Bug 1132347 – Libvirt crash after defining/editing macvtap network pool with <address> elements

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1132347 - Libvirt crash after defining/editing macvtap network pool with <address> elements

Summary:	Libvirt crash after defining/editing macvtap network pool with <address> elem...

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	libvirt (Show other bugs)
Sub Component:
Version:	7.0
Hardware:	x86_64 Linux

Priority	high Severity high
Target Milestone:	rc
Target Release:	---
Assigned To:	Peter Krempa
QA Contact:	Virtualization Bugs
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:	1131872
Blocks:
	Show dependency tree / graph

Reported:	2014-08-21 04:14 EDT by Hu Jianwei
Modified:	2016-01-20 03:00 EST (History)
CC List:	8 users (show)

See Also:	1299700
Fixed In Version:	libvirt-1.2.8-1.el7
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:	1131872
Environment:
Last Closed:	2015-03-05 02:43:05 EST
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:0323	normal	SHIPPED_LIVE	Low: libvirt security, bug fix, and enhancement update	2015-03-05 07:10:54 EST

Groups: None (edit)

Description Hu Jianwei 2014-08-21 04:14:56 EDT

The bug also can be reproduced in rhel7 with below version.

libvirt-1.2.7-1.el7.x86_64
qemu-kvm-rhev-2.1.0-1.el7.x86_64
kernel-3.10.0-138.el7.x86_64

+++ This bug was initially created as a clone of Bug #1131872 +++

Description of problem:
Libvirt crash after defining/editing macvtap network pool with unsupported <address> elements

Version-Release number of selected component (if applicable):
libvirt-0.10.2-44.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.428.el6.x86_64
kernel-2.6.32-468.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
[root@sriov2 jiahu]# cat pci.xml
<network>
<name>passthrough_001</name>
<forward mode='passthrough'>
<address type='pci' domain='0' bus='0x11' slot='0x10' function='0x1'/>
</forward>
</network>

[root@sriov2 jiahu]# virsh net-define pci.xml
error: Failed to define network from pci.xml
error: End of file while reading data: Input/output error
error: One or more references were leaked after disconnect from the hypervisor
error: Failed to reconnect to the hypervisor

Or added below line to an existing network tiwice.
  <address type='pci' domain='0' bus='0x11' slot='0x10' function='0x1'/>

[root@sriov2 jiahu]# virsh net-edit passthrough
error: End of file while reading data: Input/output error
Failed. Try again? [y,n,f,?]:
error: internal error client socket is closed
error: One or more references were leaked after disconnect from the hypervisor
error: Failed to reconnect to the hypervisor


Actual results:
As shown above steps, libvirtd crashed. Also can reproduce it on libvirt-0.10.2-43.el6.x86_64


Expected results:
No crash

Additional info:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f5853611700 (LWP 11177)]
__strlen_sse42 () at ../sysdeps/x86_64/multiarch/strlen-sse4.S:32
32                pcmpeqb        (%rdi), %xmm1
(gdb) t a a bt

