Bug 1436400 - Repeatable double free when undefining storage pool
Summary: Repeatable double free when undefining storage pool
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libvirt
Version: 25
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Ján Tomko
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1436999
TreeView+ depends on / blocked
 
Reported: 2017-03-27 20:47 UTC by Jason Tibbitts
Modified: 2017-05-15 04:39 UTC (History)
9 users (show)

Fixed In Version: libvirt-2.2.1-1.fc25
Clone Of:
: 1436999 (view as bug list)
Environment:
Last Closed: 2017-05-15 04:39:53 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)
Complete journal entry for the crash (68.01 KB, text/plain)
2017-03-27 20:47 UTC, Jason Tibbitts 		no flags Details
View All

Description Jason Tibbitts 2017-03-27 20:47:52 UTC 
Created attachment 1266756 [details]
Complete journal entry for the crash

While experimenting with ansible to configure a fresh virtualization host, I managed to create a storage pool that, if I try to undefine it, will cause libvirtd to crash.  I will attach the full journal entry, but here's the error and backtrace:

libvirtd[21979]: *** Error in `/usr/sbin/libvirtd': double free or corruption (fasttop): 0x00007efff80016e0 ***
libvirtd[21979]: ======= Backtrace: =========
libvirtd[21979]: /lib64/libc.so.6(+0x791fb)[0x7f003a5ee1fb]
libvirtd[21979]: /lib64/libc.so.6(+0x8288a)[0x7f003a5f788a]
libvirtd[21979]: /lib64/libc.so.6(cfree+0x4c)[0x7f003a5fb2bc]
libvirtd[21979]: /lib64/libvirt.so.0(virFree+0x1b)[0x7f003e23071b]
libvirtd[21979]: /lib64/libvirt.so.0(virStoragePoolSourceClear+0x85)[0x7f003e30a025]
libvirtd[21979]: /lib64/libvirt.so.0(virStoragePoolDefFree+0x21)[0x7f003e30a0d1]
libvirtd[21979]: /lib64/libvirt.so.0(+0x14bad1)[0x7f003e30bad1]
libvirtd[21979]: /lib64/libvirt.so.0(virStoragePoolObjRemove+0x6e)[0x7f003e30c64e]
libvirtd[21979]: /usr/lib64/libvirt/connection-driver/libvirt_driver_storage.so(+0xf325)[0x7f002ced5325]
libvirtd[21979]: /lib64/libvirt.so.0(virStoragePoolUndefine+0x8f)[0x7f003e36a07f]
libvirtd[21979]: /usr/sbin/libvirtd(+0x39a4f)[0x55e4da3eda4f]
libvirtd[21979]: /lib64/libvirt.so.0(virNetServerProgramDispatch+0x3ce)[0x7f003e3b26fe]
libvirtd[21979]: /usr/sbin/libvirtd(+0x50718)[0x55e4da404718]
libvirtd[21979]: /lib64/libvirt.so.0(+0xdb50b)[0x7f003e29b50b]
libvirtd[21979]: /lib64/libvirt.so.0(+0xda898)[0x7f003e29a898]
libvirtd[21979]: /lib64/libpthread.so.0(+0x76ca)[0x7f003a9426ca]
libvirtd[21979]: /lib64/libc.so.6(clone+0x5f)[0x7f003a67cf7f]

I create the pool with this ansible task (which is probably wrong; I'm just experimenting):

- name: Define pool
  tags: virtualization
  virt_pool:
    command: define
    name: virts
    xml: '{{ lookup("file", "pool.xml") }}'
    autostart: yes
    state: active
  when: not "virts" in ansible_libvirt_pools

pool.xml is:

<pool type='logical'>
  <source>
    <name>virt</name>
    <format type='lvm2'/>
  </source>
  <target>
    <path>/dev/virt</path>
  </target>
</pool>

The pool which is defined looks like this:

virsh # pool-dumpxml virt
<pool type='logical'>
  <name>virt</name>
  <uuid>ef610b5d-9b53-4d62-a5d2-5ad601602202</uuid>
  <capacity unit='bytes'>0</capacity>
  <allocation unit='bytes'>0</allocation>
  <available unit='bytes'>0</available>
  <source>
    <name>virt</name>
    <format type='lvm2'/>
  </source>
  <target>
    <path>/dev/virt</path>
  </target>
</pool>

which is odd because the name is wrong.  Not sure how that happened but I'm sure my XML isn't correct or complete.

Running pool-destroy or deleting the pool from virt-manager immediately crashes libvirtd with the above backtrace.  This is all on an updated F25 machine:

[root@vs02 ~]# rpm -qa|grep virt|sort
libgovirt-0.3.4-1.fc25.x86_64
libvirt-client-2.2.0-2.fc25.x86_64
libvirt-daemon-2.2.0-2.fc25.x86_64
libvirt-daemon-config-network-2.2.0-2.fc25.x86_64
libvirt-daemon-driver-interface-2.2.0-2.fc25.x86_64
libvirt-daemon-driver-network-2.2.0-2.fc25.x86_64
libvirt-daemon-driver-nodedev-2.2.0-2.fc25.x86_64
libvirt-daemon-driver-nwfilter-2.2.0-2.fc25.x86_64
libvirt-daemon-driver-qemu-2.2.0-2.fc25.x86_64
libvirt-daemon-driver-secret-2.2.0-2.fc25.x86_64
libvirt-daemon-driver-storage-2.2.0-2.fc25.x86_64
libvirt-daemon-kvm-2.2.0-2.fc25.x86_64
libvirt-glib-1.0.0-1.fc25.x86_64
libvirt-libs-2.2.0-2.fc25.x86_64
libvirt-python-2.2.0-1.fc25.x86_64
libvirt-python3-2.2.0-1.fc25.x86_64
virt-install-1.4.1-2.fc25.noarch
virt-manager-1.4.1-2.fc25.noarch
virt-manager-common-1.4.1-2.fc25.noarch
virt-viewer-5.0-1.fc25.x86_64
Comment 1 Jason Tibbitts 2017-03-27 20:55:16 UTC 
Note that if I just add "<name>virts</name>" to the XML, everything is fine.  Obviously I was doing something wrong but I figured you'd want to know about a complete libvirtd crash in any case.
Comment 2 Ján Tomko 2017-03-28 13:22:51 UTC 
Upstream patch:
https://www.redhat.com/archives/libvir-list/2017-March/msg01440.html
Comment 3 Ján Tomko 2017-03-29 08:43:46 UTC 
Pushed as:
commit e9f9690958b7fc86c4002c16cd2bdccba0dd07d1
Author:     Ján Tomko <jtomko>
CommitDate: 2017-03-29 10:36:55 +0200

    conf: do not steal pointers from the pool source

git describe: v3.2.0-rc1-16-ge9f9690
Comment 4 Fedora Update System 2017-05-11 13:41:37 UTC 
libvirt-2.2.1-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4b67f65db3
Comment 5 Fedora Update System 2017-05-12 13:39:34 UTC 
libvirt-2.2.1-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4b67f65db3
Comment 6 Fedora Update System 2017-05-15 04:39:53 UTC 
libvirt-2.2.1-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.