Minor What were you trying to do that didn't work?
As subject
Please provide the package NVR for which bug is seen:
libvirt v9.9.0-60-g3ad5817053
qemu-kvm-8.0.0-16.el9_3.1.x86_64
How reproducible:
100%
Steps to reproduce
- Prepare a running domain. Create an internal snapshot for it
- โ ~ virsh snapshot-create-as rhel-9.2 a
Domain snapshot a created
- โ ~ virsh snapshot-create-as rhel-9.2 a
- Revert to the snapshot:
- โ ~ virsh snapshot-revert rhel-9.2 a
error: Failed to revert snapshot a
error: internal error: QEMU unexpectedly closed the monitor (vm='rhel-9.2'): qemu-kvm: ../block/io.c:1955: int bdrv_co_write_req_prepare(BdrvChild *, int64_t, int64_t, BdrvTrackedRequest *, int): Assertion `!(bs->open_flags & BDRV_O_INACTIVE)' failed.
- โ ~ virsh snapshot-revert rhel-9.2 a
- Check the coredump:
- โ ~ coredumpctl -1
TIME PID UID GID SIG COREFILE EXE SIZE
Fri 2023-11-17 03:24:57 EST 740268 107 107 SIGABRT present /usr/libexec/qemu-kvm 1.2M
- โ ~ coredumpctl -1
QMP logs:
Step1:
67.217 > 0x7f8a9003f010 {"execute":"human-monitor-command","arguments":{"command-line":"savevm \"a\""},"id":"libvirt-435"}
67.219 ! 0x7f8a9003f010 {"timestamp": {"seconds": 1700209672, "microseconds": 204096}, "event": "MIGRATION", "data": {"status": "setup"}}
67.220 ! 0x7f8a9003f010 {"timestamp": {"seconds": 1700209672, "microseconds": 205635}, "event": "MIGRATION_PASS", "data": {"pass": 1}}
67.538 ! 0x7f8a9003f010 {"timestamp": {"seconds": 1700209672, "microseconds": 523001}, "event": "MIGRATION_PASS", "data": {"pass": 2}}
67.541 ! 0x7f8a9003f010 {"timestamp": {"seconds": 1700209672, "microseconds": 526664}, "event": "MIGRATION", "data": {"status": "completed"}}
67.936 < 0x7f8a9003f010 {"return": "", "id": "libvirt-435"}
67.936 > 0x7f8a9003f010 {"execute":"cont","id":"libvirt-436"}
67.936 ! 0x7f8a9003f010 {"timestamp": {"seconds": 1700209672, "microseconds": 921787}, "event": "RESUME"}
67.939 < 0x7f8a9003f010 {"return": {}, "id": "libvirt-436"}
Step2:
86.428 > 0x7f8a9003f010 {"execute":"qmp_capabilities","id":"libvirt-1"}
Backtrace:
(gdb) bt #0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 #1 0x00007fd6136a36c3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78 #2 0x00007fd613654d06 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #3 0x00007fd6136287f3 in __GI_abort () at abort.c:79 #4 0x00007fd61362871b in __assert_fail_base (fmt=<optimized out>, assertion=<optimized out>, file=<optimized out>, line=<optimized out>, function=<optimized out>) at assert.c:92 #5 0x00007fd61364dca6 in __assert_fail (assertion=0x55bf9fba0671 "!(bs->open_flags & BDRV_O_INACTIVE)", file=0x55bf9fbadb30 <str.1.llvm> "../block/io.c", line=1955, function=0x55bf9fbaed46 "int bdrv_co_write_req_prepare(BdrvChild *, int64_t, int64_t, BdrvTrackedRequest *, int)") at assert.c:101 #6 0x000055bf9f8b728f in bdrv_co_write_req_prepare (child=0x55bfa0f759a0, offset=131072, bytes=65536, req=0x7fd579ddde38, flags=0) at ../block/io.c:1955 #7 0x000055bf9f8b4ead in bdrv_aligned_pwritev (child=0x55bfa0f759a0, req=0x7fd579ddde38, offset=131072, bytes=65536, align=1, qiov=0x7fd579dddf50, qiov_offset=0, flags=0) at ../block/io.c:2070 #8 0x000055bf9f8b46a3 in bdrv_co_pwritev_part (child=<optimized out>, offset=131072, bytes=<optimized out>, qiov=0xa2e64656c6961, qiov_offset=<optimized out>, flags=0) at ../block/io.c:2287 #9 0x000055bf9f8685e9 in bdrv_co_pwritev (child=0x55bfa0f759a0, offset=131072, bytes=65536, flags=0, qiov=<optimized out>) at ../block/io.c:2204 #10 bdrv_co_pwrite (child=0x55bfa0f759a0, offset=131072, bytes=65536, buf=0x7fd610016000, flags=0) at /usr/src/debug/qemu-kvm-8.0.0-16.el9_3.1.x86_64/include/block/block_int-io.h:77 #11 bdrv_pwrite (child=0x55bfa0f759a0, offset=131072, bytes=65536, buf=0x7fd610016000, flags=0) at block/block-gen.c:158 #12 0x000055bf9f8d1621 in qcow2_cache_entry_flush (bs=<optimized out>, c=0x55bfa0f75e70, i=<optimized out>) at ../block/qcow2-cache.c:227 #13 0x000055bf9f8d112e in qcow2_cache_write (bs=0x55bfa0f6d950, c=0x55bfa0f75e70) at ../block/qcow2-cache.c:248 #14 0x000055bf9f8e9c69 in qcow2_write_caches (bs=0x55bfa0f6d950) at ../block/qcow2-refcount.c:1221 #15 qcow2_co_flush_to_os (bs=0x55bfa0f6d950) at ../block/qcow2.c:4991 #16 0x000055bf9f8b2d8a in bdrv_co_flush (bs=0x55bfa0f6d950) at ../block/io.c:3018 #17 0x000055bf9f8695a1 in bdrv_co_flush_entry (opaque=0x7fd61265fd70) at block/block-gen.c:646 #18 0x000055bf9fa8bc86 in coroutine_trampoline (i0=<optimized out>, i1=<optimized out>) at ../util/coroutine-ucontext.c:177 #19 0x00007fd61362a360 in __start_context () at ../sysdeps/unix/sysv/linux/x86_64/__start_context.S:91 #20 0x00007fd61265f930 in () #21 0x0000000000000000 in ()
See the domain XML and full backtrace in the attachment internal-snapshot-sigabrt.tar.gz
Expected results
No SIGABRT
Actual results
As above
- is cloned by
-
RHEL-17841 Libvirt starts qemu with '-loadvm SNAP' combined with '-incoming defer' on snapshot revert
-
- Closed
-
- links to
[RHEL-16782] QEMU gets SIGABRT when '-loadvm SNAP' is combined with '-incoming defer'
Dear Assignee/Developer and QE counterpart: this ticket is currently in an out-of-process state because it sits in the "Release Pending" status but the "Errata Link" is empty: the code here worked on is likely to not have landed in advisory, or perhaps it was, but in a later build/ticket. Was the advisory dropped? Or was this ticket manually moved to "Release Pending" without there being an advisory?
In either case, please evaluate the situation of this ticket and move it to a better state: either to Closed with an appropriate resolution (e.g. Obsolete) or back to "In progress", "Integration", or "Planning", as you see fit.
Verified this issue as below.
Tested with:
qemu-kvm-9.0.0-3.el9
kernel-5.14.0-452.el9
Steps:
1.Boot a guest with -incoming defer
#/usr/libexec/qemu-kvm \ -S \ -name 'avocado-vt-vm1' \ -sandbox on,elevateprivileges=deny,obsolete=deny,resourcecontrol=deny \ -machine pc,memory-backend=mem-machine_mem \ -nodefaults \ -device '{"driver": "VGA", "bus": "pci.0", "addr": "0x2"}' \ -m 24576 \ -object '{"size": 25769803776, "id": "mem-machine_mem", "qom-type": "memory-backend-ram"}' \ -smp 32,maxcpus=32,cores=16,threads=1,dies=1,sockets=2 \ -cpu 'Cascadelake-Server',vmx=on,pdcm=on,hypervisor=on,ss=on,tsc-adjust=on,umip=on,pku=on,md-clear=on,stibp=on,flush-l1d=on,arch-capabilities=on,xsaves=on,ibpb=on,ibrs=on,amd-stibp=on,amd-ssbd=on,rdctl-no=on,ibrs-all=on,skip-l1dfl-vmentry=on,mds-no=on,pschange-mc-no=on,tsx-ctrl=on,sbdr-ssdp-no=on,psdp-no=on,fb-clear=on,gds-no=on,vmx-ins-outs=on,vmx-true-ctls=on,vmx-store-lma=on,vmx-activity-hlt=on,vmx-activity-wait-sipi=on,vmx-vmwrite-vmexit-fields=on,vmx-apicv-xapic=on,vmx-ept=on,vmx-desc-exit=on,vmx-rdtscp-exit=on,vmx-apicv-x2apic=on,vmx-vpid=on,vmx-wbinvd-exit=on,vmx-unrestricted-guest=on,vmx-apicv-register=on,vmx-apicv-vid=on,vmx-rdrand-exit=on,vmx-invpcid-exit=on,vmx-vmfunc=on,vmx-shadow-vmcs=on,vmx-rdseed-exit=on,vmx-pml=on,vmx-xsaves=on,vmx-tsc-scaling=on,vmx-ept-execonly=on,vmx-page-walk-4=on