Hi, When qemu does live migration with xbzrle, it allocates decoded_buf at the destination end but frees it at the source end. This can crash qemu with a double-free error in some scenarios.
Signed-off-by: chenliang <chenlian...@huawei.com>
---
 arch_init.c | 9 ++++++++-
 include/migration/migration.h | 1 +
 migration.c | 1 +
 3 files changed, 10 insertions(+), 1 deletions(-)

diff --git a/arch_init.c b/arch_init.c
index e0acbc5..0453f84 100644
--- a/arch_init.c
+++ b/arch_init.c
@@ -572,6 +572,14 @@ uint64_t ram_bytes_total(void)
 return total;
 }
 
+void free_xbzrle_decoded_buf(void)
+{
+ if (XBZRLE.decoded_buf) {
+ g_free(XBZRLE.decoded_buf);
+ XBZRLE.decoded_buf = NULL;
+ }
+}
+
 static void migration_end(void)
 {
 if (migration_bitmap) {
@@ -585,7 +593,6 @@ static void migration_end(void)
 g_free(XBZRLE.cache);
 g_free(XBZRLE.encoded_buf);
 g_free(XBZRLE.current_buf);
- g_free(XBZRLE.decoded_buf);
 XBZRLE.cache = NULL;
 }
 }
diff --git a/include/migration/migration.h b/include/migration/migration.h
index 140e6b4..9314511 100644
--- a/include/migration/migration.h
+++ b/include/migration/migration.h
@@ -98,6 +98,7 @@ MigrationState *migrate_get_current(void);
 uint64_t ram_bytes_remaining(void);
 uint64_t ram_bytes_transferred(void);
 uint64_t ram_bytes_total(void);
+void free_xbzrle_decoded_buf(void);
 
 void acct_update_position(QEMUFile *f, size_t size, bool zero);
 
diff --git a/migration.c b/migration.c
index 2b1ab20..310c8bf 100644
--- a/migration.c
+++ b/migration.c
@@ -104,6 +104,7 @@ static void process_incoming_migration_co(void *opaque)
 
 ret = qemu_loadvm_state(f);
 qemu_fclose(f);
+ free_xbzrle_decoded_buf();
 if (ret < 0) {
 fprintf(stderr, "load of migration failed\n");
 exit(EXIT_FAILURE);
-- 
1.6.0.2

Best regards,
-Gonglei
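Review bot: The NULL guard in free_xbzrle_decoded_buf is redundant, since g_free(NULL) is a no-op; the body can be just `g_free(XBZRLE.decoded_buf);` followed by `XBZRLE.decoded_buf = NULL;`. The reset to NULL is the part that actually matters here — it is what keeps a repeated call, or a later migration_end, from freeing the same pointer a second time. A short comment above the function stating that decoded_buf is owned by the incoming (destination) side, and is therefore deliberately no longer released in migration_end, would make the split ownership visible to the next reader.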
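Review bot: After the removed line, migration_end still frees XBZRLE.encoded_buf and XBZRLE.current_buf but only resets XBZRLE.cache to NULL, leaving those two members dangling in the global; that is the same shape of problem this commit fixes for decoded_buf. Resetting them next to the cache, `XBZRLE.encoded_buf = NULL;` and `XBZRLE.current_buf = NULL;`, would close it, assuming the enclosing condition (not visible in the hunk) tests only XBZRLE.cache. The rest of migration_end lies outside the hunk.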
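Review bot: The new free_xbzrle_decoded_buf() call is placed before the ret < 0 check, so the buffer is released on both the success path and the path that exits, which is correct but reads as arbitrary without a comment. A one-line note such as `/* decoded_buf is allocated on the incoming side; release it once the stream has been loaded */` would tie this call to the ownership change made in arch_init.c. The enclosing process_incoming_migration_co continues outside the hunk.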