Bug 1220809

Summary: libvirtd crashed when attaching an RNG device failed
Product: Red Hat Enterprise Linux 7
Reporter: Luyao Huang <lhuang>
Component: libvirt
Assignee: Michal Privoznik <mprivozn>
Status: CLOSED ERRATA
QA Contact: Virtualization Bugs <virt-bugs>
Severity: high
Priority: high
Version: 7.2
CC: dyuan, fjin, honzhang, mprivozn, mzhan, rbalakri
Target Milestone: rc
Keywords: Upstream
Hardware: x86_64
OS: Linux
Fixed In Version: libvirt-1.2.16-1.el7
Doc Type: Bug Fix
Last Closed: 2015-11-19 06:30:59 UTC
Type: Bug

Description Luyao Huang 2015-05-12 13:46:30 UTC
Description of problem:
libvirtd crashed when attaching an RNG device failed

Version-Release number of selected component (if applicable):
libvirt-1.2.15-1.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Prepare an RNG device that has an invalid PCI address (or an already used address)
# cat rng.xml 
    <rng model='virtio'>
      <backend model='random'>/dev/random</backend>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
    </rng>


2. # virsh attach-device test3 rng.xml --config
error: Failed to attach device from rng.xml
error: End of file while reading data: Input/output error

3.

Actual results:
libvirtd crashed when attaching an RNG device failed

Expected results:
Report an error instead of crashing

Additional info:

Program received signal SIGABRT, Aborted.
0x00007fb7ce9055d7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) bt
#0  0x00007fb7ce9055d7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007fb7ce906cc8 in __GI_abort () at abort.c:90
#2  0x00007fb7ce945e07 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7fb7cea4e8c8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:196
#3  0x00007fb7ce94d1fd in malloc_printerr (ptr=<optimized out>, str=0x7fb7cea4e938 "double free or corruption (fasttop)", action=3) at malloc.c:4972
#4  _int_free (av=0x7fb7b0000020, p=<optimized out>, have_lock=0) at malloc.c:3804
#5  0x00007fb7d180ac8a in virFree (ptrptr=ptrptr@entry=0x7fb7c248d968) at util/viralloc.c:582
#6  0x00007fb7d1895cdd in virDomainRNGDefFree (def=0x7fb7b0275770) at conf/domain_conf.c:19786
#7  0x00007fb7d1895d99 in virDomainDeviceDefFree (def=def@entry=0x7fb7b0231aa0) at conf/domain_conf.c:2022
#8  0x00007fb7b92b8baf in qemuDomainAttachDeviceFlags (dom=<optimized out>, xml=<optimized out>, flags=<optimized out>) at qemu/qemu_driver.c:8785
#9  0x00007fb7d190c5d7 in virDomainAttachDeviceFlags (domain=domain@entry=0x7fb7b0281520, 
    xml=0x7fb7b0290c40 "    <rng model='virtio'>\n      <backend model='random'>/dev/random</backend>\n      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>\n    </rng>\n\n", 
    flags=2) at libvirt-domain.c:8488
#10 0x00007fb7d23af9d2 in remoteDispatchDomainAttachDeviceFlags (server=0x7fb7d2e8eeb0, msg=0x7fb7d2e8fff0, args=0x7fb7b0257690, rerr=0x7fb7c248dc70, client=<optimized out>) at remote_dispatch.h:2842
#11 remoteDispatchDomainAttachDeviceFlagsHelper (server=0x7fb7d2e8eeb0, client=<optimized out>, msg=0x7fb7d2e8fff0, rerr=0x7fb7c248dc70, args=0x7fb7b0257690, ret=0x7fb7b0158d00) at remote_dispatch.h:2818
#12 0x00007fb7d196ec82 in virNetServerProgramDispatchCall (msg=0x7fb7d2e8fff0, client=0x7fb7d2ea8350, server=0x7fb7d2e8eeb0, prog=0x7fb7d2ea3900) at rpc/virnetserverprogram.c:437
#13 virNetServerProgramDispatch (prog=0x7fb7d2ea3900, server=server@entry=0x7fb7d2e8eeb0, client=0x7fb7d2ea8350, msg=0x7fb7d2e8fff0) at rpc/virnetserverprogram.c:307
#14 0x00007fb7d23cc60d in virNetServerProcessMsg (msg=<optimized out>, prog=<optimized out>, client=<optimized out>, srv=0x7fb7d2e8eeb0) at rpc/virnetserver.c:172
#15 virNetServerHandleJob (jobOpaque=<optimized out>, opaque=0x7fb7d2e8eeb0) at rpc/virnetserver.c:193
#16 0x00007fb7d1868a45 in virThreadPoolWorker (opaque=opaque@entry=0x7fb7d2e89e30) at util/virthreadpool.c:145
#17 0x00007fb7d1867f68 in virThreadHelper (data=<optimized out>) at util/virthread.c:206
#18 0x00007fb7cec9fdf5 in start_thread (arg=0x7fb7c248e700) at pthread_create.c:308
#19 0x00007fb7ce9c61ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Comment 1 Luyao Huang 2015-05-12 13:56:23 UTC
Sent a patch to upstream:

https://www.redhat.com/archives/libvir-list/2015-May/msg00360.html

Comment 2 Michal Privoznik 2015-05-12 15:15:17 UTC
Moving to POST:

commit 5f6fe84d5731a45fa3fe08701f0d553818dd3e12
Author:     Luyao Huang <lhuang>
AuthorDate: Tue May 12 21:55:05 2015 +0800
Commit:     Michal Privoznik <mprivozn>
CommitDate: Tue May 12 17:09:14 2015 +0200

    qemu: fix double free when RNG cold-plug fails
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1220809
    
    When cold-plugging an RNG device but something fails in
    qemuDomainAssignAddresses, we will double free the RNG device.
    Once a device is plugged into the domain, we should set the
    device pointer to NULL to fix this issue.
    
    ...
    5  0x00007fb7d180ac8a in virFree at util/viralloc.c:582
    6  0x00007fb7d1895cdd in virDomainRNGDefFree at conf/domain_conf.c:19786
    7  0x00007fb7d1895d99 in virDomainDeviceDefFree at conf/domain_conf.c:2022
    8  0x00007fb7b92b8baf in qemuDomainAttachDeviceFlags at qemu/qemu_driver.c:8785
    9  0x00007fb7d190c5d7 in virDomainAttachDeviceFlags at libvirt-domain.c:8488
    10 0x00007fb7d23af9d2 in remoteDispatchDomainAttachDeviceFlags at remote_dispatch.h:2842
    ...
    
    Signed-off-by: Luyao Huang <lhuang>
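
The ownership hand-off that the commit message in Comment 2 describes, as an added example that is not libvirt's code or part of this bug report: a constructed C model in which release calls are counted rather than passed to free(), so the double release can be observed without aborting. All type and function names are hypothetical, and it assumes the error path discards the domain definition before the parsed device.

```c
#include <stddef.h>

/* Constructed model, not libvirt code: "release" counts calls instead of
 * calling free(), so a double release is visible without crashing. */
struct rng_def    { int releases; };
struct domain_def { struct rng_def *rng; };  /* owns rng once plugged    */
struct device_def { struct rng_def *rng; };  /* caller's parsed wrapper  */

static void rng_release(struct rng_def *r) { if (r) r->releases++; }
static void domain_release(struct domain_def *d) { rng_release(d->rng); d->rng = NULL; }
static void device_release(struct device_def *dev) { rng_release(dev->rng); dev->rng = NULL; }

/* Stand-in for the address-assignment step that fails after the plug. */
static int assign_addresses(const struct domain_def *d) { (void)d; return -1; }

/* Cold-plug: hand the RNG to the domain definition, then validate.
 * clear_after_plug selects the behaviour the commit message asks for. */
static int attach_config(struct domain_def *d, struct device_def *dev,
                         int clear_after_plug)
{
    d->rng = dev->rng;          /* ownership moves to the domain */
    if (clear_after_plug)
        dev->rng = NULL;        /* wrapper must stop pointing at it */
    return assign_addresses(d);
}

/* Runs one failed attach plus the error-path cleanup and returns how many
 * times the same RNG definition was released. */
int releases_after_failed_attach(int clear_after_plug)
{
    struct rng_def rng = { 0 };
    struct domain_def dom = { NULL };
    struct device_def dev = { &rng };

    if (attach_config(&dom, &dev, clear_after_plug) < 0) {
        domain_release(&dom);   /* discard the modified domain definition */
        device_release(&dev);   /* clean up the parsed device */
    }
    return rng.releases;
}

int main(void)
{
    /* Exit status 0 when the model shows 2 releases without the
     * pointer reset and 1 release with it. */
    return !(releases_after_failed_attach(0) == 2 &&
             releases_after_failed_attach(1) == 1);
}
```

With a real allocator the second release is the free() that glibc aborts on with "double free or corruption (fasttop)" in the backtrace above.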

Comment 4 Fangge Jin 2015-08-04 08:42:05 UTC
I can reproduce this bug on build libvirt-1.2.15-1.el7.x86_64

Verify this bug on build libvirt-1.2.17-3.el7.x86_64

Steps:
1. Prepare an RNG device that has an invalid PCI address (Note: a used address can't hit this issue)
# cat rng.xml 
    <rng model='virtio'>
      <backend model='random'>/dev/random</backend>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
    </rng>

2. # virsh attach-device r71 rng.xml --config
error: Failed to attach device from rng.xml
error: internal error: Attempted double use of PCI slot 0000:00:01.0 (may need "multifunction='on'" for device on function 0)

Comment 6 errata-xmlrpc 2015-11-19 06:30:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2202.html