* Thu Feb 24 2022 Miroslav Rezanina <mrezanin@redhat.com> - 6.2.0-10

- kvm-Revert-ui-clipboard-Don-t-use-g_autoptr-just-to-free.patch [bz#2042820]
- kvm-ui-avoid-compiler-warnings-from-unused-clipboard-inf.patch [bz#2042820]
- kvm-ui-clipboard-fix-use-after-free-regression.patch [bz#2042820]
- kvm-ui-vnc.c-Fixed-a-deadlock-bug.patch [bz#2042820]
- kvm-memory-Fix-incorrect-calls-of-log_global_start-stop.patch [bz#2044818]
- kvm-memory-Fix-qemu-crash-on-starting-dirty-log-twice-wi.patch [bz#2044818]
- Resolves: bz#2042820
  (qemu crash when try to copy and paste contents from client to VM)
- Resolves: bz#2044818
  (Qemu Core Dumped when migrate -> migrate_cancel -> migrate again during guest is paused)

kvm-Revert-ui-clipboard-Don-t-use-g_autoptr-just-to-free.patch

@@ -0,0 +1,45 @@
+From 213d2c6d3138f3570bca36edaacfd1ee86b18967 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 4 Feb 2022 06:45:51 +0100
+Subject: [PATCH 1/6] Revert "ui/clipboard: Don't use g_autoptr just to free a
+ variable"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+RH-MergeRequest: 75: fix vnc cut+paste crash
+RH-Commit: [1/4] 0937d15054ad6e902bc22d1872231504f442ddcc (kraxel/centos-qemu-kvm)
+RH-Bugzilla: 2042820
+RH-Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+RH-Acked-by: Daniel P. Berrangé <berrange@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+This reverts commit 8df1ea81ee6c674522967d056daa8d3748fa3883.
+---
+ ui/clipboard.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/ui/clipboard.c b/ui/clipboard.c
+index d53576b0f6..d7b008d62a 100644
+--- a/ui/clipboard.c
++++ b/ui/clipboard.c
+@@ -44,14 +44,13 @@ void qemu_clipboard_peer_release(QemuClipboardPeer *peer,
+ 
+ void qemu_clipboard_update(QemuClipboardInfo *info)
+ {
+-    QemuClipboardInfo *old = NULL;
++    g_autoptr(QemuClipboardInfo) old = NULL;
+     assert(info->selection < QEMU_CLIPBOARD_SELECTION__COUNT);
+ 
+     notifier_list_notify(&clipboard_notifiers, info);
+ 
+     old = cbinfo[info->selection];
+     cbinfo[info->selection] = qemu_clipboard_info_ref(info);
+-    g_free(old);
+ }
+ 
+ QemuClipboardInfo *qemu_clipboard_info(QemuClipboardSelection selection)
+-- 
+2.27.0
+

