From patchwork Mon Dec 19 07:04:27 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?b?5p+z6I+B5bOw?= X-Patchwork-Id: 13076307 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C583EC4332F for ; Mon, 19 Dec 2022 07:05:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231307AbiLSHE7 (ORCPT ); Mon, 19 Dec 2022 02:04:59 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60640 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229537AbiLSHE6 (ORCPT ); Mon, 19 Dec 2022 02:04:58 -0500 Received: from hmat.qianxin.com (hmat.qianxin.com [220.181.41.43]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 596D7E33; Sun, 18 Dec 2022 23:04:51 -0800 (PST) Received: from hmat.qianxin.com (srv-mail04.esg.360es.cn [172.24.6.24]) by hmat.qianxin.com (SkyGuard) with ESMTPS id 4Nb9gZ4ltxz2LZwN; Mon, 19 Dec 2022 15:04:42 +0800 (CST) Received: from qax-bjmail04.ESG.360ES.CN (10.44.121.98) by SRV-MAIL06.ESG.360ES.CN (172.24.6.26) with Microsoft SMTP Server (TLS) id 15.0.1497.26; Mon, 19 Dec 2022 15:04:27 +0800 Received: from qax-bjmail06.ESG.360ES.CN (2402:d040:0:8425:2849:52e7:3abe:7096) by qax-bjmail04.ESG.360ES.CN (2402:d040:0:8425:e8d8:c276:4bf1:2b8c) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.20; Mon, 19 Dec 2022 15:04:27 +0800 Received: from qax-bjmail06.ESG.360ES.CN ([fe80::2849:52e7:3abe:7096]) by qax-bjmail06.ESG.360ES.CN ([fe80::2849:52e7:3abe:7096%5]) with mapi id 15.01.2308.020; Mon, 19 Dec 2022 15:04:27 +0800 From: =?utf-8?b?5p+z6I+B5bOw?= To: Sean Christopherson CC: "linux-kernel@vger.kernel.org" , "kvm@vger.kernel.org" , "pbonzini@redhat.com" , "syzkaller@googlegroups.com" Subject: =?utf-8?q?=E7=AD=94=E5=A4=8D=3A_Found_a_memory_leak_in_kvm_module?= Thread-Topic: Found a memory leak in kvm module Thread-Index: AdkN1svXVRrWKvJvSge7YI3WbO6bxgCl5kaAAMJGbkA= Date: Mon, 19 Dec 2022 07:04:27 +0000 Message-ID: <2895069420eb4af3a3b3a949af4010f3@qianxin.com> References: <7144ff750e554ad28aaa59e98c36d4fc@qianxin.com> In-Reply-To: Accept-Language: zh-CN, en-US Content-Language: zh-CN X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.110.119.69] MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org I had tried to retest with your patch,and I think the memory leak was resolved by it. Thanks! -----邮件原件----- 发件人: Sean Christopherson [mailto:seanjc@google.com] 发送时间: 2022年12月16日 2:17 收件人: 柳菁峰 抄送: linux-kernel@vger.kernel.org; kvm@vger.kernel.org; pbonzini@redhat.com; syzkaller@googlegroups.com 主题: Re: Found a memory leak in kvm module On Mon, Dec 12, 2022, 柳菁峰 wrote: > Hello,I have found a memory leak bug in kvm module by syzkaller.It was > found in linux-5.4 but it also could be reproduced in the latest linux version. Ah, I assume by "linux-5.4" you mean "stable v5.4.x kernels that contain commit 7d1bc32d6477 ("KVM: Stop looking for coalesced MMIO zones if the bus is destroyed")", because without that fix I can't see any bug that would affect both 5.4 and the upstream kernel. If my assumption is correct, then I'm 99% certain the issue is that the target device isn't destroyed if allocating the new bus fails. I haven't had luck with the automatic fault injection, but was able to confirm a leak with this hack. base-commit: 0f30b25edea48433eb32448990557364436818e6 diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 13e88297f999..22d9ab1b5c25 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -5424,7 +5424,7 @@ int kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx, struct kvm_io_device *dev) { int i, j; - struct kvm_io_bus *new_bus, *bus; + struct kvm_io_bus *new_bus = NULL, *bus; lockdep_assert_held(&kvm->slots_lock); @@ -5441,6 +5441,7 @@ int kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx, if (i == bus->dev_count) return 0; + if (!IS_ENABLED(CONFIG_X86_64)) new_bus = kmalloc(struct_size(bus, range, bus->dev_count - 1), GFP_KERNEL_ACCOUNT); if (new_bus) { The fix is to destroy the target device before bailing. I'll send a proper patch either way, but it would be nice to get confirmation that this is the same bug that you hit with "linux-5.4". Thanks! --- virt/kvm/coalesced_mmio.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/virt/kvm/coalesced_mmio.c b/virt/kvm/coalesced_mmio.c index 0be80c213f7f..5ef88f5a0864 100644 --- a/virt/kvm/coalesced_mmio.c +++ b/virt/kvm/coalesced_mmio.c @@ -187,15 +187,17 @@ int kvm_vm_ioctl_unregister_coalesced_mmio(struct kvm *kvm, r = kvm_io_bus_unregister_dev(kvm, zone->pio ? KVM_PIO_BUS : KVM_MMIO_BUS, &dev->dev); + kvm_iodevice_destructor(&dev->dev); + /* * On failure, unregister destroys all devices on the * bus _except_ the target device, i.e. coalesced_zones - * has been modified. No need to restart the walk as - * there aren't any zones left. + * has been modified. Bail after destroying the target + * device, there's no need to restart the walk as there + * aren't any zones left. */ if (r) break; - kvm_iodevice_destructor(&dev->dev); } }