[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PULL v2 24/40] ivshmem: Plug leaks on unplug, fix peer dis
From: |
Markus Armbruster |
Subject: |
[Qemu-devel] [PULL v2 24/40] ivshmem: Plug leaks on unplug, fix peer disconnect |
Date: |
Mon, 21 Mar 2016 21:43:47 +0100 |
close_peer_eventfds() cleans up three things: ioeventfd triggers if
they exist, eventfds, and the array to store them.
Commit 98609cd (v1.2.0) fixed it not to clean up ioeventfd triggers
when they don't exist (property ioeventfd=off, which is the default).
Unfortunately, the fix also made it skip cleanup of the eventfds and
the array then. This is a memory and file descriptor leak on unplug.
Additionally, the reset of nb_eventfds is skipped. Doesn't matter on
unplug. On peer disconnect, however, this permanently wedges the
interrupt vectors used for that peer's ID. The eventfds stay behind,
but aren't connected to a peer anymore. When the ID gets recycled for
a new peer, the new peer's eventfds get assigned to vectors after the
old ones. Commonly, the device's number of vectors matches the
server's, so the new ones get dropped with a "Too many eventfd
received" message. Interrupts either don't work (common case) or go
to the wrong vector.
Fix by narrowing the conditional to just the ioeventfd trigger
cleanup.
While there, move the "invalid" peer check to the only caller where it
can actually happen, and tighten it to reject own ID.
Cc: Paolo Bonzini <address@hidden>
Signed-off-by: Markus Armbruster <address@hidden>
Reviewed-by: Marc-André Lureau <address@hidden>
Message-Id: <address@hidden>
---
hw/misc/ivshmem.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/hw/misc/ivshmem.c b/hw/misc/ivshmem.c
index d8d363e..c6d5dd5 100644
--- a/hw/misc/ivshmem.c
+++ b/hw/misc/ivshmem.c
@@ -428,21 +428,17 @@ static void close_peer_eventfds(IVShmemState *s, int posn)
{
int i, n;
- if (!ivshmem_has_feature(s, IVSHMEM_IOEVENTFD)) {
- return;
- }
- if (posn < 0 || posn >= s->nb_peers) {
- error_report("invalid peer %d", posn);
- return;
- }
-
+ assert(posn >= 0 && posn < s->nb_peers);
n = s->peers[posn].nb_eventfds;
- memory_region_transaction_begin();
- for (i = 0; i < n; i++) {
- ivshmem_del_eventfd(s, posn, i);
+ if (ivshmem_has_feature(s, IVSHMEM_IOEVENTFD)) {
+ memory_region_transaction_begin();
+ for (i = 0; i < n; i++) {
+ ivshmem_del_eventfd(s, posn, i);
+ }
+ memory_region_transaction_commit();
}
- memory_region_transaction_commit();
+
for (i = 0; i < n; i++) {
event_notifier_cleanup(&s->peers[posn].eventfds[i]);
}
@@ -598,6 +594,10 @@ static void process_msg_shmem(IVShmemState *s, int fd)
static void process_msg_disconnect(IVShmemState *s, uint16_t posn)
{
IVSHMEM_DPRINTF("posn %d has gone away\n", posn);
+ if (posn >= s->nb_peers || posn == s->vm_id) {
+ error_report("invalid peer %d", posn);
+ return;
+ }
close_peer_eventfds(s, posn);
}
--
2.4.3
- [Qemu-devel] [PULL v2 18/40] ivshmem: Clean up register callbacks, (continued)
- [Qemu-devel] [PULL v2 18/40] ivshmem: Clean up register callbacks, Markus Armbruster, 2016/03/21
- [Qemu-devel] [PULL v2 17/40] ivshmem: Failed realize() can leave migration blocker behind, Markus Armbruster, 2016/03/21
- [Qemu-devel] [PULL v2 22/40] ivshmem: Simplify rejection of invalid peer ID from server, Markus Armbruster, 2016/03/21
- [Qemu-devel] [PULL v2 16/40] ivshmem: Fix harmless misuse of Error, Markus Armbruster, 2016/03/21
- [Qemu-devel] [PULL v2 34/40] qdev: New DEFINE_PROP_ON_OFF_AUTO, Markus Armbruster, 2016/03/21
- [Qemu-devel] [PULL v2 38/40] ivshmem: Drop ivshmem property x-memdev, Markus Armbruster, 2016/03/21
- [Qemu-devel] [PULL v2 06/40] tests/libqos/pci-pc: Fix qpci_pc_iomap() to map BARs aligned, Markus Armbruster, 2016/03/21
- [Qemu-devel] [PULL v2 11/40] ivshmem: Add missing newlines to debug printfs, Markus Armbruster, 2016/03/21
- [Qemu-devel] [PULL v2 14/40] ivshmem: Drop ivshmem_event() stub, Markus Armbruster, 2016/03/21
- [Qemu-devel] [PULL v2 15/40] ivshmem: Don't destroy the chardev on version mismatch, Markus Armbruster, 2016/03/21
- [Qemu-devel] [PULL v2 24/40] ivshmem: Plug leaks on unplug, fix peer disconnect,
Markus Armbruster <=
- [Qemu-devel] [PULL v2 20/40] ivshmem: Leave INTx alone when using MSI-X, Markus Armbruster, 2016/03/21
- [Qemu-devel] [PULL v2 27/40] ivshmem: Rely on server sending the ID right after the version, Markus Armbruster, 2016/03/21
- [Qemu-devel] [PULL v2 29/40] ivshmem: Simplify how we cope with short reads from server, Markus Armbruster, 2016/03/21
- [Qemu-devel] [PULL v2 31/40] ivshmem: Implement shm=... with a memory backend, Markus Armbruster, 2016/03/21
- [Qemu-devel] [PULL v2 35/40] ivshmem: Replace int role_val by OnOffAuto master, Markus Armbruster, 2016/03/21
- [Qemu-devel] [PULL v2 01/40] target-ppc: Document TOCTTOU in hugepage support, Markus Armbruster, 2016/03/21
- [Qemu-devel] [PULL v2 25/40] ivshmem: Receive shared memory synchronously in realize(), Markus Armbruster, 2016/03/21
- [Qemu-devel] [PULL v2 10/40] ivshmem: Rewrite specification document, Markus Armbruster, 2016/03/21
- [Qemu-devel] [PULL v2 39/40] ivshmem: Require master to have ID zero, Markus Armbruster, 2016/03/21
- [Qemu-devel] [PULL v2 03/40] ivshmem-server: Don't overload POSIX shmem and file name, Markus Armbruster, 2016/03/21