kvm-memory-Fix-incorrect-calls-of-log_global_start-stop.patch

@@ -0,0 +1,97 @@
+From b169059c8fbf15c3ffeec0f68b938cb9febd8db7 Mon Sep 17 00:00:00 2001
+From: Peter Xu <peterx@redhat.com>
+Date: Tue, 30 Nov 2021 16:00:28 +0800
+Subject: [PATCH 5/6] memory: Fix incorrect calls of log_global_start/stop
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Peter Xu <peterx@redhat.com>
+RH-MergeRequest: 77: memory: Fix qemu crash on continuous migrations of stopped VM
+RH-Commit: [1/2] 6271ee689266b24d29d4c87f60e5b096ef5f5d63 (peterx/qemu-kvm)
+RH-Bugzilla: 2044818
+RH-Acked-by: Paolo Bonzini <None>
+RH-Acked-by: David Hildenbrand <david@redhat.com>
+RH-Acked-by: quintela1 <quintela@redhat.com>
+
+We should only call the log_global_start/stop when the global dirty track
+bitmask changes from zero<->non-zero.
+
+No real issue reported for this yet probably because no immediate user to
+enable both dirty rate measurement and migration at the same time.  However
+it'll be good to be prepared for it.
+
+Fixes: 63b41db4bc ("memory: make global_dirty_tracking a bitmask")
+Cc: qemu-stable@nongnu.org
+Cc: Hyman Huang <huangy81@chinatelecom.cn>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Cc: Juan Quintela <quintela@redhat.com>
+Cc: David Hildenbrand <david@redhat.com>
+Signed-off-by: Peter Xu <peterx@redhat.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Message-Id: <20211130080028.6474-1-peterx@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+(cherry picked from commit 7b0538ed3a22ce30817f818449d10701fb0821f9)
+Signed-off-by: Peter Xu <peterx@redhat.com>
+---
+ softmmu/memory.c | 27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/softmmu/memory.c b/softmmu/memory.c
+index 7340e19ff5..81d4bf1454 100644
+--- a/softmmu/memory.c
++++ b/softmmu/memory.c
+@@ -2773,6 +2773,8 @@ static VMChangeStateEntry *vmstate_change;
+ 
+ void memory_global_dirty_log_start(unsigned int flags)
+ {
++    unsigned int old_flags = global_dirty_tracking;
++
+     if (vmstate_change) {
+         qemu_del_vm_change_state_handler(vmstate_change);
+         vmstate_change = NULL;
+@@ -2781,15 +2783,14 @@ void memory_global_dirty_log_start(unsigned int flags)
+     assert(flags && !(flags & (~GLOBAL_DIRTY_MASK)));
+     assert(!(global_dirty_tracking & flags));
+     global_dirty_tracking |= flags;
+-
+     trace_global_dirty_changed(global_dirty_tracking);
+ 
+-    MEMORY_LISTENER_CALL_GLOBAL(log_global_start, Forward);
+-
+-    /* Refresh DIRTY_MEMORY_MIGRATION bit.  */
+-    memory_region_transaction_begin();
+-    memory_region_update_pending = true;
+-    memory_region_transaction_commit();
++    if (!old_flags) {
++        MEMORY_LISTENER_CALL_GLOBAL(log_global_start, Forward);
++        memory_region_transaction_begin();
++        memory_region_update_pending = true;
++        memory_region_transaction_commit();
++    }
+ }
+ 
+ static void memory_global_dirty_log_do_stop(unsigned int flags)
+@@ -2800,12 +2801,12 @@ static void memory_global_dirty_log_do_stop(unsigned int flags)
+ 
+     trace_global_dirty_changed(global_dirty_tracking);
+ 
+-    /* Refresh DIRTY_MEMORY_MIGRATION bit.  */
+-    memory_region_transaction_begin();
+-    memory_region_update_pending = true;
+-    memory_region_transaction_commit();
+-
+-    MEMORY_LISTENER_CALL_GLOBAL(log_global_stop, Reverse);
++    if (!global_dirty_tracking) {
++        memory_region_transaction_begin();
++        memory_region_update_pending = true;
++        memory_region_transaction_commit();
++        MEMORY_LISTENER_CALL_GLOBAL(log_global_stop, Reverse);
++    }
+ }
+ 
+ static void memory_vm_change_state_handler(void *opaque, bool running,
+-- 
+2.27.0
+

