From: Consul
Date: Thu, 12 Feb 2009 15:19:32 -0800
Subject: [Qemu-devel] Re: qcow2 corruption observed, fixed by reverting old change
To: qemu-devel@nongnu.org
Cc: kvm@vger.kernel.org
Reply-To: qemu-devel@nongnu.org
List-Id: qemu-devel.nongnu.org
References: <20090211070049.GA27821@shareable.org> <4992A108.8070304@suse.de> <20090211114126.GC31997@shareable.org> <4992C77D.4030104@suse.de> <20090211164814.GA7161@shareable.org>

Consul wrote:
> Jamie Lokier wrote:
>>
>> It was just for clarity. If there are any bugs it's more likely to be
>> truncation on a 32 bit host :-)
>>
> Maybe not a proper fix, do you see the same "corruption" with this patch?
> I don't know if it causes any memory leaks, but it certainly clears the
> segfaults while running my old qcow2 windows images. Perhaps this is a
> wrong place to free() or it needs a condition?
>
> $ svn diff block.c
> Index: block.c
> ===================================================================
> --- block.c (revision 6618)
> +++ block.c (working copy)
> @@ -1263,7 +1263,7 @@
>      if (!s->is_write) {
>          qemu_iovec_from_buffer(s->iov, s->bounce, s->iov->size);
>      }
> -    qemu_free(s->bounce);
> +    //qemu_free(s->bounce);
>      s->this_aiocb->cb(s->this_aiocb->opaque, ret);
>      qemu_aio_release(s->this_aiocb);
>  }
>
> In fact, s->bounce == 0xf270000 looks suspicious to me. Perhaps there is a
> 64/32 bit conversion error somewhere?

(gdb)
Num     Type           Disp Enb Address    What
1       breakpoint     keep y   0x004035ac in qemu_bh_poll at c:/test/qemu/vl.c:3342
        stop only if bh->opaque==0xee9d440
(gdb)
The program being debugged has been started already.
Start it from the beginning? (y or n) [answered Y; input not from terminal]
Starting program: c:\test\qemu/i386-softmmu/qemu.exe -L c:\\qemu-dist -hda C:\\qemu-img\\qem8D.tmp -m 512 -boot c -loadvm 1
[New thread 5188.0x180]
[New thread 5188.0xea0]
[New thread 5188.0x1608]

Breakpoint 1, qemu_bh_poll () at c:/test/qemu/vl.c:3342
3342        bh->cb(bh->opaque);
(gdb)
#0  qemu_bh_poll () at c:/test/qemu/vl.c:3342
#1  0x00403a9a in main_loop_wait (timeout=0) at c:/test/qemu/vl.c:3745
#2  0x00407bf5 in main (argc=11, argv=0x3e27c0, envp=0xccc359ff) at c:/test/qemu/vl.c:3888
(gdb)
qcow_aio_read_bh (opaque=0xee9d440) at block-qcow2.c:1194
1194        qemu_bh_delete(acb->bh);
(gdb)
qemu_bh_delete (bh=0xe41b2f8) at c:/test/qemu/vl.c:3391
3391        bh->scheduled = 0;
(gdb)
3392        bh->deleted = 1;
(gdb)
3393    }
(gdb)
qcow_aio_read_bh (opaque=0xee9d440) at block-qcow2.c:1195
1195        acb->bh = NULL;
(gdb)
1196        qcow_aio_read_cb(opaque, 0);
(gdb)
qcow_aio_read_cb (opaque=0xee9d440, ret=0) at block-qcow2.c:1215
1215        QCowAIOCB *acb = opaque;
(gdb)
1216        BlockDriverState *bs = acb->common.bs;
(gdb)
1217        BDRVQcowState *s = bs->opaque;
(gdb)
1220        acb->hd_aiocb = NULL;
(gdb)
1221        if (ret < 0) {
(gdb)
1217        BDRVQcowState *s = bs->opaque;
(gdb)
1229        if (!acb->cluster_offset) {
(gdb)
1231        } else if (acb->cluster_offset & QCOW_OFLAG_COMPRESSED) {
(gdb)
1241        acb->nb_sectors -= acb->n;
(gdb)
1242        acb->sector_num += acb->n;
(gdb)
1243        acb->buf += acb->n * 512;
(gdb)
1245        if (acb->nb_sectors == 0) {
(gdb)
1247            acb->common.cb(acb->common.opaque, 0);
(gdb)
qcow_aio_read_cb (opaque=0xee9d3d0, ret=0) at block-qcow2.c:1215
1215        QCowAIOCB *acb = opaque;
(gdb)
1216        BlockDriverState *bs = acb->common.bs;
(gdb)
1217        BDRVQcowState *s = bs->opaque;
(gdb)
1220        acb->hd_aiocb = NULL;
(gdb)
1221        if (ret < 0) {
(gdb)
1217        BDRVQcowState *s = bs->opaque;
(gdb)
1229        if (!acb->cluster_offset) {
(gdb)
1241        acb->nb_sectors -= acb->n;
(gdb)
1242        acb->sector_num += acb->n;
(gdb)
1243        acb->buf += acb->n * 512;
(gdb)
1245        if (acb->nb_sectors == 0) {
(gdb)
1247            acb->common.cb(acb->common.opaque, 0);
(gdb)
bdrv_aio_rw_vector_cb (opaque=0xe41b2c8, ret=0) at block.c:1261
1261        VectorTranslationState *s = opaque;
(gdb)
1263        if (!s->is_write) {
(gdb)
1264            qemu_iovec_from_buffer(s->iov, s->bounce, s->iov->size);
(gdb)
qemu_iovec_from_buffer (qiov=0xe412b9c, buf=0xf270000, count=512) at cutils.c:155
155         for (i = 0; i < qiov->niov && count; ++i) {
(gdb)
151         const uint8_t *p = (const uint8_t *)buf;
(gdb)
157             if (copy > qiov->iov[i].iov_len)
(gdb)
159             memcpy(qiov->iov[i].iov_base, p, copy);
(gdb)
160             p += copy;
(gdb)
155         for (i = 0; i < qiov->niov && count; ++i) {
(gdb)
163     }
(gdb)
bdrv_aio_rw_vector_cb (opaque=0xe41b2c8, ret=0) at block.c:1266
1266        qemu_free(s->bounce);
(gdb)
qemu_free (ptr=0xf270000) at qemu-malloc.c:41
41          free(ptr);
(gdb)

Program received signal SIGSEGV, Segmentation fault.
0x7c96d811 in ntdll!RtlpNtMakeTemporaryKey () from C:\WINNT\system32\ntdll.dll
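Review bot: commenting out `qemu_free(s->bounce);` in the bdrv_aio_rw_vector_cb hunk (block.c:1266) leaks the bounce buffer on every completed vectored request and only hides the fault, so it should not go in as-is. The trace above shows the copy itself is fine: qemu_iovec_from_buffer reads 512 bytes from buf=0xf270000 without faulting, and the SIGSEGV only appears once `free(ptr=0xf270000)` runs inside ntdll. That pattern (readable buffer, crash inside free) is what a pointer that did not come from malloc, or heap metadata damaged earlier, looks like; 0xf270000 is 64 KiB-aligned, so it is worth checking whether s->bounce is obtained from an aligned allocator in bdrv_aio_rw_vector and must be released with that allocator's matching free rather than qemu_free. If a line has to be disabled while bisecting, delete it or wrap it in `#if 0` instead of leaving a `//` comment in the diff.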