From: "lihangjing@baidu.com" <lihangjing@baidu.com>
To: <mst@redhat.com>
Cc: Li Hangjing <lihangjing@baidu.com>, qemu-devel@nongnu.org
Subject: [Qemu-devel] [PATCH] vhost: fix vhost_log size overflow during migration
Date: Mon, 3 Jun 2019 14:15:24 +0800 [thread overview]
Message-ID: <20190603061524.24076-1-lihangjing@baidu.com> (raw)
From: Li Hangjing <lihangjing@baidu.com>
When a guest which doesn't support multiqueue is migrated with a multi queues
vhost-user-blk deivce, a crash will occur like:
0 qemu_memfd_alloc (name=<value optimized out>, size=562949953421312, seals=<value optimized out>, fd=0x7f87171fe8b4, errp=0x7f87171fe8a8) at util/memfd.c:153
1 0x00007f883559d7cf in vhost_log_alloc (size=70368744177664, share=true) at hw/virtio/vhost.c:186
2 0x00007f88355a0758 in vhost_log_get (listener=0x7f8838bd7940, enable=1) at qemu-2-12/hw/virtio/vhost.c:211
3 vhost_dev_log_resize (listener=0x7f8838bd7940, enable=1) at hw/virtio/vhost.c:263
4 vhost_migration_log (listener=0x7f8838bd7940, enable=1) at hw/virtio/vhost.c:787
5 0x00007f88355463d6 in memory_global_dirty_log_start () at memory.c:2503
6 0x00007f8835550577 in ram_init_bitmaps (f=0x7f88384ce600, opaque=0x7f8836024098) at migration/ram.c:2173
7 ram_init_all (f=0x7f88384ce600, opaque=0x7f8836024098) at migration/ram.c:2192
8 ram_save_setup (f=0x7f88384ce600, opaque=0x7f8836024098) at migration/ram.c:2219
9 0x00007f88357a419d in qemu_savevm_state_setup (f=0x7f88384ce600) at migration/savevm.c:1002
10 0x00007f883579fc3e in migration_thread (opaque=0x7f8837530400) at migration/migration.c:2382
11 0x00007f8832447893 in start_thread () from /lib64/libpthread.so.0
12 0x00007f8832178bfd in clone () from /lib64/libc.so.6
This is because vhost_get_log_size() returns a overflowed vhost-log size.
In this function, it uses the uninitialized variable vqs->used_phys and
vqs->used_size to get the vhost-log size.
Signed-off-by: Li Hangjing <lihangjing@baidu.com>
Reviewed-by: Xie Yongji <xieyongji@baidu.com>
Reviewed-by: Chai Wen <chaiwen@baidu.com>
---
hw/virtio/vhost.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
index 7f61018f2a..6d3a013f49 100644
--- a/hw/virtio/vhost.c
+++ b/hw/virtio/vhost.c
@@ -131,6 +131,11 @@ static int vhost_sync_dirty_bitmap(struct vhost_dev *dev,
}
for (i = 0; i < dev->nvqs; ++i) {
struct vhost_virtqueue *vq = dev->vqs + i;
+
+ if (!vq->used_phys && !vq->used_size) {
+ continue;
+ }
+
vhost_dev_sync_region(dev, section, start_addr, end_addr, vq->used_phys,
range_get_last(vq->used_phys, vq->used_size));
}
@@ -168,6 +173,11 @@ static uint64_t vhost_get_log_size(struct vhost_dev *dev)
}
for (i = 0; i < dev->nvqs; ++i) {
struct vhost_virtqueue *vq = dev->vqs + i;
+
+ if (!vq->used_phys && !vq->used_size) {
+ continue;
+ }
+
uint64_t last = vq->used_phys + vq->used_size - 1;
log_size = MAX(log_size, last / VHOST_LOG_CHUNK + 1);
}
--
2.15.1.windows.2
WARNING: multiple messages have this Message-ID (diff)
From: "Michael S. Tsirkin" <mst@redhat.com>
