Message ID | 20200628064923.13192-1-zhukeqian1@huawei.com
---|---
State | New, archived
Series | migration: Assign current_migration as NULL after migration
Please ignore this patch :-) If we shut down the VM during migration, the migration thread may still ref current_migration at this point.

On 2020/6/28 14:49, Keqian Zhu wrote: > In migration_shutdown, global var current_migration is freed but not > assigned to NULL, which may cause heap-use-after-free problem if the > following code logic is abnormal. > > Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com> > --- > migration/migration.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/migration/migration.c b/migration/migration.c > index 481a590f72..effffd7332 100644 > --- a/migration/migration.c > +++ b/migration/migration.c > @@ -189,6 +189,7 @@ void migration_shutdown(void) > */ > migrate_fd_cancel(current_migration); > object_unref(OBJECT(current_migration)); > + current_migration = NULL; > } > > /* For outgoing */ >
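The ordering problem the reply above describes, shown as an added example in C that is not QEMU code: a minimal refcounted stand-in for current_migration, with a shutdown routine that mirrors the hunk (cancel, unref, clear the global). The thread interleaving is simulated sequentially rather than with real threads, and every name here (mig_state, mig_new, mig_ref, mig_unref, mig_shutdown, finalized_count, the scenario functions) is hypothetical. Scenario A is a worker that cached the raw pointer without taking a reference: the object is finalized underneath it whether or not the global is set to NULL. Scenario B is the same worker holding its own reference: the object survives shutdown and is finalized only when the worker drops it. Scenario C shows the one thing the NULL store does buy, a late re-read of the global returning NULL instead of a dangling pointer.

```c
/*
 * Added example, not QEMU code. A tiny refcounted object standing in for
 * the QOM object behind current_migration. All names are hypothetical.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    int refcount;
    bool cancelled;
} mig_state;

static mig_state *current_migration;   /* the global the patch clears */
static int finalized_count;            /* objects that reached refcount 0 */

/* New object; the single initial reference is owned by the global. */
static mig_state *mig_new(void) {
    mig_state *s = calloc(1, sizeof *s);
    s->refcount = 1;
    return s;
}

static void mig_ref(mig_state *s) { s->refcount++; }

/* Drop one reference; finalize (free) when the last one goes. */
static void mig_unref(mig_state *s) {
    if (--s->refcount == 0) {
        finalized_count++;
        free(s);
    }
}

/* Shutdown as in the hunk: cancel, drop the global's ref, clear the global. */
static void mig_shutdown(void) {
    current_migration->cancelled = true;        /* stands in for migrate_fd_cancel */
    mig_unref(current_migration);               /* stands in for object_unref */
    current_migration = NULL;                   /* the line the patch adds */
}

/*
 * Scenario A: a worker cached the raw pointer before shutdown and holds no
 * reference of its own. Returns true if its object is still alive afterwards.
 * It is not: the global's unref was the last reference, so worker_ptr now
 * dangles. Clearing the global changes nothing for this worker.
 */
static bool scenario_raw_pointer_outlives_shutdown(void) {
    current_migration = mig_new();
    mig_state *worker_ptr = current_migration;  /* cached, no mig_ref() */
    int before = finalized_count;
    mig_shutdown();
    (void)worker_ptr;   /* deliberately never dereferenced: it is dangling */
    return finalized_count == before;           /* false: freed under the worker */
}

/*
 * Scenario B: the worker takes its own reference before the global's is
 * dropped. Shutdown cancels the object but cannot free it; it is finalized
 * only when the worker is done with it.
 */
static bool scenario_worker_holds_ref(void) {
    current_migration = mig_new();
    mig_state *worker_ptr = current_migration;
    mig_ref(worker_ptr);                        /* worker owns a reference */
    int before = finalized_count;
    mig_shutdown();
    bool alive_after_shutdown = (finalized_count == before) && worker_ptr->cancelled;
    mig_unref(worker_ptr);                      /* worker finished: last ref */
    bool freed_after_worker = (finalized_count == before + 1);
    return alive_after_shutdown && freed_after_worker;
}

/* Scenario C: code that re-reads the global after shutdown sees NULL. */
static bool scenario_global_is_null_after_shutdown(void) {
    current_migration = mig_new();
    mig_shutdown();
    return current_migration == NULL;
}

int main(void) {
    printf("raw pointer survives shutdown: %s\n",
           scenario_raw_pointer_outlives_shutdown() ? "yes" : "no");
    printf("worker holding a ref is safe:  %s\n",
           scenario_worker_holds_ref() ? "yes" : "no");
    printf("global NULL after shutdown:    %s\n",
           scenario_global_is_null_after_shutdown() ? "yes" : "no");
    return 0;
}
```

The review point this isolates: the NULL store covers only readers that fetch the global again after shutdown. A thread that already holds the pointer needs either a reference of its own (scenario B) or to be finished before the unref; otherwise the unref frees the object under it regardless of what the global is set to afterwards.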
diff --git a/migration/migration.c b/migration/migration.c index 481a590f72..effffd7332 100644 --- a/migration/migration.c +++ b/migration/migration.c @@ -189,6 +189,7 @@ void migration_shutdown(void) */ migrate_fd_cancel(current_migration); object_unref(OBJECT(current_migration)); + current_migration = NULL; } /* For outgoing */
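Review bot: Clearing current_migration after object_unref() (the added line in the migration_shutdown hunk) does not cover the case the follow-up reply raises: a migration thread that already holds the pointer keeps using the object once the global's reference is dropped, and a reader that re-reads the global now gets NULL instead of a dangling pointer, so for that reader the failure moves from a heap-use-after-free to a NULL dereference unless every remaining user of current_migration also checks for NULL. The lifetime fix belongs before the unref, either by making sure the migration thread is finished with the object after migrate_fd_cancel(current_migration) returns, or by having the thread hold its own reference so that object_unref(OBJECT(current_migration)) is not the last drop while the thread is still running. The commit message should also name the concrete path that touches current_migration after shutdown rather than "if the following code logic is abnormal"; if there is no such path, the assignment is purely defensive and the description should say so.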
In migration_shutdown, the global variable current_migration is freed but not assigned to NULL, which may cause a heap-use-after-free problem if the following code logic is abnormal.

Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
---
 migration/migration.c | 1 +
 1 file changed, 1 insertion(+)