1326990 – Libvirtd received SIGSEGV if destroy/start vm after removing video

Bug 1326990 - Libvirtd received SIGSEGV if destroy/start vm after removing video

Summary: Libvirtd received SIGSEGV if destroy/start vm after removing video

Keywords:
Status:	CLOSED DUPLICATE of bug 1324757
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	libvirt
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Libvirt Maintainers
QA Contact:	Virtualization Bugs
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-04-14 02:19 UTC by Yang Yang
Modified:	2016-04-14 06:49 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-04-14 06:49:08 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Yang Yang 2016-04-14 02:19:56 UTC

Description of problem:
Libvirtd received SIGSEGV if destroy/start vm after removing video field from domain xml. It can be reproduced with cirrus, qxl and vga type video

Version-Release number of selected component (if applicable):
libvirt-1.3.3-1.el7.x86_64
qemu-kvm-rhev-2.5.0-4.el7.x86_64

How reproducible:
100%

Steps to Reproduce:

1. start a guest with cirrus video

# virsh dumpxml vm1 | grep video -a6
<video>
      <model type='cirrus' vram='16384' heads='1' primary='yes'/>
      <alias name='video0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>

# virsh start vm1
Domain vm1 started

# virsh list
19    vm1                            running

# ps -ef|grep qemu | grep vm1
qemu      2561     1 12 10:56 ?        00:00:11 /usr/libexec/qemu-kvm -name vm1,debug-threads=on -S -machine pc-i440fx-rhel7.2.0,accel=kvm,usb=off -m 1024 -realtime mlock=off -smp 4,sockets=1,cores=2,threads=2 -uuid 35b33718-d952-4168-b6c2-96374f05e3e0 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-19-vm1/monitor.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=discard -no-hpet -no-shutdown -global PIIX4_PM.disable_s3=1 -global PIIX4_PM.disable_s4=0 -boot strict=on -device pci-bridge,chassis_nr=1,id=pci.1,bus=pci.0,addr=0x6 -device pci-bridge,chassis_nr=2,id=pci.2,bus=pci.0,addr=0x8 -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x7 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x5 -drive file=/var/lib/libvirt/images/RHEL-7.2-20151008.0.qcow2,format=qcow2,if=none,id=drive-virtio-disk0 -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x9,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -spice port=5901,addr=127.0.0.1,disable-ticketing,seamless-migration=on -device cirrus-vga,id=video0,bus=pci.0,addr=0x2 -device intel-hda,id=sound0,bus=pci.0,addr=0x3 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -chardev spicevmc,id=charredir0,name=usbredir -device usb-redir,chardev=charredir0,id=redir0 -chardev spicevmc,id=charredir1,name=usbredir -device usb-redir,chardev=charredir1,id=redir1 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x4 -sandbox on -msg timestamp=on

2. edit guest xml, remove video field from xml
# virsh edit vm1
Domain vm1 XML configuration edited.

# virsh dumpxml vm1 --inactive | grep video -a6
<video>
      <model type='cirrus' vram='16384' heads='1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>

3. destroy/start guest
# virsh destroy vm1; virsh start vm1
Domain vm1 destroyed

error: Failed to start domain vm1
error: unsupported configuration: non-primary video device must be type of 'qxl'

Actual results:
Libvirtd received SIGSEGV

Expected results:


Additional info:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f4355049700 (LWP 3459)]
0x00007f4361982aad in malloc_consolidate () from /lib64/libc.so.6
(gdb) bt
#0  0x00007f4361982aad in malloc_consolidate () from /lib64/libc.so.6
#1  0x00007f4361984ea5 in _int_malloc () from /lib64/libc.so.6
#2  0x00007f43619868dc in malloc () from /lib64/libc.so.6
#3  0x00007f4364606dc0 in virReallocN () from /lib64/libvirt.so.0
#4  0x00007f43646273d6 in saferead_lim () from /lib64/libvirt.so.0
#5  0x00007f4364627810 in virFileReadLimFD () from /lib64/libvirt.so.0
#6  0x00007f43646278bb in virFileReadAll () from /lib64/libvirt.so.0
#7  0x00007f43646f7751 in nodeGetCPUCount () from /lib64/libvirt.so.0
#8  0x00007f43646f7996 in nodeGetPresentCPUBitmap () from /lib64/libvirt.so.0
#9  0x00007f43646f90dd in linuxNodeInfoCPUPopulate () from /lib64/libvirt.so.0
#10 0x00007f43646f967d in nodeGetInfo () from /lib64/libvirt.so.0
#11 0x00007f4364722103 in virNodeGetInfo () from /lib64/libvirt.so.0
#12 0x00007f436536aa93 in remoteDispatchNodeGetInfoHelper ()
#13 0x00007f436477a2e2 in virNetServerProgramDispatch ()
   from /lib64/libvirt.so.0
#14 0x00007f436477549d in virNetServerHandleJob () from /lib64/libvirt.so.0
#15 0x00007f436466c1c5 in virThreadPoolWorker () from /lib64/libvirt.so.0
#16 0x00007f436466b6e8 in virThreadHelper () from /lib64/libvirt.so.0
#17 0x00007f4361ccfdc5 in start_thread () from /lib64/libpthread.so.0
#18 0x00007f43619fd28d in clone () from /lib64/libc.so.6
(gdb)

Comment 1 Jiri Denemark 2016-04-14 06:49:08 UTC

This is most likely a result of a double free causing memory corruption.

*** This bug has been marked as a duplicate of bug 1324757 ***

Note You need to log in before you can comment on or make changes to this bug.