kvm-memory-Fix-qemu-crash-on-starting-dirty-log-twice-wi.patch

@@ -0,0 +1,156 @@
+From b3ed8e344c733bc8c2223c1b9e424a9fbcea56d4 Mon Sep 17 00:00:00 2001
+From: Peter Xu <peterx@redhat.com>
+Date: Mon, 7 Feb 2022 20:30:19 +0800
+Subject: [PATCH 6/6] memory: Fix qemu crash on starting dirty log twice with
+ stopped VM
+
+RH-Author: Peter Xu <peterx@redhat.com>
+RH-MergeRequest: 77: memory: Fix qemu crash on continuous migrations of stopped VM
+RH-Commit: [2/2] 98ed2ef6226ec80a1896ebb554015aded0dc0c18 (peterx/qemu-kvm)
+RH-Bugzilla: 2044818
+RH-Acked-by: Paolo Bonzini <None>
+RH-Acked-by: David Hildenbrand <david@redhat.com>
+RH-Acked-by: quintela1 <quintela@redhat.com>
+
+QEMU can now easily crash with two continuous migration carried out:
+
+(qemu) migrate -d exec:cat>out
+(qemu) migrate_cancel
+(qemu) migrate -d exec:cat>out
+[crash] ../softmmu/memory.c:2782: memory_global_dirty_log_start: Assertion
+`!(global_dirty_tracking & flags)' failed.
+
+It's because memory API provides a way to postpone dirty log stop if the VM is
+stopped, and that'll be re-done until the next VM start.  It was added in 2017
+with commit 1931076077 ("migration: optimize the downtime", 2017-08-01).
+
+However the recent work on allowing dirty tracking to be bitmask broke it,
+which is commit 63b41db4bc ("memory: make global_dirty_tracking a bitmask",
+2021-11-01).
+
+The fix proposed in this patch contains two things:
+
+  (1) Instead of passing over the flags to postpone stop dirty track, we add a
+      global variable (along with current vmstate_change variable) to record
+      what flags to stop dirty tracking.
+
+  (2) When start dirty tracking, instead if remove the vmstate hook directly,
+      we also execute the postponed stop process so that we make sure all the
+      starts and stops will be paired.
+
+This procedure is overlooked in the bitmask-ify work in 2021.
+
+Cc: Hyman Huang <huangy81@chinatelecom.cn>
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2044818
+Fixes: 63b41db4bc ("memory: make global_dirty_tracking a bitmask")
+Signed-off-by: Peter Xu <peterx@redhat.com>
+Message-Id: <20220207123019.27223-1-peterx@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit a5c90c61a118027b86155cffdf4fe4e2e9de1020)
+Signed-off-by: Peter Xu <peterx@redhat.com>
+---
+ softmmu/memory.c | 61 +++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 45 insertions(+), 16 deletions(-)
+
+diff --git a/softmmu/memory.c b/softmmu/memory.c
+index 81d4bf1454..0311e362ee 100644
+--- a/softmmu/memory.c
++++ b/softmmu/memory.c
+@@ -2769,19 +2769,32 @@ void memory_global_after_dirty_log_sync(void)
+     MEMORY_LISTENER_CALL_GLOBAL(log_global_after_sync, Forward);
+ }
+ 
++/*
++ * Dirty track stop flags that are postponed due to VM being stopped.  Should
++ * only be used within vmstate_change hook.
++ */
++static unsigned int postponed_stop_flags;
+ static VMChangeStateEntry *vmstate_change;
++static void memory_global_dirty_log_stop_postponed_run(void);
+ 
+ void memory_global_dirty_log_start(unsigned int flags)
+ {
+-    unsigned int old_flags = global_dirty_tracking;
++    unsigned int old_flags;
++
++    assert(flags && !(flags & (~GLOBAL_DIRTY_MASK)));
+ 
+     if (vmstate_change) {
+-        qemu_del_vm_change_state_handler(vmstate_change);
+-        vmstate_change = NULL;
++        /* If there is postponed stop(), operate on it first */
++        postponed_stop_flags &= ~flags;
++        memory_global_dirty_log_stop_postponed_run();
+     }
+ 
+-    assert(flags && !(flags & (~GLOBAL_DIRTY_MASK)));
+-    assert(!(global_dirty_tracking & flags));
++    flags &= ~global_dirty_tracking;
++    if (!flags) {
++        return;
++    }
++
++    old_flags = global_dirty_tracking;
+     global_dirty_tracking |= flags;
+     trace_global_dirty_changed(global_dirty_tracking);
+ 
+@@ -2809,29 +2822,45 @@ static void memory_global_dirty_log_do_stop(unsigned int flags)
+     }
+ }
+ 
++/*
++ * Execute the postponed dirty log stop operations if there is, then reset
++ * everything (including the flags and the vmstate change hook).
++ */
++static void memory_global_dirty_log_stop_postponed_run(void)
++{
++    /* This must be called with the vmstate handler registered */
++    assert(vmstate_change);
++
++    /* Note: postponed_stop_flags can be cleared in log start routine */
++    if (postponed_stop_flags) {
++        memory_global_dirty_log_do_stop(postponed_stop_flags);
++        postponed_stop_flags = 0;
++    }
++
++    qemu_del_vm_change_state_handler(vmstate_change);
++    vmstate_change = NULL;
++}
++
+ static void memory_vm_change_state_handler(void *opaque, bool running,
+                                            RunState state)
+ {
+-    unsigned int flags = (unsigned int)(uintptr_t)opaque;
+     if (running) {
+-        memory_global_dirty_log_do_stop(flags);
+-
+-        if (vmstate_change) {
+-            qemu_del_vm_change_state_handler(vmstate_change);
+-            vmstate_change = NULL;
+-        }
++        memory_global_dirty_log_stop_postponed_run();
+     }
+ }
+ 
+ void memory_global_dirty_log_stop(unsigned int flags)
+ {
+     if (!runstate_is_running()) {
++        /* Postpone the dirty log stop, e.g., to when VM starts again */
+         if (vmstate_change) {
+-            return;
++            /* Batch with previous postponed flags */
++            postponed_stop_flags |= flags;
++        } else {
++            postponed_stop_flags = flags;
++            vmstate_change = qemu_add_vm_change_state_handler(
++                memory_vm_change_state_handler, NULL);
+         }
+-        vmstate_change = qemu_add_vm_change_state_handler(
+-                                memory_vm_change_state_handler,
+-                                (void *)(uintptr_t)flags);
+         return;
+     }
+ 
+-- 
+2.27.0
+

