Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.18.2 2018-07-03T10:58:23+00:00 2018-07-03T10:58:23+00:00 Nadav Amit namit@vmware.com 2018-07-03T02:27:13+00:00 urn:sha1:90d72ce079791399ac255c75728f3c9e747b093d Embarrassingly, the recent fix introduced worse problem than it solved, causing the balloon not to inflate. The VM informed the hypervisor that the pages for lock/unlock are sitting in the wrong address, as it used the page that is used the uninitialized page variable. Fixes: b23220fe054e9 ("vmw_balloon: fixing double free when batching mode is off") Cc: stable@vger.kernel.org Reviewed-by: Xavier Deguillard <xdeguillard@vmware.com> Signed-off-by: Nadav Amit <namit@vmware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-06-02T17:34:13+00:00 Gil Kupfer gilkup@gmail.com 2018-06-01T07:47:47+00:00 urn:sha1:b23220fe054e92f616b82450fae8cd3ab176cc60 The balloon.page field is used for two different purposes if batching is on or off. If batching is on, the field point to the page which is used to communicate with with the hypervisor. If it is off, balloon.page points to the page that is about to be (un)locked. Unfortunately, this dual-purpose of the field introduced a bug: when the balloon is popped (e.g., when the machine is reset or the balloon driver is explicitly removed), the balloon driver frees, unconditionally, the page that is held in balloon.page. As a result, if batching is disabled, this leads to double freeing the last page that is sent to the hypervisor. The following error occurs during rmmod when kernel checkers are on, and the balloon is not empty: [ 42.307653] ------------[ cut here ]------------ [ 42.307657] Kernel BUG at ffffffffba1e4b28 [verbose debug info unavailable] [ 42.307720] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC [ 42.312512] Modules linked in: vmw_vsock_vmci_transport vsock ppdev joydev vmw_balloon(-) input_leds serio_raw vmw_vmci parport_pc shpchp parport i2c_piix4 nfit mac_hid autofs4 vmwgfx drm_kms_helper hid_generic syscopyarea sysfillrect usbhid sysimgblt fb_sys_fops hid ttm mptspi scsi_transport_spi ahci mptscsih drm psmouse vmxnet3 libahci mptbase pata_acpi [ 42.312766] CPU: 10 PID: 1527 Comm: rmmod Not tainted 4.12.0+ #5 [ 42.312803] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 09/30/2016 [ 42.313042] task: ffff9bf9680f8000 task.stack: ffffbfefc1638000 [ 42.313290] RIP: 0010:__free_pages+0x38/0x40 [ 42.313510] RSP: 0018:ffffbfefc163be98 EFLAGS: 00010246 [ 42.313731] RAX: 000000000000003e RBX: ffffffffc02b9720 RCX: 0000000000000006 [ 42.313972] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9bf97e08e0a0 [ 42.314201] RBP: ffffbfefc163be98 R08: 0000000000000000 R09: 0000000000000000 [ 42.314435] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffc02b97e4 [ 42.314505] R13: ffffffffc02b9748 R14: ffffffffc02b9728 R15: 0000000000000200 [ 42.314550] FS: 00007f3af5fec700(0000) GS:ffff9bf97e080000(0000) knlGS:0000000000000000 [ 42.314599] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 42.314635] CR2: 00007f44f6f4ab24 CR3: 00000003a7d12000 CR4: 00000000000006e0 [ 42.314864] Call Trace: [ 42.315774] vmballoon_pop+0x102/0x130 [vmw_balloon] [ 42.315816] vmballoon_exit+0x42/0xd64 [vmw_balloon] [ 42.315853] SyS_delete_module+0x1e2/0x250 [ 42.315891] entry_SYSCALL_64_fastpath+0x23/0xc2 [ 42.315924] RIP: 0033:0x7f3af5b0e8e7 [ 42.315949] RSP: 002b:00007fffe6ce0148 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 [ 42.315996] RAX: ffffffffffffffda RBX: 000055be676401e0 RCX: 00007f3af5b0e8e7 [ 42.316951] RDX: 000000000000000a RSI: 0000000000000800 RDI: 000055be67640248 [ 42.317887] RBP: 