[PATCH] migration: Assign current_migration as NULL after migration

Keqian Zhu posted 1 patch 3 years, 9 months ago
Maintainers: Juan Quintela <quintela@redhat.com>, "Dr. David Alan Gilbert" <dgilbert@redhat.com>
[PATCH] migration: Assign current_migration as NULL after migration
Posted by Keqian Zhu 3 years, 9 months ago
In migration_shutdown, the global variable current_migration is freed but not
set to NULL, which may cause a heap-use-after-free problem if the
following code logic is abnormal.

Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
---
 migration/migration.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/migration/migration.c b/migration/migration.c
index 481a590f72..effffd7332 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -189,6 +189,7 @@ void migration_shutdown(void)
      */
     migrate_fd_cancel(current_migration);
     object_unref(OBJECT(current_migration));
+    current_migration = NULL;
 }
 
 /* For outgoing */
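Review bot: the NULL store at `+    current_migration = NULL;` only protects code that re-reads the global after migration_shutdown() returns; it does nothing for a migration thread that already loaded the pointer earlier, and the visible sequence `migrate_fd_cancel(current_migration); object_unref(OBJECT(current_migration));` requests cancellation without waiting for that thread, so the use-after-free the commit message worries about is still reachable through the thread's own copy. A fix that actually closes the window has to wait for the migration thread to drop its reference before the unref, and only then clear the global; the commit message should also name the "following code logic" that was observed to touch current_migration after shutdown, since "if the following code logic is abnormal" does not identify a caller.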
-- 
2.19.1


Re: [PATCH] migration: Assign current_migration as NULL after migration
Posted by zhukeqian 3 years, 9 months ago
Please ignore this patch :-)

If we shut down the VM during migration, the migration thread may still
reference current_migration at this point.

On 2020/6/28 14:49, Keqian Zhu wrote:
> In migration_shutdown, the global variable current_migration is freed but not
> set to NULL, which may cause a heap-use-after-free problem if the
> following code logic is abnormal.
> 
> Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
> ---
>  migration/migration.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/migration/migration.c b/migration/migration.c
> index 481a590f72..effffd7332 100644
> --- a/migration/migration.c
> +++ b/migration/migration.c
> @@ -189,6 +189,7 @@ void migration_shutdown(void)
>       */
>      migrate_fd_cancel(current_migration);
>      object_unref(OBJECT(current_migration));
> +    current_migration = NULL;
>  }
>  
>  /* For outgoing */
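Review bot: the retraction above is the right call for this hunk. Beyond being ineffective against a pointer the migration thread has already loaded, the store at `+    current_migration = NULL;` is an unsynchronized write to a global that, per the reply, another thread may be reading at that moment, so it adds a data race rather than removing one. If this is revisited, the ordering to aim for is: request cancellation, wait for the migration thread to finish and drop its reference, object_unref(), then clear the global.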
>
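To make the ordering problem in this thread concrete, here is an added, self-contained C example that is not QEMU code and uses only hypothetical names (MigState, current_state, shutdown_safe, run_demo). It models a global pointer to a reference-counted object shared with a worker thread, as current_migration is shared with the migration thread, and shows the teardown order that makes clearing the global safe: request cancellation, join the worker so its reference is gone, drop the last reference, then NULL the global. Clearing the global without the join, as the retracted hunk did, would leave the worker's own copy of the pointer dangling.

```c
/* Added example (not QEMU code): safe teardown of a global, reference-counted
 * object that a worker thread also holds. All names are hypothetical. */
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

typedef struct {
    atomic_int refcount;
    atomic_bool cancel_requested;   /* analogue of the migration cancel state */
    atomic_int iterations;          /* how much work the worker did */
} MigState;

static MigState *current_state;     /* analogue of current_migration */
static atomic_int frees;            /* how many times the object was freed */

static MigState *mig_new(void) {
    MigState *s = calloc(1, sizeof(*s));
    atomic_init(&s->refcount, 1);   /* creator's reference */
    return s;
}

static void mig_ref(MigState *s) { atomic_fetch_add(&s->refcount, 1); }

/* Frees the object when the last reference is dropped (analogue of object_unref). */
static void mig_unref(MigState *s) {
    if (atomic_fetch_sub(&s->refcount, 1) == 1) {
        atomic_fetch_add(&frees, 1);
        free(s);
    }
}

/* Worker: takes its own reference and keeps using the object until told to
 * stop, like a migration thread that outlives the start of shutdown. It reads
 * the pointer it was given, not the global, so nulling the global cannot
 * protect it. */
static void *worker(void *arg) {
    MigState *s = arg;
    mig_ref(s);
    while (!atomic_load(&s->cancel_requested)) {
        atomic_fetch_add(&s->iterations, 1);
        sched_yield();
    }
    mig_unref(s);   /* worker's reference dropped only once it is done */
    return NULL;
}

/* Safe teardown: cancel, wait for the worker, drop our reference, clear the
 * global. Returns true when the object was freed exactly once. */
static bool shutdown_safe(pthread_t tid) {
    MigState *s = current_state;
    atomic_store(&s->cancel_requested, true);   /* analogue of migrate_fd_cancel() */
    pthread_join(tid, NULL);                    /* worker has exited and unref'd */
    mig_unref(s);                               /* last reference: object freed here */
    current_state = NULL;                       /* safe: no other holder remains */
    return atomic_load(&frees) == 1;
}

/* Creates the object, runs a worker briefly, tears down. Returns 1 when the
 * object was freed exactly once and the global is cleared, 0 on a logic
 * error, -1 if the thread could not be started. */
int run_demo(void) {
    atomic_store(&frees, 0);
    current_state = mig_new();
    pthread_t tid;
    if (pthread_create(&tid, NULL, worker, current_state) != 0) {
        mig_unref(current_state);
        current_state = NULL;
        return -1;
    }
    for (volatile int i = 0; i < 100000; i++) { }   /* let the worker run a little */
    bool ok = shutdown_safe(tid);
    return (ok && current_state == NULL) ? 1 : 0;
}

int main(void) { return run_demo() == 1 ? 0 : 1; }
```

The join is the load-bearing step: it is what guarantees the worker has dropped its reference before the last unref, so the subsequent NULL store is a bookkeeping step for later callers rather than a (racy) attempt to protect a thread that still holds the old pointer.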