Bug 1355704

Summary: spice: core dump when 'quit'
Product: Red Hat Enterprise Linux 7
Reporter: yduan
Component: qemu-kvm-rhev
Assignee: Marc-Andre Lureau <marcandre.lureau>
Status: CLOSED ERRATA
QA Contact: Guo, Zhiyi <zhguo>
Severity: medium
Docs Contact:
Priority: high
Version: 7.3
CC: amit.shah, armbru, chayang, dgilbert, jherrman, jinzhao, juzhang, knoel, marcandre.lureau, quintela, virt-maint, xfu, yduan
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: qemu-kvm-rhev-2.6.0-21.el7
Doc Type: Bug Fix
Doc Text:
Previously, attempting to shut down a guest virtual machine that was using SPICE audio caused the guest to enter a deadlock state. This update improves the ordering of clean-up actions when exiting a guest, and guests using SPICE audio now shut down correctly.
Story Points: ---
Clone Of:
Clones: 1362405 1372192
Environment:
Last Closed: 2016-11-07 21:23:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1362405, 1372192

Description yduan 2016-07-12 09:55:50 UTC
Description of problem:
After migration finished, quit source emulator from HMP and core dumped.

Version-Release number of selected component (if applicable):
Host:
  kernel: 3.10.0-458.el7.x86_64
  qemu-kvm-rhev-2.6.0-13.el7.x86_64
Guest:
  kernel: 3.10.0-460.el7.x86_64

How reproducible:
2/2

Steps to Reproduce:
1. Start the VM with the following command:
/usr/libexec/qemu-kvm \
 -S \
 -name 'rhel7.3' \
 -machine q35,accel=kvm,vmport=off \
 -m 4096 \
 -smp 4,maxcpus=4,sockets=1,cores=2,threads=2 \
 -cpu SandyBridge,enforce \
 -rtc base=localtime,clock=host,driftfix=slew \
 -nodefaults \
 -vga qxl \
 -device AC97,bus=pcie.0 \
 -chardev socket,id=qmp_id_qmpmonitor1,path=/tmp/monitor-qmpmonitor1-20151214-111528-C6FB1EaX,server,nowait \
 -mon chardev=qmp_id_qmpmonitor1,mode=control \
 -chardev socket,id=qmp_id_catch_monitor,path=/tmp/monitor-catch_monitor-20151214-111528-C6FB1EaX,server,nowait \
 -mon chardev=qmp_id_catch_monitor,mode=control \
 -device pvpanic,ioport=0x505,id=idSWJ5gV \
 -chardev socket,id=serial_id_serial0,path=/tmp/serial-serial0-20151214-111528-C6FB1EaX,server,nowait \
 -device isa-serial,chardev=serial_id_serial0 \
 -chardev socket,id=seabioslog_log,path=/tmp/seabios-log,server,nowait \
 -device isa-debugcon,chardev=seabioslog_log,iobase=0x402 \
 -device ich9-usb-ehci1,id=usb1,addr=1d.7,multifunction=on,bus=pcie.0 \
 -device ich9-usb-uhci1,id=usb1.0,multifunction=on,masterbus=usb1.0,addr=1d.0,firstport=0,bus=pcie.0 \
 -device ich9-usb-uhci2,id=usb1.1,multifunction=on,masterbus=usb1.0,addr=1d.2,firstport=2,bus=pcie.0 \
 -device ich9-usb-uhci3,id=usb1.2,multifunction=on,masterbus=usb1.0,addr=1d.4,firstport=4,bus=pcie.0 \
 -device usb-tablet,id=usb-tablet1 \
 -enable-kvm \
 -monitor stdio \
 -spice port=5900,disable-ticketing \
 -qmp tcp:0:9999,server,nowait \
 -netdev tap,id=netdev0,vhost=on,script=/etc/qemu-ifup,downscript=/etc/ifdown_script \
 -device virtio-net-pci,mac=BA:BC:13:83:4F:BD,id=net0,netdev=netdev0,status=on,bus=pcie.0,bootindex=2 \
 -device ioh3420,bus=pcie.0,id=root.0,slot=0 \
 -device x3130-upstream,bus=root.0,id=upstream0 \
 -device xio3130-downstream,bus=upstream0,id=downstream0,chassis=1 \
 -device xio3130-downstream,bus=upstream0,id=downstream1,chassis=2 \
 -device xio3130-downstream,bus=upstream0,id=downstream2,chassis=3 \
 -device virtio-scsi-pci,bus=downstream0,id=scsi_pci_bus0,disable-legacy=on,disable-modern=off \
 -drive file=/home/seabios-q35-sysdisk.qcow2,format=qcow2,id=drive_sysdisk,if=none,cache=none,aio=native,werror=stop,rerror=stop \
 -device scsi-disk,drive=drive_sysdisk,bus=scsi_pci_bus0.0,id=device_sysdisk,bootindex=0 \
 -device virtio-scsi-pci,bus=downstream1,id=scsi_pci_bus1,disable-legacy=on,disable-modern=off \
 -drive file=/home/datadisk2G.qcow2,format=qcow2,id=drive_datadisk2G,if=none,cache=none,aio=native,werror=stop,rerror=stop \
 -device scsi-hd,drive=drive_datadisk2G,bus=scsi_pci_bus1.0,id=device_datadisk2G \

2. Boot the guest on the destination host with the -incoming option:
/usr/libexec/qemu-kvm \
 -S \
 -name 'rhel7.3' \
 -machine q35,accel=kvm,vmport=off \
 -m 4096 \
 -smp 4,maxcpus=4,sockets=1,cores=2,threads=2 \
 -cpu SandyBridge,enforce \
 -rtc base=localtime,clock=host,driftfix=slew \
 -nodefaults \
 -vga qxl \
 -device AC97,bus=pcie.0 \
 -chardev socket,id=qmp_id_qmpmonitor1,path=/tmp/monitor-qmpmonitor1-20151214-111528-C6FB1EaX,server,nowait \
 -mon chardev=qmp_id_qmpmonitor1,mode=control \
 -chardev socket,id=qmp_id_catch_monitor,path=/tmp/monitor-catch_monitor-20151214-111528-C6FB1EaX,server,nowait \
 -mon chardev=qmp_id_catch_monitor,mode=control \
 -device pvpanic,ioport=0x505,id=idSWJ5gV \
 -chardev socket,id=serial_id_serial0,path=/tmp/serial-serial0-20151214-111528-C6FB1EaX,server,nowait \
 -device isa-serial,chardev=serial_id_serial0 \
 -chardev socket,id=seabioslog_log,path=/tmp/seabios-log,server,nowait \
 -device isa-debugcon,chardev=seabioslog_log,iobase=0x402 \
 -device ich9-usb-ehci1,id=usb1,addr=1d.7,multifunction=on,bus=pcie.0 \
 -device ich9-usb-uhci1,id=usb1.0,multifunction=on,masterbus=usb1.0,addr=1d.0,firstport=0,bus=pcie.0 \
 -device ich9-usb-uhci2,id=usb1.1,multifunction=on,masterbus=usb1.0,addr=1d.2,firstport=2,bus=pcie.0 \
 -device ich9-usb-uhci3,id=usb1.2,multifunction=on,masterbus=usb1.0,addr=1d.4,firstport=4,bus=pcie.0 \
 -device usb-tablet,id=usb-tablet1 \
 -enable-kvm \
 -monitor stdio \
 -spice port=5800,disable-ticketing \
 -qmp tcp:0:8888,server,nowait \
 -netdev tap,id=netdev0,vhost=on,script=/etc/qemu-ifup,downscript=/etc/ifdown_script \
 -device virtio-net-pci,mac=BA:BC:13:83:4F:BD,id=net0,netdev=netdev0,status=on,bus=pcie.0,bootindex=2 \
 -device ioh3420,bus=pcie.0,id=root.0,slot=0 \
 -device x3130-upstream,bus=root.0,id=upstream0 \
 -device xio3130-downstream,bus=upstream0,id=downstream0,chassis=1 \
 -device xio3130-downstream,bus=upstream0,id=downstream1,chassis=2 \
 -device xio3130-downstream,bus=upstream0,id=downstream2,chassis=3 \
 -device virtio-scsi-pci,bus=downstream0,id=scsi_pci_bus0,disable-legacy=on,disable-modern=off \
 -drive file=/home/seabios-q35-sysdisk.qcow2,format=qcow2,id=drive_sysdisk,if=none,cache=none,aio=native,werror=stop,rerror=stop \
 -device scsi-disk,drive=drive_sysdisk,bus=scsi_pci_bus0.0,id=device_sysdisk,bootindex=0 \
 -device virtio-scsi-pci,bus=downstream1,id=scsi_pci_bus1,disable-legacy=on,disable-modern=off \
 -drive file=/home/datadisk2G.qcow2,format=qcow2,id=drive_datadisk2G,if=none,cache=none,aio=native,werror=stop,rerror=stop \
 -device scsi-hd,drive=drive_datadisk2G,bus=scsi_pci_bus1.0,id=device_datadisk2G \
 -incoming tcp:0:1234

3. Migrate to the destination:
{"execute": "migrate","arguments":{"uri": "tcp:0:1234"}}

4. When migration has completed, run 'quit' in the source HMP.

Actual results:
Core dump.
(qemu) q
red_channel_client_disconnect_dummy: rcc=0x7f0e713b9000 (channel=0x7f0e716cc260 type=5 id=0)
qemu: qemu_mutex_lock: Invalid argument
0boot.sh: line 43:  2810 Aborted                 (core dumped)

Expected results:
It should quit successfully.

Additional info:
(gdb) bt
#0  0x00007f0e63b645f7 in raise () from /lib64/libc.so.6
#1  0x00007f0e63b65ce8 in abort () from /lib64/libc.so.6
#2  0x00007f0e6be9f063 in error_exit (err=<optimized out>, 
    msg=msg@entry=0x7f0e6c228f60 <__func__.14263> "qemu_mutex_lock") at util/qemu-thread-posix.c:39
#3  0x00007f0e6c16c9c0 in qemu_mutex_lock (mutex=mutex@entry=0x7f0e6eca4400) at util/qemu-thread-posix.c:66
#4  0x00007f0e6bfa58d4 in qemu_chr_fe_write (s=0x7f0e6eca4400, 
    buf=buf@entry=0x7f0e70707000 "{\"timestamp\": {\"seconds\": 1468316858, \"microseconds\": 365538}, \"event\": \"SPICE_DISCONNECTED\", \"data\": {\"server\": {\"port\": \"5900\", \"family\": \"ipv4\", \"host\": \"10.66.9.49\"}, \"client\": {\"port\": \"36834\", \""..., len=243) at qemu-char.c:282
#5  0x00007f0e6bed492d in monitor_flush_locked (mon=mon@entry=0x7f0e6ebe2220)
    at /usr/src/debug/qemu-2.6.0/monitor.c:311
#6  0x00007f0e6bed4aba in monitor_flush_locked (mon=0x7f0e6ebe2220) at /usr/src/debug/qemu-2.6.0/monitor.c:303
#7  monitor_puts (mon=mon@entry=0x7f0e6ebe2220, str=0x7f0e6ec96eb2 "")
    at /usr/src/debug/qemu-2.6.0/monitor.c:353
#8  0x00007f0e6bed4aff in monitor_json_emitter (mon=0x7f0e6ebe2220, data=<optimized out>)
    at /usr/src/debug/qemu-2.6.0/monitor.c:401
#9  0x00007f0e6bed4bb6 in monitor_qapi_event_emit (event=event@entry=QAPI_EVENT_SPICE_DISCONNECTED, 
    qdict=qdict@entry=0x7f0e6ed14400) at /usr/src/debug/qemu-2.6.0/monitor.c:472
#10 0x00007f0e6bed4dfa in monitor_qapi_event_queue (event=QAPI_EVENT_SPICE_DISCONNECTED, qdict=0x7f0e6ed14400, 
    errp=<optimized out>) at /usr/src/debug/qemu-2.6.0/monitor.c:497
#11 0x00007f0e6c161528 in qapi_event_send_spice_disconnected (server=server@entry=0x7f0e705da040, 
    client=client@entry=0x7f0e706cef40, errp=0x7f0e6cafde38 <error_abort>) at qapi-event.c:972
#12 0x00007f0e6c0b4e91 in channel_event (event=3, info=0x7f0e70a2ec80) at ui/spice-core.c:248
#13 0x00007f0e66971ef3 in reds_handle_channel_event () from /lib64/libspice-server.so.1
#14 0x00007f0e6694dfaa in main_dispatcher_channel_event () from /lib64/libspice-server.so.1
#15 0x00007f0e6697885e in reds_stream_free () from /lib64/libspice-server.so.1
#16 0x00007f0e66982413 in snd_disconnect_channel () from /lib64/libspice-server.so.1
#17 0x00007f0e66982b5e in snd_detach_common () from /lib64/libspice-server.so.1
#18 0x00007f0e66984fed in snd_detach_playback () from /lib64/libspice-server.so.1
#19 0x00007f0e669755c8 in spice_server_remove_interface () from /lib64/libspice-server.so.1
#20 0x00007f0e6bfbd2cd in audio_atexit () at audio/audio.c:1760
#21 0x00007f0e63b67e69 in __run_exit_handlers () from /lib64/libc.so.6
#22 0x00007f0e63b67eb5 in exit () from /lib64/libc.so.6
#23 0x00007f0e63b50b1c in __libc_start_main () from /lib64/libc.so.6
#24 0x00007f0e6bea5bed in _start ()



(gdb) bt full
#0  0x00007f0e63b645f7 in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007f0e63b65ce8 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007f0e6be9f063 in error_exit (err=<optimized out>, 
    msg=msg@entry=0x7f0e6c228f60 <__func__.14263> "qemu_mutex_lock") at util/qemu-thread-posix.c:39
No locals.
#3  0x00007f0e6c16c9c0 in qemu_mutex_lock (mutex=mutex@entry=0x7f0e6eca4400) at util/qemu-thread-posix.c:66
        err = <optimized out>
        __func__ = "qemu_mutex_lock"
#4  0x00007f0e6bfa58d4 in qemu_chr_fe_write (s=0x7f0e6eca4400, 
    buf=buf@entry=0x7f0e70707000 "{\"timestamp\": {\"seconds\": 1468316858, \"microseconds\": 365538}, \"event\": \"SPICE_DISCONNECTED\", \"data\": {\"server\": {\"port\": \"5900\", \"family\": \"ipv4\", \"host\": \"10.66.9.49\"}, \"client\": {\"port\": \"36834\", \""..., len=243) at qemu-char.c:282
        ret = 255
        __PRETTY_FUNCTION__ = "qemu_chr_fe_write"
#5  0x00007f0e6bed492d in monitor_flush_locked (mon=mon@entry=0x7f0e6ebe2220)
    at /usr/src/debug/qemu-2.6.0/monitor.c:311
        rc = <optimized out>
        len = 243
        buf = 0x7f0e70707000 "{\"timestamp\": {\"seconds\": 1468316858, \"microseconds\": 365538}, \"event\": \"SPICE_DISCONNECTED\", \"data\": {\"server\": {\"port\": \"5900\", \"family\": \"ipv4\", \"host\": \"10.66.9.49\"}, \"client\": {\"port\": \"36834\", \""...
#6  0x00007f0e6bed4aba in monitor_flush_locked (mon=0x7f0e6ebe2220) at /usr/src/debug/qemu-2.6.0/monitor.c:303
No locals.
#7  monitor_puts (mon=mon@entry=0x7f0e6ebe2220, str=0x7f0e6ec96eb2 "")
    at /usr/src/debug/qemu-2.6.0/monitor.c:353
        c = <optimized out>
#8  0x00007f0e6bed4aff in monitor_json_emitter (mon=0x7f0e6ebe2220, data=<optimized out>)
    at /usr/src/debug/qemu-2.6.0/monitor.c:401
        json = 0x7f0e709f21c0
#9  0x00007f0e6bed4bb6 in monitor_qapi_event_emit (event=event@entry=QAPI_EVENT_SPICE_DISCONNECTED, 
    qdict=qdict@entry=0x7f0e6ed14400) at /usr/src/debug/qemu-2.6.0/monitor.c:472
        mon = 0x7f0e6ebe2220
#10 0x00007f0e6bed4dfa in monitor_qapi_event_queue (event=QAPI_EVENT_SPICE_DISCONNECTED, qdict=0x7f0e6ed14400, 
    errp=<optimized out>) at /usr/src/debug/qemu-2.6.0/monitor.c:497
        evconf = 0x7f0e6c62b6a8 <monitor_qapi_event_conf+200>
        evstate = <optimized out>
        __PRETTY_FUNCTION__ = "monitor_qapi_event_queue"
#11 0x00007f0e6c161528 in qapi_event_send_spice_disconnected (server=server@entry=0x7f0e705da040, 
    client=client@entry=0x7f0e706cef40, errp=0x7f0e6cafde38 <error_abort>) at qapi-event.c:972
        qmp = 0x7f0e6ed14400
        err = 0x0
        emit = 0x7f0e6bed4cd0 <monitor_qapi_event_queue>
        qov = 0x7f0e6ec8b360
        v = 0x7f0e6ec8b360
        param = {server = 0x7f0e705da040, client = 0x7f0e706cef40}
#12 0x00007f0e6c0b4e91 in channel_event (event=3, info=0x7f0e70a2ec80) at ui/spice-core.c:248
        server = 0x7f0e705da040
        client = 0x7f0e706cef40
        need_lock = false
        __func__ = "channel_event"
#13 0x00007f0e66971ef3 in reds_handle_channel_event () from /lib64/libspice-server.so.1
No symbol table info available.
#14 0x00007f0e6694dfaa in main_dispatcher_channel_event () from /lib64/libspice-server.so.1
No symbol table info available.
#15 0x00007f0e6697885e in reds_stream_free () from /lib64/libspice-server.so.1
No symbol table info available.
#16 0x00007f0e66982413 in snd_disconnect_channel () from /lib64/libspice-server.so.1
No symbol table info available.
#17 0x00007f0e66982b5e in snd_detach_common () from /lib64/libspice-server.so.1
No symbol table info available.
#18 0x00007f0e66984fed in snd_detach_playback () from /lib64/libspice-server.so.1
No symbol table info available.
#19 0x00007f0e669755c8 in spice_server_remove_interface () from /lib64/libspice-server.so.1
No symbol table info available.
#20 0x00007f0e6bfbd2cd in audio_atexit () at audio/audio.c:1760
        sc = <optimized out>
        s = 0x7f0e6c6e7e60 <glob_audio_state>
        hwo = 0x7f0e6ec82750
        hwi = 0x0
#21 0x00007f0e63b67e69 in __run_exit_handlers () from /lib64/libc.so.6
No symbol table info available.
#22 0x00007f0e63b67eb5 in exit () from /lib64/libc.so.6
No symbol table info available.
#23 0x00007f0e63b50b1c in __libc_start_main () from /lib64/libc.so.6
No symbol table info available.
#24 0x00007f0e6bea5bed in _start ()
No symbol table info available.

Comment 3 Dr. David Alan Gilbert 2016-07-29 09:10:28 UTC
I've had this one without migration at all - just at the end of an install;
I was chatting to armbru the other day about it.

(gdb) where
#0  0x00007ff7dad931d7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ff7dad948c8 in __GI_abort () at abort.c:90
#2  0x00007ff7e30c9a43 in error_exit (err=<optimized out>, msg=msg@entry=0x7ff7e3456280 <__func__.14263> "qemu_mutex_lock") at util/qemu-thread-posix.c:39
#3  0x00007ff7e3399230 in qemu_mutex_lock (mutex=mutex@entry=0x7ff7e5a31d40) at util/qemu-thread-posix.c:66
64          err = pthread_mutex_lock(&mutex->lock);
65          if (err)
66              error_exit(err, __func__);

#4  0x00007ff7e31d1634 in qemu_chr_fe_write (s=0x7ff7e5a31d40, 
    buf=buf@entry=0x7ff7e8361700 "{\"timestamp\": {\"seconds\": 1469695921, \"microseconds\": 106087}, \"event\": \"SPICE_DISCONNECTED\", \"data\": {\"server\": {\"port\": \"5900\", \"family\": \"ipv4\", \"host\": \"127.0.0.1\"}, \"client\": {\"port\": \"52658\", \"f"..., len=240) at qemu-char.c:282
#5  0x00007ff7e30ff58d in monitor_flush_locked (mon=mon@entry=0x7ff7e5a19f80) at /usr/src/debug/qemu-2.6.0/monitor.c:311
#6  0x00007ff7e30ff71a in monitor_flush_locked (mon=0x7ff7e5a19f80) at /usr/src/debug/qemu-2.6.0/monitor.c:303
#7  monitor_puts (mon=mon@entry=0x7ff7e5a19f80, str=0x7ff7e5a24a8f "") at /usr/src/debug/qemu-2.6.0/monitor.c:353
#8  0x00007ff7e30ff75f in monitor_json_emitter (mon=0x7ff7e5a19f80, data=<optimized out>) at /usr/src/debug/qemu-2.6.0/monitor.c:401
#9  0x00007ff7e30ff816 in monitor_qapi_event_emit (event=event@entry=QAPI_EVENT_SPICE_DISCONNECTED, qdict=qdict@entry=0x7ff7e7cfa800) at /usr/src/debug/qemu-2.6.0/monitor.c:472
#10 0x00007ff7e30ffa5a in monitor_qapi_event_queue (event=QAPI_EVENT_SPICE_DISCONNECTED, qdict=0x7ff7e7cfa800, errp=<optimized out>) at /usr/src/debug/qemu-2.6.0/monitor.c:497
#11 0x00007ff7e338ddb8 in qapi_event_send_spice_disconnected (server=server@entry=0x7ff7e85d2840, client=client@entry=0x7ff7e6c30040, errp=0x7ff7e3d2c5b8 <error_abort>) at qapi-event.c:972
#12 0x00007ff7e32e1281 in channel_event (event=3, info=0x7ff7e7d2e500) at ui/spice-core.c:248
#13 0x00007ff7ddb79ef3 in reds_handle_channel_event () from /lib64/libspice-server.so.1
#14 0x00007ff7ddb55faa in main_dispatcher_channel_event () from /lib64/libspice-server.so.1
#15 0x00007ff7ddb8085e in reds_stream_free () from /lib64/libspice-server.so.1
#16 0x00007ff7ddb507e1 in red_channel_client_disconnect () from /lib64/libspice-server.so.1
#17 0x00007ff7ddb50adc in red_channel_client_destroy () from /lib64/libspice-server.so.1
#18 0x00007ff7ddb50cc1 in red_channel_destroy () from /lib64/libspice-server.so.1
#19 0x00007ff7ddb7d511 in spice_server_remove_interface () from /lib64/libspice-server.so.1
#20 0x00007ff7e31d594d in vmc_unregister_interface (scd=scd@entry=0x7ff7e597edc0) at spice-qemu-char.c:134
#21 0x00007ff7e31d59b0 in vmc_unregister_interface (scd=0x7ff7e597edc0) at spice-qemu-char.c:213
#22 spice_chr_close (chr=<optimized out>) at spice-qemu-char.c:206
#23 0x00007ff7e31d3f02 in qemu_chr_free (chr=0x7ff7e5a321c0) at qemu-char.c:4037
#24 0x00007ff7e31d4c4f in qemu_chr_cleanup () at qemu-char.c:4574
#25 0x00007ff7e30ce076 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4676

Comment 4 Markus Armbruster 2016-07-29 09:14:07 UTC
Analysis of a similar (the same?) spice-related bug:
https://lists.gnu.org/archive/html/qemu-devel/2016-07/msg06283.html

Comment 5 Marc-Andre Lureau 2016-08-01 08:24:50 UTC
I am not able to reproduce with my version of 10:qemu-kvm-rhev-2.6.0-13.el7.x86_64 (perhaps it was a locally modified version, and it's no longer available in the rpm repo).

Can you reproduce with qemu-kvm-rhev-2.6.0-15.el7?

Comment 6 Marc-Andre Lureau 2016-08-01 08:29:54 UTC
OK, I managed to reproduce it (I realized you need a qmp monitor connected).

Comment 7 Marc-Andre Lureau 2016-08-01 08:37:53 UTC
and you need a connected spice client

Comment 8 Marc-Andre Lureau 2016-08-01 12:14:41 UTC
fix for upstream:
http://patchew.org/QEMU/20160801112343.29082-1-marcandre.lureau%40redhat.com/

Comment 9 Marc-Andre Lureau 2016-08-02 06:59:29 UTC
A simpler reproducer: run a VM with spice+audio, connect a spice client, and shut down the VM. The VM will abort when leaving qemu.

This is reproducible with 7.2z (qemu-kvm-rhev-2.3.0-31.el7_2.18, with a different behaviour, it seems to deadlock), and 7.3. I'll duplicate the bug.
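The teardown ordering the backtraces show, as an added example that is not qemu's or spice-server's code: a constructed model (hypothetical names) in which main() frees the monitor's chardev before the audio atexit handler emits its SPICE_DISCONNECTED event, beside the order in which audio is torn down first. The mutex stand-in marks itself invalid on destroy so a later lock fails with EINVAL, the "Invalid argument" in the reports.

```c
/* Constructed model of the teardown ordering behind this bug (added
 * example; hypothetical names, not qemu's or spice-server's code). */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for QemuMutex: destroy() marks it invalid so a later lock()
 * fails with EINVAL, the "Invalid argument" seen in the reports. */
struct qmutex { int kind; int held; };

static void qmutex_init(struct qmutex *m)    { m->kind = 0; m->held = 0; }
static void qmutex_destroy(struct qmutex *m) { m->kind = -1; }
static int  qmutex_lock(struct qmutex *m)
{
    if (m->kind < 0) return EINVAL;   /* qemu_mutex_lock() -> error_exit() */
    m->held = 1;
    return 0;
}
static void qmutex_unlock(struct qmutex *m) { m->held = 0; }

struct chardev { struct qmutex lock; int writes; };  /* monitor's chardev */
struct audio   { bool attached; };                  /* SPICE playback iface */
struct vm      { struct chardev mon_chr; struct audio audio; int aborts; };

/* Model of qemu_chr_fe_write(): lock the chardev, then write. A failed
 * lock is what error_exit() turns into abort(); we count it instead. */
static int chr_fe_write(struct vm *vm, const char *json)
{
    (void)json;
    if (qmutex_lock(&vm->mon_chr.lock) != 0) {
        vm->aborts++;          /* "qemu: qemu_mutex_lock: Invalid argument" */
        return -1;
    }
    vm->mon_chr.writes++;
    qmutex_unlock(&vm->mon_chr.lock);
    return 0;
}

/* Model of qemu_chr_cleanup(): the monitor's chardev is destroyed. */
static void chr_cleanup(struct vm *vm) { qmutex_destroy(&vm->mon_chr.lock); }

/* Model of audio_atexit() -> spice_server_remove_interface(): detaching
 * playback makes spice-server drop the audio channel, and QEMU's
 * channel_event() reports that as a SPICE_DISCONNECTED QMP event. */
static int audio_cleanup(struct vm *vm)
{
    if (!vm->audio.attached) return 0;
    vm->audio.attached = false;
    return chr_fe_write(vm, "{\"event\": \"SPICE_DISCONNECTED\"}");
}

struct shutdown_result { int aborts; int events; };

/* Buggy order: main() frees chardevs, then exit() runs the audio atexit
 * handler (frames #20-#22 of the backtrace). Fixed order: audio is torn
 * down explicitly while the monitor's chardev still exists. */
static struct shutdown_result run_shutdown(bool fixed_order)
{
    struct vm vm = { .audio = { .attached = true } };
    qmutex_init(&vm.mon_chr.lock);
    if (fixed_order) {
        audio_cleanup(&vm);
        chr_cleanup(&vm);
    } else {
        chr_cleanup(&vm);
        audio_cleanup(&vm);
    }
    return (struct shutdown_result){ vm.aborts, vm.mon_chr.writes };
}

int main(void)
{
    struct shutdown_result bad = run_shutdown(false), good = run_shutdown(true);
    printf("buggy order: %d abort(s), %d event(s)\n", bad.aborts, bad.events);
    printf("fixed order: %d abort(s), %d event(s)\n", good.aborts, good.events);
    return 0;
}
```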

Comment 11 Ademar Reis 2016-08-03 21:25:07 UTC
*** Bug 1362405 has been marked as a duplicate of this bug. ***

Comment 12 Marc-Andre Lureau 2016-08-09 10:00:32 UTC
can we get acks for 7.3?

Comment 13 Marc-Andre Lureau 2016-08-10 20:14:33 UTC
backport for 7.3 on rhvirt-patches list

Comment 14 Miroslav Rezanina 2016-08-16 11:23:11 UTC
Fix included in qemu-kvm-rhev-2.6.0-21.el7

Comment 16 Guo, Zhiyi 2016-08-25 06:50:48 UTC
Following comments 6, 7 and 9, I reproduced the issue against qemu-kvm-rhev-2.6.0-20.el7.x86_64 with the steps below:

qemu cli:
/usr/libexec/qemu-kvm -name rhel7.3 -m 2048 \
        -cpu Haswell-noTSX \
        -smp 1,threads=2,cores=1,sockets=3,maxcpus=6 \
        -vga qxl \
        -spice port=3001,disable-ticketing \
        -device virtio-serial -chardev spicevmc,id=vdagent,debug=0,name=vdagent \
        -serial unix:/tmp/m,server,nowait \
        -device virtserialport,chardev=vdagent,name=com.redhat.spice.0 \
        -drive file=/home/rhel73.qcow2,if=none,id=drive-scsi-disk0,format=qcow2,cache=none,werror=stop,rerror=stop -device virtio-scsi-pci,id=scsi0,disable-modern=off,disable-legacy=off -device scsi-hd,drive=drive-scsi-disk0,bus=scsi0.0,scsi-id=0,lun=0,id=scsi-disk0,bootindex=1 \
        -monitor stdio \
        -usb -device usb-kbd,id=input0 \
        -netdev tap,id=idinWyYp,vhost=on -device virtio-net-pci,mac=42:ce:a9:d2:4d:d7,id=idlbq7eA,netdev=idinWyYp \
        -qmp tcp:localhost:4444,server,nowait \
        -device intel-hda,id=sound0 -device hda-duplex,id=sound0-codec0

steps:
1. Boot the rhel7.3 guest with the above qemu cli.
2. Connect to qmp with: telnet localhost 4444
3. Connect a spice client with: remote-viewer spice://host_ip:3001
4. Issue the qmp commands: { "execute": "qmp_capabilities" }, { "execute": "quit" }

Results:
qemu core dumps with the trace:
#0  0x00007f78342521d7 in raise () from /lib64/libc.so.6
#1  0x00007f78342538c8 in abort () from /lib64/libc.so.6
#2  0x00007f783ff30771 in error_exit (err=<optimized out>, 
    msg=msg@entry=0x7f78402d1540 <__func__.14266> "qemu_mutex_lock")
    at util/qemu-thread-posix.c:39
#3  0x00007f78401f8430 in qemu_mutex_lock (mutex=mutex@entry=0x7f7841c85e60)
    at util/qemu-thread-posix.c:66
#4  0x00007f7840037b54 in qemu_chr_fe_write (s=0x7f7841c85e60, 
    buf=buf@entry=0x7f7842f73a00 "{\"timestamp\": {\"seconds\": 1472106852, \"microseconds\": 358781}, \"event\": \"SPICE_DISCONNECTED\", \"data\": {\"server\": {\"port\": \"3001\", \"family\": \"ipv4\", \"host\": \"10.66.9.154\"}, \"client\": {\"port\": \"35386\", "..., len=244) at qemu-char.c:282
#5  0x00007f783ff6612d in monitor_flush_locked (mon=mon@entry=0x7f7841bd7ea0)
    at /usr/src/debug/qemu-2.6.0/monitor.c:311
#6  0x00007f783ff662ba in monitor_flush_locked (mon=0x7f7841bd7ea0)
    at /usr/src/debug/qemu-2.6.0/monitor.c:303
#7  monitor_puts (mon=mon@entry=0x7f7841bd7ea0, str=0x7f7841c79433 "")
    at /usr/src/debug/qemu-2.6.0/monitor.c:353
#8  0x00007f783ff662ff in monitor_json_emitter (mon=0x7f7841bd7ea0, 
    data=<optimized out>) at /usr/src/debug/qemu-2.6.0/monitor.c:401
#9  0x00007f783ff663b6 in monitor_qapi_event_emit (
    event=event@entry=QAPI_EVENT_SPICE_DISCONNECTED, 
    qdict=qdict@entry=0x7f7842a39600)
    at /usr/src/debug/qemu-2.6.0/monitor.c:472
#10 0x00007f783ff665fa in monitor_qapi_event_queue (
    event=QAPI_EVENT_SPICE_DISCONNECTED, qdict=0x7f7842a39600, 
    errp=<optimized out>) at /usr/src/debug/qemu-2.6.0/monitor.c:497
#11 0x00007f78401ecf88 in qapi_event_send_spice_disconnected (
    server=server@entry=0x7f7841c9fbe0, client=client@entry=0x7f7844a1f440, 
    errp=0x7f7840bfdaf8 <error_abort>) at qapi-event.c:972
#12 0x00007f784013f681 in channel_event (event=3, info=0x7f784428b040)
    at ui/spice-core.c:248
#13 0x00007f7837046113 in reds_handle_channel_event ()
   from /lib64/libspice-server.so.1
#14 0x00007f783702216a in main_dispatcher_channel_event ()
   from /lib64/libspice-server.so.1
#15 0x00007f783704ca7e in reds_stream_free () from /lib64/libspice-server.so.1
#16 0x00007f7837056633 in snd_disconnect_channel ()
   from /lib64/libspice-server.so.1
#17 0x00007f7837056d7e in snd_detach_common () from /lib64/libspice-server.so.1
#18 0x00007f783705920d in snd_detach_playback ()
   from /lib64/libspice-server.so.1
#19 0x00007f78370497e8 in spice_server_remove_interface ()
   from /lib64/libspice-server.so.1
#20 0x00007f784004f89d in audio_atexit () at audio/audio.c:1760
#21 0x00007f7834255a49 in __run_exit_handlers () from /lib64/libc.so.6
#22 0x00007f7834255a95 in exit () from /lib64/libc.so.6
#23 0x00007f783423eb3c in __libc_start_main () from /lib64/libc.so.6
#24 0x00007f783ff3721d in _start ()

Verified against qemu-kvm-rhev-2.6.0-21.el7.x86_64.
Following the same steps, no core dump happens after step 4.

Comment 17 Guo, Zhiyi 2016-08-25 07:02:14 UTC
Move to verified per comment 16

Comment 20 errata-xmlrpc 2016-11-07 21:23:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2673.html