On 24.08.2017 11:14, Paul Mackerras wrote:
> Nixiaoming pointed out that there is a memory leak in
> kvm_vm_ioctl_create_spapr_tce() if the call to anon_inode_getfd()
> fails; the memory allocated for the kvmppc_spapr_tce_table struct is
> not freed, and nor are the pages allocated for the iommu tables. In
> addition, we have already incremented the process's count of locked
> memory pages, and this doesn't get restored on error.
>
> David Hildenbrand pointed out that there is a race in that the
> function checks early on that there is not already an entry in the
> stt->iommu_tables list with the same LIOBN, but an entry with the
> same LIOBN could get added between then and when the new entry is
> added to the list.
>
> This fixes all three problems. To simplify things, we now call
> anon_inode_getfd() before placing the new entry in the list. The
> check for an existing entry is done while holding the kvm->lock mutex,
> immediately before adding the new entry to the list.
> Finally, on failure we now call kvmppc_account_memlimit to decrement
> the process's count of locked memory pages.
>
> Reported-by: Nixiaoming <nixiaoming@xxxxxxxxxx>
> Reported-by: David Hildenbrand <david@xxxxxxxxxx>
> Signed-off-by: Paul Mackerras <paulus@xxxxxxxxxx>
> ---
> v2: Don't overwrite stt in loop over spapr_tce_tables
>

Reviewed-by: nixiaoming <nixiaoming@xxxxxxxxxx>
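Added example, written for this page and not code from the patch, the thread or the kernel: a user-space C model of the two orderings the commit message contrasts, the unfixed one (early duplicate check, entry on the list, fd created last, nothing unwound on failure) and the fixed one (fd created first, duplicate check and insertion together under the lock, full unwind on every failure). Every name here (tce_table, tables, locked_pages, live_allocs, getfd_fail, fake_anon_inode_getfd, create_tce_before_fix, create_tce_after_fix, reset_model) is a hypothetical stand-in for the kernel object of the same role; the kvm->lock mutex is represented by comments, so the model is single-threaded and shows the check-then-insert ordering, not the race itself. The allocation and locked-page counters exist so that a leak on the failure path is measurable rather than invisible.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical user-space model, not kernel code: tce_table stands in for
 * kvmppc_spapr_tce_table, `tables` for the per-VM list of tables, and
 * fake_anon_inode_getfd() for the fd-creation step that can fail. */
struct tce_table {
    unsigned long liobn;
    size_t npages;
    unsigned char **pages;
    struct tce_table *next;
};

static struct tce_table *tables;  /* registered tables, newest first */
long locked_pages;                /* the process's locked-page count */
long live_allocs;                 /* outstanding malloc()s, so a leak is measurable */
int getfd_fail;                   /* test hook: 1 makes the fd step fail with -ENOMEM */

static void account_memlimit(long pages, int inc)
{
    locked_pages += inc ? pages : -pages;
}

static int fake_anon_inode_getfd(void)
{
    return getfd_fail ? -ENOMEM : 7;  /* 7 is an arbitrary fd number */
}

static int liobn_in_use(unsigned long liobn)
{
    for (struct tce_table *it = tables; it; it = it->next)
        if (it->liobn == liobn)
            return 1;
    return 0;
}

static void free_table(struct tce_table *stt)
{
    for (size_t i = 0; i < stt->npages; i++)
        if (stt->pages[i]) { free(stt->pages[i]); live_allocs--; }
    free(stt->pages);
    free(stt);
    live_allocs -= 2;  /* the page array and the struct itself */
}

static struct tce_table *alloc_table(unsigned long liobn, size_t npages)
{
    struct tce_table *stt = calloc(1, sizeof *stt);
    if (!stt)
        return NULL;
    stt->liobn = liobn;
    stt->npages = npages;
    stt->pages = calloc(npages, sizeof *stt->pages);
    if (!stt->pages) { free(stt); return NULL; }
    live_allocs += 2;
    for (size_t i = 0; i < npages; i++) {
        stt->pages[i] = malloc(4096);
        if (!stt->pages[i]) { free_table(stt); return NULL; }
        live_allocs++;
    }
    return stt;
}

/* Ordering the commit message describes for the unfixed code: the duplicate
 * check happens early, the entry goes on the list, the fd is created last, and
 * a failed fd step returns without freeing the table or undoing the accounting. */
int create_tce_before_fix(unsigned long liobn, size_t npages)
{
    struct tce_table *stt;

    if (liobn_in_use(liobn))
        return -EBUSY;  /* another caller can still add this LIOBN after this check */
    account_memlimit((long)npages, 1);
    stt = alloc_table(liobn, npages);
    if (!stt) { account_memlimit((long)npages, 0); return -ENOMEM; }
    stt->next = tables;
    tables = stt;
    return fake_anon_inode_getfd();  /* negative result: stt, pages and accounting leak */
}

/* Fixed ordering: account, allocate, create the fd, then do the duplicate check
 * and the insertion together inside one critical section; each failure unwinds
 * everything done before it. */
int create_tce_after_fix(unsigned long liobn, size_t npages)
{
    struct tce_table *stt;
    int ret;

    account_memlimit((long)npages, 1);
    stt = alloc_table(liobn, npages);
    if (!stt) { ret = -ENOMEM; goto fail_acct; }
    ret = fake_anon_inode_getfd();
    if (ret < 0)
        goto fail_table;
    /* mutex_lock(&kvm->lock): nothing may be inserted between the check and the add */
    if (liobn_in_use(liobn)) {
        ret = -EBUSY;  /* real code must also give back the fd it just obtained */
        goto fail_table;
    }
    stt->next = tables;
    tables = stt;
    /* mutex_unlock(&kvm->lock) */
    return ret;

fail_table:
    free_table(stt);
fail_acct:
    account_memlimit((long)npages, 0);
    return ret;
}

/* Drop every registered table so a test starts from a clean state. */
void reset_model(void)
{
    while (tables) {
        struct tce_table *next = tables->next;
        free_table(tables);
        tables = next;
    }
    locked_pages = 0;
    getfd_fail = 0;
}
```

To reproduce the leak the message describes, set getfd_fail = 1 and call create_tce_before_fix(): it returns -ENOMEM, but live_allocs and locked_pages stay raised and the half-registered entry remains on the list. The same call through create_tce_after_fix() leaves both counters at zero, and a second registration of an already-used LIOBN comes back as -EBUSY with its own allocation and accounting undone.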