Red Hat Bugzilla – Bug 743269
Hot unplug of snapshot device crashes
Last modified: 2013-01-09 19:24:53 EST
Description of problem:
savevm.c keeps a pointer to the snapshot block device. If you manage to get that device deleted, the pointer dangles, and the next snapshot operation will crash & burn.

Version-Release number of selected component (if applicable):
qemu-kvm-0.12.1.2-2.195.el6

How reproducible:
100% for me, but use-after-free bugs like this one are always somewhat unpredictable

Steps to Reproduce:
1. Start a VM without a snapshot device
2. Create a snapshot device, examine it, and destroy it
3. Examine the (destroyed) snapshot device

Actual results:
$ MALLOC_PERTURB_=234 rhel6-qemu-kvm --nodefaults --enable-kvm -vnc :0 -S -m 384 -monitor stdio -usb
QEMU 0.12.1 monitor - type 'help' for more information
(qemu) info snapshots
No available block device supports snapshots
(qemu) __com.redhat_drive_add id=none1,file=tmp.qcow2
(qemu) device_add usb-storage,id=foo,drive=none1
(qemu) info snapshots
Snapshot devices: none1
Snapshot list (from none1):
ID        TAG                 VM SIZE                DATE       VM CLOCK
(qemu) device_del foo
(qemu) info snapshots
Snapshot devices:
Segmentation fault (core dumped)

Expected results:
Print "No available block device supports snapshots" instead of crashing.

Additional info:
Fixed in upstream qemu commit f9092b10.
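The dangling-pointer pattern the report describes, modelled in a constructed C example added here (not QEMU's savevm.c and not the upstream fix): a cached bs_snapshots pointer, a hot unplug that frees the device behind it, a corrected unplug that forgets the cached pointer first, and a pointer-comparison check that detects the stale cache without dereferencing it. The type and function names (BlockDev, device_del_buggy, device_del_fixed, cache_is_stale, run_scenario) are assumptions of this model.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed toy model of the savevm.c bookkeeping (not QEMU's code). */
typedef struct BlockDev { char name[16]; int supports_snapshots; struct BlockDev *next; } BlockDev;
static BlockDev *devices;       /* every hot-plugged block device */
static BlockDev *bs_snapshots;  /* cached snapshot device, as savevm.c keeps it */
static void device_add(const char *name, int supports_snapshots) {
    BlockDev *d = calloc(1, sizeof *d);
    strncpy(d->name, name, sizeof d->name - 1);
    d->supports_snapshots = supports_snapshots;
    d->next = devices; devices = d;
}
static BlockDev *unlink_device(const char *name) {
    for (BlockDev **pp = &devices; *pp; pp = &(*pp)->next)
        if (strcmp((*pp)->name, name) == 0) { BlockDev *d = *pp; *pp = d->next; return d; }
    return NULL;
}
static void device_del_buggy(const char *name) { free(unlink_device(name)); }  /* bs_snapshots left dangling */
static void device_del_fixed(const char *name) {
    BlockDev *d = unlink_device(name);
    if (d == bs_snapshots) bs_snapshots = NULL;   /* forget the cache before the memory goes away */
    free(d);
}
/* "info snapshots": name of the snapshot device, or NULL if none supports snapshots. */
static const char *get_bs_snapshots(void) {
    if (bs_snapshots) return bs_snapshots->name;   /* use-after-free after device_del_buggy */
    for (BlockDev *d = devices; d; d = d->next)
        if (d->supports_snapshots) { bs_snapshots = d; return d->name; }
    return NULL;
}
/* Invariant check by pointer comparison only (no dereference): cache points at no live device? */
static int cache_is_stale(void) {
    for (BlockDev *d = devices; d; d = d->next) if (d == bs_snapshots) return 0;
    return bs_snapshots != NULL;
}
/* Replay the report's monitor sequence; returns 1 if the cache dangles afterwards. */
static int run_scenario(int use_fixed) {
    bs_snapshots = NULL;                                       /* fresh VM, no snapshot device */
    if (get_bs_snapshots() != NULL) return -1;                 /* "No available block device ..." */
    device_add("none1", 1);                                    /* drive_add + device_add usb-storage */
    if (strcmp(get_bs_snapshots(), "none1") != 0) return -1;   /* "Snapshot devices: none1" */
    if (use_fixed) device_del_fixed("none1"); else device_del_buggy("none1");  /* device_del foo */
    return cache_is_stale();       /* 1: the next "info snapshots" would read freed memory */
}
int main(void) {   /* prints "buggy: 1, fixed: 0" */
    printf("buggy: %d, fixed: %d\n", run_scenario(0), run_scenario(1));
    return 0;
}
```

Running the real reproducer under MALLOC_PERTURB_ as in the report makes the freed device's memory visibly garbage, which is why the crash shows up reliably there; the stale-cache check here is the kind of invariant a debug build can assert on before dereferencing a cached pointer.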
Reproduced with qemu-kvm-0.12.1.2-2.195.el6.

1. boot guest
# MALLOC_PERTURB_=234 /usr/libexec/qemu-kvm -m 384 --enable-kvm --nodefaults -monitor stdio -usb -S -vnc :0
2. (qemu) info snapshots
No available block device supports snapshots
3. (qemu) __com.redhat_drive_add id=none1,file=tmp.qcow2
4. (qemu) device_add usb-storage,id=foo,drive=none1
(qemu) info snapshots
5. Snapshot devices: none1
Snapshot list (from none1):
ID        TAG                 VM SIZE                DATE       VM CLOCK
6. (qemu) device_del foo
7. (qemu) info snapshots

Results:
Snapshot devices:
Segmentation fault (core dumped)

Verified with qemu-kvm-0.12.1.2-2.199.el6. After step 7

Results:
(qemu) info snapshots
No available block device supports snapshots
We also did virtual block and usb device functional testing, did not find block or regression bugs.
https://tcms.engineering.redhat.com/run/29499/
https://tcms.engineering.redhat.com/run/29338/
Moving to ON_QA because Errata Tool did not do it
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: Snapshot device bookkeeping wasn't prepared for hot unplug
Consequence: Unplugging the snapshot device could make a future snapshot operation behave unpredictably or crash
Fix: Fix the bookkeeping
Result: Unplugging the snapshot device is now safe
Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1,4 +1,4 @@ Cause: Snapshot device bookkeeping wasn't prepared for hot unplug -Consequence: Unplugging the snapshot device could make a future snapshot operation behave unpredictably or crash +Consequence: Unplugging the "wrong" block device could make a future snapshot operation behave unpredictably or crash Fix: Fix the bookkeeping -Result: Unplugging the snapshot device is now safe+Result: Unplugging block devices no longer endangers future snapshot operations
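Review bot: the new Consequence line's scare-quoted "wrong" block device leaves the reader guessing which device is meant, while the bug description names it precisely: the block device savevm.c has cached as its snapshot device. Suggest spelling that out, e.g. "Consequence: Unplugging the block device that the snapshot code had cached as its snapshot device could make a future snapshot operation behave unpredictably or crash", so the note says which unplug is dangerous without the quotes.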
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHSA-2011-1531.html