SIGSEGV in memcpy in v9fs_co_readdir_many Description of problem: When running btrfs tests in vm (using `virtme`-like setup with 9pfs) occasionally qemu crashes with (`coredumpctl info` output): ``` ... Message: Process 1764494 (qemu-system-x86) of user 502 dumped core. Stack trace of thread 1764817: #0 0x00005555559ebeed v9fs_co_readdir_many (/usr/bin/qemu-system-x86_64 + 0x497eed) #1 0x00005555559ec2e9 v9fs_readdir (/usr/bin/qemu-system-x86_64 + 0x4982e9) #2 0x0000555555eb7983 coroutine_trampoline (/usr/bin/qemu-system-x86_64 + 0x963983) #3 0x00007ffff73e0be0 n/a (n/a + 0x0) ``` Additional information: coredumpctl debug: ``` Failed to read a valid object file image from memory. Core was generated by `qemu-system-x86_64 -enable-kvm -m 40270M -smp cores=20 -nodefaults -nographic -'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x00005555559ebeed in memcpy (__len=, __src=, __dest=, __dest=, __src=, __len=) at /usr/include/bits/string_fortified.h:29 29 return __builtin___memcpy_chk (__dest, __src, __len, [Current thread is 1 (LWP 1764817)] (gdb) list ../hw/9pfs/codir.c:147 142 *entries = e = g_malloc0(sizeof(V9fsDirEnt)); 143 } else { 144 e = e->next = g_malloc0(sizeof(V9fsDirEnt)); 145 } 146 e->dent = g_malloc0(sizeof(struct dirent)); 147 memcpy(e->dent, dent, sizeof(struct dirent)); 148 149 /* perform a full stat() for directory entry if requested by caller */ 150 if (dostat) { 151 err = s->ops->name_to_path( (gdb) bt #0 0x00005555559ebeed in memcpy (__len=, __src=, __dest=, __dest=, __src=, __len=) at /usr/include/bits/string_fortified.h:29 #1 do_readdir_many (dostat=, maxsize=, offset=, entries=, fidp=, pdu=0x555557353500) at ../hw/9pfs/codir.c:147 #2 v9fs_co_readdir_many (pdu=pdu@entry=0x555557353500, fidp=fidp@entry=0x555556cdd280, entries=entries@entry=0x7ff5bf7f7f58, offset=, maxsize=, dostat=) at ../hw/9pfs/codir.c:226 #3 0x00005555559ec2e9 in v9fs_do_readdir (max_count=, offset=, fidp=0x555556cdd280, pdu=0x555557353500) at ../hw/9pfs/9p.c:2430 #4 v9fs_readdir (opaque=0x555557353500) at ../hw/9pfs/9p.c:2543 #5 0x0000555555eb7983 in coroutine_trampoline (i0=, i1=) at ../util/coroutine-ucontext.c:173 #6 0x00007ffff73e0be0 in ?? () #7 0x00007fffffffd480 in ?? () #8 0x0000000000000000 in ?? () (gdb) x/11i 0x00005555559ebeed - 27 0x5555559ebed2 : call 0x555555928480 0x5555559ebed7 : mov %rbp,%rsi 0x5555559ebeda : mov %rax,(%r12) 0x5555559ebede : mov 0x0(%rbp),%rdx 0x5555559ebee2 : lea 0x8(%rax),%rdi 0x5555559ebee6 : and $0xfffffffffffffff8,%rdi 0x5555559ebeea : mov %rdx,(%rax) => 0x5555559ebeed : mov 0x110(%rbp),%rdx 0x5555559ebef4 : mov %rdx,0x110(%rax) 0x5555559ebefb : sub %rdi,%rax 0x5555559ebefe : sub %rax,%rsi (gdb) i r rdx rax rip rdx 0x29287d 2697341 rax 0x7ff4bc12ccf0 140689104096496 rip 0x5555559ebeed 0x5555559ebeed (gdb) x/11x 0x7ff4bc12ccf0 0x7ff4bc12ccf0: 0x0029287d 0x00000000 0x00000000 0x00000000 0x7ff4bc12cd00: 0x00000000 0x00000000 0x00000000 0x00000000 0x7ff4bc12cd10: 0x00000000 0x00000000 0x00000000 (gdb) frame 1 #1 do_readdir_many (dostat=, maxsize=, offset=, entries=, fidp=, pdu=0x555557353500) at ../hw/9pfs/codir.c:147 147 memcpy(e->dent, dent, sizeof(struct dirent)); (gdb) p e $3 = (struct V9fsDirEnt *) 0x7ff4bc12caa0 (gdb) p e->dent $4 = (struct dirent *) 0x7ff4bc12ccf0 (gdb) p dent $5 = (struct dirent *) 0x7ff4ec04cef0 ```