From: "Dr. David Alan Gilbert"
To: "Denis V. Lunev"
Cc: Amit Shah, qemu-devel@nongnu.org, Juan Quintela
Date: Wed, 9 Mar 2016 18:54:16 +0000
Subject: Re: [Qemu-devel] [PATCH 1/1] migration: fix use-after-free in loadvm_postcopy_handle_run_bh
Message-ID: <20160309185416.GB28302@work-vm>
In-Reply-To: <1457537708-8622-1-git-send-email-den@openvz.org>

* Denis V. Lunev (den@openvz.org) wrote:
> MigrationState is destroyed before we can come into bottom half.
>
> Signed-off-by: Denis V. Lunev
> CC: Juan Quintela
> CC: Amit Shah
> CC: Dr. David Alan Gilbert

Reviewed-by: Dr. David Alan Gilbert

(I was about to post a similar fix; although I'd used a static QEMUBH * in loadvm_postcopy_handle_run)

This one does work (and I checked the binary actually is the version I'm running!)

> ---
> Dave, do you have the tests you have mentioned available in public? I'd better
> run them in advance next time.

Not yet; I've got two test sets that both need cleaning up:

1) Is a test harness that boots a full vm, runs a heavy stress test etc - I can clean that up and put it somewhere; but it has a rather hacky set of waits for login prompts etc, but my intention is to write a qemu test script in the next month or two.

2) I've got a very hacky autotest/virt-test world that is good at finding races (it runs no load and has a random delay as to when the postcopy phase starts); unfortunately virt-test is deprecated and I've not had time to look at its replacement yet (avocado); but my intention is to do that.

I tend to run both of them in a loop - 2 in particular is really good at finding race conditions such as what happens if the listen thread finishes at just the same time as something else.

Dave

> > migration/savevm.c | 16 ++++++++++++---- > 1 file changed, 12 insertions(+), 4 deletions(-) > > diff --git a/migration/savevm.c b/migration/savevm.c > index 96e7db5..384e872 100644 > --- a/migration/savevm.c > +++ b/migration/savevm.c > @@ -1501,10 +1501,15 @@ static int loadvm_postcopy_handle_listen(MigrationIncomingState *mis) > return 0; > } > > + > +typedef struct { > + QEMUBH *bh; > +} HandleRunBhData; > + > static void loadvm_postcopy_handle_run_bh(void *opaque) > { > Error *local_err = NULL; > - MigrationIncomingState *mis = opaque; > + HandleRunBhData *data = opaque; > > /* TODO we should move all of this lot into postcopy_ram.c or a shared code > * in migration.c
> @@ -1532,13 +1537,15 @@ static void loadvm_postcopy_handle_run_bh(void *opaque) > runstate_set(RUN_STATE_PAUSED); > } > > - qemu_bh_delete(mis->bh); > + qemu_bh_delete(data->bh); > + g_free(data); > } > > /* After all discards we can start running and asking for pages */ > static int loadvm_postcopy_handle_run(MigrationIncomingState *mis) > { > PostcopyState ps = postcopy_state_set(POSTCOPY_INCOMING_RUNNING); > + HandleRunBhData *data; > > trace_loadvm_postcopy_handle_run(); > if (ps != POSTCOPY_INCOMING_LISTENING) { > @@ -1546,8 +1553,9 @@ static int loadvm_postcopy_handle_run(MigrationIncomingState *mis) > return -1; > } > > - mis->bh = qemu_bh_new(loadvm_postcopy_handle_run_bh, NULL); > - qemu_bh_schedule(mis->bh); > + data = g_new(HandleRunBhData, 1); > + data->bh = qemu_bh_new(loadvm_postcopy_handle_run_bh, data); > + qemu_bh_schedule(data->bh); > > /* We need to finish reading the stream from the package > * and also stop reading anything more from the stream that loaded the > -- > 2.1.4 > -- Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
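Review bot: in the first hunk (@@ -1501,10 +1501,15 @@) the extra `+` blank line inserted before `typedef struct {` leaves two consecutive blank lines after the closing brace of loadvm_postcopy_handle_listen; one should go. The bigger point is that `opaque` is now cast to `HandleRunBhData *data` instead of `MigrationIncomingState *mis`, so any remaining reference to `mis` in the part of loadvm_postcopy_handle_run_bh that the hunk does not show would either fail to compile or would have to be obtained from the incoming-state accessor rather than the bottom-half argument; worth confirming the rest of the body was audited, since the diff context ends at the TODO comment.

Review bot: in the second hunk (@@ -1532,13 +1537,15 @@) the order `qemu_bh_delete(data->bh); g_free(data);` is right (the BH is deleted before the memory that holds its pointer is released), but `data` is freed only on the path through the bottom half itself. If the BH is scheduled and the incoming migration is torn down before the main loop services it, both the QEMUBH and the HandleRunBhData allocation are leaked. That is probably acceptable for a one-shot at the run transition, but a short comment at the `g_free(data)` saying the BH owns and frees its own context would make the lifetime contract explicit for the next reader.

Review bot: in the third hunk (@@ -1546,8 +1553,9 @@) the removed line passed `NULL` as the opaque to qemu_bh_new while the bottom half cast that opaque to a `MigrationIncomingState *`, so the new `data->bh = qemu_bh_new(loadvm_postcopy_handle_run_bh, data);` also stops the BH from depending on the incoming-state object outliving the scheduling, which is the use-after-free the commit message describes. No NULL check is needed after `g_new(HandleRunBhData, 1)` since g_new aborts on allocation failure. One loose end: `mis->bh` is no longer written on this path, so if the `bh` member of MigrationIncomingState is still read or deleted anywhere else (the diff does not show its other uses), that code now sees whatever the field held before; if this was its only user, consider dropping the field in a follow-up.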