[Qemu-devel] [PATCH 0/2] virtio-gpu: fix issues with VM load code

[Qemu-devel] [PATCH 0/2] virtio-gpu: fix issues with VM load code

[Peter Maydell]

These patches fix a couple of issues with the VM load code
which I noticed while investigating a coverity warning.

The first patch fixes a problem with the accounting for
host pixmap memory usage -- we didn't recalculate the
current usage following a VM migration, but instead
started again at zero, which means that if you keep
bumping the VM from host to host you can sidestep the
host_maxmem limit.

The second patch fixes the coverity warning (that if we
fail in the "creating resources" loop in the load function
we will leak memory and so on). The leak isn't very
serious, because if we fail the inbound migration then
the whole QEMU process is pretty useless for anything,
but it's easy enough to fix "correctly", ie so that a
subsequent system reset will put the device back into
a sane state.

Peter Maydell (2):
  virtio-gpu: Recalculate VirtIOGPU::hostmem on VM load
  virtio-gpu: Fix memory leak in virtio_gpu_load()

 hw/display/virtio-gpu.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

-- 
2.7.4

[Qemu-devel] [PATCH 1/2] virtio-gpu: Recalculate VirtIOGPU::hostmem on VM load

[Peter Maydell]

The 'hostmem' field in VirtIOGPU is used to track the total memory
used in pixmaps so that we can impose a maximum limit on it.
However this field is neither migrated nor recalculated on
VM load, which means that after a migration it will be incorrectly
too low, which can allow the guest to use more pixmap memory
than it should. The per-resource hostmem fields are not filled
in either as we reallocate them in the load function.

Recalculate the memory used for each pixmap and the total memory
used as we reallocate the pixmaps in virtio_gpu_load().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/display/virtio-gpu.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index ca88cf4..c3cf47e 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -1038,6 +1038,8 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque, size_t size)
     uint32_t resource_id, pformat;
     int i;
 
+    g->hostmem = 0;
+
     resource_id = qemu_get_be32(f);
     while (resource_id != 0) {
         res = g_new0(struct virtio_gpu_simple_resource, 1);
@@ -1059,6 +1061,8 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque, size_t size)
             return -EINVAL;
         }
 
+        res->hostmem = PIXMAN_FORMAT_BPP(pformat) * res->width * res->height;
+
         res->addrs = g_new(uint64_t, res->iov_cnt);
         res->iov = g_new(struct iovec, res->iov_cnt);
 
@@ -1081,6 +1085,7 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque, size_t size)
         }
 
         QTAILQ_INSERT_HEAD(&g->reslist, res, next);
+        g->hostmem += res->hostmem;
 
         resource_id = qemu_get_be32(f);
     }
-- 
2.7.4

[Qemu-devel] [PATCH 2/2] virtio-gpu: Fix memory leak in virtio_gpu_load()

[Peter Maydell]

Coverity points out that if we fail in the "creating resources"
loop in virtio_gpu_load() we will leak various resources (CID 1356431).
Failing a VM load is going to leave the simulation in a complete mess,
but we can tidy up to the point that a full system reset should
get us back to sanity.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/display/virtio-gpu.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index c3cf47e..cef736c 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -1052,12 +1052,14 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque, size_t size)
         /* allocate */
         pformat = get_pixman_format(res->format);
         if (!pformat) {
+            g_free(res);
             return -EINVAL;
         }
         res->image = pixman_image_create_bits(pformat,
                                               res->width, res->height,
                                               NULL, 0);
         if (!res->image) {
+            g_free(res);
             return -EINVAL;
         }
 
@@ -1080,6 +1082,16 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque, size_t size)
             res->iov[i].iov_base =
                 cpu_physical_memory_map(res->addrs[i], &len, 1);
             if (!res->iov[i].iov_base || len != res->iov[i].iov_len) {
+                /* Clean up the half-a-mapping we just created... */
+                if (res->iov[i].iov_base) {
+                    cpu_physical_memory_unmap(res->iov[i].iov_base,
+                                              len, 0, 0);
+                }
+                /* ...and the mappings for previous loop iterations */
+                res->iov_cnt = i;
+                virtio_gpu_cleanup_mapping(res);
+                pixman_image_unref(res->image);
+                g_free(res);
                 return -EINVAL;
             }
         }
-- 
2.7.4

Re: [Qemu-devel] [PATCH 0/2] virtio-gpu: fix issues with VM load code

[Gerd Hoffmann]

On Mo, 2017-01-09 at 13:38 +0000, Peter Maydell wrote:
> These patches fix a couple of issues with the VM load code
> which I noticed while investigating a coverity warning.
> 
> The first patch fixes a problem with the accounting for
> host pixmap memory usage -- we didn't recalculate the
> current usage following a VM migration, but instead
> started again at zero, which means that if you keep
> bumping the VM from host to host you can sidestep the
> host_maxmem limit.
> 
> The second patch fixes the coverity warning (that if we
> fail in the "creating resources" loop in the load function
> we will leak memory and so on). The leak isn't very
> serious, because if we fail the inbound migration then
> the whole QEMU process is pretty useless for anything,
> but it's easy enough to fix "correctly", ie so that a
> subsequent system reset will put the device back into
> a sane state.
> 
> Peter Maydell (2):
>   virtio-gpu: Recalculate VirtIOGPU::hostmem on VM load
>   virtio-gpu: Fix memory leak in virtio_gpu_load()
> 
>  hw/display/virtio-gpu.c | 17 +++++++++++++++++
>  1 file changed, 17 insertions(+)
> 
Added to vga queue.

thanks,
  Gerd