From f11335db5e3901f6afc2eafa03a3b970562538b2 Mon Sep 17 00:00:00 2001
From: Andrew Vagin
Date: Tue, 2 Jul 2013 15:35:13 +0930
Subject: virtio-pci: fix leaks of msix_affinity_masks

vp_dev->msix_vectors should be initialized before allocating msix_affinity_masks, otherwise vp_free_vectors will not free these objects.

unreferenced object 0xffff88010f969d88 (size 512):
comm "systemd-udevd", pid 158, jiffies 4294673645 (age 80.545s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[] kmemleak_alloc+0x5e/0xc0
[] kmem_cache_alloc_node_trace+0x141/0x2c0
[] alloc_cpumask_var_node+0x23/0x80
[] alloc_cpumask_var+0xe/0x10
[] vp_try_to_find_vqs+0x25d/0x810
[] vp_find_vqs+0x81/0xb0
[] init_vqs+0x85/0x120 [virtio_balloon]
[] virtballoon_probe+0xf9/0x1a0 [virtio_balloon]
[] virtio_dev_probe+0xde/0x140
[] driver_probe_device+0x98/0x3a0
[] __driver_attach+0xab/0xb0
[] bus_for_each_dev+0x94/0xb0
[] driver_attach+0x1e/0x20
[] bus_add_driver+0x200/0x280
[] driver_register+0x74/0x160
[] register_virtio_driver+0x20/0x40

v2: change msix_vectors uncoditionaly in vp_free_vectors

Cc: Rusty Russell
Cc: "Michael S. Tsirkin"
Cc: Jason Wang
Signed-off-by: Andrew Vagin
Acked-by: Michael S. Tsirkin
Acked-by: Jason Wang
Signed-off-by: Rusty Russell
---
 drivers/virtio/virtio_pci.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'drivers/virtio')

diff --git a/drivers/virtio/virtio_pci.c b/drivers/virtio/virtio_pci.c
index a7ce73029f59..1aba255b5879 100644
--- a/drivers/virtio/virtio_pci.c
+++ b/drivers/virtio/virtio_pci.c
@@ -289,9 +289,9 @@ static void vp_free_vectors(struct virtio_device *vdev)
 pci_disable_msix(vp_dev->pci_dev);
 vp_dev->msix_enabled = 0;
- vp_dev->msix_vectors = 0;
 }
+ vp_dev->msix_vectors = 0;
 vp_dev->msix_used_vectors = 0;
 kfree(vp_dev->msix_names);
 vp_dev->msix_names = NULL;
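Review bot: vp_free_vectors can now be entered with msix_vectors nonzero while msix_affinity_masks is still NULL, because the next hunk assigns `vp_dev->msix_vectors = nvectors;` before the msix_entries allocation and a failure there presumably takes the error path that calls this function. The loop that frees the masks lies outside this hunk, so this is inferred from the commit message, but if it indexes `msix_affinity_masks[i]` for `i < msix_vectors` without first checking the array pointer, that error path dereferences NULL in the kernel. Either guard the walk with `if (vp_dev->msix_affinity_masks)` or assign msix_vectors only once the masks array itself has been allocated. A one-line comment beside the moved `vp_dev->msix_vectors = 0;` noting that the count bounds the mask-freeing loop would record why the reset had to leave the preceding block.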
@@ -309,6 +309,8 @@ static int vp_request_msix_vectors(struct virtio_device *vdev, int nvectors,
 unsigned i, v;
 int err = -ENOMEM;
+ vp_dev->msix_vectors = nvectors;
+
 vp_dev->msix_entries = kmalloc(nvectors * sizeof *vp_dev->msix_entries, GFP_KERNEL);
 if (!vp_dev->msix_entries)
@@ -336,7 +338,6 @@ static int vp_request_msix_vectors(struct virtio_device *vdev, int nvectors,
 err = -ENOSPC;
 if (err) goto error;
- vp_dev->msix_vectors = nvectors;
 vp_dev->msix_enabled = 1;
 /* Set the vector used for configuration */
-- cgit v1.2.3

From 8c6bab4f3874d31804a00782c48a8f244a0d3cc0 Mon Sep 17 00:00:00 2001
From: Luiz Capitulino
Date: Tue, 2 Jul 2013 15:35:13 +0930
Subject: virtio_balloon: leak_balloon(): only tell host if we got pages deflated

balloon_page_dequeue() can return NULL. If it does for the first page being freed then leak_balloon() will create a scatter list with len=0. Which in turn seems to generate an invalid virtio request. I didn't get this in practice, I found it by code review. On the other hand, such an invalid virtio request will cause errors in QEMU and fill_balloon() also performs the same check implemented by this commit. This bug was introduced in e2250429.

Signed-off-by: Luiz Capitulino
Acked-by: Rafael Aquini
Signed-off-by: Andrew Morton
Signed-off-by: Rusty Russell
Cc: stable@kernel.org # 3.9
---
 drivers/virtio/virtio_balloon.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'drivers/virtio')

diff --git a/drivers/virtio/virtio_balloon.c b/drivers/virtio/virtio_balloon.c
index bd3ae324a1a2..71af7b5abe01 100644
--- a/drivers/virtio/virtio_balloon.c
+++ b/drivers/virtio/virtio_balloon.c
@@ -191,7 +191,8 @@ static void leak_balloon(struct virtio_balloon *vb, size_t num)
 * virtio_has_feature(vdev, VIRTIO_BALLOON_F_MUST_TELL_HOST);
 * is true, we *have* to do it in this order
 */
- tell_host(vb, vb->deflate_vq);
+ if (vb->num_pfns != 0)
+ tell_host(vb, vb->deflate_vq);
 mutex_unlock(&vb->balloon_lock);
 release_pages_by_pfn(vb->pfns, vb->num_pfns);
 }
-- cgit v1.2.3
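Review bot: `release_pages_by_pfn(vb->pfns, vb->num_pfns);` still runs after `mutex_unlock(&vb->balloon_lock);`, so the array and count that the new `vb->num_pfns != 0` test reads under the lock are read again once the lock has been dropped. If another path such as fill_balloon rewrites vb->pfns while holding balloon_lock (not visible in this hunk), the pages released here may not be the ones just reported to the host. Swapping the last two statements keeps both uses under the lock: `release_pages_by_pfn(vb->pfns, vb->num_pfns);` followed by `mutex_unlock(&vb->balloon_lock);`. The start of leak_balloon is outside the hunk, so where num_pfns is filled in was not checked.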