[PULL 2/9] migration/rdma: Fix cm event use after free

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: "Dr. David Alan Gilbert (git)" <dgilbert@redhat.com>
To: qemu-devel@nongnu.org, huangy81@chinatelecom.cn,
	peterx@redhat.com, lizhijian@cn.fujitsu.com, leobras.c@gmail.com,
	pabeni@redhat.com
Subject: [PULL 2/9] migration/rdma: Fix cm event use after free
Date: Wed,  9 Jun 2021 15:45:05 +0100	[thread overview]
Message-ID: <20210609144512.211746-3-dgilbert@redhat.com> (raw)
In-Reply-To: <20210609144512.211746-1-dgilbert@redhat.com>

From: Li Zhijian <lizhijian@cn.fujitsu.com>

Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com>
Message-Id: <20210602023506.3821293-1-lizhijian@cn.fujitsu.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
---
 migration/rdma.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/migration/rdma.c b/migration/rdma.c
index 1cdb4561f3..d90b29a4b5 100644
--- a/migration/rdma.c
+++ b/migration/rdma.c
@@ -1539,16 +1539,20 @@ static int qemu_rdma_wait_comp_channel(RDMAContext *rdma)
 
                 if (pfds[1].revents) {
                     ret = rdma_get_cm_event(rdma->channel, &cm_event);
-                    if (!ret) {
-                        rdma_ack_cm_event(cm_event);
+                    if (ret) {
+                        error_report("failed to get cm event while wait "
+                                     "completion channel");
+                        return -EPIPE;
                     }
 
                     error_report("receive cm event while wait comp channel,"
                                  "cm event is %d", cm_event->event);
                     if (cm_event->event == RDMA_CM_EVENT_DISCONNECTED ||
                         cm_event->event == RDMA_CM_EVENT_DEVICE_REMOVAL) {
+                        rdma_ack_cm_event(cm_event);
                         return -EPIPE;
                     }
+                    rdma_ack_cm_event(cm_event);
                 }
                 break;
 
@@ -3285,7 +3289,6 @@ static void rdma_cm_poll_handler(void *opaque)
         error_report("get_cm_event failed %d", errno);
         return;
     }
-    rdma_ack_cm_event(cm_event);
 
     if (cm_event->event == RDMA_CM_EVENT_DISCONNECTED ||
         cm_event->event == RDMA_CM_EVENT_DEVICE_REMOVAL) {
@@ -3298,12 +3301,14 @@ static void rdma_cm_poll_handler(void *opaque)
                 rdma->return_path->error_state = -EPIPE;
             }
         }
+        rdma_ack_cm_event(cm_event);
 
         if (mis->migration_incoming_co) {
             qemu_coroutine_enter(mis->migration_incoming_co);
         }
         return;
     }
+    rdma_ack_cm_event(cm_event);
 }
 
 static int qemu_rdma_accept(RDMAContext *rdma)
-- 
2.31.1

next prev parent reply	other threads:[~2021-06-09 14:48 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-06-09 14:45 [PULL 0/9] migration queue Dr. David Alan Gilbert (git)
2021-06-09 14:45 ` [PULL 1/9] yank: Unregister function when using TLS migration Dr. David Alan Gilbert (git)
2021-06-14  5:14   ` Philippe Mathieu-Daudé
2021-06-15 21:17     ` Leonardo Brás
2021-06-09 14:45 ` Dr. David Alan Gilbert (git) [this message]
2021-06-09 14:45 ` [PULL 3/9] channel-socket: Only set CLOEXEC if we have space for fds Dr. David Alan Gilbert (git)
2021-06-09 14:45 ` [PULL 4/9] io/net-listener: Call the notifier during finalize Dr. David Alan Gilbert (git)
2021-06-09 14:45 ` [PULL 5/9] migration: Add cleanup hook for inwards migration Dr. David Alan Gilbert (git)
2021-06-09 14:45 ` [PULL 6/9] migration/socket: Close the listener at the end Dr. David Alan Gilbert (git)
2021-06-09 14:45 ` [PULL 7/9] sockets: Support multipath TCP Dr. David Alan Gilbert (git)
2021-06-09 14:45 ` [PULL 8/9] migration/dirtyrate: make sample page count configurable Dr. David Alan Gilbert (git)
2021-06-09 14:45 ` [PULL 9/9] hmp: Add "calc_dirty_rate" and "info dirty_rate" cmds Dr. David Alan Gilbert (git)
2021-06-09 16:56 ` [PULL 0/9] migration queue Peter Maydell
2021-06-14 22:06 ` no-reply

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:1cdb4561f dfblob:d90b29a4b )
 OR (
bs:"[PULL 2/9] migration/rdma: Fix cm event use after free" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210609144512.211746-3-dgilbert@redhat.com \
    --to=dgilbert@redhat.com \
    --cc=huangy81@chinatelecom.cn \
    --cc=leobras.c@gmail.com \
    --cc=lizhijian@cn.fujitsu.com \
    --cc=pabeni@redhat.com \
    --cc=peterx@redhat.com \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).