Bug 501131 - qemu segfault when VNC client disconnects
Product: Fedora
Classification: Fedora
Component: qemu
Hardware: All, OS: Linux
Priority: medium, Severity: high
Assigned To: Mark McLoughlin
QA Contact: Fedora Extras Quality Assurance
Duplicates: 505640 508567 537903
Blocks: F11VirtTarget
Reported: 2009-05-16 16:55 EDT by Enrico Scholz
Modified: 2009-11-19 05:47 EST
Fixed In Version: 0.10.6-5.fc11
Doc Type: Bug Fix
Last Closed: 2009-09-24 01:24:12 EDT

Attachments
gdb backtrace (7.00 KB, text/plain), 2009-05-16 16:56 EDT, Enrico Scholz
qemu-vnc-segfault.patch (11.69 KB, patch), 2009-05-22 11:25 EDT, Mark McLoughlin
gdb backtrace (3.56 KB, text/plain), 2009-05-26 08:04 EDT, Enrico Scholz
gdb backtraces (100% reproducible) (3.11 KB, text/plain), 2009-05-26 08:08 EDT, Enrico Scholz
fix (7.04 KB, patch), 2009-06-16 08:17 EDT, Gerd Hoffmann

Description Enrico Scholz 2009-05-16 16:55:31 EDT
Description of problem:

I got the attached segfault when a VNC client disconnects while the guest gives out something. In the current case, I executed 'type long-textfile' in a Windoze guest (SMP, 2 cpu i686). I used the 'vinagre' VNC client and the VNC connection was tunneled through slow SSH port forwarding.

Abort seems to be caused by a double-free().

Version-Release number of selected component (if applicable):


How reproducible:

Comment 1 Enrico Scholz 2009-05-16 16:56:58 EDT
Created attachment 344297
gdb backtrace
Comment 2 Mark McLoughlin 2009-05-22 11:22:07 EDT
Thanks for the backtrace, Enrico.

I can't reproduce this, but I think I see the issue.

vnc_client_io_error() frees the VncState if there was an error.

This means that after e.g. vnc_flush() or vnc_write() are called, VncState might have been freed. There is no error return from vnc_flush() and there are lots of places we continue to use the VncState even though it may have been freed.

So, in this stack trace we may have hit an I/O error in vnc_update_client() and freed the VncState, yet vnc_copy() continues on and tries to do a vnc_flush().
Comment 3 Mark McLoughlin 2009-05-22 11:25:28 EDT
Created attachment 345104

So, this is a hacky and incomplete fix, but it will help us confirm whether we've identified the cause.

I don't think this solution is workable - it's just too difficult to audit the entire protocol handling to make sure that we correctly handle an I/O error everywhere. Instead, I think we'll probably add a ->deleted flag to VncState, set that on I/O error and only in a small fixed number of places actually handle deleting.
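
The deferred-deletion approach proposed in comment 3, as an added C example that is not QEMU's code and not part of the original thread: the error path only sets a `deleted` flag, and a single reaper frees the state. `Client`, the `client_*` functions, `sends_left` and `run_disconnect_scenario` are hypothetical names, and the I/O failure is simulated.

```c
/* Added illustration, not QEMU code. Client and client_*() are hypothetical
 * stand-ins for VncState, vnc_client_io_error(), vnc_write(), vnc_flush(). */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct Client {
    bool   deleted;     /* set on I/O error; memory stays valid until reaped */
    int    sends_left;  /* constructed fault injection: sends before failure */
    size_t out_len;
    char   out[64];
} Client;
static int frees;       /* counts real frees so a double free would show up */
/* Error path only marks the client; it never frees under the caller's feet. */
static void client_io_error(Client *c) { c->deleted = true; }
static void client_flush(Client *c) {
    if (c->deleted) return;                       /* no-op after an error */
    if (c->sends_left-- <= 0) { client_io_error(c); return; }
    c->out_len = 0;                               /* simulated successful send */
}

static void client_write(Client *c, const char *data, size_t n) {
    if (c->deleted || c->out_len + n > sizeof c->out) return;
    memcpy(c->out + c->out_len, data, n);
    c->out_len += n;
}

/* Handler with no error return to check, like the callers in the report. */
static void client_update(Client *c) {
    for (int i = 0; i < 4; i++) { client_write(c, "rect", 4); client_flush(c); }
}
/* The single place that frees, run from the main loop between events. */
static Client *client_reap(Client *c) {
    if (c && c->deleted) { free(c); frees++; return NULL; }
    return c;
}

/* Disconnect after `sends` successful sends; returns how many frees occurred. */
int run_disconnect_scenario(int sends) {
    Client *c = calloc(1, sizeof *c);
    if (!c) return -1;
    c->sends_left = sends;
    frees = 0;
    client_update(c);                  /* keeps using c after the error: still valid */
    c = client_reap(client_reap(c));   /* second reap sees NULL: no double free */
    free(c);                           /* no-op if reaped, else frees a healthy client */
    return frees;
}
int main(void) { printf("frees=%d\n", run_disconnect_scenario(2)); return 0; }
```

Building it with `-fsanitize=address` confirms that no access after the simulated error touches freed memory.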
Comment 4 Mark McLoughlin 2009-05-22 11:28:05 EDT
Enrico: when it has finished building, could you try out this scratch build:


the RPMs should wind up here:

Comment 5 Enrico Scholz 2009-05-26 08:04:37 EDT
Created attachment 345451
gdb backtrace

still there :(

Comment 6 Enrico Scholz 2009-05-26 08:08:01 EDT
Created attachment 345452
gdb backtraces (100% reproducible)

These are two backtraces which are 100% reproducible by

$ rdesktop localhost:7905
Comment 7 Mark McLoughlin 2009-06-04 09:32:40 EDT
Perhaps my test patch didn't catch all cases where this could happen - oh well, we need to fix this in a better way anyway
Comment 8 Mark McLoughlin 2009-06-04 09:36:54 EDT
Someone else reported this when running qemu on windows:

Comment 9 Bug Zapper 2009-06-09 11:57:18 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
Comment 10 Gerd Hoffmann 2009-06-16 08:17:04 EDT
Created attachment 348098

Against latest git, will send this one upstream shortly.
Comment 11 Mark McLoughlin 2009-06-16 10:54:16 EDT
*** Bug 505640 has been marked as a duplicate of this bug. ***
Comment 12 Mark McLoughlin 2009-06-17 08:05:30 EDT
Thanks Gerd - any chance you could re-base it to F-11?
Comment 13 Mark McLoughlin 2009-07-03 07:14:07 EDT
*** Bug 508567 has been marked as a duplicate of this bug. ***
Comment 14 Mark McLoughlin 2009-08-07 10:44:51 EDT
The upstream commit we need re-based to stable-0.10 is:

Comment 15 Mark McLoughlin 2009-09-07 13:33:28 EDT
0.10.7 should be released relatively soon with this backport:

Comment 16 Mark McLoughlin 2009-09-11 07:17:20 EDT
Will push this to updates-testing soon:

* Fri Sep 11 2009 Mark McLoughlin <markmc@redhat.com> - 2:0.10.6-5
- Fix vnc segfault on disconnect (#501131)
- Fix vnc screen corruption with e.g. xterm (#503156)
- Rebase vnc sasl patches on top of these two vnc fixes
Comment 17 Fedora Update System 2009-09-14 03:27:22 EDT
qemu-0.10.6-5.fc11 has been submitted as an update for Fedora 11.
Comment 18 Fedora Update System 2009-09-15 03:36:17 EDT
qemu-0.10.6-5.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update qemu'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-9542
Comment 19 Fedora Update System 2009-09-24 01:24:06 EDT
qemu-0.10.6-5.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 Mark McLoughlin 2009-11-19 05:47:41 EST
*** Bug 537903 has been marked as a duplicate of this bug. ***
