[PATCH 1/1] migration/multifd: fix channel count TOCTOU race on cancel and retry

[Trieu Huynh <vikingtc4@gmail.com>]

From: Trieu Huynh <vikingtc4@gmail.com>

When a multifd migration is cancelled and the user changes
multifd-channels via QMP before cleanup completes, the shutdown and
termination loops re-read migrate_multifd_channels() which now returns
the new value. This causes the loops to iterate over, for instance
fewer channels than were created, leaving yank functions of the
abandoned channels still registered when yank_unregister_instance()
is called, triggering an abort:
  qemu-system-x86_64: ../util/yank.c:107: yank_unregister_instance:
  Assertion `QLIST_EMPTY(&entry->yankfns)' failed.
  Aborted (core dumped)

Fix by storing the channel count at setup time and using that frozen
value in all subsequent loops. The live parameter
migrate_multifd_channels() is now only read once during setup, ensuring
teardown always operates on the exact set of channels that were created.

Signed-off-by: Trieu Huynh <vikingtc4@gmail.com>
---
 migration/multifd.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/migration/multifd.c b/migration/multifd.c
index 035cb70f7b..69c8f6747b 100644
--- a/migration/multifd.c
+++ b/migration/multifd.c
@@ -75,6 +75,8 @@ struct {
     int exiting;
     /* multifd ops */
     const MultiFDMethods *ops;
+    /* number of channels created (fixed at setup) */
+    int channel_num;
 } *multifd_send_state;
 
 struct {
@@ -483,7 +485,7 @@ static void multifd_send_terminate_threads(void)
      * Firstly, kick all threads out; no matter whether they are just idle,
      * or blocked in an IO system call.
      */
-    for (i = 0; i < migrate_multifd_channels(); i++) {
+    for (i = 0; i < multifd_send_state->channel_num; i++) {
         MultiFDSendParams *p = &multifd_send_state->params[i];
 
         qemu_sem_post(&p->sem);
@@ -495,7 +497,7 @@ static void multifd_send_terminate_threads(void)
     /*
      * Finally recycle all the threads.
      */
-    for (i = 0; i < migrate_multifd_channels(); i++) {
+    for (i = 0; i < multifd_send_state->channel_num; i++) {
         MultiFDSendParams *p = &multifd_send_state->params[i];
 
         if (p->tls_thread_created) {
@@ -577,7 +579,7 @@ void multifd_send_shutdown(void)
 
     multifd_send_terminate_threads();
 
-    for (i = 0; i < migrate_multifd_channels(); i++) {
+    for (i = 0; i < multifd_send_state->channel_num; i++) {
         MultiFDSendParams *p = &multifd_send_state->params[i];
         Error *local_err = NULL;
 
@@ -615,7 +617,7 @@ int multifd_send_sync_main(MultiFDSyncReq req)
 
     flush_zero_copy = migrate_zero_copy_send();
 
-    for (i = 0; i < migrate_multifd_channels(); i++) {
+    for (i = 0; i < multifd_send_state->channel_num; i++) {
         MultiFDSendParams *p = &multifd_send_state->params[i];
 
         if (multifd_send_should_exit()) {
@@ -632,7 +634,7 @@ int multifd_send_sync_main(MultiFDSyncReq req)
         qatomic_set(&p->pending_sync, req);
         qemu_sem_post(&p->sem);
     }
-    for (i = 0; i < migrate_multifd_channels(); i++) {
+    for (i = 0; i < multifd_send_state->channel_num; i++) {
         MultiFDSendParams *p = &multifd_send_state->params[i];
 
         if (multifd_send_should_exit()) {
@@ -926,6 +928,7 @@ bool multifd_send_setup(void)
     thread_count = migrate_multifd_channels();
     multifd_send_state = g_malloc0(sizeof(*multifd_send_state));
     multifd_send_state->params = g_new0(MultiFDSendParams, thread_count);
+    multifd_send_state->channel_num = thread_count;
     qemu_mutex_init(&multifd_send_state->multifd_send_mutex);
     qemu_sem_init(&multifd_send_state->channels_created, 0);
     qemu_sem_init(&multifd_send_state->channels_ready, 0);
-- 
2.43.0