From 71789361f05fbdcca1c91b28eba9dbca5d1af249 Mon Sep 17 00:00:00 2001
From: Pavel Grunt <pgrunt@redhat.com>
Date: Fri, 22 Apr 2016 16:47:48 +0200
Subject: [PATCH] channel: Abort migration in delayed unref

When a channel is unref'ed during migration, migrate_channel_event_cb
is called, causing a crash when the coroutine yields to a channel that
no longer exists.

The delayed_unref happens for the target host channel and will only occur
when the migration process fails.

As comment in spice_channel_coroutine says:
  Co-routine exits now - the SpiceChannel object may no longer exist,
  so don't do anything else now unless you like SEGVs

Related: rhbz#1318574
Acked-by: Victor Toso <victortoso@redhat.com>
---
 src/spice-channel.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/spice-channel.c b/src/spice-channel.c
index d8a4ed6..e52a6a9 100644
--- a/src/spice-channel.c
+++ b/src/spice-channel.c
@@ -2306,6 +2306,7 @@ static gboolean spice_channel_delayed_unref(gpointer data)
     SpiceChannel *channel = SPICE_CHANNEL(data);
     SpiceChannelPrivate *c = channel->priv;
     gboolean was_ready = c->state == SPICE_CHANNEL_STATE_READY;
+    SpiceSession *session;
 
     CHANNEL_DEBUG(channel, "Delayed unref channel %p", channel);
 
@@ -2313,6 +2314,13 @@ static gboolean spice_channel_delayed_unref(gpointer data)
 
     c->state = SPICE_CHANNEL_STATE_UNCONNECTED;
 
+    session = spice_channel_get_session(channel);
+    if (spice_session_is_for_migration(session)) {
+        /* error during migration - abort migration */
+        spice_session_abort_migration(session);
+        return FALSE;
+    }
+
     if (c->event != SPICE_CHANNEL_NONE) {
         g_coroutine_signal_emit(channel, signals[SPICE_CHANNEL_EVENT], 0, c->event);
         c->event = SPICE_CHANNEL_NONE;
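Review bot: The early `return FALSE;` in the new migration branch skips the rest of spice_channel_delayed_unref, including the pending `c->event` emission just below and whatever the function's tail does with the channel reference (the body continues outside this hunk, so that part cannot be checked here). The comment only says what happens; it should say why nothing may follow the abort and who releases the reference on this path, for example `/* error during migration: abort it and return at once, the channel may not exist after this call */`. If `spice_session_abort_migration()` does not drop the reference held for the delayed unref, this path presumably leaks the channel, so the ownership deserves a sentence in the comment. It is also worth confirming that `spice_channel_get_session(channel)` cannot return NULL at this point, since `session` is passed on unchecked.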
-- 
2.8.1