Re: [PATCH 1/5] migration: Fix use-after-free of migration state object
From: Fabiano Rosas
Subject: Re: [PATCH 1/5] migration: Fix use-after-free of migration state object
Date: Fri, 19 Jan 2024 20:43:50 -0300
Fabiano Rosas <farosas@suse.de> writes:
> We're currently allowing the process_incoming_migration_bh bottom-half
> to run without holding a reference to the 'current_migration' object,
> which leads to a segmentation fault if the BH is still live after
> migration_shutdown() has dropped the last reference to
> current_migration.
>
> In my system the bug manifests as migrate_multifd() returning true
> when it shouldn't and multifd_load_shutdown() calling
> multifd_recv_terminate_threads() which crashes due to an uninitialized
> multifd_recv_state.
>
> Fix the issue by holding a reference to the object when scheduling the
> BH and dropping it before returning from the BH. The same is already
> done for the cleanup_bh at migrate_fd_cleanup_schedule().
>
> Signed-off-by: Fabiano Rosas <farosas@suse.de>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1969
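The lifetime problem the patch describes, as an added illustration that is not QEMU code: a refcounted state object, a minimal bottom-half queue, and the two orderings side by side. Names such as `simulate`, `model_bh_schedule` and the `destroyed` flag are assumptions of this model; the model's finalizer marks the object destroyed instead of freeing it so the misuse can be observed deterministically.

```c
#include <stdbool.h>
#include <stddef.h>

#define MAX_BH 4

/* Stand-in for the migration state object (constructed for this example). */
typedef struct {
    int refcount;
    bool destroyed;   /* set where QEMU would free the memory */
    bool multifd;     /* stands in for what migrate_multifd() reads */
} MigrationState;

typedef struct { void (*fn)(void *); void *opaque; } BH;

static BH bh_queue[MAX_BH];
static int bh_count;
static bool bh_saw_destroyed;

static void object_ref(MigrationState *s) { s->refcount++; }
static void object_unref(MigrationState *s) {
    if (--s->refcount == 0) {
        s->destroyed = true;   /* real code frees the storage here */
        s->multifd = false;    /* contents are no longer trustworthy */
    }
}
static void model_bh_schedule(void (*fn)(void *), void *opaque) {
    if (bh_count < MAX_BH) { bh_queue[bh_count++] = (BH){ fn, opaque }; }
}
static void run_pending_bhs(void) {
    for (int i = 0; i < bh_count; i++) bh_queue[i].fn(bh_queue[i].opaque);
    bh_count = 0;
}

/* Before the fix: the BH owns no reference, so it may run on a dead object. */
static void incoming_bh_buggy(void *opaque) {
    MigrationState *s = opaque;
    bh_saw_destroyed = s->destroyed;
    (void)s->multifd;
}
/* After the fix: the scheduler took a reference; the BH drops it on exit. */
static void incoming_bh_fixed(void *opaque) {
    MigrationState *s = opaque;
    bh_saw_destroyed = s->destroyed;
    (void)s->multifd;
    object_unref(s);
}

/* Returns 0 if all is well, 1 if the BH touched a destroyed object, 2 if the object leaked. */
int simulate(bool hold_ref_for_bh) {
    MigrationState state = { .refcount = 1, .destroyed = false, .multifd = true };
    bh_saw_destroyed = false; bh_count = 0;
    if (hold_ref_for_bh) { object_ref(&state); model_bh_schedule(incoming_bh_fixed, &state); }
    else { model_bh_schedule(incoming_bh_buggy, &state); }
    object_unref(&state);   /* migration_shutdown() drops its reference before the BH runs */
    run_pending_bhs();
    if (bh_saw_destroyed) return 1;
    if (!state.destroyed) return 2;
    return 0;
}
```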