{
  "commit": "27eb8499edb2bc952c29ddae0bdac9fc959bf7b1",
  "tree": "a82c4f9d7959ed2d37b0f0bd320a92c2a8093ef5",
  "parents": [
    "0a5d1108aba6308752a82201a441f957e5937211"
  ],
  "author": {
    "name": "Fabiano Rosas",
    "email": "farosas@suse.de",
    "time": "Fri Jan 19 20:39:18 2024 -0300"
  },
  "committer": {
    "name": "Peter Xu",
    "email": "peterx@redhat.com",
    "time": "Mon Jan 29 11:02:12 2024 +0800"
  },
  "message": "migration: Fix use-after-free of migration state object\n\nWe're currently allowing the process_incoming_migration_bh bottom-half\nto run without holding a reference to the 'current_migration' object,\nwhich leads to a segmentation fault if the BH is still live after\nmigration_shutdown() has dropped the last reference to\ncurrent_migration.\n\nIn my system the bug manifests as migrate_multifd() returning true\nwhen it shouldn't and multifd_load_shutdown() calling\nmultifd_recv_terminate_threads() which crashes due to an uninitialized\nmultifd_recv_state.\n\nFix the issue by holding a reference to the object when scheduling the\nBH and dropping it before returning from the BH. The same is already\ndone for the cleanup_bh at migrate_fd_cleanup_schedule().\n\nResolves: https://gitlab.com/qemu-project/qemu/-/issues/1969\nSigned-off-by: Fabiano Rosas <farosas@suse.de>\nLink: https://lore.kernel.org/r/20240119233922.32588-2-farosas@suse.de\nSigned-off-by: Peter Xu <peterx@redhat.com>\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "219447dea174ee69f3f9760fa9ee8fa0c804bbe7",
      "old_mode": 33188,
      "old_path": "migration/migration.c",
      "new_id": "cf17b68e57679bbd5d4a43a6e53543fb8a5e2df3",
      "new_mode": 33188,
      "new_path": "migration/migration.c"
    }
  ]
}
