[libvirt] [PATCH 1/1] Fix the crash when seclable is freed

Li Zhang zhlcindy at gmail.com
Wed Apr 3 02:24:07 UTC 2013 

On 2013年04月02日 19:29, Michal Privoznik wrote:
> On 02.04.2013 07:58, Li Zhang wrote:
>> From: Li Zhang <zhlcindy at linux.vnet.ibm.com>
>>
>> When seclabel's type is VIR_DOMAIN_SECLABEL_NONE,
>> virSecurityLabelDefPtr's members are not allocated.
>> So it will cause crash when calling VIR_FREE.
>>
>> This problem is found when running autotest on PPC.
>>
>>   Failed to remove cgroup for virt-tests-vm1
>>   *** glibc detected *** /usr/sbin/libvirtd: free(): invalid pointer: 0x00003fff9c187510 ***
>>   ======= Backtrace: =========
>>   /lib64/libc.so.6(+0xb89c4)[0x3fffa9bc89c4]
>>   /lib64/libvirt.so.0(virFree-0x3e2320)[0x3fffaa82e9c0]
>>   /lib64/libvirt.so.0(virSecurityLabelDefFree-0x378984)[0x3fffaa89d69c]
>>   /lib64/libvirt.so.0(virDomainDefFree-0x367c98)[0x3fffaa8ae968]
>>   /usr/lib64/libvirt/connection-driver/libvirt_driver_qemu.so(qemuProcessStop-0xc85f8)[0x3fffa2899d58]
>>   /usr/lib64/libvirt/connection-driver/libvirt_driver_qemu.so(+0xc3668)[0x3fffa28e3668]
>>   /lib64/libvirt.so.0(virDomainDestroy-0x309bd0)[0x3fffaa90f6f0]
>>   /usr/sbin/libvirtd[0x10035230]
>>   /lib64/libvirt.so.0(virNetServerProgramDispatch-0x289b50)[0x3fffaa995930]
>>   /lib64/libvirt.so.0(+0x20db18)[0x3fffaa98db18]
>>   /lib64/libvirt.so.0(+0xfbd24)[0x3fffaa87bd24]
>>   /lib64/libvirt.so.0(+0xfaec8)[0x3fffaa87aec8]
>>   /lib64/libpthread.so.0(+0xc604)[0x3fffa9d7c604]
>>   /lib64/libc.so.6(clone-0xb8fe4)[0x3fffa9c3f094]
>>
>> Signed-off-by: Li Zhang <zhlcindy at linux.vnet.ibm.com>
>> ---
>>   src/conf/domain_conf.c |    2 ++
>>   1 files changed, 2 insertions(+), 0 deletions(-)
>>
>> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
>> index f3fca7f..2856660 100644
>> --- a/src/conf/domain_conf.c
>> +++ b/src/conf/domain_conf.c
>> @@ -1006,6 +1006,8 @@ virSecurityLabelDefFree(virSecurityLabelDefPtr def)
>>   {
>>       if (!def)
>>           return;
>> +    if (def->type == VIR_DOMAIN_SECLABEL_NONE)
>> +        return;
>>       VIR_FREE(def->model);
>>       VIR_FREE(def->label);
>>       VIR_FREE(def->imagelabel);
>>
> NACK
>
> As you already found out, we are freeing invalid pointers. We need to
> find out root cause. I wonder where those pointers come from, as
> VIR_ALLOC(), which is used to alloc a virSecurityLabelDefPtr, fill
> allocated memory with zeros, so calling VIR_FREE() even for struct
> members is just fine. Are you able to reproduce this crash? What are the
> steps?

I think it is freed twice.
After the pointer is freed, it will be a wild pointer.
When freeing it the second time, this error occurs.

I am trying to reproduce this crash.
This steps are:
1. start libvirtd
2. create VM
#virsh create /etc/libvirt/qemu/virt-tests-vm1.xml

3. Run autotest tests
#cd /DIR/autotest-power
#./client/autotest-local client/tests/virt/libvirt/control

>
> Michal

More information about the libvir-list mailing list