[Spice-devel] [PATCH spice-gtk 2/2] channel: Abort migration in delayed unref

Victor Toso lists at victortoso.com
Tue Apr 26 10:05:42 UTC 2016 

Hi,

On Fri, Apr 22, 2016 at 04:47:48PM +0200, Pavel Grunt wrote:
> When channel is unref'ed during migration migrate_channel_event_cb
> is called causing a crash by coroutine yielding to nonexistent channel.
>
> As comment in spice_channel_coroutine says:
>   Co-routine exits now - the SpiceChannel object may no longer exist,
>   so don't do anything else now unless you like SEGVs
> 
> Related: rhbz#1318574
> ---
>  src/spice-channel.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/src/spice-channel.c b/src/spice-channel.c
> index 19237b3..7b0a3dc 100644
> --- a/src/spice-channel.c
> +++ b/src/spice-channel.c
> @@ -2296,6 +2296,7 @@ static gboolean spice_channel_delayed_unref(gpointer data)
>      SpiceChannel *channel = SPICE_CHANNEL(data);
>      SpiceChannelPrivate *c = channel->priv;
>      gboolean was_ready = c->state == SPICE_CHANNEL_STATE_READY;
> +    SpiceSession *session;
>  
>      CHANNEL_DEBUG(channel, "Delayed unref channel %p", channel);
>  
> @@ -2303,6 +2304,13 @@ static gboolean spice_channel_delayed_unref(gpointer data)
>  
>      c->state = SPICE_CHANNEL_STATE_UNCONNECTED;
>  
> +    session = spice_channel_get_session(channel);
> +    if (spice_session_is_for_migration(session)) {
> +        /* error during migration - abort migration */
> +        spice_session_abort_migration(session);
> +        return FALSE;
> +    }
> +

Just to be sure if I got it right. The migration fails for some reason which
triggers and error in the migration process for spice-gtk. That will make the
channel for the target host to be delayed_unref.

If we don't spice_session_abort_migration() now, migrate_channel_event_cb() will
be called for the channel for the former host which will try to yield to a
coroutine and cause the crash.

Does this only happen under failure in the migration like [0] or it could happen
if we do cancel the migration in the right moment?

[0] https://bugs.freedesktop.org/show_bug.cgi?id=92019

Cheers,
  toso

>      if (c->event != SPICE_CHANNEL_NONE) {
>          g_coroutine_signal_emit(channel, signals[SPICE_CHANNEL_EVENT], 0, c->event);
>          c->event = SPICE_CHANNEL_NONE;
> -- 
> 2.8.1
> 
> _______________________________________________
> Spice-devel mailing list
> Spice-devel at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/spice-devel

More information about the Spice-devel mailing list