Ceph » rbd

If rbd_diff_iterate2() is called on an image offset that doesn't correspond to an object boundary, the callback is invoked with an incorrect image offset.

For example, assuming a fully allocated image, a diff request for 806354944~57344 results in offs=807403520, len=57344, exists=true invocation, which is "ahead" by 1048576 bytes (because 806354944 happens to be 1048576 bytes "in" the corresponding object).

This occurs only in fast-diff mode, for a diff request on an image with the fast-diff feature disabled or if whole_object is set to false the invocation is correct.

This bug goes back to the introduction of fast-diff mode in 2015. We didn't see it before because normally diff requests are large and start at object size boundaries, most often at the beginning of the image. However in QEMU 6.2 we started using rbd_diff_iterate2() in fast-diff mode for bdrv_co_block_status reporting and some QEMU block layer configurations can generate a slew of small diff requests that are very likely to start at an arbitrary offset. One example is a local QCOW snapshot layered on top of an RBD image:

$ qemu-img create -f qcow2 -F raw -b rbd:rbd/base snap.qcow2

An incorrect offset reported by rbd_diff_iterate2() is sometimes caught by assert:

qemu-kvm: ../block/rbd.c:1355: int qemu_rbd_co_block_status(BlockDriverState *, _Bool, int64_t, int64_t, int64_t *, int64_t *, BlockDriverState **): Assertion `req.bytes <= bytes' failed.

If not caught, it can result in data corruption in the snapshot.