From: Greg Kroah-Hartman Date: Fri, 27 Oct 2023 15:14:36 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v6.1.61~73 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cb49c950553ff2f24b85036361783172c6629e39;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: mm-page_alloc-correct-start-page-when-guard-page-debug-is-enabled.patch mmc-renesas_sdhi-use-custom-mask-for-tmio_mask_all.patch virtio-mmio-fix-memory-leak-of-vm_dev.patch virtio_balloon-fix-endless-deflation-and-inflation-on-arm64.patch --- diff --git a/queue-5.10/mm-page_alloc-correct-start-page-when-guard-page-debug-is-enabled.patch b/queue-5.10/mm-page_alloc-correct-start-page-when-guard-page-debug-is-enabled.patch new file mode 100644 index 00000000000..9925008e7a4 --- /dev/null +++ b/queue-5.10/mm-page_alloc-correct-start-page-when-guard-page-debug-is-enabled.patch @@ -0,0 +1,63 @@ +From 61e21cf2d2c3cc5e60e8d0a62a77e250fccda62c Mon Sep 17 00:00:00 2001 +From: Kemeng Shi +Date: Wed, 27 Sep 2023 17:44:01 +0800 +Subject: mm/page_alloc: correct start page when guard page debug is enabled + +From: Kemeng Shi + +commit 61e21cf2d2c3cc5e60e8d0a62a77e250fccda62c upstream. + +When guard page debug is enabled and set_page_guard returns success, we +miss to forward page to point to start of next split range and we will do +split unexpectedly in page range without target page. Move start page +update before set_page_guard to fix this. + +As we split to wrong target page, then splited pages are not able to merge +back to original order when target page is put back and splited pages +except target page is not usable. To be specific: + +Consider target page is the third page in buddy page with order 2. +| buddy-2 | Page | Target | Page | + +After break down to target page, we will only set first page to Guard +because of bug. +| Guard | Page | Target | Page | + +When we try put_page_back_buddy with target page, the buddy page of target +if neither guard nor buddy, Then it's not able to construct original page +with order 2 +| Guard | Page | buddy-0 | Page | + +All pages except target page is not in free list and is not usable. + +Link: https://lkml.kernel.org/r/20230927094401.68205-1-shikemeng@huaweicloud.com +Fixes: 06be6ff3d2ec ("mm,hwpoison: rework soft offline for free pages") +Signed-off-by: Kemeng Shi +Acked-by: Naoya Horiguchi +Cc: Matthew Wilcox (Oracle) +Cc: Oscar Salvador +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/page_alloc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -8932,6 +8932,7 @@ static void break_down_buddy_pages(struc + next_page = page; + current_buddy = page + size; + } ++ page = next_page; + + if (set_page_guard(zone, current_buddy, high, migratetype)) + continue; +@@ -8939,7 +8940,6 @@ static void break_down_buddy_pages(struc + if (current_buddy != target) { + add_to_free_list(current_buddy, zone, high, migratetype); + set_buddy_order(current_buddy, high); +- page = next_page; + } + } + } diff --git a/queue-5.10/mmc-renesas_sdhi-use-custom-mask-for-tmio_mask_all.patch b/queue-5.10/mmc-renesas_sdhi-use-custom-mask-for-tmio_mask_all.patch new file mode 100644 index 00000000000..11770491129 --- /dev/null +++ b/queue-5.10/mmc-renesas_sdhi-use-custom-mask-for-tmio_mask_all.patch @@ -0,0 +1,57 @@ +From 9f12cac1bb88e3296990e760d867a98308d6b0ac Mon Sep 17 00:00:00 2001 +From: Wolfram Sang +Date: Thu, 4 Mar 