[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 48/97] virtio-balloon: Fix QEMU crashes on pagesize > BALLOON_PAG
From: |
Michael Roth |
Subject: |
[PATCH 48/97] virtio-balloon: Fix QEMU crashes on pagesize > BALLOON_PAGE_SIZE |
Date: |
Tue, 1 Oct 2019 18:45:27 -0500 |
From: David Hildenbrand <address@hidden>
We are using the wrong functions to set/clear bits, effectively touching
multiple bits, writing out of range of the bitmap, resulting in memory
corruptions. We have to use set_bit()/clear_bit() instead.
Can easily be reproduced by starting a qemu guest on hugetlbfs memory,
inflating the balloon. QEMU crashes. This never could have worked
properly - especially, also pages would have been discarded when the
first sub-page would be inflated (the whole bitmap would be set).
While testing I realized, that on hugetlbfs it is pretty much impossible
to discard a page - the guest just frees the 4k sub-pages in random order
most of the time. I was only able to discard a hugepage a handful of
times - so I hope that now works correctly.
Fixes: ed48c59875b6 ("virtio-balloon: Safely handle BALLOON_PAGE_SIZE < host
page size")
Fixes: b27b32391404 ("virtio-balloon: Fix possible guest memory corruption with
inflates & deflates")
Cc: address@hidden #v4.0.0
Acked-by: David Gibson <address@hidden>
Signed-off-by: David Hildenbrand <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit 483f13524bb2a08b7ff6a7560b846564ed3b0c33)
Signed-off-by: Michael Roth <address@hidden>
---
hw/virtio/virtio-balloon.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index 49194f5638..038cf1c23a 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -94,9 +94,8 @@ static void balloon_inflate_page(VirtIOBalloon *balloon,
balloon->pbp->base = host_page_base;
}
- bitmap_set(balloon->pbp->bitmap,
- (ram_offset - balloon->pbp->base) / BALLOON_PAGE_SIZE,
- subpages);
+ set_bit((ram_offset - balloon->pbp->base) / BALLOON_PAGE_SIZE,
+ balloon->pbp->bitmap);
if (bitmap_full(balloon->pbp->bitmap, subpages)) {
/* We've accumulated a full host page, we can actually discard
@@ -140,9 +139,8 @@ static void balloon_deflate_page(VirtIOBalloon *balloon,
* for a guest to do this in practice, but handle it anyway,
* since getting it wrong could mean discarding memory the
* guest is still using. */
- bitmap_clear(balloon->pbp->bitmap,
- (ram_offset - balloon->pbp->base) / BALLOON_PAGE_SIZE,
- subpages);
+ clear_bit((ram_offset - balloon->pbp->base) / BALLOON_PAGE_SIZE,
+ balloon->pbp->bitmap);
if (bitmap_empty(balloon->pbp->bitmap, subpages)) {
g_free(balloon->pbp);
--
2.17.1
- [PATCH 38/97] virtio-balloon: fix QEMU 4.0 config size migration incompatibility, (continued)
- [PATCH 38/97] virtio-balloon: fix QEMU 4.0 config size migration incompatibility, Michael Roth, 2019/10/01
- [PATCH 49/97] virtio-balloon: Simplify deflate with pbp, Michael Roth, 2019/10/01
- [PATCH 44/97] hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[], Michael Roth, 2019/10/01
- [PATCH 51/97] virtio-balloon: Rework pbp tracking data, Michael Roth, 2019/10/01
- [PATCH 39/97] docs/interop/bitmaps.rst: Fix typos, Michael Roth, 2019/10/01
- [PATCH 43/97] hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory, Michael Roth, 2019/10/01
- [PATCH 32/97] vl: Fix -drive / -blockdev persistent reservation management, Michael Roth, 2019/10/01
- [PATCH 42/97] hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs, Michael Roth, 2019/10/01
- [PATCH 47/97] virtio-balloon: Fix wrong sign extension of PFNs, Michael Roth, 2019/10/01
- [PATCH 57/97] tpm_emulator: Translate TPM error codes to strings, Michael Roth, 2019/10/01
- [PATCH 48/97] virtio-balloon: Fix QEMU crashes on pagesize > BALLOON_PAGE_SIZE,
Michael Roth <=
- [PATCH 41/97] docs/bitmaps: use QMP lexer instead of json, Michael Roth, 2019/10/01
- [PATCH 53/97] virtio-balloon: don't track subpages for the PBP, Michael Roth, 2019/10/01
- [PATCH 50/97] virtio-balloon: Better names for offset variables in inflate/deflate code, Michael Roth, 2019/10/01
- [PATCH 55/97] i386/acpi: fix gint overflow in crs_range_compare, Michael Roth, 2019/10/01
- [PATCH 45/97] ioapic: kvm: Skip route updates for masked pins, Michael Roth, 2019/10/01
- [PATCH 03/97] qcow2: Fix full preallocation with external data file, Michael Roth, 2019/10/01
- [PATCH 36/97] virtio-pci: fix missing device properties, Michael Roth, 2019/10/01
- [PATCH 05/97] qcow2: Fix qcow2_make_empty() with external data file, Michael Roth, 2019/10/01
- [PATCH 74/97] xen-bus: Fix backend state transition on device reset, Michael Roth, 2019/10/01
- [PATCH 70/97] Revert "ide/ahci: Check for -ECANCELED in aio callbacks", Michael Roth, 2019/10/01