From: David Hildenbrand <david@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Michael S . Tsirkin" <mst@redhat.com>,
David Hildenbrand <david@redhat.com>,
qemu-stable@nongnu.org, Stefan Hajnoczi <stefanha@redhat.com>,
Igor Mammedov <imammedo@redhat.com>,
David Gibson <david@gibson.dropbear.id.au>
Subject: [Qemu-devel] [PATCH-for-4.1 v3 2/6] virtio-balloon: Fix QEMU crashes on pagesize > BALLOON_PAGE_SIZE
Date: Mon, 22 Jul 2019 15:41:04 +0200 [thread overview]
Message-ID: <20190722134108.22151-3-david@redhat.com> (raw)
In-Reply-To: <20190722134108.22151-1-david@redhat.com>
We are using the wrong functions to set/clear bits, effectively touching
multiple bits, writing out of range of the bitmap, resulting in memory
corruptions. We have to use set_bit()/clear_bit() instead.
Can easily be reproduced by starting a qemu guest on hugetlbfs memory,
inflating the balloon. QEMU crashes. This never could have worked
properly - especially, also pages would have been discarded when the
first sub-page would be inflated (the whole bitmap would be set).
While testing I realized, that on hugetlbfs it is pretty much impossible
to discard a page - the guest just frees the 4k sub-pages in random order
most of the time. I was only able to discard a hugepage a handful of
times - so I hope that now works correctly.
Fixes: ed48c59875b6 ("virtio-balloon: Safely handle BALLOON_PAGE_SIZE <
host page size")
Fixes: b27b32391404 ("virtio-balloon: Fix possible guest memory corruption
with inflates & deflates")
Cc: qemu-stable@nongnu.org #v4.0.0
Acked-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: David Hildenbrand <david@redhat.com>
---
hw/virtio/virtio-balloon.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index 515abf6553..a78d2d2184 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -94,9 +94,8 @@ static void balloon_inflate_page(VirtIOBalloon *balloon,
balloon->pbp->base = host_page_base;
}
- bitmap_set(balloon->pbp->bitmap,
- (ram_offset - balloon->pbp->base) / BALLOON_PAGE_SIZE,
- subpages);
+ set_bit((ram_offset - balloon->pbp->base) / BALLOON_PAGE_SIZE,
+ balloon->pbp->bitmap);
if (bitmap_full(balloon->pbp->bitmap, subpages)) {
/* We've accumulated a full host page, we can actually discard
@@ -140,9 +139,8 @@ static void balloon_deflate_page(VirtIOBalloon *balloon,
* for a guest to do this in practice, but handle it anyway,
* since getting it wrong could mean discarding memory the
* guest is still using. */
- bitmap_clear(balloon->pbp->bitmap,
- (ram_offset - balloon->pbp->base) / BALLOON_PAGE_SIZE,
- subpages);
+ clear_bit((ram_offset - balloon->pbp->base) / BALLOON_PAGE_SIZE,
+ balloon->pbp->bitmap);
if (bitmap_empty(balloon->pbp->bitmap, subpages)) {
g_free(balloon->pbp);
--
2.21.0
WARNING: multiple messages have this Message-ID (diff)
From: "Michael S. Tsirkin" <mst@redhat.com>
To: qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>,
David Gibson <david@gibson.dropbear.id.au>,
qemu-stable@nongnu.org, David Hildenbrand <david@redhat.com>
Subject: [Qemu-devel] [PULL 06/12] virtio-balloon: Fix QEMU crashes on pagesize > BALLOON_PAGE_SIZE
Date: Thu, 25 Jul 2019 11:31:55 -0400 [thread overview]
Message-ID: <20190722134108.22151-3-david@redhat.com> (raw)
Message-ID: <20190725153155.FPV5JPHNf8iXpoDw4t9Frtqtef33ciDjQq0mmw8gTvk@z> (raw)
In-Reply-To: <20190725153059.7313-1-mst@redhat.com>
From: David Hildenbrand <david@redhat.com>
We are using the wrong functions to set/clear bits, effectively touching
multiple bits, writing out of range of the bitmap, resulting in memory
corruptions. We have to use set_bit()/clear_bit() instead.
Can easily be reproduced by starting a qemu guest on hugetlbfs memory,
inflating the balloon. QEMU crashes. This never could have worked
properly - especially, also pages would have been discarded when the
first sub-page would be inflated (the whole bitmap would be set).
