qemu-devel.nongnu.org archive mirror
From: Peter Xu <peterx@redhat.com>
To: qemu-devel@nongnu.org
Cc: peterx@redhat.com, "Alex Williamson" <alex.williamson@redhat.com>,
	"Fabiano Rosas" <farosas@suse.de>,
	"Avihai Horon" <avihaih@nvidia.com>,
	"Cédric Le Goater" <clg@redhat.com>
Subject: [PATCH v2 2/4] migration: Reset current_migration properly
Date: Wed, 23 Oct 2024 14:02:14 -0400
Message-ID: <20241023180216.1072575-3-peterx@redhat.com>
In-Reply-To: <20241023180216.1072575-1-peterx@redhat.com>

current_migration is never reset, even if the migration object is freed
already.  It means anyone referencing it can trigger a UAF, and it'll be hard
to debug.

Properly clear the pointer now, so far by doing it in the finalize() (as we
know there's only one instance of it).

Add a TODO entry for it showing that we can do better in the future.

To make it clear, also initialize the variable in the instance_init() so
it's very well paired at least.

Signed-off-by: Peter Xu <peterx@redhat.com>
---
 migration/migration.c | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/migration/migration.c b/migration/migration.c
index bcb735869b..a82297db0f 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -232,9 +232,9 @@ static int migration_stop_vm(MigrationState *s, RunState state)
 
 void migration_object_init(void)
 {
-    /* This can only be called once. */
-    assert(!current_migration);
-    current_migration = MIGRATION_OBJ(object_new(TYPE_MIGRATION));
+    MIGRATION_OBJ(object_new(TYPE_MIGRATION));
+    /* This should be set when initialize the object */
+    assert(current_migration);
 
     /*
      * Init the migrate incoming object as well no matter whether
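Review bot: the new comment `+    /* This should be set when initialize the object */` is ungrammatical and hides the non-obvious part of this change; "This is set by instance_init(), see migration_instance_init()" would tell the reader where the assignment moved to. Also, `MIGRATION_OBJ(object_new(TYPE_MIGRATION));` discards the returned pointer, so the only thing keeping the new instance reachable is the side effect in instance_init(); a one-line comment saying the reference is deliberately held through current_migration would stop a reader from assuming it is leaked.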
@@ -3877,12 +3877,31 @@ static void migration_instance_finalize(Object *obj)
     qemu_sem_destroy(&ms->rp_state.rp_pong_acks);
     qemu_sem_destroy(&ms->postcopy_qemufile_src_sem);
     error_free(ms->error);
+
+    /*
+     * We know we only have one intance of migration, and when reaching
+     * here it means migration object is gone.  Clear the global reference
+     * to reflect that.
+     */
+    current_migration = NULL;
 }
 
 static void migration_instance_init(Object *obj)
 {
     MigrationState *ms = MIGRATION_OBJ(obj);
 
+    /*
+     * There can only be one migration object globally. Keep a record of
+     * the pointer in current_migration, which will be reset after the
+     * object finalize().
+     *
+     * TODO: after migration/ code can always take a MigrationObject*
+     * pointer all over the place, logically we can drop current_migration
+     * variable.
+     */
+    assert(!current_migration);
+    current_migration = ms;
+
     ms->state = MIGRATION_STATUS_NONE;
     ms->mbps = -1;
     ms->pages_per_second = -1;
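Review bot: migration_instance_finalize() clears the global unconditionally; since `ms` is already in scope there, adding `assert(current_migration == ms);` before `current_migration = NULL;` would turn a finalize on any object other than the recorded instance into a loud failure instead of silently dropping the pointer to a still-live object, which matches the single-instance assumption the comment states. Minor: "intance" in the new finalize comment should be "instance".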
-- 
2.45.0
Thread overview: 11+ messages
2024-10-23 18:02 [PATCH v2 0/4] Migration: Make misc.h helpers available for whole VM lifecycle Peter Xu
2024-10-23 18:02 ` [PATCH v2 1/4] migration: Unexport dirty_bitmap_mig_init() in misc.h Peter Xu
2024-10-23 18:02 ` Peter Xu [this message]
2024-10-23 18:02 ` [PATCH v2 3/4] migration: Add global_migration Peter Xu
2024-10-23 18:02 ` [PATCH v2 4/4] migration: Make all helpers in misc.h safe to use without migration Peter Xu
2024-10-23 18:19   ` Peter Xu
2024-10-23 19:25 ` [PATCH v2 0/4] Migration: Make misc.h helpers available for whole VM lifecycle Peter Xu
2024-10-23 19:32 ` Fabiano Rosas
2024-10-23 20:03   ` Peter Xu
2024-10-23 21:03     ` Fabiano Rosas
2024-10-23 21:43       ` Peter Xu