
qemu-io segfaults at block/io.c:2387 #27

Closed
nasastry opened this issue Oct 30, 2017 · 2 comments

nasastry commented Oct 30, 2017

Mirrored with LTC bug https://bugzilla.linux.ibm.com/show_bug.cgi?id=160753

Reproduction steps:

  1. Copy the attached files named backing_img.qcow2.txt and test.img.txt to a directory.
  2. Rename them:
     mv backing_img.qcow2.txt backing_img.qcow2
     mv test.img.txt test.img
     (P.S. With the filename extensions .qcow2 and .img they could not be attached here, so they were changed to .txt.)
  3. Customize the following command to point to the above directory and run it:
     /usr/bin/qemu-io <path to>/test.img -c "discard 4115456 3203072"

Output of the above command:

qcow2_free_clusters failed: Invalid argument
qcow2: Image is corrupt: Cannot free unaligned cluster 0x3ffffe00; further non-fatal corruption events will be suppressed
qcow2: Marking image as corrupt: Preventing invalid write on metadata (overlaps with refcount table); further corruption events will be suppressed
qcow2_free_clusters failed: Input/output error
qcow2_free_clusters failed: Invalid argument
qcow2_free_clusters failed: Input/output error
qcow2_free_clusters failed: Invalid argument
qcow2_free_clusters failed: Input/output error
Segmentation fault (core dumped)

from gdb:

(gdb) bt
#0  0x000000013017b494 in bdrv_co_pdiscard (bs=0x16083e7a0, offset=7307264, bytes=11264) at block/io.c:2387
#1  0x0000000130167b54 in blk_co_pdiscard (blk=0x16082e4a0, offset=4115456, bytes=<optimized out>) at block/block-backend.c:1445
#2  0x0000000130167c50 in blk_pdiscard_entry (opaque=0x7fffcf42b5d8) at block/block-backend.c:1851
#3  0x000000013023bc38 in coroutine_trampoline (i0=<optimized out>, i1=<optimized out>) at util/coroutine-ucontext.c:79
#4  0x00007fff9cf92b9c in makecontext () from /lib64/libc.so.6
#5  0x0000000000000000 in ?? ()
(gdb) bt full
#0  0x000000013017b494 in bdrv_co_pdiscard (bs=0x16083e7a0, offset=7307264, bytes=11264) at block/io.c:2387
        num = <optimized out>
        req = {bs = 0x16083e7a0, offset = 4115456, bytes = 3203072, type = BDRV_TRACKED_DISCARD, serialising = false, overlap_offset = 4115456,
          overlap_bytes = 3203072, list = {le_next = 0x0, le_prev = 0x160841a18}, co = 0x1608601b0, wait_queue = {entries = {sqh_first = 0x0,
              sqh_last = 0x7fff99ecfe20}}, waiting_for = 0x0}
        max_pdiscard = 2147467264
        ret = <optimized out>
        head = 0
        tail = 11264
        align = 16384
        __PRETTY_FUNCTION__ = "bdrv_co_pdiscard"
#1  0x0000000130167b54 in blk_co_pdiscard (blk=0x16082e4a0, offset=4115456, bytes=<optimized out>) at block/block-backend.c:1445
        ret = <optimized out>
#2  0x0000000130167c50 in blk_pdiscard_entry (opaque=0x7fffcf42b5d8) at block/block-backend.c:1851
        rwco = 0x7fffcf42b5d8
#3  0x000000013023bc38 in coroutine_trampoline (i0=<optimized out>, i1=<optimized out>) at util/coroutine-ucontext.c:79
        arg = {p = 0x1608601b0, i = {1619394992, 1}}
        self = 0x1608601b0
        co = 0x1608601b0
#4  0x00007fff9cf92b9c in makecontext () from /lib64/libc.so.6
No symbol table info available.
#5  0x0000000000000000 in ?? ()
No symbol table info available.

Qemu version:
qemu-2.10.0-2.rel.gitc334a4e.el7.centos.ppc64le

Will attach the required image files.
backing_img.qcow2.txt
test.img.txt

These image files were created by the tests/image_fuzzer code from the qemu source tree.

@cdeadmin

------- Comment From muriloo@br.ibm.com 2017-12-28 12:18:35 EDT-------
This was fixed in HostOS QEMU 2.11.0 by the following commit (which is present in both hostos-devel and -release branches):

https://git.qemu.org/?p=qemu.git;a=commitdiff;h=d470ad42acfc73c45d3e8e

commit d470ad4
Author: Max Reitz <mreitz@redhat.com>
Date: Fri Nov 10 21:31:09 2017 +0100

block: Guard against NULL bs->drv
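
The crash and the fix fit together as follows: the backtrace shows bdrv_co_pdiscard splitting the request into aligned pieces (align=16384, head=0, tail=11264), the qcow2 driver logs its corruption while handling the large first piece and marks the image unusable, and the later piece then dereferences a driver pointer that is no longer there; after the fix the same run ends with "discard failed: No medium found", which is strerror(ENOMEDIUM). The following C program is an added illustration of that pattern, not QEMU's code. The BlockDriver/BlockDriverState structures, the toy driver that detaches itself by clearing bs->drv on corruption while still returning 0 for the chunk, and the chunk loop are all constructed for this example; only the idea of re-checking bs->drv on every iteration and returning -ENOMEDIUM is taken from the commit's subject line and the fixed output.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for QEMU's BlockDriver / BlockDriverState: only the
 * fields this example needs, not the real structures. */
typedef struct BlockDriverState BlockDriverState;

typedef struct BlockDriver {
    /* Discard one chunk; returns 0 or a negative errno. */
    int (*bdrv_co_pdiscard)(BlockDriverState *bs, int64_t offset, int bytes);
} BlockDriver;

struct BlockDriverState {
    BlockDriver *drv;        /* NULL means no driver is attached */
    int64_t total_bytes;
    int64_t corrupt_offset;  /* chunk start that triggers "image is corrupt"; -1 for none */
    int chunks_discarded;
};

#define TOY_ALIGN 16384      /* request alignment, like align=16384 in the backtrace */

/* Toy driver. Assumed behaviour, modelled on the qcow2 messages in the report:
 * hitting the corrupt chunk marks the image unusable by detaching the driver
 * (bs->drv = NULL), but the chunk call itself still returns 0, because the
 * cluster-free failures are only logged as non-fatal. */
static int toy_driver_pdiscard(BlockDriverState *bs, int64_t offset, int bytes)
{
    (void)bytes;
    if (offset == bs->corrupt_offset) {
        fprintf(stderr, "toy: image is corrupt, detaching driver\n");
        bs->drv = NULL;
        return 0;
    }
    bs->chunks_discarded++;
    return 0;
}

static BlockDriver toy_driver = { .bdrv_co_pdiscard = toy_driver_pdiscard };

/* Chunked discard in the spirit of bdrv_co_pdiscard. The point of the example
 * is the check at the top of every iteration: bs->drv must be re-validated
 * after each driver call, because a call can leave the state without a
 * driver. Without it, the third iteration below would dereference NULL,
 * which is the crash in the report. -ENOMEDIUM is what qemu-io prints as
 * "discard failed: No medium found". */
static int guarded_pdiscard(BlockDriverState *bs, int64_t offset, int64_t bytes)
{
    if (offset < 0 || bytes < 0 || offset > bs->total_bytes - bytes) {
        return -EINVAL;
    }
    while (bytes > 0) {
        int num = bytes > TOY_ALIGN ? TOY_ALIGN : (int)bytes;
        int ret;

        if (!bs->drv) {
            return -ENOMEDIUM;    /* the guard the fix adds */
        }
        if (!bs->drv->bdrv_co_pdiscard) {
            return -ENOTSUP;      /* driver does not support discard */
        }
        ret = bs->drv->bdrv_co_pdiscard(bs, offset, num);
        if (ret < 0) {
            return ret;
        }
        offset += num;
        bytes -= num;
    }
    return 0;
}

/* Helper to set up a state for the scenarios below. */
static void toy_bs_init(BlockDriverState *bs, int64_t corrupt_offset)
{
    bs->drv = &toy_driver;
    bs->total_bytes = 64 * TOY_ALIGN;
    bs->corrupt_offset = corrupt_offset;
    bs->chunks_discarded = 0;
}

int main(void)
{
    BlockDriverState bs;

    toy_bs_init(&bs, -1);
    printf("clean image:   ret=%d chunks=%d\n",
           guarded_pdiscard(&bs, 0, 3 * TOY_ALIGN), bs.chunks_discarded);

    toy_bs_init(&bs, TOY_ALIGN);   /* the second chunk is the corrupt one */
    printf("corrupt image: ret=%d chunks=%d (ENOMEDIUM is %d)\n",
           guarded_pdiscard(&bs, 0, 3 * TOY_ALIGN), bs.chunks_discarded, ENOMEDIUM);
    return 0;
}
```

The corrupt run discards one chunk, loses its driver on the second, and the third iteration returns -ENOMEDIUM instead of crashing; the request is reported as failed to the caller, which is what the tester saw in 2.11.0.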


cdeadmin commented Jan 1, 2018

------- Comment From nasastry@in.ibm.com 2018-01-01 01:07:41 EDT-------
Tested with qemu-img-2.11.0-1.rel.gite7153e0.el7.centos.ppc64le; the reported segfault is not seen. This bugzilla can be closed.

/usr/bin/qemu-io /tmp/test.img -c "discard 4115456 3203072"

qcow2_free_clusters failed: Invalid argument
qcow2: Image is corrupt: Cannot free unaligned cluster 0x3ffffe00; further non-fatal corruption events will be suppressed
qcow2: Marking image as corrupt: Preventing invalid write on metadata (overlaps with refcount table); further corruption events will be suppressed
qcow2_free_clusters failed: Input/output error
qcow2_free_clusters failed: Invalid argument
qcow2_free_clusters failed: Input/output error
qcow2_free_clusters failed: Invalid argument
qcow2_free_clusters failed: Input/output error
discard failed: No medium found

@cdeadmin cdeadmin closed this as completed Jan 1, 2018
aik pushed a commit that referenced this issue Jan 31, 2018
Spotted thanks to ASAN:

==25226==ERROR: AddressSanitizer: global-buffer-overflow on address 0x556715a1f120 at pc 0x556714b6f6b1 bp 0x7ffcdfac1360 sp 0x7ffcdfac1350
READ of size 1 at 0x556715a1f120 thread T0
    #0 0x556714b6f6b0 in init_disasm /home/elmarco/src/qemu/disas/s390.c:219
    #1 0x556714b6fa6a in print_insn_s390 /home/elmarco/src/qemu/disas/s390.c:294
    #2 0x55671484d031 in monitor_disas /home/elmarco/src/qemu/disas.c:635
    #3 0x556714862ec0 in memory_dump /home/elmarco/src/qemu/monitor.c:1324
    #4 0x55671486342a in hmp_memory_dump /home/elmarco/src/qemu/monitor.c:1418
    #5 0x5567148670be in handle_hmp_command /home/elmarco/src/qemu/monitor.c:3109
    #6 0x5567148674ed in qmp_human_monitor_command /home/elmarco/src/qemu/monitor.c:613
    #7 0x556714b00918 in qmp_marshal_human_monitor_command /home/elmarco/src/qemu/build/qmp-marshal.c:1704
    #8 0x556715138a3e in do_qmp_dispatch /home/elmarco/src/qemu/qapi/qmp-dispatch.c:104
    #9 0x556715138f83 in qmp_dispatch /home/elmarco/src/qemu/qapi/qmp-dispatch.c:131
    #10 0x55671485cf88 in handle_qmp_command /home/elmarco/src/qemu/monitor.c:3839
    #11 0x55671514e80b in json_message_process_token /home/elmarco/src/qemu/qobject/json-streamer.c:105
    #12 0x5567151bf2dc in json_lexer_feed_char /home/elmarco/src/qemu/qobject/json-lexer.c:323
    #13 0x5567151bf827 in json_lexer_feed /home/elmarco/src/qemu/qobject/json-lexer.c:373
    #14 0x55671514ee62 in json_message_parser_feed /home/elmarco/src/qemu/qobject/json-streamer.c:124
    #15 0x556714854b1f in monitor_qmp_read /home/elmarco/src/qemu/monitor.c:3881
    #16 0x556715045440 in qemu_chr_be_write_impl /home/elmarco/src/qemu/chardev/char.c:172
    #17 0x556715047184 in qemu_chr_be_write /home/elmarco/src/qemu/chardev/char.c:184
    #18 0x55671505a8e6 in tcp_chr_read /home/elmarco/src/qemu/chardev/char-socket.c:440
    #19 0x5567150943c3 in qio_channel_fd_source_dispatch /home/elmarco/src/qemu/io/channel-watch.c:84
    #20 0x7fb90292b90b in g_main_dispatch ../glib/gmain.c:3182
    #21 0x7fb90292c7ac in g_main_context_dispatch ../glib/gmain.c:3847
    #22 0x556715162eca in glib_pollfds_poll /home/elmarco/src/qemu/util/main-loop.c:214
    #23 0x556715163001 in os_host_main_loop_wait /home/elmarco/src/qemu/util/main-loop.c:261
    #24 0x5567151631fa in main_loop_wait /home/elmarco/src/qemu/util/main-loop.c:515
    #25 0x556714ad6d3b in main_loop /home/elmarco/src/qemu/vl.c:1950
    #26 0x556714ade329 in main /home/elmarco/src/qemu/vl.c:4865
    #27 0x7fb8fe5c9009 in __libc_start_main (/lib64/libc.so.6+0x21009)
    #28 0x5567147af4d9 in _start (/home/elmarco/src/qemu/build/s390x-softmmu/qemu-system-s390x+0xf674d9)

0x556715a1f120 is located 32 bytes to the left of global variable 'char_hci_type_info' defined in '/home/elmarco/src/qemu/hw/bt/hci-csr.c:493:23' (0x556715a1f140) of size 104
0x556715a1f120 is located 8 bytes to the right of global variable 's390_opcodes' defined in '/home/elmarco/src/qemu/disas/s390.c:860:33' (0x556715a15280) of size 40600

This fix is based on Andreas Arnez <arnez@linux.vnet.ibm.com> upstream
commit:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=9ace48f3d7d80ce09c5df60cccb433470410b11b

2014-08-19  Andreas Arnez  <arnez@linux.vnet.ibm.com>

       * s390-dis.c (init_disasm): Simplify initialization of
       opc_index[].  This also fixes an access after the last element
       of s390_opcodes[].

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20180104160523.22995-19-marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
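
The ASAN report above says the read landed 8 bytes past the end of s390_opcodes[], and the ChangeLog entry says the fix simplifies the initialisation of opc_index[] so that it no longer accesses the element after the last one. The C program below is an added example of that data structure, not the binutils or QEMU code: a first-occurrence index from a table sorted by primary opcode byte, built two ways. Variant A uses a look-ahead at p[1], the kind of loop that walks off the end of the table if the look-ahead is not bounded, and bounds it; Variant B is a single backward pass with no look-ahead, which is my reading of what "simplify initialization" means rather than a copy of the patch. The toy_opcode layout, the entries, and the TOY_NO_ENTRY sentinel are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed opcode table: a tiny stand-in for s390_opcodes[], sorted by
 * primary opcode byte. Names and bytes are made up for this example. */
typedef struct toy_opcode {
    const char *name;
    uint8_t opcode[6];   /* opcode[0] is the primary opcode byte */
    uint8_t length;      /* instruction length in bytes */
} toy_opcode;

static const toy_opcode toy_opcodes[] = {
    { "bcr",   { 0x07 }, 2 },
    { "nopr",  { 0x07 }, 2 },
    { "lr",    { 0x18 }, 2 },
    { "st",    { 0x50 }, 4 },
    { "l",     { 0x58 }, 4 },
    { "lpswe", { 0xb2 }, 4 },
    { "stck",  { 0xb2 }, 4 },
    { "lg",    { 0xe3 }, 6 },
};
#define TOY_NUM_OPCODES ((int)(sizeof(toy_opcodes) / sizeof(toy_opcodes[0])))

/* opc_index[b] is the index of the first entry whose primary byte is b, or
 * TOY_NO_ENTRY when no entry starts with b (a sentinel chosen here so that
 * "no entry" is distinguishable from entry 0). */
#define TOY_NO_ENTRY TOY_NUM_OPCODES
static int opc_index[256];

/* Variant A: bounded look-ahead. The overflow in the report is what happens
 * when a loop of this shape compares p[1] without first checking that p + 1
 * is still inside the table; here the check comes first. */
static void init_index_lookahead(void)
{
    const toy_opcode *p, *end = toy_opcodes + TOY_NUM_OPCODES;
    int i;
    for (i = 0; i < 256; i++) opc_index[i] = TOY_NO_ENTRY;
    for (p = toy_opcodes; p < end; p++) {
        opc_index[p->opcode[0]] = (int)(p - toy_opcodes);
        /* skip the rest of this run; p + 1 < end is evaluated before p[1] */
        while (p + 1 < end && p[1].opcode[0] == p->opcode[0]) {
            p++;
        }
    }
}

/* Variant B: one backward pass, no look-ahead at all. Walking from the last
 * entry to the first means the lowest index of each run is written last and
 * therefore wins, and nothing beyond the current element is ever read. */
static void init_index_backward(void)
{
    const toy_opcode *p;
    int i;
    for (i = 0; i < 256; i++) opc_index[i] = TOY_NO_ENTRY;
    for (p = toy_opcodes + TOY_NUM_OPCODES; p > toy_opcodes; p--) {
        opc_index[p[-1].opcode[0]] = (int)(p - 1 - toy_opcodes);
    }
}

/* Use the index the way a disassembler would: first candidate for a byte. */
static const toy_opcode *lookup(uint8_t first_byte)
{
    int idx = opc_index[first_byte];
    return idx == TOY_NO_ENTRY ? NULL : &toy_opcodes[idx];
}

/* Returns 1 when both initialisations produce the same index, 0 otherwise. */
static int variants_agree(void)
{
    int a[256], i;
    init_index_lookahead();
    memcpy(a, opc_index, sizeof(a));
    init_index_backward();
    for (i = 0; i < 256; i++) {
        if (a[i] != opc_index[i]) return 0;
    }
    return 1;
}

int main(void)
{
    const toy_opcode *op;
    printf("variants agree: %d\n", variants_agree());
    op = lookup(0xb2);
    printf("0xb2 -> %s (index %d)\n", op ? op->name : "(none)", opc_index[0xb2]);
    printf("0x00 -> %s\n", lookup(0x00) ? "found" : "(none)");
    return 0;
}
```

With a real table of several thousand entries the backward pass is also the simpler loop to audit: a single pointer that only moves toward the start of the array cannot overrun it.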