{"id":2226561,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2226561/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260422161202.34150-2-viking4@gmail.com/","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/1.1/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260422161202.34150-2-viking4@gmail.com>","date":"2026-04-22T16:12:02","name":"[1/1] migration/multifd: fix channel count TOCTOU race on cancel and retry","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"999ab7544bdbbc4d07929484eee4a5c55b94ad91","submitter":{"id":92831,"url":"http://patchwork.ozlabs.org/api/1.1/people/92831/?format=json","name":"Trieu Huynh","email":"vikingtc4@gmail.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260422161202.34150-2-viking4@gmail.com/mbox/","series":[{"id":501039,"url":"http://patchwork.ozlabs.org/api/1.1/series/501039/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/list/?series=501039","date":"2026-04-22T16:12:01","name":"migration/multifd: fix channel count TOCTOU race on cancel and retry","version":1,"mbox":"http://patchwork.ozlabs.org/series/501039/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2226561/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2226561/checks/","tags":{},"headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=P79YSlRJ;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) 
smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g145J1KtFz1yHB\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 23 Apr 2026 02:13:06 +1000 (AEST)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wFaBn-0000RC-0u; Wed, 22 Apr 2026 12:12:36 -0400","from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <vikingtc4@gmail.com>)\n id 1wFaBf-0000QT-IY\n for qemu-devel@nongnu.org; Wed, 22 Apr 2026 12:12:27 -0400","from mail-pg1-x536.google.com ([2607:f8b0:4864:20::536])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.90_1) (envelope-from <vikingtc4@gmail.com>)\n id 1wFaBd-0005PU-6X\n for qemu-devel@nongnu.org; Wed, 22 Apr 2026 12:12:26 -0400","by mail-pg1-x536.google.com with SMTP id\n 41be03b00d2f7-c7358a7a8d1so3488787a12.3\n for <qemu-devel@nongnu.org>; Wed, 22 Apr 2026 09:12:24 -0700 (PDT)","from localhost.localdomain ([42.114.219.141])\n by smtp.gmail.com with ESMTPSA id\n d2e1a72fcca58-82f8e9cbb28sm16558138b3a.13.2026.04.22.09.12.19\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Wed, 22 Apr 2026 09:12:21 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1776874342; x=1777479142; darn=nongnu.org;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=XIJNbJLFgEq2pH+htk4KgGE3k73wrk86Zv/GANULP9Q=;\n 
b=P79YSlRJ/M//wX5J0PRzWet9Y7difIEHeZdsRX1clD8R1iCtPaDpWbJT7sOIYpWiLy\n 686VStkMIHPkocCwcNk0zWDLeuvI/lcS5jPeequsev35hSeGNWGWBqZSUj05Z1VjkMJC\n yd0XA06QZ5ZkNz8Dw2it+wzDz/LFIjeYb6a2ywZsn8b61AemLpncfYpN4V49HaxpbzcE\n eAmFkhL3+IEJu90BZsjK+KAaDUHrfcEfQGpNZMBfFGRtWkcfxNefXuCg1O7R9TOVeMCu\n XnzEj5zlqz6QWpNing+ubZ+AFczGE8A9LhlB452ViYGmlLdtF8HUjNKgM+ZY0A5reJme\n GbLg==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776874342; x=1777479142;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=XIJNbJLFgEq2pH+htk4KgGE3k73wrk86Zv/GANULP9Q=;\n b=LwmG0hGD2YIv+a+tGjEiDEbiPu6Xzp/NT0jz4pPpRwQb6j2aryWTHDL8kVns/T5IOm\n A3/QLw/kOu8v7c9fj7GBbFRnMsic2eigWWWx9L+MEqj7WIXgNC2lW89wurBkFFyb8WfE\n sEq/y+aAkNfwTVn6oYw5/3agN3E2TPVSEDhNW27b5/pHvgadi5RkmLHZJy6xQwIKWHaH\n RdZDl2bXjSeP65oJT8shCd5EGkrij1+MZ1ydBz+fM1OBn0ZfezY10xaDPlzcGCmnEo6a\n Z50PiShdN8sCN3mEN2HxtlF3NFgSSzqgPiQ+VY3D5csERS3nbqhTL1VBoQLcuVk9b+6y\n HM0w==","X-Gm-Message-State":"AOJu0YxrIcOzxHEU5y7qs8u7jGIWp46BmPMeX6B2hBoWKPgVBolkk10/\n pexH2HZOGiEsJxSV0/p4IBamDykYJeqWfic93BxnoA4471+95Fw9t9Q1q+PI5g==","X-Gm-Gg":"AeBDieuXAGJkysjo3eHfzgF80dPP4MVcO+MW2A7xd9G1E1GsBrQjCztPGWuowBa1yyE\n us7o0GbCk5Yj+AxLjl2nwdrS7GocjOpbFggvL13rGW5EEuHs1MhX70cTyaNXoVJYdD81Ciimx3y\n Yq8Zs6JiIOiEmJX7lBWnMrtQkzoL5XONTO5js5vDF578642vlotLo2/VvWyWKs9rvKxmnvxDY3j\n mDeRv0jVxRmpBOf6DkicxCl6WpISqQjdQ5LzCfRTCoSI6yaCUbHMLfg6CmVpGLUg3JaknPNYG5t\n T/KbwZ6gfLCJCWmij5GkcWNEiGybUdLRzkMa09TXBC1pZoNtPZlbjWlBqBEIUybswdJebSpysTb\n RuNHU//gEl9EEQgZQJYu5bHGoD31c0ErrxrFhSL71e0h0tUsrktQ6uxGJacmjs/3j7WfXwaz+tX\n VfG3DsXY6j1zMxqOi7hzm1x8c76mW+OyDU7ZQp2EmgR3PDaNcMqw/LUmrlMxS8j/UY6T9W","X-Received":"by 2002:a05:6a21:e098:b0:3a1:d516:36f0 with SMTP id\n adf61e73a8af0-3a1d5163ab4mr17460252637.36.1776874342211;\n Wed, 22 Apr 2026 09:12:22 -0700 (PDT)","From":"Trieu Huynh 
<vikingtc4@gmail.com>","X-Google-Original-From":"Trieu Huynh <viking4@gmail.com>","To":"qemu-devel@nongnu.org","Cc":"Trieu Huynh <vikingtc4@gmail.com>, Peter Xu <peterx@redhat.com>,\n Fabiano Rosas <farosas@suse.de>","Subject":"[PATCH 1/1] migration/multifd: fix channel count TOCTOU race on\n cancel and retry","Date":"Wed, 22 Apr 2026 23:12:02 +0700","Message-ID":"<20260422161202.34150-2-viking4@gmail.com>","X-Mailer":"git-send-email 2.43.0","In-Reply-To":"<20260422161202.34150-1-viking4@gmail.com>","References":"<20260422161202.34150-1-viking4@gmail.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","Received-SPF":"pass client-ip=2607:f8b0:4864:20::536;\n envelope-from=vikingtc4@gmail.com; helo=mail-pg1-x536.google.com","X-Spam_score_int":"-17","X-Spam_score":"-1.8","X-Spam_bar":"-","X-Spam_report":"(-1.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001,\n RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,\n SPF_PASS=-0.001 autolearn=ham autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development <qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<https://lists.nongnu.org/archive/html/qemu-devel>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"},"content":"From: Trieu Huynh <vikingtc4@gmail.com>\n\nWhen a multifd migration is cancelled and the user changes\nmultifd-channels via QMP 
before cleanup completes, the shutdown and\ntermination loops re-read migrate_multifd_channels() which now returns\nthe new value. This causes the loops to iterate over, for instance\nfewer channels than were created, leaving yank functions of the\nabandoned channels still registered when yank_unregister_instance()\nis called, triggering an abort:\n  qemu-system-x86_64: ../util/yank.c:107: yank_unregister_instance:\n  Assertion `QLIST_EMPTY(&entry->yankfns)' failed.\n  Aborted (core dumped)\n\nFix by storing the channel count at setup time and using that frozen\nvalue in all subsequent loops. The live parameter\nmigrate_multifd_channels() is now only read once during setup, ensuring\nteardown always operates on the exact set of channels that were created.\n\nSigned-off-by: Trieu Huynh <vikingtc4@gmail.com>\n---\n migration/multifd.c | 13 ++++++++-----\n 1 file changed, 8 insertions(+), 5 deletions(-)","diff":"diff --git a/migration/multifd.c b/migration/multifd.c\nindex 035cb70f7b..69c8f6747b 100644\n--- a/migration/multifd.c\n+++ b/migration/multifd.c\n@@ -75,6 +75,8 @@ struct {\n     int exiting;\n     /* multifd ops */\n     const MultiFDMethods *ops;\n+    /* number of channels created (fixed at setup) */\n+    int channel_num;\n } *multifd_send_state;\n \n struct {\n@@ -483,7 +485,7 @@ static void multifd_send_terminate_threads(void)\n      * Firstly, kick all threads out; no matter whether they are just idle,\n      * or blocked in an IO system call.\n      */\n-    for (i = 0; i < migrate_multifd_channels(); i++) {\n+    for (i = 0; i < multifd_send_state->channel_num; i++) {\n         MultiFDSendParams *p = &multifd_send_state->params[i];\n \n         qemu_sem_post(&p->sem);\n@@ -495,7 +497,7 @@ static void multifd_send_terminate_threads(void)\n     /*\n      * Finally recycle all the threads.\n      */\n-    for (i = 0; i < migrate_multifd_channels(); i++) {\n+    for (i = 0; i < multifd_send_state->channel_num; i++) {\n         MultiFDSendParams *p = 
&multifd_send_state->params[i];\n \n         if (p->tls_thread_created) {\n@@ -577,7 +579,7 @@ void multifd_send_shutdown(void)\n \n     multifd_send_terminate_threads();\n \n-    for (i = 0; i < migrate_multifd_channels(); i++) {\n+    for (i = 0; i < multifd_send_state->channel_num; i++) {\n         MultiFDSendParams *p = &multifd_send_state->params[i];\n         Error *local_err = NULL;\n \n@@ -615,7 +617,7 @@ int multifd_send_sync_main(MultiFDSyncReq req)\n \n     flush_zero_copy = migrate_zero_copy_send();\n \n-    for (i = 0; i < migrate_multifd_channels(); i++) {\n+    for (i = 0; i < multifd_send_state->channel_num; i++) {\n         MultiFDSendParams *p = &multifd_send_state->params[i];\n \n         if (multifd_send_should_exit()) {\n@@ -632,7 +634,7 @@ int multifd_send_sync_main(MultiFDSyncReq req)\n         qatomic_set(&p->pending_sync, req);\n         qemu_sem_post(&p->sem);\n     }\n-    for (i = 0; i < migrate_multifd_channels(); i++) {\n+    for (i = 0; i < multifd_send_state->channel_num; i++) {\n         MultiFDSendParams *p = &multifd_send_state->params[i];\n \n         if (multifd_send_should_exit()) {\n@@ -926,6 +928,7 @@ bool multifd_send_setup(void)\n     thread_count = migrate_multifd_channels();\n     multifd_send_state = g_malloc0(sizeof(*multifd_send_state));\n     multifd_send_state->params = g_new0(MultiFDSendParams, thread_count);\n+    multifd_send_state->channel_num = thread_count;\n     qemu_mutex_init(&multifd_send_state->multifd_send_mutex);\n     qemu_sem_init(&multifd_send_state->channels_created, 0);\n     qemu_sem_init(&multifd_send_state->channels_ready, 0);\n","prefixes":["1/1"]}
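Review bot: in the multifd_send_setup hunk, channel_num is assigned immediately after params is allocated with thread_count, i.e. before any channel thread has actually been created. The commit message says teardown now "operates on the exact set of channels that were created", but channel_num records the number allocated, not the number created, so every failure path between the g_new0 and the end of thread creation must leave params entries 0..channel_num-1 in a state the shutdown/terminate loops can safely walk (semaphores initialised, tls_thread_created/thread_created flags cleared). The original code had the same exposure, but the new field makes the assumption explicit; please either state in the struct comment that channel_num is the allocated count and teardown must tolerate partially initialised entries, or set it only once creation has succeeded.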
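Review bot: the struct hunk adds `int channel_num;` with the comment "fixed at setup" but says nothing about its concurrency contract. It is written once on the setup thread and read from multifd_send_terminate_threads, multifd_send_shutdown and multifd_send_sync_main, which run on other threads, so the safety argument is that it is immutable after multifd_send_setup() returns. Please spell that out in the comment ("written only in multifd_send_setup(); never re-read migrate_multifd_channels() for teardown") so a later change does not turn it into a second mutable copy of the parameter and reintroduce the race.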
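Review bot: the two multifd_send_sync_main hunks change loops on the live migration path, not on the cancel/teardown path the commit message describes. That conversion is worthwhile in its own right (a multifd-channels change mid-migration would otherwise make the sync loop post to or wait on a different number of channels than were set up), but the commit message only mentions "the shutdown and termination loops"; please add a sentence noting that the sync path is converted for the same reason so the behaviour change there is documented rather than incidental.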
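Review bot: the diff converts only multifd_send_state, yet the commit message claims migrate_multifd_channels() "is now only read once during setup". If the receive side (multifd_recv_state) or any other multifd.c path still loops over migrate_multifd_channels() during cleanup, it is exposed to the same parameter change and the claim is too strong; please either convert those call sites in the same patch or explain in the message why the receive side is unaffected. A qtest that starts a multifd migration, cancels it, then lowers multifd-channels via QMP before cleanup completes would both reproduce the yank_unregister_instance assertion quoted in the message and guard against the race coming back. Independently, it may be worth rejecting a multifd-channels change in the parameter setter while multifd_send_state is non-NULL, since freezing the count at setup hides the inconsistency rather than preventing it.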