Hello! I can't register a new account in bugzilla.kernel.org (my ISP's spam filter problem, maybe?).

--------------------------

I sent this mail to Greg KH (2.6.27.y maintainer), and he sent me: "Can you get the kvm maintainers to agree that this is correct? thanks, greg k-h"

---------------

So the bug: I found a memory allocation bug in kvm/mmu.c & kvm_main.c (in kvm_destroy_vm()).

Affected kernel: 2.6.27.32-2.6.27.41
Mainline kernel (2.6.32) is not affected. (Modified kvm subsystem.)
Cause: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.27.y.git;a=commitdiff_plain;h=d2127c8300fb1ec54af56faee17170e7a525326d
Solution: Revert this patch.

This bug can cause local DoS in the host system.

-------------------

Description: After closing a kvm virtual machine, kvm_destroy_vm() doesn't free mmu_pages. The allocated memory from the host's system is LOST.

A script for demonstration is here: www.freeweb.hu/oscon/kvm-memory-eater.sh.gz
WARNING: this script can cause local DoS.

Description of the script: the script starts a kvm with a boot image file. After start, this script waits 10 sec -> waits for the guest processor to boot (a 586+ kernel image or a Windows guest; a 486 kernel image doesn't activate kvm_amd, for example, and it doesn't allocate... it seems) to activate kvm_svm. You can see the used memory of the host system with top or kinfocenter or others. After 10 sec this script kills the kvm userspace process -> kvm_destroy_vm() is activated. kvm_destroy_vm doesn't free mmu_pages, so you lose ~500 MB of memory from the host system (kvm -m 512). This script starts a kvm again... and so on... :-) You lose all memory from the host, from swap (partition or file) too.

------------------

Comment: oom_killer doesn't protect against this bug. It is not the kvm userspace process that allocates the memory but the kernel module (in my case: kvm_amd), so there isn't a process to kill. No user-initiated process allocates the memory, so ulimit or limits.conf restrictions don't protect.
Removing the kvm_amd and kvm modules from the system doesn't help, because :-): After killing the script and killing the kvm process I tried rmmod kvm_amd. The effect is:

Dec 14 16:12:45 osconsfortress kernel: slab error in kmem_cache_destroy(): cache `kvm_pte_chain': Can't free all objects
Dec 14 16:12:45 osconsfortress kernel: Pid: 9343, comm: rmmod Tainted: P 2.6.27.41 #1
Dec 14 16:12:45 osconsfortress kernel: [<c02d7a27>] ? printk+0x18/0x21
Dec 14 16:12:45 osconsfortress kernel: [<c017ed48>] kmem_cache_destroy+0xb8/0xf0
Dec 14 16:12:45 osconsfortress kernel: [<f9885481>] mmu_destroy_caches+0x11/0x30 [kvm]
Dec 14 16:12:45 osconsfortress kernel: [<f9885558>] kvm_mmu_module_exit+0x8/0x20 [kvm]
Dec 14 16:12:45 osconsfortress kernel: [<f987f4c2>] kvm_arch_exit+0x12/0x20 [kvm]
Dec 14 16:12:45 osconsfortress kernel: [<f987b31a>] kvm_exit+0x5a/0x80 [kvm]
Dec 14 16:12:46 osconsfortress kernel: [<f98ce4d4>] svm_exit+0x8/0xa [kvm_amd]
Dec 14 16:12:46 osconsfortress kernel: [<c014dafa>] sys_delete_module+0x15a/0x200
Dec 14 16:12:46 osconsfortress kernel: [<c0171bc2>] ? do_munmap+0x1d2/0x230
Dec 14 16:12:46 osconsfortress kernel: [<c0103271>] sysenter_do_call+0x12/0x25
Dec 14 16:12:46 osconsfortress kernel: =======================
Dec 14 16:12:46 osconsfortress kernel: slab error in kmem_cache_destroy(): cache `kvm_rmap_desc': Can't free all objects
Dec 14 16:12:46 osconsfortress kernel: Pid: 9343, comm: rmmod Tainted: P 2.6.27.41 #1
Dec 14 16:12:46 osconsfortress kernel: [<c02d7a27>] ? printk+0x18/0x21
Dec 14 16:12:46 osconsfortress kernel: [<c017ed48>] kmem_cache_destroy+0xb8/0xf0
Dec 14 16:12:46 osconsfortress kernel: [<f988548f>] mmu_destroy_caches+0x1f/0x30 [kvm]
Dec 14 16:12:46 osconsfortress kernel: [<f9885558>] kvm_mmu_module_exit+0x8/0x20 [kvm]
Dec 14 16:12:46 osconsfortress kernel: [<f987f4c2>] kvm_arch_exit+0x12/0x20 [kvm]
Dec 14 16:12:46 osconsfortress kernel: [<f987b31a>] kvm_exit+0x5a/0x80 [kvm]
Dec 14 16:12:46 osconsfortress kernel: [<f98ce4d4>] svm_exit+0x8/0xa [kvm_amd]
Dec 14 16:12:46 osconsfortress kernel: [<c014dafa>] sys_delete_module+0x15a/0x200
Dec 14 16:12:46 osconsfortress kernel: [<c0171bc2>] ? do_munmap+0x1d2/0x230
Dec 14 16:12:46 osconsfortress kernel: [<c0103271>] sysenter_do_call+0x12/0x25
Dec 14 16:12:46 osconsfortress kernel: =======================
Dec 14 16:12:46 osconsfortress kernel: slab error in kmem_cache_destroy(): cache `kvm_mmu_page_header': Can't free all objects
Dec 14 16:12:46 osconsfortress kernel: Pid: 9343, comm: rmmod Tainted: P 2.6.27.41 #1
Dec 14 16:12:46 osconsfortress kernel: [<c02d7a27>] ? printk+0x18/0x21
Dec 14 16:12:46 osconsfortress kernel: [<c017ed48>] kmem_cache_destroy+0xb8/0xf0
Dec 14 16:12:46 osconsfortress kernel: [<f988549d>] mmu_destroy_caches+0x2d/0x30 [kvm]
Dec 14 16:12:46 osconsfortress kernel: [<f9885558>] kvm_mmu_module_exit+0x8/0x20 [kvm]
Dec 14 16:12:46 osconsfortress kernel: [<f987f4c2>] kvm_arch_exit+0x12/0x20 [kvm]
Dec 14 16:12:46 osconsfortress kernel: [<f987b31a>] kvm_exit+0x5a/0x80 [kvm]
Dec 14 16:12:46 osconsfortress kernel: [<f98ce4d4>] svm_exit+0x8/0xa [kvm_amd]
Dec 14 16:12:46 osconsfortress kernel: [<c014dafa>] sys_delete_module+0x15a/0x200
Dec 14 16:12:46 osconsfortress kernel: [<c0171bc2>] ? do_munmap+0x1d2/0x230
Dec 14 16:12:46 osconsfortress kernel: [<c0103271>] sysenter_do_call+0x12/0x25
Dec 14 16:12:46 osconsfortress kernel: =======================

I'm using the nvidia binary module, so my kernel images are 'tainted'. SLUB doesn't help :-), same error too.
:-) The bug is tested with 2.6.27.32, 2.6.27.41 and 2.6.32. (2.6.32 is not affected.) Reverting this patch http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.27.y.git;a=commitdiff_plain;h=d2127c8300fb1ec54af56faee17170e7a525326d solves the problem (it seems). I have used a 2.6.27-based kernel with this for 3 days. Tested only with kvm_amd, only on a 32-bit system (Debian lenny). I haven't got an Intel processor with vmx support and I haven't got a 64-bit system.

Hi
Oscon

--
To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
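A defender-side check for the leak described above, added here as an example (it is not the reporter's script and not kvm code): it compares two /proc/slabinfo dumps, taken before a guest boots and after its kvm userspace process has been killed, and reports kvm_* slab objects that kvm_destroy_vm() left behind. It assumes the version 2.1 slabinfo layout and uses the three cache names from the rmmod trace; the sample dumps and their numbers are constructed.

```python
from typing import Dict, Tuple

# Slab caches named in the rmmod trace above; kvm's mmu.c allocates its
# shadow page table metadata (mmu_pages, rmap chains) from them.
KVM_CACHES = ("kvm_pte_chain", "kvm_rmap_desc", "kvm_mmu_page_header")

# Constructed /proc/slabinfo (version 2.1 layout) snapshots, taken before a
# guest boots and after its userspace process is killed. Numbers are made up.
SLABINFO_BEFORE = """slabinfo - version: 2.1
# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
kvm_pte_chain          0      0    128   30    1 : tunables  120   60    8 : slabdata      0      0      0
kvm_rmap_desc          0      0     64   59    1 : tunables  120   60    8 : slabdata      0      0      0
kvm_mmu_page_header    0      0    168   23    1 : tunables  120   60    8 : slabdata      0      0      0
dentry             12345  12400    136   29    1 : tunables  120   60    8 : slabdata    428    428      0
"""
SLABINFO_AFTER = """slabinfo - version: 2.1
# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
kvm_pte_chain       2048   2100    128   30    1 : tunables  120   60    8 : slabdata     70     70      0
kvm_rmap_desc       4096   4130     64   59    1 : tunables  120   60    8 : slabdata     70     70      0
kvm_mmu_page_header 1024   1035    168   23    1 : tunables  120   60    8 : slabdata     45     45      0
dentry             12350  12400    136   29    1 : tunables  120   60    8 : slabdata    428    428      0
"""


def parse_slabinfo(text: str) -> Dict[str, Tuple[int, int, int]]:
    """Return {cache: (active_objs, num_objs, objsize)} for the kvm_* caches."""
    caches = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("slabinfo", "#")):
            continue
        fields = line.split()
        if fields[0] in KVM_CACHES:
            caches[fields[0]] = (int(fields[1]), int(fields[2]), int(fields[3]))
    return caches


def leaked_objects(before: Dict, after: Dict) -> Dict[str, Tuple[int, int]]:
    """Caches whose active-object count grew: {cache: (extra objs, bytes)}.
    Bytes count only the slab objects; every kvm_mmu_page_header also pins a
    full shadow page table page, so this is a lower bound on the lost memory."""
    report = {}
    for name in KVM_CACHES:
        active_before = before.get(name, (0, 0, 0))[0]
        active_after, _, objsize = after.get(name, (0, 0, 0))
        delta = active_after - active_before
        if delta > 0:  # objects kvm_destroy_vm() should have freed
            report[name] = (delta, delta * objsize)
    return report


def total_leaked_bytes(report: Dict[str, Tuple[int, int]]) -> int:
    return sum(nbytes for _, nbytes in report.values())
```

On a live host, feed the two functions the contents of /proc/slabinfo (readable as root) captured before the guest boots and after the kvm process is killed; growth that persists across repeated start/kill cycles is the leak this report describes, and the same counters are what rmmod trips over in the trace above.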