qemu/migration
Fabiano Rosas 106aa13c5b migration: Fix use-after-free of migration state object
We're currently allowing the process_incoming_migration_bh bottom-half
to run without holding a reference to the 'current_migration' object,
which leads to a segmentation fault if the BH is still live after
migration_shutdown() has dropped the last reference to
current_migration.

In my system the bug manifests as migrate_multifd() returning true
when it shouldn't and multifd_load_shutdown() calling
multifd_recv_terminate_threads() which crashes due to an uninitialized
multifd_recv_state.

Fix the issue by holding a reference to the object when scheduling the
BH and dropping it before returning from the BH. The same is already
done for the cleanup_bh at migrate_fd_cleanup_schedule().

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1969
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Link: https://lore.kernel.org/r/20240119233922.32588-2-farosas@suse.de
Signed-off-by: Peter Xu <peterx@redhat.com>
(cherry picked from commit 27eb8499ed)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-01-29 23:06:53 +03:00
..
block-dirty-bitmap.c block: Mark bdrv_filter_bs() and callers GRAPH_RDLOCK 2023-11-07 19:14:19 +01:00
block.c qemu-file: Remove _noflush from qemu_file_transferred_noflush() 2023-10-31 08:44:33 +01:00
block.h migration: disable auto-converge during bulk block migration 2017-09-27 11:27:14 +01:00
channel-block.c io: follow coroutine AioContext in qio_channel_yield() 2023-09-07 20:32:11 -05:00
channel-block.h migration: introduce a QIOChannel impl for BlockDriverState VMState 2022-06-22 19:33:43 +01:00
channel.c migration: check magic value for deciding the mapping of channels 2023-02-06 19:22:57 +01:00
channel.h migration: check magic value for deciding the mapping of channels 2023-02-06 19:22:57 +01:00
colo-failover.c migration/colo: Improve an x-colo-lost-heartbeat error message 2023-02-23 14:10:17 +01:00
colo.c qemu-file: Make qemu_fflush() return errors 2023-10-31 08:44:33 +01:00
dirtyrate.c migration/dirtyrate: use QEMU_CLOCK_HOST to report start-time 2023-10-10 08:04:12 +08:00
dirtyrate.h migration/calc-dirty-rate: millisecond-granularity period 2023-10-10 08:03:50 +08:00
exec.c migration: convert exec backend to accept MigrateAddress. 2023-11-02 11:35:04 +01:00
exec.h migration: convert exec backend to accept MigrateAddress. 2023-11-02 11:35:04 +01:00
fd.c bulk: Remove pointless QOM casts 2023-06-05 20:48:34 +02:00
fd.h migration: Fix fd protocol for incoming defer 2019-06-05 12:43:55 +02:00
file.c migration: Convert the file backend to the new QAPI syntax 2023-11-02 11:35:04 +01:00
file.h migration: Convert the file backend to the new QAPI syntax 2023-11-02 11:35:04 +01:00
global_state.c migration: never fail in global_state_store() 2023-06-02 01:03:19 +02:00
meson.build migration: file URI 2023-10-04 13:16:58 +02:00
migration-hmp-cmds.c migration: Plug memory leak on HMP migrate error path 2024-01-29 23:00:39 +03:00
migration-stats.c migration: migration_rate_limit_reset() don't need the QEMUFile 2023-10-31 08:44:33 +01:00
migration-stats.h migration: Remove transferred atomic counter 2023-10-31 08:44:33 +01:00
migration.c migration: Fix use-after-free of migration state object 2024-01-29 23:06:53 +03:00
migration.h migration: Implement MigrateChannelList to hmp migration flow. 2023-11-02 11:35:04 +01:00
multifd-zlib.c migration: spelling fixes 2023-07-25 17:13:20 +03:00
multifd-zstd.c migration: spelling fixes 2023-07-25 17:13:20 +03:00
multifd.c migration/multifd: Stop setting p->ioc before connecting 2023-11-30 09:50:10 +01:00
multifd.h multifd: Add the ramblock to MultiFDRecvParams 2023-05-10 18:48:11 +02:00
options.c migration: mode parameter 2023-11-01 16:13:58 +01:00
options.h migration: mode parameter 2023-11-01 16:13:58 +01:00
page_cache.c migration: Fix cache_init()'s "Failed to allocate" error messages 2021-02-08 11:19:51 +00:00
page_cache.h migration: Clean up signed vs. unsigned XBZRLE cache-size 2021-02-08 11:19:51 +00:00
postcopy-ram.c migration: Fix race that dest preempt thread close too early 2023-09-27 13:58:02 -04:00
postcopy-ram.h migration: Allow postcopy_ram_supported_by_host() to report err 2023-04-27 10:18:25 +02:00
qemu-file.c migration: Refactor error handling in source return path 2023-11-02 11:35:03 +01:00
qemu-file.h migration: Refactor error handling in source return path 2023-11-02 11:35:03 +01:00
ram-compress.c migration: Rename ram_compressed_pages() to compress_ram_pages() 2023-10-30 17:41:55 +01:00
ram-compress.h migration: Rename ram_compressed_pages() to compress_ram_pages() 2023-10-30 17:41:55 +01:00
ram.c migration: Unlock mutex in error case 2023-11-03 10:48:37 +01:00
ram.h migration: Change ram_dirty_bitmap_reload() retval to bool 2023-11-02 11:35:03 +01:00
rdma.c migration/rdma: define htonll/ntohll only if not predefined 2024-01-20 17:56:07 +03:00
rdma.h migration: convert rdma backend to accept MigrateAddress 2023-11-02 11:35:03 +01:00
savevm.c util/uuid: Add UUID_STR_LEN definition 2023-11-03 09:20:31 +01:00
savevm.h migration: Add .save_prepare() handler to struct SaveVMHandlers 2023-09-11 08:34:06 +02:00
socket.c migration: convert socket backend to accept MigrateAddress 2023-11-02 11:35:03 +01:00
socket.h migration: convert socket backend to accept MigrateAddress 2023-11-02 11:35:03 +01:00
target.c migration: Add migration prefix to functions in target.c 2023-09-11 08:34:06 +02:00
threadinfo.c migration/multifd: Protect accesses to migration_threads 2023-07-26 10:55:56 +02:00
threadinfo.h migration/multifd: Protect accesses to migration_threads 2023-07-26 10:55:56 +02:00
tls.c migration: Drop unused parameter for migration_tls_client_create() 2023-05-03 11:24:20 +02:00
tls.h migration: Drop unused parameter for migration_tls_client_create() 2023-05-03 11:24:20 +02:00
trace-events migration: Refactor error handling in source return path 2023-11-02 11:35:03 +01:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
vmstate-types.c Move CPU softfloat unions to cpu-float.h 2022-04-06 14:31:43 +02:00
vmstate.c qemu-file: Remove _noflush from qemu_file_transferred_noflush() 2023-10-31 08:44:33 +01:00
xbzrle.c migration/xbzrle: Use i386 host/cpuinfo.h 2023-05-23 16:51:18 -07:00
xbzrle.h migration/xbzrle: Use i386 host/cpuinfo.h 2023-05-23 16:51:18 -07:00
yank_functions.c bulk: Remove pointless QOM casts 2023-06-05 20:48:34 +02:00
yank_functions.h migration: Move the yank unregister of channel_close out 2021-07-26 12:45:03 +01:00