Red Hat Bugzilla – Bug 1169409
Libvirt will crash with segfault if you try to set non-existing nwfilter to network interface for live guest
Last modified: 2015-03-17 05:22:16 EDT
See the summary.

Version-Release number of selected component (if applicable):
libvirt-1.2.8-9.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. create a guest with network interface
2. start the guest
3. create a xml configuration for the interface with non-existing nwfilter:

cat nic2.xml
<interface type='network'>
  <mac address='52:54:00:3c:f1:8d'/>
  <source network='default'/>
  <model type='virtio'/>
  <target dev='vnet0'/>
  <filterref filter='clean-traffic-non-exist'/>
</interface>

4. run 'virsh update-device jeos nic2.xml'

Actual results:
error: Failed to update device from nic2.xml
error: End of file while reading data: Input/output error
error: Failed to reconnect to the hypervisor

and the daemon will crash with segfault

Expected results:
error: Failed to update device from nic.xml
error: operation failed: failed to add new filter rules to 'vnet0' - attempting to restore old rules
Upstream patch posted: https://www.redhat.com/archives/libvir-list/2014-December/msg00084.html
commit d98ad8dd0c5a1d9f6a804e23f0568c784469c3fd
Author: Pavel Hrdina <phrdina@redhat.com>
Date:   Mon Dec 1 17:23:00 2014 +0100

    nwfilter: fix crash when adding non-existing nwfilter

    Adding non-existing nwfilter to a network interface device without any
    nwfilter specified will crash libvirt daemon with segfault. The reason
    is that the nwfilter is not found and libvirt will try to restore old
    nwfilter configuration but there is no nwfilter specified.

    Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
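The failure mode the commit message describes (an error path that restores "old" state which was never set) can be modelled in a few lines of C. This is an added example, not libvirt's code and not part of the commit: the struct, the function names and the list of defined filters are hypothetical, and the guard shown is one assumed way to avoid the NULL dereference.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model; these are not libvirt's structures or function names. */
struct iface { const char *ifname; const char *filter; /* NULL = no <filterref> */ };

/* Constructed sample set of filters defined on the host. */
static const char *defined[] = { "clean-traffic", "no-mac-spoofing" };

/* Instantiate rules for a named filter: 0 on success, -1 if undefined. Assumes name != NULL. */
static int instantiate(const char *name)
{
    for (size_t i = 0; i < sizeof(defined) / sizeof(defined[0]); i++)
        if (strcmp(defined[i], name) == 0)
            return 0;
    return -1;
}

/* Crashing shape: the error path restores the old filter unconditionally,
 * so an interface that never had a filterref passes NULL to strcmp(). */
int update_filter_unchecked(struct iface *nic, const char *new_filter)
{
    if (instantiate(new_filter) < 0) {
        instantiate(nic->filter);          /* NULL dereference when no old filter */
        return -1;
    }
    nic->filter = new_filter;
    return 0;
}

/* Guarded shape: roll back only when there is an old filter to restore. */
int update_filter_checked(struct iface *nic, const char *new_filter)
{
    if (new_filter == NULL || instantiate(new_filter) < 0) {
        if (nic->filter != NULL)
            instantiate(nic->filter);
        return -1;
    }
    nic->filter = new_filter;
    return 0;
}

int main(void)
{
    struct iface nic = { "vnet0", NULL };   /* live NIC with no filterref */
    int rc = update_filter_checked(&nic, "clean-traffic-non-exist");
    printf("%s: rc=%d filter=%s\n", nic.ifname, rc, nic.filter ? nic.filter : "(none)");
    return 0;
}
```

In the guarded form the request fails with an error and the interface keeps its previous state, which matches the "Expected results" in the report instead of a daemon crash.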
I cannot reproduce it on the version below.

[root@ibm-x3850x5-06 ~]# rpm -q libvirt qemu-kvm-rhev
libvirt-1.2.8-11.el7.x86_64
qemu-kvm-rhev-2.1.2-17.el7.x86_64

[root@ibm-x3850x5-06 ~]# cat nic3.xml
<interface type='network'>
  <mac address='02:54:00:36:c6:d0'/>
  <source network='default' bridge='virbr0'/>
  <target dev='vnet0'/>
  <model type='virtio'/>
  <alias name='net0'/>
  <filterref filter='clean-traffic-non-exist'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>

[root@ibm-x3850x5-06 ~]# virsh list --all
 Id    Name                           State
----------------------------------------------------
 37    r7                             running

[root@ibm-x3850x5-06 ~]# service libvirtd status
Redirecting to /bin/systemctl status libvirtd.service
libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled)
   Active: active (running) since Fri 2014-12-19 16:45:50 CST; 3 days ago
     Docs: man:libvirtd(8)
           http://libvirt.org
 Main PID: 14355 (libvirtd)
   CGroup: /system.slice/libvirtd.service
           ├─ 2742 /sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --dhcp-script=/usr/libexec/libvirt_leaseshelper
           ├─ 2743 /sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --dhcp-script=/usr/libexec/libvirt_leaseshelper
           └─14355 /usr/sbin/libvirtd
...

[root@ibm-x3850x5-06 ~]# virsh update-device r7 nic3.xml
error: Failed to update device from nic3.xml
error: operation failed: failed to add new filter rules to 'vnet0' - attempting to restore old rules

[root@ibm-x3850x5-06 ~]# virsh update-device r7 nic3.xml
error: Failed to update device from nic3.xml
error: operation failed: failed to add new filter rules to 'vnet0' - attempting to restore old rules

[root@ibm-x3850x5-06 ~]# service libvirtd status
Redirecting to /bin/systemctl status libvirtd.service
libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled)
   Active: active (running) since Fri 2014-12-19 16:45:50 CST; 3 days ago
     Docs: man:libvirtd(8)
           http://libvirt.org
 Main PID: 14355 (libvirtd)
   CGroup: /system.slice/libvirtd.service
           ├─ 2742 /sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --dhcp-script=/usr/libexec/libvirt_leaseshelper
           ├─ 2743 /sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --dhcp-script=/usr/libexec/libvirt_leaseshelper
           └─14355 /usr/sbin/libvirtd
...

Move to Verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0323.html