From: Juan Quintela <quintela@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Corey Minyard" <cminyard@mvista.com>,
	"Michael S. Tsirkin" <mst@redhat.com>,
	"Jason Wang" <jasowang@redhat.com>,
	"Jiahui Cen" <cenjiahui@huawei.com>,
	"Juan Quintela" <quintela@redhat.com>,
	"Peter Maydell" <peter.maydell@linaro.org>,
	"Ying Fang" <fangying1@huawei.com>,
	"Marc-André Lureau" <marcandre.lureau@redhat.com>,
	"Richard Henderson" <rth@twiddle.net>,
	"Laurent Vivier" <lvivier@redhat.com>,
	"Thomas Huth" <thuth@redhat.com>,
	"Eduardo Habkost" <ehabkost@redhat.com>,
	"Stefan Weil" <sw@weilnetz.de>,
	"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
	qemu-arm@nongnu.org, "David Gibson" <david@gibson.dropbear.id.au>,
	"Daniel P. Berrangé" <berrange@redhat.com>,
	qemu-ppc@nongnu.org, "Paolo Bonzini" <pbonzini@redhat.com>,
	"Stefan Berger" <stefanb@linux.ibm.com>
Subject: [PULL 24/29] migration/multifd: fix destroyed mutex access in terminating multifd threads
Date: Tue, 14 Jan 2020 10:26:01 +0100
Message-ID: <20200114092606.1761-25-quintela@redhat.com>
In-Reply-To: <20200114092606.1761-1-quintela@redhat.com>

From: Jiahui Cen <cenjiahui@huawei.com>

One multifd will lock all the other multifds' IOChannel mutex to inform them
to quit by setting p->quit or shutting down p->c. In this scenario, if some
multifds had already been terminated and multifd_load_cleanup/multifd_save_cleanup
had destroyed their mutex, it could cause destroyed mutex access when trying
to lock their mutex.

Here is the coredump stack:
    #0  0x00007f81a2794437 in raise () from /usr/lib64/libc.so.6
    #1  0x00007f81a2795b28 in abort () from /usr/lib64/libc.so.6
    #2  0x00007f81a278d1b6 in __assert_fail_base () from /usr/lib64/libc.so.6
    #3  0x00007f81a278d262 in __assert_fail () from /usr/lib64/libc.so.6
    #4  0x000055eb1bfadbd3 in qemu_mutex_lock_impl (mutex=0x55eb1e2d1988, file=<optimized out>, line=<optimized out>) at util/qemu-thread-posix.c:64
    #5  0x000055eb1bb4564a in multifd_send_terminate_threads (err=<optimized out>) at migration/ram.c:1015
    #6  0x000055eb1bb4bb7f in multifd_send_thread (opaque=0x55eb1e2d19f8) at migration/ram.c:1171
    #7  0x000055eb1bfad628 in qemu_thread_start (args=0x55eb1e170450) at util/qemu-thread-posix.c:502
    #8  0x00007f81a2b36df5 in start_thread () from /usr/lib64/libpthread.so.0
    #9  0x00007f81a286048d in clone () from /usr/lib64/libc.so.6

To fix it up, let's destroy the mutex after all the other multifd threads have
been terminated.

Signed-off-by: Jiahui Cen <cenjiahui@huawei.com>
Signed-off-by: Ying Fang <fangying1@huawei.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
---
 migration/ram.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/migration/ram.c b/migration/ram.c
index 278b2ff87a..7221f54139 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -1053,6 +1053,10 @@ void multifd_save_cleanup(void)
         if (p->running) {
             qemu_thread_join(&p->thread);
         }
+    }
+    for (i = 0; i < migrate_multifd_channels(); i++) {
+        MultiFDSendParams *p = &multifd_send_state->params[i];
+
         socket_send_channel_destroy(p->c);
         p->c = NULL;
         qemu_mutex_destroy(&p->mutex);
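Review bot: the first loop in multifd_save_cleanup still joins a thread only under `if (p->running)`, so the guarantee the new second loop relies on (no thread can take another channel's `p->mutex` once destruction starts) holds only if a thread whose `p->running` is false is already past every such lock. The visible lines do not show where `p->running` is cleared; if that can happen before the thread's last call into multifd_send_terminate_threads, the destroyed-mutex access from the backtrace in the commit message stays reachable. Worth confirming that ordering, or joining every thread that was created regardless of `p->running`.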
@@ -1336,6 +1340,10 @@ int multifd_load_cleanup(Error **errp)
             qemu_sem_post(&p->sem_sync);
             qemu_thread_join(&p->thread);
         }
+    }
+    for (i = 0; i < migrate_multifd_channels(); i++) {
+        MultiFDRecvParams *p = &multifd_recv_state->params[i];
+
         object_unref(OBJECT(p->c));
         p->c = NULL;
         qemu_mutex_destroy(&p->mutex);
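Review bot: the new second loop in multifd_load_cleanup carries no comment saying why teardown is split from the join loop, yet the fix rests entirely on that ordering. A one-line comment above `for (i = 0; i < migrate_multifd_channels(); i++)` stating that `qemu_mutex_destroy(&p->mutex)` must run only after every receive thread has been joined would keep a later cleanup from merging the two loops back together. The same comment belongs on the matching loop in multifd_save_cleanup.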
-- 
2.24.1