To: qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>,
Xie Yongji <xieyongji@baidu.com>,
Li Hangjing <lihangjing@baidu.com>,
qemu-stable@nongnu.org, Chai Wen <chaiwen@baidu.com>
Subject: [Qemu-devel] [PULL 07/11] vhost: fix vhost_log size overflow during migration
Date: Sun, 16 Jun 2019 17:36:16 -0400 [thread overview]
Message-ID: <20190603061524.24076-1-lihangjing@baidu.com> (raw)
Message-ID: <20190616213616.Wgk73sTQCPBgFUmAKn5B3ITH0xqnzFG6msDlI95L304@z> (raw)
In-Reply-To: <20190616213540.20430-1-mst@redhat.com>
From: Li Hangjing <lihangjing@baidu.com>
When a guest which doesn't support multiqueue is migrated with a multi queues
vhost-user-blk deivce, a crash will occur like:
0 qemu_memfd_alloc (name=<value optimized out>, size=562949953421312, seals=<value optimized out>, fd=0x7f87171fe8b4, errp=0x7f87171fe8a8) at util/memfd.c:153
1 0x00007f883559d7cf in vhost_log_alloc (size=70368744177664, share=true) at hw/virtio/vhost.c:186
2 0x00007f88355a0758 in vhost_log_get (listener=0x7f8838bd7940, enable=1) at qemu-2-12/hw/virtio/vhost.c:211
3 vhost_dev_log_resize (listener=0x7f8838bd7940, enable=1) at hw/virtio/vhost.c:263
4 vhost_migration_log (listener=0x7f8838bd7940, enable=1) at hw/virtio/vhost.c:787
5 0x00007f88355463d6 in memory_global_dirty_log_start () at memory.c:2503
6 0x00007f8835550577 in ram_init_bitmaps (f=0x7f88384ce600, opaque=0x7f8836024098) at migration/ram.c:2173
7 ram_init_all (f=0x7f88384ce600, opaque=0x7f8836024098) at migration/ram.c:2192
8 ram_save_setup (f=0x7f88384ce600, opaque=0x7f8836024098) at migration/ram.c:2219
9 0x00007f88357a419d in qemu_savevm_state_setup (f=0x7f88384ce600) at migration/savevm.c:1002
10 0x00007f883579fc3e in migration_thread (opaque=0x7f8837530400) at migration/migration.c:2382
11 0x00007f8832447893 in start_thread () from /lib64/libpthread.so.0
12 0x00007f8832178bfd in clone () from /lib64/libc.so.6
This is because vhost_get_log_size() returns a overflowed vhost-log size.
In this function, it uses the uninitialized variable vqs->used_phys and
vqs->used_size to get the vhost-log size.
Signed-off-by: Li Hangjing <lihangjing@baidu.com>
Reviewed-by: Xie Yongji <xieyongji@baidu.com>
Reviewed-by: Chai Wen <chaiwen@baidu.com>
Message-Id: <20190603061524.24076-1-lihangjing@baidu.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
hw/virtio/vhost.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
index 60747a6f93..bc899fc60e 100644
--- a/hw/virtio/vhost.c
+++ b/hw/virtio/vhost.c
@@ -131,6 +131,11 @@ static int vhost_sync_dirty_bitmap(struct vhost_dev *dev,
}
for (i = 0; i < dev->nvqs; ++i) {
struct vhost_virtqueue *vq = dev->vqs + i;
+
+ if (!vq->used_phys && !vq->used_size) {
+ continue;
+ }
+
vhost_dev_sync_region(dev, section, start_addr, end_addr, vq->used_phys,
range_get_last(vq->used_phys, vq->used_size));
}
@@ -168,6 +173,11 @@ static uint64_t vhost_get_log_size(struct vhost_dev *dev)
}
for (i = 0; i < dev->nvqs; ++i) {
struct vhost_virtqueue *vq = dev->vqs + i;
+
+ if (!vq->used_phys && !vq->used_size) {
