On 18.07.19 05:50, David Gibson wrote:
> On Wed, Jul 17, 2019 at 12:35:48PM +0200, David Hildenbrand wrote:
>> We are using the wrong functions to set/clear bits, effectively touching
>> multiple bits, writing out of range of the bitmap, resulting in memory
>> corruptions. We have to use set_bit()/clear_bit() instead.
>>
>> Can easily be reproduced by starting a qemu guest on hugetlbfs memory,
>> inflating the balloon. QEMU crashes. This never could have worked
>> properly - especially, also pages would have been discarded when the
>> first sub-page would be inflated (the whole bitmap would be set).
>>
>> While testing I realized that on hugetlbfs it is pretty much impossible
>> to discard a page - the guest just frees the 4k sub-pages in random order
>> most of the time. I was only able to discard a hugepage a handful of
>> times - so I hope that now works correctly.
>>
>> Fixes: ed48c59875b6 ("virtio-balloon: Safely handle BALLOON_PAGE_SIZE <
>> host page size")
>> Fixes: b27b32391404 ("virtio-balloon: Fix possible guest memory corruption
>> with inflates & deflates")
>> Cc: qemu-sta...@nongnu.org #v4.0.0
>> Cc: Stefan Hajnoczi <stefa...@redhat.com>
>> Cc: David Gibson <da...@gibson.dropbear.id.au>
>> Cc: Michael S. Tsirkin <m...@redhat.com>
>> Cc: Igor Mammedov <imamm...@redhat.com>
>> Signed-off-by: David Hildenbrand <da...@redhat.com>
>
> Ahem. You can pass me the brown paper bag now.
>

No worries, BUGs are inevitable. Thanks!

--
Thanks,

David / dhildenb