4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 27 Oct 2023 15:14:19 +0000 (17:14 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 27 Oct 2023 15:14:19 +0000 (17:14 +0200)
added patches:
virtio-mmio-fix-memory-leak-of-vm_dev.patch
virtio_balloon-fix-endless-deflation-and-inflation-on-arm64.patch

queue-4.19/series
queue-4.19/virtio-mmio-fix-memory-leak-of-vm_dev.patch [new file with mode: 0644]
queue-4.19/virtio_balloon-fix-endless-deflation-and-inflation-on-arm64.patch [new file with mode: 0644]

index 75bb111f46a16903cad3542e4a2e29372f65486a..15982864a6310238aeeaf50d4f6690de44882976 100644 (file)
@@ -3,3 +3,5 @@ mmc-core-sdio-hold-retuning-if-sdio-in-1-bit-mode.patch
 selftests-ftrace-add-new-test-case-which-checks-non-.patch
 mcb-return-actual-parsed-size-when-reading-chameleon.patch
 mcb-lpc-reallocate-memory-region-to-avoid-memory-ove.patch
+virtio_balloon-fix-endless-deflation-and-inflation-on-arm64.patch
+virtio-mmio-fix-memory-leak-of-vm_dev.patch
diff --git a/queue-4.19/virtio-mmio-fix-memory-leak-of-vm_dev.patch b/queue-4.19/virtio-mmio-fix-memory-leak-of-vm_dev.patch
new file mode 100644 (file)
index 0000000..e20eb9f
--- /dev/null
@@ -0,0 +1,86 @@
+From fab7f259227b8f70aa6d54e1de1a1f5f4729041c Mon Sep 17 00:00:00 2001
+From: Maximilian Heyne <mheyne@amazon.de>
+Date: Mon, 11 Sep 2023 09:03:29 +0000
+Subject: virtio-mmio: fix memory leak of vm_dev
+
+From: Maximilian Heyne <mheyne@amazon.de>
+
+commit fab7f259227b8f70aa6d54e1de1a1f5f4729041c upstream.
+
+With the recent removal of vm_dev from devres its memory is only freed
+via the callback virtio_mmio_release_dev. However, this only takes
+effect after device_add is called by register_virtio_device. Until then
+it's an unmanaged resource and must be explicitly freed on error exit.
+
+This bug was discovered and resolved using Coverity Static Analysis
+Security Testing (SAST) by Synopsys, Inc.
+
+Cc: stable@vger.kernel.org
+Fixes: 55c91fedd03d ("virtio-mmio: don't break lifecycle of vm_dev")
+Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Tested-by: Catalin Marinas <catalin.marinas@arm.com>
+Reviewed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+Message-Id: <20230911090328.40538-1-mheyne@amazon.de>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+---
+ drivers/virtio/virtio_mmio.c |   19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/drivers/virtio/virtio_mmio.c
++++ b/drivers/virtio/virtio_mmio.c
+@@ -561,14 +561,17 @@ static int virtio_mmio_probe(struct plat
+       spin_lock_init(&vm_dev->lock);
+       vm_dev->base = devm_platform_ioremap_resource(pdev, 0);
+-      if (IS_ERR(vm_dev->base))
+-              return PTR_ERR(vm_dev->base);
++      if (IS_ERR(vm_dev->base)) {
++              rc = PTR_ERR(vm_dev->base);
++              goto free_vm_dev;
++      }
+       /* Check magic value */
+       magic = readl(vm_dev->base + VIRTIO_MMIO_MAGIC_VALUE);
+       if (magic != ('v' | 'i' << 8 | 'r' << 16 | 't' << 24)) {
+               dev_warn(&pdev->dev, "Wrong magic value 0x%08lx!\n", magic);
+-              return -ENODEV;
++              rc = -ENODEV;
++              goto free_vm_dev;
+       }
+       /* Check device version */
+@@ -576,7 +579,8 @@ static int virtio_mmio_probe(struct plat
+       if (vm_dev->version < 1 || vm_dev->version > 2) {
+               dev_err(&pdev->dev, "Version %ld not supported!\n",
+                               vm_dev->version);
+-              return -ENXIO;
++              rc = -ENXIO;
++              goto free_vm_dev;
+       }
+       vm_dev->vdev.id.device = readl(vm_dev->base + VIRTIO_MMIO_DEVICE_ID);
+@@ -585,7 +589,8 @@ static int virtio_mmio_probe(struct plat
+                * virtio-mmio device with an ID 0 is a (dummy) placeholder
+                * with no function. End probing now with no error reported.
+                */
+-              return -ENODEV;
++              rc = -ENODEV;
++              goto free_vm_dev;
+       }
+       vm_dev->vdev.id.vendor = readl(vm_dev->base + VIRTIO_MMIO_VENDOR_ID);
+@@ -615,6 +620,10 @@ static int virtio_mmio_probe(struct plat
+               put_device(&vm_dev->vdev.dev);
+       return rc;
++
++free_vm_dev:
++      kfree(vm_dev);
++      return rc;
+ }
+ static int virtio_mmio_remove(struct platform_device *pdev)
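Review bot: The new `free_vm_dev` label has no comment saying it is valid only for failures that occur before `register_virtio_device()`, which is the invariant the whole fix depends on. Per the commit message, vm_dev is released through `virtio_mmio_release_dev` once the device is registered, and the existing `put_device(&vm_dev->vdev.dev)` path above the label relies on that. A future error path that jumps to the label from after registration would therefore free the same object twice. I would add `/* Only reached before register_virtio_device(); after that put_device() frees vm_dev via the release callback. */` directly above the label. The body of virtio_mmio_probe starts before these hunks and continues between them, so any early `return` in the lines not shown should be checked for the same leak.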
diff --git a/queue-4.19/virtio_balloon-fix-endless-deflation-and-inflation-on-arm64.patch b/queue-4.19/virtio_balloon-fix-endless-deflation-and-inflation-on-arm64.patch
new file mode 100644 (file)
index 0000000..f88043c
--- /dev/null
@@ -0,0 +1,97 @@
+From 07622bd415639e9709579f400afd19e7e9866e5e Mon Sep 17 00:00:00 2001
+From: Gavin Shan <gshan@redhat.com>
+Date: Thu, 31 Aug 2023 11:10:07 +1000
+Subject: virtio_balloon: Fix endless deflation and inflation on arm64
+
+From: Gavin Shan <gshan@redhat.com>
+
+commit 07622bd415639e9709579f400afd19e7e9866e5e upstream.
+
+The deflation request to the target, which isn't unaligned to the
+guest page size causes endless deflation and inflation actions. For
+example, we receive the flooding QMP events for the changes on memory
+balloon's size after a deflation request to the unaligned target is
+sent for the ARM64 guest, where we have 64KB base page size.
+
+  /home/gavin/sandbox/qemu.main/build/qemu-system-aarch64      \
+  -accel kvm -machine virt,gic-version=host -cpu host          \
+  -smp maxcpus=8,cpus=8,sockets=2,clusters=2,cores=2,threads=1 \
+  -m 1024M,slots=16,maxmem=64G                                 \
+  -object memory-backend-ram,id=mem0,size=512M                 \
+  -object memory-backend-ram,id=mem1,size=512M                 \
+  -numa node,nodeid=0,memdev=mem0,cpus=0-3                     \
+  -numa node,nodeid=1,memdev=mem1,cpus=4-7                     \
+    :                                                          \
+  -device virtio-balloon-pci,id=balloon0,bus=pcie.10
+
+  { "execute" : "balloon", "arguments": { "value" : 1073672192 } }
+  {"return": {}}
+  {"timestamp": {"seconds": 1693272173, "microseconds": 88667},   \
+   "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
+  {"timestamp": {"seconds": 1693272174, "microseconds": 89704},   \
+   "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
+  {"timestamp": {"seconds": 1693272175, "microseconds": 90819},   \
+   "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
+  {"timestamp": {"seconds": 1693272176, "microseconds": 91961},   \
+   "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
+  {"timestamp": {"seconds": 1693272177, "microseconds": 93040},   \
+   "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}}
+  {"timestamp": {"seconds": 1693272178, "microseconds": 94117},   \
+   "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}}
+  {"timestamp": {"seconds": 1693272179, "microseconds": 95337},   \
+   "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
+  {"timestamp": {"seconds": 1693272180, "microseconds": 96615},   \
+   "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}}
+  {"timestamp": {"seconds": 1693272181, "microseconds": 97626},   \
+   "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
+  {"timestamp": {"seconds": 1693272182, "microseconds": 98693},   \
+   "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}}
+  {"timestamp": {"seconds": 1693272183, "microseconds": 99698},   \
+   "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
+  {"timestamp": {"seconds": 1693272184, "microseconds": 100727},  \
+   "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
+  {"timestamp": {"seconds": 1693272185, "microseconds": 90430},   \
+   "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
+  {"timestamp": {"seconds": 1693272186, "microseconds": 102999},  \
+   "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}}
+     :
+  <The similar QMP events repeat>
+
+Fix it by aligning the target up to the guest page size, 64KB in this
+specific case. With this applied, no flooding QMP events are observed
+and the memory balloon's size can be stablizied to 0x3ffe0000 soon
+after the deflation request is sent.
+
+  { "execute" : "balloon", "arguments": { "value" : 1073672192 } }
+  {"return": {}}
+  {"timestamp": {"seconds": 1693273328, "microseconds": 793075},  \
+   "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
+  { "execute" : "query-balloon" }
+  {"return": {"actual": 1073610752}}
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gavin Shan <gshan@redhat.com>
+Tested-by: Zhenyu Zhang <zhenyzha@redhat.com>
+Message-Id: <20230831011007.1032822-1-gshan@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/virtio/virtio_balloon.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/virtio/virtio_balloon.c
++++ b/drivers/virtio/virtio_balloon.c
+@@ -345,7 +345,11 @@ static inline s64 towards_target(struct
+       if (!virtio_has_feature(vb->vdev, VIRTIO_F_VERSION_1))
+               num_pages = le32_to_cpu((__force __le32)num_pages);
+-      target = num_pages;
++      /*
++       * Aligned up to guest page size to avoid inflating and deflating
++       * balloon endlessly.
++       */
++      target = ALIGN(num_pages, VIRTIO_BALLOON_PAGES_PER_PAGE);
+       return target - vb->num_pages;
+ }
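Review bot: The round-up on the `target = ALIGN(num_pages, VIRTIO_BALLOON_PAGES_PER_PAGE);` line is computed in the type of `num_pages`, which looks like a 32-bit value (it passes through `le32_to_cpu` just above; its declaration is outside the hunk). If that is right, a requested count within one guest page of the 32-bit maximum wraps to 0 before it is widened into `target`, and the guest would treat that as a request to deflate completely. The value is set from the host side (the commit message drives it with a QMP `balloon` command), so it should be treated as untrusted input and widened before aligning: `target = ALIGN((s64)num_pages, VIRTIO_BALLOON_PAGES_PER_PAGE);`. The added comment could also name the unit being aligned, for example `/* Round the target (in balloon pages) up to a whole guest page ... */`.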