Thread 11 (Thread 0x7f5855e15700 (LWP 11173)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f585bf475d6 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f585bf47ba3 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f585bf473f9 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x0000003d04a079d1 in start_thread (arg=0x7f5855e15700) at pthread_create.c:301
#5  0x0000003d042e8b7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 10 (Thread 0x7f5855414700 (LWP 11174)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f585bf475d6 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f585bf47ba3 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f585bf473f9 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x0000003d04a079d1 in start_thread (arg=0x7f5855414700) at pthread_create.c:301
#5  0x0000003d042e8b7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 9 (Thread 0x7f5854a13700 (LWP 11175)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f585bf475d6 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f585bf47ba3 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f585bf473f9 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x0000003d04a079d1 in start_thread (arg=0x7f5854a13700) at pthread_create.c:301
#5  0x0000003d042e8b7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 8 (Thread 0x7f5854012700 (LWP 11176)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f585bf475d6 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f585bf47ba3 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f585bf473f9 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x0000003d04a079d1 in start_thread (arg=0x7f5854012700) at pthread_create.c:301
#5  0x0000003d042e8b7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 7 (Thread 0x7f5853611700 (LWP 11177)):
#0  __strlen_sse42 () at ../sysdeps/x86_64/multiarch/strlen-sse4.S:32
#1  0x00007f585bf2ad11 in virBufferEscapeString (buf=0x7f58536109d0, format=0x7f585c0a7ecf "<interface dev='%s'", str=0x1100000000 <Address 0x1100000000 out of bounds>)
    at util/buf.c:379
#2  0x00007f585bf96139 in virNetworkDefFormatBuf (buf=0x7f58536109d0, def=0x7f583c001050, flags=<value optimized out>) at conf/network_conf.c:2132
#3  0x00007f585bf96f1a in virNetworkDefFormat (def=<value optimized out>, flags=<value optimized out>) at conf/network_conf.c:2216
#4  0x00007f585bf97001 in virNetworkSaveConfig (configDir=0x7f5848000a20 "/etc/libvirt/qemu/networks", def=0x7f583c001050) at conf/network_conf.c:2281
#5  0x00000000004f3962 in networkDefine (conn=0x7f58440009c0, xml=<value optimized out>) at network/bridge_driver.c:2988
---Type <return> to continue, or q <return> to quit---
#6  0x00007f585bfd1096 in virNetworkDefineXML (conn=0x7f58440009c0,
    xml=0x7f583c0009a0 "<network>\n<name>passthrough_001</name>\n<forward mode='passthrough'>\n<address type='pci' domain='0' bus='0x11' slot='0x10' function='0x1'/>\n</forward>\n</network>\n") at libvirt.c:10510
#7  0x000000000043df2e in remoteDispatchNetworkDefineXML (server=<value optimized out>, client=0x26da650, msg=<value optimized out>, rerr=0x7f5853610b80, args=0x7f583c0008c0,
    ret=0x7f583c0008e0) at remote_dispatch.h:8769
#8  remoteDispatchNetworkDefineXMLHelper (server=<value optimized out>, client=0x26da650, msg=<value optimized out>, rerr=0x7f5853610b80, args=0x7f583c0008c0, ret=0x7f583c0008e0)
    at remote_dispatch.h:8749
#9  0x00007f585c0284f2 in virNetServerProgramDispatchCall (prog=0x26da300, server=0x26d0bf0, client=0x26da650, msg=0x26dad10) at rpc/virnetserverprogram.c:431
#10 virNetServerProgramDispatch (prog=0x26da300, server=0x26d0bf0, client=0x26da650, msg=0x26dad10) at rpc/virnetserverprogram.c:304
#11 0x00007f585c026d3e in virNetServerProcessMsg (srv=<value optimized out>, client=0x26da650, prog=<value optimized out>, msg=0x26dad10) at rpc/virnetserver.c:170
#12 0x00007f585c0273dc in virNetServerHandleJob (jobOpaque=<value optimized out>, opaque=0x26d0bf0) at rpc/virnetserver.c:191
#13 0x00007f585bf47b0c in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:144
#14 0x00007f585bf473f9 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#15 0x0000003d04a079d1 in start_thread (arg=0x7f5853611700) at pthread_create.c:301
#16 0x0000003d042e8b7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 6 (Thread 0x7f5852c10700 (LWP 11178)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f585bf475d6 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f585bf47ba3 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f585bf473f9 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x0000003d04a079d1 in start_thread (arg=0x7f5852c10700) at pthread_create.c:301
#5  0x0000003d042e8b7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 5 (Thread 0x7f585220f700 (LWP 11179)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f585bf475d6 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f585bf47ba3 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f585bf473f9 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x0000003d04a079d1 in start_thread (arg=0x7f585220f700) at pthread_create.c:301
#5  0x0000003d042e8b7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 4 (Thread 0x7f585180e700 (LWP 11180)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f585bf475d6 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f585bf47ba3 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f585bf473f9 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x0000003d04a079d1 in start_thread (arg=0x7f585180e700) at pthread_create.c:301
#5  0x0000003d042e8b7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 3 (Thread 0x7f5850e0d700 (LWP 11181)):
---Type <return> to continue, or q <return> to quit---
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f585bf475d6 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f585bf47ba3 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f585bf473f9 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x0000003d04a079d1 in start_thread (arg=0x7f5850e0d700) at pthread_create.c:301
#5  0x0000003d042e8b7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 2 (Thread 0x7f585040c700 (LWP 11182)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f585bf475d6 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f585bf47ba3 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f585bf473f9 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x0000003d04a079d1 in start_thread (arg=0x7f585040c700) at pthread_create.c:301
#5  0x0000003d042e8b7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 1 (Thread 0x7f585bec6860 (LWP 11172)):
#0  0x0000003d042df353 in __poll (fds=<value optimized out>, nfds=<value optimized out>, timeout=<value optimized out>) at ../sysdeps/unix/sysv/linux/poll.c:87
#1  0x00007f585bf34f3c in virEventPollRunOnce () at util/event_poll.c:615
#2  0x00007f585bf34177 in virEventRunDefaultImpl () at util/event.c:247
#3  0x00007f585c02657d in virNetServerRun (srv=0x26d0bf0) at rpc/virnetserver.c:748
#4  0x00000000004242f7 in main (argc=<value optimized out>, argv=<value optimized out>) at libvirtd.c:1229
(gdb)
(gdb)

