Bug 1325120

Summary: libvirtd crash when try to start default network
Product: [Fedora] Fedora
Component: libvirt
Version: 23
Hardware: Unspecified
OS: Unspecified
Status: CLOSED UPSTREAM
Severity: high
Priority: high
Reporter: Shanzhi Yu <shyu>
Assignee: Libvirt Maintainers <libvirt-maint>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: agedosier, berrange, clalancette, itamar, jforbes, laine, libvirt-maint, mzhan, pkrempa, veillard, virt-maint
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-04-08 12:31:14 UTC

Description Shanzhi Yu 2016-04-08 10:16:45 UTC
Description of problem:

libvirtd crashes when trying to start the default network

Version-Release number of selected component (if applicable):

libvirt built from libvirt.git

libvirt-1.3.4-1.fc23.x86_64

How reproducible:

100%

Steps to Reproduce:

1.

# ip -d l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 addrgenmode eui64 
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master ovs-system state UP mode DEFAULT group default qlen 1000
    link/ether 24:be:05:02:a0:e9 brd ff:ff:ff:ff:ff:ff promiscuity 1 
    openvswitch_slave addrgenmode none 
3: ovs-system: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/ether 86:24:2b:29:ba:2a brd ff:ff:ff:ff:ff:ff promiscuity 1 
    openvswitch addrgenmode eui64 
11: virbr0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 52:54:00:ef:ce:57 brd ff:ff:ff:ff:ff:ff promiscuity 0 
    bridge forward_delay 200 hello_time 200 max_age 2000 addrgenmode eui64 
12: virbr0-nic: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master virbr0 state DOWN mode DEFAULT group default qlen 500
    link/ether 52:54:00:ef:ce:57 brd ff:ff:ff:ff:ff:ff promiscuity 1 
    tun 
    bridge_slave state disabled priority 32 cost 100 hairpin off guard off root_block off fastleave off learning on flood on addrgenmode eui64 
13: br-int: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1
    link/ether 5a:fc:20:6d:87:47 brd ff:ff:ff:ff:ff:ff promiscuity 1 
    openvswitch addrgenmode eui64 
14: br-ex: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/ether 24:be:05:02:a0:e9 brd ff:ff:ff:ff:ff:ff promiscuity 1 
    openvswitch addrgenmode eui64 
15: br-tun: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1
    link/ether 02:ae:45:5e:f7:44 brd ff:ff:ff:ff:ff:ff promiscuity 1 
    openvswitch addrgenmode eui64 
20: qbr32083ce7-59: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 6a:d4:f8:44:a9:9f brd ff:ff:ff:ff:ff:ff promiscuity 0 
    bridge forward_delay 0 hello_time 200 max_age 2000 addrgenmode eui64 
21: qvo32083ce7-59@qvb32083ce7-59: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master ovs-system state UP mode DEFAULT group default qlen 1000
    link/ether 1a:46:d6:84:75:02 brd ff:ff:ff:ff:ff:ff promiscuity 2 
    veth 
    openvswitch_slave addrgenmode eui64 
22: qvb32083ce7-59@qvo32083ce7-59: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master qbr32083ce7-59 state UP mode DEFAULT group default qlen 1000
    link/ether 6a:d4:f8:44:a9:9f brd ff:ff:ff:ff:ff:ff promiscuity 2 
    veth 
    bridge_slave state forwarding priority 32 cost 2 hairpin off guard off root_block off fastleave off learning on flood on addrgenmode eui64 
23: tap32083ce7-59: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master qbr32083ce7-59 state UNKNOWN mode DEFAULT group default qlen 500
    link/ether fe:16:3e:82:d7:77 brd ff:ff:ff:ff:ff:ff promiscuity 1 
    tun 
    bridge_slave state forwarding priority 32 cost 100 hairpin off guard off root_block off fastleave off learning on flood on addrgenmode eui64 
27: qbrd9882a21-c2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 46:03:a7:3a:d5:65 brd ff:ff:ff:ff:ff:ff promiscuity 0 
    bridge forward_delay 0 hello_time 200 max_age 2000 addrgenmode eui64 
28: qvod9882a21-c2@qvbd9882a21-c2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master ovs-system state UP mode DEFAULT group default qlen 1000
    link/ether 26:2a:9c:5e:e1:8e brd ff:ff:ff:ff:ff:ff promiscuity 2 
    veth 
    openvswitch_slave addrgenmode eui64 
29: qvbd9882a21-c2@qvod9882a21-c2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master qbrd9882a21-c2 state UP mode DEFAULT group default qlen 1000
    link/ether 46:03:a7:3a:d5:65 brd ff:ff:ff:ff:ff:ff promiscuity 2 
    veth 
    bridge_slave state forwarding priority 32 cost 2 hairpin off guard off root_block off fastleave off learning on flood on addrgenmode eui64 
30: tapd9882a21-c2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master qbrd9882a21-c2 state UNKNOWN mode DEFAULT group default qlen 500
    link/ether fe:16:3e:71:ae:a2 brd ff:ff:ff:ff:ff:ff promiscuity 1 
    tun 
    bridge_slave state forwarding priority 32 cost 100 hairpin off guard off root_block off fastleave off learning on flood on addrgenmode eui64 


2. Prepare default network as below

# virsh net-dumpxml default 
<network>
  <name>default</name>
  <uuid>c9aea060-ea6e-4fc7-892c-1088fc983138</uuid>
  <forward mode='nat'/>
  <bridge name='virbr1' stp='on' delay='0'/>
  <mac address='52:54:00:de:31:73'/>
  <ip address='192.168.125.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.125.2' end='192.168.125.254'/>
    </dhcp>
  </ip>
</network>



3.
# virsh net-start default 
error: Disconnected from qemu:///system due to keepalive timeout
error: Failed to start network default
error: internal error: connection closed due to keepalive timeout



Actual results:


Expected results:


Additional info:


Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe4fea700 (LWP 32043)]
virNetDevSetIPAddress (ifname=0x7fff904171b0 "virbr1", addr=addr@entry=0x7fff902ced78, peer=peer@entry=0x0, prefix=24) at util/virnetdev.c:1132
1132	    if (VIR_SOCKET_ADDR_FAMILY(addr) == AF_INET && !VIR_SOCKET_ADDR_VALID(peer)) {

(gdb) t a a bt
...


Thread 4 (Thread 0x7fffe4fea700 (LWP 32043)):
#0  virNetDevSetIPAddress (ifname=0x7fff904171b0 "virbr1", addr=addr@entry=0x7fff902ced78, peer=peer@entry=0x0, prefix=24) at util/virnetdev.c:1132
#1  0x00007fffe45d340a in networkAddAddrToBridge (network=0x7fff90016360, ipdef=0x7fff902ced70) at network/bridge_driver.c:1973
#2  networkStartNetworkVirtual (network=0x7fff90016360, driver=0x7fff90000ed0) at network/bridge_driver.c:2142
#3  networkStartNetwork (driver=driver@entry=0x7fff90000ed0, network=0x7fff90016360) at network/bridge_driver.c:2488
#4  0x00007fffe45d3c3b in networkCreate (net=0x7fffdc000d40) at network/bridge_driver.c:3451
#5  0x00007ffff73ad4ef in virNetworkCreate (network=network@entry=0x7fffdc000d40) at libvirt-network.c:588
#6  0x000055555558e157 in remoteDispatchNetworkCreate (server=0x5555557f6960, msg=0x5555557f7e50, args=<optimized out>, rerr=0x7fffe4fe9be0, client=0x555555823f10)
    at remote_dispatch.h:12366
#7  remoteDispatchNetworkCreateHelper (server=0x5555557f6960, client=0x555555823f10, msg=0x5555557f7e50, rerr=0x7fffe4fe9be0, args=<optimized out>, ret=0x7fffdc000b40)
    at remote_dispatch.h:12342
#8  0x00007ffff73fb419 in virNetServerProgramDispatchCall (msg=0x5555557f7e50, client=0x555555823f10, server=0x5555557f6960, prog=0x55555581e7b0)
    at rpc/virnetserverprogram.c:437
#9  virNetServerProgramDispatch (prog=0x55555581e7b0, server=server@entry=0x5555557f6960, client=0x555555823f10, msg=0x5555557f7e50) at rpc/virnetserverprogram.c:307
#10 0x00007ffff73f6818 in virNetServerProcessMsg (msg=<optimized out>, prog=<optimized out>, client=<optimized out>, srv=0x5555557f6960) at rpc/virnetserver.c:137
#11 virNetServerHandleJob (jobOpaque=<optimized out>, opaque=0x5555557f6960) at rpc/virnetserver.c:158
#12 0x00007ffff72ead86 in virThreadPoolWorker (opaque=opaque@entry=0x5555557f66d0) at util/virthreadpool.c:145
#13 0x00007ffff72ea308 in virThreadHelper (data=<optimized out>) at util/virthread.c:206
#14 0x00007ffff39e060a in start_thread (arg=0x7fffe4fea700) at pthread_create.c:334
#15 0x00007ffff371aa4d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

Comment 1 Peter Krempa 2016-04-08 11:57:43 UTC
Caused by:
commit b3d069872ce53eb2ad058bda9ea8e27436be7020
Author:     Vasiliy Tolstov <v.tolstov>
AuthorDate: Mon Apr 4 21:00:02 2016 +0000
Commit:     Daniel P. Berrange <berrange>
CommitDate: Thu Apr 7 18:22:58 2016 +0100

    virnetdev allow to set peer address
    
    Signed-off-by: Vasiliy Tolstov <v.tolstov>

$ git desc b3d069872ce53eb2ad058bda9ea8e27436be7020
v1.3.3-28-gb3d0698

Fix posted upstream:

https://www.redhat.com/archives/libvir-list/2016-April/msg00354.html

Comment 2 Peter Krempa 2016-04-08 12:31:14 UTC
commit a3510e33d33e52c7c7eceb6d12bb121ac0b36638
Author: Peter Krempa <pkrempa>
Date:   Fri Apr 8 13:51:57 2016 +0200

    util: netdev: Don't crash in virNetDevSetIPAddress if @peer is NULL
    
    VIR_SOCKET_ADDR_VALID dereferences the pointer, thus if we pass NULL
    into virNetDevSetIPAddress it crashes. Regression introduced by
    b3d069872ce53eb.

Closing since there is no existing release with the broken commit.
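
The null-pointer pattern behind this crash, as an added example that is not part of the bug report or of libvirt's source: a simplified model in which accessor macros dereference their argument, with an unguarded check shaped like the faulting line next to a guarded variant. The type, macro and function names are hypothetical.

```c
/* Added example: simplified model, not libvirt source. All names here
 * (sock_addr, ADDR_FAMILY, ADDR_VALID, ipv4_without_peer_*) are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Stand-in for a socket address wrapper that is passed around by pointer. */
typedef struct {
    union {
        struct sockaddr sa;
        struct sockaddr_in in4;
        struct sockaddr_in6 in6;
    } data;
} sock_addr;

/* Accessor macros that dereference their argument unconditionally. */
#define ADDR_FAMILY(s) ((s)->data.sa.sa_family)
#define ADDR_VALID(s)  ((s)->data.sa.sa_family != AF_UNSPEC)

/* "Before": same shape as the faulting line. With peer == NULL the macro
 * reads through a null pointer (undefined behaviour; SIGSEGV in the trace). */
int ipv4_without_peer_unsafe(const sock_addr *addr, const sock_addr *peer)
{
    return ADDR_FAMILY(addr) == AF_INET && !ADDR_VALID(peer);
}

/* "After": a NULL peer means "no peer". && short-circuits, so ADDR_VALID
 * is only evaluated when peer is non-NULL. */
int ipv4_without_peer_safe(const sock_addr *addr, const sock_addr *peer)
{
    if (!addr)
        return 0;
    return ADDR_FAMILY(addr) == AF_INET && !(peer && ADDR_VALID(peer));
}

int main(void)
{
    sock_addr addr = {0};
    addr.data.sa.sa_family = AF_INET;   /* constructed input: IPv4, no peer */
    printf("IPv4 address, NULL peer -> %d\n",
           ipv4_without_peer_safe(&addr, NULL));
    return 0;
}
```

Any caller that may legitimately pass NULL for an optional pointer argument needs the check either at the call site or inside the macro's user, since the macro itself cannot tell NULL from a valid address.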