Hide Forgot
Description of problem: When using VNC with TLS and websockets, QEMU will crash when the client connects https://bugs.launchpad.net/qemu/+bug/1589923 This is a regression vs 2.4.0 and fixed in commit bc35d51077b33e68a0ab10a057f352747214223f Author: Daniel P. Berrange <berrange> Date: Tue Jun 7 12:27:51 2016 +0100 io: remove mistaken call to object_ref on QTask The QTask struct is just a standalone struct, not a QOM Object, so calling object_ref() on it is not appropriate. This results in mangling the 'destroy' field in the QTask struct, causing the later call to qtask_free() to try to call the function at address 0x1, with predictably segfault happy results. There is in fact no need for ref counting with QTask, as the call to qtask_abort() or qtask_complete() will automatically free associated memory. This fixes the crash shown in https://bugs.launchpad.net/qemu/+bug/1589923 Reviewed-by: Eric Blake <eblake> Signed-off-by: Daniel P. Berrange <berrange> Version-Release number of selected component (if applicable): qemu-kvm-rhev-2.6.0-22.el7 How reproducible: Always Steps to Reproduce: 1. Run QEMU with websockets + TLS eg $ qemu-system-x86_64 -vnc 0.0.0.0:1,tls,x509=/etc/pki/qemu,websocket=5701 2. Connect with the noVNC client with TLS enabled Actual results: QEMU crashes Expected results: Connection completes Additional info:
Fix included in qemu-kvm-rhev-2.6.0-26.el7
NB you can actually trigger the crash without TLS too. eg with just $QEMU -vnc 127.0.0.1:0,websocket=5902,password If you are trying to trigger the crash with TLS, then you need to make sure to import the CA certificate used by QEMU into the web browser CA store, otherwise firefox will drop the connection before triggering the crash due to invalid CA.
Reproduce this issue against qemu-kvm-rhev-2.6.0-25.el7.x86_64. Steps: 1. boot qemu by: /usr/libexec/qemu-kvm -vnc :1,websocket=5701 2. Download noVNC and lauch websocket server by: ./utils/launch.sh, follow the onVNC prompt, browse http://dhcp-9-154.nay.redhat.com:6080/vnc.html?host=dhcp-9-154.nay.redhat.com&port=5701 from firefox or chrome Results: After step 2, qemu crash with backtrace: #0 0x0000000000000001 in ?? () #1 0x00007f96fdc731d3 in qio_task_free (task=0x7f97021675a0) at io/task.c:58 #2 0x00007f96fdc732da in qio_task_complete (task=<optimized out>) at io/task.c:145 #3 0x00007f96fdc72fb1 in qio_channel_websock_handshake_send ( ioc=0x7f9701bdbce0, condition=<optimized out>, user_data=0x7f97021675a0) at io/channel-websock.c:289 #4 0x00007f96f4a08d7a in g_main_context_dispatch () from /lib64/libglib-2.0.so.0 #5 0x00007f96fdc119e0 in glib_pollfds_poll () at main-loop.c:213 #6 os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:258 #7 main_loop_wait (nonblocking=<optimized out>) at main-loop.c:506 #8 0x00007f96fd9df70f in main_loop () at vl.c:1936 #9 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4692 Verify against qemu-kvm-rhev-2.6.0-26.el7.x86_64, after step 2, no qemu crash happen, and noVNC connect to websocket of qemu
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2673.html