Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Subject: Re: [RESEND PATCH v2] KVM: fix memory leak in
 kvm_io_bus_unregister_dev()
To:     Rustam Kovhaev <rkovhaev@gmail.com>, vkuznets@redhat.com,
        gustavoars@kernel.org, kvm@vger.kernel.org
Cc:     linux-kernel@vger.kernel.org, gregkh@linuxfoundation.org,
        stable@vger.kernel.org
References: <20200907185535.233114-1-rkovhaev@gmail.com>
From:   Paolo Bonzini <pbonzini@redhat.com>
Message-ID: <979a4030-6934-41bd-ee55-a3e301f04cc6@redhat.com>
Date:   Fri, 11 Sep 2020 18:02:21 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.11.0
MIME-Version: 1.0
In-Reply-To: <20200907185535.233114-1-rkovhaev@gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

On 07/09/20 20:55, Rustam Kovhaev wrote:
> when kmalloc() fails in kvm_io_bus_unregister_dev(), before removing
> the bus, we should iterate over all other devices linked to it and call
> kvm_iodevice_destructor() for them
> 
> Fixes: 90db10434b16 ("KVM: kvm_io_bus_unregister_dev() should never fail")
> Cc: stable@vger.kernel.org
> Reported-and-tested-by: syzbot+f196caa45793d6374707@syzkaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?extid=f196caa45793d6374707
> Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
> Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
> ---
> v2:
> - remove redundant whitespace
> - remove goto statement and use if/else
> - add Fixes tag
> ---
>  virt/kvm/kvm_main.c | 21 ++++++++++++---------
>  1 file changed, 12 insertions(+), 9 deletions(-)
> 
> diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
> index 67cd0b88a6b6..cf88233b819a 100644
> --- a/virt/kvm/kvm_main.c
> +++ b/virt/kvm/kvm_main.c
> @@ -4332,7 +4332,7 @@ int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr,
>  void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
>  			       struct kvm_io_device *dev)
>  {
> -	int i;
> +	int i, j;
>  	struct kvm_io_bus *new_bus, *bus;
>  
>  	bus = kvm_get_bus(kvm, bus_idx);
> @@ -4349,17 +4349,20 @@ void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
>  
>  	new_bus = kmalloc(struct_size(bus, range, bus->dev_count - 1),
>  			  GFP_KERNEL_ACCOUNT);
> -	if (!new_bus)  {
> +	if (new_bus) {
> +		memcpy(new_bus, bus, sizeof(*bus) + i * sizeof(struct kvm_io_range));
> +		new_bus->dev_count--;
> +		memcpy(new_bus->range + i, bus->range + i + 1,
> +		       (new_bus->dev_count - i) * sizeof(struct kvm_io_range));
> +	} else {
>  		pr_err("kvm: failed to shrink bus, removing it completely\n");
> -		goto broken;
> +		for (j = 0; j < bus->dev_count; j++) {
> +			if (j == i)
> +				continue;
> +			kvm_iodevice_destructor(bus->range[j].dev);
> +		}
>  	}
>  
> -	memcpy(new_bus, bus, sizeof(*bus) + i * sizeof(struct kvm_io_range));
> -	new_bus->dev_count--;
> -	memcpy(new_bus->range + i, bus->range + i + 1,
> -	       (new_bus->dev_count - i) * sizeof(struct kvm_io_range));
> -
> -broken:
>  	rcu_assign_pointer(kvm->buses[bus_idx], new_bus);
>  	synchronize_srcu_expedited(&kvm->srcu);
>  	kfree(bus);
> 

Queued, thanks.

I am currently on leave so I am going through the patches and queuing
them, but I will only push kvm/next and kvm/queue next week.  kvm/master
patches will be sent to Linus for the next -rc though.

Paolo