1132347 – Libvirt crash after defining/editing macvtap network pool with <address> elements

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1132347 - Libvirt crash after defining/editing macvtap network pool with <address> elements

Summary: Libvirt crash after defining/editing macvtap network pool with <address> elem...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	libvirt
Sub Component:
Version:	7.0
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Peter Krempa
QA Contact:	Virtualization Bugs
Docs Contact:
URL:
Whiteboard:
Depends On:	1131872
Blocks:
TreeView+	depends on / blocked

Reported:	2014-08-21 08:14 UTC by Hu Jianwei
Modified:	2016-01-20 08:00 UTC (History)
CC List:	8 users (show)
Fixed In Version:	libvirt-1.2.8-1.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:	1131872
Environment:
Last Closed:	2015-03-05 07:43:05 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1299700	0	medium	CLOSED	libvirtd crashes when defining a network with incorrect forward mode	2021-02-22 00:41:40 UTC
Red Hat Product Errata	RHSA-2015:0323	0	normal	SHIPPED_LIVE	Low: libvirt security, bug fix, and enhancement update	2015-03-05 12:10:54 UTC

Internal Links: 1299700

Description Hu Jianwei 2014-08-21 08:14:56 UTC

The bug also can be reproduced in rhel7 with below version.

libvirt-1.2.7-1.el7.x86_64
qemu-kvm-rhev-2.1.0-1.el7.x86_64
kernel-3.10.0-138.el7.x86_64

+++ This bug was initially created as a clone of Bug #1131872 +++

Description of problem:
Libvirt crash after defining/editing macvtap network pool with unsupported <address> elements

Version-Release number of selected component (if applicable):
libvirt-0.10.2-44.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.428.el6.x86_64
kernel-2.6.32-468.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
[root@sriov2 jiahu]# cat pci.xml
<network>
<name>passthrough_001</name>
<forward mode='passthrough'>
<address type='pci' domain='0' bus='0x11' slot='0x10' function='0x1'/>
</forward>
</network>

[root@sriov2 jiahu]# virsh net-define pci.xml
error: Failed to define network from pci.xml
error: End of file while reading data: Input/output error
error: One or more references were leaked after disconnect from the hypervisor
error: Failed to reconnect to the hypervisor

Or added below line to an existing network tiwice.
  <address type='pci' domain='0' bus='0x11' slot='0x10' function='0x1'/>

[root@sriov2 jiahu]# virsh net-edit passthrough
error: End of file while reading data: Input/output error
Failed. Try again? [y,n,f,?]:
error: internal error client socket is closed
error: One or more references were leaked after disconnect from the hypervisor
error: Failed to reconnect to the hypervisor


Actual results:
As shown above steps, libvirtd crashed. Also can reproduce it on libvirt-0.10.2-43.el6.x86_64


Expected results:
No crash

Additional info:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f5853611700 (LWP 11177)]
__strlen_sse42 () at ../sysdeps/x86_64/multiarch/strlen-sse4.S:32
32                pcmpeqb        (%rdi), %xmm1
(gdb) t a a bt

