[Qemu-devel] [Bug 865518] Re: qemu segfaults when writing to very large qcow2 disk
Fix has been included here: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=2cf7cfa1cde6672b8a35b ... so I think it should be OK to close this ticket now. ** Changed in: qemu Status: New => Fix Released -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/865518 Title: qemu segfaults when writing to very large qcow2 disk Status in QEMU: Fix Released Bug description: Create a ridiculously large qcow2 disk: qemu-img create -f qcow2 test1.img $((2**63-513)) Attach it to a guest and try to use parted to partition it. This is easy with virt-rescue: you just do: virt-rescue test1.img > parted /dev/vda mklabel gpt <-- bang! qemu segfaults here The stack trace is: Program received signal SIGSEGV, Segmentation fault. 0x00434cac in get_cluster_table (bs=0x3193030, offset= 9223372036854764544, new_l2_table=0x591e3c8, new_l2_offset=0x591e3c0, new_l2_index=0x591e408) at block/qcow2-cluster.c:506 506 l2_offset = s->l1_table[l1_index]; (gdb) bt #0 0x00434cac in get_cluster_table (bs=0x3193030, offset= 9223372036854764544, new_l2_table=0x591e3c8, new_l2_offset=0x591e3c0, new_l2_index=0x591e408) at block/qcow2-cluster.c:506 #1 0x0043535b in qcow2_alloc_cluster_offset (bs=0x3193030, offset= 9223372036854764544, n_start=106, n_end=126, num=0x591e4e8, m=0x591e470) at block/qcow2-cluster.c:719 #2 0x0043b8d4 in qcow2_co_writev (bs=0x3193030, sector_num= 18014398509481962, remaining_sectors=20, qiov=0x4a81ee0) at block/qcow2.c:554 #3 0x00428691 in bdrv_co_rw (opaque=0x38bad10) at block.c:2781 #4 0x0046e03a in coroutine_trampoline (i0=59487248, i1=0) at coroutine-ucontext.c:125 #5 0x0034dc6471b0 in ?? () from /lib64/libc.so.6 #6 0x7fff76cbb430 in ?? () #7 0x in ?? () This is qemu from git (8f440cda08c6df574 from 2011-09-29) To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/865518/+subscriptions
Re: [Qemu-devel] [Bug 865518] Re: qemu segfaults when writing to very large qcow2 disk
On 05/11/13 10:16, Richard Jones wrote: > Still happening in upstream qemu from git: > > Program terminated with signal 11, Segmentation fault. > #0 0x7f4f86c721a0 in get_cluster_table (bs=bs@entry=0x7f4f886e7880, > offset=offset@entry=1152921504606834688, > new_l2_table=new_l2_table@entry=0x7f4f8ad9a0b0, > new_l2_index=new_l2_index@entry=0x7f4f8ad9a0ac) > at block/qcow2-cluster.c:525 > 525 l2_offset = s->l1_table[l1_index] & L1E_OFFSET_MASK; Supposing that line 517 doesn't overflow "l1_index" for starters (which is an uint32_t in practice), line 519 converts "l1_index + 1" to "signed int". If the "min_size" parameter of qcow2_grow_l1_table() is negative, then the function won't do anything. Laszlo
[Qemu-devel] [Bug 865518] Re: qemu segfaults when writing to very large qcow2 disk
Still happening in upstream qemu from git: Program terminated with signal 11, Segmentation fault. #0 0x7f4f86c721a0 in get_cluster_table (bs=bs@entry=0x7f4f886e7880, offset=offset@entry=1152921504606834688, new_l2_table=new_l2_table@entry=0x7f4f8ad9a0b0, new_l2_index=new_l2_index@entry=0x7f4f8ad9a0ac) at block/qcow2-cluster.c:525 525 l2_offset = s->l1_table[l1_index] & L1E_OFFSET_MASK; Missing separate debuginfos, use: debuginfo-install SDL-1.2.15-3.fc18.x86_64 bluez-libs-4.101-6.fc18.x86_64 brlapi-0.5.6-12.fc18.x86_64 celt051-0.5.1.3-5.fc18.x86_64 ceph-devel-0.56.3-1.fc18.x86_64 ceph-libs-0.56.3-1.fc18.x86_64 cryptopp-5.6.1-8.fc18.x86_64 cyrus-sasl-lib-2.1.25-2.fc18.x86_64 leveldb-1.7.0-4.fc18.x86_64 libfdt-1.3.0-5.fc18.x86_64 libseccomp-1.0.1-0.fc18.x86_64 libselinux-2.1.12-7.3.fc18.x86_64 libusbx-1.0.14-1.fc18.x86_64 snappy-1.0.5-2.fc18.x86_64 spice-server-0.12.2-3.fc18.x86_64 usbredir-0.6-1.fc18.x86_64 xen-libs-4.2.1-9.fc18.x86_64 (gdb) bt #0 0x7f4f86c721a0 in get_cluster_table (bs=bs@entry=0x7f4f886e7880, offset=offset@entry=1152921504606834688, new_l2_table=new_l2_table@entry= 0x7f4f8ad9a0b0, new_l2_index=new_l2_index@entry=0x7f4f8ad9a0ac) at block/qcow2-cluster.c:525 #1 0x7f4f86c72fa3 in handle_copied (m=, bytes=, host_offset=, guest_offset= 1152921504606834688, bs=0x7f4f886e7880) at block/qcow2-cluster.c:873 #2 qcow2_alloc_cluster_offset (bs=bs@entry=0x7f4f886e7880, offset=, offset@entry=1152921504606834688, n_start=n_start@entry=104, n_end=, num=num@entry= 