Bug 1264113

Summary: qemu-kvm: spicevmc.c:324: spicevmc_red_channel_alloc_msg_rcv_buf: Assertion `!state->recv_from_client_buf' failed.
Product: Red Hat Enterprise Linux 6
Component: spice-server
Version: 6.7
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: Dr. David Alan Gilbert <dgilbert>
Assignee: Default Assignee for SPICE Bugs <rh-spice-bugs>
QA Contact: SPICE QE bug list <spice-qe-bugs>
CC: cfergeau, chayang, dblechte, djasa, juzhang, mkenneth, rbalakri, tpelka, virt-maint
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: spice-server-0.12.4-13.el6
Doc Type: Bug Fix
Last Closed: 2016-05-11 01:27:54 UTC
Type: Bug

Description Dr. David Alan Gilbert 2015-09-17 14:23:11 UTC
Description of problem:
qemu died with an assertion after virt-manager died; usb-redir was involved

Version-Release number of selected component (if applicable):
qemu-kvm-0.12.1.2-2.479.el6.x86_64
qemu-kvm-tools-0.12.1.2-2.479.el6.x86_64
gpxe-roms-qemu-0.9.7-6.14.el6.noarch
spice-server-0.12.4-12.el6_7.1.x86_64
usbredir-0.5.1-2.el6.x86_64

How reproducible:
not sure yet

Steps to Reproduce:
1. I had a rhel7.1 guest running, with a usb2 card
2. Boot to X
3. Usbredir attach a webcam via virt-manager
4. Start 'cheese' in the guest and watch yourself over the attached webcam.
5. Kill the virt-manager (in my case virt-manager OOM'd - I guess that's a separate problem)

Actual results:
The guest died with:
main_channel_handle_parsed: net test: latency 214.145000 ms, bitrate 18613443 bps (17.751163 Mbps)
red_dispatcher_set_cursor_peer: 
inputs_connect: inputs channel client create
red_channel_client_disconnect: rcc=0x7f922e121050 (channel=0x7f922e0d6620 type=9 id=0)
red_channel_client_disconnect: rcc=0x7f90f826e8a0 (channel=0x7f90f821f920 type=4 id=0)
red_channel_client_disconnect: rcc=0x7f922e104740 (channel=0x7f922cc42ef0 type=1 id=0)
main_channel_client_on_disconnect: rcc=0x7f922e104740
red_client_destroy: destroy client 0x7f922ce09f80 with #channels=5
red_channel_client_disconnect: rcc=0x7f922e1374e0 (channel=0x7f922cc4d4c0 type=3 id=0)
red_dispatcher_disconnect_cursor_peer: 
red_dispatcher_disconnect_display_peer: 
red_channel_client_disconnect: rcc=0x7f92194af010 (channel=0x7f90f821f350 type=2 id=0)
red_channel_client_disconnect: rcc=0x7f922e10abc0 (channel=0x7f922e0d6c70 type=9 id=1)
main_channel_link: add main channel client
main_channel_handle_parsed: net test: latency 207.018000 ms, bitrate 11477826 bps (10.946108 Mbps)
qemu-kvm: spicevmc.c:324: spicevmc_red_channel_alloc_msg_rcv_buf: Assertion `!state->recv_from_client_buf' failed.
2015-09-17 14:11:55.705+0000: shutting down


Expected results:
guest carries on even though client died

Additional info:

Comment 1 Dr. David Alan Gilbert 2015-09-17 14:31:48 UTC
(gdb) bt full
#0  0x00007f9228827625 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
        resultvar = 0
        pid = 7409
        selftid = 7409
#1  0x00007f9228828e05 in abort () at abort.c:92
        save_stage = 2
        act = {__sigaction_handler = {sa_handler = 0x7f9229110900, sa_sigaction = 0x7f9229110900}, sa_mask = {
            __val = {140265722790716, 140734836477008, 140265857956552, 140734836477248, 140265721803286, 
    206158430232, 140734836477264, 140734836477040, 140265721709384, 206158430256, 140734836477296, 
    140265793929088, 0, 733634176081289574, 7162256393777804385, 140734836488406}}, sa_flags = 680832044, 
          sa_restorer = 0x7f92291108f5}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00007f922882074e in __assert_fail_base (fmt=<value optimized out>, assertion=
    0x7f9229110900 "!state->recv_from_client_buf", file=0x7f92291108f5 "spicevmc.c", line=<value optimized out>, 
    function=<value optimized out>) at assert.c:96
        str = 0x7f922cd23f80 ""
        total = 4096
#3  0x00007f9228820810 in __assert_fail (assertion=0x7f9229110900 "!state->recv_from_client_buf", file=
    0x7f92291108f5 "spicevmc.c", line=324, function=0x7f9229110d00 "spicevmc_red_channel_alloc_msg_rcv_buf")
    at assert.c:105
No locals.
#4  0x00007f922907efda in spicevmc_red_channel_alloc_msg_rcv_buf (rcc=<value optimized out>, 
    type=<value optimized out>, size=<value optimized out>) at spicevmc.c:324
        state = 0x7f922e0d6c70
        __PRETTY_FUNCTION__ = "spicevmc_red_channel_alloc_msg_rcv_buf"
        __FUNCTION__ = "spicevmc_red_channel_alloc_msg_rcv_buf"
#5  0x00007f922903f3a0 in red_peer_handle_incoming (rcc=0x7f9230a2f990) at red_channel.c:267
        ret_handle = <value optimized out>
        bytes_read = <value optimized out>
        msg_type = 101
        parsed = <value optimized out>
        parsed_free = 0x7fff61ef8e30
        msg_size = 80
#6  red_channel_client_receive (rcc=0x7f9230a2f990) at red_channel.c:322
No locals.
#7  0x00007f922904027c in red_channel_client_event (fd=<value optimized out>, event=<value optimized out>, data=
    0x7f9230a2f990) at red_channel.c:1561
        rcc = 0x7f9230a2f990

Comment 3 Dr. David Alan Gilbert 2015-09-17 14:45:54 UTC
Seems repeatable; just triggered it again by kill -9'ing virt-manager.
(My virt-manager is on f22)

Comment 4 Dr. David Alan Gilbert 2015-09-17 14:56:01 UTC
One observation; the assert happens when I reconnect after the virt-manager is killed, not when I kill it.

Note also it happens with virt-viewer as well, not just virt-manager.

Comment 5 Christophe Fergeau 2015-09-29 10:11:01 UTC
http://lists.freedesktop.org/archives/spice-devel/2015-September/022090.html should fix this.

Comment 11 errata-xmlrpc 2016-05-11 01:27:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0973.html