On 9/28/2025 4:54 AM, Zhenzhong Duan wrote:
After CPR transfer, source QEMU closes the kvm fd and sets kvm_state to NULL,
so "query-balloon" will check kvm_state->sync_mmu and trigger a NULL pointer
dereference.
We don't need to NULL kvm_state, as the state in kvm_state isn't actually
released. Just closing the kvm fd is enough, so we can still query state
through the "query_*" QMP commands.
IMO this does not make sense. Much of the state in kvm_state was derived
from ioctls on the descriptors, and closing them invalidates it. Asking
historical questions about what used to be makes no sense.
Clearing kvm_state and setting kvm_allowed=false would be a safer fix.
- Steve
Opportunistically drop an unnecessary check in kvm_close().
Fixes: 7ed0919119b0 ("migration: close kvm after cpr")
Suggested-by: Markus Armbruster <[email protected]>
Signed-off-by: Zhenzhong Duan <[email protected]>
---
accel/kvm/kvm-all.c | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
index 23fd491441..b4c717290d 100644
--- a/accel/kvm/kvm-all.c
+++ b/accel/kvm/kvm-all.c
@@ -639,13 +639,10 @@ void kvm_close(void)
cpu->kvm_vcpu_stats_fd = -1;
}
- if (kvm_state && kvm_state->fd != -1) {
- close(kvm_state->vmfd);
- kvm_state->vmfd = -1;
- close(kvm_state->fd);
- kvm_state->fd = -1;
- }
- kvm_state = NULL;
+ close(kvm_state->vmfd);
+ kvm_state->vmfd = -1;
+ close(kvm_state->fd);
+ kvm_state->fd = -1;
}
/*
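Review bot: the removed guard `if (kvm_state && kvm_state->fd != -1)` did two things the replacement no longer does: it tolerated kvm_close() being reached with kvm_state NULL, and it turned a second call into a no-op instead of a close(-1) on both descriptors. The commit message calls the check unnecessary but does not say why neither case can happen, so either keep an early `if (!kvm_state || kvm_state->fd == -1) return;` at the top of the function or record the invariant in a comment. Separately, leaving kvm_state populated after vmfd and fd are closed means QMP queries now read fields that were derived from ioctls on descriptors that no longer exist; a "closed" marker (or clearing kvm_allowed, as suggested in the thread) that lets those queries return an error instead of stale data would be the safer shape.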