0x7f4f8ad9a14c, host_offset=host_offset@entry=0x7f4f8ad9a150, m=m@entry= 0x7f4f8ad9a158) at block/qcow2-cluster.c:1217 #3 0x7f4f86c773b3 in qcow2_co_writev (bs=0x7f4f886e7880, sector_num= 2251799813685224, remaining_sectors=24, qiov=0x7f4f88d88f98) at block/qcow2.c:819 #4 0x7f4f86c638d5 in bdrv_co_do_writev (bs=0x7f4f886e7880, sector_num= 2251799813685224, nb_sectors=24, qiov=0x7f4f88d88f98, flags=flags@entry= (unknown: 0)) at block.c:2625 #5 0x7f4f86c63a38 in bdrv_co_do_rw (opaque=0x7f4f88e16160) at block.c:4139 #6 0x7f4f86c9a19a in coroutine_trampoline (i0=, i1=) at coroutine-ucontext.c:118 #7 0x7f4f7fd776c0 in ?? () from /lib64/libc.so.6 #8 0x7fff125e6620 in ?? () #9 0x in ?? () -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/865518 Title: qemu segfaults when writing to very large qcow2 disk Status in QEMU: New Bug description: Create a ridiculously large qcow2 disk: qemu-img create -f qcow2 test1.img $((2**63-513)) Attach it to a guest and try to use parted to partition it. This is easy with virt-rescue: you just do: virt-rescue test1.img > parted /dev/vda mklabel gpt <-- bang! qemu segfaults here The stack trace is: Program received signal SIGSEGV, Segmentation fault. 0x00434cac in get_cluster_table (bs=0x3193030, offset= 9223372036854764544, new_l2_table=0x591e3c8, new_l2_offset=0x591e3c0, new_l2_index=0x591e408) at block/qcow2-cluster.c:506 506 l2_offset = s->l1_table[l1_index]; (gdb) bt #0 0x00434cac in get_cluster_table (bs=0x3193030, offset= 9223372036854764544, new_l2_table=0x591e3c8, new_l2_offset=0x591e3c0, new_l2_index=0x591e408) at block/qcow2-cluster.c:506 #1 0x0043535b in qcow2_alloc_cluster_offset (bs=0x3193030, offset= 9223372036854764544, n_start=106, n_end=126, num=0x591e4e8, m=0x591e470) at block/qcow2-cluster.c:719 #2 0x0043b8d4 in qcow2_co_writev (bs=0x3193030, sector_num= 18014398509481962, remaining_sectors=20, qiov=0x4a81ee0) at block/qcow2.c:554 #3 0x00428691 in bdrv_co_rw (opaque=0x38bad10) at block.c:2781 #4 0x0046e03a in coroutine_trampoline (i0=59487248, i1=0) at coroutine-ucontext.c:125 #5 0x0034dc6471b0 in ?? () from /lib64/libc.so.6 #6 0x7fff76cbb430 in ?? () #7 0x in ?? () This is qemu from git (8f440cda08c6df574 from 2011-09-29) To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/865518/+subscriptions
[Qemu-devel] [Bug 865518] Re: qemu segfaults when writing to very large qcow2 disk
Simple reproducer using only qemu tools: $ qemu-img create -f qcow2 huge.qcow2 $((1024*1024))T Formatting 'huge.qcow2', fmt=qcow2 size=1152921504606846976 encryption=off cluster_size=65536 lazy_refcounts=off $ qemu-io /tmp/huge.qcow2 -c "write $((1024*1024*1024*1024*1024*1024 - 1024)) 512" Segmentation fault -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/865518 Title: qemu segfaults when writing to very large qcow2 disk Status in QEMU: New Bug description: Create a ridiculously large qcow2 disk: qemu-img create -f qcow2 test1.img $((2**63-513)) Attach it to a guest and try to use parted to partition it. This is easy with virt-rescue: you just do: virt-rescue test1.img > parted /dev/vda mklabel gpt <-- bang! qemu segfaults here The stack trace is: Program received signal SIGSEGV, Segmentation fault. 0x00434cac in get_cluster_table (bs=0x3193030, offset= 9223372036854764544, new_l2_table=0x591e3c8, new_l2_offset=0x591e3c0, new_l2_index=0x591e408) at block/qcow2-cluster.c:506 506 l2_offset = s->l1_table[l1_index]; (gdb) bt #0 0x00434cac in get_cluster_table (bs=0x3193030, offset= 9223372036854764544, new_l2_table=0x591e3c8, new_l2_offset=0x591e3c0, new_l2_index=0x591e408) at block/qcow2-cluster.c:506 #1 0x0043535b in qcow2_alloc_cluster_offset (bs=0x3193030, offset= 9223372036854764544, n_start=106, n_end=126, num=0x591e4e8, m=0x591e470) at block/qcow2-cluster.c:719 #2 0x0043b8d4 in qcow2_co_writev (bs=0x3193030, sector_num= 18014398509481962, remaining_sectors=20, qiov=0x4a81ee0) at block/qcow2.c:554 #3 0x00428691 in bdrv_co_rw (opaque=0x38bad10) at block.c:2781 #4 0x0046e03a in coroutine_trampoline (i0=59487248, i1=0) at coroutine-ucontext.c:125 #5 0x0034dc6471b0 in ?? () from /lib64/libc.so.6 #6 0x7fff76cbb430 in ?? () #7 0x in ?? () This is qemu from git (8f440cda08c6df574 from 2011-09-29) To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/865518/+subscriptions
