The list of commands it uses seems fine to me: (gdb) p *((struct QmpCommand *) 0x556ede077d30) $50 = {name = 0x556edcfe460c "guest-sync-delimited", fn = 0x556edcfbe2b0 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede077d70, tqe_circ = { tql_next = 0x556ede077d70, tql_prev = 0x556edd002e00 }}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede077d70) $51 = {name = 0x556edcfe4601 "guest-sync", fn = 0x556edcfbe400 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede077db0, tqe_circ = {tql_next = 0x556ede077db0, tql_prev = 0x556ede077d48}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede077db0) $52 = {name = 0x556edcfe4331 "guest-ping", fn = 0x556edcfc1850 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede077df0, tqe_circ = {tql_next = 0x556ede077df0, tql_prev = 0x556ede077d88}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede077df0) $53 = {name = 0x556edcfe7122 "guest-get-time", fn = 0x556edcfbe550 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede077e30, tqe_circ = { tql_next = 0x556ede077e30, tql_prev = 0x556ede077dc8}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede077e30) $54 = {name = 0x556edcfe7131 "guest-set-time", fn = 0x556edcfbe6b0 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede077e70, tqe_circ = { tql_next = 0x556ede077e70, tql_prev = 0x556ede077e08}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede077e70) $55 = {name = 0x556edcfe4326 "guest-info", fn = 0x556edcfbe7e0 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede077eb0, tqe_circ = {tql_next = 0x556ede077eb0, tql_prev = 0x556ede077e48}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede077eb0) $56 = {name = 0x556edcfe7140 "guest-shutdown", fn = 0x556edcfbe9f0 , options = QCO_NO_SUCCESS_RESP, node = {tqe_next = 0x556ede077ef0, tqe_circ = { tql_next = 0x556ede077ef0, tql_prev = 0x556ede077e88}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede077ef0) $57 = {name = 0x556edcfe714f "guest-file-open", fn = 
0x556edcfbeb20 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede077f30, tqe_circ = { tql_next = 0x556ede077f30, tql_prev = 0x556ede077ec8}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede077f30) $58 = {name = 0x556edcfe715f "guest-file-close", fn = 0x556edcfbec90 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede077f70, tqe_circ = { tql_next = 0x556ede077f70, tql_prev = 0x556ede077f08}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede077f70) $59 = {name = 0x556edcfe7170 "guest-file-read", fn = 0x556edcfbedc0 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede077fb0, tqe_circ = { tql_next = 0x556ede077fb0, tql_prev = 0x556ede077f48}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede077fb0) $60 = {name = 0x556edcfe7180 "guest-file-write", fn = 0x556edcfbefc0 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede077ff0, tqe_circ = { tql_next = 0x556ede077ff0, tql_prev = 0x556ede077f88}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede077ff0) $61 = {name = 0x556edcfe7191 "guest-file-seek", fn = 0x556edcfbf1c0 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede078030, tqe_circ = { tql_next = 0x556ede078030, tql_prev = 0x556ede077fc8}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede078030) $62 = {name = 0x556edcfe71a1 "guest-file-flush", fn = 0x556edcfbf3c0 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede078070, tqe_circ = { tql_next = 0x556ede078070, tql_prev = 0x556ede078008}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede078070) $63 = {name = 0x556edcfe4621 "guest-fsfreeze-status", fn = 0x556edcfbf4f0 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede0780b0, tqe_circ = { tql_next = 0x556ede0780b0, tql_prev = 0x556ede078048}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede0780b0) $64 = {name = 0x556edcfe71b2 "guest-fsfreeze-freeze", fn = 0x556edcfbf700 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede0780f0, tqe_circ = { tql_next = 0x556ede0780f0, tql_prev = 
0x556ede078088}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede0780f0) $65 = {name = 0x556edcfe71c8 "guest-fsfreeze-freeze-list", fn = 0x556edcfbf860 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede078130, tqe_circ = {tql_next = 0x556ede078130, tql_prev = 0x556ede0780c8}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede078130) $66 = {name = 0x556edcfe4637 "guest-fsfreeze-thaw", fn = 0x556edcfbf9c0 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede078170, tqe_circ = { tql_next = 0x556ede078170, tql_prev = 0x556ede078108}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede078170) $67 = {name = 0x556edcfe71e3 "guest-fstrim", fn = 0x556edcfbfb20 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede0781b0, tqe_circ = { tql_next = 0x556ede0781b0, tql_prev = 0x556ede078148}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede0781b0) $68 = {name = 