Bug 1299411

Summary: libvirtd crash when create external snapshot for empty cdrom on running guest
Product: Red Hat Enterprise Linux 6
Component: libvirt
Version: 6.8
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: low
Priority: low
Target Milestone: rc
Reporter: Han Han <hhan>
Assignee: Jiri Denemark <jdenemar>
QA Contact: Virtualization Bugs <virt-bugs>
CC: dyuan, jdenemar, rbalakri, xuzhang, yanyang
Fixed In Version: libvirt-0.10.2-56.el6
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-05-10 19:25:49 UTC
Attachments: full backtrace of coredump; Libvirtd log

Description Han Han 2016-01-18 10:24:43 UTC
Created attachment 1115796
full backtrace of coredump

Description of problem:
Prepare a guest with an empty cdrom and create an external snapshot for the empty cdrom disk while the guest is running; libvirtd will crash.

Version-Release number of selected component (if applicable):
libvirt-0.10.2-55.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.483.el6.x86_64
kernel-2.6.32-592.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Prepare a healthy guest with an OS image and an empty cdrom, as in the following XML:
```
...
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' cache='none'/>
      <source file='/var/lib/libvirt/images/c1.qcow2'/>
      <target dev='vda' bus='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <target dev='hda' bus='ide'/>
      <readonly/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
...
```

2. Start the guest and create an external snapshot for hda only.
```
# virsh start c1
Domain c1 started
# virsh snapshot-create-as c1 keke --disk-only --diskspec vda,snapshot=no --diskspec hda,file=/tmp/keke
error: End of file while reading data: Input/output error
error: One or more references were leaked after disconnect from the hypervisor
error: Failed to reconnect to the hypervisor
```

libvirtd crashes due to SIGSEGV.
The full backtrace is in the backtrace attachment.

3. Try to create an inactive external snapshot:
```
# virsh snapshot-create-as c1 keke --disk-only --diskspec vda,snapshot=no --diskspec s\da,file=/tmp/keke
error: internal error Child process (/usr/bin/qemu-img create -f qcow2 -o 'backing_file=(null),backing_fmt=raw' /tmp/keke) unexpected exit status 1: 2016-01-18 10:09:57.466+0000: 15496: debug : virFileClose:72 : Closed fd 23
2016-01-18 10:09:57.466+0000: 15496: debug : virFileClose:72 : Closed fd 25
2016-01-18 10:09:57.466+0000: 15496: debug : virFileClose:72 : Closed fd 21
2016-01-18 10:09:57.466+0000: 15496: debug : virCommandHook:2148 : Hook is done 0
Could not open '(null)': No such file or directory
```

Actual results:
Step 2 causes a segmentation fault.

Expected results:
Step 2 prints the following, with no crash:
error: internal error: unable to execute QEMU command 'transaction': Device 'drive-ide0-0-0' has no medium

Additional info:
I. RHEL 7.2 gives the expected result.
II. In step 2, trying it with a SCSI cdrom reproduces the bug. When the cdrom has media, the snapshot is created successfully.

Comment 1 Han Han 2016-01-18 10:26:43 UTC
Created attachment 1115797
Libvirtd log

Comment 5 Han Han 2016-01-28 02:27:23 UTC
I can reproduce it on libvirt-0.10.2-55.el6.x86_64.
Verify it on libvirt-0.10.2-56.el6.x86_64:
1. Prepare a running guest with an empty cdrom:
```
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' cache='none'/>
      <source file='/var/lib/libvirt/images/n1.qcow2'/>
      <target dev='vda' bus='virtio'/>
      <alias name='virtio-disk0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <target dev='hda' bus='ide'/>
      <readonly/>
      <alias name='ide0-0-0'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
```
```
# virsh list
 Id    Name                           State
----------------------------------------------------
 1     n1                             running
```

2. Try to do snapshot for the cdrom:
```
# virsh snapshot-create-as n1 keke --disk-only --diskspec vda,snapshot=no --diskspec hda,file=/tmp/keke
error: Requested operation is not valid: disk 'hda' has no source
```

```
# cat snap.xml
<domainsnapshot>
<disks>
<disk name='vda' snapshot='external'>
<driver type='qcow2'/>
<source file='/var/lib/libvirt/images/n1.va'/>
</disk>
<disk name='hda' snapshot='external'>
<driver type='qcow2'/>
<source file='/tmp/cdrom'/>
</disk>
</disks>
</domainsnapshot>
# virsh snapshot-create n1 snap.xml --disk-only
error: Requested operation is not valid: disk 'hda' has no source
# virsh snapshot-create-as n1 keke --disk-only --diskspec vda,file=/tmp/keke --diskspec hda,snapshot=no
Domain snapshot keke created

# virsh snapshot-list n1
 Name                 Creation Time             State
------------------------------------------------------------
 keke                 2016-01-28 10:25:30 +0800 disk-snapshot
```
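
A pre-flight check for hosts still on the affected build, as an added example that is not part of the bug report or of libvirt: it reads domain XML (as printed by `virsh dumpxml`) and returns the `--diskspec` entries that would request a disk-only snapshot of a disk with no `<source>`, the condition the fixed build rejects with "disk 'hda' has no source". The function names and the trimmed sample XML are constructed for illustration, and diskspecs are assumed to name disks by target (`vda`, `hda`).

```python
import xml.etree.ElementTree as ET

# Constructed sample: domain XML trimmed to the two disks shown in the report.
DOMAIN_XML = """
<domain type='kvm'>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' cache='none'/>
      <source file='/var/lib/libvirt/images/n1.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <target dev='hda' bus='ide'/>
      <readonly/>
    </disk>
  </devices>
</domain>
"""

def disks_without_source(domain_xml):
    """Return target names of disks with no usable <source> (e.g. empty cdrom)."""
    root = ET.fromstring(domain_xml)
    empty = []
    for disk in root.findall("./devices/disk"):
        target = disk.find("target")
        source = disk.find("source")
        # <source> may be missing entirely, or present without a location attribute.
        has_src = source is not None and any(
            source.get(attr) for attr in ("file", "dev", "name", "dir"))
        if target is not None and not has_src:
            empty.append(target.get("dev"))
    return empty

def check_diskspecs(domain_xml, diskspecs):
    """Return disks whose diskspec asks for a snapshot although they have no source."""
    empty = set(disks_without_source(domain_xml))
    rejected = []
    for spec in diskspecs:
        name, _, opts = spec.partition(",")
        options = dict(o.partition("=")[::2] for o in opts.split(",") if o)
        if options.get("snapshot") == "no":
            continue  # disk explicitly excluded from the snapshot
        if name in empty:
            rejected.append(name)
    return rejected
```
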

Comment 7 errata-xmlrpc 2016-05-10 19:25:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0738.html