Comment 2 Peter Krempa 2014-08-21 10:06:57 EDT

Fixed upstream:

commit 4cf1c3fab138462fc9c014aee853fa17f278c5df
Author: Peter Krempa <pkrempa@redhat.com>
Date:   Thu Aug 21 11:06:37 2014 +0200

    conf: net: Correctly switch how to format address fields
    
    When formatting the forward mode addresses or interfaces the switch was
    done based on the type of the network rather than of the type of the
    individual <interface>/<address> element. In case a user would specify
    an incorrect network type ("passhtrough") with <address> elements,
    libvirtd would crash as it would attempt to format an <interface>.
    
    Use the type of the individual element to format the XML.

v1.2.7-192-g4cf1c3f

Comment 4 lcheng 2014-11-18 03:36:05 EST

Verify it as follows. The result is expected.


Version:
libvirt-1.2.8-7.el7.x86_64
qemu-kvm-1.5.3-79.el7.x86_64
qemu-kvm-rhev-2.1.2-8.el7


Scenario 1. define macvtap network
# cat pci.xml 
<network>
<name>pt</name>
<forward mode='passthrough'>
<address type='pci' domain='0' bus='0x00' slot='0x19' function='0x0'/>
</forward>
</network>

# virsh net-define pci.xml 
Network pt defined from pci.xml

# virsh net-dumpxml pt 
<network>
  <name>pt</name>
  <uuid>508c3b93-0a19-4aaf-ae96-4486423041d7</uuid>
  <forward mode='passthrough'>
    <address type='pci' domain='0x0000' bus='0x00' slot='0x19' function='0x0'/>
  </forward>
</network>



Scenario 2: edit macvtap network
# virsh net-dumpxml pt2
<network>
  <name>pt2</name>
  <uuid>937c23ec-ebb0-46f6-992a-32509c20e0fe</uuid>
  <forward mode='passthrough'/>
</network>

# virsh net-edit pt2
Network pt2 XML configuration edited.

# virsh net-dumpxml pt2
<network>
  <name>pt2</name>
  <uuid>937c23ec-ebb0-46f6-992a-32509c20e0fe</uuid>
  <forward mode='passthrough'>
    <address type='pci' domain='0x0000' bus='0x00' slot='0x19' function='0x0'/>
    <address type='pci' domain='0x0000' bus='0x00' slot='0x19' function='0x0'/>
  </forward>
</network>

Comment 6 errata-xmlrpc 2015-03-05 02:43:05 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0323.html

Note You need to log in before you can comment on or make changes to this bug.