During seamless migration, after switching host, if a client was connected
during the migration, it will have data to send back to the new
qemu/spice-server instance. This is handled through MIGRATE_DATA messages.
SPICE char devices use such MIGRATE_DATA messages to restore their state.
However, the MIGRATE_DATA message can arrive any time after the new qemu
instance has started, this can happen before or after the SPICE char
devices have been created. In order to handle this, if the migrate data
arrives early, it's stored in reds->agent_state.mig_data, and
attach_to_red_agent() will restore the agent state as appropriate.
Unfortunately this does not work as expected, for main
channel (agent messages).
If attach_to_red_agent() is called before the MIGRATE_DATA
message reaches the server, all goes well,
but if MIGRATE_DATA reaches the server before
attach_to_red_agent() gets called, then some assert() gets
triggered in spice_char_device_state_restore():
((null):32507): Spice-ERROR **: char_device.c:937:spice_char_device_state_restore: assertion `dev->num_clients == 1 && dev->wait_for_migrate_data' failed
Thread 3 (Thread 0x7f406b543700 (LWP 32543)):
Thread 2 (Thread 0x7f40697ff700 (LWP 32586)):
Thread 1 (Thread 0x7f4079b45a40 (LWP 32507)):
When restoring state, a client must already be added to the
spice-char-device.
What happens is that a client is not being added to the char-device
when when MIGRATE_DATA arrives first, which leaves both
dev->num_clients and dev->wait_for_migrate_data value at 0.
This commit changes the logic in spice_server_char_device_add_interface(),
such that if there is migrate data pending in reds->agent_state.mig_data
but no client was added to the spice-char-device yet,
then first the client is added to the device by calling
spice_char_device_client_add(), and only then the state is restored.
=== How to Reproduce
To reproduce, add delays to the migration connection between
qmeu-kvm on the source host (SRC) and on the destination (DST).
Specifically I added a man in the middle DLY host between
migration ports from SRC to DST.
+-----+ +-----+ +-----+
| SRC |--> | DLY | --> | DST |
+-----+ +-----+ +-----+
DLY listens on port P1 (e.g. 4444) and DST listens on port
PINCOMING (e.g. 4444, from qemu-kvm '-incoming' command line option)
Precondition: make sure port P1 on DLY is accessible in iptables.
Option 1: use ssh tcp port forwarding
On DLY host run ssh:
ssh DLY:P1:DST:PINCOMING DST
Then use the following migration command (on qemu-kvm monitor):
client_migrate_info spice DST PSPICE
migrate -d tcp:DLY:P1
Option 2: Use a simple proxy program that forwards
packets from SRC to DST while adding some delays.
The program runs on DLY, listens to port D1, upon
accept connects to DST:PINCOMING and forward all
packets from DLY:D1 to DST:PINCOMING.
Then use the same migrate command as in option 1:
client_migrate_info spice DST PSPICE
migrate -d tcp:DLY:P1
=== How to Reproduce Ends
This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1035184
Based-on-a-patch-by: Christophe Fergeau <cfergeau@redhat.com>
It's possible for a buggy guest driver to pass invalid bounding box
dimensions in QXL commands, which would then cause spice-server to
segfault. This patch checks the size of the bounding box of the QXL
command right after it has been parsed.
This fixes rhbz#1135372
Caught by covscan:
spice/server/spice_bitmap_utils.c:54: var_decl: Declaring variable "n_pixel_bits" without initializer.
spice/server/spice_bitmap_utils.c:106: uninit_use: Using uninitialized value "n_pixel_bits".
In reds_send_link_ack(), lookup the channel with the same id as the link
message.
The bug was found during code review a while ago.
A reproducer bug was later reported:
https://bugzilla.redhat.com/show_bug.cgi?id=1058625
When adding Opus support, SPICE_INTERFACE_PLAYBACK_FREQ and
SPICE_INTERFACE_RECORD_FREQ in the public header 'spice.h' were changed
from 44100 to 48000.
However, this was not really useful as these constants are not used in
spice-server, but only by users of spice-server (ie QEMU).
It turns out changing these values is actually harmful. QEMU uses these
constants in 2 situations:
1. when it's a version of QEMU with this commit, but we are compiling
against older spice-server headers (before Opus support was added)
2. when it's a version of QEMU without commit 795ca114d35 which added
what is needed for Opus support
When we are in the second situation, having 48000 in the public header
will actually cause issues as spice-server will know QEMU does not
support Opus, so internally spice-server will be using a 44100 rate for
audio. However, QEMU will be using SPICE_INTERFACE_.*_FREQ and think it
should use a 48000 rate, which will cause distorsions as experienced in
bug https://bugzilla.redhat.com/show_bug.cgi?id=1129961
Reverting these constants back to 44100 will fix audio in the 'new
spice-server/old QEMU' scenario, and won't cause issues either when both
support Opus as in this case these constants are not used.
