From: Fabiano Rosas <farosas@suse.de>
To: qemu-devel@nongnu.org
Cc: Peter Xu <peterx@redhat.com>
Subject: [PATCH 1/5] migration: Fix use-after-free of migration state object
Date: Fri, 19 Jan 2024 20:39:18 -0300 [thread overview]
Message-ID: <20240119233922.32588-2-farosas@suse.de> (raw)
In-Reply-To: <20240119233922.32588-1-farosas@suse.de>
We're currently allowing the process_incoming_migration_bh bottom-half
to run without holding a reference to the 'current_migration' object,
which leads to a segmentation fault if the BH is still live after
migration_shutdown() has dropped the last reference to
current_migration.
In my system the bug manifests as migrate_multifd() returning true
when it shouldn't and multifd_load_shutdown() calling
multifd_recv_terminate_threads() which crashes due to an uninitialized
multifd_recv_state.
Fix the issue by holding a reference to the object when scheduling the
BH and dropping it before returning from the BH. The same is already
done for the cleanup_bh at migrate_fd_cleanup_schedule().
Signed-off-by: Fabiano Rosas <farosas@suse.de>
---
migration/migration.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/migration/migration.c b/migration/migration.c
index 219447dea1..cf17b68e57 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -648,6 +648,7 @@ static void process_incoming_migration_bh(void *opaque)
MIGRATION_STATUS_COMPLETED);
qemu_bh_delete(mis->bh);
migration_incoming_state_destroy();
+ object_unref(OBJECT(migrate_get_current()));
}
static void coroutine_fn
@@ -713,6 +714,7 @@ process_incoming_migration_co(void *opaque)
}
mis->bh = qemu_bh_new(process_incoming_migration_bh, mis);
+ object_ref(OBJECT(migrate_get_current()));
qemu_bh_schedule(mis->bh);
return;
fail:
--
2.35.3
next prev parent reply other threads:[~2024-01-19 23:40 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-19 23:39 [PATCH 0/5] migration: Fix migration state reference counting Fabiano Rosas
2024-01-19 23:39 ` Fabiano Rosas [this message]
2024-01-19 23:43 ` [PATCH 1/5] migration: Fix use-after-free of migration state object Fabiano Rosas
2024-01-22 9:49 ` Peter Xu
2024-01-22 10:21 ` Peter Xu
2024-01-22 16:55 ` Fabiano Rosas
2024-01-23 1:56 ` Peter Xu
2024-01-19 23:39 ` [PATCH 2/5] migration: Take reference to migration state around bg_migration_vm_start_bh Fabiano Rosas
2024-01-19 23:39 ` [PATCH 3/5] migration: Reference migration state around loadvm_postcopy_handle_run_bh Fabiano Rosas
2024-01-19 23:39 ` [PATCH 4/5] migration: Add a wrapper to qemu_bh_schedule Fabiano Rosas
2024-01-19 23:39 ` [PATCH 5/5] migration: Centralize BH creation and dispatch Fabiano Rosas
2024-01-23 2:19 ` [PATCH 0/5] migration: Fix migration state reference counting Peter Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240119233922.32588-2-farosas@suse.de \
--to=farosas@suse.de \
--cc=peterx@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.