Red Hat Bugzilla – Bug 880064
[LXC] libvirt_lxc segfaults when starting lxc guest
Last modified: 2013-02-21 02:27:45 EST
Description of problem:
Launching an LXC guest on libvirt-0.10.2-9 causes libvirt_lxc to segfault. It's okay on the libvirt RHEL6.3 release version (libvirt-0.9.10-21); although a segfault exists in libvirt-0.9.10-21 (see bug 874549), this one is different from bug 874549. I think it's an RC blocker bug.

Version-Release number of selected component (if applicable):
# rpm -q libvirt
libvirt-0.10.2-9.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. # cat instance-0000006f
<domain type='lxc'>
  <name>instance-00000069</name>
  <uuid>5abb4ca2-9e9b-4b33-b489-b09d301b1e8f</uuid>
  <memory unit='KiB'>524288</memory>
  <currentMemory unit='KiB'>524288</currentMemory>
  <vcpu placement='static'>2</vcpu>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/sbin/init</init>
    <cmdline>console=ttyS0</cmdline>
  </os>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/home/stack/nova_state/instances/instance-00000069/rootfs'/>
      <target dir='/'/>
    </filesystem>
    <interface type='bridge'>
      <mac address='fa:16:3e:24:b3:65'/>
      <source bridge='br100'/>
      <filterref filter='nova-instance-instance-00000069-fa163e24b365'>
        <parameter name='DHCPSERVER' value='10.48.253.1'/>
        <parameter name='IP' value='10.48.253.2'/>
        <parameter name='PROJMASK' value='255.255.255.0'/>
        <parameter name='PROJNET' value='10.48.253.0'/>
      </filterref>
    </interface>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
  </devices>
</domain>

2. /usr/libexec/libvirt_lxc --name instance-0000006f --console 23 --handshake 26 --background --veth veth1

Actual results:
# /usr/libexec/libvirt_lxc --name instance-0000006f --console 23 --handshake 26 --background --veth veth1
Segmentation fault (core dumped)

Expected results:
fix it.
Additional info:
==17442== Invalid read of size 8
==17442==    at 0x411755: main (lxc_controller.c:1596)
==17442==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==17442==
==17442==
==17442== Process terminating with default action of signal 11 (SIGSEGV)
==17442==  Access not within mapped region at address 0x0
==17442==    at 0x411755: main (lxc_controller.c:1596)
==17442==  If you believe this happened as a result of a stack
==17442==  overflow in your program's main thread (unlikely but
==17442==  possible), you can try to increase the size of the
==17442==  main thread stack using the --main-stacksize= flag.
==17442==  The main thread stack size used in this run was 10485760.

The line 1596 of lxc_controller in 0.10.2-9.el6:

1596     VIR_DEBUG("Security model %s type %s label %s imagelabel %s",
1597               NULLSTR(ctrl->def->seclabels[0]->model),
1598               virDomainSeclabelTypeToString(ctrl->def->seclabels[0]->type),
1599               NULLSTR(ctrl->def->seclabels[0]->label),
1600               NULLSTR(ctrl->def->seclabels[0]->imagelabel));
Two patches fixing two possible segfaults were posted for upstream review:
http://www.redhat.com/archives/libvir-list/2012-November/msg01097.html
http://www.redhat.com/archives/libvir-list/2012-November/msg01087.html
Fixed upstream:

commit 99a388e612d82a6bcd3462e4b98463fb32931520
Author: Peter Krempa <pkrempa@redhat.com>
Date:   Mon Nov 26 15:17:58 2012 +0100

    lxc: Don't crash if no security driver is specified in libvirt_lxc

    When no security driver is specified libvirt_lxc segfaults as a debug
    message tries to access security labels for the container that are not
    present.

    This problem was introduced in commit 6c3cf57d6cb27cf10064baf8cca0f39.

commit 81efb13b4a33f58c28e0e65dcc9521b983592683
Author: Peter Krempa <pkrempa@redhat.com>
Date:   Mon Nov 26 12:13:56 2012 +0100

    lxc: Avoid segfault of libvirt_lxc helper on early cleanup paths

    Early jumps to the cleanup label caused a crash of the libvirt_lxc
    container helper as the cleanup section called
    virLXCControllerDeleteInterfaces(ctrl) without checking the ctrl argument
    for NULL. The argument was de-referenced soon after.

    $ /usr/libexec/libvirt_lxc
    /usr/libexec/libvirt_lxc: missing --name argument for configuration
    Segmentation fault
Peter, unfortunately, your patches introduce a new "Segmentation violation" question; for details, please see the attachment.

Alex
Created attachment 652473
Segmentation violation
The issue is caused by a free of an uninitialized pointer. This issue was already fixed upstream by:

commit 3782814d4ad787d815e56382b6f809fe9020f14b
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Wed Nov 14 15:39:48 2012 +0000

    Fix uninitialized variable in virLXCControllerSetupDevPTS

    The lack of initialization of 'opts' caused a SEGV in the cleanup: path
    if the root->src directory did not exist

but was not backported.

Moving back to POST:
http://post-office.corp.redhat.com/archives/rhvirt-patches/2012-November/msg00281.html
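The three defect classes named in the commit messages above (reading a security label that is not present, a cleanup helper dereferencing a NULL controller, and freeing an uninitialized pointer on the cleanup path), shown in guarded form as an added example. This is not libvirt code and not the upstream patches: the types, function names and option string are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed miniature types for illustration; not libvirt's structures. */
typedef struct { const char *model; const char *label; } seclabel;
typedef struct { size_t nseclabels; seclabel **seclabels; } domain_def;
typedef struct { domain_def *def; int nveths; } controller;

#define NULLSTR(s) ((s) ? (s) : "(null)")

/* Pattern 1: touch seclabels[0] only after checking that a label exists. */
int describe_seclabel(const controller *ctrl, char *buf, size_t len)
{
    if (!ctrl || !ctrl->def || ctrl->def->nseclabels == 0 ||
        !ctrl->def->seclabels || !ctrl->def->seclabels[0])
        return snprintf(buf, len, "Security model (none)");
    return snprintf(buf, len, "Security model %s label %s",
                    NULLSTR(ctrl->def->seclabels[0]->model),
                    NULLSTR(ctrl->def->seclabels[0]->label));
}

/* Pattern 2: a cleanup helper tolerates NULL, because an early jump to the
 * cleanup label can happen before the controller was allocated. */
int delete_interfaces(controller *ctrl)
{
    if (!ctrl)
        return 0;
    int removed = ctrl->nveths;
    ctrl->nveths = 0;
    return removed;
}

/* Pattern 3: initialise every pointer that the cleanup label frees, so an
 * early failure calls free(NULL), a no-op, instead of freeing stack garbage. */
int setup_devpts(const char *root_src)
{
    char *opts = NULL;          /* leaving this uninitialised is the bug class */
    int ret = -1;
    if (!root_src)              /* stands in for a missing root directory */
        goto cleanup;
    if (!(opts = malloc(32)))
        goto cleanup;
    snprintf(opts, 32, "mode=0620");   /* constructed sample option string */
    ret = 0;
cleanup:
    free(opts);
    return ret;
}
```

Building such code with -Wall -Wextra and running the early-exit paths under valgrind, as the reporter did, exercises exactly the branches where these three checks matter.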
verified this bug in pkg
libvirt-0.10.2-11.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.340.el6.x86_64
kernel-2.6.32-343.el6.x86_64

steps
1. # cat instance-0000006f
<domain type='lxc'>
  <name>instance-00000069</name>
  <uuid>5abb4ca2-9e9b-4b33-b489-b09d301b1e8f</uuid>
  <memory unit='KiB'>524288</memory>
  <currentMemory unit='KiB'>524288</currentMemory>
  <vcpu placement='static'>2</vcpu>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/sbin/init</init>
    <cmdline>console=ttyS0</cmdline>
  </os>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/home/stack/nova_state/instances/instance-00000069/rootfs'/>
      <target dir='/'/>
    </filesystem>
    <interface type='bridge'>
      <mac address='fa:16:3e:24:b3:65'/>
      <source bridge='br100'/>
      <filterref filter='nova-instance-instance-00000069-fa163e24b365'>
        <parameter name='DHCPSERVER' value='10.48.253.1'/>
        <parameter name='IP' value='10.48.253.2'/>
        <parameter name='PROJMASK' value='255.255.255.0'/>
        <parameter name='PROJNET' value='10.48.253.0'/>
      </filterref>
    </interface>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
  </devices>
</domain>

2 execute the following command
/usr/libexec/libvirt_lxc --name instance-0000006f --console 23 --handshake 26 --background --veth veth1
without any segfault

3 valgrind -v --leak-check=full /usr/libexec/libvirt_lxc --name instance-0000006f --console 23 --handshake 26 --background --veth veth1
without segfault info like this
==17442== Process terminating with default action of signal 11 (SIGSEGV)

4 the lxc guest can start/destroy normally

From above, the problem was solved correctly and I can also reproduce this bug in the pkg libvirt-0.10.2-9.el6.x86_64, so this is fixed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0276.html