Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/1.1/patches/2226561/?format=api
{ "id": 2226561, "url": "http://patchwork.ozlabs.org/api/1.1/patches/2226561/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260422161202.34150-2-viking4@gmail.com/", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/1.1/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "" }, "msgid": "<20260422161202.34150-2-viking4@gmail.com>", "date": "2026-04-22T16:12:02", "name": "[1/1] migration/multifd: fix channel count TOCTOU race on cancel and retry", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "999ab7544bdbbc4d07929484eee4a5c55b94ad91", "submitter": { "id": 92831, "url": "http://patchwork.ozlabs.org/api/1.1/people/92831/?format=api", "name": "Trieu Huynh", "email": "vikingtc4@gmail.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260422161202.34150-2-viking4@gmail.com/mbox/", "series": [ { "id": 501039, "url": "http://patchwork.ozlabs.org/api/1.1/series/501039/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=501039", "date": "2026-04-22T16:12:01", "name": "migration/multifd: fix channel count TOCTOU race on cancel and retry", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/501039/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2226561/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2226561/checks/", "tags": {}, "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=P79YSlRJ;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g145J1KtFz1yHB\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 23 Apr 2026 02:13:06 +1000 (AEST)", "from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wFaBn-0000RC-0u; Wed, 22 Apr 2026 12:12:36 -0400", "from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <vikingtc4@gmail.com>)\n id 1wFaBf-0000QT-IY\n for qemu-devel@nongnu.org; Wed, 22 Apr 2026 12:12:27 -0400", "from mail-pg1-x536.google.com ([2607:f8b0:4864:20::536])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.90_1) (envelope-from <vikingtc4@gmail.com>)\n id 1wFaBd-0005PU-6X\n for qemu-devel@nongnu.org; Wed, 22 Apr 2026 12:12:26 -0400", "by mail-pg1-x536.google.com with SMTP id\n 41be03b00d2f7-c7358a7a8d1so3488787a12.3\n for <qemu-devel@nongnu.org>; Wed, 22 Apr 2026 09:12:24 -0700 (PDT)", "from localhost.localdomain ([42.114.219.141])\n by smtp.gmail.com with ESMTPSA id\n d2e1a72fcca58-82f8e9cbb28sm16558138b3a.13.2026.04.22.09.12.19\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Wed, 22 Apr 2026 09:12:21 -0700 (PDT)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1776874342; x=1777479142; darn=nongnu.org;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=XIJNbJLFgEq2pH+htk4KgGE3k73wrk86Zv/GANULP9Q=;\n b=P79YSlRJ/M//wX5J0PRzWet9Y7difIEHeZdsRX1clD8R1iCtPaDpWbJT7sOIYpWiLy\n 686VStkMIHPkocCwcNk0zWDLeuvI/lcS5jPeequsev35hSeGNWGWBqZSUj05Z1VjkMJC\n yd0XA06QZ5ZkNz8Dw2it+wzDz/LFIjeYb6a2ywZsn8b61AemLpncfYpN4V49HaxpbzcE\n eAmFkhL3+IEJu90BZsjK+KAaDUHrfcEfQGpNZMBfFGRtWkcfxNefXuCg1O7R9TOVeMCu\n XnzEj5zlqz6QWpNing+ubZ+AFczGE8A9LhlB452ViYGmlLdtF8HUjNKgM+ZY0A5reJme\n