Skip to content

chore: add compounded page allocation workaround patch #135

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
kaniini wants to merge 1 commit into from
Closed

chore: add compounded page allocation workaround patch #135

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,8 @@ patches:
- zone-amdgpu
- patch: 0001-x86-CPU-AMD-avoid-printing-reset-reasons-on-Xen-domU.patch
lower: '6.16'
- patch: 0001-xen-grant-table-cope-with-compounded-page-allocation.patch
lower: '6.1'
images:
- target: kernelsrc
name: kernel-src
Expand Down
63 changes: 63 additions & 0 deletions patches/0001-xen-grant-table-cope-with-compounded-page-allocation.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
From 96ebf00fdf8474a7f994c3737612c41a18083726 Mon Sep 17 00:00:00 2001
From: Ariadne Conill <[email protected]>
Date: Thu, 4 Dec 2025 11:29:36 -0800
Subject: [PATCH] xen/grant-table: cope with compounded page allocations

As part of XSA-396, the 9p xen transport was changed to use
alloc_pages_exact() to allocate contiguous memory. These allocations
are compounded, but the grant-table driver had some design assumptions
that all page allocations are independent.

Fixes: 5cadd4bb1d7 ("xen/9p: use alloc/free_pages_exact()")
Signed-off-by: Ariadne Conill <[email protected]>
---
drivers/xen/grant-table.c | 23 ++++++++++++++++++++---
1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c
index 478d2ad725ac..c619dfd75ddf 100644
--- a/drivers/xen/grant-table.c
+++ b/drivers/xen/grant-table.c
@@ -524,9 +524,10 @@ static void gnttab_handle_deferred(struct timer_list *unused)

put_free_entry(entry->ref);
pr_debug("freeing g.e. %#x (pfn %#lx), %llu remaining\n",
- entry->ref, page_to_pfn(entry->page),
+ entry->ref, entry->page ? page_to_pfn(entry->page) : -1,
(unsigned long long)ret);
- put_page(entry->page);
+ if (entry->page)
+ put_page(entry->page);
freed++;
kfree(entry);
entry = NULL;
@@ -559,9 +560,25 @@ static void gnttab_add_deferred(grant_ref_t ref, struct page *page)
entry = kmalloc(sizeof(*entry), gfp);
if (!page) {
unsigned long gfn = gnttab_interface->read_frame(ref);
+ struct folio *folio;

page = pfn_to_page(gfn_to_pfn(gfn));
- get_page(page);
+ folio = page_folio(page);
+
+ /*
+ * XSA-396 changed the allocation strategy to use a block of contiguous
+ * memory, but this creates a problem with deferred grants where individual
+ * pages may be compounded tail pages instead of independent allocations.
+ *
+ * In that case, trying to take a direct reference to the tail page will
+ * result in the kernel reporting a bug event as taking a direct reference
+ * to compounded tail pages is forbidden.
+ *
+ * To work around this, we try taking a reference to the page's folio
+ * instead, which is expected to fail if the page is a compounded tail.
+ */
+ if (!folio_try_get(folio))
+ page = NULL;
}

if (entry) {
--
2.52.0

Loading