From: Laurent Vivier <[email protected]> If we close the QEMUFile descriptor in process_incoming_migration_co() while it has been stopped by an error, the postcopy_ram_listen_thread() can try to continue to use it. And as the memory has been freed, it is working with an invalid pointer and crashes.
Fix this by releasing the memory after having managed the error case (which, in fact, calls exit()) Signed-off-by: Laurent Vivier <[email protected]> Reviewed-by: Dr. David Alan Gilbert <[email protected]> Reviewed-by: Juan Quintela <[email protected]> Reviewed-by: Amit Shah <[email protected]> Reviewed-by: Stefan Hajnoczi <[email protected]> Signed-off-by: Juan Quintela <[email protected]> --- migration/migration.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/migration/migration.c b/migration/migration.c index a92d7f7..31e8141 100644 --- a/migration/migration.c +++ b/migration/migration.c @@ -435,17 +435,17 @@ static void process_incoming_migration_co(void *opaque) qemu_thread_join(&mis->colo_incoming_thread); } + if (ret < 0) { + migrate_set_state(&mis->state, MIGRATION_STATUS_ACTIVE, + MIGRATION_STATUS_FAILED); + error_report("load of migration failed: %s", strerror(-ret)); + migrate_decompress_threads_join(); + exit(EXIT_FAILURE); + } + qemu_fclose(f); free_xbzrle_decoded_buf(); - if (ret < 0) { - migrate_set_state(&mis->state, MIGRATION_STATUS_ACTIVE, - MIGRATION_STATUS_FAILED); - error_report("load of migration failed: %s", strerror(-ret)); - migrate_decompress_threads_join(); - exit(EXIT_FAILURE); - } - mis->bh = qemu_bh_new(process_incoming_migration_bh, mis); qemu_bh_schedule(mis->bh); } -- 2.9.3
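Review bot: the reordered `if (ret < 0)` block now reaches `exit(EXIT_FAILURE)` with `f` still open and the xbzrle buffer still allocated, and nothing in the hunk records that this is deliberate; a later cleanup could easily move `qemu_fclose(f)` back in front of the error check and reintroduce the use-after-free on the listen thread. Suggest a one-line comment above the error block, e.g. `/* Do not qemu_fclose(f) here: postcopy_ram_listen_thread() may still be using it */`, so the ordering constraint from the commit message is visible in the code itself. Worth noting in review as well that the error path still only calls `migrate_decompress_threads_join()` and does not stop or join the postcopy listen thread; the fix is sound because `exit()` ends the process, but the change relies on that rather than on tearing the thread down, and the comment should say so.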