GbLg==", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776874342; x=1777479142;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=XIJNbJLFgEq2pH+htk4KgGE3k73wrk86Zv/GANULP9Q=;\n b=LwmG0hGD2YIv+a+tGjEiDEbiPu6Xzp/NT0jz4pPpRwQb6j2aryWTHDL8kVns/T5IOm\n A3/QLw/kOu8v7c9fj7GBbFRnMsic2eigWWWx9L+MEqj7WIXgNC2lW89wurBkFFyb8WfE\n sEq/y+aAkNfwTVn6oYw5/3agN3E2TPVSEDhNW27b5/pHvgadi5RkmLHZJy6xQwIKWHaH\n RdZDl2bXjSeP65oJT8shCd5EGkrij1+MZ1ydBz+fM1OBn0ZfezY10xaDPlzcGCmnEo6a\n Z50PiShdN8sCN3mEN2HxtlF3NFgSSzqgPiQ+VY3D5csERS3nbqhTL1VBoQLcuVk9b+6y\n HM0w==", "X-Gm-Message-State": "AOJu0YxrIcOzxHEU5y7qs8u7jGIWp46BmPMeX6B2hBoWKPgVBolkk10/\n pexH2HZOGiEsJxSV0/p4IBamDykYJeqWfic93BxnoA4471+95Fw9t9Q1q+PI5g==", "X-Gm-Gg": "AeBDieuXAGJkysjo3eHfzgF80dPP4MVcO+MW2A7xd9G1E1GsBrQjCztPGWuowBa1yyE\n us7o0GbCk5Yj+AxLjl2nwdrS7GocjOpbFggvL13rGW5EEuHs1MhX70cTyaNXoVJYdD81Ciimx3y\n Yq8Zs6JiIOiEmJX7lBWnMrtQkzoL5XONTO5js5vDF578642vlotLo2/VvWyWKs9rvKxmnvxDY3j\n mDeRv0jVxRmpBOf6DkicxCl6WpISqQjdQ5LzCfRTCoSI6yaCUbHMLfg6CmVpGLUg3JaknPNYG5t\n T/KbwZ6gfLCJCWmij5GkcWNEiGybUdLRzkMa09TXBC1pZoNtPZlbjWlBqBEIUybswdJebSpysTb\n RuNHU//gEl9EEQgZQJYu5bHGoD31c0ErrxrFhSL71e0h0tUsrktQ6uxGJacmjs/3j7WfXwaz+tX\n VfG3DsXY6j1zMxqOi7hzm1x8c76mW+OyDU7ZQp2EmgR3PDaNcMqw/LUmrlMxS8j/UY6T9W", "X-Received": "by 2002:a05:6a21:e098:b0:3a1:d516:36f0 with SMTP id\n adf61e73a8af0-3a1d5163ab4mr17460252637.36.1776874342211;\n Wed, 22 Apr 2026 09:12:22 -0700 (PDT)", "From": "Trieu Huynh <vikingtc4@gmail.com>", "X-Google-Original-From": "Trieu Huynh <viking4@gmail.com>", "To": "qemu-devel@nongnu.org", "Cc": "Trieu Huynh <vikingtc4@gmail.com>, Peter Xu <peterx@redhat.com>,\n Fabiano Rosas <farosas@suse.de>", "Subject": "[PATCH 1/1] migration/multifd: fix channel count TOCTOU race on\n cancel and retry", "Date": "Wed, 22 Apr 2026 23:12:02 +0700", "Message-ID": "<20260422161202.34150-2-viking4@gmail.com>", "X-Mailer": "git-send-email 2.43.0", "In-Reply-To": "<20260422161202.34150-1-viking4@gmail.com>", "References": "<20260422161202.34150-1-viking4@gmail.com>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "Received-SPF": "pass client-ip=2607:f8b0:4864:20::536;\n envelope-from=vikingtc4@gmail.com; helo=mail-pg1-x536.google.com", "X-Spam_score_int": "-17", "X-Spam_score": "-1.8", "X-Spam_bar": "-", "X-Spam_report": "(-1.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001,\n RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,\n SPF_PASS=-0.001 autolearn=ham autolearn_force=no", "X-Spam_action": "no action", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "qemu development <qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org" }, "content": "From: Trieu Huynh <vikingtc4@gmail.com>\n\nWhen a multifd migration is cancelled and the user changes\nmultifd-channels via QMP before cleanup completes, the shutdown and\ntermination loops re-read migrate_multifd_channels() which now returns\nthe new value. This causes the loops to iterate over, for instance\nfewer channels than were created, leaving yank functions of the\nabandoned channels still registered when yank_unregister_instance()\nis called, triggering an abort:\n qemu-system-x86_64: ../util/yank.c:107: yank_unregister_instance:\n Assertion `QLIST_EMPTY(&entry->yankfns)' failed.