[Bug 1594936] Re: fix crash in virDomainObjListFindByUUIDInternal

James Page james.page at ubuntu.com
Fri Jul 1 13:56:30 UTC 2016


This bug was fixed in the package libvirt - 1.2.12-0ubuntu14.4~cloud1
---------------

 libvirt (1.2.12-0ubuntu14.4~cloud1) trusty-kilo; urgency=medium
 .
   * Added d/p/domain_conf-fix-crash-in-virDomainObjListFindByUUIDI.patch (LP: #1594936)


** Changed in: cloud-archive/kilo
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1594936

Title:
  fix crash in virDomainObjListFindByUUIDInternal

Status in Ubuntu Cloud Archive:
  Invalid
Status in Ubuntu Cloud Archive kilo series:
  Fix Released
Status in libvirt package in Ubuntu:
  Fix Released

Bug description:
  [Impact]

   * Users from trusty-kilo cloud archive may experience crashes on
  libvirtd.

  [Test Case]

   * Stress test libvirtd until a crash like this is seen:

  #0  0x00007f0d3777ae68 in virClassIsDerivedFrom
  #1  0x00007f0d3777b196 in virObjectIsClass
  #2  0x00007f0d3777b2b4 in virObjectUnlock
  #3  0x00007f0d377a797f in virDomainObjListFindByUUIDInternal
  #4  0x00007f0d377b1a42 in virDomainObjListFindByUUIDRef
  #5  0x00007f0d25175fb9 in qemuDomainLookupByUUID (conn=0x7f0d0c0015f0,
  #6  0x00007f0d378333b0 in virDomainLookupByUUID (conn=0x7f0d0c0015f0,
  #7  0x00007f0d38e19361 in remoteDispatchDomainLookupByUUID (server=<optimized
  #8  remoteDispatchDomainLookupByUUIDHelper (server=<optimized out>,
  ...

  [Regression Potential]

   * Fix is based on an upstream commit that is said to resolve the issue
  in the exact same frame.

  [Other Info]

  ## Original description

  It was brought to my attention that libvirt might face some crashes
  (dumps were sent to me).

  Following stack trace:

  #0 0x00007f0d3777ae68 in virClassIsDerivedFrom

  156 /**
  157  * virClassIsDerivedFrom:
  158  * @klass: the klass to check
  159  * @parent: the possible parent class
  160  *
  161  * Determine if @klass is derived from @parent
  162  *
  163  * Return true if @klass is derived from @parent, false otherwise
  164  */
  165 bool virClassIsDerivedFrom(virClassPtr klass,
  166                            virClassPtr parent)
  167 {
  168     while (klass) {
  169         if (klass->magic == parent->magic)   *** HERE ***
  170             return true;
  171         klass = klass->parent;
  172     }
  173     return false;
  174 }

  #1 0x00007f0d3777b196 in virObjectIsClass

  348 /**
  349  * virObjectIsClass:
  350  * @anyobj: any instance of virObjectPtr
  351  * @klass: the class to check
  352  *
  353  * Checks whether @anyobj is an instance of
  354  * @klass
  355  *
  356  * Returns true if @anyobj is an instance of @klass
  357  */
  358 bool virObjectIsClass(void *anyobj,
  359                       virClassPtr klass)
  360 {
  361     virObjectPtr obj = anyobj;
  362     if (!obj)
  363         return false;
  364
  365     return virClassIsDerivedFrom(obj->klass, klass);   *** HERE ***
  366 }

  #2 0x00007f0d3777b2b4 in virObjectUnlock

  327 /**
  328  * virObjectUnlock:
  329  * @anyobj: any instance of virObjectLockablePtr
  330  *
  331  * Release a lock on @anyobj. The lock must have been
  332  * acquired by virObjectLock.
  333  */
  334 void virObjectUnlock(void *anyobj)
  335 {
  336     virObjectLockablePtr obj = anyobj;
  337
  338     if (!virObjectIsClass(obj, virObjectLockableClass)) {   *** HERE ***
  339         VIR_WARN("Object %p (%s) is not a virObjectLockable instance",
  340                  obj, obj ? obj->parent.klass->name : "(unknown)");
  341         return;
  342     }
  343
  344     virMutexUnlock(&obj->lock);
  345 }

  #3 0x00007f0d377a797f in virDomainObjListFindByUUIDInternal

  1052 static virDomainObjPtr
  1053 virDomainObjListFindByUUIDInternal(virDomainObjListPtr doms,
  1054                                    const unsigned char *uuid,
  1055                                    bool ref)
  1056 {
  1057     char uuidstr[VIR_UUID_STRING_BUFLEN];
  1058     virDomainObjPtr obj;
  1059
  1060     virObjectLock(doms);
  1061     virUUIDFormat(uuid, uuidstr);
  1062
  1063     obj = virHashLookup(doms->objs, uuidstr);
  1064     if (ref) {
  1065         virObjectRef(obj);
  1066         virObjectUnlock(doms);
  1067     }
  1068     if (obj) {
  1069         virObjectLock(obj);
  1070         if (obj->removing) {
  1071             if (ref)
  1072                 virObjectUnref(obj);
  1073             virObjectUnlock(obj);
  1074             obj = NULL;
  1075         }
  1076     }
  1077     if (!ref)
  1078         virObjectUnlock(doms);   *** HERE ***
  1079     return obj;
  1080 }

  And the fix:

  https://www.redhat.com/archives/libvir-list/2015-March/msg00531.html

  The object is being unlocked after it has already been cleaned up.

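The failure mode the report describes, an object that is unlocked after its last reference was already dropped, is easy to reproduce on a small model. The block below is an added example written for this page; it is not libvirt code and not part of the bug report or the linked upstream patch. It builds a minimal refcounted, lockable object in the shape of virObjectLockable (all demo_* names and run_scenario are invented here) and runs the lookup-racing-with-removal interleaving in both orders. Dropping the last reference poisons the object instead of freeing it, so the bad unlock is counted rather than crashing; in real libvirtd that same access reads obj->klass from freed memory, which is the virClassIsDerivedFrom frame at the top of the trace.

```c
/* Added example, not libvirt code: a minimal refcounted, lockable object in
 * the shape of libvirt's virObjectLockable, used to show why the order of
 * "unref" and "unlock" matters when the object may be mid-removal. All
 * names here (demo_*, run_scenario) are invented for this illustration. */
#include <stdbool.h>
#include <stdlib.h>

#define LIVE_MAGIC 0xCAFE0001u   /* object is allocated and usable */
#define DEAD_MAGIC 0xDEADBEEFu   /* object has been "freed" */

typedef struct {
    unsigned int magic;
    int refs;
    int locked;      /* stands in for the mutex; single-threaded demo */
    bool removing;   /* set by the remover, like virDomainObj's removing flag */
} demo_obj;

/* Number of times unlock was called on an object that was already gone.
 * In libvirtd this is the path that ends in the virClassIsDerivedFrom crash
 * shown in the trace; here it is only counted. */
static int dead_unlock_count;

static bool demo_is_live(const demo_obj *o)
{
    return o && o->magic == LIVE_MAGIC;
}

static demo_obj *demo_new(void)
{
    demo_obj *o = calloc(1, sizeof(*o));
    if (!o)
        abort();
    o->magic = LIVE_MAGIC;
    o->refs = 1;        /* the reference held by the owning list */
    return o;
}

static void demo_lock(demo_obj *o)
{
    if (demo_is_live(o))
        o->locked = 1;
}

/* Mirrors virObjectUnlock: refuse to touch anything that is not a live
 * object. Real libvirt dereferences obj->klass for this check, which is
 * exactly what faults once the object has been freed. */
static void demo_unlock(demo_obj *o)
{
    if (!demo_is_live(o)) {
        dead_unlock_count++;
        return;
    }
    o->locked = 0;
}

static void demo_ref(demo_obj *o)
{
    if (demo_is_live(o))
        o->refs++;
}

/* Dropping the last reference poisons the object instead of calling free(),
 * so a later access is detectable in the demo rather than undefined
 * behaviour. The memory itself is released by run_scenario at the end. */
static void demo_unref(demo_obj *o)
{
    if (demo_is_live(o) && --o->refs == 0)
        o->magic = DEAD_MAGIC;
}

/* One lookup racing with a removal, in the shape of
 * virDomainObjListFindByUUIDInternal with ref=true. The interleaving is
 * fixed by hand: the remover has marked the object as removing and drops
 * the list's reference just after the lookup took its own.
 * Returns how many unlocks hit a dead object: 1 for the unref-then-unlock
 * order, 0 when the lock is released before the reference is dropped. */
static int run_scenario(bool unlock_before_unref)
{
    dead_unlock_count = 0;
    demo_obj *raw = demo_new();     /* refs = 1, held by the list */
    demo_obj *obj = raw;

    obj->removing = true;           /* remover thread: marked for removal */
    demo_ref(obj);                  /* lookup: take a reference, refs = 2 */
    demo_unref(obj);                /* remover thread: drop list ref, refs = 1 */

    demo_lock(obj);
    if (obj->removing) {
        if (unlock_before_unref) {
            demo_unlock(obj);       /* still live: fine */
            demo_unref(obj);        /* refs = 0: object gone, never used again */
        } else {
            demo_unref(obj);        /* refs = 0: object gone ... */
            demo_unlock(obj);       /* ... and then used. This is the crash. */
        }
        obj = NULL;
    }

    free(raw);
    return dead_unlock_count;
}
```

run_scenario(false) reproduces the reported ordering and returns 1; run_scenario(true) releases the lock while the object is still guaranteed alive and returns 0. The general rule the demo illustrates is that a thread must not hold a lock on an object across the point where it may drop the object's last reference; the linked upstream commit is where libvirt's actual change lives.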