Steps to reproduce this bug: # cat test.sh #! /bin/bash -x virsh start domain sleep 5 virsh qemu-monitor-command domain 'cpu_set 2 online' --hmp # while true; do ./test.sh ; done Then libvirtd will crash. The reason is that: we add a reference of obj when we open the monitor. We will reduce this reference when we free the monitor. If the reference of monitor is 0, we will free monitor automatically and the reference of obj is reduced. But in the function qemuDomainObjExitMonitorWithDriver(), we reduce this reference again when the reference of monitor is 0. It will cause the obj be freed in the function qemuDomainObjEndJob(). Then we start the domain again, and libvirtd will crash in the function virDomainObjListSearchName(), because we pass a null pointer(obj->def->name) to strcmp(). Signed-off-by: Wen Congyang <wency(a)cn.fujitsu.com&gt; --- src/qemu/qemu_domain.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 8a2b9cc..ae28b1c 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -634,7 +634,6 @@ void qemuDomainObjExitMonitorWithDriver(struct qemud_driver *driver, virDomainObjLock(obj); if (refs == 0) { - virDomainObjUnref(obj); priv->mon = NULL; } }

At 03/17/2011 07:11 PM, Daniel P. Berrange Write: > On Wed, Mar 16, 2011 at 05:01:23PM +0800, Wen Congyang wrote: >> Steps to reproduce this bug: >> # cat test.sh >> #! /bin/bash -x >> virsh start domain >> sleep 5 >> virsh qemu-monitor-command domain 'cpu_set 2 online' --hmp >> # while true; do ./test.sh ; done >> >> Then libvirtd will crash. >> >> The reason is that: >> we add a reference of obj when we open the monitor. We will reduce this >> reference when we free the monitor. >> >> If the reference of monitor is 0, we will free monitor automatically and >> the reference of obj is reduced. >> >> But in the function qemuDomainObjExitMonitorWithDriver(), we reduce this >> reference again when the reference of monitor is 0. >> >> It will cause the obj be freed in the function qemuDomainObjEndJob(). >> >> Then we start the domain again, and libvirtd will crash in the function >> virDomainObjListSearchName(), because we pass a null pointer(obj->def->name) >> to strcmp(). >> >> Signed-off-by: Wen Congyang&lt;wency(a)cn.fujitsu.com&gt; >> >> --- >> src/qemu/qemu_domain.c | 1 - >> 1 files changed, 0 insertions(+), 1 deletions(-) >> >> diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c >> index 8a2b9cc..ae28b1c 100644 >> --- a/src/qemu/qemu_domain.c >> +++ b/src/qemu/qemu_domain.c >> @@ -634,7 +634,6 @@ void qemuDomainObjExitMonitorWithDriver(struct qemud_driver *driver, >> virDomainObjLock(obj); >> >> if (refs == 0) { >> - virDomainObjUnref(obj); >> priv->mon = NULL; >> } >> } > ACK, ExitMonitorWithDriver should not be touching the virDomainObjPtr > refs at all. The virDomainObjPtr refs should only be touched by the > BeginJob/EndJob calls. > > This same fix also needs to be done in qemuDomainObjExitMonitor() Yes, there is the same problem in qemuDomainObjExitMonitor(). I have updated this patch.

> > Daniel > From 6c30534f7e6c5d2e5661c38397fc5062a8288ef3 Mon Sep 17 00:00:00 2001 From: Wen Congyang&lt;wency(a)cn.fujitsu.com&gt; Date: Fri, 18 Mar 2011 09:51:07 +0800 Subject: [PATCH 3/3] do not unref obj in qemuDomainObjExitMonitor* --- src/qemu/qemu_domain.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 8a2b9cc..cc137d2 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -588,7 +588,6 @@ void qemuDomainObjExitMonitor(virDomainObjPtr obj) virDomainObjLock(obj); if (refs == 0) { - virDomainObjUnref(obj); priv->mon = NULL; } } @@ -634,7 +633,6 @@ void qemuDomainObjExitMonitorWithDriver(struct qemud_driver *driver, virDomainObjLock(obj); if (refs == 0) { - virDomainObjUnref(obj); priv->mon = NULL; } }