Bug 1318181

The backtrace:
#0  qstring_get_str (qstring=0x0) at qobject/qstring.c:134
No locals.
#1  0x00007f6bf1c331ed in qdict_get_str (qdict=<optimized out>, key=key@entry=0x7f6bf1cc095d "id") at qobject/qdict.c:285
No locals.
#2  0x00007f6bf1a8e437 in hmp_drive_del (mon=<optimized out>, qdict=<optimized out>) at blockdev.c:2741
        id = <optimized out>
        blk = <optimized out>
        bs = <optimized out>
        aio_context = <optimized out>
        local_err = 0x7f6bf4943200
#3  0x00007f6bf19ca65b in handle_qmp_command (parser=<optimized out>, tokens=<optimized out>) at /usr/src/debug/qemu-2.5.0/monitor.c:3905
        local_err = 0x0
        obj = <optimized out>
        data = 0x0
        input = <optimized out>
        args = 0x7f6bf4936800
        cmd_name = <optimized out>
        mon = 0x7f6bf35d1500
        __func__ = "handle_qmp_command"
#4  0x00007f6bf1c34c70 in json_message_process_token (lexer=0x7f6bf35d1568, input=0x7f6bf35e8ba0, type=JSON_RCURLY, x=94, y=32) at qobject/json-streamer.c:93
        parser = 0x7f6bf35d1560
        token = 0x7f6bf4f23640
#5  0x00007f6bf1c48973 in json_lexer_feed_char (lexer=lexer@entry=0x7f6bf35d1568, ch=125 '}', flush=flush@entry=false) at qobject/json-lexer.c:310
        new_state = <optimized out>
        __PRETTY_FUNCTION__ = "json_lexer_feed_char"
#6  0x00007f6bf1c48a3e in json_lexer_feed (lexer=0x7f6bf35d1568, buffer=<optimized out>, size=<optimized out>) at qobject/json-lexer.c:360
        err = <optimized out>
        i = <optimized out>
#7  0x00007f6bf1c34d69 in json_message_parser_feed (parser=<optimized out>, buffer=<optimized out>, size=<optimized out>) at qobject/json-streamer.c:113
No locals.
#8  0x00007f6bf19c895b in monitor_qmp_read (opaque=<optimized out>, buf=<optimized out>, size=<optimized out>) at /usr/src/debug/qemu-2.5.0/monitor.c:3921
        old_mon = 0x0
#9  0x00007f6bf1a9614e in qemu_chr_be_write (len=<optimized out>, buf=0x7fff79920e50 "}\016\222y\377\177", s=0x7f6bf35ce880) at qemu-char.c:280
No locals.
#10 tcp_chr_read (chan=<optimized out>, cond=<optimized out>, opaque=0x7f6bf35ce880) at qemu-char.c:2902
        chr = 0x7f6bf35ce880
        s = 0x7f6bf35a0540
        buf = "}\016\222y\377\177\000\000 \"\356\341k\177\000\000x\"\222y\377\177", '\000' <repeats 18 times>, "\020", '\000' <repeats 15 times>, "\001", '\000' <repeats 151 times>...
        len = <optimized out>
        size = <optimized out>
#11 0x00007f6be6d8679a in g_main_dispatch (context=0x7f6bf3557200) at gmain.c:3109
        dispatch = 0x7f6be6dca050 <g_io_unix_dispatch>
        prev_source = 0x0
        was_in_call = 0
        user_data = 0x7f6bf35ce880
        callback = 0x7f6bf1a960c0 <tcp_chr_read>
        cb_funcs = 0x7f6be70728a0 <g_source_callback_funcs>
        cb_data = 0x7f6bf35ed080
        need_destroy = <optimized out>
        source = 0x7f6bf3553980
        current = 0x7f6bf355cc50
        i = 0
#12 g_main_context_dispatch (context=context@entry=0x7f6bf3557200) at gmain.c:3708
No locals.
#13 0x00007f6bf1bbffc0 in glib_pollfds_poll () at main-loop.c:211
        context = 0x7f6bf3557200
        pfds = <optimized out>
#14 os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:256
        ret = 2
        spin_counter = 0
#15 main_loop_wait (nonblocking=<optimized out>) at main-loop.c:504
        ret = 2
        timeout = 4294967295
        timeout_ns = <optimized out>
#16 0x00007f6bf199e65e in main_loop () at vl.c:1923
        nonblocking = <optimized out>
        last_io = 2
#17 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4695
        i = <optimized out>
        snapshot = <optimized out>
        linux_boot = <optimized out>
        initrd_filename = <optimized out>
        kernel_filename = <optimized out>
        kernel_cmdline = <optimized out>
        boot_order = 0x7f6bf1c5f4b2 "cad"
        boot_once = 0x0
        cyls = <optimized out>
        heads = <optimized out>
        secs = <optimized out>
        translation = <optimized out>
        hda_opts = <optimized out>
        opts = <optimized out>
        machine_opts = <optimized out>
        icount_opts = <optimized out>
        olist = <optimized out>
        optind = 96
        optarg = 0x7f6bf35ec980 "pc-i440fx-rhel7.2.0"
        loadvm = <optimized out>
        machine_class = <optimized out>
        cpu_model = <optimized out>
        vga_model = 0x0
        qtest_chrdev = <optimized out>
        qtest_log = <optimized out>
        pid_file = <optimized out>
        incoming = <optimized out>
        show_vnc_port = <optimized out>
        defconfig = <optimized out>
        userconfig = false
        log_mask = <optimized out>
        log_file = <optimized out>
        trace_events = <optimized out>
        trace_file = <optimized out>
        maxram_size = <optimized out>
        ram_slots = <optimized out>
        vmstate_dump_file = <optimized out>
        main_loop_err = 0x0
        err = 0x0
        __func__ = "main"

The bug seems fixed in upstream, qemu-kvm-2.5.0-9.fc24.x86_64 not reproduced.

*** Bug 1318490 has been marked as a duplicate of this bug. ***

*** Bug 1334340 has been marked as a duplicate of this bug. ***

Hostdev device also have the problem. eg. unplug following xml:
<hostdev mode='subsystem' type='scsi' managed='no'>
<source>
<adapter name='scsi_host4'/>
<address bus='0' target='0' unit='0'/>
</source>
<alias name='hostdev0'/>
<address type='drive' controller='0' bus='0' target='0' unit='0'/>
</hostdev>

I suspect this is duplicate of bug 1341531.  We fixed that one in qemu-kvm-rhev-2.6.0-12.el7.  Could you please retest this bug with that version?  If it appears to be fixed there, also testing the version before would be nice.

I test it on qemu-kvm-rhev-2.6.0-12.el7 and qemu-kvm-rhev-2.6.0-11.el7 via detach virtio disk. qemu-kvm-rhev-2.6.0-12.el7 is fixed while qemu-kvm-rhev-2.6.0-11.el7 is unfixed.

Han Han, thank you very much for your prompt testing.

*** This bug has been marked as a duplicate of bug 1341531 ***