While testing I realized, that on hugetlbfs it is pretty much impossible
to discard a page - the guest just frees the 4k sub-pages in random order
most of the time. I was only able to discard a hugepage a handful of
times - so I hope that now works correctly.
Fixes: ed48c59875b6 ("virtio-balloon: Safely handle BALLOON_PAGE_SIZE < host page size")
Fixes: b27b32391404 ("virtio-balloon: Fix possible guest memory corruption with inflates & deflates")
Cc: qemu-stable@nongnu.org #v4.0.0
Acked-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: David Hildenbrand <david@redhat.com>
Message-Id: <20190722134108.22151-3-david@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
hw/virtio/virtio-balloon.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index 515abf6553..a78d2d2184 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -94,9 +94,8 @@ static void balloon_inflate_page(VirtIOBalloon *balloon,
balloon->pbp->base = host_page_base;
}
- bitmap_set(balloon->pbp->bitmap,
- (ram_offset - balloon->pbp->base) / BALLOON_PAGE_SIZE,
- subpages);
+ set_bit((ram_offset - balloon->pbp->base) / BALLOON_PAGE_SIZE,
+ balloon->pbp->bitmap);
if (bitmap_full(balloon->pbp->bitmap, subpages)) {
/* We've accumulated a full host page, we can actually discard
@@ -140,9 +139,8 @@ static void balloon_deflate_page(VirtIOBalloon *balloon,
* for a guest to do this in practice, but handle it anyway,
* since getting it wrong could mean discarding memory the
* guest is still using. */
- bitmap_clear(balloon->pbp->bitmap,
- (ram_offset - balloon->pbp->base) / BALLOON_PAGE_SIZE,
- subpages);
+ clear_bit((ram_offset - balloon->pbp->base) / BALLOON_PAGE_SIZE,
+ balloon->pbp->bitmap);
if (bitmap_empty(balloon->pbp->bitmap, subpages)) {
g_free(balloon->pbp);
--
MST
next prev parent reply other threads:[~2019-07-22 13:42 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-22 13:41 [Qemu-devel] [PATCH-for-4.1 v3 0/6] virtio-balloon: fixes David Hildenbrand
2019-07-22 13:41 ` [Qemu-devel] [PATCH-for-4.1 v3 1/6] virtio-balloon: Fix wrong sign extension of PFNs David Hildenbrand
2019-07-25 15:31 ` [Qemu-devel] [PULL 05/12] " Michael S. Tsirkin
2019-07-23 2:27 ` [Qemu-devel] [PATCH-for-4.1 v3 1/6] " David Gibson
2019-07-22 13:41 ` David Hildenbrand [this message]
2019-07-25 15:31 ` [Qemu-devel] [PULL 06/12] virtio-balloon: Fix QEMU crashes on pagesize > BALLOON_PAGE_SIZE Michael S. Tsirkin
2019-07-22 13:41 ` [Qemu-devel] [PATCH-for-4.1 v3 3/6] virtio-balloon: Simplify deflate with pbp David Hildenbrand
2019-07-25 15:32 ` [Qemu-devel] [PULL 07/12] " Michael S. Tsirkin
2019-07-22 13:41 ` [Qemu-devel] [PATCH-for-4.1 v3 4/6] virtio-balloon: Better names for offset variables in inflate/deflate code David Hildenbrand
2019-07-25 15:32 ` [Qemu-devel] [PULL 08/12] " Michael S. Tsirkin
2019-07-22 13:41 ` [Qemu-devel] [PATCH-for-4.1 v3 5/6] virtio-balloon: Rework pbp tracking data David Hildenbrand
2019-07-25 15:32 ` [Qemu-devel] [PULL 09/12] " Michael S. Tsirkin
2019-07-23 2:54 ` [Qemu-devel] [PATCH-for-4.1 v3 5/6] " David Gibson
2019-07-23 7:38 ` David Hildenbrand
2019-07-22 13:41 ` [Qemu-devel] [PATCH-for-4.1 v3 6/6] virtio-balloon: Use temporary PBP only David Hildenbrand
