65 lines
2.9 KiB
Diff
65 lines
2.9 KiB
Diff
From 483f13524bb2a08b7ff6a7560b846564ed3b0c33 Mon Sep 17 00:00:00 2001
|
|
From: David Hildenbrand <david@redhat.com>
|
|
Date: Mon, 22 Jul 2019 15:41:04 +0200
|
|
Subject: [PATCH] virtio-balloon: Fix QEMU crashes on pagesize >
|
|
BALLOON_PAGE_SIZE
|
|
|
|
We are using the wrong functions to set/clear bits, effectively touching
|
|
multiple bits, writing out of range of the bitmap, resulting in memory
|
|
corruptions. We have to use set_bit()/clear_bit() instead.
|
|
|
|
Can easily be reproduced by starting a qemu guest on hugetlbfs memory,
|
|
inflating the balloon. QEMU crashes. This never could have worked
|
|
properly - especially, also pages would have been discarded when the
|
|
first sub-page would be inflated (the whole bitmap would be set).
|
|
|
|
While testing I realized, that on hugetlbfs it is pretty much impossible
|
|
to discard a page - the guest just frees the 4k sub-pages in random order
|
|
most of the time. I was only able to discard a hugepage a handful of
|
|
times - so I hope that now works correctly.
|
|
|
|
Fixes: ed48c59875b6 ("virtio-balloon: Safely handle BALLOON_PAGE_SIZE < host page size")
|
|
Fixes: b27b32391404 ("virtio-balloon: Fix possible guest memory corruption with inflates & deflates")
|
|
Cc: qemu-stable@nongnu.org #v4.0.0
|
|
Acked-by: David Gibson <david@gibson.dropbear.id.au>
|
|
Signed-off-by: David Hildenbrand <david@redhat.com>
|
|
Message-Id: <20190722134108.22151-3-david@redhat.com>
|
|
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
|
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
|
(cherry-pick from commit 483f13524bb2a08b7ff6a7560b846564ed3b0c33)
|
|
---
|
|
hw/virtio/virtio-balloon.c | 10 ++++------
|
|
1 file changed, 4 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
|
|
index 515abf6553..a78d2d2184 100644
|
|
--- a/hw/virtio/virtio-balloon.c
|
|
+++ b/hw/virtio/virtio-balloon.c
|
|
@@ -94,9 +94,8 @@ static void balloon_inflate_page(VirtIOBalloon *balloon,
|
|
balloon->pbp->base = host_page_base;
|
|
}
|
|
|
|
- bitmap_set(balloon->pbp->bitmap,
|
|
- (ram_offset - balloon->pbp->base) / BALLOON_PAGE_SIZE,
|
|
- subpages);
|
|
+ set_bit((ram_offset - balloon->pbp->base) / BALLOON_PAGE_SIZE,
|
|
+ balloon->pbp->bitmap);
|
|
|
|
if (bitmap_full(balloon->pbp->bitmap, subpages)) {
|
|
/* We've accumulated a full host page, we can actually discard
|
|
@@ -140,9 +139,8 @@ static void balloon_deflate_page(VirtIOBalloon *balloon,
|
|
* for a guest to do this in practice, but handle it anyway,
|
|
* since getting it wrong could mean discarding memory the
|
|
* guest is still using. */
|
|
- bitmap_clear(balloon->pbp->bitmap,
|
|
- (ram_offset - balloon->pbp->base) / BALLOON_PAGE_SIZE,
|
|
- subpages);
|
|
+ clear_bit((ram_offset - balloon->pbp->base) / BALLOON_PAGE_SIZE,
|
|
+ balloon->pbp->bitmap);
|
|
|
|
if (bitmap_empty(balloon->pbp->bitmap, subpages)) {
|
|
g_free(balloon->pbp);
|
|
--
|
|
2.19.1
|
|
|