From 109e5756e7762fed376b64c2dcbafc865f32c17d Mon Sep 17 00:00:00 2001 From: Pavel Grunt Date: Fri, 22 Apr 2016 16:47:48 +0200 Subject: [PATCH] channel: Abort migration in delayed unref When channel is unref'ed during migration migrate_channel_event_cb is called causing a crash by coroutine yielding to nonexistent channel. The delayed_unref happens for the target host channel and will only occur when the migration process fails. As comment in spice_channel_coroutine says: Co-routine exits now - the SpiceChannel object may no longer exist, so don't do anything else now unless you like SEGVs Related: rhbz#1318574 Acked-by: Victor Toso --- src/spice-channel.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/spice-channel.c b/src/spice-channel.c index 19237b3..7b0a3dc 100644 --- a/src/spice-channel.c +++ b/src/spice-channel.c @@ -2296,6 +2296,7 @@ static gboolean spice_channel_delayed_unref(gpointer data) SpiceChannel *channel = SPICE_CHANNEL(data); SpiceChannelPrivate *c = channel->priv; gboolean was_ready = c->state == SPICE_CHANNEL_STATE_READY; + SpiceSession *session; CHANNEL_DEBUG(channel, "Delayed unref channel %p", channel); @@ -2303,6 +2304,13 @@ static gboolean spice_channel_delayed_unref(gpointer data) c->state = SPICE_CHANNEL_STATE_UNCONNECTED; + session = spice_channel_get_session(channel); + if (spice_session_is_for_migration(session)) { + /* error during migration - abort migration */ + spice_session_abort_migration(session); + return FALSE; + } + if (c->event != SPICE_CHANNEL_NONE) { g_coroutine_signal_emit(channel, signals[SPICE_CHANNEL_EVENT], 0, c->event); c->event = SPICE_CHANNEL_NONE;