[libvirt] [PATCH] qemu: fix crash in qemuProcessAutoDestroy

Michael Chapman michael.chapman at anchor.net.au
Mon Mar 30 02:23:50 UTC 2015


On Fri, 27 Mar 2015, Michael Chapman wrote:
> The destination libvirt daemon in a migration may segfault if the client
> disconnects immediately after the migration has begun:
>
>  # virsh -c qemu+tls://remote/system list --all
>   Id    Name                           State
>  ----------------------------------------------------
>  ...
>
>  # timeout --signal KILL 1 \
>      virsh migrate example qemu+tls://remote/system \
>        --verbose --compressed --live --auto-converge \
>        --abort-on-error --unsafe --persistent \
>        --undefinesource --copy-storage-all --xml example.xml
>  Killed
>
>  # virsh -c qemu+tls://remote/system list --all
>  error: failed to connect to the hypervisor
>  error: unable to connect to server at 'remote:16514': Connection refused
>
> The crash is in:
>
>   1531 void
>   1532 qemuDomainObjEndJob(virQEMUDriverPtr driver, virDomainObjPtr obj)
>   1533 {
>   1534     qemuDomainObjPrivatePtr priv = obj->privateData;
>   1535     qemuDomainJob job = priv->job.active;
>   1536
>   1537     priv->jobs_queued--;
>
> Backtrace:
>
>  #0  at qemuDomainObjEndJob at qemu/qemu_domain.c:1537
>  #1  in qemuDomainRemoveInactive at qemu/qemu_domain.c:2497
>  #2  in qemuProcessAutoDestroy at qemu/qemu_process.c:5646
>  #3  in virCloseCallbacksRun at util/virclosecallbacks.c:350
>  #4  in qemuConnectClose at qemu/qemu_driver.c:1154
>  ...
>
> qemuDomainRemoveInactive calls virDomainObjListRemove, which in this
> case is holding the last remaining reference to the domain.
> qemuDomainRemoveInactive then calls qemuDomainObjEndJob, but the domain
> object has been freed and poisoned by then.
>
> This patch bumps the domain's refcount until qemuDomainRemoveInactive
> has completed. We also ensure qemuProcessAutoDestroy does not return the
> domain to virCloseCallbacksRun to be unlocked in this case. There is
> similar logic in bhyveProcessAutoDestroy and lxcProcessAutoDestroy
> (which call virDomainObjListRemove directly).

Please ignore this. I've got a few other fixes related to cancelled VM 
migrations, so I'll send through all in one patch series.

- Michael