git.ipfire.org Git - thirdparty/qemu.git/commit
virtio-balloon: Fix possible guest memory corruption with inflates & deflates
author: David Gibson <david@gibson.dropbear.id.au>
Wed, 6 Mar 2019 03:06:00 +0000 (14:06 +1100)
committer: Michael Roth <mdroth@linux.vnet.ibm.com>
Tue, 30 Jul 2019 17:35:14 +0000 (12:35 -0500)
commit: 38e8e9007d4e40840c5277e19a45f44b4314c197
tree: a1fcc6114b77c561ed2b9b5537e62352a3664f45
parent: 80c96a7b604d5f3816d857d4d108518895c1db2b
virtio-balloon: Fix possible guest memory corruption with inflates & deflates

This fixes a balloon bug with a nasty consequence - potentially
corrupting guest memory - but which is extremely unlikely to be
triggered in practice.

The balloon always works in 4kiB units, but the host could have a
larger page size on certain platforms.  Since ed48c59 "virtio-balloon:
Safely handle BALLOON_PAGE_SIZE < host page size" we've handled this
by accumulating requests to balloon 4kiB subpages until they formed a
full host page.  Since f6deb6d "virtio-balloon: Remove unnecessary
MADV_WILLNEED on deflate" we essentially ignore deflate requests.

Suppose we have a host with 8kiB pages, and one host page has subpages
A & B.  If we get this sequence of events -
inflate A
deflate A
inflate B
- the current logic will discard the whole host page.  That's
incorrect because the guest has deflated subpage A, and could have
written important data to it.

This patch fixes the problem by adjusting our state information about
partially ballooned host pages when deflate requests are received.

Fixes: ed48c59 "virtio-balloon: Safely handle BALLOON_PAGE_SIZE < host page size"
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Message-Id: <20190306030601.21986-3-david@gibson.dropbear.id.au>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: David Hildenbrand <david@redhat.com>
(cherry picked from commit b27b3239140470b7d593e3b0b09687bcc6fbf274)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
hw/virtio/virtio-balloon.c
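A small model of the subpage bookkeeping the commit message describes, added here as an example and not QEMU's own code: it assumes an 8 KiB host page tracked as a bitmap of two 4 KiB subpages that is discarded once the bitmap is full, and contrasts the pre-fix deflate handling (request ignored) with the fixed handling (subpage bit cleared).

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model: an 8 KiB host page made of two 4 KiB balloon subpages. */
#define SUBPAGES_PER_HOST_PAGE 2u
#define FULL_MASK ((1u << SUBPAGES_PER_HOST_PAGE) - 1u)

struct host_page_state {
    uint32_t inflated_mask; /* bit i set: subpage i has a pending inflate */
    bool discarded;         /* the whole host page was handed back to the host */
};

/* Inflate one subpage; once every subpage is inflated, discard the host page. */
static void inflate_subpage(struct host_page_state *s, unsigned idx)
{
    s->inflated_mask |= 1u << idx;
    if (s->inflated_mask == FULL_MASK) {
        s->discarded = true;
        s->inflated_mask = 0;
    }
}

/* Pre-fix behaviour: the deflate is ignored and the tracking state is left as is. */
static void deflate_subpage_buggy(struct host_page_state *s, unsigned idx)
{
    (void)s; (void)idx;
}

/* Fixed behaviour: forget the subpage so a later inflate cannot complete the page. */
static void deflate_subpage_fixed(struct host_page_state *s, unsigned idx)
{
    s->inflated_mask &= ~(1u << idx);
}

/* Replay a constructed request trace such as "i0 d0 i1" (i = inflate, d = deflate,
 * digit = subpage index). Returns true if the host page ended up discarded. */
bool replay(const char *trace, bool fixed)
{
    struct host_page_state s = { 0, false };
    for (const char *p = trace; *p; p++) {
        if (*p != 'i' && *p != 'd') continue;
        unsigned idx = (unsigned)(p[1] - '0');
        if (*p == 'i') inflate_subpage(&s, idx);
        else if (fixed) deflate_subpage_fixed(&s, idx);
        else deflate_subpage_buggy(&s, idx);
    }
    return s.discarded;
}
```

Replaying the trace "i0 d0 i1" from the message discards the host page under the old handling (losing whatever the guest wrote to the deflated subpage) and keeps it under the fixed handling, while a genuine full inflate still discards the page in both.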