- Desktop
- Enterprise
- Gaming
- Graphics
- Hardware
- Linux Kernel
- Multimedia
- Operating Systems
- Programming
- System Internals
- All Projects
- Latest News
- fate/iamf: add a demux text
- pg_combinebackup: Add --version to --help output
- PostgreSQL: Support SSL_R_VERSION_TOO_LOW when using LibreSSL
- avcodec/mediacodecenc: Add global header support
- tdf#159660: also add normal blend filter
- Linux Kernel: Linux 6.9-rc5
- WINE: Release 9.7.
- Sync psm/evdev/atkbd with FreeBSD
- Latest News (cont.)
- lavfi: Add pad_vaapi filter
- lavfi: Add drawbox_vaapi filter
- Linux Kernel: Linux 6.9-rc4
- Embind: support .implement()-based JS UNO objects
- tdf#33603: sd: rework notes panel
- xwayland: Add SourceValidate hook
- UPower: Release 1.90.4
- timezone: sync to TZDB 2024a
- Linux Kernel: Linux 6.9-rc3
- Optimize pg_popcount() with AVX-512 instructions
- Enhance nbtree ScalarArrayOp execution
Featured content is also available via:
spicevmc: Drop unsent data on client disconnection
Enterprise / Virtualization / SPICE - Christophe Fergeau [redhat.com] - 13 January 2016 04:45 UTC
When redirecting a USB webcam over a slow link, it's currently possible to hit an assertion in spice-server by running cheese (application using the webcam), killing the client with ctrl+c and then restarting the client: qemu-kvm: spicevmc.c:324: spicevmc_red_channel_alloc_msg_rcv_buf: Assertion `!state->recv_from_client_buf' failed.
This happens when red_peer_handle_incoming tries to allocate memory for a message using spicevmc: handler->msg = handler->cb->alloc_msg_buf(handler->opaque, msg_type, msg_size);
red_peer_handle_incoming() is called when there is client data to be read, and does- call alloc_msg_buf() to allocate memory for the message- read the message- if the read was partial, return early, the main loop will call again red_peer_handle_incoming() when there is more data available for that channel- parse the message- call release_msg_buf() to free the message
For channels based on spicevmc (usbredir and port), alloc_msg_buf() stores message data in SpiceVmcState::recv_from_client_buf and before allocating new memory, it asserts that it's NULL.
This is what causes this crash in the following scenario:- SpiceVmc::alloc_msg_buf() is called and allocates memory for a new message in SpiceVmcState::recv_from_client_buf- red_peer_handle_incoming() returns early as all the spicevmc message data hasn't been received yet- the client gets killed- the main channel notices the disconnect and calls main_dispatcher_client_disconnect() which will disconnect all the channels- SpiceVmc::on_disconnect is called- after the new client connects, SpiceVmc::alloc_msg_buf() is called, notices that SpiceVmcState::recv_from_client_buf is already set, and asserts()
This commit makes sure the partial SpiceVmcState::recv_from_client_buf data is cleared on disconnect so that the assert does not trigger.
This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1264113
9ea5348 spicevmc: Drop unsent data on client disconnection
server/spicevmc.c | 5 +++++
1 file changed, 5 insertions(+)
Upstream: cgit.freedesktop.org
Share
- Tweet