From patchwork Fri Mar 11 12:32:12 2016
X-Patchwork-Submitter: Amit Shah
X-Patchwork-Id: 8565371
From: Amit Shah
To: Peter Maydell
Date: Fri, 11 Mar 2016 18:02:12 +0530
Message-Id: <864699227911909ef1e33ecf91bf3c900715a9b1.1457699452.git.amit.shah@redhat.com>
Cc: Juan Quintela, qemu list, peterx@redhat.com, "Dr. David Alan Gilbert", Amit Shah, den@openvz.org
Subject: [Qemu-devel] [PULL 2/4] migration: fix use-after-free in loadvm_postcopy_handle_run_bh

From: "Denis V. Lunev"

MigrationState is destroyed before we can come into the bottom half.

Signed-off-by: Denis V. Lunev
Reviewed-by: Dr. David Alan Gilbert
CC: Juan Quintela
CC: Amit Shah
CC: Dr. David Alan Gilbert
Message-Id: <1457537708-8622-1-git-send-email-den@openvz.org>
Signed-off-by: Amit Shah
---
 migration/savevm.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/migration/savevm.c b/migration/savevm.c
index 96e7db5..384e872 100644
--- a/migration/savevm.c
+++ b/migration/savevm.c
@@ -1501,10 +1501,15 @@ static int loadvm_postcopy_handle_listen(MigrationIncomingState *mis) return 0; } + +typedef struct { + QEMUBH *bh; +} HandleRunBhData; + static void loadvm_postcopy_handle_run_bh(void *opaque) { Error *local_err = NULL; - MigrationIncomingState *mis = opaque; + HandleRunBhData *data = opaque; /* TODO we should move all of this lot into postcopy_ram.c or a shared code * in migration.c @@ -1532,13 +1537,15 @@ static void loadvm_postcopy_handle_run_bh(void *opaque) runstate_set(RUN_STATE_PAUSED); } - qemu_bh_delete(mis->bh); + qemu_bh_delete(data->bh); + g_free(data); } /* After all discards we can start running and asking for pages */ static int loadvm_postcopy_handle_run(MigrationIncomingState *mis) { PostcopyState ps = postcopy_state_set(POSTCOPY_INCOMING_RUNNING); + HandleRunBhData *data; trace_loadvm_postcopy_handle_run(); if (ps != POSTCOPY_INCOMING_LISTENING) { @@ -1546,8 +1553,9 @@ static int loadvm_postcopy_handle_run(MigrationIncomingState *mis) return -1; } - mis->bh = qemu_bh_new(loadvm_postcopy_handle_run_bh, NULL); - qemu_bh_schedule(mis->bh); + data = g_new(HandleRunBhData, 1); + data->bh = qemu_bh_new(loadvm_postcopy_handle_run_bh, data); + qemu_bh_schedule(data->bh); /* We need to finish reading the stream from the package * and also stop reading anything more from the stream that loaded the
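Review bot: the new `HandleRunBhData` typedef in the first hunk (@@ -1501,10 +1501,15 @@) carries no comment, and the one-line commit message is the only place that says why the bottom half stops receiving `MigrationIncomingState`; a short comment above the struct (the incoming state can be torn down before the scheduled BH runs, so the BH must own everything it touches) would stop a later reader from "simplifying" it back to passing `mis`. Also worth confirming that nothing in the part of `loadvm_postcopy_handle_run_bh` not shown between this hunk and the next still dereferences `mis`, since after the rename to `data` that variable no longer exists in the function.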
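Review bot: the order `qemu_bh_delete(data->bh); g_free(data);` in the second hunk (@@ -1532,13 +1537,15 @@) is the correct one, deleting the BH before freeing the struct that holds its pointer, but it is easy to invert in a later refactor; a one-line comment, or keeping the pair as the function's final two statements, would protect it. If any path in the BH body not shown here returns before reaching this pair, the `data` allocation introduced in the third hunk leaks and the BH is never deleted, so that is worth checking too.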
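Review bot: the removed lines in the third hunk (@@ -1546,8 +1553,9 @@) show the old code scheduling the BH with a NULL opaque even though the BH cast its opaque to `MigrationIncomingState *`, so the patch also removes that mismatch, which the commit message ("MigrationState is destroyed before we can come into bottom half") does not mention; a sentence spelling out the lifetime problem and the opaque change would help anyone bisecting later. With `data` now owning the BH, `mis->bh` is no longer written on this path; if no other code reads it, the field could be dropped from `MigrationIncomingState` in a follow-up. `g_new()` aborts rather than returning NULL, so no NULL check is needed on the allocation.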