diff --git a/config.yaml b/config.yaml
index 1b9643c..e8ab04f 100644
--- a/config.yaml
+++ b/config.yaml
@@ -74,6 +74,8 @@ patches:
 - zone-amdgpu
 - patch: 0001-x86-CPU-AMD-avoid-printing-reset-reasons-on-Xen-domU.patch
   lower: '6.16'
+- patch: 0001-xen-grant-table-cope-with-compounded-page-allocation.patch
+  lower: '6.1'
 images:
 - target: kernelsrc
   name: kernel-src
diff --git a/patches/0001-xen-grant-table-cope-with-compounded-page-allocation.patch b/patches/0001-xen-grant-table-cope-with-compounded-page-allocation.patch
new file mode 100644
index 0000000..cca0cc4
--- /dev/null
+++ b/patches/0001-xen-grant-table-cope-with-compounded-page-allocation.patch
@@ -0,0 +1,63 @@
+From 96ebf00fdf8474a7f994c3737612c41a18083726 Mon Sep 17 00:00:00 2001
+From: Ariadne Conill
+Date: Thu, 4 Dec 2025 11:29:36 -0800
+Subject: [PATCH] xen/grant-table: cope with compounded page allocations
+
+As part of XSA-396, the 9p xen transport was changed to use
+alloc_pages_exact() to allocate contiguous memory. These allocations
+are compounded, but the grant-table driver had some design assumptions
+that all page allocations are independent.
+
+Fixes: 5cadd4bb1d7 ("xen/9p: use alloc/free_pages_exact()")
+Signed-off-by: Ariadne Conill
+---
+ drivers/xen/grant-table.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c
+index 478d2ad725ac..c619dfd75ddf 100644
+--- a/drivers/xen/grant-table.c
++++ b/drivers/xen/grant-table.c
+@@ -524,9 +524,10 @@ static void gnttab_handle_deferred(struct timer_list *unused)
+ 
+ put_free_entry(entry->ref);
+ pr_debug("freeing g.e. %#x (pfn %#lx), %llu remaining\n",
+- entry->ref, page_to_pfn(entry->page),
++ entry->ref, entry->page ? page_to_pfn(entry->page) : -1,
+ (unsigned long long)ret);
+- put_page(entry->page);
++ if (entry->page)
++ put_page(entry->page);
+ freed++;
+ kfree(entry);
+ entry = NULL;
+@@ -559,9 +560,25 @@ static void gnttab_add_deferred(grant_ref_t ref, struct page *page)
+ entry = kmalloc(sizeof(*entry), gfp);
+ if (!page) {
+ unsigned long gfn = gnttab_interface->read_frame(ref);
++ struct folio *folio;
+ 
+ page = pfn_to_page(gfn_to_pfn(gfn));
+- get_page(page);
++ folio = page_folio(page);
++
++ /*
++ * XSA-396 changed the allocation strategy to use a block of contiguous
++ * memory, but this creates a problem with deferred grants where individual
++ * pages may be compounded tail pages instead of independent allocations.
++ *
++ * In that case, trying to take a direct reference to the tail page will
++ * result in the kernel reporting a bug event as taking a direct reference
++ * to compounded tail pages is forbidden.
++ *
++ * To work around this, we try taking a reference to the page's folio
++ * instead, which is expected to fail if the page is a compounded tail.
++ */
++ if (!folio_try_get(folio))
++ page = NULL;
+ }
+ 
+ if (entry) {
+-- 
+2.52.0
+
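Review bot: The `folio_try_get(folio)` failure path in gnttab_add_deferred silently drops the page (`page = NULL`), so the deferred entry then keeps the grant reference alive without pinning any memory — yet the whole point of deferring is to keep the frame out of the allocator while the remote domain may still have it mapped, so an unpinned frame can be reused for other data while still foreign-accessible. As far as I can tell folio_try_get() fails when the folio's refcount is already zero (the frame already freed), not because the page is a compound tail; page_folio() of a live tail page resolves to its head folio, whose refcount would succeed, so the comment's stated reason should be re-checked and reworded accordingly, e.g. `/* folio_try_get() fails once the frame has already been freed; in that case there is nothing left to pin, only the grant ref to recycle. */`. That condition should at least be loud rather than silent: `if (!folio_try_get(folio)) { page = NULL;` / `WARN_ONCE(1, "gnttab: g.e. %#x frame has no live reference, not pinning it\n", ref); }`. The pr_debug change in the first hunk is fine, though `-1` printed through `%#lx` will show as an all-ones value rather than a sentinel a reader recognises. Both gnttab_handle_deferred and gnttab_add_deferred continue outside their hunks.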