qemu/migration
Fabiano Rosas 18c776ecf6 migration: Fix use-after-free of migration state object
We're currently allowing the process_incoming_migration_bh bottom-half
to run without holding a reference to the 'current_migration' object,
which leads to a segmentation fault if the BH is still live after
migration_shutdown() has dropped the last reference to
current_migration.

In my system the bug manifests as migrate_multifd() returning true
when it shouldn't and multifd_load_shutdown() calling
multifd_recv_terminate_threads() which crashes due to an uninitialized
multifd_recv_state.

Fix the issue by holding a reference to the object when scheduling the
BH and dropping it before returning from the BH. The same is already
done for the cleanup_bh at migrate_fd_cleanup_schedule().

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1969
Signed-off-by: Fabiano Rosas <farosas@suse.de>
Link: https://lore.kernel.org/r/20240119233922.32588-2-farosas@suse.de
Signed-off-by: Peter Xu <peterx@redhat.com>
(cherry picked from commit 27eb8499ed)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2024-01-29 23:12:15 +03:00
block-dirty-bitmap.c migration: block-dirty-bitmap: add missing qemu_mutex_lock_iothread 2021-10-05 13:10:29 +02:00
block.c block-migration: Ensure we don't crash during migration cleanup 2023-09-11 10:53:50 +03:00
block.h migration: disable auto-converge during bulk block migration 2017-09-27 11:27:14 +01:00
channel-block.c migration/channel-block: fix return value for qio_channel_block_{readv,writev} 2022-11-21 11:56:12 +01:00
channel-block.h migration: introduce a QIOChannel impl for BlockDriverState VMState 2022-06-22 19:33:43 +01:00
channel.c migration: Add helpers to detect TLS capability 2022-07-20 12:15:08 +01:00
channel.h migration: Route errors down through migration_channel_connect 2018-02-06 10:55:12 +00:00
colo-failover.c qemu/atomic.h: rename atomic_ to qatomic_ 2020-09-23 16:07:44 +01:00
colo.c migration: remove the QEMUFileOps abstraction 2022-06-23 10:18:13 +01:00
dirtyrate.c Use g_new() & friends where that makes obvious sense 2022-10-04 00:10:11 +02:00
dirtyrate.h migration/dirtyrate: Refactor dirty page rate calculation 2022-07-20 12:15:08 +01:00
exec.c migration: unify incoming processing 2018-07-10 12:48:53 +01:00
exec.h migration: Export exec.c functions in its own file 2017-06-01 18:49:22 +02:00
fd.c monitor: Use getter/setter functions for cur_mon 2020-10-09 07:08:19 +02:00
fd.h migration: Fix fd protocol for incoming defer 2019-06-05 12:43:55 +02:00
global_state.c migration: Silence compiler warning in global_state_store_running() 2020-10-02 12:28:48 +01:00
meson.build migration: remove the QEMUFileOps abstraction 2022-06-23 10:18:13 +01:00
migration.c migration: Fix use-after-free of migration state object 2024-01-29 23:12:15 +03:00
migration.h migration: Add property x-postcopy-preempt-break-huge 2022-07-20 12:15:08 +01:00
multifd-zlib.c multifd: Copy pages before compressing them with zlib 2022-07-20 12:15:08 +01:00
multifd-zstd.c multifd: recv side only needs the RAMBlock host address 2022-01-28 15:38:23 +01:00
multifd.c migration/multifd/zero-copy: Create helper function for flushing 2022-11-21 11:56:12 +01:00
multifd.h multifd: Document the locking of MultiFD{Send/Recv}Params 2022-07-20 12:15:09 +01:00
page_cache.c migration: Fix cache_init()'s "Failed to allocate" error messages 2021-02-08 11:19:51 +00:00
page_cache.h migration: Clean up signed vs. unsigned XBZRLE cache-size 2021-02-08 11:19:51 +00:00
postcopy-ram.c migration: Enable TLS for preempt channel 2022-07-20 12:15:09 +01:00
postcopy-ram.h migration: Create the postcopy preempt channel asynchronously 2022-07-20 12:15:08 +01:00
qemu-file.c migration: Fix race on qemu_file_shutdown() 2022-11-21 11:58:10 +01:00
qemu-file.h migration: Postcopy recover with preempt enabled 2022-07-20 12:15:08 +01:00
ram.c migration/ram: Fix populate_read_range() 2023-03-29 10:20:04 +03:00
ram.h migration/multifd: Report to user when zerocopy not working 2022-07-20 12:15:09 +01:00
rdma.c migration: remove the QEMUFileOps abstraction 2022-06-23 10:18:13 +01:00
rdma.h migration: Export rdma.c functions in its own file 2017-06-01 18:49:23 +02:00
savevm.c reset: allow registering handlers that aren't called by snapshot loading 2022-10-27 11:34:31 +01:00
savevm.h migration: Add blocker information 2021-02-08 11:19:51 +00:00
socket.c migration: Postcopy preemption preparation on channel creation 2022-07-20 12:15:08 +01:00
socket.h migration: Postcopy preemption preparation on channel creation 2022-07-20 12:15:08 +01:00
target.c migration: Move populate_vfio_info() into a separate file 2021-05-14 12:31:51 +02:00
tls.c migration: Add helpers to detect TLS capability 2022-07-20 12:15:08 +01:00
tls.h migration: Add helpers to detect TLS capability 2022-07-20 12:15:08 +01:00
trace-events Revert "migration: Simplify unqueue_page()" 2022-08-02 16:46:52 +01:00
trace.h trace: switch position of headers to what Meson requires 2020-08-21 06:18:24 -04:00
vmstate-types.c Move CPU softfloat unions to cpu-float.h 2022-04-06 14:31:43 +02:00
vmstate.c migration: rename qemu_ftell to qemu_file_total_transferred 2022-06-22 19:33:36 +01:00
xbzrle.c migration: Create migration/xbzrle.h 2017-05-18 18:04:54 +02:00
xbzrle.h migration: Create migration/xbzrle.h 2017-05-18 18:04:54 +02:00
yank_functions.c migration: Move the yank unregister of channel_close out 2021-07-26 12:45:03 +01:00
yank_functions.h migration: Move the yank unregister of channel_close out 2021-07-26 12:45:03 +01:00