Red Hat Bugzilla – Bug 501131
qemu segfault when VNC client disconnects
Last modified: 2009-11-19 05:47:41 EST
Description of problem:
I got the attached segfault when a VNC client disconnects while the guest gives out something. In current case, I executed 'type long-textfile' in a Windoze guest (SMP, 2 cpu i686). I used 'vinagre' VNC client and the VNC connection was tunneled through slow SSH portforwarding.
Abort seems to be caused by a double-free().
Version-Release number of selected component (if applicable):
Created attachment 344297 [details]
Thanks for the backtrace Enrico
I can't reproduce this, but I think I see the issue
vnc_client_io_error() frees the VncState if there was an error
This means that after e.g. vnc_flush() or vnc_write() are called, VncState might have been freed. There is no error return from vnc_flush() and there are lots of places we continue to use the VncState even though it may have been freed.
So, in this stack trace we may have hit an I/O error in vnc_update_client() and freed the VncState yet vnc_copy() continues on and tries to do a vnc_flush()
Created attachment 345104 [details]
So, this is a hacky and incomplete fix, but it will help us confirm whether we've identified the cause.
I don't think this solution is workable - it's just too difficult to audit the entire protocol handling to make sure that we correctly handle an I/O error everywhere. Instead, I think we'll probably add a ->deleted flag to VncState, set that on I/O error and only in a small fixed number of places actually handle deleting.
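The ->deleted approach described above, as an added example that is not QEMU's own code: vnc_client_io_error() only marks the state, every protocol call checks the flag, and a single reap point in the main loop is the only place that frees. The struct, field names and the sock_broken stand-in for a failed socket are constructed assumptions, not the real qemu vnc.c API.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for QEMU's VncState; field names are assumptions. */
typedef struct VncState {
    char out[32];
    size_t len;
    bool sock_broken; /* simulates the client having disconnected */
    bool deleted;     /* set on I/O error; freed only in vnc_reap() */
} VncState;

/* Before the fix this did free(vs), so vnc_copy() in the backtrace kept using
 * memory that the failed flush in vnc_update_client() had already released.
 * Now it only marks the state; later calls see the flag and bail out. */
static void vnc_client_io_error(VncState *vs) {
    vs->deleted = true;
    vs->len = 0;
}

static void vnc_write(VncState *vs, const char *s) {
    size_t n = strlen(s);
    if (vs->deleted || vs->len + n > sizeof vs->out) return;
    memcpy(vs->out + vs->len, s, n);
    vs->len += n;
}

/* Returns bytes written, or -1 once the client is gone. */
static int vnc_flush(VncState *vs) {
    if (vs->deleted) return -1;
    if (vs->sock_broken) { vnc_client_io_error(vs); return -1; }
    int n = (int)vs->len;
    vs->len = 0;
    return n;
}

/* Same call sequence as the crashing path: update, flush, then copy-rect. */
static int vnc_update_then_copy(VncState *vs) {
    vnc_write(vs, "update");
    vnc_flush(vs);             /* may hit the I/O error */
    vnc_write(vs, "copyrect"); /* a no-op after an error, not a use-after-free */
    return vnc_flush(vs);
}

/* The single fixed place that frees, run from the main loop, not mid-protocol. */
static bool vnc_reap(VncState **vsp) {
    if (!*vsp || !(*vsp)->deleted) return false;
    free(*vsp); *vsp = NULL;
    return true;
}
```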
Enrico: when it finished building, could you try out this scratch build:
the RPMs should wind up here:
Created attachment 345451 [details]
still there :(
Created attachment 345452 [details]
gdb backtraces (100% reproducible)
These are two backtraces which are 100% reproducible by
$ rdesktop localhost:7905
Perhaps my test patch didn't catch all cases where this could happen - oh well, we need to fix this in a better way anyway
Someone else reported this when running qemu on windows:
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.
More information and reason for this action is here:
Created attachment 348098 [details]
Against latest git, will send this one upstream shortly.
*** Bug 505640 has been marked as a duplicate of this bug. ***
Thanks Gerd - any chance you could re-base it to F-11 ?
*** Bug 508567 has been marked as a duplicate of this bug. ***
The upstream commit we need re-based to stable-0.10 is:
0.10.7 should be released relatively soon with this backport:
Will push this to updates-testing soon:
* Fri Sep 11 2009 Mark McLoughlin <email@example.com> - 2:0.10.6-5
- Fix vnc segfault on disconnect (#501131)
- Fix vnc screen corruption with e.g. xterm (#503156)
- Rebase vnc sasl patches on top of these two vnc fixes
qemu-0.10.6-5.fc11 has been submitted as an update for Fedora 11.
qemu-0.10.6-5.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update qemu'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-9542
qemu-0.10.6-5.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 537903 has been marked as a duplicate of this bug. ***