Bug 1326990 - Libvirtd received SIGSEGV if destroy/start vm after removing video
Summary: Libvirtd received SIGSEGV if destroy/start vm after removing video
Keywords:
Status: CLOSED DUPLICATE of bug 1324757
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Libvirt Maintainers
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-04-14 02:19 UTC by Yang Yang
Modified: 2016-04-14 06:49 UTC
CC List: 6 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-04-14 06:49:08 UTC
Target Upstream Version:
Embargoed:



Description Yang Yang 2016-04-14 02:19:56 UTC
Description of problem:
Libvirtd received SIGSEGV when destroying/starting a VM after removing the video field from the domain XML. It can be reproduced with cirrus, qxl and vga type video.

Version-Release number of selected component (if applicable):
libvirt-1.3.3-1.el7.x86_64
qemu-kvm-rhev-2.5.0-4.el7.x86_64

How reproducible:
100%

Steps to Reproduce:

1. start a guest with cirrus video

# virsh dumpxml vm1 | grep video -a6
<video>
      <model type='cirrus' vram='16384' heads='1' primary='yes'/>
      <alias name='video0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>

# virsh start vm1
Domain vm1 started

# virsh list
19    vm1                            running

# ps -ef|grep qemu | grep vm1
qemu      2561     1 12 10:56 ?        00:00:11 /usr/libexec/qemu-kvm -name vm1,debug-threads=on -S -machine pc-i440fx-rhel7.2.0,accel=kvm,usb=off -m 1024 -realtime mlock=off -smp 4,sockets=1,cores=2,threads=2 -uuid 35b33718-d952-4168-b6c2-96374f05e3e0 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-19-vm1/monitor.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=discard -no-hpet -no-shutdown -global PIIX4_PM.disable_s3=1 -global PIIX4_PM.disable_s4=0 -boot strict=on -device pci-bridge,chassis_nr=1,id=pci.1,bus=pci.0,addr=0x6 -device pci-bridge,chassis_nr=2,id=pci.2,bus=pci.0,addr=0x8 -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x7 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x5 -drive file=/var/lib/libvirt/images/RHEL-7.2-20151008.0.qcow2,format=qcow2,if=none,id=drive-virtio-disk0 -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x9,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -spice port=5901,addr=127.0.0.1,disable-ticketing,seamless-migration=on -device cirrus-vga,id=video0,bus=pci.0,addr=0x2 -device intel-hda,id=sound0,bus=pci.0,addr=0x3 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -chardev spicevmc,id=charredir0,name=usbredir -device usb-redir,chardev=charredir0,id=redir0 -chardev spicevmc,id=charredir1,name=usbredir -device usb-redir,chardev=charredir1,id=redir1 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x4 -sandbox on -msg timestamp=on

2. edit guest xml, remove video field from xml
# virsh edit vm1
Domain vm1 XML configuration edited.

# virsh dumpxml vm1 --inactive | grep video -a6
<video>
      <model type='cirrus' vram='16384' heads='1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>

3. destroy/start guest
# virsh destroy vm1; virsh start vm1
Domain vm1 destroyed

error: Failed to start domain vm1
error: unsupported configuration: non-primary video device must be type of 'qxl'

Actual results:
Libvirtd received SIGSEGV

Expected results:


Additional info:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f4355049700 (LWP 3459)]
0x00007f4361982aad in malloc_consolidate () from /lib64/libc.so.6
(gdb) bt
#0  0x00007f4361982aad in malloc_consolidate () from /lib64/libc.so.6
#1  0x00007f4361984ea5 in _int_malloc () from /lib64/libc.so.6
#2  0x00007f43619868dc in malloc () from /lib64/libc.so.6
#3  0x00007f4364606dc0 in virReallocN () from /lib64/libvirt.so.0
#4  0x00007f43646273d6 in saferead_lim () from /lib64/libvirt.so.0
#5  0x00007f4364627810 in virFileReadLimFD () from /lib64/libvirt.so.0
#6  0x00007f43646278bb in virFileReadAll () from /lib64/libvirt.so.0
#7  0x00007f43646f7751 in nodeGetCPUCount () from /lib64/libvirt.so.0
#8  0x00007f43646f7996 in nodeGetPresentCPUBitmap () from /lib64/libvirt.so.0
#9  0x00007f43646f90dd in linuxNodeInfoCPUPopulate () from /lib64/libvirt.so.0
#10 0x00007f43646f967d in nodeGetInfo () from /lib64/libvirt.so.0
#11 0x00007f4364722103 in virNodeGetInfo () from /lib64/libvirt.so.0
#12 0x00007f436536aa93 in remoteDispatchNodeGetInfoHelper ()
#13 0x00007f436477a2e2 in virNetServerProgramDispatch () from /lib64/libvirt.so.0
#14 0x00007f436477549d in virNetServerHandleJob () from /lib64/libvirt.so.0
#15 0x00007f436466c1c5 in virThreadPoolWorker () from /lib64/libvirt.so.0
#16 0x00007f436466b6e8 in virThreadHelper () from /lib64/libvirt.so.0
#17 0x00007f4361ccfdc5 in start_thread () from /lib64/libpthread.so.0
#18 0x00007f43619fd28d in clone () from /lib64/libc.so.6
(gdb)

Comment 1 Jiri Denemark 2016-04-14 06:49:08 UTC
This is most likely a result of a double free causing memory corruption.

*** This bug has been marked as a duplicate of bug 1324757 ***
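
As an added illustration of the reasoning in comment 1 (example code written for this page, not libvirt's code and not the fix applied for bug 1324757): a SIGSEGV inside malloc_consolidate() during an unrelated allocation, as in the backtrace above, is a late symptom of corrupted glibc free lists, so the defect is usually an earlier double free somewhere else in the process. The block below shows, in miniature, the two things a maintainer reaches for: a tracking free wrapper that reports a second free of the same block instead of handing it to glibc (the same idea that ASan and glibc's MALLOC_CHECK_ apply at scale), and the free-and-NULL discipline that libvirt's VIR_FREE macro follows, together with its limit: nulling protects only the variable it was called on, not a second alias to the same object. The struct names, the dbg_* helpers and the SAFE_FREE macro are hypothetical, and the "domain definition" is a constructed stand-in.

```c
#include <stdio.h>
#include <stdlib.h>

#define DBG_TABLE_SIZE 64

/* Bookkeeping table (hypothetical): every tracked block stays listed after it is
 * freed, so a second free of the same address can be recognised instead of
 * corrupting glibc's free lists (the corruption that later surfaces as a crash
 * in an unrelated malloc()/malloc_consolidate()). */
struct dbg_entry { void *ptr; int freed; };
static struct dbg_entry dbg_table[DBG_TABLE_SIZE];
static size_t dbg_used;
static unsigned dbg_double_frees;

void *dbg_malloc(size_t n)
{
    void *p = malloc(n);
    if (p && dbg_used < DBG_TABLE_SIZE) {      /* blocks beyond the table are simply untracked */
        dbg_table[dbg_used].ptr = p;
        dbg_table[dbg_used].freed = 0;
        dbg_used++;
    }
    return p;
}

/* Returns 0 for a valid (or NULL) free, -1 for a double free. On -1 nothing is
 * passed to free(), so the heap stays intact and the caller gets a diagnostic
 * at the real fault site rather than a crash later. */
int dbg_free(void *p)
{
    if (!p)
        return 0;
    for (size_t i = dbg_used; i-- > 0; ) {     /* newest entry first: a reused address maps to its latest allocation */
        if (dbg_table[i].ptr != p)
            continue;
        if (dbg_table[i].freed) {
            dbg_double_frees++;
            fprintf(stderr, "dbg_free: double free of %p\n", p);
            return -1;
        }
        dbg_table[i].freed = 1;
        free(p);
        return 0;
    }
    free(p);                                   /* untracked block: pass through */
    return 0;
}

/* Free-and-null discipline (libvirt's VIR_FREE follows the same pattern):
 * a repeated free through the SAME variable becomes a harmless free(NULL). */
#define SAFE_FREE(p) do { dbg_free(p); (p) = NULL; } while (0)

/* Constructed stand-in for a domain definition that refers to one video device
 * from two places, the aliasing that turns an ordinary teardown into a double free. */
struct video_dev { int heads; };
struct domain_def { struct video_dev *primary; struct video_dev **videos; size_t nvideos; };

/* Teardown that frees through both references. Returns the number of double
 * frees the wrapper caught (expected: 1). */
unsigned teardown_aliased(void)
{
    unsigned before = dbg_double_frees;
    struct domain_def def;
    def.nvideos = 1;
    def.videos = dbg_malloc(sizeof(*def.videos));
    def.videos[0] = dbg_malloc(sizeof(struct video_dev));
    def.videos[0]->heads = 1;
    def.primary = def.videos[0];               /* alias, not a separate object */

    SAFE_FREE(def.primary);                    /* nulls def.primary only ... */
    for (size_t i = 0; i < def.nvideos; i++)
        SAFE_FREE(def.videos[i]);              /* ... so this path frees the same block again */
    SAFE_FREE(def.videos);
    return dbg_double_frees - before;
}

/* Teardown with a single owner: free-and-null makes the repeated call harmless
 * (expected: 0 double frees). */
unsigned teardown_single_owner(void)
{
    unsigned before = dbg_double_frees;
    struct video_dev *v = dbg_malloc(sizeof(*v));
    v->heads = 1;
    SAFE_FREE(v);
    SAFE_FREE(v);                              /* v is NULL here: dbg_free() returns 0 */
    return dbg_double_frees - before;
}

int main(void)
{
    printf("single owner: %u double free(s)\n", teardown_single_owner());
    printf("aliased:      %u double free(s)\n", teardown_aliased());
    return 0;
}
```

The point for triage is the one comment 1 makes: the frame that faults (nodeGetCPUCount reading a file, in the trace above) is rarely where the bug is, so the useful move is to make the first bad free fail loudly at its own call site, which is what running libvirtd under AddressSanitizer or valgrind does for real code.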

