Re: [libvirt] [PATCH 1/1] Fix the crash when seclable is freed
On 2013年04月02日 19:29, Michal Privoznik wrote:
On 02.04.2013 07:58, Li Zhang wrote:
> From: Li Zhang <zhlcindy(a)linux.vnet.ibm.com>
>
> When seclabel's type is VIR_DOMAIN_SECLABEL_NONE,
> virSecurityLabelDefPtr's members are not allocated.
> So it will cause crash when calling VIR_FREE.
>
> This problem is found when running autotest on PPC.
>
> Failed to remove cgroup for virt-tests-vm1
> *** glibc detected *** /usr/sbin/libvirtd: free(): invalid pointer:
0x00003fff9c187510 ***
> ======= Backtrace: =========
> /lib64/libc.so.6(+0xb89c4)[0x3fffa9bc89c4]
> /lib64/libvirt.so.0(virFree-0x3e2320)[0x3fffaa82e9c0]
> /lib64/libvirt.so.0(virSecurityLabelDefFree-0x378984)[0x3fffaa89d69c]
> /lib64/libvirt.so.0(virDomainDefFree-0x367c98)[0x3fffaa8ae968]
>
/usr/lib64/libvirt/connection-driver/libvirt_driver_qemu.so(qemuProcessStop-0xc85f8)[0x3fffa2899d58]
>
/usr/lib64/libvirt/connection-driver/libvirt_driver_qemu.so(+0xc3668)[0x3fffa28e3668]
> /lib64/libvirt.so.0(virDomainDestroy-0x309bd0)[0x3fffaa90f6f0]
> /usr/sbin/libvirtd[0x10035230]
> /lib64/libvirt.so.0(virNetServerProgramDispatch-0x289b50)[0x3fffaa995930]
> /lib64/libvirt.so.0(+0x20db18)[0x3fffaa98db18]
> /lib64/libvirt.so.0(+0xfbd24)[0x3fffaa87bd24]
> /lib64/libvirt.so.0(+0xfaec8)[0x3fffaa87aec8]
> /lib64/libpthread.so.0(+0xc604)[0x3fffa9d7c604]
> /lib64/libc.so.6(clone-0xb8fe4)[0x3fffa9c3f094]
>
> Signed-off-by: Li Zhang <zhlcindy(a)linux.vnet.ibm.com>
> ---
> src/conf/domain_conf.c | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
> index f3fca7f..2856660 100644
> --- a/src/conf/domain_conf.c
> +++ b/src/conf/domain_conf.c
> @@ -1006,6 +1006,8 @@ virSecurityLabelDefFree(virSecurityLabelDefPtr def)
> {
> if (!def)
> return;
> + if (def->type == VIR_DOMAIN_SECLABEL_NONE)
> + return;
> VIR_FREE(def->model);
> VIR_FREE(def->label);
> VIR_FREE(def->imagelabel);
>
NACK
As you already found out, we are freeing invalid pointers. We need to
find out root cause. I wonder where those pointers come from, as
VIR_ALLOC(), which is used to alloc a virSecurityLabelDefPtr, fill
allocated memory with zeros, so calling VIR_FREE() even for struct
members is just fine. Are you able to reproduce this crash? What are the
steps?
I think it is freed twice.
After the pointer is freed, it will be a wild pointer.
When freeing it the second time, this error occurs.
I am trying to reproduce this crash.
This steps are:
1. start libvirtd
2. create VM
#virsh create /etc/libvirt/qemu/virt-tests-vm1.xml
3. Run autotest tests
#cd /DIR/autotest-power
#./client/autotest-local client/tests/virt/libvirt/control
Michal