>> dbf11922622685934bfb41e7cf2be9bd4a0405c0 as the culprit.
> 
> I'm looking into it. Thanks for the testcase.

Okay, the problem is based on error handling - you have a missing 'file'
argument.  That patch consolidated things to do two things at once
instead of two calls where the second was skipped if the first failed;
and now ends up dereferencing NULL.  I didn't notice or test it at the
time, so I get to enhance the testsuite as part of my patch.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
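A hardened model of the visitor path Eric describes, run over the good and bad cases from Kashyap's reply and Max's minimal reproducer; this is an added illustration, not QEMU's generated QAPI code or anything posted in the thread. `Node`, `start_struct`, `visit_blockdev` and `run_case` are hypothetical simplifications: the point is that the result of fetching the mandatory 'file' member is checked before the pointer is dereferenced, and that the walk recurses, so a format driver nested under 'file' (the two `visit_type_BlockdevRef` frames in the backtrace) must itself carry a 'file' member.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for one level of a QMP 'options' object (hypothetical
 * model, not QEMU's QObject or generated QAPI code). */
typedef struct Node {
    const char *driver;
    const char *filename;
    const struct Node *file;   /* NULL when no 'file' member was supplied */
} Node;
static char last_error[96];
/* Model of the visitor step that fetches the mandatory 'file' member: hands it
 * back on success, otherwise records an error and leaves *out NULL.  The
 * crash in the thread came from using *out without checking this result. */
static int start_struct(const Node *parent, const Node **out)
{
    *out = parent->file;
    if (!*out) {
        snprintf(last_error, sizeof last_error, "Parameter 'file' is missing");
        return -1;
    }
    return 0;
}
static int is_format_driver(const char *d)
{
    return strcmp(d, "qcow2") == 0 || strcmp(d, "raw") == 0;
}
/* Hardened walk over the options: check before dereferencing, then recurse,
 * since a format driver under 'file' must itself carry a 'file' member. */
static int visit_blockdev(const Node *n)
{
    const Node *file = NULL;
    if (!is_format_driver(n->driver)) {
        return 0;              /* protocol driver such as "file": nothing nested */
    }
    if (start_struct(n, &file) < 0) {
        return -1;             /* the unchecked code would read file->driver here */
    }
    return visit_blockdev(file);
}

/* Builds the two-level shape from the thread: outer driver, then a 'file' object
 * with inner driver and filename; inner == NULL means no 'file' member at all. */
static int run_case(const char *outer, const char *inner, const char *filename)
{
    Node in = { inner, filename, NULL };
    Node out = { outer, NULL, inner ? &in : NULL };
    last_error[0] = '\0';
    return visit_blockdev(&out);
}
```

With the check in place, `run_case("raw", NULL, NULL)` and the qcow2-under-qcow2 shape return an error string instead of faulting, while the `"file"` protocol driver cases succeed.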