The beginning of the surface data needs to be computed correctly if the
stride is negative, otherwise, it should point already to the beginning
of the surface data. This bug seems to exists since 4a208b (0.5.2)
https://bugzilla.redhat.com/show_bug.cgi?id=1029646
Some users have been reaching this error:
snd_receive: ASSERT n failed
A misbehaving client could easily hit that condition by sending too big
messages. Instead of assert(), replace with a warning. When a message
too big to fit is received, it will simply disconnect the channel.
https://bugzilla.redhat.com/show_bug.cgi?id=962187
If mjpeg_encoder_reset_quality() is called with the same quality as currently
set, it will not reset last_enc_size but not reset num_recent_enc_frames,
violating some assumptions in _adjust_params_to_bit_rate(). To avoid aborting
the server, simply return early from this function.
Resolves: rhbz#1086820
https://bugs.freedesktop.org/show_bug.cgi?id=79246
As a developer, I maybe want to see the detail compress stat of spice, like this:
Method count orig_size(MB) enc_size(MB) enc_time(s)
QUIC 846 948.02 147.22 7.51
GLZ 2895 594.90 26.60 1.33
ZLIB GLZ 0 0.00 0.00 0.00
LZ 1 3.15 0.01 0.00
JPEG 0 0.00 0.00 0.00
JPEG-RGBA 0 0.00 0.00 0.00
----------------------------------------------------------------------------
Total 3742 1546.07 173.83 8.84
But when I uncommented the COMPRESS_STAT and COMPRESS_DEBUG in red_worker.c and make.
I got some error(in Bugzilla). This error because of some simple syntax errors.
Commit this patch to fix this issue.
Signed-off-by: Wang Qiang <wangqiang.hunan@gmail.com>
gcc's some integer type definitions are different between 32/64bit system.
This causes platform dependency problem with printf function. However,
we can avoid this problem by using PRI macros that supports platform
independent printf.
9feed69 moved the async reader code to RedsStream so that it can be used
for the SASL authentication code. In particular, it introduced a
RedsStream::async_read member which is used by the SASL authentication code
for its async operations.
However, what was not done is to remove the now redundant
RedLinkInfo::async_read field. This causes failures when using SASL
authentication as the async read error callback is getting set
on the RedLinkInfo::async_read structure, but then the SASL code is trying
to use the RedeStream::async_read structure for its async IOs, which do not
have the needed error callback set.
This commit makes use of the newly introduced reds_stream_async_read()
helper in order to make use of RedsStream::async_read.
This replaces async_read_set_error_handler() which was unused. This sets a
callback to be called when an async operation fails.
We could pass the error_handler to each reds_stream_async_read() call, but as
we will be using the same one for all async calls, it's more convenient to set it
once and for all.
AsyncRead is going to be private to reds_stream.c in one of the next
commits, and the error handler will need to be set from reds.c,
hence the move to a public RedsStream method.
Fixing this is a matter of picking the spice-common fix to generate the
(de)marshaller source files in the right place, and to adjust the compiler
flags to look for includes in the build directory as well.
There are 2 SASL-related function prototypes which are unused in the
--without-sasl case. They cause a warning, and a build failure
when using -Werror. Wrapping them in #if HAVE_SASL avoids this issue.
This can fail in fips mode for example. If we ignore the failure, we'll get
a crash:
#0 0x00007f38d63728a0 in BN_num_bits () from /lib64/libcrypto.so.10
#1 0x00007f38d639661d in RSA_size () from /lib64/libcrypto.so.10
#2 0x00007f38d7991762 in reds_handle_read_link_done () from /lib64/libspice-server.so.1
#3 0x00007f38d7990c06 in spice_server_add_client () from /lib64/libspice-server.so.1
#4 0x00007f38d7990c6a in reds_accept () from /lib64/libspice-server.so.1
#5 0x00007f38dc0d2946 in qemu_iohandler_poll (pollfds=0x7f38dedce200, ret=755449965, ret@entry=1) at iohandler.c:143
#6 0x00007f38dc0d6ea8 in main_loop_wait (nonblocking=<optimized out>) at main-loop.c:465
#7 0x00007f38dbffd7c0 in main_loop () at vl.c:1988
#8 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4357
This commit will cause the client connection to fail but qemu won't
segfault.
static void _spice_timer_set(SpiceTimer *timer, uint32_t ms, uint32_t now)
The _spice_timer_set() function takes a 32-bit integer for the "now" value.
The now value passed in however, can exceed 2^32 (it's in ms and derived
from CLOCK_MONOTONIC, which will wrap around a 32-bit integer in around 46
days).
If the now value passed in exceeds 2^32, this will mean timers are inserted
into the active list with expiry values before the current time, they will
immediately trigger, and (if they don't make themselves inactive) be
reinserted still before the current time.
This leads to an infinite loop in spice_timer_queue_cb().
https://bugzilla.redhat.com/show_bug.cgi?id=1072700
For example, with qemu, a webdav channel can be created this way:
-chardev spiceport,name=org.spice-space.webdav.0,...
And redirected to a virtio port:
-device virtserialport,...,name=org.spice-space.webdav.0
