From: "lihangjing@baidu.com" <lihangjing@baidu.com>
To: <mst@redhat.com>
Cc: Li Hangjing <lihangjing@baidu.com>, qemu-devel@nongnu.org
Subject: [Qemu-devel] [PATCH] vhost: fix vhost_log size overflow during migration
Date: Mon, 3 Jun 2019 14:15:24 +0800
Message-ID: <20190603061524.24076-1-lihangjing@baidu.com>

From: Li Hangjing <lihangjing@baidu.com>

When a guest which doesn't support multiqueue is migrated with a multi-queue vhost-user-blk device, a crash will occur like:

0  qemu_memfd_alloc (name=<value optimized out>, size=562949953421312, seals=<value optimized out>, fd=0x7f87171fe8b4, errp=0x7f87171fe8a8) at util/memfd.c:153
1  0x00007f883559d7cf in vhost_log_alloc (size=70368744177664, share=true) at hw/virtio/vhost.c:186
2  0x00007f88355a0758 in vhost_log_get (listener=0x7f8838bd7940, enable=1) at qemu-2-12/hw/virtio/vhost.c:211
3  vhost_dev_log_resize (listener=0x7f8838bd7940, enable=1) at hw/virtio/vhost.c:263
4  vhost_migration_log (listener=0x7f8838bd7940, enable=1) at hw/virtio/vhost.c:787
5  0x00007f88355463d6 in memory_global_dirty_log_start () at memory.c:2503
6  0x00007f8835550577 in ram_init_bitmaps (f=0x7f88384ce600, opaque=0x7f8836024098) at migration/ram.c:2173
7  ram_init_all (f=0x7f88384ce600, opaque=0x7f8836024098) at migration/ram.c:2192
8  ram_save_setup (f=0x7f88384ce600, opaque=0x7f8836024098) at migration/ram.c:2219
9  0x00007f88357a419d in qemu_savevm_state_setup (f=0x7f88384ce600) at migration/savevm.c:1002
10 0x00007f883579fc3e in migration_thread (opaque=0x7f8837530400) at migration/migration.c:2382
11 0x00007f8832447893 in start_thread () from /lib64/libpthread.so.0
12 0x00007f8832178bfd in clone () from /lib64/libc.so.6

This is because vhost_get_log_size() returns an overflowed vhost-log size. In this function, it uses the uninitialized variables vqs->used_phys and vqs->used_size to get the vhost-log size.
Signed-off-by: Li Hangjing <lihangjing@baidu.com> Reviewed-by: Xie Yongji <xieyongji@baidu.com> Reviewed-by: Chai Wen <chaiwen@baidu.com> --- hw/virtio/vhost.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c index 7f61018f2a..6d3a013f49 100644 --- a/hw/virtio/vhost.c +++ b/hw/virtio/vhost.c @@ -131,6 +131,11 @@ static int vhost_sync_dirty_bitmap(struct vhost_dev *dev, } for (i = 0; i < dev->nvqs; ++i) { struct vhost_virtqueue *vq = dev->vqs + i; + + if (!vq->used_phys && !vq->used_size) { + continue; + } + vhost_dev_sync_region(dev, section, start_addr, end_addr, vq->used_phys, range_get_last(vq->used_phys, vq->used_size)); } @@ -168,6 +173,11 @@ static uint64_t vhost_get_log_size(struct vhost_dev *dev) } for (i = 0; i < dev->nvqs; ++i) { struct vhost_virtqueue *vq = dev->vqs + i; + + if (!vq->used_phys && !vq->used_size) { + continue; + } + uint64_t last = vq->used_phys + vq->used_size - 1; log_size = MAX(log_size, last / VHOST_LOG_CHUNK + 1); } -- 2.15.1.windows.2
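Review bot: In the vhost_sync_dirty_bitmap() hunk the new guard `if (!vq->used_phys && !vq->used_size)` detects a never-started queue by testing both fields for zero, yet the commit message calls the fields "uninitialized"; a zero test is only a reliable detector if the fields are guaranteed to start out zeroed, so the message should say "not yet set because the guest never enabled the queue" (or whatever the actual invariant is) rather than "uninitialized". A one-line comment above the check stating that a queue the guest did not set up has no used ring to sync would also help the next reader, since the bare condition does not explain why an address of 0 together with a size of 0 means "skip".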
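Review bot: In the vhost_get_log_size() hunk the failure being avoided is an unsigned wrap-around rather than an overflow: with both fields zero, `uint64_t last = vq->used_phys + vq->used_size - 1;` evaluates to 2^64 - 1, and `last / VHOST_LOG_CHUNK + 1` then produces the 70368744177664-chunk (2^46) size passed to vhost_log_alloc() in the backtrace. The guard is correct, but the same four-line condition now appears in two loops; consider a small inline helper (a hypothetical vhost_vq_used_ring_set(vq), for example) carrying a comment about the wrap-around, so the two call sites cannot drift apart if the condition is later refined. The subject line could also say "wrap-around on unconfigured queues" instead of "size overflow" for precision.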
From: "Michael S. Tsirkin" <mst@redhat.com>
To: qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>, Xie Yongji <xieyongji@baidu.com>, Li Hangjing <lihangjing@baidu.com>, qemu-stable@nongnu.org, Chai Wen <chaiwen@baidu.com>
Subject: [Qemu-devel] [PULL 07/11] vhost: fix vhost_log size overflow during migration
Date: Sun, 16 Jun 2019 17:36:16 -0400
Message-ID: <20190603061524.24076-1-lihangjing@baidu.com>
Message-ID: <20190616213616.Wgk73sTQCPBgFUmAKn5B3ITH0xqnzFG6msDlI95L304@z>
In-Reply-To: <20190616213540.20430-1-mst@redhat.com>
From: Li Hangjing <lihangjing@baidu.com>

Signed-off-by: Li Hangjing <lihangjing@baidu.com>
Reviewed-by: Xie Yongji <xieyongji@baidu.com>
Reviewed-by: Chai Wen <chaiwen@baidu.com>
Message-Id: <20190603061524.24076-1-lihangjing@baidu.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
 hw/virtio/vhost.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c index 60747a6f93..bc899fc60e 100644 --- a/hw/virtio/vhost.c +++ b/hw/virtio/vhost.c @@ -131,6 +131,11 @@ static int vhost_sync_dirty_bitmap(struct vhost_dev *dev, } for (i = 0; i < dev->nvqs; ++i) { struct vhost_virtqueue *vq = dev->vqs + i; + + if (!vq->used_phys && !vq->used_size) { + continue; + } + vhost_dev_sync_region(dev, section, start_addr, end_addr, vq->used_phys, range_get_last(vq->used_phys, vq->used_size)); } @@ -168,6 +173,11 @@ static uint64_t vhost_get_log_size(struct vhost_dev *dev) } for (i = 0; i < dev->nvqs; ++i) { struct vhost_virtqueue *vq = dev->vqs + i; + + if (!vq->used_phys && !vq->used_size) { + continue; + } + uint64_t last = vq->used_phys + vq->used_size - 1; log_size = MAX(log_size, last / VHOST_LOG_CHUNK + 1); } -- MST
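As an added illustration (not code from the patch or from QEMU itself), the per-queue arithmetic of vhost_get_log_size() before and after the guard, run over a constructed queue array; VHOST_LOG_CHUNK is assumed to be 4096 * 64 bytes, and struct vq_range is a hypothetical stand-in for struct vhost_virtqueue.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed, not stated in the patch: one vhost log chunk is a 64-bit word
 * covering 64 pages of 4 KiB, i.e. 2^18 bytes of guest memory. */
#define VHOST_LOG_CHUNK (4096ULL * 64ULL)
#define MAX(a, b) ((a) > (b) ? (a) : (b))
/* Hypothetical stand-in for struct vhost_virtqueue with only the two
 * fields that vhost_get_log_size() reads. */
struct vq_range {
    uint64_t used_phys;  /* guest-physical address of the used ring */
    uint64_t used_size;  /* length of the used ring in bytes */
};
/* Per-queue arithmetic of vhost_get_log_size() before the patch: a queue
 * the guest never set up (both fields zero) makes used_phys + used_size - 1
 * wrap around to 2^64 - 1, so the log size becomes 2^64 / VHOST_LOG_CHUNK. */
uint64_t log_size_unguarded(const struct vq_range *vqs, int nvqs)
{
    uint64_t log_size = 0;
    for (int i = 0; i < nvqs; ++i) {
        uint64_t last = vqs[i].used_phys + vqs[i].used_size - 1;
        log_size = MAX(log_size, last / VHOST_LOG_CHUNK + 1);
    }
    return log_size;
}
/* The same loop with the patch's guard: unconfigured queues are skipped. */
uint64_t log_size_guarded(const struct vq_range *vqs, int nvqs)
{
    uint64_t log_size = 0;
    for (int i = 0; i < nvqs; ++i) {
        if (!vqs[i].used_phys && !vqs[i].used_size) {
            continue;
        }
        uint64_t last = vqs[i].used_phys + vqs[i].used_size - 1;
        log_size = MAX(log_size, last / VHOST_LOG_CHUNK + 1);
    }
    return log_size;
}
/* Constructed input: a four-queue device where the guest configured only
 * queue 0 (used ring at 1 GiB, 6 KiB long); queues 1-3 are still zeroed. */
static const struct vq_range sample_vqs[4] = {
    { 0x40000000ULL, 6 * 1024 }, { 0, 0 }, { 0, 0 }, { 0, 0 }
};

int main(void)
{
    printf("before the guard: %llu chunks\n", (unsigned long long)log_size_unguarded(sample_vqs, 4));
    printf("after the guard:  %llu chunks\n", (unsigned long long)log_size_guarded(sample_vqs, 4));
    return 0;
}
```

The unguarded loop reports 70368744177664 chunks, the same value vhost_log_alloc() receives in the backtrace, while the guarded loop reports the 4097 chunks that queue 0 actually needs.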