diff options
author | Denis V. Lunev <den@openvz.org> | 2016-03-09 18:35:08 +0300 |
---|---|---|
committer | Amit Shah <amit.shah@redhat.com> | 2016-03-11 12:58:45 +0530 |
commit | 864699227911909ef1e33ecf91bf3c900715a9b1 (patch) | |
tree | 2d06cf659ecf325a281e3eb004be19fa7faa0b91 | |
parent | 568b01caf38a5e156c2dc58ea002daa4e2dcab20 (diff) |
migration: fix use-after-free in loadvm_postcopy_handle_run_bh
MigrationState is destroyed before we can come into bottom half.
Signed-off-by: Denis V. Lunev <den@openvz.org>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
CC: Juan Quintela <quintela@redhat.com>
CC: Amit Shah <amit.shah@redhat.com>
CC: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <1457537708-8622-1-git-send-email-den@openvz.org>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
-rw-r--r-- | migration/savevm.c | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/migration/savevm.c b/migration/savevm.c index 96e7db5967..384e8727ef 100644 --- a/migration/savevm.c +++ b/migration/savevm.c @@ -1501,10 +1501,15 @@ static int loadvm_postcopy_handle_listen(MigrationIncomingState *mis) return 0; } + +typedef struct { + QEMUBH *bh; +} HandleRunBhData; + static void loadvm_postcopy_handle_run_bh(void *opaque) { Error *local_err = NULL; - MigrationIncomingState *mis = opaque; + HandleRunBhData *data = opaque; /* TODO we should move all of this lot into postcopy_ram.c or a shared code * in migration.c @@ -1532,13 +1537,15 @@ static void loadvm_postcopy_handle_run_bh(void *opaque) runstate_set(RUN_STATE_PAUSED); } - qemu_bh_delete(mis->bh); + qemu_bh_delete(data->bh); + g_free(data); } /* After all discards we can start running and asking for pages */ static int loadvm_postcopy_handle_run(MigrationIncomingState *mis) { PostcopyState ps = postcopy_state_set(POSTCOPY_INCOMING_RUNNING); + HandleRunBhData *data; trace_loadvm_postcopy_handle_run(); if (ps != POSTCOPY_INCOMING_LISTENING) { @@ -1546,8 +1553,9 @@ static int loadvm_postcopy_handle_run(MigrationIncomingState *mis) return -1; } - mis->bh = qemu_bh_new(loadvm_postcopy_handle_run_bh, NULL); - qemu_bh_schedule(mis->bh); + data = g_new(HandleRunBhData, 1); + data->bh = qemu_bh_new(loadvm_postcopy_handle_run_bh, data); + qemu_bh_schedule(data->bh); /* We need to finish reading the stream from the package * and also stop reading anything more from the stream that loaded the |