Thread 11 (Thread 0x7f5855e15700 (LWP 11173)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f585bf475d6 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f585bf47ba3 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f585bf473f9 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x0000003d04a079d1 in start_thread (arg=0x7f5855e15700) at pthread_create.c:301
#5  0x0000003d042e8b7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 10 (Thread 0x7f5855414700 (LWP 11174)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f585bf475d6 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f585bf47ba3 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f585bf473f9 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x0000003d04a079d1 in start_thread (arg=0x7f5855414700) at pthread_create.c:301
#5  0x0000003d042e8b7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 9 (Thread 0x7f5854a13700 (LWP 11175)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f585bf475d6 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f585bf47ba3 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f585bf473f9 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x0000003d04a079d1 in start_thread (arg=0x7f5854a13700) at pthread_create.c:301
#5  0x0000003d042e8b7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 8 (Thread 0x7f5854012700 (LWP 11176)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f585bf475d6 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f585bf47ba3 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f585bf473f9 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x0000003d04a079d1 in start_thread (arg=0x7f5854012700) at pthread_create.c:301
#5  0x0000003d042e8b7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 7 (Thread 0x7f5853611700 (LWP 11177)):
#0  __strlen_sse42 () at ../sysdeps/x86_64/multiarch/strlen-sse4.S:32
#1  0x00007f585bf2ad11 in virBufferEscapeString (buf=0x7f58536109d0, format=0x7f585c0a7ecf "<interface dev='%s'", str=0x1100000000 <Address 0x1100000000 out of bounds>)
    at util/buf.c:379
#2  0x00007f585bf96139 in virNetworkDefFormatBuf (buf=0x7f58536109d0, def=0x7f583c001050, flags=<value optimized out>) at conf/network_conf.c:2132
#3  0x00007f585bf96f1a in virNetworkDefFormat (def=<value optimized out>, flags=<value optimized out>) at conf/network_conf.c:2216
#4  0x00007f585bf97001 in virNetworkSaveConfig (configDir=0x7f5848000a20 "/etc/libvirt/qemu/networks", def=0x7f583c001050) at conf/network_conf.c:2281
#5  0x00000000004f3962 in networkDefine (conn=0x7f58440009c0, xml=<value optimized out>) at network/bridge_driver.c:2988
---Type <return> to continue, or q <return> to quit---
#6  0x00007f585bfd1096 in virNetworkDefineXML (conn=0x7f58440009c0,
    xml=0x7f583c0009a0 "<network>\n<name>passthrough_001</name>\n<forward mode='passthrough'>\n<address type='pci' domain='0' bus='0x11' slot='0x10' function='0x1'/>\n</forward>\n</network>\n") at libvirt.c:10510
#7  0x000000000043df2e in remoteDispatchNetworkDefineXML (server=<value optimized out>, client=0x26da650, msg=<value optimized out>, rerr=0x7f5853610b80, args=0x7f583c0008c0,
    ret=0x7f583c0008e0) at remote_dispatch.h:8769
#8  remoteDispatchNetworkDefineXMLHelper (server=<value optimized out>, client=0x26da650, msg=<value optimized out>, rerr=0x7f5853610b80, args=0x7f583c0008c0, ret=0x7f583c0008e0)
    at remote_dispatch.h:8749
#9  0x00007f585c0284f2 in virNetServerProgramDispatchCall (prog=0x26da300, server=0x26d0bf0, client=0x26da650, msg=0x26dad10) at rpc/virnetserverprogram.c:431
#10 virNetServerProgramDispatch (prog=0x26da300, server=0x26d0bf0, client=0x26da650, msg=0x26dad10) at rpc/virnetserverprogram.c:304
#11 0x00007f585c026d3e in virNetServerProcessMsg (srv=<value optimized out>, client=0x26da650, prog=<value optimized out>, msg=0x26dad10) at rpc/virnetserver.c:170
#12 0x00007f585c0273dc in virNetServerHandleJob (jobOpaque=<value optimized out>, opaque=0x26d0bf0) at rpc/virnetserver.c:191
#13 0x00007f585bf47b0c in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:144
#14 0x00007f585bf473f9 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#15 0x0000003d04a079d1 in start_thread (arg=0x7f5853611700) at pthread_create.c:301
#16 0x0000003d042e8b7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 6 (Thread 0x7f5852c10700 (LWP 11178)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f585bf475d6 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f585bf47ba3 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f585bf473f9 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x0000003d04a079d1 in start_thread (arg=0x7f5852c10700) at pthread_create.c:301
#5  0x0000003d042e8b7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 5 (Thread 0x7f585220f700 (LWP 11179)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f585bf475d6 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f585bf47ba3 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f585bf473f9 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x0000003d04a079d1 in start_thread (arg=0x7f585220f700) at pthread_create.c:301
#5  0x0000003d042e8b7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 4 (Thread 0x7f585180e700 (LWP 11180)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f585bf475d6 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f585bf47ba3 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f585bf473f9 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x0000003d04a079d1 in start_thread (arg=0x7f585180e700) at pthread_create.c:301
#5  0x0000003d042e8b7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 3 (Thread 0x7f5850e0d700 (LWP 11181)):
---Type <return> to continue, or q <return> to quit---
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f585bf475d6 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f585bf47ba3 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f585bf473f9 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x0000003d04a079d1 in start_thread (arg=0x7f5850e0d700) at pthread_create.c:301
#5  0x0000003d042e8b7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 2 (Thread 0x7f585040c700 (LWP 11182)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:183
#1  0x00007f585bf475d6 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
#2  0x00007f585bf47ba3 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
#3  0x00007f585bf473f9 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:161
#4  0x0000003d04a079d1 in start_thread (arg=0x7f585040c700) at pthread_create.c:301
#5  0x0000003d042e8b7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 1 (Thread 0x7f585bec6860 (LWP 11172)):
#0  0x0000003d042df353 in __poll (fds=<value optimized out>, nfds=<value optimized out>, timeout=<value optimized out>) at ../sysdeps/unix/sysv/linux/poll.c:87
#1  0x00007f585bf34f3c in virEventPollRunOnce () at util/event_poll.c:615
#2  0x00007f585bf34177 in virEventRunDefaultImpl () at util/event.c:247
#3  0x00007f585c02657d in virNetServerRun (srv=0x26d0bf0) at rpc/virnetserver.c:748
#4  0x00000000004242f7 in main (argc=<value optimized out>, argv=<value optimized out>) at libvirtd.c:1229
(gdb)
(gdb)