0000000000000003 R08: 0000000000000000 R09: 1999999999999999 [ 42.318845] R10: 0000000000000883 R11: 0000000000000206 R12: 00007fffe6cdf130 [ 42.319755] R13: 0000000000000000 R14: 0000000000000000 R15: 000055be676401e0 [ 42.320606] Code: c0 74 1c f0 ff 4f 1c 74 02 5d c3 85 f6 74 07 e8 0f d8 ff ff 5d c3 31 f6 e8 c6 fb ff ff 5d c3 48 c7 c6 c8 0f c5 ba e8 58 be 02 00 <0f> 0b 66 0f 1f 44 00 00 66 66 66 66 90 48 85 ff 75 01 c3 55 48 [ 42.323462] RIP: __free_pages+0x38/0x40 RSP: ffffbfefc163be98 [ 42.325735] ---[ end trace 872e008e33f81508 ]--- To solve the bug, we eliminate the dual purpose of balloon.page. Fixes: f220a80f0c2e ("VMware balloon: add batching to the vmw_balloon.") Cc: stable@vger.kernel.org Reported-by: Oleksandr Natalenko <onatalen@redhat.com> Signed-off-by: Gil Kupfer <gilkup@gmail.com> Signed-off-by: Nadav Amit <namit@vmware.com> Reviewed-by: Xavier Deguillard <xdeguillard@vmware.com> Tested-by: Oleksandr Natalenko <oleksandr@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-11-10T09:03:12+00:00 Juergen Gross jgross@suse.com 2017-11-09T13:27:36+00:00 urn:sha1:03b2a320b19f1424e9ac9c21696be9c60b6d0d93 The x86_hyper pointer is only used for checking whether a virtual device is supporting the hypervisor the system is running on. Use an enum for that purpose instead and drop the x86_hyper pointer. Signed-off-by: Juergen Gross <jgross@suse.com> Acked-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: Xavier Deguillard <xdeguillard@vmware.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: akataria@vmware.com Cc: arnd@arndb.de Cc: boris.ostrovsky@oracle.com Cc: devel@linuxdriverproject.org Cc: dmitry.torokhov@gmail.com Cc: gregkh@linuxfoundation.org Cc: haiyangz@microsoft.com Cc: kvm@vger.kernel.org Cc: kys@microsoft.com Cc: linux-graphics-maintainer@vmware.com Cc: linux-input@vger.kernel.org Cc: moltmann@vmware.com Cc: pbonzini@redhat.com Cc: pv-drivers@vmware.com Cc: rkrcmar@redhat.com Cc: sthemmin@microsoft.com Cc: virtualization@lists.linux-foundation.org Cc: xen-devel@lists.xenproject.org Link: http://lkml.kernel.org/r/20171109132739.23465-3-jgross@suse.com Signed-off-by: Ingo Molnar <mingo@kernel.org> 2015-11-07T01:50:42+00:00 Mel Gorman mgorman@techsingularity.net 2015-11-07T00:28:28+00:00 urn:sha1:71baba4b92dc1fa1bc461742c6ab1942ec6034e9 __GFP_WAIT was used to signal that the caller was in atomic context and could not sleep. Now it is possible to distinguish between true atomic context and callers that are not willing to sleep. The latter should clear __GFP_DIRECT_RECLAIM so kswapd will still wake. As clearing __GFP_WAIT behaves differently, there is a risk that people will clear the wrong flags. This patch renames __GFP_WAIT to __GFP_RECLAIM to clearly indicate what it does -- setting it allows all reclaim activity, clearing them prevents it. [akpm@linux-foundation.org: fix build] [akpm@linux-foundation.org: coding-style fixes] Signed-off-by: Mel Gorman <mgorman@techsingularity.net> Acked-by: Michal Hocko <mhocko@suse.com> Acked-by: Vlastimil Babka <vbabka@suse.cz> Acked-by: Johannes Weiner <hannes@cmpxchg.org> Cc: Christoph Lameter <cl@linux.com> Acked-by: David Rientjes <rientjes@google.com> Cc: Vitaly Wool <vitalywool@gmail.com> Cc: Rik van Riel <riel@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2015-10-04T11:59:11+00:00 Philip P. Moltmann moltmann@vmware.com 2015-08-06T22:18:01+00:00 urn:sha1:48e3d668b7902cca3c61e9e2098e7f76b5646c28 Get notified immediately when a balloon target is set, instead of waiting for up to one second. The up-to 1 second gap could be long enough to cause swapping inside of the VM that receives