Commit 483f1352 authored by David Hildenbrand's avatar David Hildenbrand Committed by Michael S. Tsirkin
Browse files

virtio-balloon: Fix QEMU crashes on pagesize > BALLOON_PAGE_SIZE 



We are using the wrong functions to set/clear bits, effectively touching
multiple bits, writing out of range of the bitmap, resulting in memory
corruptions. We have to use set_bit()/clear_bit() instead.

Can easily be reproduced by starting a qemu guest on hugetlbfs memory,
inflating the balloon. QEMU crashes. This never could have worked
properly - especially, also pages would have been discarded when the
first sub-page would be inflated (the whole bitmap would be set).

While testing I realized, that on hugetlbfs it is pretty much impossible
to discard a page - the guest just frees the 4k sub-pages in random order
most of the time. I was only able to discard a hugepage a handful of
times - so I hope that now works correctly.

Fixes: ed48c598 ("virtio-balloon: Safely handle BALLOON_PAGE_SIZE < host page size")
Fixes: b27b3239 ("virtio-balloon: Fix possible guest memory corruption with inflates & deflates")
Cc: qemu-stable@nongnu.org #v4.0.0
Acked-by: default avatarDavid Gibson <david@gibson.dropbear.id.au>
Signed-off-by: default avatarDavid Hildenbrand <david@redhat.com>
Message-Id: <20190722134108.22151-3-david@redhat.com>
Reviewed-by: default avatarMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
parent ffa207d0

hw/virtio/virtio-balloon.c

+4 −6
Original line number Diff line number Diff line
@@ -94,9 +94,8 @@ static void balloon_inflate_page(VirtIOBalloon *balloon, 
        balloon->pbp->base = host_page_base;

    }



    bitmap_set(balloon->pbp->bitmap,

               (ram_offset - balloon->pbp->base) / BALLOON_PAGE_SIZE,

               subpages);

    set_bit((ram_offset - balloon->pbp->base) / BALLOON_PAGE_SIZE,

            balloon->pbp->bitmap);



    if (bitmap_full(balloon->pbp->bitmap, subpages)) {

        /* We've accumulated a full host page, we can actually discard
@@ -140,9 +139,8 @@ static void balloon_deflate_page(VirtIOBalloon *balloon, 
         * for a guest to do this in practice, but handle it anyway,

         * since getting it wrong could mean discarding memory the

         * guest is still using. */

        bitmap_clear(balloon->pbp->bitmap,

                     (ram_offset - balloon->pbp->base) / BALLOON_PAGE_SIZE,

                     subpages);

        clear_bit((ram_offset - balloon->pbp->base) / BALLOON_PAGE_SIZE,

                  balloon->pbp->bitmap);



        if (bitmap_empty(balloon->pbp->bitmap, subpages)) {

            g_free(balloon->pbp);