From nobody Wed Sep 17 13:54:42 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id EE79CC10F1B for ; Mon, 19 Dec 2022 07:05:02 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231449AbiLSHFA (ORCPT ); Mon, 19 Dec 2022 02:05:00 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60640 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229537AbiLSHE6 (ORCPT ); Mon, 19 Dec 2022 02:04:58 -0500 Received: from hmat.qianxin.com (hmat.qianxin.com [220.181.41.43]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 596D7E33; Sun, 18 Dec 2022 23:04:51 -0800 (PST) Received: from hmat.qianxin.com (srv-mail04.esg.360es.cn [172.24.6.24]) by hmat.qianxin.com (SkyGuard) with ESMTPS id 4Nb9gZ4ltxz2LZwN; Mon, 19 Dec 2022 15:04:42 +0800 (CST) Received: from qax-bjmail04.ESG.360ES.CN (10.44.121.98) by SRV-MAIL06.ESG.360ES.CN (172.24.6.26) with Microsoft SMTP Server (TLS) id 15.0.1497.26; Mon, 19 Dec 2022 15:04:27 +0800 Received: from qax-bjmail06.ESG.360ES.CN (2402:d040:0:8425:2849:52e7:3abe:7096) by qax-bjmail04.ESG.360ES.CN (2402:d040:0:8425:e8d8:c276:4bf1:2b8c) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.20; Mon, 19 Dec 2022 15:04:27 +0800 Received: from qax-bjmail06.ESG.360ES.CN ([fe80::2849:52e7:3abe:7096]) by qax-bjmail06.ESG.360ES.CN ([fe80::2849:52e7:3abe:7096%5]) with mapi id 15.01.2308.020; Mon, 19 Dec 2022 15:04:27 +0800 From: =?utf-8?B?5p+z6I+B5bOw?= To: Sean Christopherson CC: "linux-kernel@vger.kernel.org" , "kvm@vger.kernel.org" , "pbonzini@redhat.com" , "syzkaller@googlegroups.com" Subject: =?utf-8?B?562U5aSNOiBGb3VuZCBhIG1lbW9yeSBsZWFrIGluIGt2bSBtb2R1bGU=?= Thread-Topic: Found a memory leak in kvm module Thread-Index: AdkN1svXVRrWKvJvSge7YI3WbO6bxgCl5kaAAMJGbkA= Date: Mon, 19 Dec 2022 07:04:27 +0000 Message-ID: <2895069420eb4af3a3b3a949af4010f3@qianxin.com> References: <7144ff750e554ad28aaa59e98c36d4fc@qianxin.com> In-Reply-To: Accept-Language: zh-CN, en-US Content-Language: zh-CN X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.110.119.69] Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org I had tried to retest with your patch,and I think the memory leak was resol= ved by it. Thanks! -----=E9=82=AE=E4=BB=B6=E5=8E=9F=E4=BB=B6----- =E5=8F=91=E4=BB=B6=E4=BA=BA: Sean Christopherson [mailto:seanjc@google.com]=20 =E5=8F=91=E9=80=81=E6=97=B6=E9=97=B4: 2022=E5=B9=B412=E6=9C=8816=E6=97=A5 2= :17 =E6=94=B6=E4=BB=B6=E4=BA=BA: =E6=9F=B3=E8=8F=81=E5=B3=B0 =E6=8A=84=E9=80=81: linux-kernel@vger.kernel.org; kvm@vger.kernel.org; pbon= zini@redhat.com; syzkaller@googlegroups.com =E4=B8=BB=E9=A2=98: Re: Found a memory leak in kvm module On Mon, Dec 12, 2022, =E6=9F=B3=E8=8F=81=E5=B3=B0 wrote: > Hello,I have found a memory leak bug in kvm module by syzkaller.It was=20 > found in linux-5.4 but it also could be reproduced in the latest linux ve= rsion. Ah, I assume by "linux-5.4" you mean "stable v5.4.x kernels that contain co= mmit 7d1bc32d6477 ("KVM: Stop looking for coalesced MMIO zones if the bus is des= troyed")", because without that fix I can't see any bug that would affect b= oth 5.4 and the upstream kernel. If my assumption is correct, then I'm 99% certain the issue is that the tar= get device isn't destroyed if allocating the new bus fails. I haven't had = luck with the automatic fault injection, but was able to confirm a leak wit= h this hack. diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 13e88297f999..= 22d9ab1b5c25 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -5424,7 +5424,7 @@ int kvm_io_bus_unregister_dev(struct kvm *kvm, enum k= vm_bus bus_idx, struct kvm_io_device *dev) { int i, j; - struct kvm_io_bus *new_bus, *bus; + struct kvm_io_bus *new_bus =3D NULL, *bus; =20 lockdep_assert_held(&kvm->slots_lock); =20 @@ -5441,6 +5441,7 @@ int kvm_io_bus_unregister_dev(struct kvm *kvm, enum k= vm_bus bus_idx, if (i =3D=3D bus->dev_count) return 0; =20 + if (!IS_ENABLED(CONFIG_X86_64)) new_bus =3D kmalloc(struct_size(bus, range, bus->dev_count - 1), GFP_KERNEL_ACCOUNT); if (new_bus) { The fix is to destroy the target device before bailing. I'll send a proper= patch either way, but it would be nice to get confirmation that this is th= e same bug that you hit with "linux-5.4". Thanks! --- virt/kvm/coalesced_mmio.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/virt/kvm/coalesced_mmio.c b/virt/kvm/coalesced_mmio.c index 0b= e80c213f7f..5ef88f5a0864 100644 --- a/virt/kvm/coalesced_mmio.c +++ b/virt/kvm/coalesced_mmio.c @@ -187,15 +187,17 @@ int kvm_vm_ioctl_unregister_coalesced_mmio(struct kvm= *kvm, r =3D kvm_io_bus_unregister_dev(kvm, zone->pio ? KVM_PIO_BUS : KVM_MMIO_BUS, &dev->dev); =20 + kvm_iodevice_destructor(&dev->dev); + /* * On failure, unregister destroys all devices on the * bus _except_ the target device, i.e. coalesced_zones - * has been modified. No need to restart the walk as - * there aren't any zones left. + * has been modified. Bail after destroying the target + * device, there's no need to restart the walk as there + * aren't any zones left. */ if (r) break; - kvm_iodevice_destructor(&dev->dev); } } =20 base-commit: 0f30b25edea48433eb32448990557364436818e6 --=20