\n Aborted (core dumped)\n\nFix by storing the channel count at setup time and using that frozen\nvalue in all subsequent loops. The live parameter\nmigrate_multifd_channels() is now only read once during setup, ensuring\nteardown always operates on the exact set of channels that were created.\n\nSigned-off-by: Trieu Huynh <vikingtc4@gmail.com>\n---\n migration/multifd.c | 13 ++++++++-----\n 1 file changed, 8 insertions(+), 5 deletions(-)", "diff": "diff --git a/migration/multifd.c b/migration/multifd.c\nindex 035cb70f7b..69c8f6747b 100644\n--- a/migration/multifd.c\n+++ b/migration/multifd.c\n@@ -75,6 +75,8 @@ struct {\n int exiting;\n /* multifd ops */\n const MultiFDMethods *ops;\n+ /* number of channels created (fixed at setup) */\n+ int channel_num;\n } *multifd_send_state;\n \n struct {\n@@ -483,7 +485,7 @@ static void multifd_send_terminate_threads(void)\n * Firstly, kick all threads out; no matter whether they are just idle,\n * or blocked in an IO system call.\n */\n- for (i = 0; i < migrate_multifd_channels(); i++) {\n+ for (i = 0; i < multifd_send_state->channel_num; i++) {\n MultiFDSendParams *p = &multifd_send_state->params[i];\n \n qemu_sem_post(&p->sem);\n@@ -495,7 +497,7 @@ static void multifd_send_terminate_threads(void)\n /*\n * Finally recycle all the threads.\n */\n- for (i = 0; i < migrate_multifd_channels(); i++) {\n+ for (i = 0; i < multifd_send_state->channel_num; i++) {\n MultiFDSendParams *p = &multifd_send_state->params[i];\n \n if (p->tls_thread_created) {\n@@ -577,7 +579,7 @@ void multifd_send_shutdown(void)\n \n multifd_send_terminate_threads();\n \n- for (i = 0; i < migrate_multifd_channels(); i++) {\n+ for (i = 0; i < multifd_send_state->channel_num; i++) {\n MultiFDSendParams *p = &multifd_send_state->params[i];\n Error *local_err = NULL;\n \n@@ -615,7 +617,7 @@ int multifd_send_sync_main(MultiFDSyncReq req)\n \n flush_zero_copy = migrate_zero_copy_send();\n \n- for (i = 0; i < migrate_multifd_channels(); i++) {\n+ for (i = 0; i < multifd_send_state->channel_num; i++) {\n MultiFDSendParams *p = &multifd_send_state->params[i];\n \n if (multifd_send_should_exit()) {\n@@ -632,7 +634,7 @@ int multifd_send_sync_main(MultiFDSyncReq req)\n qatomic_set(&p->pending_sync, req);\n qemu_sem_post(&p->sem);\n }\n- for (i = 0; i < migrate_multifd_channels(); i++) {\n+ for (i = 0; i < multifd_send_state->channel_num; i++) {\n MultiFDSendParams *p = &multifd_send_state->params[i];\n \n if (multifd_send_should_exit()) {\n@@ -926,6 +928,7 @@ bool multifd_send_setup(void)\n thread_count = migrate_multifd_channels();\n multifd_send_state = g_malloc0(sizeof(*multifd_send_state));\n multifd_send_state->params = g_new0(MultiFDSendParams, thread_count);\n+ multifd_send_state->channel_num = thread_count;\n qemu_mutex_init(&multifd_send_state->multifd_send_mutex);\n qemu_sem_init(&multifd_send_state->channels_created, 0);\n qemu_sem_init(&multifd_send_state->channels_ready, 0);\n", "prefixes": [ "1/1" ] }