author | Peter Xu <peterx@redhat.com> | 2024-10-24 17:30:49 -0400
---|---|---
committer | Peter Xu <peterx@redhat.com> | 2024-10-31 15:48:18 -0400
commit | 7fc8beb16ee05399837efb41d0924fa1897da864 (patch) |
tree | 1e83c4f1fb33ebb2e1545d2b25129e5cd32a995c /migration/migration.c |
parent | 228529d1fec305c05a7c7e173258b1c939ef3b1b (diff) |
migration: Take migration object refcount earlier for threads
Both the migration thread and the background snapshot thread will take a refcount of
the migration object at the entrance of the thread function.
That makes sense, because it protects the object from being freed by the
main thread in migration_shutdown() later, but it might still race with it
if the thread is scheduled too late. Consider the case right after
pthread_create() happened: the VM shuts down with the object released, but
right after that the migration thread finally gets created, referencing the
MigrationState* in the opaque pointer, which is already freed.
The only 100% safe way to make sure it won't get freed is taking the
refcount right before the thread is created, while the BQL is held.
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Link: https://lore.kernel.org/r/20241024213056.1395400-2-peterx@redhat.com
Signed-off-by: Peter Xu <peterx@redhat.com>
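As an added example (not QEMU code and not part of this commit), the reference hand-off the commit message describes, on a minimal refcounted object with POSIX threads: the creator takes the thread's reference before pthread_create() while holding a lock that stands in for the BQL, the thread releases that reference at the end of its function, and the creator drops its own reference before the thread is allowed to run, which is exactly the late-scheduling window the message describes. The `struct obj`, the `bql` mutex, the `OBJ_MAGIC` marker and `run_safe_handoff()` are illustrative assumptions, not QEMU identifiers.

```c
/*
 * Added example, not QEMU code: the reference hand-off from the commit
 * message on a minimal refcounted object.  struct obj, bql, OBJ_MAGIC and
 * run_safe_handoff() are illustrative names, not QEMU's.
 *
 * Unsafe pattern ("before"): the creator calls pthread_create() and the
 * thread takes its own reference when it starts running.  If the creator's
 * shutdown path drops its reference first, the thread reads freed memory.
 * That variant is deliberately not executed here: it is a use-after-free.
 *
 * Safe pattern (what the patch does): the creator takes the thread's
 * reference before pthread_create(), under the lock, and the thread
 * releases it at the end of its function.
 */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define OBJ_MAGIC 0x4d494752   /* constructed marker; cleared on free */

struct obj {
    int refcount;              /* protected by bql */
    int magic;
};

/* Stands in for QEMU's BQL: refcount updates and the flag live under it. */
static pthread_mutex_t bql = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t bql_cond = PTHREAD_COND_INITIALIZER;
static int shutdown_done;      /* creator has dropped its own reference */
static int free_count;         /* how many times the object was freed */

/* The three helpers below assume the caller holds bql (a simplification). */
static struct obj *obj_new(void)
{
    struct obj *o = calloc(1, sizeof(*o));
    if (!o) {
        abort();
    }
    o->refcount = 1;           /* the creator's own reference */
    o->magic = OBJ_MAGIC;
    return o;
}

static void obj_ref(struct obj *o)
{
    o->refcount++;
}

static void obj_unref(struct obj *o)
{
    if (--o->refcount == 0) {
        o->magic = 0;          /* poison before free */
        free(o);
        free_count++;
    }
}

/* Thread function: analogue of migration_thread() after the patch. */
static void *worker(void *opaque)
{
    struct obj *o = opaque;
    intptr_t saw_live;

    pthread_mutex_lock(&bql);
    /* Model "scheduled too late": wait until the creator has already run its
     * shutdown path.  Under the unsafe pattern o would be freed by now. */
    while (!shutdown_done) {
        pthread_cond_wait(&bql_cond, &bql);
    }
    saw_live = (o->magic == OBJ_MAGIC);   /* valid: this thread owns reference #2 */
    obj_unref(o);                         /* released at the end of the thread function */
    pthread_mutex_unlock(&bql);
    return (void *)saw_live;
}

/* Analogue of migrate_fd_connect() followed by migration_shutdown().
 * Returns 1 when the thread saw a live object and the object was freed
 * exactly once, 0 otherwise, -1 if the thread could not be created. */
int run_safe_handoff(void)
{
    pthread_t t;
    void *ret;
    int rc, freed_once;
    struct obj *o;

    pthread_mutex_lock(&bql);
    shutdown_done = 0;
    free_count = 0;
    o = obj_new();                        /* reference #1: the creator's */
    obj_ref(o);                           /* reference #2: for the thread, before it exists */
    rc = pthread_create(&t, NULL, worker, o);
    if (rc != 0) {
        obj_unref(o);                     /* no thread was created: take its reference back */
        obj_unref(o);                     /* and drop our own */
        pthread_mutex_unlock(&bql);
        return -1;
    }
    pthread_mutex_unlock(&bql);

    /* Shutdown path: drop reference #1, possibly before the thread has run a
     * single instruction.  The object survives on reference #2. */
    pthread_mutex_lock(&bql);
    obj_unref(o);
    shutdown_done = 1;
    pthread_cond_broadcast(&bql_cond);
    pthread_mutex_unlock(&bql);

    pthread_join(t, &ret);

    pthread_mutex_lock(&bql);
    freed_once = (free_count == 1);
    pthread_mutex_unlock(&bql);
    return ((intptr_t)ret == 1 && freed_once) ? 1 : 0;
}

int main(void)
{
    printf("safe hand-off: %s\n",
           run_safe_handoff() == 1 ? "object stayed live until the thread released it" : "FAILED");
    return 0;
}
```

The ordering is forced rather than left to the scheduler: the worker blocks until the creator's shutdown path has already dropped its reference, so the check `o->magic == OBJ_MAGIC` runs in precisely the window the commit message worries about, and it only passes because the reference was taken before pthread_create(). Note the failure branch: when thread creation fails, the reference taken on the thread's behalf has to be given back by the creator, since no thread will ever release it.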
Diffstat (limited to 'migration/migration.c')
-rw-r--r-- | migration/migration.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/migration/migration.c b/migration/migration.c index 9bcc9db4fb..a3bf494d91 100644 --- a/migration/migration.c +++ b/migration/migration.c @@ -3488,7 +3488,6 @@ static void *migration_thread(void *opaque) rcu_register_thread(); - object_ref(OBJECT(s)); update_iteration_initial_status(s); if (!multifd_send_setup()) { @@ -3626,7 +3625,6 @@ static void *bg_migration_thread(void *opaque) int ret; rcu_register_thread(); - object_ref(OBJECT(s)); migration_rate_set(RATE_LIMIT_DISABLED); @@ -3838,6 +3836,14 @@ void migrate_fd_connect(MigrationState *s, Error *error_in) } } + /* + * Take a refcount to make sure the migration object won't get freed by + * the main thread already in migration_shutdown(). + * + * The refcount will be released at the end of the thread function. + */ + object_ref(OBJECT(s)); + if (migrate_background_snapshot()) { qemu_thread_create(&s->thread, MIGRATION_THREAD_SNAPSHOT, bg_migration_thread, s, QEMU_THREAD_JOINABLE); |
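Review bot: migration_thread() (first hunk) and bg_migration_thread() (second hunk) now silently depend on their creator having taken a reference on `s` for them, but nothing at the top of either function records that contract. Suggest a one-line comment next to `rcu_register_thread();` in each, along the lines of `/* The caller took a ref on s for this thread; it is released at exit. */`, so that anyone who later spawns either function from a different call site does not reintroduce the race this patch closes.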
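Review bot: the new `object_ref(OBJECT(s));` in migrate_fd_connect() (third hunk) is unconditional, so every path after it must reach a qemu_thread_create() whose thread unrefs `s` at exit; the hunk only shows the `migrate_background_snapshot()` branch, so please confirm the other branch creates the thread as well and that no early return or error path sits between the object_ref() and the thread creation, otherwise the reference leaks and the MigrationState is never freed. The added comment would also be more useful if it named the matching release site (the object_unref() in migration_thread() and bg_migration_thread()) instead of "the end of the thread function".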