Hello,
I am currently investigating a rare segfault in libvirt. I have attached a
backtrace, the coredump is for s390x. I am currently trying to reproduce the
segfault on x86 but it did not occur yet (timespan to short).
This can be triggered by rapidly performing domain start/stop cycles in a
tight loop and will trigger in the order of a couple weeks.
I have come to the conclusion that there seems to be a race condition in the
log manager client. When the log manager gets freed via virLogManagerFree() it
(asynchronously) invokes virNetClientClose() and unrefs the associated client
structure in virLogManager. If there are other threads waiting for data on the
socket they will be woken up but because they rely on virLogManager holding a
ref to the client we get a use-after-free.
Can anyone verify this analysis and either provide a fix or at least give me
some pointers in the right direction on how to further proceed for debugging?
Should I open a bug for this?
Best regards,
Bjoern
Show replies by thread