[libvirt] [BUG] xenInotify/keep-alive double-free

Philipp Hahn hahn at univention.de
Wed Apr 2 08:32:05 UTC 2014


Hello,

There seems to be a double-free bug in libvirt; I've checked libvirt
0.9.12 and 1.2.3:

With 0.9.12 xenUnifiedOpen() passes a pointer of "conn" to
xenInotifyOpen(), which passes it to virEventAddHandle(...opaque=conn...).

After successfully defining a new domain inotify picks up the newly
created directory and generates an event, which is processed when virsh
already dropped its last public reference to the domain and subsequently
already freed the connection. Since *conn is not zero-filled, the data
is still valid and usable, but virsh then terminates on double-freeing
some internal data.
I can reproduce it by doing:
  virsh undefine $DOM
  virsh -c xen:// define $DOM.xml

For 1.2.3 something similar seems to happen with the keep-alive:
$ grep unref ~/BUG/31032_virsh-define-segv.log
virUnrefDomain:276 : unref domain 0x7f4ec4003fe0 ucs32-64-segv 1
virReleaseDomain:246 : unref connection 0x917650 2
virUnrefDomain:276 : unref domain 0x934460 ucs32-64-segv 1
virReleaseDomain:246 : unref connection 0x917650 2
virUnrefConnect:145 : unref connection 0x917650 1
virUnrefDomain:276 : unref domain 0x7f4ec4004060 ucs32-64-segv 1
virReleaseDomain:246 : unref connection 0x917650 1

Notice that there are two lines for "unref connection ... 1"!


My gut feeling is that libvirt should also increment the reference
counter for internal references to delay freeing still used data and add
a second counter to track external references, which is used to start
closing down things.
Comments and ideas welcomed.

We're tracking this as
<https://forge.univention.org/bugzilla/show_bug.cgi?id=31032>

Sincerely
Philipp
-- 
Philipp Hahn
Open Source Software Engineer

Univention GmbH
be open.
Mary-Somerville-Str. 1
D-28359 Bremen
Tel.: +49 421 22232-0
Fax : +49 421 22232-99
hahn at univention.de

http://www.univention.de/
Managing Director: Peter H. Ganten
HRB 20755 Amtsgericht Bremen
Tax no.: 71-597-02876
A non-text attachment was scrubbed...
Name: 31032_virsh-define-segv.log
Type: text/x-log
Size: 25056 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20140402/948fc4ef/attachment-0001.bin>
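A toy model of the two-counter scheme proposed in the mail, added here as an illustration and not libvirt code: the event handler registered with opaque=conn pins the connection with an internal reference, so dropping the last external reference starts shutdown but the free happens only once, after the queued event has run. All names (conn_t, conn_close, handler_fire, scenario) are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed model: external refs are held by API users (virsh), internal refs by
 * libvirt itself (event handlers, domain objects). Freeing needs both at zero. */
typedef struct {
    int external;
    int internal;
    int closing;      /* set once the last external ref is gone: stop accepting work */
    char uri[32];
} conn_t;

static int frees = 0;             /* how often conn_free() ran: must end at exactly 1 */
static int handler_saw_valid = 0; /* did the late event still find intact data? */

static void conn_free(conn_t *c) { frees++; memset(c, 0, sizeof *c); free(c); }

static conn_t *conn_open(const char *uri) {
    conn_t *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->external = 1;
    strncpy(c->uri, uri, sizeof c->uri - 1);
    return c;
}

/* Drop an internal reference; free only when nobody at all still holds the object. */
static void conn_unref_internal(conn_t *c) {
    if (--c->internal == 0 && c->external == 0) conn_free(c);
}

/* virEventAddHandle(..., opaque=conn): the handler takes its own internal pin. */
static void handler_register(conn_t *c) { c->internal++; }
static void handler_fire(conn_t *c) {
    handler_saw_valid = (c->uri[0] != '\0');   /* data must still be intact here */
    conn_unref_internal(c);                    /* handler done; release its pin */
}

/* Last external reference gone: begin shutdown, but never free while internal refs remain. */
static void conn_close(conn_t *c) {
    if (--c->external == 0) {
        c->closing = 1;
        if (c->internal == 0) conn_free(c);
    }
}

/* Reported ordering: define -> inotify event queued -> virsh drops conn -> event runs. */
int scenario(void) {
    conn_t *c = conn_open("xen://");
    if (!c) return 0;
    handler_register(c);   /* xenInotifyOpen() registers with opaque=conn */
    conn_close(c);         /* virsh drops its last reference before the event is processed */
    handler_fire(c);       /* event loop delivers the queued event; data still valid */
    return (frees == 1 && handler_saw_valid) ? 1 : 0;
}

int main(void) { printf("single free, handler saw valid data: %d\n", scenario()); return 0; }
```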