From patchwork Wed Mar 6 03:05:59 2019
X-Patchwork-Submitter: David Gibson
X-Patchwork-Id: 10840335
From: David Gibson
To: Michael Tsirkin, David Hildenbrand, Peter Maydell
Cc: qemu-ppc@nongnu.org, qemu-devel@nongnu.org, David Gibson
Date: Wed, 6 Mar 2019 14:05:59 +1100
Message-Id: <20190306030601.21986-2-david@gibson.dropbear.id.au>
In-Reply-To: <20190306030601.21986-1-david@gibson.dropbear.id.au>
References: <20190306030601.21986-1-david@gibson.dropbear.id.au>
X-Mailer: git-send-email 2.20.1
Subject: [Qemu-devel] [PATCH 1/3] virtio-balloon: Don't mismatch g_malloc()/free (CID 1399146)

ed48c59875b6 "virtio-balloon: Safely handle BALLOON_PAGE_SIZE < host page size"
introduced a new temporary data structure which tracks 4kiB chunks which have
been inserted into the balloon by the guest but don't yet form a full host page
which we can discard.

Unfortunately, I had a thinko and allocated that structure with g_malloc0() but
freed it with a plain free() rather than g_free(). This corrects the problem.

Fixes: ed48c59875b6
Reported-by: Peter Maydell
Signed-off-by: David Gibson Reviewed-by: David Hildenbrand --- hw/virtio/virtio-balloon.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c index d3f2913a85..127289ae0e 100644 --- a/hw/virtio/virtio-balloon.c +++ b/hw/virtio/virtio-balloon.c @@ -81,7 +81,7 @@ static void balloon_inflate_page(VirtIOBalloon *balloon, /* We've partially ballooned part of a host page, but now * we're trying to balloon part of a different one. Too hard, * give up on the old partial page */ - free(balloon->pbp); + g_free(balloon->pbp); balloon->pbp = NULL; } 
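Review bot: the pairing is now correct; the commit message says pbp comes from g_malloc0(), so it has to be released with g_free(), and free() only appeared to work because GLib defaults to the system allocator, which is why Coverity rather than a crash caught it. The same free-and-NULL sequence is repeated in the second hunk of this patch, so a small helper (for example a hypothetical `balloon_drop_pbp()` doing `g_free(balloon->pbp); balloon->pbp = NULL;`) would keep the two sites from drifting apart again.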
@@ -106,7 +106,7 @@ static void balloon_inflate_page(VirtIOBalloon *balloon, * has already reported them, and failing to discard a balloon * page is not fatal */ - free(balloon->pbp); + g_free(balloon->pbp); balloon->pbp = NULL; } } From patchwork Wed Mar 6 03:06:00 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Gibson X-Patchwork-Id: 10840333 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id CE37717E9 for ; Wed, 6 Mar 2019 03:07:35 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BB85027BA5 for ; Wed, 6 Mar 2019 03:07:35 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id B01B029134; Wed, 6 Mar 2019 03:07:35 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.7 required=2.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI autolearn=ham version=3.3.1 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 49A612C18F for ; Wed, 6 Mar 2019 03:07:35 +0000 (UTC) Received: from localhost ([127.0.0.1]:53328 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1h1Mu6-0005Lt-D8 for patchwork-qemu-devel@patchwork.kernel.org; Tue, 05 Mar 2019 22:07:34 -0500 Received: from eggs.gnu.org ([209.51.188.92]:51049) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1h1Msm-0005Ku-Ky for qemu-devel@nongnu.org; Tue, 05 Mar 2019 22:06:13 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1h1Msl-0003s8-Le for qemu-devel@nongnu.org; Tue, 05 Mar 
From: David Gibson
To: Michael Tsirkin, David Hildenbrand, Peter Maydell
Cc: qemu-ppc@nongnu.org, qemu-devel@nongnu.org, David Gibson
Date: Wed, 6 Mar 2019 14:06:00 +1100
Message-Id: <20190306030601.21986-3-david@gibson.dropbear.id.au>
In-Reply-To: <20190306030601.21986-1-david@gibson.dropbear.id.au>
References: <20190306030601.21986-1-david@gibson.dropbear.id.au>
X-Mailer: git-send-email 2.20.1
Subject: [Qemu-devel] [PATCH 2/3] virtio-balloon: Fix possible guest memory corruption with inflates & deflates

This fixes a balloon bug with a nasty consequence - potentially corrupting
guest memory - but which is extremely unlikely to be triggered in practice.

The balloon always works in 4kiB units, but the host could have a larger page
size on certain platforms. Since ed48c59 "virtio-balloon: Safely handle
BALLOON_PAGE_SIZE < host page size" we've handled this by accumulating
requests to balloon 4kiB subpages until they formed a full host page.

Since f6deb6d "virtio-balloon: Remove unnecessary MADV_WILLNEED on deflate" we
essentially ignore deflate requests.

Suppose we have a host with 8kiB pages, and one host page has subpages A & B.
If we get this sequence of events
  - inflate A
  - deflate A
  - inflate B
the current logic will discard the whole host page. That's incorrect because
the guest has deflated subpage A, and could have written important data to it.

This patch fixes the problem by adjusting our state information about
partially ballooned host pages when deflate requests are received.
Fixes: ed48c59 "virtio-balloon: Safely handle BALLOON_PAGE_SIZE < host page size" Signed-off-by: David Gibson Acked-by: David Hildenbrand --- hw/virtio/virtio-balloon.c | 48 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 46 insertions(+), 2 deletions(-) diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c index 127289ae0e..7412bf8c85 100644 --- a/hw/virtio/virtio-balloon.c +++ b/hw/virtio/virtio-balloon.c @@ -111,6 +111,43 @@ static void balloon_inflate_page(VirtIOBalloon *balloon, } } +static void balloon_deflate_page(VirtIOBalloon *balloon, + MemoryRegion *mr, hwaddr offset) +{ + void *addr = memory_region_get_ram_ptr(mr) + offset; + RAMBlock *rb; + size_t rb_page_size; + ram_addr_t ram_offset, host_page_base; + + /* XXX is there a better way to get to the RAMBlock than via a + * host address? */ + rb = qemu_ram_block_from_host(addr, false, &ram_offset); + rb_page_size = qemu_ram_pagesize(rb); + host_page_base = ram_offset & ~(rb_page_size - 1); + + if (balloon->pbp + && rb == balloon->pbp->rb + && host_page_base == balloon->pbp->base) { + int subpages = rb_page_size / BALLOON_PAGE_SIZE; + + /* + * This means the guest has asked to discard some of the 4kiB + * subpages of a host page, but then changed its mind and + * asked to keep them after all. It's exceedingly unlikely + * for a guest to do this in practice, but handle it anyway, + * since getting it wrong could mean discarding memory the + * guest is still using. */ + bitmap_clear(balloon->pbp->bitmap, + (ram_offset - balloon->pbp->base) / BALLOON_PAGE_SIZE, + subpages); + + if (bitmap_empty(balloon->pbp->bitmap, subpages)) { + g_free(balloon->pbp); + balloon->pbp = NULL; + } + } +} + static const char *balloon_stat_names[] = { [VIRTIO_BALLOON_S_SWAP_IN] = "stat-swap-in", [VIRTIO_BALLOON_S_SWAP_OUT] = "stat-swap-out", 
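Review bot: the bitmap_clear() call in this hunk clears `subpages` bits starting at the deflated subpage's index, but a single deflate request covers one BALLOON_PAGE_SIZE unit, so the last argument should be 1. As written it also clears every higher-numbered subpage of the host page (and, for a non-zero start, runs past the bitmap's declared width), so bitmap_empty() can come back true and the pbp is freed while earlier-inflated subpages are still outstanding; that errs in the safe direction (fewer discards) but loses track of pages the guest did balloon and does not match the comment above it. Suggest `bitmap_clear(balloon->pbp->bitmap, (ram_offset - balloon->pbp->base) / BALLOON_PAGE_SIZE, 1);`.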
@@ -314,8 +351,15 @@ static void virtio_balloon_handle_output(VirtIODevice *vdev, VirtQueue *vq) trace_virtio_balloon_handle_output(memory_region_name(section.mr), pa); - if (!qemu_balloon_is_inhibited() && vq != s->dvq) { - balloon_inflate_page(s, section.mr, section.offset_within_region); + if (!qemu_balloon_is_inhibited()) { + if (vq == s->ivq) { + balloon_inflate_page(s, section.mr, + section.offset_within_region); + } else if (vq == s->dvq) { + balloon_deflate_page(s, section.mr, section.offset_within_region); + } else { + g_assert_not_reached(); + } } memory_region_unref(section.mr); } From patchwork Wed Mar 6 03:06:01 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Gibson X-Patchwork-Id: 10840331 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 4F31B17E0 for ; Wed, 6 Mar 2019 03:07:35 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 39F4427BA5 for ; Wed, 6 Mar 2019 03:07:35 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2DC7A2BF4F; Wed, 6 Mar 2019 03:07:35 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.7 required=2.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI autolearn=ham version=3.3.1 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id C9C6D27BA5 for ; Wed, 6 Mar 2019 03:07:34 +0000 (UTC) Received: from localhost ([127.0.0.1]:53337 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1h1Mu5-0006JW-3n for patchwork-qemu-devel@patchwork.kernel.org; Tue, 
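Review bot: balloon_deflate_page() is only reached inside `if (!qemu_balloon_is_inhibited())`, so a deflate request that arrives while ballooning is inhibited leaves the matching bit set in an existing pbp; once inhibition ends, an inflate of the remaining sibling subpage would complete the bitmap and discard a host page the guest has already taken back, which is the A/B scenario the commit message describes. Consider running the pbp adjustment (not the discard itself) regardless of the inhibit state, or dropping the pbp when inhibition begins. Minor: the inflate call is now wrapped onto two lines while the equally long deflate call stays on one; both fit in 80 columns, so pick one layout.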
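The inflate/deflate bookkeeping the commit message walks through, as an added example that is not QEMU's code: a small C model of the pbp bitmap for an 8kiB host page, where a deflate clears only the deflated subpage's bit, so the sequence inflate A, deflate A, inflate B no longer discards the host page. The sizes, names and the request-string format are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#define BALLOON_PAGE_SIZE 4096u
#define HOST_PAGE_SIZE    8192u   /* assumed: two 4kiB subpages per host page */
#define SUBPAGES          (HOST_PAGE_SIZE / BALLOON_PAGE_SIZE)
struct balloon {                 /* partially ballooned host page (pbp) state */
    bool pbp_active;
    uint64_t pbp_base;           /* host page the pbp tracks */
    uint32_t pbp_bitmap;         /* one bit per inflated 4kiB subpage */
    int discarded;               /* host pages that would have been madvise()d away */
};
static uint64_t host_base(uint64_t a) { return a & ~(uint64_t)(HOST_PAGE_SIZE - 1); }
static uint32_t subpage_bit(uint64_t a) { return 1u << ((a - host_base(a)) / BALLOON_PAGE_SIZE); }

/* Inflate one 4kiB page; once every subpage is set the host page is discarded. */
void balloon_inflate(struct balloon *b, uint64_t addr)
{
    if (!b->pbp_active || b->pbp_base != host_base(addr)) {
        /* No partial page yet, or a different one: give up on the old one. */
        b->pbp_active = true;
        b->pbp_base = host_base(addr);
        b->pbp_bitmap = 0;
    }
    b->pbp_bitmap |= subpage_bit(addr);
    if (b->pbp_bitmap == (1u << SUBPAGES) - 1) {
        b->discarded++;
        b->pbp_active = false;
    }
}

/* Deflate one 4kiB page: clear only that subpage's bit (patch 2's fix), so
 * "inflate A, deflate A, inflate B" no longer discards a page the guest uses. */
void balloon_deflate(struct balloon *b, uint64_t addr)
{
    if (b->pbp_active && b->pbp_base == host_base(addr)) {
        b->pbp_bitmap &= ~subpage_bit(addr);
        b->pbp_active = b->pbp_bitmap != 0;   /* drop the pbp once it is empty */
    }
}

/* Replay a constructed request string ('+'/'-' = inflate/deflate, letter = 4kiB
 * subpage index, 'A' = 0). Returns how many host pages were discarded. */
int discards_after(const char *ops)
{
    struct balloon b = { 0 };
    for (; ops[0] && ops[1]; ops += 2) {
        uint64_t addr = (uint64_t)(ops[1] - 'A') * BALLOON_PAGE_SIZE;
        if (ops[0] == '+') balloon_inflate(&b, addr); else balloon_deflate(&b, addr);
    }
    return b.discarded;
}
```

With subpages A and B sharing one host page and C and D the next, "+A-A+B" discards nothing while "+A+B" discards one page.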
From: David Gibson
To: Michael Tsirkin, David Hildenbrand, Peter Maydell
Cc: qemu-ppc@nongnu.org, qemu-devel@nongnu.org, David Gibson
Date: Wed, 6 Mar 2019 14:06:01 +1100
Message-Id: <20190306030601.21986-4-david@gibson.dropbear.id.au>
In-Reply-To: <20190306030601.21986-1-david@gibson.dropbear.id.au>
References: <20190306030601.21986-1-david@gibson.dropbear.id.au>
X-Mailer: git-send-email 2.20.1
Subject: [Qemu-devel] [PATCH 3/3] virtio-balloon: Restore MADV_WILLNEED hint on balloon deflate

Prior to f6deb6d9 "virtio-balloon: Remove unnecessary MADV_WILLNEED on
deflate", the balloon device issued an madvise() MADV_WILLNEED on pages removed
from the balloon. That would hint to the host kernel that the pages were likely
to be needed by the guest in the near future.

It's unclear if this is actually valuable or not, and so f6deb6d9 removed this,
essentially ignoring balloon deflate requests. However, concerns have been
raised that this might cause a performance regression by causing extra latency
for the guest in certain configurations.

So, until we can get actual benchmark data to see if that's the case, this
restores the old behaviour, issuing a MADV_WILLNEED when a page is removed from
the balloon.

Signed-off-by: David Gibson
---
 hw/virtio/virtio-balloon.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index 7412bf8c85..ac36988605 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -118,6 +118,8 @@ static void balloon_deflate_page(VirtIOBalloon *balloon, RAMBlock *rb; size_t rb_page_size; ram_addr_t ram_offset, host_page_base; + void *host_addr; + int ret; /* XXX is there a better way to get to the RAMBlock than via a * host address? */ @@ -146,6 +148,17 @@ static void balloon_deflate_page(VirtIOBalloon *balloon, balloon->pbp = NULL; } } + + host_addr = (void *)((uintptr_t)addr & ~(rb_page_size - 1)); + + /* When a page is deflated, we hint the whole host page it lives + * on, since we can't do anything smaller */ + ret = qemu_madvise(host_addr, rb_page_size, QEMU_MADV_WILLNEED); + if (ret != 0) { + warn_report("Couldn't MADV_WILLNEED on balloon deflate: %s", + strerror(errno)); + /* Otherwise ignore, failing to page hint shouldn't be fatal */ + } } static const char *balloon_stat_names[] = {
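Review bot: the warn_report() in the second hunk fires once per deflated page whenever the hint fails. On hosts without madvise support QEMU_MADV_WILLNEED is defined as QEMU_MADV_INVALID and qemu_madvise() returns -1 with errno set to EINVAL every time, so a guest deflating a large balloon would flood the log; suggest warn_report_once(), or skipping the call when the advice is unsupported. Also worth stating in the commit message: as the comment says, the hint covers the whole host page even though only one 4kiB subpage was deflated, so on a 64kiB-page host each deflate request may pull in up to 15 subpages the guest has not asked back.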