Comment 2 Peter Krempa 2014-08-21 14:06:57 UTC

Fixed upstream:

commit 4cf1c3fab138462fc9c014aee853fa17f278c5df
Author: Peter Krempa <pkrempa>
Date:   Thu Aug 21 11:06:37 2014 +0200

    conf: net: Correctly switch how to format address fields
    
    When formatting the forward mode addresses or interfaces the switch was
    done based on the type of the network rather than of the type of the
    individual <interface>/<address> element. In case a user would specify
    an incorrect network type ("passhtrough") with <address> elements,
    libvirtd would crash as it would attempt to format an <interface>.
    
    Use the type of the individual element to format the XML.

v1.2.7-192-g4cf1c3f

Comment 4 lcheng 2014-11-18 08:36:05 UTC

Verify it as follows. The result is expected.


Version:
libvirt-1.2.8-7.el7.x86_64
qemu-kvm-1.5.3-79.el7.x86_64
qemu-kvm-rhev-2.1.2-8.el7


Scenario 1. define macvtap network
# cat pci.xml 
<network>
<name>pt</name>
<forward mode='passthrough'>
<address type='pci' domain='0' bus='0x00' slot='0x19' function='0x0'/>
</forward>
</network>

# virsh net-define pci.xml 
Network pt defined from pci.xml

# virsh net-dumpxml pt 
<network>
  <name>pt</name>
  <uuid>508c3b93-0a19-4aaf-ae96-4486423041d7</uuid>
  <forward mode='passthrough'>
    <address type='pci' domain='0x0000' bus='0x00' slot='0x19' function='0x0'/>
  </forward>
</network>



Scenario 2: edit macvtap network
# virsh net-dumpxml pt2
<network>
  <name>pt2</name>
  <uuid>937c23ec-ebb0-46f6-992a-32509c20e0fe</uuid>
  <forward mode='passthrough'/>
</network>

# virsh net-edit pt2
Network pt2 XML configuration edited.

# virsh net-dumpxml pt2
<network>
  <name>pt2</name>
  <uuid>937c23ec-ebb0-46f6-992a-32509c20e0fe</uuid>
  <forward mode='passthrough'>
    <address type='pci' domain='0x0000' bus='0x00' slot='0x19' function='0x0'/>
    <address type='pci' domain='0x0000' bus='0x00' slot='0x19' function='0x0'/>
  </forward>
</network>

Comment 6 errata-xmlrpc 2015-03-05 07:43:05 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0323.html

Note You need to log in before you can comment on or make changes to this bug.