,vmx-ept-2mb=on,vmx-ept-1gb=on,vmx-invept=on,vmx-eptad=on,vmx-invept-single-context=on,vmx-invept-all-context=on,vmx-invvpid=on,vmx-invvpid-single-addr=on,vmx-invvpid-all-context=on,vmx-intr-exit=on,vmx-nmi-exit=on,vmx-vnmi=on,vmx-preemption-timer=on,vmx-posted-intr=on,vmx-vintr-pending=on,vmx-tsc-offset=on,vmx-hlt-exit=on,vmx-invlpg-exit=on,vmx-mwait-exit=on,vmx-rdpmc-exit=on,vmx-rdtsc-exit=on,vmx-cr3-load-noexit=on,vmx-cr3-store-noexit=on,vmx-cr8-load-exit=on,vmx-cr8-store-exit=on,vmx-flexpriority=on,vmx-vnmi-pending=on,vmx-movdr-exit=on,vmx-io-exit=on,vmx-io-bitmap=on,vmx-mtf=on,vmx-msr-bitmap=on,vmx-monitor-exit=on,vmx-pause-exit=on,vmx-secondary-ctls=on,vmx-exit-nosave-debugctl=on,vmx-exit-load-perf-global-ctrl=on,vmx-exit-ack-intr=on,vmx-exit-save-pat=on,vmx-exit-load-pat=on,vmx-exit-save-efer=on,vmx-exit-load-efer=on,vmx-exit-save-preemption-timer=on,vmx-exit-clear-bndcfgs=on,vmx-entry-noload-debugctl=on,vmx-entry-ia32e-mode=on,vmx-entry-load-perf-global-ctrl=on,vmx-entry-load-pat=on,vmx-entry-load-efer=on,vmx-entry-load-bndcfgs=on,vmx-eptp-switching=on,hle=off,rtm=off,kvm_pv_unhalt=on \ -chardev socket,wait=off,path=/var/tmp/avocado_t1lf1a45/monitor-qmpmonitor1-20240610-222825-jRrXEKpQ,id=qmp_id_qmpmonitor1,server=on \ -mon chardev=qmp_id_qmpmonitor1,mode=control \ -chardev socket,wait=off,path=/var/tmp/avocado_t1lf1a45/monitor-catch_monitor-20240610-222825-jRrXEKpQ,id=qmp_id_catch_monitor,server=on \ -mon chardev=qmp_id_catch_monitor,mode=control \ -device '{"ioport": 1285, "driver": "pvpanic", "id": "idcW58d6"}' \ -chardev socket,wait=off,path=/var/tmp/avocado_t1lf1a45/serial-serial0-20240610-222825-jRrXEKpQ,id=chardev_serial0,server=on \ -device '{"id": "serial0", "driver": "isa-serial", "chardev": "chardev_serial0"}' \ -chardev socket,id=seabioslog_id_20240610-222825-jRrXEKpQ,path=/var/tmp/avocado_t1lf1a45/seabios-20240610-222825-jRrXEKpQ,server=on,wait=off \ -device isa-debugcon,chardev=seabioslog_id_20240610-222825-jRrXEKpQ,iobase=0x402 \ -device '{"driver": "ich9-usb-ehci1", "id": "usb1", "addr": "0x1d.0x7", "multifunction": true, "bus": "pci.0"}' \ -device '{"driver": "ich9-usb-uhci1", "id": "usb1.0", "multifunction": true, "masterbus": "usb1.0", "addr": "0x1d.0x0", "firstport": 0, "bus": "pci.0"}' \ -device '{"driver": "ich9-usb-uhci2", "id": "usb1.1", "multifunction": true, "masterbus": "usb1.0", "addr": "0x1d.0x2", "firstport": 2, "bus": "pci.0"}' \ -device '{"driver": "ich9-usb-uhci3", "id": "usb1.2", "multifunction": true, "masterbus": "usb1.0", "addr": "0x1d.0x4", "firstport": 4, "bus": "pci.0"}' \ -device '{"driver": "usb-tablet", "id": "usb-tablet1", "bus": "usb1.0", "port": "1"}' \ -blockdev '{"node-name": "file_image1", "driver": "file", "auto-read-only": true, "discard": "unmap", "aio": "threads", "filename": "/home/kvm_autotest_root/images/rhel950-64-virtio.qcow2", "cache": {"direct": true, "no-flush": false}}' \ -blockdev '{"node-name": "drive_image1", "driver": "qcow2", "read-only": false, "cache": {"direct": true, "no-flush": false}, "file": "file_image1"}' \ -device '{"driver": "virtio-blk-pci", "id": "image1", "drive": "drive_image1", "bootindex": 1, "write-cache": "on", "bus": "pci.0", "addr": "0x3"}' \ -device '{"driver": "virtio-net-pci", "mac": "9a:7e:23:5f:87:e0", "id": "idDU8Xin", "netdev": "idIpnbjL", "bus": "pci.0", "addr": "0x4"}' \ -netdev '{"id": "idIpnbjL", "type": "tap", "vhost": true}' \ -vnc :0 \ -rtc base=utc,clock=host,driftfix=slew \ -boot menu=off,order=cdn,once=d,strict=off \ -enable-kvm \ -monitor stdio \ -incoming defer
