migration: Accept 'cont' only after successful incoming migration

When a 'cont' is issued on a VM that's just waiting for an incoming migration, the VM reboots and boots into the guest, possibly corrupting its storage since it could be shared with another VM running elsewhere. Ensure that a VM started with '-incoming' is only run when an incoming migration successfully completes. A new qerror, QERR_MIGRATION_EXPECTED, is added to signal that 'cont' failed due to no incoming migration has been attempted yet. Reported-by: Laine Stump <laine@redhat.com> Signed-off-by: Amit Shah <amit.shah@redhat.com> Reviewed-by: Luiz Capitulino <lcapitulino@redhat.com> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
2025-01-26 15:40:11 +08:00 · 2010-07-27 15:49:19 +05:30 · 2010-07-27 15:49:19 +05:30 · 8e84865e54
commit 8e84865e54
parent 7899f799b7
6 changed files with 16 additions and 0 deletions
--- a/migration.c
+++ b/migration.c
@ -67,6 +67,8 @@ void process_incoming_migration(QEMUFile *f)
    qemu_announce_self();
    DPRINTF("successfully loaded vm state\n");

+    incoming_expected = false;
+
    if (autostart)
        vm_start();
 }
--- a/monitor.c
+++ b/monitor.c
@ -1056,6 +1056,10 @@ static int do_cont(Monitor *mon, const QDict *qdict, QObject **ret_data)
 {
    struct bdrv_iterate_context context = { mon, 0 };

+    if (incoming_expected) {
+        qerror_report(QERR_MIGRATION_EXPECTED);
+        return -1;
+    }
    bdrv_iterate(encrypted_bdrv_it, &context);
    /* only resume the vm if all keys are set and valid */
    if (!context.err) {
--- a/qerror.c
+++ b/qerror.c
@ -140,6 +140,10 @@ static const QErrorStringTable qerror_table[] = {
        .error_fmt = QERR_KVM_MISSING_CAP,
        .desc      = "Using KVM without %(capability), %(feature) unavailable",
    },
+    {
+        .error_fmt = QERR_MIGRATION_EXPECTED,
+        .desc      = "An incoming migration is expected before this command can be executed",
+    },
    {
        .error_fmt = QERR_MISSING_PARAMETER,
        .desc      = "Parameter '%(name)' is missing",
--- a/qerror.h
+++ b/qerror.h
@ -121,6 +121,9 @@ QError *qobject_to_qerror(const QObject *obj);
 #define QERR_KVM_MISSING_CAP \
    "{ 'class': 'KVMMissingCap', 'data': { 'capability': %s, 'feature': %s } }"

+#define QERR_MIGRATION_EXPECTED \
+    "{ 'class': 'MigrationExpected', 'data': {} }"
+
 #define QERR_MISSING_PARAMETER \
    "{ 'class': 'MissingParameter', 'data': { 'name': %s } }"

--- a/sysemu.h
+++ b/sysemu.h
@ -99,6 +99,7 @@ typedef enum DisplayType
 } DisplayType;

 extern int autostart;
+extern int incoming_expected;
 extern int bios_size;

 typedef enum {
--- a/vl.c
+++ b/vl.c
@ -182,6 +182,7 @@ int nb_nics;
 NICInfo nd_table[MAX_NICS];
 int vm_running;
 int autostart;
+int incoming_expected; /* Started with -incoming and waiting for incoming */
 static int rtc_utc = 1;
 static int rtc_date_offset = -1; /* -1 means no change */
 QEMUClock *rtc_clock;
@ -2555,6 +2556,7 @@ int main(int argc, char **argv, char **envp)
                break;
            case QEMU_OPTION_incoming:
                incoming = optarg;
+                incoming_expected = true;
                break;
            case QEMU_OPTION_nodefaults:
                default_serial = 0;