Bug 994657

Summary: libvirtd gets segmentation violation trying to access recently freed virDomainDefPtr
Product: [Community] Virtualization Tools
Reporter: John Schmaus <jschmaus>
Component: libvirt
Assignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED NEXTRELEASE
Severity: high
Priority: unspecified
Version: unspecified
CC: acathrow, eblake, jschmaus
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-08-07 20:18:12 UTC

Description John Schmaus 2013-08-07 17:42:47 UTC
Description of problem:
When trying to create a domain (using virt-install or virt-manager), libvirtd gets a segmentation violation and exits.

Steps to Reproduce:
1. run:
virt-install --name centos64 --ram 1024 -s 20 -f /dev/VolGroup00/lv_centos64 --location http://centralcity2.dr.avaya.com/centos64 --network bridge=avpublic

Actual results:
command exits with an exception: unexpected end of file while reading libvirtd's socket that was closed when libvirtd died from SIGSEGV.


Expected results:
libvirtd continues to create the domain and virt-install proceeds normally.


Additional info:
Here is the call sequence:
xenUnifiedDomainCreateXML -->
    def = virDomainDefParseString -->
        virDomainDefParse(def) -->
            virDomainDefParseNode(def) -->
                virDomainDefParseXML(def)
                return
            return
        return
    return
... call some other XML routines ...
xenDaemonCreateXML(def) -->
    virDomainDefFree(def)
    return
virGetDomain(def) <-- def is no longer usable and we get SIGSEGV
virDomainDefFree(def)

I fixed this by not calling virDomainDefFree inside xenDaemonCreateXML:

    - We will call virDomainDefFree from xenUnifiedDomainCreateXML after xenDaemonCreateXML returns, anyway.
    - We are passing def to virGetDomain and aren't done with it yet. This is where the SIGSEGV happens.
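The ownership mistake in the trace above, modelled as an added example (not libvirt's code): the names mirror the functions in the call sequence but are stand-ins, and defFree only marks the def dead instead of releasing it so the double free is observable rather than a crash.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the libvirt types in the trace (not libvirt's definitions). */
typedef struct { char name[32]; int live; } virDomainDef;
typedef struct { char name[32]; } virDomain;

static int freed_count;  /* how many times defFree ran; a double free shows as 2 */

/* Like virDomainDefParseString: allocates def, and the caller owns it. */
static virDomainDef *defParse(const char *name) {
    virDomainDef *def = calloc(1, sizeof *def);
    if (!def) return NULL;
    strncpy(def->name, name, sizeof def->name - 1);
    def->live = 1;
    return def;
}

/* Like virDomainDefFree, but only marks def dead so it can be inspected;
 * the memory itself is released by the owner with free() at the end. */
static void defFree(virDomainDef *def) {
    if (!def) return;
    freed_count++;
    def->live = 0;
}

/* Pre-fix xenDaemonCreateXML: frees a def it does not own. */
static int createBuggy(virDomainDef *def) { defFree(def); return 0; }
/* Post-fix xenDaemonCreateXML: borrows def; ownership stays with the caller. */
static int createFixed(virDomainDef *def) { (void)def; return 0; }

/* Like virGetDomain: reads def; returns NULL where the real code crashed. */
static virDomain *getDomain(const virDomainDef *def) {
    if (!def || !def->live) return NULL;
    virDomain *dom = calloc(1, sizeof *dom);
    if (dom) strcpy(dom->name, def->name);
    return dom;
}

/* The caller from the trace (xenUnifiedDomainCreateXML): parse, create,
 * look up, then the single legitimate free by the owner. */
static virDomain *unifiedCreate(const char *name, int (*create)(virDomainDef *)) {
    virDomainDef *def = defParse(name);
    virDomain *dom = NULL;
    if (def && create(def) == 0)
        dom = getDomain(def);  /* SIGSEGV site in the report when def was freed */
    defFree(def);
    free(def);
    return dom;
}
```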

Comment 1 Eric Blake 2013-08-07 17:56:51 UTC
Can you post your patch upstream to libvir-list?

Comment 2 Eric Blake 2013-08-07 20:18:12 UTC
Already patched upstream for the upcoming 1.1.2 with this:

commit 9d0557b9655fe4a3f31af2e1cc2f33de8acfaa7d
Author: Stefan Bader <stefan.bader>
Date:   Wed Jul 31 11:59:21 2013 +0200

    xen: Avoid double free of virDomainDef in xenDaemonCreateXML
    
    The virDomainDef is allocated by the caller and also used after
    calling to xenDaemonCreateXML. So it must not get freed by the
    callee.
    
    Signed-off-by: Stefan Bader <stefan.bader>