2021 10:29:03 +0100 +Subject: mmc: renesas_sdhi: use custom mask for TMIO_MASK_ALL + +From: Wolfram Sang + +commit 9f12cac1bb88e3296990e760d867a98308d6b0ac upstream. + +Populate the new member for custom mask values to make sure this value +is applied whenever needed. Also, rename the define holding the value +because this is not only about initialization anymore. + +Signed-off-by: Wolfram Sang +Reviewed-by: Yoshihiro Shimoda +Tested-by: Yoshihiro Shimoda +Link: https://lore.kernel.org/r/20210304092903.8534-1-wsa+renesas@sang-engineering.com +Signed-off-by: Ulf Hansson +[geert: Backport to v5.10.199] +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/renesas_sdhi_core.c | 3 ++- + drivers/mmc/host/tmio_mmc.h | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/mmc/host/renesas_sdhi_core.c ++++ b/drivers/mmc/host/renesas_sdhi_core.c +@@ -571,7 +571,7 @@ static void renesas_sdhi_reset(struct tm + + if (host->pdata->flags & TMIO_MMC_MIN_RCAR2) + sd_ctrl_write32_as_16_and_16(host, CTL_IRQ_MASK, +- TMIO_MASK_INIT_RCAR2); ++ TMIO_MASK_ALL_RCAR2); + } + + #define SH_MOBILE_SDHI_MIN_TAP_ROW 3 +@@ -1012,6 +1012,7 @@ int renesas_sdhi_probe(struct platform_d + host->ops.start_signal_voltage_switch = + renesas_sdhi_start_signal_voltage_switch; + host->sdcard_irq_setbit_mask = TMIO_STAT_ALWAYS_SET_27; ++ host->sdcard_irq_mask_all = TMIO_MASK_ALL_RCAR2; + host->reset = renesas_sdhi_reset; + } else { + host->sdcard_irq_mask_all = TMIO_MASK_ALL; +--- a/drivers/mmc/host/tmio_mmc.h ++++ b/drivers/mmc/host/tmio_mmc.h +@@ -97,8 +97,8 @@ + + /* Define some IRQ masks */ + /* This is the mask used at reset by the chip */ +-#define TMIO_MASK_INIT_RCAR2 0x8b7f031d /* Initial value for R-Car Gen2+ */ + #define TMIO_MASK_ALL 0x837f031d ++#define TMIO_MASK_ALL_RCAR2 0x8b7f031d + #define TMIO_MASK_READOP (TMIO_STAT_RXRDY | TMIO_STAT_DATAEND) + #define TMIO_MASK_WRITEOP (TMIO_STAT_TXRQ | TMIO_STAT_DATAEND) + #define TMIO_MASK_CMD (TMIO_STAT_CMDRESPEND | TMIO_STAT_CMDTIMEOUT | \ diff --git a/queue-5.10/series b/queue-5.10/series index 99a03ee8336..d910bbe0015 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -1,3 +1,7 @@ selftests-ftrace-add-new-test-case-which-checks-non-.patch mcb-return-actual-parsed-size-when-reading-chameleon.patch mcb-lpc-reallocate-memory-region-to-avoid-memory-ove.patch +virtio_balloon-fix-endless-deflation-and-inflation-on-arm64.patch +virtio-mmio-fix-memory-leak-of-vm_dev.patch +mm-page_alloc-correct-start-page-when-guard-page-debug-is-enabled.patch +mmc-renesas_sdhi-use-custom-mask-for-tmio_mask_all.patch diff --git a/queue-5.10/virtio-mmio-fix-memory-leak-of-vm_dev.patch b/queue-5.10/virtio-mmio-fix-memory-leak-of-vm_dev.patch new file mode 100644 index 00000000000..03ab815d19f --- /dev/null +++ b/queue-5.10/virtio-mmio-fix-memory-leak-of-vm_dev.patch @@ -0,0 +1,86 @@ +From fab7f259227b8f70aa6d54e1de1a1f5f4729041c Mon Sep 17 00:00:00 2001 +From: Maximilian Heyne +Date: Mon, 11 Sep 2023 09:03:29 +0000 +Subject: virtio-mmio: fix memory leak of vm_dev + +From: Maximilian Heyne + +commit fab7f259227b8f70aa6d54e1de1a1f5f4729041c upstream. + +With the recent removal of vm_dev from devres its memory is only freed +via the callback virtio_mmio_release_dev. However, this only takes +effect after device_add is called by register_virtio_device. Until then +it's an unmanaged resource and must be