the VM. Acked-by: Andy King <acking@vmware.com> Signed-off-by: Xavier Deguillard <xdeguillard@vmware.com> Tested-by: Siva Sankar Reddy B <sankars@vmware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-10-04T11:59:11+00:00 Philip P. Moltmann moltmann@vmware.com 2015-08-06T22:18:01+00:00 urn:sha1:d7568c130d0d0ff1fc5b364fc879b91f108a3d54 Unify the behavior of the first start of the balloon and a reset. Also on unload, declare that the balloon driver does not have any capabilities anymore. Acked-by: Andy King <acking@vmware.com> Signed-off-by: Xavier Deguillard <xdeguillard@vmware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-10-04T11:59:11+00:00 Philip P. Moltmann moltmann@vmware.com 2015-08-06T22:18:01+00:00 urn:sha1:365bd7ef7ec8eb9c2e081cd970a5cdfa237dc243 2m ballooning significantly reduces the hypervisor side (and guest side) overhead of ballooning and unballooning. hypervisor only: balloon unballoon 4 KB 2 GB/s 2.6 GB/s 2 MB 54 GB/s 767 GB/s Use 2 MB pages as the hypervisor is alwys 64bit and 2 MB is the smallest supported super-page size. The code has to run on older versions of ESX and old balloon drivers run on newer version of ESX. Hence match the capabilities with the host before 2m page ballooning could be enabled. Signed-off-by: Xavier Deguillard <xdeguillard@vmware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-10-04T11:59:11+00:00 Philip P. Moltmann moltmann@vmware.com 2015-08-06T22:18:01+00:00 urn:sha1:33d268ed00190e8bc642508f9eb2f3f9ac0a1569 When VMware's hypervisor requests a VM to reclaim memory this is preferrably done via ballooning. If the balloon driver does not return memory fast enough, more drastic methods, such as hypervisor-level swapping are needed. These other methods cause performance issues, e.g. hypervisor-level swapping requires the hypervisor to swap in a page syncronously while the virtual CPU is blocked. Hence it is in the interest of the VM to balloon memory as fast as possible. The problem with doing this is that the VM might end up doing nothing else than ballooning and the user might notice that the VM is stalled, esp. when the VM has only a single virtual CPU. This is less of a problem if the VM and the hypervisor perform balloon operations faster. Also the balloon driver yields regularly, hence on a single virtual CPU the Linux scheduler should be able to properly time-slice between ballooning and other tasks. Testing Done: quickly ballooned a lot of pages while wathing if there are any perceived hickups (periods of non-responsiveness) in the execution of the linux VM. No such hickups were seen. Signed-off-by: Xavier Deguillard <xdeguillard@vmware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-10-04T11:59:11+00:00 Philip P. Moltmann moltmann@vmware.com 2015-08-06T22:18:00+00:00 urn:sha1:b36e89da86022c04fa5e7c32f0d55c1ba23c1ab8 This helps with debugging vmw_balloon behavior, as it is clear what functionality is enabled. Acked-by: Andy King <acking@vmware.com> Signed-off-by: Xavier Deguillard <xdeguillard@vmware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-10-04T11:59:11+00:00 Xavier Deguillard xdeguillard@vmware.com 2015-08-06T22:17:59+00:00 urn:sha1:4670de4d7fe9532c8c7c7fe2d0c297b319086854 Instead of waiting for the next GET_TARGET command, we can react faster by exploiting the fact that each hypervisor call also returns the balloon target. Signed-off-by: Xavier Deguillard <xdeguillard@vmware.com> Acked-by: Dmitry Torokhov <dtor@vmware.com> Signed-off-by: Philip P. Moltmann <moltmann@vmware.com> Acked-by: Andy King <acking@vmware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>