kvm-ui-avoid-compiler-warnings-from-unused-clipboard-inf.patch

@@ -0,0 +1,63 @@
+From c5ff43026547ea20fbb496c5b6734b7e64362151 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 14 Feb 2022 12:37:49 +0100
+Subject: [PATCH 2/6] ui: avoid compiler warnings from unused clipboard info
+ variable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+RH-MergeRequest: 75: fix vnc cut+paste crash
+RH-Commit: [2/4] 6a7982a0bab86bf843fd65842e730a61b2fa2cb0 (kraxel/centos-qemu-kvm)
+RH-Bugzilla: 2042820
+RH-Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+RH-Acked-by: Daniel P. Berrangé <berrange@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+With latest clang 13.0.0 we get
+
+../ui/clipboard.c:47:34: error: variable 'old' set but not used [-Werror,-Wunused-but-set-variable]
+    g_autoptr(QemuClipboardInfo) old = NULL;
+                                 ^
+
+The compiler can't tell that we only declared this variable in
+order to get the side effect of free'ing it when out of scope.
+
+This pattern is a little dubious for a use of g_autoptr, so
+rewrite the code to avoid it.
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+[AJB: fix merge conflict]
+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
+Message-Id: <20211215141949.3512719-2-berrange@redhat.com>
+Message-Id: <20220105135009.1584676-2-alex.bennee@linaro.org>
+(cherry picked from commit 70a54b01693eda3c61814b05d699aba41015ac48)
+---
+ ui/clipboard.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/ui/clipboard.c b/ui/clipboard.c
+index d7b008d62a..7672058e84 100644
+--- a/ui/clipboard.c
++++ b/ui/clipboard.c
+@@ -44,12 +44,11 @@ void qemu_clipboard_peer_release(QemuClipboardPeer *peer,
+ 
+ void qemu_clipboard_update(QemuClipboardInfo *info)
+ {
+-    g_autoptr(QemuClipboardInfo) old = NULL;
+     assert(info->selection < QEMU_CLIPBOARD_SELECTION__COUNT);
+ 
+     notifier_list_notify(&clipboard_notifiers, info);
+ 
+-    old = cbinfo[info->selection];
++    qemu_clipboard_info_unref(cbinfo[info->selection]);
+     cbinfo[info->selection] = qemu_clipboard_info_ref(info);
+ }
+ 
+-- 
+2.27.0
+

kvm-ui-clipboard-fix-use-after-free-regression.patch

@@ -0,0 +1,49 @@
+From 965275cd87f8008f129509c6d6fd0096e8ac2d96 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Mon, 14 Feb 2022 15:59:17 +0400
+Subject: [PATCH 3/6] ui/clipboard: fix use-after-free regression
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+RH-MergeRequest: 75: fix vnc cut+paste crash
+RH-Commit: [3/4] d8f68e0eb60d9aaa9a703d969f215816bf35f6f0 (kraxel/centos-qemu-kvm)
+RH-Bugzilla: 2042820
+RH-Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+RH-Acked-by: Daniel P. Berrangé <berrange@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+The same info may be used to update the clipboard, and may be freed
+before being ref'ed again.
+
+Fixes: 70a54b01693ed ("ui: avoid compiler warnings from unused clipboard info variable")
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+Message-Id: <20220214115917.1679568-1-marcandre.lureau@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ ui/clipboard.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/ui/clipboard.c b/ui/clipboard.c
+index 7672058e84..d7dae13760 100644
+--- a/ui/clipboard.c
++++ b/ui/clipboard.c
+@@ -48,8 +48,10 @@ void qemu_clipboard_update(QemuClipboardInfo *info)
+ 
+     notifier_list_notify(&clipboard_notifiers, info);
+ 
+-    qemu_clipboard_info_unref(cbinfo[info->selection]);
+-    cbinfo[info->selection] = qemu_clipboard_info_ref(info);
++    if (cbinfo[info->selection] != info) {
++        qemu_clipboard_info_unref(cbinfo[info->selection]);
++        cbinfo[info->selection] = qemu_clipboard_info_ref(info);
++    }
+ }
+ 
+ QemuClipboardInfo *qemu_clipboard_info(QemuClipboardSelection selection)
+-- 
+2.27.0
+