0x556edcfe71f0 "guest-suspend-disk", fn = 0x556edcfc1930 , options = QCO_NO_SUCCESS_RESP, node = {tqe_next = 0x556ede0781f0, tqe_circ = { tql_next = 0x556ede0781f0, tql_prev = 0x556ede078188}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede0781f0) $69 = {name = 0x556edcfe7203 "guest-suspend-ram", fn = 0x556edcfc1a10 , options = QCO_NO_SUCCESS_RESP, node = {tqe_next = 0x556ede078230, tqe_circ = { tql_next = 0x556ede078230, tql_prev = 0x556ede0781c8}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede078230) $70 = {name = 0x556edcfe7215 "guest-suspend-hybrid", fn = 0x556edcfc1af0 , options = QCO_NO_SUCCESS_RESP, node = {tqe_next = 0x556ede078270, tqe_circ = { tql_next = 0x556ede078270, tql_prev = 0x556ede078208}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede078270) $71 = {name = 0x556edcfe722a "guest-network-get-interfaces", fn = 0x556edcfbfd10 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede0782b0, tqe_circ = {tql_next = 0x556ede0782b0, tql_prev = 0x556ede078248}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede0782b0) $72 = {name = 
0x556edcfe7247 "guest-get-vcpus", fn = 0x556edcfbff20 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede0782f0, tqe_circ = { tql_next = 0x556ede0782f0, tql_prev = 0x556ede078288}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede0782f0) $73 = {name = 0x556edcfe7257 "guest-set-vcpus", fn = 0x556edcfc0130 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede078330, tqe_circ = { tql_next = 0x556ede078330, tql_prev = 0x556ede0782c8}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede078330) $74 = {name = 0x556edcfe7267 "guest-get-fsinfo", fn = 0x556edcfc0280 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede078370, tqe_circ = { tql_next = 0x556ede078370, tql_prev = 0x556ede078308}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede078370) $75 = {name = 0x556edcfe7278 "guest-set-user-password", fn = 0x556edcfc0490 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede0783b0, tqe_circ = { tql_next = 0x556ede0783b0, tql_prev = 0x556ede078348}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede0783b0) $76 = {name = 0x556edcfe7290 "guest-get-memory-blocks", fn = 0x556edcfc05d0 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede0783f0, tqe_circ = { tql_next = 0x556ede0783f0, tql_prev = 0x556ede078388}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede0783f0) $77 = {name = 0x556edcfe72a8 "guest-set-memory-blocks", fn = 0x556edcfc07e0 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede078430, tqe_circ = { tql_next = 0x556ede078430, tql_prev = 0x556ede0783c8}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede078430) $78 = {name = 0x556edcfe72c0 "guest-get-memory-block-info", fn = 0x556edcfc09c0 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede078470, tqe_circ = {tql_next = 0x556ede078470, tql_prev = 0x556ede078408}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede078470) $79 = {name = 0x556edcfe72dc "guest-exec-status", fn = 0x556edcfc0bd0 , options = QCO_NO_OPTIONS, node = {tqe_next = 
0x556ede0784b0, tqe_circ = { tql_next = 0x556ede0784b0, tql_prev = 0x556ede078448}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede0784b0) $80 = {name = 0x556edcfe72ee "guest-exec", fn = 0x556edcfc0db0 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede0784f0, tqe_circ = {tql_next = 0x556ede0784f0, tql_prev = 0x556ede078488}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede0784f0) $81 = {name = 0x556edcfe72f9 "guest-get-host-name", fn = 0x556edcfc0fe0 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede078530, tqe_circ = { tql_next = 0x556ede078530, tql_prev = 0x556ede0784c8}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede078530) $82 = {name = 0x556edcfe730d "guest-get-users", fn = 0x556edcfc11f0 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede078570, tqe_circ = { tql_next = 0x556ede078570, tql_prev = 0x556ede078508}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede078570) $83 = {name = 0x556edcfe731d "guest-get-timezone", fn = 0x556edcfc1400 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x556ede0785b0, tqe_circ = { tql_next = 0x556ede0785b0, tql_prev = 0x556ede078548}}, enabled = true} (gdb) p *((struct QmpCommand *) 0x556ede0785b0) $84 = {name = 0x556edcfe7330 "guest-get-osinfo", fn = 0x556edcfc1610 , options = QCO_NO_OPTIONS, node = {tqe_next = 0x0, tqe_circ = {tql_next = 0x0, tql_prev = 0x556ede078588}}, enabled = true}

The walk ends at guest-get-osinfo with tqe_next = 0x0 and every entry shows enabled = true, so the list itself looks well-formed. Hmm, we can see where this is happening, but I can't act on it yet (hardening it as suggested above would only mitigate the immediate crash, not resolve what fails or why). Waiting to hear about reproducibility and whether it can be re-triggered with anything.