+ continue;
+ }
+
uint64_t last = vq->used_phys + vq->used_size - 1;
log_size = MAX(log_size, last / VHOST_LOG_CHUNK + 1);
}
--
MST
next reply other threads:[~2019-06-03 12:58 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-03 6:15 lihangjing [this message]
2019-06-16 21:36 ` [Qemu-devel] [PULL 07/11] vhost: fix vhost_log size overflow during migration Michael S. Tsirkin
2019-06-05 13:12 [Qemu-devel] [PATCH] docs/vhost-user.json: some firmware.json copy leftovers Marc-André Lureau
2019-06-16 21:36 ` [Qemu-devel] [PULL 06/11] " Michael S. Tsirkin
2019-06-14 8:36 ` [Qemu-devel] [PATCH] " Stefan Hajnoczi
2019-06-26 16:24 ` [Qemu-devel] [Qemu-trivial] " Laurent Vivier
2019-06-26 16:28 ` Laurent Vivier
2019-06-05 14:58 [Qemu-devel] [PATCH 0/5] Misc vhost-user fixes Marc-André Lureau
2019-06-05 14:58 ` [Qemu-devel] [PATCH 1/5] vhost-user-gpu: do not send scanout update if no GPU socket Marc-André Lureau
2019-06-16 21:36 ` [Qemu-devel] [PULL 01/11] " Michael S. Tsirkin
2019-06-05 14:58 ` [Qemu-devel] [PATCH 2/5] vhost-user: check unix_listen() return value Marc-André Lureau
2019-06-16 21:36 ` [Qemu-devel] [PULL 02/11] " Michael S. Tsirkin
2019-06-07 8:49 ` [Qemu-devel] [PATCH 2/5] " Peter Maydell
2019-06-26 17:55 ` [Qemu-devel] [PULL 02/11] " Eric Blake
2019-06-26 19:37 ` Marc-André Lureau
2019-06-05 14:58 ` [Qemu-devel] [PATCH 3/5] vhost-user: improve error report Marc-André Lureau
2019-06-16 21:36 ` [Qemu-devel] [PULL 03/11] " Michael S. Tsirkin
2019-06-05 14:58 ` [Qemu-devel] [PATCH 4/5] vhost-user-input: check ioctl(EVIOCGNAME) return value Marc-André Lureau
2019-06-16 21:36 ` [Qemu-devel] [PULL 04/11] " Michael S. Tsirkin
2019-06-07 8:50 ` [Qemu-devel] [PATCH 4/5] " Peter Maydell
2019-06-05 14:58 ` [Qemu-devel] [PATCH 5/5] vhost-user-gpu: initialize msghdr & iov at declaration Marc-André Lureau
2019-06-16 21:36 ` [Qemu-devel] [PULL 05/11] " Michael S. Tsirkin
2019-06-07 8:47 ` [Qemu-devel] [PATCH 5/5] " Peter Maydell
2019-06-07 7:34 [Qemu-devel] [PATCH v2] q35: fix mmconfig and PCI0._CRS Gerd Hoffmann
2019-06-16 21:36 ` [Qemu-devel] [PULL 09/11] " Michael S. Tsirkin
2019-06-07 7:49 ` [Qemu-devel] [PATCH v2] " Laszlo Ersek
2019-06-11 8:15 ` Marcel Apfelbaum
2019-06-11 11:37 ` Paolo Bonzini
2019-06-11 12:06 ` Michael S. Tsirkin
2019-06-10 1:18 [Qemu-devel] [PATCH v7] hw/acpi: extract acpi_add_rom_blob() Wei Yang
2019-06-16 21:36 ` [Qemu-devel] [PULL 08/11] " Michael S. Tsirkin
2019-06-16 21:36 [Qemu-devel] [PULL 00/11] virtio, acpi: fixes, cleanups Michael S. Tsirkin
2019-06-16 21:36 ` [Qemu-devel] [PULL 10/11] q35: update DSDT Michael S. Tsirkin
2019-06-16 21:36 ` [Qemu-devel] [PULL 11/11] tests/rebuild-expected-aml.sh: blow out difflist Michael S. Tsirkin
2019-06-17 12:59 ` [Qemu-devel] [PULL 00/11] virtio, acpi: fixes, cleanups Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190603061524.24076-1-lihangjing@baidu.com \
--to=lihangjing@baidu.com \
--cc=mst@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.