memory leak in vnc tls handshaking
## Host environment
- Operating system: Linux
- OS/kernel version: 5.10
- Architecture: x86, ARM
- QEMU flavor: qemu-system-x86_64, qemu-aarch64
- QEMU version: 6.2
- QEMU command line:
```
./qemu-system-x86_64 -name qemu_vm -machine pc-i440fx-6.2,accel=kvm,usb=off -cpu host -smp 4 -m 4G -device nec-usb-xhci -device usb-kbd -device usb-tablet -device usb-storage,drive=install -device virtio-balloon -drive if=none,id=install,format=raw,file=/Images/TestImg -device virtio-gpu-pci -qmp unix:/tmp/qmp.sock,server,nowait -serial stdio -object '{"qom-type":"tls-creds-x509","id":"vnc-tls-creds0","dir":"/etc/pki/libvirt-vnc","endpoint":"server","verify-peer":true}' -vnc 0.0.0.0:0,tls-creds=vnc-tls-creds0 -device VGA,id=video0,vgamem_mb=16,bus=pci.0,addr=0x6 -D /tmp/log
```
## Emulated/Virtualized environment
- Operating system: CentOS 8.2
- OS/kernel version: 4.18.0-193.el8.x86_64
- Architecture: x86, ARM
## Description of problem
When QEMU performs a TLS handshake for VNC, qio_channel_tls_handshake_task sets up a watch on vs->sioc. If the number of concurrent VNC connections exceeds the limit QEMU allows, vnc_connect walks every connection whose share mode is VNC_SHARE_MODE_CONNECTING and disconnects the first one. If that connection has not yet reached qio_channel_tls_handshake_io, the data pointer allocated in qio_channel_tls_handshake_task is never freed, which in turn leaks the task and the pointers it owns.
## Steps to reproduce
To make it easier to reproduce the issue:
1. Change the condition in qio_channel_tls_handshake_task to a special value (for example, G_IO_PRI).
2. Change vd->connections_limit to a smaller value (such as 2) in vnc_connect.
3. Configure QEMU with `--enable-sanitizers` before building.
4. Use the compiled qemu binary to create a virtual machine and continuously connect to it via VNC TLS.
5. Shut down the virtual machine and check the logs.
Reported by my colleague: jiangyegen@h-partners.com
## Additional information
The connection count verification and disconnection logic in vnc_connect comes from this commit: https://github.com/qemu/qemu/commit/e5f34cdd2da54f28d90889a3afd15fad2d6105ff
Its description states that the purpose of the change is to refuse new connections once the number of concurrent connections reaches the limit, but the code actually disconnects other, already-accepted connections, which indirectly led to this memory leak.
I tried removing the QTAILQ_FOREACH, disconnecting only the current connection when the connection limit is reached. It seems that memory leaks will no longer be triggered, but I'm not sure if there will be other issues.
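As an added illustration of the lifecycle described in the problem description and in the note above (constructed for this report, not QEMU code; all names are hypothetical), the C model below reproduces the ownership pattern: handshake callback data that only the pending I/O watch knows how to release, and a connection-limit eviction that tears down a still-connecting client before that watch fires. `simulate()` returns how many callback-data objects remain allocated, once with the leaky teardown and once with a teardown that releases pending watch data on disconnect.

```c
#include <stdlib.h>
/* Constructed model of the lifecycle in the report; the names are hypothetical, not QEMU's API. */
typedef struct HandshakeData { char *task; } HandshakeData;
typedef struct Conn { int connecting; HandshakeData *watch_data; } Conn;
static int live_handshake_data;   /* outstanding allocations, as LeakSanitizer would count them */

/* Models qio_channel_tls_handshake_task: allocate callback data and hand it to an I/O watch. */
static void start_handshake(Conn *c)
{
    HandshakeData *d = calloc(1, sizeof *d);
    d->task = malloc(64);
    live_handshake_data++;
    c->watch_data = d;            /* from here on, only the watch callback releases d */
    c->connecting = 1;
}

/* Models qio_channel_tls_handshake_io firing: the callback consumes and frees its data. */
static void handshake_io(Conn *c)
{
    HandshakeData *d = c->watch_data;
    if (!d) return;
    c->watch_data = NULL;
    free(d->task); free(d);
    live_handshake_data--;
}
/* Teardown as the report describes it: the connection goes away, the watch data is orphaned. */
static void disconnect_leaky(Conn *c) { c->connecting = 0; c->watch_data = NULL; }

/* Hardened teardown: whoever tears down a still-connecting client releases its pending data. */
static void disconnect_fixed(Conn *c) { handshake_io(c); c->connecting = 0; }

/* Step 4 of the reproduction: clients arrive faster than handshakes complete, and each arrival past
 * `limit` evicts the oldest still-connecting client instead of being refused (the vnc_connect
 * behaviour). Returns how many HandshakeData objects are still allocated once every client is done. */
static int simulate(int clients, int limit, void (*disconnect)(Conn *))
{
    Conn *conns = calloc(clients, sizeof *conns);
    int active = 0;
    live_handshake_data = 0;
    for (int i = 0; i < clients; i++) {
        if (active >= limit)
            for (int j = 0; j < i; j++)
                if (conns[j].connecting) { disconnect(&conns[j]); active--; break; }
        start_handshake(&conns[i]);
        active++;
    }
    for (int i = 0; i < clients; i++) handshake_io(&conns[i]);  /* survivors finish handshaking */
    free(conns);
    return live_handshake_data;
}
```

With 10 clients and a limit of 2, the leaky teardown leaves 8 objects allocated (one per evicted client), while the fixed teardown leaves none.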