kvm-ui-vnc.c-Fixed-a-deadlock-bug.patch

@@ -0,0 +1,80 @@
+From 14582cfec72e52894f16ed5c3fb14adb2d6d8e25 Mon Sep 17 00:00:00 2001
+From: Rao Lei <lei.rao@intel.com>
+Date: Wed, 5 Jan 2022 10:08:08 +0800
+Subject: [PATCH 4/6] ui/vnc.c: Fixed a deadlock bug.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+RH-MergeRequest: 75: fix vnc cut+paste crash
+RH-Commit: [4/4] 5321e447de974d91e9a6c0cf01f4352166ffb7ce (kraxel/centos-qemu-kvm)
+RH-Bugzilla: 2042820
+RH-Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+RH-Acked-by: Daniel P. Berrangé <berrange@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+
+The GDB statck is as follows:
+(gdb) bt
+0  __lll_lock_wait (futex=futex@entry=0x56211df20360, private=0) at lowlevellock.c:52
+1  0x00007f263caf20a3 in __GI___pthread_mutex_lock (mutex=0x56211df20360) at ../nptl/pthread_mutex_lock.c:80
+2  0x000056211a757364 in qemu_mutex_lock_impl (mutex=0x56211df20360, file=0x56211a804857 "../ui/vnc-jobs.h", line=60)
+    at ../util/qemu-thread-posix.c:80
+3  0x000056211a0ef8c7 in vnc_lock_output (vs=0x56211df14200) at ../ui/vnc-jobs.h:60
+4  0x000056211a0efcb7 in vnc_clipboard_send (vs=0x56211df14200, count=1, dwords=0x7ffdf1701338) at ../ui/vnc-clipboard.c:138
+5  0x000056211a0f0129 in vnc_clipboard_notify (notifier=0x56211df244c8, data=0x56211dd1bbf0) at ../ui/vnc-clipboard.c:209
+6  0x000056211a75dde8 in notifier_list_notify (list=0x56211afa17d0 <clipboard_notifiers>, data=0x56211dd1bbf0) at ../util/notify.c:39
+7  0x000056211a0bf0e6 in qemu_clipboard_update (info=0x56211dd1bbf0) at ../ui/clipboard.c:50
+8  0x000056211a0bf05d in qemu_clipboard_peer_release (peer=0x56211df244c0, selection=QEMU_CLIPBOARD_SELECTION_CLIPBOARD)
+    at ../ui/clipboard.c:41
+9  0x000056211a0bef9b in qemu_clipboard_peer_unregister (peer=0x56211df244c0) at ../ui/clipboard.c:19
+10 0x000056211a0d45f3 in vnc_disconnect_finish (vs=0x56211df14200) at ../ui/vnc.c:1358
+11 0x000056211a0d4c9d in vnc_client_read (vs=0x56211df14200) at ../ui/vnc.c:1611
+12 0x000056211a0d4df8 in vnc_client_io (ioc=0x56211ce70690, condition=G_IO_IN, opaque=0x56211df14200) at ../ui/vnc.c:1649
+13 0x000056211a5b976c in qio_channel_fd_source_dispatch
+    (source=0x56211ce50a00, callback=0x56211a0d4d71 <vnc_client_io>, user_data=0x56211df14200) at ../io/channel-watch.c:84
+14 0x00007f263ccede8e in g_main_context_dispatch () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
+15 0x000056211a77d4a1 in glib_pollfds_poll () at ../util/main-loop.c:232
+16 0x000056211a77d51f in os_host_main_loop_wait (timeout=958545) at ../util/main-loop.c:255
+17 0x000056211a77d630 in main_loop_wait (nonblocking=0) at ../util/main-loop.c:531
+18 0x000056211a45bc8e in qemu_main_loop () at ../softmmu/runstate.c:726
+19 0x000056211a0b45fa in main (argc=69, argv=0x7ffdf1701778, envp=0x7ffdf17019a8) at ../softmmu/main.c:50
+
+From the call trace, we can see it is a deadlock bug.
+vnc_disconnect_finish will acquire the output_mutex.
+But, the output_mutex will be acquired again in vnc_clipboard_send.
+Repeated locking will cause deadlock. So, I move
+qemu_clipboard_peer_unregister() behind vnc_unlock_output();
+
+Fixes: 0bf41cab93e ("ui/vnc: clipboard support")
+Signed-off-by: Lei Rao <lei.rao@intel.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20220105020808.597325-1-lei.rao@intel.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 1dbbe6f172810026c51dc84ed927a3cc23017949)
+---
+ ui/vnc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index af02522e84..b253e85c65 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -1354,12 +1354,12 @@ void vnc_disconnect_finish(VncState *vs)
+         /* last client gone */
+         vnc_update_server_surface(vs->vd);
+     }
++    vnc_unlock_output(vs);
++
+     if (vs->cbpeer.update.notify) {
+         qemu_clipboard_peer_unregister(&vs->cbpeer);
+     }
+ 
+-    vnc_unlock_output(vs);
+-
+     qemu_mutex_destroy(&vs->output_mutex);
+     if (vs->bh != NULL) {
+         qemu_bh_delete(vs->bh);
+-- 
+2.27.0
+

