- Bug
- Resolution: Unresolved
- Major
- rhel-10.2
- Moderate
- rhel-virt-confidential-firmware
- Virt-fw-cc Sprint 19 Mar 9
- aarch64
What were you trying to do that didn't work?
With secure boot enabled and a TPM attached, performing a save immediately followed by a restore --reset-nvram causes the destination qemu process to crash with a SIGABRT due to a double-free memory corruption.
What is the impact of this issue to you?
Affects testing of the new secure boot feature on libvirt.
Please provide the package NVR for which the bug is seen:
RHEL-10.2-20260226.1 BaseOS aarch64
6.12.0-211.el10.aarch64+64k
libvirt-11.10.0-10.el10_2.abologna.varstore.jira82645.1.aarch64
edk2-aarch64-20251114-4.el10.rhel150696.20260223.noarch
edk2-tools-20251114-4.el10.rhel150696.20260223.aarch64
qemu-kvm-10.1.0-12.el10.aarch64
How reproducible is this bug?:
100%
Steps to reproduce
- [root@ampere-mtsnow-altramax-48 /]# virsh define test-vm.xml; virsh start test-vm; virsh save test-vm /tmp/test.state; virsh restore /tmp/test.state --reset-nvram
Expected results
Succeeds with no qemu error message.
Note: the following scenarios pass as expected
- Without secure boot, save and restore immediately
- With secure boot, save and restore after a few minutes of waiting between each action
- With secure boot present but not enforced, save and restore immediately
- With secure boot but no TPM defined, save and restore immediately
- See comments in https://issues.redhat.com/browse/RHEL-120897 for full output details
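An added regression check for the reproduction steps and the scenario list above (not part of the bug report): it runs one define/start/save/restore cycle with and without --reset-nvram and reports "crash" or "clean" from the domain state and the qemu log lines written during the cycle. Assumptions: virsh is available on the host, the domain XML is test-vm.xml, and the qemu log is at libvirt's default /var/log/libvirt/qemu/<domain>.log.

```shell
#!/bin/sh
# Added regression check for the save/restore --reset-nvram crash; not from the report.
# Assumes virsh/libvirt on the host, the domain XML (default test-vm.xml), and
# libvirt's default per-domain qemu log at /var/log/libvirt/qemu/<domain>.log.
set -eu

DOMAIN="${DOMAIN:-test-vm}"
STATEFILE="${STATEFILE:-/tmp/test.state}"

# Classify qemu log text given as $1: prints "crash" when it carries the glibc
# double-free abort or libvirt's crashed-shutdown marker, otherwise "clean".
classify_qemu_log() {
    if printf '%s\n' "$1" | grep -Eq 'double free or corruption|reason=crashed'; then
        echo crash
    else
        echo clean
    fi
}

# One define/start/save/restore cycle; extra arguments go to "virsh restore"
# (e.g. --reset-nvram). Prints "crash" or "clean" from the domain state plus
# the qemu log lines appended during the cycle.
save_restore_cycle() {
    xml="$1"; shift
    log="/var/log/libvirt/qemu/${DOMAIN}.log"
    virsh destroy "$DOMAIN" >/dev/null 2>&1 || true   # start from a clean slate
    virsh define "$xml" >/dev/null
    virsh start "$DOMAIN" >/dev/null
    before=$(wc -l < "$log" 2>/dev/null || echo 0)
    virsh save "$DOMAIN" "$STATEFILE" >/dev/null
    # The restore itself fails when the destination qemu aborts; keep going.
    virsh restore "$STATEFILE" "$@" >/dev/null 2>&1 || true
    sleep 5
    newlines=$(tail -n +"$((before + 1))" "$log" 2>/dev/null || true)
    state=$(virsh domstate "$DOMAIN" 2>/dev/null || echo unknown)
    if [ "$state" != running ] || [ "$(classify_qemu_log "$newlines")" = crash ]; then
        echo crash
    else
        echo clean
    fi
}

# The live check only runs with REPRO=1 (needs root and a libvirt host).
if [ "${REPRO:-0}" = 1 ]; then
    echo "restore --reset-nvram: $(save_restore_cycle "${1:-test-vm.xml}" --reset-nvram)"
    echo "plain restore:         $(save_restore_cycle "${1:-test-vm.xml}")"
fi
```

Run as `REPRO=1 sh check.sh test-vm.xml` on the affected host; the first line is expected to print "crash" while the bug is present and "clean" once it is fixed.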
Actual results
In the qemu log:
2026-03-03 12:01:37.692+0000: Domain id=4 is tainted: high-privileges
2026-03-03 12:01:37.692+0000: Domain id=4 is tainted: host-cpu
char device redirected to /dev/pts/5 (label charserial0)
warning: fd: migration to a file is deprecated. Use file: instead.
double free or corruption (fasttop)
2026-03-03 12:01:49.858+0000: shutting down, reason=crashed
Coredumpctl output:
(gdb) bt full
#0 __pthread_kill_implementation (threadid=281466756473920, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
tid = 214984
ret = 0
pd = 0xfffe16092440
old_mask = {__val = {187655813955616}}
ret = <optimized out>
#1 0x0000fffe16a7c1f8 in __pthread_kill_internal (threadid=<optimized out>, signo=6) at pthread_kill.c:78
#2 0x0000fffe16a2ada0 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
ret = <optimized out>
#3 0x0000fffe16a15a08 in __GI_abort () at abort.c:79
save_stage = 1
act = {__sigaction_handler = {sa_handler = 0x20, sa_sigaction = 0x20}, sa_mask = {__val = {187655245146488, 1, 14076621008917734912, 281474721869184, 281466767350836, 34, 281474721869360, 281474721870032, 281466519720168, 6, 281474721869248, 281474721869232, 281466771490204, 281474721869680, 281474721869680, 281474721869616}}, sa_flags = -56, sa_restorer = 0xfffff0cf6e40}
#4 0x0000fffe16a6f468 in __libc_message_impl (fmt=fmt@entry=0xfffe16b58cc0 "%s\n") at ../sysdeps/posix/libc_fatal.c:134
ap = {__stack = 0xfffff0cf6f20, __gr_top = 0xfffff0cf6f20, __vr_top = 0xfffff0cf6ee0, __gr_offs = -48, __vr_offs = 0}
fd = 2
iov = {{iov_base = 0xfffe16b541f8, iov_len = 35}, {iov_base = 0xfffe16b58cc2, iov_len = 1}, {iov_base = 0xc35a3439fa57a600, iov_len = 281474721869472}, {iov_base = 0xfffe16eb2b1c <g_strdup_printf+116>, iov_len = 281474721869680}, {iov_base = 0xfffff0cf6f70, iov_len = 281474721869616}, {iov_base = 0xffffff80ffffffc8, iov_len = 281474721869720}, {iov_base = 0xfffff0cf6f70, iov_len = 281474721869680}}
iovcnt = <optimized out>
total = <optimized out>
cp = <optimized out>
#5 0x0000fffe16a873c8 in malloc_printerr (str=str@entry=0xfffe16b541f8 "double free or corruption (fasttop)") at malloc.c:5775
#6 0x0000fffe16a89848 in _int_free (av=<optimized out>, p=p@entry=0xaaac06983820, have_lock=have_lock@entry=0) at malloc.c:4607
idx = 0
old = 0xaaac06983820
old2 = <optimized out>
size = <optimized out>
fb = <optimized out>
#7 0x0000fffe16a8c2d0 in __GI___libc_free (mem=mem@entry=0xaaac06983830) at malloc.c:3398
ar_ptr = <optimized out>
p = 0xaaac06983820
err = <optimized out>
#8 0x0000fffe16e8dd78 in g_free (mem=0xaaac06983830) at ../glib/gmem.c:208
#9 0x0000fffe07ec698c in uefi_trace_variable () at /usr/libexec/../lib64/qemu-kvm/hw-uefi-vars.so
#10 0x0000fffe07ec4abc in uefi_vars_set_variable () at /usr/libexec/../lib64/qemu-kvm/hw-uefi-vars.so
#11 0x0000fffe07ec62e8 in uefi_vars_auth_init () at /usr/libexec/../lib64/qemu-kvm/hw-uefi-vars.so
#12 0x0000aaabe43a750c in resettable_phase_hold (obj=0xaaac06d2dbc0, opaque=<optimized out>, type=type@entry=RESET_TYPE_COLD) at ../hw/core/resettable.c:162
rc = 0xaaac06d2d550
s = 0xaaac06d2dc3c
obj_typename = 0xaaac06d2bc10 "uefi-vars-sysbus"
#13 0x0000aaabe43a296c in bus_reset_child_foreach (obj=<optimized out>, cb=0xaaabe43a73f8 <resettable_phase_hold>, opaque=0x0, type=RESET_TYPE_COLD)
at ../hw/core/bus.c:97
_rcu_read_auto11 = 0x1
bus = <optimized out>
kid = 0xaaac06d2f8c0
#14 0x0000aaabe43a74b8 in resettable_child_foreach (rc=0xaaac062d3250, obj=0xaaac06316690, opaque=0x0, type=RESET_TYPE_COLD, cb=<optimized out>)
at ../hw/core/resettable.c:92
#15 resettable_phase_hold (obj=0xaaac06316690, opaque=<optimized out>, type=type@entry=RESET_TYPE_COLD) at ../hw/core/resettable.c:155
rc = 0xaaac062d3250
s = 0xaaac06316700
obj_typename = 0xaaac061e2bd0 "System"
#16 0x0000aaabe43a6eac in resettable_container_child_foreach (obj=<optimized out>, cb=0xaaabe43a73f8 <resettable_phase_hold>, opaque=0x0, type=RESET_TYPE_COLD)
at ../hw/core/resetcontainer.c:54
i = 3
rc = 0xaaac0623d280
len = 8
#17 0x0000aaabe43a74b8 in resettable_child_foreach (rc=0xaaac062ba480, obj=0xaaac0623d280, opaque=0x0, type=RESET_TYPE_COLD, cb=<optimized out>)
at ../hw/core/resettable.c:92
#18 resettable_phase_hold (obj=obj@entry=0xaaac0623d280, opaque=<optimized out>, type=type@entry=RESET_TYPE_COLD) at ../hw/core/resettable.c:155
rc = 0xaaac062ba480
s = 0xaaac0623d2a8
obj_typename = 0xaaac0622a750 "resettable-container"
#19 0x0000aaabe43a6fa8 in resettable_assert_reset (obj=0xaaac0623d280, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:58
#20 resettable_reset (obj=0xaaac0623d280, type=RESET_TYPE_COLD) at ../hw/core/resettable.c:45
#21 0x0000aaabe3f60fa4 in qemu_system_reset (reason=reason@entry=SHUTDOWN_CAUSE_GUEST_RESET) at ../system/runstate.c:528
mc = 0xaaac06283bb0
type = 214984
#22 0x0000aaabe3f619a0 in main_loop_should_exit (status=<optimized out>) at ../system/runstate.c:871
r = RUN_STATE_DEBUG
request = SHUTDOWN_CAUSE_GUEST_RESET
#23 qemu_main_loop () at ../system/runstate.c:904
status = 0
#24 0x0000aaabe4485e5c in qemu_default_main (opaque=<optimized out>) at ../system/main.c:50
status = 0
#25 0x0000aaabe4485e30 in main (argc=<optimized out>, argv=<optimized out>) at ../system/main.c:93
Full test-vm.xml
<domain type='kvm'>
  <name>test-vm</name>
  <memory unit='KiB'>4194304</memory>
  <vcpu placement='static'>2</vcpu>
  <os firmware='efi'>
    <type arch='aarch64' machine='virt-rhel10.2.0'>hvm</type>
    <firmware>
      <feature enabled='yes' name='enrolled-keys'/>
      <feature enabled='yes' name='secure-boot'/>
    </firmware>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <gic version='3'/>
  </features>
  <cpu mode='host-passthrough' check='none'/>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' cache='none' io='native' discard='unmap'/>
      <source file='/RHEL-10.2-aarch64-latest-kernel-64k.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <serial type='pty'>
      <target type='system-serial' port='0'>
        <model name='pl011'/>
      </target>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <tpm model='tpm-tis'>
      <backend type='emulator' version='2.0'/>
    </tpm>
    <graphics type='vnc' port='-1' autoport='yes'>
      <listen type='address'/>
    </graphics>
    <rng model='virtio'>
      <backend model='random'>/dev/urandom</backend>
    </rng>
  </devices>
</domain>
Blocks: RHEL-82645 [aarch64] [libvirt] UEFI writable variable service in QEMU (In Progress)