[libvirt] RHBZ 1013045: Crash on xen domain startup

Jeremy Fitzhardinge jeremy at goop.org
Wed Oct 30 17:38:08 UTC 2013



On 10/24/2013 02:52 AM, Martin Kletzander wrote:
> On Wed, Oct 23, 2013 at 10:46:14AM -0700, Jeremy Fitzhardinge wrote:
>> Hi all,
>>
>> I posted this bug (https://bugzilla.redhat.com/show_bug.cgi?id=1013045)
>> to the Redhat Bugzilla a while ago, and the only response has been to
>> post a note to this list about the bug.
>>
>> Summary below, but it looks like a pretty clear use-after-free or
>> something. The full details are attached to the bug report.
>>
>
> From the looks of the BZ, I think the problem found by valgrind (not
> the one in libxl) is different from the one which causes the
> 'invalid free()', but anyway, I posted a patch [1] which might help
> (read: fixes a problem found out thanks to the valgrind output), but I
> have no way to test it.  If you do, I would appreciate you trying
> whether the issue gets fixed for you with that patch.

I reverted your change then applied the following, which looks like it
fixes the problem.

Thanks,

    J


commit 65d342a6df5e8020b682a6085aa7aced7215e93b
Author: Jeremy Fitzhardinge <jeremy at goop.org>
Date:   Wed Oct 30 10:36:37 2013 -0700

    libxl: fix dubious cpumask handling in libxlDomainSetVcpuAffinities
  
    Rather than casting the virBitmap pointer to uint8_t* and then using
    the structure contents as a byte array, use the virBitmap API to
    determine the bitmap size and test each bit.
  
    Signed-off-by: Jeremy Fitzhardinge <jeremy at goop.org>

diff --git a/src/libxl/libxl_driver.c b/src/libxl/libxl_driver.c
index e2a6d44..ab509a6 100644
- --- a/src/libxl/libxl_driver.c
+++ b/src/libxl/libxl_driver.c
@@ -448,7 +448,7 @@ libxlDomainSetVcpuAffinities(libxlDriverPrivatePtr
driver, virDomainObjPtr vm)
     libxlDomainObjPrivatePtr priv = vm->privateData;
     virDomainDefPtr def = vm->def;
     libxl_bitmap map;
- -    uint8_t *cpumask = NULL;
+    virBitmapPtr cpumask = NULL;
     uint8_t *cpumap = NULL;
     virNodeInfo nodeinfo;
     size_t cpumaplen;
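Review bot: `cpumask` changes from a `uint8_t *` to a `virBitmapPtr` that the next hunk borrows straight from `def->cputune.vcpupin[vcpu]->cpumask`; confirm the `cleanup` label (reached via the visible `goto cleanup`) frees only `cpumap`, the buffer this function allocates with `VIR_ALLOC_N`, and never `cpumask`, since freeing a pointer into `def` would be a second way to corrupt the heap here.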
@@ -468,10 +468,16 @@ libxlDomainSetVcpuAffinities(libxlDriverPrivatePtr
driver, virDomainObjPtr vm)
         if (VIR_ALLOC_N(cpumap, cpumaplen) < 0)
             goto cleanup;
 
- -        cpumask = (uint8_t*) def->cputune.vcpupin[vcpu]->cpumask;
+        cpumask = def->cputune.vcpupin[vcpu]->cpumask;
 
- -        for (i = 0; i < VIR_DOMAIN_CPUMASK_LEN; ++i) {
- -            if (cpumask[i])
+        for (i = 0; i < virBitmapSize(cpumask); ++i) {
+            bool bit;
+            if (virBitmapGetBit(cpumask, i, &bit) < 0) {
+                virReportError(VIR_ERR_INTERNAL_ERROR,
+                               _("Failed to get cpumask bit '%zd' with
libxenlight"), i);
+                goto cleanup;
+            }
+            if (bit)
                 VIR_USE_CPU(cpumap, i);
         }
 
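Review bot: the loop bound is now `virBitmapSize(cpumask)`, but `cpumap` holds only `cpumaplen` bytes (`VIR_ALLOC_N(cpumap, cpumaplen)`), so a set bit with `i >= cpumaplen * 8` still makes `VIR_USE_CPU(cpumap, i)` address a byte past the buffer, the same class of heap corruption as the `free(): invalid next size` in the report below; check `i / 8 < cpumaplen` before `VIR_USE_CPU` and report an error, or cap the loop at the smaller of the two bounds. Separately, `%zd` is the `ssize_t` specifier; if `i` is `size_t`, as the comparison with `virBitmapSize()` suggests, `%zu` is the matching one.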


>
>
> Thank you,
> Martin
>
> [1] https://www.redhat.com/archives/libvir-list/2013-October/msg01075.html
>
>> Thanks,
>>
>>     J
>>
>>
>> --
>> Description of problem:
>> When starting a Xen domain with libvirt + libxl, it crashes after
>> creating the domain.  The domain is left in a paused state, and works
>> fine if manually unpaused with xl unpause. virt-manager never shows the
>> domain as running.
>>
>> [...]
>>
>> Steps to Reproduce:
>> 1. Open virt-manager
>> 2. Connect to localhost (xen)
>> 3. Start a domain
>>
>> Actual results:
>> Domain is created in a paused state, virt-manager shows errors about
>> losing connection to the daemon. Logs show libvirtd crashed.
>>
>> Expected results:
>> Domain creation.
>>
>> Additional info:
>> Sep 27 09:08:30 saboo libvirtd[24880]: *** Error in `/usr/sbin/libvirtd': free(): invalid next size (fast): 0x00007f82c8003210 ***
>> Sep 27 09:08:30 saboo libvirtd[24880]: ======= Backtrace: =========
>> Sep 27 09:08:30 saboo libvirtd[24880]: /lib64/libc.so.6(+0x365b27d0e8)[0x7f82f5a7a0e8]
>> Sep 27 09:08:30 saboo libvirtd[24880]: /lib64/libvirt.so.0(virFree+0x1a)[0x7f82f8f07d5a]
>> Sep 27 09:08:30 saboo libvirtd[24880]: /usr/lib64/libvirt/connection-driver/libvirt_driver_libxl.so(+0x14b6c)[0x7f82e032bb6c]
>> Sep 27 09:08:30 saboo libvirtd[24880]: /usr/lib64/libvirt/connection-driver/libvirt_driver_libxl.so(+0x154d4)[0x7f82e032c4d4]
>> Sep 27 09:08:30 saboo libvirtd[24880]: /lib64/libvirt.so.0(virDomainCreate+0xf7)[0x7f82f8fdb6b7]
>> Sep 27 09:08:30 saboo libvirtd[24880]: /usr/sbin/libvirtd(+0x350c7)[0x7f82f9a1a0c7]
>> Sep 27 09:08:30 saboo libvirtd[24880]: /lib64/libvirt.so.0(virNetServerProgramDispatch+0x3ba)[0x7f82f90314aa]
>> Sep 27 09:08:30 saboo libvirtd[24880]: /lib64/libvirt.so.0(+0x3a33f822d8)[0x7f82f902c2d8]
>> Sep 27 09:08:30 saboo libvirtd[24880]: /lib64/libvirt.so.0(+0x3a33ea0c15)[0x7f82f8f4ac15]
>> Sep 27 09:08:30 saboo libvirtd[24880]: /lib64/libvirt.so.0(+0x3a33ea0691)[0x7f82f8f4a691]
>> Sep 27 09:08:30 saboo libvirtd[24880]: /lib64/libpthread.so.0(+0x365ba07c53)[0x7f82f61ccc53]
>> Sep 27 09:08:30 saboo libvirtd[24880]: /lib64/libc.so.6(clone+0x6d)[0x7f82f5af2d3d]
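An added example (not libvirt's code and not part of this thread) of the pattern the patch moves to: a minimal stand-in bitmap with accessor functions, and a conversion loop that rejects any set bit beyond the host cpumap instead of writing past it. The `bitmap` struct, its functions and `bitmap_to_cpumap` are assumed names; their layout is not virBitmap's.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for libvirt's virBitmap (assumed layout, not libvirt's). */
typedef struct {
    size_t nbits;       /* number of bits the map can hold */
    unsigned long *map; /* bit storage, nbits rounded up to whole words */
} bitmap;

#define BITS_PER_WORD (sizeof(unsigned long) * CHAR_BIT)

static bitmap *bitmap_new(size_t nbits) {
    bitmap *b = calloc(1, sizeof(*b));
    if (!b) return NULL;
    b->nbits = nbits;
    b->map = calloc((nbits + BITS_PER_WORD - 1) / BITS_PER_WORD, sizeof(unsigned long));
    if (!b->map) { free(b); return NULL; }
    return b;
}
static void bitmap_free(bitmap *b) { if (b) { free(b->map); free(b); } }
static size_t bitmap_size(const bitmap *b) { return b->nbits; }

static int bitmap_set_bit(bitmap *b, size_t i) {
    if (i >= b->nbits) return -1;
    b->map[i / BITS_PER_WORD] |= 1UL << (i % BITS_PER_WORD);
    return 0;
}
static int bitmap_get_bit(const bitmap *b, size_t i, bool *out) {
    if (i >= b->nbits) return -1;
    *out = (b->map[i / BITS_PER_WORD] >> (i % BITS_PER_WORD)) & 1UL;
    return 0;
}

/* Fill the byte-array cpumap through the accessor API instead of casting the
 * struct to uint8_t* (which would read its fields and the heap beyond them as
 * "cpu bits"). Any set bit that does not fit in cpumaplen bytes is an error,
 * so this loop can never write past cpumap. */
static int bitmap_to_cpumap(const bitmap *cpumask, uint8_t *cpumap, size_t cpumaplen) {
    memset(cpumap, 0, cpumaplen);
    for (size_t i = 0; i < bitmap_size(cpumask); i++) {
        bool bit;
        if (bitmap_get_bit(cpumask, i, &bit) < 0) return -1;
        if (!bit) continue;
        if (i / CHAR_BIT >= cpumaplen) return -1; /* bit beyond host cpumap */
        cpumap[i / CHAR_BIT] |= (uint8_t)(1u << (i % CHAR_BIT));
    }
    return 0;
}
```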




