Bug 1220809 - libvirtd crashed when attaching an RNG device failed
Summary: libvirtd crashed when attaching an RNG device failed
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.2
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assignee: Michal Privoznik
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-05-12 13:46 UTC by Luyao Huang
Modified: 2015-11-19 06:30 UTC (History)

Fixed In Version: libvirt-1.2.16-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 06:30:59 UTC
Target Upstream Version:
Embargoed:




Links
System: Red Hat Product Errata
ID: RHBA-2015:2202
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: libvirt bug fix and enhancement update
Last Updated: 2015-11-19 08:17:58 UTC

Description Luyao Huang 2015-05-12 13:46:30 UTC
Description of problem:
libvirtd crashed when attaching an RNG device failed

Version-Release number of selected component (if applicable):
libvirt-1.2.15-1.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Prepare an RNG device that has an invalid PCI address (or an already used address)
# cat rng.xml 
    <rng model='virtio'>
      <backend model='random'>/dev/random</backend>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
    </rng>


2. # virsh attach-device test3 rng.xml --config
error: Failed to attach device from rng.xml
error: End of file while reading data: Input/output error

3.

Actual results:
libvirtd crashed when attaching an RNG device failed

Expected results:
report error instead of crash

Additional info:

Program received signal SIGABRT, Aborted.
0x00007fb7ce9055d7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) bt
#0  0x00007fb7ce9055d7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007fb7ce906cc8 in __GI_abort () at abort.c:90
#2  0x00007fb7ce945e07 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7fb7cea4e8c8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:196
#3  0x00007fb7ce94d1fd in malloc_printerr (ptr=<optimized out>, str=0x7fb7cea4e938 "double free or corruption (fasttop)", action=3) at malloc.c:4972
#4  _int_free (av=0x7fb7b0000020, p=<optimized out>, have_lock=0) at malloc.c:3804
#5  0x00007fb7d180ac8a in virFree (ptrptr=ptrptr@entry=0x7fb7c248d968) at util/viralloc.c:582
#6  0x00007fb7d1895cdd in virDomainRNGDefFree (def=0x7fb7b0275770) at conf/domain_conf.c:19786
#7  0x00007fb7d1895d99 in virDomainDeviceDefFree (def=def@entry=0x7fb7b0231aa0) at conf/domain_conf.c:2022
#8  0x00007fb7b92b8baf in qemuDomainAttachDeviceFlags (dom=<optimized out>, xml=<optimized out>, flags=<optimized out>) at qemu/qemu_driver.c:8785
#9  0x00007fb7d190c5d7 in virDomainAttachDeviceFlags (domain=domain@entry=0x7fb7b0281520, 
    xml=0x7fb7b0290c40 "    <rng model='virtio'>\n      <backend model='random'>/dev/random</backend>\n      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>\n    </rng>\n\n", 
    flags=2) at libvirt-domain.c:8488
#10 0x00007fb7d23af9d2 in remoteDispatchDomainAttachDeviceFlags (server=0x7fb7d2e8eeb0, msg=0x7fb7d2e8fff0, args=0x7fb7b0257690, rerr=0x7fb7c248dc70, client=<optimized out>) at remote_dispatch.h:2842
#11 remoteDispatchDomainAttachDeviceFlagsHelper (server=0x7fb7d2e8eeb0, client=<optimized out>, msg=0x7fb7d2e8fff0, rerr=0x7fb7c248dc70, args=0x7fb7b0257690, ret=0x7fb7b0158d00) at remote_dispatch.h:2818
#12 0x00007fb7d196ec82 in virNetServerProgramDispatchCall (msg=0x7fb7d2e8fff0, client=0x7fb7d2ea8350, server=0x7fb7d2e8eeb0, prog=0x7fb7d2ea3900) at rpc/virnetserverprogram.c:437
#13 virNetServerProgramDispatch (prog=0x7fb7d2ea3900, server=server@entry=0x7fb7d2e8eeb0, client=0x7fb7d2ea8350, msg=0x7fb7d2e8fff0) at rpc/virnetserverprogram.c:307
#14 0x00007fb7d23cc60d in virNetServerProcessMsg (msg=<optimized out>, prog=<optimized out>, client=<optimized out>, srv=0x7fb7d2e8eeb0) at rpc/virnetserver.c:172
#15 virNetServerHandleJob (jobOpaque=<optimized out>, opaque=0x7fb7d2e8eeb0) at rpc/virnetserver.c:193
#16 0x00007fb7d1868a45 in virThreadPoolWorker (opaque=opaque@entry=0x7fb7d2e89e30) at util/virthreadpool.c:145
#17 0x00007fb7d1867f68 in virThreadHelper (data=<optimized out>) at util/virthread.c:206
#18 0x00007fb7cec9fdf5 in start_thread (arg=0x7fb7c248e700) at pthread_create.c:308
#19 0x00007fb7ce9c61ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Comment 1 Luyao Huang 2015-05-12 13:56:23 UTC
Sent a patch to upstream:

https://www.redhat.com/archives/libvir-list/2015-May/msg00360.html

Comment 2 Michal Privoznik 2015-05-12 15:15:17 UTC
Moving to POST:

commit 5f6fe84d5731a45fa3fe08701f0d553818dd3e12
Author:     Luyao Huang <lhuang>
AuthorDate: Tue May 12 21:55:05 2015 +0800
Commit:     Michal Privoznik <mprivozn>
CommitDate: Tue May 12 17:09:14 2015 +0200

    qemu: fix double free when RNG cold-plug fails
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1220809
    
    When cold-plugging an RNG device but something fails in
    qemuDomainAssignAddresses, we will double free the RNG device.
    Once a device is plugged into the domain, we should set the
    device pointer to NULL to fix this issue.
    
    ...
    5  0x00007fb7d180ac8a in virFree at util/viralloc.c:582
    6  0x00007fb7d1895cdd in virDomainRNGDefFree at conf/domain_conf.c:19786
    7  0x00007fb7d1895d99 in virDomainDeviceDefFree at conf/domain_conf.c:2022
    8  0x00007fb7b92b8baf in qemuDomainAttachDeviceFlags at qemu/qemu_driver.c:8785
    9  0x00007fb7d190c5d7 in virDomainAttachDeviceFlags at libvirt-domain.c:8488
    10 0x00007fb7d23af9d2 in remoteDispatchDomainAttachDeviceFlags at remote_dispatch.h:2842
    ...
    
    Signed-off-by: Luyao Huang <lhuang>
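
The ownership problem described in the commit message above, reduced to a self-contained model (an added example, not libvirt code and not the committed patch). All type and function names are hypothetical stand-ins, a static pool replaces malloc/free so the second release is counted instead of aborting, and the pre-fix ordering (alias cleared only after address assignment succeeds) is an assumption of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-ins for the structures in the backtrace; not libvirt code. */
typedef struct { bool live; int slot; } RngDef;
typedef struct { RngDef *rng; } DeviceDef;                /* parsed from rng.xml */
typedef struct { RngDef *rngs[4]; size_t nrngs; } DomainDef;
static RngDef pool[4];   /* static pool: a repeated release is counted, not UB */
static int double_frees;

static RngDef *rng_new(int slot) {
    for (size_t i = 0; i < 4; i++)
        if (!pool[i].live) { pool[i].live = true; pool[i].slot = slot; return &pool[i]; }
    return NULL;
}
static void rng_free(RngDef *r) {
    if (!r) return;
    if (!r->live) { double_frees++; return; }  /* glibc aborts at this point */
    r->live = false;
}
static void device_free(DeviceDef *d) { rng_free(d->rng); d->rng = NULL; }
static void domain_free(DomainDef *d) {
    for (size_t i = 0; i < d->nrngs; i++) rng_free(d->rngs[i]);
    d->nrngs = 0;
}
/* Stand-in for address assignment: slot 1 is treated as a conflict. */
static int assign_addresses(const DomainDef *d) {
    for (size_t i = 0; i < d->nrngs; i++)
        if (d->rngs[i]->slot == 1) return -1;
    return 0;
}
/* Cold-plug path; returns the number of double frees seen during cleanup. */
int attach_rng_config(int slot, bool fixed) {
    DomainDef vmdef = { {0}, 0 };         /* working copy of the config */
    DeviceDef dev = { rng_new(slot) };
    double_frees = 0;
    vmdef.rngs[vmdef.nrngs++] = dev.rng;  /* the domain now owns the RNG */
    if (fixed) dev.rng = NULL;            /* fix: drop the alias at the transfer */
    if (assign_addresses(&vmdef) == 0)
        dev.rng = NULL;                   /* assumed pre-fix order: cleared on success only */
    domain_free(&vmdef);                  /* copy discarded (model teardown on success) */
    device_free(&dev);                    /* releases dev.rng again if still set */
    return double_frees;
}
int main(void) {
    printf("pre-fix, failing slot: %d double free(s)\n", attach_rng_config(1, false));
    printf("fixed,   failing slot: %d double free(s)\n", attach_rng_config(1, true));
    return 0;
}
```

The general rule the model shows: once a container takes ownership of a pointer, the source alias is cleared before any later step that can fail, so every error path's cleanup sees exactly one owner.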

Comment 4 Fangge Jin 2015-08-04 08:42:05 UTC
I can reproduce this bug on build libvirt-1.2.15-1.el7.x86_64

Verify this bug on build libvirt-1.2.17-3.el7.x86_64

Steps:
1. Prepare an RNG device that has an invalid PCI address (Note: a used address can't hit this issue)
# cat rng.xml 
    <rng model='virtio'>
      <backend model='random'>/dev/random</backend>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
    </rng>

2. # virsh attach-device r71 rng.xml --config
error: Failed to attach device from rng.xml
error: internal error: Attempted double use of PCI slot 0000:00:01.0 (may need "multifunction='on'" for device on function 0)

Comment 6 errata-xmlrpc 2015-11-19 06:30:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2202.html

