Zhenzhong Duan <[email protected]> writes: > After CPR transfer, source QEMU close kvm fd and free kvm_state, > "query-balloon" will check kvm_state->sync_mmu and trigger NULL > pointer reference. > > Signed-off-by: Zhenzhong Duan <[email protected]> > --- > accel/kvm/kvm-all.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c > index 9060599cd7..a3e2d11763 100644 > --- a/accel/kvm/kvm-all.c > +++ b/accel/kvm/kvm-all.c > @@ -3479,7 +3479,7 @@ int kvm_device_access(int fd, int group, uint64_t attr, > > bool kvm_has_sync_mmu(void) > { > - return kvm_state->sync_mmu; > + return kvm_state && kvm_state->sync_mmu; > } > > int kvm_has_vcpu_events(void)
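Review bot: the `kvm_state && kvm_state->sync_mmu` check in the kvm_has_sync_mmu() hunk silently turns a use-after-free into a "no sync MMU" answer, so "query-balloon" will now report as if the guest had no sync MMU instead of crashing; the commit message should say why that return value is acceptable once the source QEMU has closed its kvm fd, or the balloon query path should be gated on the accelerator still being live rather than on the pointer. The hunk's own trailing context shows the neighbouring accessor `int kvm_has_vcpu_events(void)`, which follows the same `kvm_state->field` pattern, so a one-off NULL test here leaves the same class of dereference in place; either keep kvm_state valid after CPR transfer or audit the other accessors in the same change.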
This dereference could signify there's a general assumption *kvm_state is valid, i.e. there might be more dereferences hiding in the code. Have you checked? Is freeing @kvm_state after CPR transfer useful?
