Bug 1355704 - spice: core dump when 'quit'
Summary: spice: core dump when 'quit'
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.3
Hardware: x86_64
OS: Linux
Priority: high
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Marc-Andre Lureau
QA Contact: Guo, Zhiyi
URL:
Whiteboard:
Duplicates: 1362405
Depends On:
Blocks: 1362405 1372192
Reported: 2016-07-12 09:55 UTC by yduan
Modified: 2017-02-09 15:56 UTC (History)

Fixed In Version: qemu-kvm-rhev-2.6.0-21.el7
Doc Type: Bug Fix
Doc Text:
Previously, attempting to shut down a guest virtual machine that was using SPICE audio caused the guest to enter a deadlock state. This update improves the ordering of clean-up actions when exiting a guest, and guests using SPICE audio now shut down correctly.
Clone Of:
: 1362405 1372192 (view as bug list)
Environment:
Last Closed: 2016-11-07 21:23:22 UTC
Target Upstream Version:
Embargoed:




Links
System: Red Hat Product Errata
ID: RHBA-2016:2673
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: qemu-kvm-rhev bug fix and enhancement update
Last Updated: 2016-11-08 01:06:13 UTC

Description yduan 2016-07-12 09:55:50 UTC
Description of problem:
After migration finished, quit source emulator from HMP and core dumped.

Version-Release number of selected component (if applicable):
Host:
  kernel: 3.10.0-458.el7.x86_64
  qemu-kvm-rhev-2.6.0-13.el7.x86_64
Guest:
  kernel: 3.10.0-460.el7.x86_64

How reproducible:
2/2

Steps to Reproduce:
1. Start VM with the following command:
/usr/libexec/qemu-kvm \
 -S \
 -name 'rhel7.3' \
 -machine q35,accel=kvm,vmport=off \
 -m 4096 \
 -smp 4,maxcpus=4,sockets=1,cores=2,threads=2 \
 -cpu SandyBridge,enforce \
 -rtc base=localtime,clock=host,driftfix=slew \
 -nodefaults \
 -vga qxl \
 -device AC97,bus=pcie.0 \
 -chardev socket,id=qmp_id_qmpmonitor1,path=/tmp/monitor-qmpmonitor1-20151214-111528-C6FB1EaX,server,nowait \
 -mon chardev=qmp_id_qmpmonitor1,mode=control \
 -chardev socket,id=qmp_id_catch_monitor,path=/tmp/monitor-catch_monitor-20151214-111528-C6FB1EaX,server,nowait \
 -mon chardev=qmp_id_catch_monitor,mode=control \
 -device pvpanic,ioport=0x505,id=idSWJ5gV \
 -chardev socket,id=serial_id_serial0,path=/tmp/serial-serial0-20151214-111528-C6FB1EaX,server,nowait \
 -device isa-serial,chardev=serial_id_serial0 \
 -chardev socket,id=seabioslog_log,path=/tmp/seabios-log,server,nowait \
 -device isa-debugcon,chardev=seabioslog_log,iobase=0x402 \
 -device ich9-usb-ehci1,id=usb1,addr=1d.7,multifunction=on,bus=pcie.0 \
 -device ich9-usb-uhci1,id=usb1.0,multifunction=on,masterbus=usb1.0,addr=1d.0,firstport=0,bus=pcie.0 \
 -device ich9-usb-uhci2,id=usb1.1,multifunction=on,masterbus=usb1.0,addr=1d.2,firstport=2,bus=pcie.0 \
 -device ich9-usb-uhci3,id=usb1.2,multifunction=on,masterbus=usb1.0,addr=1d.4,firstport=4,bus=pcie.0 \
 -device usb-tablet,id=usb-tablet1 \
 -enable-kvm \
 -monitor stdio \
 -spice port=5900,disable-ticketing \
 -qmp tcp:0:9999,server,nowait \
 -netdev tap,id=netdev0,vhost=on,script=/etc/qemu-ifup,downscript=/etc/ifdown_script \
 -device virtio-net-pci,mac=BA:BC:13:83:4F:BD,id=net0,netdev=netdev0,status=on,bus=pcie.0,bootindex=2 \
 -device ioh3420,bus=pcie.0,id=root.0,slot=0 \
 -device x3130-upstream,bus=root.0,id=upstream0 \
 -device xio3130-downstream,bus=upstream0,id=downstream0,chassis=1 \
 -device xio3130-downstream,bus=upstream0,id=downstream1,chassis=2 \
 -device xio3130-downstream,bus=upstream0,id=downstream2,chassis=3 \
 -device virtio-scsi-pci,bus=downstream0,id=scsi_pci_bus0,disable-legacy=on,disable-modern=off \
 -drive file=/home/seabios-q35-sysdisk.qcow2,format=qcow2,id=drive_sysdisk,if=none,cache=none,aio=native,werror=stop,rerror=stop \
 -device scsi-disk,drive=drive_sysdisk,bus=scsi_pci_bus0.0,id=device_sysdisk,bootindex=0 \
 -device virtio-scsi-pci,bus=downstream1,id=scsi_pci_bus1,disable-legacy=on,disable-modern=off \
 -drive file=/home/datadisk2G.qcow2,format=qcow2,id=drive_datadisk2G,if=none,cache=none,aio=native,werror=stop,rerror=stop \
 -device scsi-hd,drive=drive_datadisk2G,bus=scsi_pci_bus1.0,id=device_datadisk2G

2. Boot the guest on the destination host with the incoming option.
/usr/libexec/qemu-kvm \
 -S \
 -name 'rhel7.3' \
 -machine q35,accel=kvm,vmport=off \
 -m 4096 \
 -smp 4,maxcpus=4,sockets=1,cores=2,threads=2 \
 -cpu SandyBridge,enforce \
 -rtc base=localtime,clock=host,driftfix=slew \
 -nodefaults \
 -vga qxl \
 -device AC97,bus=pcie.0 \
 -chardev socket,id=qmp_id_qmpmonitor1,path=/tmp/monitor-qmpmonitor1-20151214-111528-C6FB1EaX,server,nowait \
 -mon chardev=qmp_id_qmpmonitor1,mode=control \
 -chardev socket,id=qmp_id_catch_monitor,path=/tmp/monitor-catch_monitor-20151214-111528-C6FB1EaX,server,nowait \
 -mon chardev=qmp_id_catch_monitor,mode=control \
 -device pvpanic,ioport=0x505,id=idSWJ5gV \
 -chardev socket,id=serial_id_serial0,path=/tmp/serial-serial0-20151214-111528-C6FB1EaX,server,nowait \
 -device isa-serial,chardev=serial_id_serial0 \
 -chardev socket,id=seabioslog_log,path=/tmp/seabios-log,server,nowait \
 -device isa-debugcon,chardev=seabioslog_log,iobase=0x402 \
 -device ich9-usb-ehci1,id=usb1,addr=1d.7,multifunction=on,bus=pcie.0 \
 -device ich9-usb-uhci1,id=usb1.0,multifunction=on,masterbus=usb1.0,addr=1d.0,firstport=0,bus=pcie.0 \
 -device ich9-usb-uhci2,id=usb1.1,multifunction=on,masterbus=usb1.0,addr=1d.2,firstport=2,bus=pcie.0 \
 -device ich9-usb-uhci3,id=usb1.2,multifunction=on,masterbus=usb1.0,addr=1d.4,firstport=4,bus=pcie.0 \
 -device usb-tablet,id=usb-tablet1 \
 -enable-kvm \
 -monitor stdio \
 -spice port=5800,disable-ticketing \
 -qmp tcp:0:8888,server,nowait \
 -netdev tap,id=netdev0,vhost=on,script=/etc/qemu-ifup,downscript=/etc/ifdown_script \
 -device virtio-net-pci,mac=BA:BC:13:83:4F:BD,id=net0,netdev=netdev0,status=on,bus=pcie.0,bootindex=2 \
 -device ioh3420,bus=pcie.0,id=root.0,slot=0 \
 -device x3130-upstream,bus=root.0,id=upstream0 \
 -device xio3130-downstream,bus=upstream0,id=downstream0,chassis=1 \
 -device xio3130-downstream,bus=upstream0,id=downstream1,chassis=2 \
 -device xio3130-downstream,bus=upstream0,id=downstream2,chassis=3 \
 -device virtio-scsi-pci,bus=downstream0,id=scsi_pci_bus0,disable-legacy=on,disable-modern=off \
 -drive file=/home/seabios-q35-sysdisk.qcow2,format=qcow2,id=drive_sysdisk,if=none,cache=none,aio=native,werror=stop,rerror=stop \
 -device scsi-disk,drive=drive_sysdisk,bus=scsi_pci_bus0.0,id=device_sysdisk,bootindex=0 \
 -device virtio-scsi-pci,bus=downstream1,id=scsi_pci_bus1,disable-legacy=on,disable-modern=off \
 -drive file=/home/datadisk2G.qcow2,format=qcow2,id=drive_datadisk2G,if=none,cache=none,aio=native,werror=stop,rerror=stop \
 -device scsi-hd,drive=drive_datadisk2G,bus=scsi_pci_bus1.0,id=device_datadisk2G \
 -incoming tcp:0:1234

3. Migrate to the destination.
{"execute": "migrate","arguments":{"uri": "tcp:0:1234"}}

4. When migration is completed, 'quit' in the source HMP.

Actual results:
Core dump.
(qemu) q
red_channel_client_disconnect_dummy: rcc=0x7f0e713b9000 (channel=0x7f0e716cc260 type=5 id=0)
qemu: qemu_mutex_lock: Invalid argument
0boot.sh: line 43:  2810 Aborted                 (core dumped)

Expected results:
It should quit successfully.

Additional info:
(gdb) bt
#0  0x00007f0e63b645f7 in raise () from /lib64/libc.so.6
#1  0x00007f0e63b65ce8 in abort () from /lib64/libc.so.6
#2  0x00007f0e6be9f063 in error_exit (err=<optimized out>, 
    msg=msg@entry=0x7f0e6c228f60 <__func__.14263> "qemu_mutex_lock") at util/qemu-thread-posix.c:39
#3  0x00007f0e6c16c9c0 in qemu_mutex_lock (mutex=mutex@entry=0x7f0e6eca4400) at util/qemu-thread-posix.c:66
#4  0x00007f0e6bfa58d4 in qemu_chr_fe_write (s=0x7f0e6eca4400, 
    buf=buf@entry=0x7f0e70707000 "{\"timestamp\": {\"seconds\": 1468316858, \"microseconds\": 365538}, \"event\": \"SPICE_DISCONNECTED\", \"data\": {\"server\": {\"port\": \"5900\", \"family\": \"ipv4\", \"host\": \"10.66.9.49\"}, \"client\": {\"port\": \"36834\", \""..., len=243) at qemu-char.c:282
#5  0x00007f0e6bed492d in monitor_flush_locked (mon=mon@entry=0x7f0e6ebe2220)
    at /usr/src/debug/qemu-2.6.0/monitor.c:311
#6  0x00007f0e6bed4aba in monitor_flush_locked (mon=0x7f0e6ebe2220) at /usr/src/debug/qemu-2.6.0/monitor.c:303
#7  monitor_puts (mon=mon@entry=0x7f0e6ebe2220, str=0x7f0e6ec96eb2 "")
    at /usr/src/debug/qemu-2.6.0/monitor.c:353
#8  0x00007f0e6bed4aff in monitor_json_emitter (mon=0x7f0e6ebe2220, data=<optimized out>)
    at /usr/src/debug/qemu-2.6.0/monitor.c:401
#9  0x00007f0e6bed4bb6 in monitor_qapi_event_emit (event=event@entry=QAPI_EVENT_SPICE_DISCONNECTED, 
    qdict=qdict@entry=0x7f0e6ed14400) at /usr/src/debug/qemu-2.6.0/monitor.c:472
#10 0x00007f0e6bed4dfa in monitor_qapi_event_queue (event=QAPI_EVENT_SPICE_DISCONNECTED, qdict=0x7f0e6ed14400, 
    errp=<optimized out>) at /usr/src/debug/qemu-2.6.0/monitor.c:497
#11 0x00007f0e6c161528 in qapi_event_send_spice_disconnected (server=server@entry=0x7f0e705da040, 
    client=client@entry=0x7f0e706cef40, errp=0x7f0e6cafde38 <error_abort>) at qapi-event.c:972
#12 0x00007f0e6c0b4e91 in channel_event (event=3, info=0x7f0e70a2ec80) at ui/spice-core.c:248
#13 0x00007f0e66971ef3 in reds_handle_channel_event () from /lib64/libspice-server.so.1
#14 0x00007f0e6694dfaa in main_dispatcher_channel_event () from /lib64/libspice-server.so.1
#15 0x00007f0e6697885e in reds_stream_free () from /lib64/libspice-server.so.1
#16 0x00007f0e66982413 in snd_disconnect_channel () from /lib64/libspice-server.so.1
#17 0x00007f0e66982b5e in snd_detach_common () from /lib64/libspice-server.so.1
#18 0x00007f0e66984fed in snd_detach_playback () from /lib64/libspice-server.so.1
#19 0x00007f0e669755c8 in spice_server_remove_interface () from /lib64/libspice-server.so.1
#20 0x00007f0e6bfbd2cd in audio_atexit () at audio/audio.c:1760
#21 0x00007f0e63b67e69 in __run_exit_handlers () from /lib64/libc.so.6
#22 0x00007f0e63b67eb5 in exit () from /lib64/libc.so.6
#23 0x00007f0e63b50b1c in __libc_start_main () from /lib64/libc.so.6
#24 0x00007f0e6bea5bed in _start ()



(gdb) bt full
#0  0x00007f0e63b645f7 in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007f0e63b65ce8 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007f0e6be9f063 in error_exit (err=<optimized out>, 
    msg=msg@entry=0x7f0e6c228f60 <__func__.14263> "qemu_mutex_lock") at util/qemu-thread-posix.c:39
No locals.
#3  0x00007f0e6c16c9c0 in qemu_mutex_lock (mutex=mutex@entry=0x7f0e6eca4400) at util/qemu-thread-posix.c:66
        err = <optimized out>
        __func__ = "qemu_mutex_lock"
#4  0x00007f0e6bfa58d4 in qemu_chr_fe_write (s=0x7f0e6eca4400, 
    buf=buf@entry=0x7f0e70707000 "{\"timestamp\": {\"seconds\": 1468316858, \"microseconds\": 365538}, \"event\": \"SPICE_DISCONNECTED\", \"data\": {\"server\": {\"port\": \"5900\", \"family\": \"ipv4\", \"host\": \"10.66.9.49\"}, \"client\": {\"port\": \"36834\", \""..., len=243) at qemu-char.c:282
        ret = 255
        __PRETTY_FUNCTION__ = "qemu_chr_fe_write"
#5  0x00007f0e6bed492d in monitor_flush_locked (mon=mon@entry=0x7f0e6ebe2220)
    at /usr/src/debug/qemu-2.6.0/monitor.c:311
        rc = <optimized out>
        len = 243
        buf = 0x7f0e70707000 "{\"timestamp\": {\"seconds\": 1468316858, \"microseconds\": 365538}, \"event\": \"SPICE_DISCONNECTED\", \"data\": {\"server\": {\"port\": \"5900\", \"family\": \"ipv4\", \"host\": \"10.66.9.49\"}, \"client\": {\"port\": \"36834\", \""...
#6  0x00007f0e6bed4aba in monitor_flush_locked (mon=0x7f0e6ebe2220) at /usr/src/debug/qemu-2.6.0/monitor.c:303
No locals.
#7  monitor_puts (mon=mon@entry=0x7f0e6ebe2220, str=0x7f0e6ec96eb2 "")
    at /usr/src/debug/qemu-2.6.0/monitor.c:353
        c = <optimized out>
#8  0x00007f0e6bed4aff in monitor_json_emitter (mon=0x7f0e6ebe2220, data=<optimized out>)
    at /usr/src/debug/qemu-2.6.0/monitor.c:401
        json = 0x7f0e709f21c0
#9  0x00007f0e6bed4bb6 in monitor_qapi_event_emit (event=event@entry=QAPI_EVENT_SPICE_DISCONNECTED, 
    qdict=qdict@entry=0x7f0e6ed14400) at /usr/src/debug/qemu-2.6.0/monitor.c:472
        mon = 0x7f0e6ebe2220
#10 0x00007f0e6bed4dfa in monitor_qapi_event_queue (event=QAPI_EVENT_SPICE_DISCONNECTED, qdict=0x7f0e6ed14400, 
    errp=<optimized out>) at /usr/src/debug/qemu-2.6.0/monitor.c:497
        evconf = 0x7f0e6c62b6a8 <monitor_qapi_event_conf+200>
        evstate = <optimized out>
        __PRETTY_FUNCTION__ = "monitor_qapi_event_queue"
#11 0x00007f0e6c161528 in qapi_event_send_spice_disconnected (server=server@entry=0x7f0e705da040, 
    client=client@entry=0x7f0e706cef40, errp=0x7f0e6cafde38 <error_abort>) at qapi-event.c:972
        qmp = 0x7f0e6ed14400
        err = 0x0
        emit = 0x7f0e6bed4cd0 <monitor_qapi_event_queue>
        qov = 0x7f0e6ec8b360
        v = 0x7f0e6ec8b360
        param = {server = 0x7f0e705da040, client = 0x7f0e706cef40}
#12 0x00007f0e6c0b4e91 in channel_event (event=3, info=0x7f0e70a2ec80) at ui/spice-core.c:248
        server = 0x7f0e705da040
        client = 0x7f0e706cef40
        need_lock = false
        __func__ = "channel_event"
#13 0x00007f0e66971ef3 in reds_handle_channel_event () from /lib64/libspice-server.so.1
No symbol table info available.
#14 0x00007f0e6694dfaa in main_dispatcher_channel_event () from /lib64/libspice-server.so.1
No symbol table info available.
#15 0x00007f0e6697885e in reds_stream_free () from /lib64/libspice-server.so.1
No symbol table info available.
#16 0x00007f0e66982413 in snd_disconnect_channel () from /lib64/libspice-server.so.1
No symbol table info available.
#17 0x00007f0e66982b5e in snd_detach_common () from /lib64/libspice-server.so.1
No symbol table info available.
#18 0x00007f0e66984fed in snd_detach_playback () from /lib64/libspice-server.so.1
No symbol table info available.
#19 0x00007f0e669755c8 in spice_server_remove_interface () from /lib64/libspice-server.so.1
No symbol table info available.
#20 0x00007f0e6bfbd2cd in audio_atexit () at audio/audio.c:1760
        sc = <optimized out>
        s = 0x7f0e6c6e7e60 <glob_audio_state>
        hwo = 0x7f0e6ec82750
        hwi = 0x0
#21 0x00007f0e63b67e69 in __run_exit_handlers () from /lib64/libc.so.6
No symbol table info available.
#22 0x00007f0e63b67eb5 in exit () from /lib64/libc.so.6
No symbol table info available.
#23 0x00007f0e63b50b1c in __libc_start_main () from /lib64/libc.so.6
No symbol table info available.
#24 0x00007f0e6bea5bed in _start ()
No symbol table info available.

Comment 3 Dr. David Alan Gilbert 2016-07-29 09:10:28 UTC
I've had this one without migration at all - just at the end of an install;
I was chatting to armbru the other day about it.

(gdb) where
#0  0x00007ff7dad931d7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ff7dad948c8 in __GI_abort () at abort.c:90
#2  0x00007ff7e30c9a43 in error_exit (err=<optimized out>, msg=msg@entry=0x7ff7e3456280 <__func__.14263> "qemu_mutex_lock") at util/qemu-thread-posix.c:39
#3  0x00007ff7e3399230 in qemu_mutex_lock (mutex=mutex@entry=0x7ff7e5a31d40) at util/qemu-thread-posix.c:66
64          err = pthread_mutex_lock(&mutex->lock);
65          if (err)
66              error_exit(err, __func__);

#4  0x00007ff7e31d1634 in qemu_chr_fe_write (s=0x7ff7e5a31d40, 
    buf=buf@entry=0x7ff7e8361700 "{\"timestamp\": {\"seconds\": 1469695921, \"microseconds\": 106087}, \"event\": \"SPICE_DISCONNECTED\", \"data\": {\"server\": {\"port\": \"5900\", \"family\": \"ipv4\", \"host\": \"127.0.0.1\"}, \"client\": {\"port\": \"52658\", \"f"..., len=240) at qemu-char.c:282
#5  0x00007ff7e30ff58d in monitor_flush_locked (mon=mon@entry=0x7ff7e5a19f80) at /usr/src/debug/qemu-2.6.0/monitor.c:311
#6  0x00007ff7e30ff71a in monitor_flush_locked (mon=0x7ff7e5a19f80) at /usr/src/debug/qemu-2.6.0/monitor.c:303
#7  monitor_puts (mon=mon@entry=0x7ff7e5a19f80, str=0x7ff7e5a24a8f "") at /usr/src/debug/qemu-2.6.0/monitor.c:353
#8  0x00007ff7e30ff75f in monitor_json_emitter (mon=0x7ff7e5a19f80, data=<optimized out>) at /usr/src/debug/qemu-2.6.0/monitor.c:401
#9  0x00007ff7e30ff816 in monitor_qapi_event_emit (event=event@entry=QAPI_EVENT_SPICE_DISCONNECTED, qdict=qdict@entry=0x7ff7e7cfa800) at /usr/src/debug/qemu-2.6.0/monitor.c:472
#10 0x00007ff7e30ffa5a in monitor_qapi_event_queue (event=QAPI_EVENT_SPICE_DISCONNECTED, qdict=0x7ff7e7cfa800, errp=<optimized out>) at /usr/src/debug/qemu-2.6.0/monitor.c:497
#11 0x00007ff7e338ddb8 in qapi_event_send_spice_disconnected (server=server@entry=0x7ff7e85d2840, client=client@entry=0x7ff7e6c30040, errp=0x7ff7e3d2c5b8 <error_abort>) at qapi-event.c:972
#12 0x00007ff7e32e1281 in channel_event (event=3, info=0x7ff7e7d2e500) at ui/spice-core.c:248
#13 0x00007ff7ddb79ef3 in reds_handle_channel_event () from /lib64/libspice-server.so.1
#14 0x00007ff7ddb55faa in main_dispatcher_channel_event () from /lib64/libspice-server.so.1
#15 0x00007ff7ddb8085e in reds_stream_free () from /lib64/libspice-server.so.1
#16 0x00007ff7ddb507e1 in red_channel_client_disconnect () from /lib64/libspice-server.so.1
#17 0x00007ff7ddb50adc in red_channel_client_destroy () from /lib64/libspice-server.so.1
#18 0x00007ff7ddb50cc1 in red_channel_destroy () from /lib64/libspice-server.so.1
#19 0x00007ff7ddb7d511 in spice_server_remove_interface () from /lib64/libspice-server.so.1
#20 0x00007ff7e31d594d in vmc_unregister_interface (scd=scd@entry=0x7ff7e597edc0) at spice-qemu-char.c:134
#21 0x00007ff7e31d59b0 in vmc_unregister_interface (scd=0x7ff7e597edc0) at spice-qemu-char.c:213
#22 spice_chr_close (chr=<optimized out>) at spice-qemu-char.c:206
#23 0x00007ff7e31d3f02 in qemu_chr_free (chr=0x7ff7e5a321c0) at qemu-char.c:4037
#24 0x00007ff7e31d4c4f in qemu_chr_cleanup () at qemu-char.c:4574
#25 0x00007ff7e30ce076 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4676
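
The trace in this comment and the one in the description abort at the same point but enter teardown from different code. As an added example (not part of the bug report and not QEMU tooling), this Python sketch reduces raw gdb `bt` output to frame names and checks both traces against one crash signature; the sample traces are constructed by abridging the ones on this page, and the names `frames`, `shared_path` and `is_teardown_event_abort` are hypothetical.

```python
import re

# "#4  0x... in func (" or, for inlined frames, "#7  func (".
# Pager prompts and wrapped argument lines do not start with '#'.
FRAME = re.compile(r"^#\d+\s+(?:0x[0-9a-f]+ in )?(\w+) \(")
# Frames that mark process teardown in the two traces on this page.
TEARDOWN = {"__run_exit_handlers", "qemu_chr_cleanup"}

# Constructed samples: frames picked from the description and comment 3,
# with arguments shortened.
TRACE_ATEXIT = """\
#0  0x00007f0e63b645f7 in raise () from /lib64/libc.so.6
#1  0x00007f0e63b65ce8 in abort () from /lib64/libc.so.6
#2  0x00007f0e6be9f063 in error_exit (err=<optimized out>,
    msg=0x7f0e6c228f60) at util/qemu-thread-posix.c:39
#3  0x00007f0e6c16c9c0 in qemu_mutex_lock (mutex=0x7f0e6eca4400)
#5  0x00007f0e6bed492d in monitor_flush_locked (mon=0x7f0e6ebe2220)
#6  0x00007f0e6bed4aba in monitor_flush_locked (mon=0x7f0e6ebe2220)
#7  monitor_puts (mon=0x7f0e6ebe2220)
---Type <return> to continue, or q <return> to quit---
#9  0x00007f0e6bed4bb6 in monitor_qapi_event_emit (qdict=0x7f0e6ed14400)
#12 0x00007f0e6c0b4e91 in channel_event (event=3, info=0x7f0e70a2ec80)
#19 0x00007f0e669755c8 in spice_server_remove_interface ()
#20 0x00007f0e6bfbd2cd in audio_atexit () at audio/audio.c:1760
#21 0x00007f0e63b67e69 in __run_exit_handlers () from /lib64/libc.so.6
"""
TRACE_CHR_CLEANUP = """\
#0  0x00007ff7dad931d7 in __GI_raise (sig=6)
#1  0x00007ff7dad948c8 in __GI_abort () at abort.c:90
#2  0x00007ff7e30c9a43 in error_exit (err=<optimized out>)
#3  0x00007ff7e3399230 in qemu_mutex_lock (mutex=0x7ff7e5a31d40)
#5  0x00007ff7e30ff58d in monitor_flush_locked (mon=0x7ff7e5a19f80)
#7  monitor_puts (mon=0x7ff7e5a19f80)
#9  0x00007ff7e30ff816 in monitor_qapi_event_emit (qdict=0x7ff7e7cfa800)
#12 0x00007ff7e32e1281 in channel_event (event=3, info=0x7ff7e7d2e500)
#19 0x00007ff7ddb7d511 in spice_server_remove_interface ()
#22 spice_chr_close (chr=<optimized out>) at spice-qemu-char.c:206
#24 0x00007ff7e31d4c4f in qemu_chr_cleanup () at qemu-char.c:4574
#25 0x00007ff7e30ce076 in main (argc=<optimized out>) at vl.c:4676
"""


def frames(bt_text):
    """Function names from raw gdb `bt` output, innermost frame first."""
    names = []
    for line in bt_text.splitlines():
        m = FRAME.match(line.strip())
        if not m:
            continue                       # prompt or continuation line
        name = m.group(1)
        if name.startswith("__GI_"):       # glibc debuginfo alias
            name = name[5:]
        if not names or names[-1] != name:  # collapse inlined repeats
            names.append(name)
    return names


def shared_path(a, b):
    """Innermost frames that two traces have in common."""
    out = []
    for x, y in zip(a, b):
        if x != y:
            break
        out.append(x)
    return out


def is_teardown_event_abort(names):
    """True if abort() came from locking a mutex while emitting a QMP
    event, and that emission was reached from teardown code."""
    try:
        lock = names.index("qemu_mutex_lock")
        emit = names.index("monitor_qapi_event_emit", lock)
    except ValueError:
        return False
    return "abort" in names[:lock] and any(f in TEARDOWN for f in names[emit:])
```

Both samples share every frame from `raise` out to `spice_server_remove_interface`; only the frames beyond it (`audio_atexit` via `exit()` versus `qemu_chr_cleanup` from `main`) differ.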

Comment 4 Markus Armbruster 2016-07-29 09:14:07 UTC
Analysis of a similar (the same?) spice-related bug:
https://lists.gnu.org/archive/html/qemu-devel/2016-07/msg06283.html

Comment 5 Marc-Andre Lureau 2016-08-01 08:24:50 UTC
I am not able to reproduce with my version of 10:qemu-kvm-rhev-2.6.0-13.el7.x86_64 (perhaps it was a locally modified version, and it's no longer available in rpm repo)

Can you reproduce with qemu-kvm-rhev-2.6.0-15.el7?

Comment 6 Marc-Andre Lureau 2016-08-01 08:29:54 UTC
OK, I managed to reproduce (I realized you need a qmp monitor connected)

Comment 7 Marc-Andre Lureau 2016-08-01 08:37:53 UTC
and you need a connected spice client

Comment 8 Marc-Andre Lureau 2016-08-01 12:14:41 UTC
fix for upstream:
http://patchew.org/QEMU/20160801112343.29082-1-marcandre.lureau%40redhat.com/

Comment 9 Marc-Andre Lureau 2016-08-02 06:59:29 UTC
A simpler reproducer: run a VM with spice+audio, connect a spice client, and shut down the VM. The VM will abort when leaving qemu.

This is reproducible with 7.2z (qemu-kvm-rhev-2.3.0-31.el7_2.18, with a different behaviour, it seems to deadlock), and 7.3. I'll duplicate the bug.

Comment 11 Ademar Reis 2016-08-03 21:25:07 UTC
*** Bug 1362405 has been marked as a duplicate of this bug. ***

Comment 12 Marc-Andre Lureau 2016-08-09 10:00:32 UTC
can we get acks for 7.3?

Comment 13 Marc-Andre Lureau 2016-08-10 20:14:33 UTC
backport for 7.3 on rhvirt-patches list

Comment 14 Miroslav Rezanina 2016-08-16 11:23:11 UTC
Fix included in qemu-kvm-rhev-2.6.0-21.el7

Comment 16 Guo, Zhiyi 2016-08-25 06:50:48 UTC
Following comments 6+7+9, reproduced the issues against qemu-kvm-rhev-2.6.0-20.el7.x86_64 with the steps below:

qemu cli:
/usr/libexec/qemu-kvm -name rhel7.3 -m 2048 \
        -cpu Haswell-noTSX \
        -smp 1,threads=2,cores=1,sockets=3,maxcpus=6 \
        -vga qxl \
        -spice port=3001,disable-ticketing \
        -device virtio-serial -chardev spicevmc,id=vdagent,debug=0,name=vdagent \
        -serial unix:/tmp/m,server,nowait \
        -device virtserialport,chardev=vdagent,name=com.redhat.spice.0 \
        -drive file=/home/rhel73.qcow2,if=none,id=drive-scsi-disk0,format=qcow2,cache=none,werror=stop,rerror=stop -device virtio-scsi-pci,id=scsi0,disable-modern=off,disable-legacy=off -device scsi-hd,drive=drive-scsi-disk0,bus=scsi0.0,scsi-id=0,lun=0,id=scsi-disk0,bootindex=1 \
        -monitor stdio \
        -usb -device usb-kbd,id=input0 \
        -netdev tap,id=idinWyYp,vhost=on -device virtio-net-pci,mac=42:ce:a9:d2:4d:d7,id=idlbq7eA,netdev=idinWyYp \
        -qmp tcp:localhost:4444,server,nowait \
        -device intel-hda,id=sound0 -device hda-duplex,id=sound0-codec0

steps:
1. Boot rhel7.3 guest with above qemu cli
2. Connect qmp with: telnet localhost 4444
3. Connect spice client with remote-viewer spice://host_ip:3001
4. Issue qmp command: { "execute": "qmp_capabilities" },{ "execute": "quit"}

Results:
qemu coredump with trace:
#0  0x00007f78342521d7 in raise () from /lib64/libc.so.6
#1  0x00007f78342538c8 in abort () from /lib64/libc.so.6
#2  0x00007f783ff30771 in error_exit (err=<optimized out>, 
    msg=msg@entry=0x7f78402d1540 <__func__.14266> "qemu_mutex_lock")
    at util/qemu-thread-posix.c:39
#3  0x00007f78401f8430 in qemu_mutex_lock (mutex=mutex@entry=0x7f7841c85e60)
    at util/qemu-thread-posix.c:66
#4  0x00007f7840037b54 in qemu_chr_fe_write (s=0x7f7841c85e60, 
    buf=buf@entry=0x7f7842f73a00 "{\"timestamp\": {\"seconds\": 1472106852, \"microseconds\": 358781}, \"event\": \"SPICE_DISCONNECTED\", \"data\": {\"server\": {\"port\": \"3001\", \"family\": \"ipv4\", \"host\": \"10.66.9.154\"}, \"client\": {\"port\": \"35386\", "..., len=244) at qemu-char.c:282
#5  0x00007f783ff6612d in monitor_flush_locked (mon=mon@entry=0x7f7841bd7ea0)
    at /usr/src/debug/qemu-2.6.0/monitor.c:311
#6  0x00007f783ff662ba in monitor_flush_locked (mon=0x7f7841bd7ea0)
    at /usr/src/debug/qemu-2.6.0/monitor.c:303
#7  monitor_puts (mon=mon@entry=0x7f7841bd7ea0, str=0x7f7841c79433 "")
    at /usr/src/debug/qemu-2.6.0/monitor.c:353
#8  0x00007f783ff662ff in monitor_json_emitter (mon=0x7f7841bd7ea0, 
    data=<optimized out>) at /usr/src/debug/qemu-2.6.0/monitor.c:401
#9  0x00007f783ff663b6 in monitor_qapi_event_emit (
    event=event@entry=QAPI_EVENT_SPICE_DISCONNECTED, 
    qdict=qdict@entry=0x7f7842a39600)
    at /usr/src/debug/qemu-2.6.0/monitor.c:472
#10 0x00007f783ff665fa in monitor_qapi_event_queue (
    event=QAPI_EVENT_SPICE_DISCONNECTED, qdict=0x7f7842a39600, 
    errp=<optimized out>) at /usr/src/debug/qemu-2.6.0/monitor.c:497
#11 0x00007f78401ecf88 in qapi_event_send_spice_disconnected (
    server=server@entry=0x7f7841c9fbe0, client=client@entry=0x7f7844a1f440, 
    errp=0x7f7840bfdaf8 <error_abort>) at qapi-event.c:972
#12 0x00007f784013f681 in channel_event (event=3, info=0x7f784428b040)
    at ui/spice-core.c:248
#13 0x00007f7837046113 in reds_handle_channel_event ()
   from /lib64/libspice-server.so.1
#14 0x00007f783702216a in main_dispatcher_channel_event ()
   from /lib64/libspice-server.so.1
#15 0x00007f783704ca7e in reds_stream_free () from /lib64/libspice-server.so.1
#16 0x00007f7837056633 in snd_disconnect_channel ()
   from /lib64/libspice-server.so.1
#17 0x00007f7837056d7e in snd_detach_common () from /lib64/libspice-server.so.1
#18 0x00007f783705920d in snd_detach_playback ()
   from /lib64/libspice-server.so.1
#19 0x00007f78370497e8 in spice_server_remove_interface ()
   from /lib64/libspice-server.so.1
#20 0x00007f784004f89d in audio_atexit () at audio/audio.c:1760
#21 0x00007f7834255a49 in __run_exit_handlers () from /lib64/libc.so.6
#22 0x00007f7834255a95 in exit () from /lib64/libc.so.6
#23 0x00007f783423eb3c in __libc_start_main () from /lib64/libc.so.6
#24 0x00007f783ff3721d in _start ()

Verified against qemu-kvm-rhev-2.6.0-21.el7.x86_64.
Following the same steps, no core dump happens after step 4.

Comment 17 Guo, Zhiyi 2016-08-25 07:02:14 UTC
Move to verified per comment 16

Comment 20 errata-xmlrpc 2016-11-07 21:23:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2673.html

