[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PULL 24/40] ivshmem: Plug leaks on unplug, fix peer discon
From: |
Markus Armbruster |
Subject: |
[Qemu-devel] [PULL 24/40] ivshmem: Plug leaks on unplug, fix peer disconnect |
Date: |
Fri, 18 Mar 2016 18:01:11 +0100 |
close_peer_eventfds() cleans up three things: ioeventfd triggers if
they exist, eventfds, and the array to store them.
Commit 98609cd (v1.2.0) fixed it not to clean up ioeventfd triggers
when they don't exist (property ioeventfd=off, which is the default).
Unfortunately, the fix also made it skip cleanup of the eventfds and
the array then. This is a memory and file descriptor leak on unplug.
Additionally, the reset of nb_eventfds is skipped. Doesn't matter on
unplug. On peer disconnect, however, this permanently wedges the
interrupt vectors used for that peer's ID. The eventfds stay behind,
but aren't connected to a peer anymore. When the ID gets recycled for
a new peer, the new peer's eventfds get assigned to vectors after the
old ones. Commonly, the device's number of vectors matches the
server's, so the new ones get dropped with a "Too many eventfd
received" message. Interrupts either don't work (common case) or go
to the wrong vector.
Fix by narrowing the conditional to just the ioeventfd trigger
cleanup.
While there, move the "invalid" peer check to the only caller where it
can actually happen, and tighten it to reject own ID.
Cc: Paolo Bonzini <address@hidden>
Signed-off-by: Markus Armbruster <address@hidden>
Reviewed-by: Marc-André Lureau <address@hidden>
Message-Id: <address@hidden>
---
hw/misc/ivshmem.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/hw/misc/ivshmem.c b/hw/misc/ivshmem.c
index d8d363e..c6d5dd5 100644
--- a/hw/misc/ivshmem.c
+++ b/hw/misc/ivshmem.c
@@ -428,21 +428,17 @@ static void close_peer_eventfds(IVShmemState *s, int posn)
{
int i, n;
- if (!ivshmem_has_feature(s, IVSHMEM_IOEVENTFD)) {
- return;
- }
- if (posn < 0 || posn >= s->nb_peers) {
- error_report("invalid peer %d", posn);
- return;
- }
-
+ assert(posn >= 0 && posn < s->nb_peers);
n = s->peers[posn].nb_eventfds;
- memory_region_transaction_begin();
- for (i = 0; i < n; i++) {
- ivshmem_del_eventfd(s, posn, i);
+ if (ivshmem_has_feature(s, IVSHMEM_IOEVENTFD)) {
+ memory_region_transaction_begin();
+ for (i = 0; i < n; i++) {
+ ivshmem_del_eventfd(s, posn, i);
+ }
+ memory_region_transaction_commit();
}
- memory_region_transaction_commit();
+
for (i = 0; i < n; i++) {
event_notifier_cleanup(&s->peers[posn].eventfds[i]);
}
@@ -598,6 +594,10 @@ static void process_msg_shmem(IVShmemState *s, int fd)
static void process_msg_disconnect(IVShmemState *s, uint16_t posn)
{
IVSHMEM_DPRINTF("posn %d has gone away\n", posn);
+ if (posn >= s->nb_peers || posn == s->vm_id) {
+ error_report("invalid peer %d", posn);
+ return;
+ }
close_peer_eventfds(s, posn);
}
--
2.4.3
- [Qemu-devel] [PULL 06/40] tests/libqos/pci-pc: Fix qpci_pc_iomap() to map BARs aligned, (continued)
- [Qemu-devel] [PULL 06/40] tests/libqos/pci-pc: Fix qpci_pc_iomap() to map BARs aligned, Markus Armbruster, 2016/03/18
- [Qemu-devel] [PULL 03/40] ivshmem-server: Don't overload POSIX shmem and file name, Markus Armbruster, 2016/03/18
- [Qemu-devel] [PULL 08/40] ivshmem-test: Clean up wait for devices to become operational, Markus Armbruster, 2016/03/18
- [Qemu-devel] [PULL 01/40] target-ppc: Document TOCTTOU in hugepage support, Markus Armbruster, 2016/03/18
- [Qemu-devel] [PULL 05/40] event_notifier: Make event_notifier_init_fd() #ifdef CONFIG_EVENTFD, Markus Armbruster, 2016/03/18
- [Qemu-devel] [PULL 15/40] ivshmem: Don't destroy the chardev on version mismatch, Markus Armbruster, 2016/03/18
- [Qemu-devel] [PULL 11/40] ivshmem: Add missing newlines to debug printfs, Markus Armbruster, 2016/03/18
- [Qemu-devel] [PULL 22/40] ivshmem: Simplify rejection of invalid peer ID from server, Markus Armbruster, 2016/03/18
- [Qemu-devel] [PULL 18/40] ivshmem: Clean up register callbacks, Markus Armbruster, 2016/03/18
- [Qemu-devel] [PULL 14/40] ivshmem: Drop ivshmem_event() stub, Markus Armbruster, 2016/03/18
- [Qemu-devel] [PULL 24/40] ivshmem: Plug leaks on unplug, fix peer disconnect,
Markus Armbruster <=
- [Qemu-devel] [PULL 38/40] ivshmem: Drop ivshmem property x-memdev, Markus Armbruster, 2016/03/18
- [Qemu-devel] [PULL 20/40] ivshmem: Leave INTx alone when using MSI-X, Markus Armbruster, 2016/03/18
- [Qemu-devel] [PULL 39/40] ivshmem: Require master to have ID zero, Markus Armbruster, 2016/03/18
- [Qemu-devel] [PULL 33/40] ivshmem: Inline check_shm_size() into its only caller, Markus Armbruster, 2016/03/18
- [Qemu-devel] [PULL 26/40] ivshmem: Propagate errors through ivshmem_recv_setup(), Markus Armbruster, 2016/03/18
- [Qemu-devel] [PULL 10/40] ivshmem: Rewrite specification document, Markus Armbruster, 2016/03/18
- [Qemu-devel] [PULL 32/40] ivshmem: Simplify memory regions for BAR 2 (shared memory), Markus Armbruster, 2016/03/18
- [Qemu-devel] [PULL 04/40] qemu-doc: Fix ivshmem huge page example, Markus Armbruster, 2016/03/18
- [Qemu-devel] [PULL 29/40] ivshmem: Simplify how we cope with short reads from server, Markus Armbruster, 2016/03/18
- [Qemu-devel] [PULL 19/40] ivshmem: Clean up MSI-X conditions, Markus Armbruster, 2016/03/18