Bug 1325120 - libvirtd crash when try to start default network
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: libvirt
Version: 23
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Assignee: Libvirt Maintainers
QA Contact: Fedora Extras Quality Assurance
Reported: 2016-04-08 10:16 UTC by Shanzhi Yu
Modified: 2016-05-16 04:21 UTC
Last Closed: 2016-04-08 12:31:14 UTC
Type: Bug

Description Shanzhi Yu 2016-04-08 10:16:45 UTC
Description of problem:

libvirtd crashes when trying to start the default network

Version-Release number of selected component (if applicable):

libvirt built from libvirt.git

libvirt-1.3.4-1.fc23.x86_64

How reproducible:

100%

Steps to Reproduce:

1.

# ip -d l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 addrgenmode eui64 
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master ovs-system state UP mode DEFAULT group default qlen 1000
    link/ether 24:be:05:02:a0:e9 brd ff:ff:ff:ff:ff:ff promiscuity 1 
    openvswitch_slave addrgenmode none 
3: ovs-system: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/ether 86:24:2b:29:ba:2a brd ff:ff:ff:ff:ff:ff promiscuity 1 
    openvswitch addrgenmode eui64 
11: virbr0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 52:54:00:ef:ce:57 brd ff:ff:ff:ff:ff:ff promiscuity 0 
    bridge forward_delay 200 hello_time 200 max_age 2000 addrgenmode eui64 
12: virbr0-nic: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master virbr0 state DOWN mode DEFAULT group default qlen 500
    link/ether 52:54:00:ef:ce:57 brd ff:ff:ff:ff:ff:ff promiscuity 1 
    tun 
    bridge_slave state disabled priority 32 cost 100 hairpin off guard off root_block off fastleave off learning on flood on addrgenmode eui64 
13: br-int: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1
    link/ether 5a:fc:20:6d:87:47 brd ff:ff:ff:ff:ff:ff promiscuity 1 
    openvswitch addrgenmode eui64 
14: br-ex: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/ether 24:be:05:02:a0:e9 brd ff:ff:ff:ff:ff:ff promiscuity 1 
    openvswitch addrgenmode eui64 
15: br-tun: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1
    link/ether 02:ae:45:5e:f7:44 brd ff:ff:ff:ff:ff:ff promiscuity 1 
    openvswitch addrgenmode eui64 
20: qbr32083ce7-59: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 6a:d4:f8:44:a9:9f brd ff:ff:ff:ff:ff:ff promiscuity 0 
    bridge forward_delay 0 hello_time 200 max_age 2000 addrgenmode eui64 
21: qvo32083ce7-59@qvb32083ce7-59: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master ovs-system state UP mode DEFAULT group default qlen 1000
    link/ether 1a:46:d6:84:75:02 brd ff:ff:ff:ff:ff:ff promiscuity 2 
    veth 
    openvswitch_slave addrgenmode eui64 
22: qvb32083ce7-59@qvo32083ce7-59: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master qbr32083ce7-59 state UP mode DEFAULT group default qlen 1000
    link/ether 6a:d4:f8:44:a9:9f brd ff:ff:ff:ff:ff:ff promiscuity 2 
    veth 
    bridge_slave state forwarding priority 32 cost 2 hairpin off guard off root_block off fastleave off learning on flood on addrgenmode eui64 
23: tap32083ce7-59: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master qbr32083ce7-59 state UNKNOWN mode DEFAULT group default qlen 500
    link/ether fe:16:3e:82:d7:77 brd ff:ff:ff:ff:ff:ff promiscuity 1 
    tun 
    bridge_slave state forwarding priority 32 cost 100 hairpin off guard off root_block off fastleave off learning on flood on addrgenmode eui64 
27: qbrd9882a21-c2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 46:03:a7:3a:d5:65 brd ff:ff:ff:ff:ff:ff promiscuity 0 
    bridge forward_delay 0 hello_time 200 max_age 2000 addrgenmode eui64 
28: qvod9882a21-c2@qvbd9882a21-c2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master ovs-system state UP mode DEFAULT group default qlen 1000
    link/ether 26:2a:9c:5e:e1:8e brd ff:ff:ff:ff:ff:ff promiscuity 2 
    veth 
    openvswitch_slave addrgenmode eui64 
29: qvbd9882a21-c2@qvod9882a21-c2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue master qbrd9882a21-c2 state UP mode DEFAULT group default qlen 1000
    link/ether 46:03:a7:3a:d5:65 brd ff:ff:ff:ff:ff:ff promiscuity 2 
    veth 
    bridge_slave state forwarding priority 32 cost 2 hairpin off guard off root_block off fastleave off learning on flood on addrgenmode eui64 
30: tapd9882a21-c2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master qbrd9882a21-c2 state UNKNOWN mode DEFAULT group default qlen 500
    link/ether fe:16:3e:71:ae:a2 brd ff:ff:ff:ff:ff:ff promiscuity 1 
    tun 
    bridge_slave state forwarding priority 32 cost 100 hairpin off guard off root_block off fastleave off learning on flood on addrgenmode eui64 


2. Prepare default network as below

# virsh net-dumpxml default 
<network>
  <name>default</name>
  <uuid>c9aea060-ea6e-4fc7-892c-1088fc983138</uuid>
  <forward mode='nat'/>
  <bridge name='virbr1' stp='on' delay='0'/>
  <mac address='52:54:00:de:31:73'/>
  <ip address='192.168.125.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.125.2' end='192.168.125.254'/>
    </dhcp>
  </ip>
</network>



3.
# virsh net-start default 
error: Disconnected from qemu:///system due to keepalive timeout
error: Failed to start network default
error: internal error: connection closed due to keepalive timeout



Actual results:


Expected results:


Additional info:


Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe4fea700 (LWP 32043)]
virNetDevSetIPAddress (ifname=0x7fff904171b0 "virbr1", addr=addr@entry=0x7fff902ced78, peer=peer@entry=0x0, prefix=24) at util/virnetdev.c:1132
1132	    if (VIR_SOCKET_ADDR_FAMILY(addr) == AF_INET && !VIR_SOCKET_ADDR_VALID(peer)) {

(gdb) t a a bt
...


Thread 4 (Thread 0x7fffe4fea700 (LWP 32043)):
#0  virNetDevSetIPAddress (ifname=0x7fff904171b0 "virbr1", addr=addr@entry=0x7fff902ced78, peer=peer@entry=0x0, prefix=24) at util/virnetdev.c:1132
#1  0x00007fffe45d340a in networkAddAddrToBridge (network=0x7fff90016360, ipdef=0x7fff902ced70) at network/bridge_driver.c:1973
#2  networkStartNetworkVirtual (network=0x7fff90016360, driver=0x7fff90000ed0) at network/bridge_driver.c:2142
#3  networkStartNetwork (driver=driver@entry=0x7fff90000ed0, network=0x7fff90016360) at network/bridge_driver.c:2488
#4  0x00007fffe45d3c3b in networkCreate (net=0x7fffdc000d40) at network/bridge_driver.c:3451
#5  0x00007ffff73ad4ef in virNetworkCreate (network=network@entry=0x7fffdc000d40) at libvirt-network.c:588
#6  0x000055555558e157 in remoteDispatchNetworkCreate (server=0x5555557f6960, msg=0x5555557f7e50, args=<optimized out>, rerr=0x7fffe4fe9be0, client=0x555555823f10)
    at remote_dispatch.h:12366
#7  remoteDispatchNetworkCreateHelper (server=0x5555557f6960, client=0x555555823f10, msg=0x5555557f7e50, rerr=0x7fffe4fe9be0, args=<optimized out>, ret=0x7fffdc000b40)
    at remote_dispatch.h:12342
#8  0x00007ffff73fb419 in virNetServerProgramDispatchCall (msg=0x5555557f7e50, client=0x555555823f10, server=0x5555557f6960, prog=0x55555581e7b0)
    at rpc/virnetserverprogram.c:437
#9  virNetServerProgramDispatch (prog=0x55555581e7b0, server=server@entry=0x5555557f6960, client=0x555555823f10, msg=0x5555557f7e50) at rpc/virnetserverprogram.c:307
#10 0x00007ffff73f6818 in virNetServerProcessMsg (msg=<optimized out>, prog=<optimized out>, client=<optimized out>, srv=0x5555557f6960) at rpc/virnetserver.c:137
#11 virNetServerHandleJob (jobOpaque=<optimized out>, opaque=0x5555557f6960) at rpc/virnetserver.c:158
#12 0x00007ffff72ead86 in virThreadPoolWorker (opaque=opaque@entry=0x5555557f66d0) at util/virthreadpool.c:145
#13 0x00007ffff72ea308 in virThreadHelper (data=<optimized out>) at util/virthread.c:206
#14 0x00007ffff39e060a in start_thread (arg=0x7fffe4fea700) at pthread_create.c:334
#15 0x00007ffff371aa4d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

Comment 1 Peter Krempa 2016-04-08 11:57:43 UTC
Caused by:
commit b3d069872ce53eb2ad058bda9ea8e27436be7020
Author:     Vasiliy Tolstov <v.tolstov>
AuthorDate: Mon Apr 4 21:00:02 2016 +0000
Commit:     Daniel P. Berrange <berrange>
CommitDate: Thu Apr 7 18:22:58 2016 +0100

    virnetdev allow to set peer address
    
    Signed-off-by: Vasiliy Tolstov <v.tolstov>

$ git desc b3d069872ce53eb2ad058bda9ea8e27436be7020
v1.3.3-28-gb3d0698

Fix posted upstream:

https://www.redhat.com/archives/libvir-list/2016-April/msg00354.html

Comment 2 Peter Krempa 2016-04-08 12:31:14 UTC
commit a3510e33d33e52c7c7eceb6d12bb121ac0b36638
Author: Peter Krempa <pkrempa>
Date:   Fri Apr 8 13:51:57 2016 +0200

    util: netdev: Don't crash in virNetDevSetIPAddress if @peer is NULL
    
    VIR_SOCKET_ADDR_VALID dereferences the pointer, thus if we pass NULL
    into virNetDevSetIPAddress it crashes. Regression introduced by
    b3d069872ce53eb.

Closing since there is no existing release with the broken commit.
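
The NULL-dereference pattern described in Comment 2, as an added example that is not libvirt's code or the upstream patch: `sock_addr`, the two macros, and the function names are simplified stand-ins (assumptions), and the guard shown is one way to make the check at virnetdev.c:1132 NULL-safe.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>   /* AF_INET, AF_INET6, AF_UNSPEC, sa_family_t */

/* Simplified stand-in for a socket address wrapper (assumption). */
typedef struct { sa_family_t family; } sock_addr;

/* ADDR_VALID dereferences its argument, as the commit message says
 * VIR_SOCKET_ADDR_VALID does. */
#define ADDR_FAMILY(s) ((s)->family)
#define ADDR_VALID(s)  ((s)->family != AF_UNSPEC)

/* Shape of the condition at virnetdev.c:1132: peer is dereferenced whenever
 * addr is IPv4, so an IPv4 address with peer == NULL faults. */
bool ipv4_without_peer_unguarded(const sock_addr *addr, const sock_addr *peer)
{
    return ADDR_FAMILY(addr) == AF_INET && !ADDR_VALID(peer);
}

/* Guarded form: a NULL peer is treated as "no peer address set". */
bool ipv4_without_peer(const sock_addr *addr, const sock_addr *peer)
{
    bool have_peer = peer != NULL && ADDR_VALID(peer);
    return ADDR_FAMILY(addr) == AF_INET && !have_peer;
}

/* Constructed driver. peer_family < 0 models the peer=0x0 call from the
 * backtrace. Never call with guarded == 0, AF_INET and peer_family < 0. */
int check_case(int guarded, int addr_family, int peer_family)
{
    sock_addr addr = { (sa_family_t)addr_family };
    sock_addr peer = { (sa_family_t)(peer_family < 0 ? AF_UNSPEC : peer_family) };
    const sock_addr *p = peer_family < 0 ? NULL : &peer;
    return guarded ? ipv4_without_peer(&addr, p)
                   : ipv4_without_peer_unguarded(&addr, p);
}

int main(void)
{
    printf("guarded,   IPv4, peer NULL : %d\n", check_case(1, AF_INET, -1));
    printf("guarded,   IPv4, peer set  : %d\n", check_case(1, AF_INET, AF_INET));
    /* Short-circuit && hides the bug for non-IPv4 addresses. */
    printf("unguarded, IPv6, peer NULL : %d\n", check_case(0, AF_INET6, -1));
    return 0;
}
```

In this model the unguarded check only faults for an IPv4 address, which matches the IPv4 `<ip address='192.168.125.1'>` entry in the reported network definition.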