2019-07-25 15:32 ` [Qemu-devel] [PULL 10/12] " Michael S. Tsirkin
2019-07-23 3:22 ` [Qemu-devel] [PATCH-for-4.1 v3 6/6] " David Gibson
-- strict thread matches above, loose matches on Subject: below --
2019-07-25 15:31 [Qemu-devel] [PULL 00/12] virtio, pc: fixes, cleanups Michael S. Tsirkin
2019-07-25 15:32 ` [Qemu-devel] [PULL 12/12] virtio-balloon: free pbp more aggressively Michael S. Tsirkin
2019-07-26 9:53 ` [Qemu-devel] [PULL 00/12] virtio, pc: fixes, cleanups Peter Maydell
2019-07-25 11:36 [Qemu-devel] [PATCH-for-4.1 v4 0/7] virtio-balloon: fixes David Hildenbrand
2019-07-25 11:36 ` [Qemu-devel] [PATCH-for-4.1 v4 1/7] virtio-balloon: Fix wrong sign extension of PFNs David Hildenbrand
2019-07-25 12:36 ` Pankaj Gupta
2019-07-25 11:36 ` [Qemu-devel] [PATCH-for-4.1 v4 2/7] virtio-balloon: Fix QEMU crashes on pagesize > BALLOON_PAGE_SIZE David Hildenbrand
2019-07-25 11:36 ` [Qemu-devel] [PATCH-for-4.1 v4 3/7] virtio-balloon: Simplify deflate with pbp David Hildenbrand
2019-07-25 11:36 ` [Qemu-devel] [PATCH-for-4.1 v4 4/7] virtio-balloon: Better names for offset variables in inflate/deflate code David Hildenbrand
2019-07-25 11:36 ` [Qemu-devel] [PATCH-for-4.1 v4 5/7] virtio-balloon: Rework pbp tracking data David Hildenbrand
2019-07-26 8:08 ` David Gibson
2019-07-25 11:36 ` [Qemu-devel] [PATCH-for-4.1 v4 6/7] virtio-balloon: Use temporary PBP only David Hildenbrand
2019-07-25 11:53 ` Michael S. Tsirkin
2019-07-25 11:56 ` David Hildenbrand
2019-07-25 11:36 ` [Qemu-devel] [PATCH-for-4.1 v4 7/7] virtio-balloon: No need to track subpages for the PBP anymore David Hildenbrand
2019-07-25 15:32 ` [Qemu-devel] [PULL 11/12] virtio-balloon: don't track subpages for the PBP Michael S. Tsirkin
2019-07-26 8:10 ` [Qemu-devel] [PATCH-for-4.1 v4 7/7] virtio-balloon: No need to track subpages for the PBP anymore David Gibson
2019-07-19 8:54 [Qemu-devel] [PATCH] i386/acpi: show PCI Express bus on pxb-pcie expanders Evgeny Yakovlev
2019-07-25 15:31 ` [Qemu-devel] [PULL 04/12] " Michael S. Tsirkin
2019-07-19 12:14 ` [Qemu-devel] [PATCH] " Igor Mammedov
2019-07-18 16:14 [Qemu-devel] [PATCH v2] i386/acpi: fix gint overflow in crs_range_compare Evgeny Yakovlev
2019-07-25 15:31 ` [Qemu-devel] [PULL 02/12] " Michael S. Tsirkin
2019-07-18 20:30 ` [Qemu-devel] [PATCH v2] " Michael S. Tsirkin
2019-06-24 9:13 [Qemu-devel] [PATCH] docs: clarify multiqueue vs multiple virtqueues Stefan Hajnoczi
2019-07-25 15:31 ` [Qemu-devel] [PULL 01/12] " Michael S. Tsirkin
2019-06-24 10:19 ` [Qemu-devel] [PATCH] " Marc-André Lureau
2019-07-17 10:14 ` Stefan Hajnoczi
2019-07-17 10:35 ` Michael S. Tsirkin
2019-06-02 11:42 [Qemu-devel] [PATCH] ioapic: kvm: Skip route updates for masked pins Jan Kiszka
2019-07-25 15:31 ` [Qemu-devel] [PULL 03/12] " Michael S. Tsirkin
2019-06-02 12:10 ` [Qemu-devel] [PATCH] " Peter Xu
2019-06-03 6:30 ` Jan Kiszka
2019-06-03 0:36 ` Michael S. Tsirkin
2019-07-21 8:58 ` Jan Kiszka
2019-07-21 10:04 ` Michael S. Tsirkin
2019-07-21 16:55 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190722134108.22151-3-david@redhat.com \
--to=david@redhat.com \
--cc=david@gibson.dropbear.id.au \
--cc=imammedo@redhat.com \
--cc=mst@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.