From: Greg Kroah-Hartman
Date: Fri, 27 Oct 2023 15:14:45 +0000 (+0200)
Subject: 5.15-stable patches
X-Git-Tag: v6.1.61~72
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5e612409e2431e129faf7ce0439af71f1a0e5863;p=thirdparty%2Fkernel%2Fstable-queue.git

5.15-stable patches
added patches:
drm-amd-disable-aspm-for-vi-w-all-intel-systems.patch
drm-i915-pmu-check-if-pmu-is-closed-before-stopping-event.patch
mm-migrate-fix-do_pages_move-for-compat-pointers.patch
mm-page_alloc-correct-start-page-when-guard-page-debug-is-enabled.patch
nfsd-lock_rename-needs-both-directories-to-live-on-the-same-fs.patch
vhost-allow-null-msg.size-on-vhost_iotlb_invalidate.patch
virtio-mmio-fix-memory-leak-of-vm_dev.patch
virtio_balloon-fix-endless-deflation-and-inflation-on-arm64.patch
---
diff --git a/queue-5.15/drm-amd-disable-aspm-for-vi-w-all-intel-systems.patch b/queue-5.15/drm-amd-disable-aspm-for-vi-w-all-intel-systems.patch
new file mode 100644
index 00000000000..f802fac7c38
--- /dev/null
+++ b/queue-5.15/drm-amd-disable-aspm-for-vi-w-all-intel-systems.patch
@@ -0,0 +1,39 @@
+From 64ffd2f1d00c6235dabe9704bbb0d9ce3e28147f Mon Sep 17 00:00:00 2001
+From: Mario Limonciello
+Date: Fri, 20 Oct 2023 10:26:29 -0500
+Subject: drm/amd: Disable ASPM for VI w/ all Intel systems
+
+From: Mario Limonciello
+
+commit 64ffd2f1d00c6235dabe9704bbb0d9ce3e28147f upstream.
+
+Originally we were quirking ASPM disabled specifically for VI when
+used with Alder Lake, but it appears to have problems with Rocket
+Lake as well.
+
+Like we've done in the case of dpm for newer platforms, disable
+ASPM for all Intel systems.
+
+Cc: stable@vger.kernel.org # 5.15+
+Fixes: 0064b0ce85bb ("drm/amd/pm: enable ASPM by default")
+Reported-and-tested-by: Paolo Gentili
+Closes: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2036742
+Signed-off-by: Mario Limonciello
+Reviewed-by: Alex Deucher
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/vi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/vi.c
++++ b/drivers/gpu/drm/amd/amdgpu/vi.c
+@@ -1147,7 +1147,7 @@ static void vi_program_aspm(struct amdgp
+ bool bL1SS = false;
+ bool bClkReqSupport = true;
+
+- if (!amdgpu_device_should_use_aspm(adev) || !amdgpu_device_aspm_support_quirk())
++ if (!amdgpu_device_should_use_aspm(adev) || !amdgpu_device_pcie_dynamic_switching_supported())
+ return;
+
+ if (adev->flags & AMD_IS_APU ||
diff --git a/queue-5.15/drm-i915-pmu-check-if-pmu-is-closed-before-stopping-event.patch b/queue-5.15/drm-i915-pmu-check-if-pmu-is-closed-before-stopping-event.patch
new file mode 100644
index 00000000000..736990ab4ea
--- /dev/null
+++ b/queue-5.15/drm-i915-pmu-check-if-pmu-is-closed-before-stopping-event.patch
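Review bot: The rewritten condition in vi.c's `vi_program_aspm()` calls `amdgpu_device_pcie_dynamic_switching_supported()`, which this patch does not add, so the 5.15 queue has to carry the commit that introduces that helper ahead of this one or the build breaks. Nothing in the hunk shows whether `amdgpu_device_aspm_support_quirk()` keeps another caller after this change; if it does not, it is left as dead code in the backport. The new helper's name no longer says why ASPM is skipped, so a comment above the check such as `/* VI: ASPM is left off on all Intel hosts (Alder Lake and Rocket Lake showed problems) */` would keep the reason from the commit message next to the code. The function body continues outside the hunk.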
@@ -0,0 +1,59 @@
+From 4cbed7702eb775cca22fff6827a549092cb59f61 Mon Sep 17 00:00:00 2001
+From: Umesh Nerlige Ramappa
+Date: Fri, 20 Oct 2023 08:24:41 -0700
+Subject: drm/i915/pmu: Check if pmu is closed before stopping event
+
+From: Umesh Nerlige Ramappa
+
+commit 4cbed7702eb775cca22fff6827a549092cb59f61 upstream.
+
+When the driver unbinds, pmu is unregistered and i915->uabi_engines is
+set to RB_ROOT. Due to this, when i915 PMU tries to stop the engine
+events, it issues a warn_on because engine lookup fails.
+
+All perf hooks are taking care of this using a pmu->closed flag that is
+set when PMU unregisters. The stop event seems to have been left out.
+
+Check for pmu->closed in pmu_event_stop as well.
+
+Based on discussion here -
+https://patchwork.freedesktop.org/patch/492079/?series=105790&rev=2
+
+v2: s/is/if/ in commit title
+v3: Add fixes tag and cc stable
+
+Cc: # v5.11+
+Fixes: b00bccb3f0bb ("drm/i915/pmu: Handle PCI unbind")
+Signed-off-by: Umesh Nerlige Ramappa
+Reviewed-by: Tvrtko Ursulin
+Reviewed-by: Andi Shyti
+Signed-off-by: Andi Shyti
+Link: https://patchwork.freedesktop.org/patch/msgid/20231020152441.3764850-1-umesh.nerlige.ramappa@intel.com
+(cherry picked from commit 31f6a06f0c543b43a38fab10f39e5fc45ad62aa2)
+Signed-off-by: Rodrigo Vivi
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/i915/i915_pmu.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/gpu/drm/i915/i915_pmu.c
++++ b/drivers/gpu/drm/i915/i915_pmu.c
+@@ -761,9 +761,18 @@ static void i915_pmu_event_start(struct
+
+ static void i915_pmu_event_stop(struct perf_event *event, int flags)
+ {
++ struct drm_i915_private *i915 =
++ container_of(event->pmu, typeof(*i915), pmu.base);
++ struct i915_pmu *pmu = &i915->pmu;
++
++ if (pmu->closed)
++ goto out;
++
+ if (flags & PERF_EF_UPDATE)
+ i915_pmu_event_read(event);
+ i915_pmu_disable(event);
++
++out:
+ event->hw.state = PERF_HES_STOPPED;
+ }
+
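Review bot: The new `if (pmu->closed) goto out;` in `i915_pmu_event_stop()` is a plain, unlocked read, so an unbind that sets the flag right after the check can still reach `i915_pmu_disable(event)` and the failing engine lookup the commit message describes. Whether that window matters depends on how the unregister path publishes `closed` and waits for in-flight hooks, which is outside this hunk. Since the early exit also skips the final `i915_pmu_event_read()`, a comment above the check such as `/* PMU already unregistered: engine lookups are invalid, only mark the event stopped */` would record both the invariant and the intentional loss of the last sample.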
diff --git a/queue-5.15/mm-migrate-fix-do_pages_move-for-compat-pointers.patch b/queue-5.15/mm-migrate-fix-do_pages_move-for-compat-pointers.patch
new file mode 100644
index 00000000000..7ca3d9fb3b4
--- /dev/null
+++ b/queue-5.15/mm-migrate-fix-do_pages_move-for-compat-pointers.patch
@@ -0,0 +1,74 @@
+From 229e2253766c7cdfe024f1fe280020cc4711087c Mon Sep 17 00:00:00 2001
+From: Gregory Price
+Date: Tue, 3 Oct 2023 10:48:56 -0400
+Subject: mm/migrate: fix do_pages_move for compat pointers
+
+From: Gregory Price
+
+commit 229e2253766c7cdfe024f1fe280020cc4711087c upstream.
+
+do_pages_move does not handle compat pointers for the page list.
+correctly. Add in_compat_syscall check and appropriate get_user fetch
+when iterating the page list.
+
+It makes the syscall in compat mode (32-bit userspace, 64-bit kernel)
+work the same way as the native 32-bit syscall again, restoring the
+behavior before my broken commit 5b1b561ba73c ("mm: simplify
+compat_sys_move_pages").
+
+More specifically, my patch moved the parsing of the 'pages' array from
+the main entry point into do_pages_stat(), which left the syscall
+working correctly for the 'stat' operation (nodes = NULL), while the
+'move' operation (nodes != NULL) is now missing the conversion and
+interprets 'pages' as an array of 64-bit pointers instead of the
+intended 32-bit userspace pointers.
+
+It is possible that nobody noticed this bug because the few
+applications that actually call move_pages are unlikely to run in
+compat mode because of their large memory requirements, but this
+clearly fixes a user-visible regression and should have been caught by
+ltp.
+
+Link: https://lkml.kernel.org/r/20231003144857.752952-1-gregory.price@memverge.com
+Fixes: 5b1b561ba73c ("mm: simplify compat_sys_move_pages")
+Signed-off-by: Gregory Price
+Reported-by: Arnd Bergmann
+Co-developed-by: Arnd Bergmann
+Cc: Jonathan Cameron
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/migrate.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/mm/migrate.c
++++ b/mm/migrate.c
+@@ -1788,6 +1788,7 @@ static int do_pages_move(struct mm_struc
+ const int __user *nodes,
+ int __user *status, int flags)
+ {
++ compat_uptr_t __user *compat_pages = (void __user *)pages;
+ int current_node = NUMA_NO_NODE;
+ LIST_HEAD(pagelist);
+ int start, i;
+@@ -1801,8 +1802,17 @@ static int do_pages_move(struct mm_struc
+ int node;
+
+ err = -EFAULT;
+- if (get_user(p, pages + i))
+- goto out_flush;
++ if (in_compat_syscall()) {
++ compat_uptr_t cp;
++
++ if (get_user(cp, compat_pages + i))
++ goto out_flush;
++
++ p = compat_ptr(cp);
++ } else {
++ if (get_user(p, pages + i))
++ goto out_flush;
++ }
+ if (get_user(node, nodes + i))
+ goto out_flush;
+ addr = (unsigned long)untagged_addr(p);
diff --git a/queue-5.15/mm-page_alloc-correct-start-page-when-guard-page-debug-is-enabled.patch b/queue-5.15/mm-page_alloc-correct-start-page-when-guard-page-debug-is-enabled.patch
new file mode 100644
index 00000000000..fbf00d63be2
--- /dev/null
+++ b/queue-5.15/mm-page_alloc-correct-start-page-when-guard-page-debug-is-enabled.patch
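Review bot: `in_compat_syscall()` is re-evaluated on every pass of the page loop in `do_pages_move()` (second hunk of the mm/migrate.c patch) although it cannot change within one syscall; reading it once next to the new `compat_pages` declaration, `const bool compat = in_compat_syscall();`, and testing `compat` in the loop would leave only the two `get_user()` calls on the per-page path. The cast `(void __user *)pages` also hides that the same user buffer is read with two different element sizes, so a comment on the declaration such as `/* compat callers pass an array of 32-bit user pointers */` would make the stride difference explicit. Both hunks show only part of the function.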
@@ -0,0 +1,63 @@
+From 61e21cf2d2c3cc5e60e8d0a62a77e250fccda62c Mon Sep 17 00:00:00 2001
+From: Kemeng Shi
+Date: Wed, 27 Sep 2023 17:44:01 +0800
+Subject: mm/page_alloc: correct start page when guard page debug is enabled
+
+From: Kemeng Shi
+
+commit 61e21cf2d2c3cc5e60e8d0a62a77e250fccda62c upstream.
+
+When guard page debug is enabled and set_page_guard returns success, we
+miss to forward page to point to start of next split range and we will do
+split unexpectedly in page range without target page. Move start page
+update before set_page_guard to fix this.
+
+As we split to wrong target page, then splited pages are not able to merge
+back to original order when target page is put back and splited pages
+except target page is not usable. To be specific:
+
+Consider target page is the third page in buddy page with order 2.
+| buddy-2 | Page | Target | Page |
+
+After break down to target page, we will only set first page to Guard
+because of bug.
+| Guard | Page | Target | Page |
+
+When we try put_page_back_buddy with target page, the buddy page of target
+if neither guard nor buddy, Then it's not able to construct original page
+with order 2
+| Guard | Page | buddy-0 | Page |
+
+All pages except target page is not in free list and is not usable.
+
+Link: https://lkml.kernel.org/r/20230927094401.68205-1-shikemeng@huaweicloud.com
+Fixes: 06be6ff3d2ec ("mm,hwpoison: rework soft offline for free pages")
+Signed-off-by: Kemeng Shi
+Acked-by: Naoya Horiguchi
+Cc: Matthew Wilcox (Oracle)
+Cc: Oscar Salvador
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/page_alloc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -9481,6 +9481,7 @@ static void break_down_buddy_pages(struc
+ next_page = page;
+ current_buddy = page + size;
+ }
++ page = next_page;
+
+ if (set_page_guard(zone, current_buddy, high, migratetype))
+ continue;
+@@ -9488,7 +9489,6 @@ static void break_down_buddy_pages(struc
+ if (current_buddy != target) {
+ add_to_free_list(current_buddy, zone, high, migratetype);
+ set_buddy_order(current_buddy, high);
+- page = next_page;
+ }
+ }
+ }
diff --git a/queue-5.15/nfsd-lock_rename-needs-both-directories-to-live-on-the-same-fs.patch b/queue-5.15/nfsd-lock_rename-needs-both-directories-to-live-on-the-same-fs.patch
new file mode 100644
index 00000000000..081133d6db9
--- /dev/null
+++ b/queue-5.15/nfsd-lock_rename-needs-both-directories-to-live-on-the-same-fs.patch
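Review bot: The moved `page = next_page;` in `break_down_buddy_pages()` now has to stay above the `set_page_guard()` check for the loop to be correct, but nothing in the code says so, and the `continue` right below it is exactly what skipped the update before. A comment on the new line, for example `/* advance before the guard-page 'continue', or the next split starts in the half without the target */`, would stop a later cleanup from sinking the assignment back into the `current_buddy != target` branch. The loop header and the start of the function are outside both hunks.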
@@ -0,0 +1,51 @@
+From 1aee9158bc978f91701c5992e395efbc6da2de3c Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Sat, 14 Oct 2023 21:34:40 -0400
+Subject: nfsd: lock_rename() needs both directories to live on the same fs
+
+From: Al Viro
+
+commit 1aee9158bc978f91701c5992e395efbc6da2de3c upstream.
+
+... checking that after lock_rename() is too late. Incidentally,
+NFSv2 had no nfserr_xdev...
+
+Fixes: aa387d6ce153 "nfsd: fix EXDEV checking in rename"
+Cc: stable@vger.kernel.org # v3.9+
+Reviewed-by: Jeff Layton
+Acked-by: Chuck Lever
+Tested-by: Jeff Layton
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/vfs.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -1762,6 +1762,12 @@ nfsd_rename(struct svc_rqst *rqstp, stru
+ if (!flen || isdotent(fname, flen) || !tlen || isdotent(tname, tlen))
+ goto out;
+
++ err = (rqstp->rq_vers == 2) ? nfserr_acces : nfserr_xdev;
++ if (ffhp->fh_export->ex_path.mnt != tfhp->fh_export->ex_path.mnt)
++ goto out;
++ if (ffhp->fh_export->ex_path.dentry != tfhp->fh_export->ex_path.dentry)
++ goto out;
++
+ retry:
+ host_err = fh_want_write(ffhp);
+ if (host_err) {
+@@ -1796,12 +1802,6 @@ retry:
+ if (ndentry == trap)
+ goto out_dput_new;
+
+- host_err = -EXDEV;
+- if (ffhp->fh_export->ex_path.mnt != tfhp->fh_export->ex_path.mnt)
+- goto out_dput_new;
+- if (ffhp->fh_export->ex_path.dentry != tfhp->fh_export->ex_path.dentry)
+- goto out_dput_new;
+-
+ if ((ndentry->d_sb->s_export_op->flags & EXPORT_OP_CLOSE_BEFORE_UNLINK) &&
+ nfsd_has_cached_files(ndentry)) {
+ close_cached = true;
diff --git a/queue-5.15/series b/queue-5.15/series
index adb2cef6ae9..dcada519ed0 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
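Review bot: The added `err = (rqstp->rq_vers == 2) ? nfserr_acces : nfserr_xdev;` in `nfsd_rename()` encodes a protocol rule in a bare `2` with no explanation in the code; a comment such as `/* NFSv2 has no nfserr_xdev, so cross-export renames are reported as nfserr_acces there */` above it would carry over what the commit message only hints at. The line also leaves `err` preloaded with the cross-device status when both export checks pass, so the code after `retry:` has to overwrite it on every path that reaches `out`; those assignments are outside the hunk and worth confirming in the 5.15 tree. The same applies to the `fh_export` dereferences, which rely on both file handles having been verified earlier in the function.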
@@ -20,3 +20,11 @@ tcp-cleanup-tcp_remove_empty_skb-use.patch
 mptcp-more-conservative-check-for-zero-probes.patch
 mcb-return-actual-parsed-size-when-reading-chameleon.patch
 mcb-lpc-reallocate-memory-region-to-avoid-memory-ove.patch
+virtio_balloon-fix-endless-deflation-and-inflation-on-arm64.patch
+virtio-mmio-fix-memory-leak-of-vm_dev.patch
+vhost-allow-null-msg.size-on-vhost_iotlb_invalidate.patch
+mm-page_alloc-correct-start-page-when-guard-page-debug-is-enabled.patch
+mm-migrate-fix-do_pages_move-for-compat-pointers.patch
+nfsd-lock_rename-needs-both-directories-to-live-on-the-same-fs.patch
+drm-i915-pmu-check-if-pmu-is-closed-before-stopping-event.patch
+drm-amd-disable-aspm-for-vi-w-all-intel-systems.patch
diff --git a/queue-5.15/vhost-allow-null-msg.size-on-vhost_iotlb_invalidate.patch b/queue-5.15/vhost-allow-null-msg.size-on-vhost_iotlb_invalidate.patch
new file mode 100644
index 00000000000..d23b6e60e43
--- /dev/null
+++ b/queue-5.15/vhost-allow-null-msg.size-on-vhost_iotlb_invalidate.patch
@@ -0,0 +1,49 @@
+From ca50ec377c2e94b0a9f8735de2856cd0f13beab4 Mon Sep 17 00:00:00 2001
+From: Eric Auger
+Date: Wed, 27 Sep 2023 16:05:44 +0200
+Subject: vhost: Allow null msg.size on VHOST_IOTLB_INVALIDATE
+
+From: Eric Auger
+
+commit ca50ec377c2e94b0a9f8735de2856cd0f13beab4 upstream.
+
+Commit e2ae38cf3d91 ("vhost: fix hung thread due to erroneous iotlb
+entries") Forbade vhost iotlb msg with null size to prevent entries
+with size = start = 0 and last = ULONG_MAX to end up in the iotlb.
+
+Then commit 95932ab2ea07 ("vhost: allow batching hint without size")
+only applied the check for VHOST_IOTLB_UPDATE and VHOST_IOTLB_INVALIDATE
+message types to fix a regression observed with batching hit.
+
+Still, the introduction of that check introduced a regression for
+some users attempting to invalidate the whole ULONG_MAX range by
+setting the size to 0. This is the case with qemu/smmuv3/vhost
+integration which does not work anymore. It Looks safe to partially
+revert the original commit and allow VHOST_IOTLB_INVALIDATE messages
+with null size. vhost_iotlb_del_range() will compute a correct end
+iova. Same for vhost_vdpa_iotlb_unmap().
+
+Signed-off-by: Eric Auger
+Fixes: e2ae38cf3d91 ("vhost: fix hung thread due to erroneous iotlb entries")
+Cc: stable@vger.kernel.org # v5.17+
+Acked-by: Jason Wang
+Message-Id: <20230927140544.205088-1-eric.auger@redhat.com>
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/vhost/vhost.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -1171,9 +1171,7 @@ ssize_t vhost_chr_write_iter(struct vhos
+ goto done;
+ }
+
+- if ((msg.type == VHOST_IOTLB_UPDATE ||
+- msg.type == VHOST_IOTLB_INVALIDATE) &&
+- msg.size == 0) {
++ if (msg.type == VHOST_IOTLB_UPDATE && msg.size == 0) {
+ ret = -EINVAL;
+ goto done;
+ }
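Review bot: Relaxing the check in `vhost_chr_write_iter()` lets a userspace-supplied `VHOST_IOTLB_INVALIDATE` with `msg.size == 0` through to the invalidate handlers, and the patch is tagged `# v5.17+` while being queued for 5.15, so the claim that `vhost_iotlb_del_range()` and `vhost_vdpa_iotlb_unmap()` "compute a correct end iova" needs to be re-checked against the 5.15 versions of those functions rather than assumed from upstream. The case to look at is a zero size with a non-zero iova, where an end computed from start and size would presumably land below the start; none of that code is visible in this hunk. A comment on the remaining check, e.g. `/* size 0 is only rejected for UPDATE; INVALIDATE uses it to drop the whole range */`, would document why the two message types are treated differently.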
diff --git a/queue-5.15/virtio-mmio-fix-memory-leak-of-vm_dev.patch b/queue-5.15/virtio-mmio-fix-memory-leak-of-vm_dev.patch
new file mode 100644
index 00000000000..03ab815d19f
--- /dev/null
+++ b/queue-5.15/virtio-mmio-fix-memory-leak-of-vm_dev.patch
@@ -0,0 +1,86 @@
+From fab7f259227b8f70aa6d54e1de1a1f5f4729041c Mon Sep 17 00:00:00 2001
+From: Maximilian Heyne
+Date: Mon, 11 Sep 2023 09:03:29 +0000
+Subject: virtio-mmio: fix memory leak of vm_dev
+
+From: Maximilian Heyne
+
+commit fab7f259227b8f70aa6d54e1de1a1f5f4729041c upstream.
+
+With the recent removal of vm_dev from devres its memory is only freed
+via the callback virtio_mmio_release_dev. However, this only takes
+effect after device_add is called by register_virtio_device. Until then
+it's an unmanaged resource and must be explicitly freed on error exit.
+
+This bug was discovered and resolved using Coverity Static Analysis
+Security Testing (SAST) by Synopsys, Inc.
+
+Cc: stable@vger.kernel.org
+Fixes: 55c91fedd03d ("virtio-mmio: don't break lifecycle of vm_dev")
+Signed-off-by: Maximilian Heyne
+Reviewed-by: Catalin Marinas
+Tested-by: Catalin Marinas
+Reviewed-by: Xuan Zhuo
+Signed-off-by: Greg Kroah-Hartman
+
+Message-Id: <20230911090328.40538-1-mheyne@amazon.de>
+Signed-off-by: Michael S. Tsirkin
+Reviewed-by: Wolfram Sang
+---
+ drivers/virtio/virtio_mmio.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/drivers/virtio/virtio_mmio.c
++++ b/drivers/virtio/virtio_mmio.c
+@@ -596,14 +596,17 @@ static int virtio_mmio_probe(struct plat
+ spin_lock_init(&vm_dev->lock);
+
+ vm_dev->base = devm_platform_ioremap_resource(pdev, 0);
+- if (IS_ERR(vm_dev->base))
+- return PTR_ERR(vm_dev->base);
++ if (IS_ERR(vm_dev->base)) {
++ rc = PTR_ERR(vm_dev->base);
++ goto free_vm_dev;
++ }
+
+ /* Check magic value */
+ magic = readl(vm_dev->base + VIRTIO_MMIO_MAGIC_VALUE);
+ if (magic != ('v' | 'i' << 8 | 'r' << 16 | 't' << 24)) {
+ dev_warn(&pdev->dev, "Wrong magic value 0x%08lx!\n", magic);
+- return -ENODEV;
++ rc = -ENODEV;
++ goto free_vm_dev;
+ }
+
+ /* Check device version */
+@@ -611,7 +614,8 @@ static int virtio_mmio_probe(struct plat
+ if (vm_dev->version < 1 || vm_dev->version > 2) {
+ dev_err(&pdev->dev, "Version %ld not supported!\n",
+ vm_dev->version);
+- return -ENXIO;
++ rc = -ENXIO;
++ goto free_vm_dev;
+ }
+
+ vm_dev->vdev.id.device = readl(vm_dev->base + VIRTIO_MMIO_DEVICE_ID);
+@@ -620,7 +624,8 @@ static int virtio_mmio_probe(struct plat
+ * virtio-mmio device with an ID 0 is a (dummy) placeholder
+ * with no function. End probing now with no error reported.
+ */
+- return -ENODEV;
++ rc = -ENODEV;
++ goto free_vm_dev;
+ }
+ vm_dev->vdev.id.vendor = readl(vm_dev->base + VIRTIO_MMIO_VENDOR_ID);
+
+@@ -650,6 +655,10 @@ static int virtio_mmio_probe(struct plat
+ put_device(&vm_dev->vdev.dev);
+
+ return rc;
++
++free_vm_dev:
++ kfree(vm_dev);
++ return rc;
+ }
+
+ static int virtio_mmio_remove(struct platform_device *pdev)
diff --git a/queue-5.15/virtio_balloon-fix-endless-deflation-and-inflation-on-arm64.patch b/queue-5.15/virtio_balloon-fix-endless-deflation-and-inflation-on-arm64.patch
new file mode 100644
index 00000000000..895eb8fc2a6
--- /dev/null
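Review bot: `virtio_mmio_probe()` now ends in two different release paths, `put_device(&vm_dev->vdev.dev)` just above the new label and `kfree(vm_dev)` at `free_vm_dev:`, and the code does not say which one is valid when; a later error exit added after `register_virtio_device()` that jumps to the wrong one would turn into a double free or a leak. A comment at the label such as `/* only before register_virtio_device(): the release callback is not armed yet, so free directly */` would pin that down. It is also worth confirming in the 5.15 tree that nothing stores `vm_dev` (for example as driver data) before the four early exits, since that would leave a dangling pointer after the `kfree()`; the lines between the hunks are not shown here.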
+++ b/queue-5.15/virtio_balloon-fix-endless-deflation-and-inflation-on-arm64.patch 
@@ -0,0 +1,97 @@
+From 07622bd415639e9709579f400afd19e7e9866e5e Mon Sep 17 00:00:00 2001
+From: Gavin Shan
+Date: Thu, 31 Aug 2023 11:10:07 +1000
+Subject: virtio_balloon: Fix endless deflation and inflation on arm64
+
+From: Gavin Shan
+
+commit 07622bd415639e9709579f400afd19e7e9866e5e upstream.
+
+The deflation request to the target, which isn't unaligned to the
+guest page size causes endless deflation and inflation actions. For
+example, we receive the flooding QMP events for the changes on memory
+balloon's size after a deflation request to the unaligned target is
+sent for the ARM64 guest, where we have 64KB base page size.
+
+ /home/gavin/sandbox/qemu.main/build/qemu-system-aarch64 \
+ -accel kvm -machine virt,gic-version=host -cpu host \
+ -smp maxcpus=8,cpus=8,sockets=2,clusters=2,cores=2,threads=1 \
+ -m 1024M,slots=16,maxmem=64G \
+ -object memory-backend-ram,id=mem0,size=512M \
+ -object memory-backend-ram,id=mem1,size=512M \
+ -numa node,nodeid=0,memdev=mem0,cpus=0-3 \
+ -numa node,nodeid=1,memdev=mem1,cpus=4-7 \
+ : \
+ -device virtio-balloon-pci,id=balloon0,bus=pcie.10
+
+ { "execute" : "balloon", "arguments": { "value" : 1073672192 } }
+ {"return": {}}
+ {"timestamp": {"seconds": 1693272173, "microseconds": 88667}, \
+ "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
+ {"timestamp": {"seconds": 1693272174, "microseconds": 89704}, \
+ "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
+ {"timestamp": {"seconds": 1693272175, "microseconds": 90819}, \
+ "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
+ {"timestamp": {"seconds": 1693272176, "microseconds": 91961}, \
+ "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
+ {"timestamp": {"seconds": 1693272177, "microseconds": 93040}, \
+ "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}}
+ {"timestamp": {"seconds": 1693272178, "microseconds": 94117}, \
+ "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}}
+ {"timestamp": {"seconds": 1693272179, "microseconds": 95337}, \
+ "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
+ {"timestamp": {"seconds": 1693272180, "microseconds": 96615}, \
+ "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}}
+ {"timestamp": {"seconds": 1693272181, "microseconds": 97626}, \
+ "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
+ {"timestamp": {"seconds": 1693272182, "microseconds": 98693}, \
+ "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}}
+ {"timestamp": {"seconds": 1693272183, "microseconds": 99698}, \
+ "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
+ {"timestamp": {"seconds": 1693272184, "microseconds": 100727}, \
+ "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
+ {"timestamp": {"seconds": 1693272185, "microseconds": 90430}, \
+ "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
+ {"timestamp": {"seconds": 1693272186, "microseconds": 102999}, \
+ "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}}
+ :
+
+
+Fix it by aligning the target up to the guest page size, 64KB in this
+specific case. With this applied, no flooding QMP events are observed
+and the memory balloon's size can be stablizied to 0x3ffe0000 soon
+after the deflation request is sent.
+
+ { "execute" : "balloon", "arguments": { "value" : 1073672192 } }
+ {"return": {}}
+ {"timestamp": {"seconds": 1693273328, "microseconds": 793075}, \
+ "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
+ { "execute" : "query-balloon" }
+ {"return": {"actual": 1073610752}}
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gavin Shan
+Tested-by: Zhenyu Zhang
+Message-Id: <20230831011007.1032822-1-gshan@redhat.com>
+Signed-off-by: Michael S. Tsirkin
+Reviewed-by: David Hildenbrand
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/virtio/virtio_balloon.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/virtio/virtio_balloon.c
++++ b/drivers/virtio/virtio_balloon.c
+@@ -402,7 +402,11 @@ static inline s64 towards_target(struct
+ virtio_cread_le(vb->vdev, struct virtio_balloon_config, num_pages,
+ &num_pages);
+
+- target = num_pages;
++ /*
++ * Aligned up to guest page size to avoid inflating and deflating
++ * balloon endlessly.
++ */
++ target = ALIGN(num_pages, VIRTIO_BALLOON_PAGES_PER_PAGE);
+ return target - vb->num_pages;
+ }
+
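Review bot: `ALIGN(num_pages, VIRTIO_BALLOON_PAGES_PER_PAGE)` in `towards_target()` rounds up in the type of `num_pages`, and that value comes straight from the device config space via `virtio_cread_le()`. If `num_pages` is a 32-bit variable (its declaration is above the hunk), a device-supplied value within `VIRTIO_BALLOON_PAGES_PER_PAGE - 1` of the type maximum wraps to 0 and the guest is told to deflate completely instead of staying near the limit. Widening before the round-up, `target = ALIGN((s64)num_pages, VIRTIO_BALLOON_PAGES_PER_PAGE);`, keeps the arithmetic in the function's `s64` return type and removes the wrap.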