From: David Hildenbrand
To: qemu-devel@nongnu.org
Cc: "Michael S . Tsirkin", David Hildenbrand, qemu-stable@nongnu.org, Stefan Hajnoczi, Igor Mammedov, David Gibson
Date: Wed, 17 Jul 2019 12:35:48 +0200
Message-Id: <20190717103550.24657-2-david@redhat.com>
In-Reply-To: <20190717103550.24657-1-david@redhat.com>
Subject: [Qemu-devel] [PATCH-for-4.1 v2 1/3] virtio-balloon: fix QEMU crashes on pagesize > BALLOON_PAGE_SIZE

We are using the wrong functions to set/clear bits, effectively touching multiple bits, writing out of range of the bitmap, resulting in memory corruptions. We have to use set_bit()/clear_bit() instead.

Can easily be reproduced by starting a qemu guest on hugetlbfs memory, inflating the balloon. QEMU crashes.

This never could have worked properly; in particular, pages would also have been discarded when the first sub-page was inflated (the whole bitmap would be set).

While testing I realized that on hugetlbfs it is pretty much impossible to discard a page: the guest just frees the 4k sub-pages in random order most of the time. I was only able to discard a hugepage a handful of times, so I hope that now works correctly.
Fixes: ed48c59875b6 ("virtio-balloon: Safely handle BALLOON_PAGE_SIZE < host page size") Fixes: b27b32391404 ("virtio-balloon: Fix possible guest memory corruption with inflates & deflates") Cc: qemu-stable@nongnu.org #v4.0.0 Cc: Stefan Hajnoczi Cc: David Gibson Cc: Michael S. Tsirkin Cc: Igor Mammedov Signed-off-by: David Hildenbrand Acked-by: David Gibson --- hw/virtio/virtio-balloon.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c index e85d1c0d5c..669067d661 100644 --- a/hw/virtio/virtio-balloon.c +++ b/hw/virtio/virtio-balloon.c @@ -94,9 +94,8 @@ static void balloon_inflate_page(VirtIOBalloon *balloon, balloon->pbp->base =3D host_page_base; } =20 - bitmap_set(balloon->pbp->bitmap, - (ram_offset - balloon->pbp->base) / BALLOON_PAGE_SIZE, - subpages); + set_bit((ram_offset - balloon->pbp->base) / BALLOON_PAGE_SIZE, + balloon->pbp->bitmap); =20 if (bitmap_full(balloon->pbp->bitmap, subpages)) { /* We've accumulated a full host page, we can actually discard 
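Review bot: The new set_bit() call in the inflate hunk has no range check on its bit index, so it is worth asserting that (ram_offset - balloon->pbp->base) / BALLOON_PAGE_SIZE is below subpages before the call; the removed bitmap_set() took that same expression as a start offset and subpages as the number of bits to set, so any non-zero start ran past the end of the bitmap, which is the out-of-range write the commit message describes. With a single bit set per inflated sub-page, the bitmap_full(balloon->pbp->bitmap, subpages) check that follows now only fires once every sub-page of the host page has been reported, rather than on the first one.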
@@ -140,9 +139,8 @@ static void balloon_deflate_page(VirtIOBalloon *balloon, * for a guest to do this in practice, but handle it anyway, * since getting it wrong could mean discarding memory the * guest is still using. */ - bitmap_clear(balloon->pbp->bitmap, - (ram_offset - balloon->pbp->base) / BALLOON_PAGE_SIZE, - subpages); + clear_bit((ram_offset - balloon->pbp->base) / BALLOON_PAGE_SIZE, + balloon->pbp->bitmap); =20 if (bitmap_empty(balloon->pbp->bitmap, subpages)) { g_free(balloon->pbp); --=20 2.21.0
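Review bot: The same index concern as in the inflate hunk applies to clear_bit() here; the comment just above this change warns that getting the deflate path wrong can discard memory the guest is still using, and the removed bitmap_clear(..., subpages) would have cleared the whole bitmap on a deflate of a single sub-page, making the following bitmap_empty() check succeed and freeing the pbp while other sub-pages were still recorded in it as inflated. Clearing one bit per deflated sub-page is the right granularity; a short comment noting that bitmap indices are in BALLOON_PAGE_SIZE units relative to pbp->base would help the next reader.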
From: David Hildenbrand
To: qemu-devel@nongnu.org
Cc: "Michael S . Tsirkin", David Hildenbrand, qemu-stable@nongnu.org, Stefan Hajnoczi, Igor Mammedov, David Gibson
Date: Wed, 17 Jul 2019 12:35:49 +0200
Message-Id: <20190717103550.24657-3-david@redhat.com>
In-Reply-To: <20190717103550.24657-1-david@redhat.com>
Subject: [Qemu-devel] [PATCH-for-4.1 v2 2/3] virtio-balloon: fix memory leak on unrealize()

We could have tracking data for a pbp (PartiallyBalloonedPage) allocated. Let's free it.

Fixes: ed48c59875b6 ("virtio-balloon: Safely handle BALLOON_PAGE_SIZE < host page size")
Cc: qemu-stable@nongnu.org #v4.0.0
Cc: Stefan Hajnoczi
Cc: David Gibson
Cc: Michael S. Tsirkin
Cc: Igor Mammedov
Signed-off-by: David Hildenbrand
Acked-by: David Gibson
---
 hw/virtio/virtio-balloon.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index 669067d661..84d01bceb3 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -40,6 +40,12 @@ struct PartiallyBalloonedPage { unsigned long bitmap[]; }; =20 +static void virtio_balloon_reset_pbp(VirtIOBalloon *balloon) +{ + g_free(balloon->pbp); + balloon->pbp =3D NULL; +} + static void balloon_inflate_page(VirtIOBalloon *balloon, MemoryRegion *mr, hwaddr offset) { @@ -82,8 +88,7 @@ static void balloon_inflate_page(VirtIOBalloon *balloon, /* We've partially ballooned part of a host page, but now * we're trying to balloon part of a different one. Too hard, * give up on the old partial page */ - g_free(balloon->pbp); - balloon->pbp =3D NULL; + virtio_balloon_reset_pbp(balloon); } =20 if (!balloon->pbp) { @@ -106,8 +111,7 @@ static void balloon_inflate_page(VirtIOBalloon *balloon, * has already reported them, and failing to discard a balloon * page is not fatal */ =20 - g_free(balloon->pbp); - balloon->pbp =3D NULL; + virtio_balloon_reset_pbp(balloon); } } =20 @@ -143,8 +147,7 @@ static void balloon_deflate_page(VirtIOBalloon *balloon, balloon->pbp->bitmap); =20 if (bitmap_empty(balloon->pbp->bitmap, subpages)) { - g_free(balloon->pbp); - balloon->pbp =3D NULL; + virtio_balloon_reset_pbp(balloon); } } =20 
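Review bot: The new virtio_balloon_reset_pbp() helper in the @@ -40 hunk has no comment; since it is about to be called unconditionally from teardown paths, add a one-line comment that it drops any partially-ballooned-page tracking state and is safe to call when balloon->pbp is already NULL (g_free(NULL) is a no-op in GLib). The three caller hunks that follow are mechanical replacements of the same two lines, so the behaviour of the inflate and deflate paths is unchanged by this patch.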
@@ -831,6 +834,7 @@ static void virtio_balloon_device_unrealize(DeviceState= *dev, Error **errp) virtio_balloon_free_page_stop(s); precopy_remove_notifier(&s->free_page_report_notify); } + virtio_balloon_reset_pbp(s); balloon_stats_destroy_timer(s); qemu_remove_balloon_handler(s); virtio_cleanup(vdev); --=20 2.21.0
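Review bot: The virtio_balloon_reset_pbp(s) call in the unrealize hunk sits outside the preceding conditional block that stops free-page reporting, which is correct because a pbp is allocated by balloon_inflate_page() independently of free-page hinting, but a brief comment saying so would save a reader from wondering whether the call belongs inside that block. Its position before balloon_stats_destroy_timer() is fine: none of the later teardown calls shown in the hunk (balloon_stats_destroy_timer, qemu_remove_balloon_handler, virtio_cleanup) take the pbp.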
From: David Hildenbrand
To: qemu-devel@nongnu.org
Cc: "Michael S . Tsirkin", David Hildenbrand, qemu-stable@nongnu.org, Stefan Hajnoczi, Igor Mammedov, David Gibson
Date: Wed, 17 Jul 2019 12:35:50 +0200
Message-Id: <20190717103550.24657-4-david@redhat.com>
In-Reply-To: <20190717103550.24657-1-david@redhat.com>
Subject: [Qemu-devel] [PATCH-for-4.1 v2 3/3] virtio-balloon: reset pbp on device resets

When a guest reboots (ordinary reboots, but also via kexec), it will happily reuse any system memory, including previously inflated memory. We could have tracking data for a pbp (PartiallyBalloonedPage). It could happen that a new inflation request from the guest will result in a discard of such a pbp, although the guest is (again) reusing some memory. We should reset the pbp on any device resets.

Fixes: ed48c59875b6 ("virtio-balloon: Safely handle BALLOON_PAGE_SIZE < host page size")
Cc: qemu-stable@nongnu.org #v4.0.0
Cc: Stefan Hajnoczi
Cc: David Gibson
Cc: Michael S. Tsirkin
Cc: Igor Mammedov
Signed-off-by: David Hildenbrand
Acked-by: David Gibson
---
 hw/virtio/virtio-balloon.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index 84d01bceb3..9de3c030bf 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -847,6 +847,7 @@ static void virtio_balloon_device_reset(VirtIODevice *v= dev) if (virtio_balloon_free_page_support(s)) { virtio_balloon_free_page_stop(s); } + virtio_balloon_reset_pbp(s); =20 if (s->stats_vq_elem !=3D NULL) { virtqueue_unpop(s->svq, s->stats_vq_elem, 0); --=20 2.21.0
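Review bot: The reset hunk drops the pbp unconditionally, which matches the reboot/kexec scenario in the commit message, but a comment at the call site explaining why (after a reset the guest may reuse memory that a stale pbp would otherwise cause a later inflate to discard) would help, since nothing in the surrounding lines hints at it. Note also that this patch depends on 2/3, which introduced virtio_balloon_reset_pbp(): the index line 84d01bceb3..9de3c030bf starts from the blob that patch 2/3 produced, so the two must be applied in order.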