[PATCH really v2] KVM: PPC: Book3S: Fix race and leak in kvm_vm_ioctl_create_spapr_tce()
David Hildenbrand
david at redhat.com
Fri Aug 25 03:25:22 AEST 2017
On 24.08.2017 11:14, Paul Mackerras wrote:
> Nixiaoming pointed out that there is a memory leak in
> kvm_vm_ioctl_create_spapr_tce() if the call to anon_inode_getfd()
> fails; the memory allocated for the kvmppc_spapr_tce_table struct
> is not freed, and nor are the pages allocated for the iommu
> tables. In addition, we have already incremented the process's
> count of locked memory pages, and this doesn't get restored on
> error.
>
> David Hildenbrand pointed out that there is a race in that the
> function checks early on that there is not already an entry in the
> stt->iommu_tables list with the same LIOBN, but an entry with the
> same LIOBN could get added between then and when the new entry is
> added to the list.
>
> This fixes all three problems. To simplify things, we now call
> anon_inode_getfd() before placing the new entry in the list. The
> check for an existing entry is done while holding the kvm->lock
> mutex, immediately before adding the new entry to the list.
> Finally, on failure we now call kvmppc_account_memlimit to
> decrement the process's count of locked memory pages.
>
> Reported-by: Nixiaoming <nixiaoming at huawei.com>
> Reported-by: David Hildenbrand <david at redhat.com>
> Signed-off-by: Paul Mackerras <paulus at ozlabs.org>
> ---
> v2: Don't overwrite stt in loop over spapr_tce_tables
>
Reviewed-by: David Hildenbrand <david at redhat.com>
--
Thanks,
David
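To illustrate the ordering the commit message describes (fd creation before the entry is published, duplicate-LIOBN check and insertion done atomically under kvm->lock, locked-page accounting undone on every failure path), here is an added user-space model in C. It is not the kernel patch or any Linux code; every name in it (tce_table, create_tce_table, anon_fd_create, account_memlimit, fd_create_should_fail) is invented, and the list, mutex and counter stand in for the KVM structures.

```c
/* Added user-space model of the fixed kvm_vm_ioctl_create_spapr_tce() ordering.
 * All identifiers are invented stand-ins, not kernel APIs. */
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>

struct tce_table { unsigned long liobn; struct tce_table *next; };

static struct tce_table *tables;          /* stands in for the per-VM spapr_tce_tables list */
static pthread_mutex_t kvm_lock = PTHREAD_MUTEX_INITIALIZER; /* stands in for kvm->lock */
static long locked_pages;                 /* process's locked-page count */
bool fd_create_should_fail;               /* test hook: simulate anon_inode_getfd() failing */

/* Stand-in for kvmppc_account_memlimit(): inc=true charges, inc=false refunds. */
static int account_memlimit(long npages, bool inc)
{ locked_pages += inc ? npages : -npages; return 0; }

/* Stand-in for anon_inode_getfd(); returns a dummy descriptor or -1. */
static int anon_fd_create(void) { return fd_create_should_fail ? -1 : 3; }

/* Returns an fd (>= 0) on success, -1 on any failure with everything undone. */
int create_tce_table(unsigned long liobn, long npages)
{
    struct tce_table *stt, *it;
    int fd;

    if (account_memlimit(npages, true)) return -1;
    stt = calloc(1, sizeof(*stt));
    if (!stt) goto fail_acct;
    stt->liobn = liobn;

    /* Create the fd BEFORE the entry is visible on the list: a failure here
     * can no longer leave a published-but-broken table behind. */
    fd = anon_fd_create();
    if (fd < 0) goto fail_free;

    /* Duplicate check and insertion are one critical section, so no second
     * caller can slip an equal LIOBN in between them. */
    pthread_mutex_lock(&kvm_lock);
    for (it = tables; it; it = it->next)
        if (it->liobn == liobn) { pthread_mutex_unlock(&kvm_lock); goto fail_free; }
    stt->next = tables; tables = stt;
    pthread_mutex_unlock(&kvm_lock);
    return fd;

fail_free:
    free(stt);            /* the dummy fd needs no release in this model */
fail_acct:
    account_memlimit(npages, false);   /* refund the locked-page accounting */
    return -1;
}

long locked_page_count(void) { return locked_pages; }
int table_count(void) { int n = 0; for (struct tce_table *t = tables; t; t = t->next) n++; return n; }
```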