2. Connect to the QMP monitor and execute internal snapshots related operations
# nc -U /var/tmp/avocado_t1lf1a45/monitor-qmpmonitor1-20240610-222825-jRrXEKpQ {"QMP": {"version": {"qemu": {"micro": 0, "minor": 0, "major": 9}, "package": "qemu-kvm-9.0.0-3.el9"}, "capabilities": ["oob"]}} {"execute": "qmp_capabilities"} {"return": {}} {"execute":"human-monitor-command","arguments":{"command-line":"savevm sn1"}} {"return": ""} {"execute":"human-monitor-command","arguments":{"command-line":"info snapshots"}} {"return": "List of snapshots present on all disks:\r\nID TAG VM_SIZE DATE VM_CLOCK ICOUNT\r\n-- sn1 54.5 MiB 2024-06-10 23:07:09 0000:00:00.000 --\r\n"} {"execute":"human-monitor-command","arguments":{"command-line":"loadvm sn1"}} {"return": ""} {"execute":"human-monitor-command","arguments":{"command-line":"info snapshots"}} {"return": "List of snapshots present on all disks:\r\nID TAG VM_SIZE DATE VM_CLOCK ICOUNT\r\n-- sn1 54.5 MiB 2024-06-10 23:07:09 0000:00:00.000 --\r\n"} {"execute":"human-monitor-command","arguments":{"command-line":"delvm sn1"}} {"return": ""}
This was fixed in upstream QEMU 9.0. As we already rebased to it in RHEL 9.5, this should be ready to be tested.
Reproduced this issue as below:
Tested with:
qemu-kvm-8.1.0-4.el9
kernel-5.14.0-384.el9.x86_64
Steps:
1. Bootup a guest with a qcow2 image file
# /usr/libexec/qemu-kvm -hda test.qcow2 -incoming defer -monitor stdio -chardev socket,wait=off,server=on,path=/var/tmp/avocado_i2b3ppko/monitor-qmpmonitor1-20231119-202945-x5LVW3vj,id=qmp_id_qmpmonitor1 -mon chardev=qmp_id_qmpmonitor1,mode=control
2. Create internal snapshot in the image file
# nc -U /var/tmp/avocado_i2b3ppko/monitor-qmpmonitor1-20231119-202945-x5LVW3vj {"QMP": {"version": {"qemu": {"micro": 0, "minor": 1, "major": 8}, "package": "qemu-kvm-8.1.0-4.el9"}, "capabilities": ["oob"]}}{"execute": "qmp_capabilities"} {"return": {}} {"execute":"human-monitor-command","arguments":{"command-line":"savevm sn1"}} Ncat: Connection reset by peer.
Result:
After step2, the qemu crashed
(qemu) qemu-kvm: ../block/io.c:1957: int bdrv_co_write_req_prepare(BdrvChild *, int64_t, int64_t, BdrvTrackedRequest *, int): Assertion `!(bs->open_flags & BDRV_O_INACTIVE)' failed. Aborted (core dumped)
Upstream patches for the QEMU part: https://patchew.org/QEMU/20231201142520.32255-1-kwolf@redhat.com/
Oops, the awful Jira UI didn't make me see your much more detailed and better analysis before I added my comment. Sorry for the noise.
Yes libvirt needs to be fixed:
Issue: https://issues.redhat.com/browse/RHEL-17841
upstream patch: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/3UJCAAKX4IO2BLINT6J77AP33RWAANB7/
pkrempa@redhat.com So the command line contains both -incoming defer and -loadvm s1, which causes the problem. This combination doesn't make sense, either the state comes from a snapshot or from migration, but you can't have both. So even if we fix QEMU not to crash, it would only be to return an error, so libvirt needs to change something, too.
With a qcow2 file containing an internal snapshot, the crash is as easy to reproduce as this, no QMP involved at all:
$ ./qemu-system-x86_64 -hda /tmp/test.qcow2 -loadvm foo -incoming defer qemu-system-x86_64: ../block/io.c:1990: int bdrv_co_write_req_prepare(BdrvChild *, int64_t, int64_t, BdrvTrackedRequest *, int): Assertion `!(bs->open_flags & BDRV_O_INACTIVE)' failed.
As this issue is marked with testonly, so close it directly here.
Thanks.