Bug 881980 - agent disconnection while agent data is sent to it from the client, can result in client disconnection or server crash
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: spice-server
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Yonit Halperin
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks: 886216
Reported: 2012-11-29 22:16 UTC by Yonit Halperin
Modified: 2013-07-03 12:16 UTC

Fixed In Version: spice-server-0.12.0-7.el6
Doc Type: Bug Fix
Doc Text:
It may happen that after a spice-vdagent disconnects from the server, messages from the client to the agent are received by the server. These messages were mishandled and sometimes even caused spice-server to crash. This is fixed by dropping such messages.
Clone Of:
Environment:
Last Closed: 2013-02-21 10:04:04 UTC
Target Upstream Version:




Links
Red Hat Product Errata RHBA-2013:0529 (priority: normal, status: SHIPPED_LIVE): spice-server bug fix and enhancement update, last updated 2013-02-20 21:51:04 UTC

Description Yonit Halperin 2012-11-29 22:16:58 UTC
Description of problem:

upstream bug: https://bugs.freedesktop.org/show_bug.cgi?id=55726

When the client sends data to the guest agent, if the agent gets disconnected and the client manages to send more data addressed to the agent (before it receives the AGENT_DISCONNECTED msg), the server will disconnect the client with the following log msg:
red_peer_handle_incoming: ERROR: channel refused to allocate buffer

Moreover, in case the agent got reconnected and only then receives the msgs that were sent from the client to the old instance of the agent, a crash occurs:

reds.c:3636:spice_server_char_device_remove_interface: remove CHAR_DEVICE vdagent
(/usr/bin/gdb:4522): Spice-Debug **: char_device.c:127:spice_char_device_client_send_queue_free: send_queue_empty 1
(/usr/bin/gdb:4522): Spice-Debug **: char_device.c:154:spice_char_device_client_free: write_queue_is_empty 1
(/usr/bin/gdb:4522): SpiceWorker-Info **: red_worker.c:11516:handle_dev_set_mouse_mode: mouse mode 1
(/usr/bin/gdb:4522): Spice-Info **: reds.c:3598:spice_server_char_device_add_interface: CHAR_DEVICE vdagent
attach_to_red_agent: mig data ptr (nil)
(/usr/bin/gdb:4522): Spice-Debug **: char_device.c:651:spice_char_device_state_create: sin 0xd24798 dev_state 0x7ffff0020010
(/usr/bin/gdb:4522): Spice-Debug **: reds.c:3478:attach_to_red_agent: call spice_char_device_state_create
(/usr/bin/gdb:4522): Spice-Debug **: char_device.c:784:spice_char_device_start: dev_state 0x7ffff0020010
__spice_char_device_write_buffer_get: client not found: dev 0x7ffff0020010 client 0x1369df0
[New Thread 0x7ffff56ef700 (LWP 4560)]
[New Thread 0x7ffff4c8d700 (LWP 4561)]

Program received signal SIGSEGV, Segmentation fault.
reds_get_agent_data_buffer (mcc=0x16be7f0, size=48) at reds.c:1009
warning: Source file is more recent than executable.
1009	    return dev_state->recv_from_client_buf->buf + sizeof(VDIChunkHeader);
Missing separate debuginfos, use: debuginfo-install SDL-1.2.14-16.fc17.x86_64 celt051-0.5.1.3-4.fc17.x86_64 cyrus-sasl-gssapi-2.1.23-31.fc17.x86_64 cyrus-sasl-lib-2.1.23-31.fc17.x86_64 cyrus-sasl-md5-2.1.23-31.fc17.x86_64 cyrus-sasl-plain-2.1.23-31.fc17.x86_64 glib2-2.32.4-2.fc17.x86_64 glibc-2.15-57.fc17.x86_64 gnutls-2.12.17-1.fc17.x86_64 keyutils-libs-1.5.5-2.fc17.x86_64 krb5-libs-1.10.2-6.fc17.x86_64 libX11-1.5.0-2.fc17.x86_64 libXau-1.0.6-3.fc17.x86_64 libcom_err-1.42.3-3.fc17.x86_64 libcurl-7.24.0-5.fc17.x86_64 libdb-5.2.36-5.fc17.x86_64 libgcc-4.7.2-2.fc17.x86_64 libgcrypt-1.5.0-3.fc17.x86_64 libgpg-error-1.10-2.fc17.x86_64 libidn-1.24-1.fc17.x86_64 libjpeg-turbo-1.2.1-1.fc17.x86_64 libselinux-2.1.10-3.fc17.x86_64 libssh2-1.4.1-2.fc17.x86_64 libtasn1-2.12-1.fc17.x86_64 libuuid-2.21.2-2.fc17.x86_64 libxcb-1.9-1.fc17.x86_64 ncurses-libs-5.9-4.20120204.fc17.x86_64 nspr-4.9.2-1.fc17.x86_64 nss-3.13.6-1.fc17.x86_64 nss-softokn-freebl-3.13.6-1.fc17.x86_64 nss-util-3.13.6-1.fc17.x86_64 openldap-2.4.33-2.fc17.x86_64 p11-kit-0.12-1.fc17.x86_64 pixman-0.24.4-2.fc17.x86_64 zlib-1.2.5-7.fc17.x86_64
(gdb) bt
#0  reds_get_agent_data_buffer (mcc=0x16be7f0, size=48) at reds.c:1009
#1  0x00007ffff7a36477 in red_peer_handle_incoming (handler=0x16c2900, stream=0x1332dc0) at red_channel.c:240
#2  red_channel_client_receive (rcc=rcc@entry=0x16be7f0) at red_channel.c:294
#3  0x00007ffff7a38b3c in red_channel_client_event (fd=, event=, data=0x16be7f0) at red_channel.c:1206
#4  0x00000000004129bf in main_loop_wait (timeout=timeout@entry=1000) at /home/yonit/projects/redhat/qemu/vl.c:3975
#5  0x0000000000430612 in kvm_main_loop () at /home/yonit/projects/redhat/qemu/qemu-kvm.c:2244
#6  0x000000000040c033 in main_loop () at /home/yonit/projects/redhat/qemu/vl.c:4187
#7  main (argc=, argv=, envp=) at /home/yonit/projects/redhat/qemu/vl.c:6524



Steps to Reproduce:
1. Copy a large amount of data from the client to the guest (e.g., 4M of text).
2. Reboot the guest while the copying is ongoing.

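The following is an added, constructed model of the server-side handling this report describes; it is not spice-server code and the names (AgentDevState, write_buffer_get, handle_agent_data, the CHUNK_HDR and MAX_CHUNK sizes) are assumptions chosen to mirror the log and stack trace above. It shows the hardened behaviour the Doc Text calls for: agent data that arrives after the agent has gone away, or that belongs to an old agent instance the new dev_state does not know the client from, is dropped rather than refused (which disconnects the client) or written through a NULL buffer pointer (the SIGSEGV at reds.c:1009). The replay function walks the reproduction steps: stream, agent detach on guest reboot, reattach, stale chunks arriving.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_HDR 8    /* stand-in for sizeof(VDIChunkHeader); constructed value */
#define MAX_CHUNK 64   /* constructed per-chunk payload limit */
#define QUEUE_LEN 8    /* constructed write-queue depth */

typedef struct { uint8_t data[CHUNK_HDR + MAX_CHUNK]; } WriteBuf;

/* Per-agent-instance state (constructed). A fresh instance is created when the
 * agent reconnects, and a client must be (re)registered with it before it gets
 * write buffers; until then the lookup behaves like "client not found" in the log. */
typedef struct {
    int      instance_id;
    int      registered_client;   /* client id this instance knows, or -1 */
    WriteBuf pool[QUEUE_LEN];
    int      queued;              /* chunks waiting to be written to the agent */
} AgentDevState;

typedef struct {
    AgentDevState *dev_state;     /* NULL while no agent is attached */
    AgentDevState  storage;
    int            next_instance;
} Server;

typedef enum {
    AGENT_DELIVERED,
    AGENT_DROPPED_NO_AGENT,        /* agent disconnected; message silently dropped */
    AGENT_DROPPED_UNKNOWN_CLIENT,  /* stale data for an old agent instance; dropped */
    AGENT_REFUSED                  /* genuine protocol violation; refuse the buffer */
} Disposition;

/* Returns NULL when this instance has no buffer for the client (unknown client
 * or full queue). The crash in the report comes from dereferencing exactly such
 * a NULL result without checking it. */
static WriteBuf *write_buffer_get(AgentDevState *ds, int client_id) {
    if (ds->registered_client != client_id) return NULL;
    if (ds->queued >= QUEUE_LEN) return NULL;
    return &ds->pool[ds->queued];
}

/* Hardened receive path: only a malformed chunk is refused; anything the agent
 * can no longer accept is dropped while the client connection is kept alive. */
static Disposition handle_agent_data(Server *srv, int client_id,
                                     const uint8_t *payload, size_t len) {
    if (len > MAX_CHUNK) return AGENT_REFUSED;
    if (srv->dev_state == NULL) return AGENT_DROPPED_NO_AGENT;
    WriteBuf *wb = write_buffer_get(srv->dev_state, client_id);
    if (wb == NULL) return AGENT_DROPPED_UNKNOWN_CLIENT;   /* the former NULL deref */
    memset(wb->data, 0, CHUNK_HDR);                        /* chunk header placeholder */
    memcpy(wb->data + CHUNK_HDR, payload, len);
    srv->dev_state->queued++;
    return AGENT_DELIVERED;
}

static void agent_detach(Server *srv) { srv->dev_state = NULL; }

static void agent_attach(Server *srv) {
    memset(&srv->storage, 0, sizeof srv->storage);
    srv->storage.instance_id = srv->next_instance++;
    srv->storage.registered_client = -1;   /* nobody re-registered yet */
    srv->dev_state = &srv->storage;
}

static void agent_register_client(Server *srv, int client_id) {
    if (srv->dev_state) srv->dev_state->registered_client = client_id;
}

/* Replays the reproduction steps: deliver, detach mid-stream, stale chunk,
 * reattach with the client not yet re-registered, stale chunk again, re-register,
 * deliver, then an oversized chunk. Returns the number of chunks delivered (2). */
static Disposition g_steps[5];

static Disposition scenario_step(int i) { return g_steps[i]; }

static int replay_reboot_scenario(void) {
    Server srv = {0};
    const uint8_t chunk[] = "clipboard-text";   /* constructed payload */
    uint8_t big[MAX_CHUNK + 1] = {0};           /* constructed oversized payload */
    int client = 7;
    agent_attach(&srv);
    agent_register_client(&srv, client);
    g_steps[0] = handle_agent_data(&srv, client, chunk, sizeof chunk);
    agent_detach(&srv);                          /* guest reboot takes the agent away */
    g_steps[1] = handle_agent_data(&srv, client, chunk, sizeof chunk);
    agent_attach(&srv);                          /* new instance, client unknown to it */
    g_steps[2] = handle_agent_data(&srv, client, chunk, sizeof chunk);
    agent_register_client(&srv, client);
    g_steps[3] = handle_agent_data(&srv, client, chunk, sizeof chunk);
    g_steps[4] = handle_agent_data(&srv, client, big, sizeof big);
    int delivered = 0;
    for (int i = 0; i < 5; i++) delivered += (g_steps[i] == AGENT_DELIVERED);
    return delivered;
}

int main(void) {
    printf("delivered=%d\n", replay_reboot_scenario());
    for (int i = 0; i < 5; i++) printf("step %d -> %d\n", i, scenario_step(i));
    return 0;
}
```

The point of the disposition enum is that "refuse the buffer" is reserved for input the protocol itself forbids; a missing or replaced agent is a server-side state change the client cannot know about yet, so it is never a reason to drop the client connection.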
Comment 4 errata-xmlrpc 2013-02-21 10:04:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0529.html