Fabiano Rosas <[email protected]> writes:

> We're currently allowing the process_incoming_migration_bh bottom-half
> to run without holding a reference to the 'current_migration' object,
> which leads to a segmentation fault if the BH is still live after
> migration_shutdown() has dropped the last reference to
> current_migration.
>
> In my system the bug manifests as migrate_multifd() returning true
> when it shouldn't and multifd_load_shutdown() calling
> multifd_recv_terminate_threads() which crashes due to an uninitialized
> multifd_recv_state.
>
> Fix the issue by holding a reference to the object when scheduling the
> BH and dropping it before returning from the BH. The same is already
> done for the cleanup_bh at migrate_fd_cleanup_schedule().
>
> Signed-off-by: Fabiano Rosas <[email protected]>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1969
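The lifetime problem described in the quoted commit message, replayed as an added stand-alone example (not QEMU code and not from the patch): a reference-counted object, a one-slot bottom-half queue, and the ordering from the report, BH scheduled, shutdown drops what may be the last reference, BH runs. MigState, mig_ref(), mig_unref(), bh_schedule() and bh_run_all() are assumed stand-ins for MigrationState, object_ref()/object_unref() and QEMU's BH machinery; the "freed" object is kept addressable with an alive flag so the stale access is counted instead of segfaulting.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for a reference-counted MigrationState (not QEMU's type). */
typedef struct MigState {
    int  refcount;
    bool alive;   /* false once the last reference has been dropped */
} MigState;

/* Static storage so a "freed" object stays addressable for the demo;
 * the real code frees it, which is why the real BH crashes. */
static MigState pool;
static MigState *current_migration;

static MigState *mig_new(void)
{
    pool.refcount = 1;
    pool.alive = true;
    current_migration = &pool;
    return current_migration;
}

static void mig_ref(MigState *s) { s->refcount++; }

static void mig_unref(MigState *s)
{
    if (--s->refcount == 0) {
        s->alive = false;   /* stands in for free(s) */
    }
}

/* Single-slot bottom-half queue (stand-in for qemu_bh_schedule). */
typedef void (*bh_fn)(void *opaque);
static struct { bh_fn fn; void *opaque; bool pending; } bh;

static void bh_schedule(bh_fn fn, void *opaque)
{
    bh.fn = fn;
    bh.opaque = opaque;
    bh.pending = true;
}

static void bh_run_all(void)
{
    if (bh.pending) {
        bh.pending = false;
        bh.fn(bh.opaque);
    }
}

/* Number of BH runs that found their object already torn down. */
static int dead_accesses;

/* Buggy variant: runs on a raw pointer, no reference held. */
static void incoming_bh_unsafe(void *opaque)
{
    MigState *s = opaque;
    if (!s->alive) {
        dead_accesses++;    /* use-after-free in the real code */
        return;
    }
    /* completion work would go here */
}

/* Fixed variant: owns one reference, dropped before returning. */
static void incoming_bh_safe(void *opaque)
{
    MigState *s = opaque;
    if (!s->alive) {
        dead_accesses++;    /* cannot happen while we hold a reference */
    }
    /* completion work would go here */
    mig_unref(s);           /* drop the reference taken at schedule time */
}

static void schedule_incoming(MigState *s, bool hold_ref)
{
    if (hold_ref) {
        mig_ref(s);         /* the fix: reference taken when scheduling */
        bh_schedule(incoming_bh_safe, s);
    } else {
        bh_schedule(incoming_bh_unsafe, s);
    }
}

static void migration_shutdown(void)
{
    MigState *s = current_migration;
    current_migration = NULL;
    mig_unref(s);           /* may be the last reference */
}

/* Replays the report's ordering; returns how many BH runs hit a dead object. */
int replay(bool hold_ref)
{
    dead_accesses = 0;
    MigState *s = mig_new();
    schedule_incoming(s, hold_ref);
    migration_shutdown();
    bh_run_all();
    return dead_accesses;
}

/* The fix must not leak: once the BH has run, the object is released. */
bool object_released_after_replay(bool hold_ref)
{
    replay(hold_ref);
    return !pool.alive && pool.refcount == 0;
}

int main(void)
{
    printf("without reference: %d dead access(es)\n", replay(false));
    printf("with reference:    %d dead access(es)\n", replay(true));
    return 0;
}
```

The point the replay makes is that the BH's own reference, not the global pointer, is what keeps the object valid across migration_shutdown(); the matching unref at the end of the BH is what keeps the fix from turning the crash into a leak.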