explicitly freed on error exit. + +This bug was discovered and resolved using Coverity Static Analysis +Security Testing (SAST) by Synopsys, Inc. + +Cc: stable@vger.kernel.org +Fixes: 55c91fedd03d ("virtio-mmio: don't break lifecycle of vm_dev") +Signed-off-by: Maximilian Heyne +Reviewed-by: Catalin Marinas +Tested-by: Catalin Marinas +Reviewed-by: Xuan Zhuo +Signed-off-by: Greg Kroah-Hartman + +Message-Id: <20230911090328.40538-1-mheyne@amazon.de> +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Wolfram Sang +--- + drivers/virtio/virtio_mmio.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/drivers/virtio/virtio_mmio.c ++++ b/drivers/virtio/virtio_mmio.c +@@ -596,14 +596,17 @@ static int virtio_mmio_probe(struct plat + spin_lock_init(&vm_dev->lock); + + vm_dev->base = devm_platform_ioremap_resource(pdev, 0); +- if (IS_ERR(vm_dev->base)) +- return PTR_ERR(vm_dev->base); ++ if (IS_ERR(vm_dev->base)) { ++ rc = PTR_ERR(vm_dev->base); ++ goto free_vm_dev; ++ } + + /* Check magic value */ + magic = readl(vm_dev->base + VIRTIO_MMIO_MAGIC_VALUE); + if (magic != ('v' | 'i' << 8 | 'r' << 16 | 't' << 24)) { + dev_warn(&pdev->dev, "Wrong magic value 0x%08lx!\n", magic); +- return -ENODEV; ++ rc = -ENODEV; ++ goto free_vm_dev; + } + + /* Check device version */ +@@ -611,7 +614,8 @@ static int virtio_mmio_probe(struct plat + if (vm_dev->version < 1 || vm_dev->version > 2) { + dev_err(&pdev->dev, "Version %ld not supported!\n", + vm_dev->version); +- return -ENXIO; ++ rc = -ENXIO; ++ goto free_vm_dev; + } + + vm_dev->vdev.id.device = readl(vm_dev->base + VIRTIO_MMIO_DEVICE_ID); +@@ -620,7 +624,8 @@ static int virtio_mmio_probe(struct plat + * virtio-mmio device with an ID 0 is a (dummy) placeholder + * with no function. End probing now with no error reported. + */ +- return -ENODEV; ++ rc = -ENODEV; ++ goto free_vm_dev; + } + vm_dev->vdev.id.vendor = readl(vm_dev->base + VIRTIO_MMIO_VENDOR_ID); + +@@ -650,6 +655,10 @@ static int virtio_mmio_probe(struct plat + put_device(&vm_dev->vdev.dev); + + return rc; ++ ++free_vm_dev: ++ kfree(vm_dev); ++ return rc; + } + + static int virtio_mmio_remove(struct platform_device *pdev) diff --git a/queue-5.10/virtio_balloon-fix-endless-deflation-and-inflation-on-arm64.patch b/queue-5.10/virtio_balloon-fix-endless-deflation-and-inflation-on-arm64.patch new file mode 100644 index 00000000000..895eb8fc2a6 --- /dev/null +++ b/queue-5.10/virtio_balloon-fix-endless-deflation-and-inflation-on-arm64.patch @@ -0,0 +1,97 @@ +From 07622bd415639e9709579f400afd19e7e9866e5e Mon Sep 17 00:00:00 2001 +From: Gavin Shan +Date: Thu, 31 Aug 2023 11:10:07 +1000 +Subject: virtio_balloon: Fix endless deflation and inflation on arm64 + +From: Gavin Shan + +commit 07622bd415639e9709579f400afd19e7e9866e5e upstream. + +The deflation request to the target, which isn't unaligned to the +guest page size causes endless deflation and inflation actions. For +example, we receive the flooding QMP events for the changes on memory +balloon's size after a deflation request to the unaligned target is +sent for the ARM64 guest, where we have 64KB base page size. + + /home/gavin/sandbox/qemu.main/build/qemu-system-aarch64 \ + -accel kvm -machine virt,gic-version=host -cpu host \ + -smp maxcpus=8,cpus=8,sockets=2,clusters=2,cores=2,threads=1 \ + -m 1024M,slots=16,maxmem=64G \ + -object memory-backend-ram,id=mem0,size=512M \ + -object memory-backend-ram,id=mem1,size=512M \ + -numa node,nodeid=0,memdev=mem0,cpus=0-3 \ + -numa node,nodeid=1,memdev=mem1,cpus=4-7 \ + : \ + -device virtio-balloon-pci,id=balloon0,bus=pcie.10 + + { "execute" : "balloon", "arguments": { "value" : 1073672192 } } + {"return": {}} + {"timestamp": {"seconds": 1693272173, "microseconds": 88667}, \ + "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}} + {"timestamp": {"seconds": 1693272174, "microseconds": 89704}, \ + "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}} + {"timestamp": {"seconds": 1693272175, "microseconds": 90819}, \ + "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}} + {"timestamp": {"seconds": 1693272176, "microseconds": 91961}, \ + "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}} + {"timestamp": {"seconds": 1693272177, "microseconds": 93040}, \ + "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}} + {"timestamp": {"seconds": 1693272178, "microseconds": 94117}, \ + "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}} + {"timestamp": {"seconds": 1693272179, "microseconds": 95337}, \ + "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}} + {"timestamp": {"seconds": 1693272180, "microseconds": 96615}, \ + "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}} + {"timestamp": {"seconds": 1693272181, "microseconds": 97626}, \ + "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}} + {"timestamp": {"seconds": 1693272182, "microseconds": 98693}, \ + "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}} + {"timestamp": {"seconds": 1693272183, "microseconds": 99698}, \ + "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}} + {"timestamp": {"seconds": 1693272184, "microseconds": 100727}, \ + "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}} + {"timestamp": {"seconds": 1693272185, "microseconds": 90430}, \ + "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}} + {"timestamp": {"seconds": 1693272186, "microseconds": 102999}, \ + "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}} + : + + +Fix it by aligning the target up to the guest page size, 64KB in this +specific case. With this applied, no flooding QMP events are observed +and the memory balloon's size can be stablizied to 0x3ffe0000 soon +after the deflation request is sent. + + { "execute" : "balloon", "arguments": { "value" : 1073672192 } } + {"return": {}} + {"timestamp": {"seconds": 1693273328, "microseconds": 793075}, \ + "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}} + { "execute" : "query-balloon" } + {"return": {"actual": 1073610752}} + +Cc: stable@vger.kernel.org +Signed-off-by: Gavin Shan +Tested-by: Zhenyu Zhang +Message-Id: <20230831011007.1032822-1-gshan@redhat.com> +Signed-off-by: Michael S. Tsirkin +Reviewed-by: David Hildenbrand +Signed-off-by: Greg Kroah-Hartman +--- + drivers/virtio/virtio_balloon.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/virtio/virtio_balloon.c ++++ b/drivers/virtio/virtio_balloon.c +@@ -402,7 +402,11 @@ static inline s64 towards_target(struct + virtio_cread_le(vb->vdev, struct virtio_balloon_config, num_pages, + &num_pages); + +- target = num_pages; ++ /* ++ * Aligned up to guest page size to avoid inflating and deflating ++ * balloon endlessly. ++ */ ++ target = ALIGN(num_pages, VIRTIO_BALLOON_PAGES_PER_PAGE); + return target - vb->num_pages; + } +