xen: let alloc_xenballooned_pages() fail if not enough memory free

Instead of trying to allocate pages with GFP_USER in
add_ballooned_pages() check the available free memory via
si_mem_available(). GFP_USER is far less limiting memory exhaustion
than the test via si_mem_available().

This will avoid dom0 running out of memory due to excessive foreign
page mappings especially on ARM and on x86 in PVH mode, as those don't
have a pre-ballooned area which can be used for foreign mappings.

As the normal ballooning suffers from the same problem don't balloon
down more than si_mem_available() pages in one iteration. At the same
time limit the default maximum number of retries.

This is part of XSA-300.

Signed-off-by: Juergen Gross <jgross@suse.com>
(cherry picked from commit a1078e821b605813b63bf6bca414a85f804d5c66)

Orabug: 30073695

CVE has not been assigned yet.

Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Reviewed-by: Jack Vogel <jack.vogel@oracle.com>
Reviewed-by: John Haxby <john.haxby@oracle.com>
Reviewed-by: Patrick Colp <patrick.colp@oracle.com>
Signed-off-by: Brian Maly <brian.maly@oracle.com>

diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
index 7edb76c9c09f5d6f57a4560599a8406c29f6e4e7..399d8807380080875f2f2f9b5a453c2d5f8014d0 100644 (file)
--- a/drivers/xen/balloon.c
+++ b/drivers/xen/balloon.c
@@ -581,8 +581,15 @@ static void balloon_process(struct work_struct *work)
                                state = reserve_additional_memory();
                }
 
-               if (credit < 0)
-                       state = decrease_reservation(-credit, GFP_BALLOON);
+               if (credit < 0) {
+                       long n_pages;
+
+                       n_pages = min(-credit, si_mem_available());
+                       state = decrease_reservation(n_pages, GFP_BALLOON);
+                       if (state == BP_DONE && n_pages != -credit &&
+                           n_pages < totalreserve_pages)
+                               state = BP_EAGAIN;
+               }
 
                state = update_schedule(state);
 
@@ -621,6 +628,9 @@ static int add_ballooned_pages(int nr_pages)
                }
        }
 
+       if (si_mem_available() < nr_pages)
+               return -ENOMEM;
+
        st = decrease_reservation(nr_pages, GFP_USER);
        if (st != BP_DONE)
                return -ENOMEM;
@@ -744,7 +754,7 @@ static int __init balloon_init(void)
        balloon_stats.schedule_delay = 1;
        balloon_stats.max_schedule_delay = 32;
        balloon_stats.retry_count = 1;
-       balloon_stats.max_retry_count = RETRY_UNLIMITED;
+       balloon_stats.max_retry_count = 4;
 
 #ifdef CONFIG_XEN_BALLOON_MEMORY_HOTPLUG
        set_online_page_callback(&xen_online_page);