From: Dmitry Fleytman <dmitry@daynix.com>
To: P J P <ppandit@redhat.com>
Cc: Qinghao Tang <luodalongde@gmail.com>,
Jason Wang <jasowang@redhat.com>,
qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] net: vmxnet3: memory leakage issue
Date: Tue, 15 Dec 2015 09:01:46 +0200 [thread overview]
Message-ID: <71F8314F-F19C-47D0-8038-39D664E8DC79@daynix.com> (raw)
In-Reply-To: <alpine.LFD.2.20.1512151220050.8212@wniryva>
[-- Attachment #1: Type: text/plain, Size: 4071 bytes --]
Hello Prasad,
Looks good.
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
Regards,
Dmitry
> On 15 Dec 2015, at 08:57 AM, P J P <ppandit@redhat.com> wrote:
>
> Hello Dmitry,
>
> +-- On Mon, 14 Dec 2015, Dmitry Fleytman wrote --+
> | The patch looks basically good.
> | The only issue I can think of is that now vmxnet_tx_pkt_uninit and
> | vmxnet_rx_pkt_uninit may be called a few times in a row. For example guest
> | may quiesce device and then shutdown. In this case vmxnet_tx_pkt_uninit may
> | try to free the same memory twice. Could you take a look at this please?
>
> Yes, I've added a check in vmxnet3_deactivate_device() to avoid double free.
> Please see below an updated patch.
>
> ===
> From 3ef66b01874fcc2fe3bfc73d2b61ee3a5b29fdb6 Mon Sep 17 00:00:00 2001
> From: Prasad J Pandit <pjp@fedoraproject.org>
> Date: Tue, 15 Dec 2015 12:17:28 +0530
> Subject: [PATCH] net: vmxnet3: avoid memory leakage in activate_device
>
> Vmxnet3 device emulator does not check if the device is active
> before activating it, also it did not free the transmit & receive
> buffers while deactivating the device, thus resulting in memory
> leakage on the host. This patch fixes both these issues to avoid
> host memory leakage.
>
> Reported-by: Qinghao Tang <luodalongde@gmail.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/net/vmxnet3.c | 24 ++++++++++++++++--------
> 1 file changed, 16 insertions(+), 8 deletions(-)
>
> diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
> index 37373e5..2b4aad7 100644
> --- a/hw/net/vmxnet3.c
> +++ b/hw/net/vmxnet3.c
> @@ -1194,8 +1194,13 @@ static void vmxnet3_reset_mac(VMXNET3State *s)
>
> static void vmxnet3_deactivate_device(VMXNET3State *s)
> {
> - VMW_CBPRN("Deactivating vmxnet3...");
> - s->device_active = false;
> + if (s->device_active) {
> + VMW_CBPRN("Deactivating vmxnet3...");
> + vmxnet_tx_pkt_reset(s->tx_pkt);
> + vmxnet_tx_pkt_uninit(s->tx_pkt);
> + vmxnet_rx_pkt_uninit(s->rx_pkt);
> + s->device_active = false;
> + }
> }
>
> static void vmxnet3_reset(VMXNET3State *s)
> @@ -1204,7 +1209,6 @@ static void vmxnet3_reset(VMXNET3State *s)
>
> vmxnet3_deactivate_device(s);
> vmxnet3_reset_interrupt_states(s);
> - vmxnet_tx_pkt_reset(s->tx_pkt);
> s->drv_shmem = 0;
> s->tx_sop = true;
> s->skip_current_tx_pkt = false;
> @@ -1431,6 +1435,12 @@ static void vmxnet3_activate_device(VMXNET3State *s)
> return;
> }
>
> + /* Verify if device is active */
> + if (s->device_active) {
> + VMW_CFPRN("Vmxnet3 device is active");
> + return;
> + }
> +
> vmxnet3_adjust_by_guest_type(s);
> vmxnet3_update_features(s);
> vmxnet3_update_pm_state(s);
> @@ -1627,7 +1637,7 @@ static void vmxnet3_handle_command(VMXNET3State *s, uint64_t cmd)
> break;
>
> case VMXNET3_CMD_QUIESCE_DEV:
> - VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the device");
> + VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - deactivate the device");
> vmxnet3_deactivate_device(s);
> break;
>
> @@ -1741,7 +1751,7 @@ vmxnet3_io_bar1_write(void *opaque,
> * shared address only after we get the high part
> */
> if (val == 0) {
> - s->device_active = false;
> + vmxnet3_deactivate_device(s);
> }
> s->temp_shared_guest_driver_memory = val;
> s->drv_shmem = 0;
> @@ -2021,9 +2031,7 @@ static bool vmxnet3_peer_has_vnet_hdr(VMXNET3State *s)
> static void vmxnet3_net_uninit(VMXNET3State *s)
> {
> g_free(s->mcast_list);
> - vmxnet_tx_pkt_reset(s->tx_pkt);
> - vmxnet_tx_pkt_uninit(s->tx_pkt);
> - vmxnet_rx_pkt_uninit(s->rx_pkt);
> + vmxnet3_deactivate_device(s);
> qemu_del_nic(s->nic);
> }
>
> --
> 2.4.3
> ===
>
>
> Thank you.
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
[-- Attachment #2: Type: text/html, Size: 8170 bytes --]
next prev parent reply other threads:[~2015-12-15 7:01 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-02 12:17 [Qemu-devel] net: vmxnet3: memory leakage issue P J P
2015-12-03 7:17 ` Dmitry Fleytman
2015-12-03 11:20 ` P J P
2015-12-04 3:16 ` Jason Wang
2015-12-08 10:17 ` P J P
2015-12-09 15:28 ` P J P
2015-12-11 9:10 ` Jason Wang
2015-12-11 9:34 ` Dmitry Fleytman
2015-12-11 10:04 ` P J P
2015-12-13 8:27 ` Dmitry Fleytman
2015-12-13 9:45 ` Dmitry Fleytman
2015-12-14 11:58 ` P J P
2015-12-14 17:27 ` Dmitry Fleytman
2015-12-15 6:57 ` P J P
2015-12-15 7:01 ` Dmitry Fleytman [this message]
2015-12-15 8:00 ` P J P
2015-12-15 8:24 ` Jason Wang
2015-12-15 8:50 ` P J P
2015-12-15 8:43 ` Miao Yan
2015-12-15 10:08 ` P J P
2015-12-04 2:22 ` Jason Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=71F8314F-F19C-47D0-8038-39D664E8DC79@daynix.com \
--to=dmitry@daynix.com \
--cc=jasowang@redhat.com \
--cc=luodalongde@gmail.com \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.