qemu-kvm.spec

@@ -144,7 +144,7 @@ Obsoletes: %{name}-block-iscsi <= %{version}                    \
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 6.2.0
-Release: 9%{?rcrel}%{?dist}%{?cc_suffix}
+Release: 10%{?rcrel}%{?dist}%{?cc_suffix}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 # Epoch 15 used for RHEL 8
 # Epoch 17 used for RHEL 9 (due to release versioning offset in RHEL 8.5)
@@ -267,6 +267,18 @@ Patch61: kvm-iotests-281-Test-lingering-timers.patch
 Patch62: kvm-block-nbd-Move-s-ioc-on-AioContext-change.patch
 # For bz#2033626 - Qemu core dump when start guest with nbd node or do block jobs to nbd node
 Patch63: kvm-iotests-281-Let-NBD-connection-yield-in-iothread.patch
+# For bz#2042820 - qemu crash when try to copy and paste contents from client to VM
+Patch64: kvm-Revert-ui-clipboard-Don-t-use-g_autoptr-just-to-free.patch
+# For bz#2042820 - qemu crash when try to copy and paste contents from client to VM
+Patch65: kvm-ui-avoid-compiler-warnings-from-unused-clipboard-inf.patch
+# For bz#2042820 - qemu crash when try to copy and paste contents from client to VM
+Patch66: kvm-ui-clipboard-fix-use-after-free-regression.patch
+# For bz#2042820 - qemu crash when try to copy and paste contents from client to VM
+Patch67: kvm-ui-vnc.c-Fixed-a-deadlock-bug.patch
+# For bz#2044818 - Qemu Core Dumped when migrate -> migrate_cancel -> migrate again during guest is paused
+Patch68: kvm-memory-Fix-incorrect-calls-of-log_global_start-stop.patch
+# For bz#2044818 - Qemu Core Dumped when migrate -> migrate_cancel -> migrate again during guest is paused
+Patch69: kvm-memory-Fix-qemu-crash-on-starting-dirty-log-twice-wi.patch
 
 # Source-git patches
 
@@ -1325,6 +1337,18 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %endif
 
 %changelog
+* Thu Feb 24 2022 Miroslav Rezanina <mrezanin@redhat.com> - 6.2.0-10
+- kvm-Revert-ui-clipboard-Don-t-use-g_autoptr-just-to-free.patch [bz#2042820]
+- kvm-ui-avoid-compiler-warnings-from-unused-clipboard-inf.patch [bz#2042820]
+- kvm-ui-clipboard-fix-use-after-free-regression.patch [bz#2042820]
+- kvm-ui-vnc.c-Fixed-a-deadlock-bug.patch [bz#2042820]
+- kvm-memory-Fix-incorrect-calls-of-log_global_start-stop.patch [bz#2044818]
+- kvm-memory-Fix-qemu-crash-on-starting-dirty-log-twice-wi.patch [bz#2044818]
+- Resolves: bz#2042820
+  (qemu crash when try to copy and paste contents from client to VM)
+- Resolves: bz#2044818
+  (Qemu Core Dumped when migrate -> migrate_cancel -> migrate again during guest is paused)
+
 * Thu Feb 17 2022 Miroslav Rezanina <mrezanin@redhat.com> - 6.2.0-9
 - kvm-block-Lock-AioContext-for-drain_end-in-blockdev-reop.patch [bz#2046659]
 - kvm-iotests-Test-blockdev-reopen-with-iothreads-and-thro.patch [bz#2046659]