From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jiang Biao <jiang.biao2@zte.com.cn>,
Huang Chong <huang.chong@zte.com.cn>,
"Michael S. Tsirkin" <mst@redhat.com>
Subject: [PATCH 4.9 28/32] virtio_balloon: fix another race between migration and ballooning
Date: Sat, 4 Aug 2018 11:01:18 +0200
Message-ID: <20180804082651.320078604@linuxfoundation.org>
In-Reply-To: <20180804082649.908295462@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiang Biao <jiang.biao2@zte.com.cn>
commit 89da619bc18d79bca5304724c11d4ba3b67ce2c6 upstream.
Kernel panic with high memory pressure, calltrace looks like,
PID: 21439 TASK: ffff881be3afedd0 CPU: 16 COMMAND: "java"
#0 [ffff881ec7ed7630] machine_kexec at ffffffff81059beb
#1 [ffff881ec7ed7690] __crash_kexec at ffffffff81105942
#2 [ffff881ec7ed7760] crash_kexec at ffffffff81105a30
#3 [ffff881ec7ed7778] oops_end at ffffffff816902c8
#4 [ffff881ec7ed77a0] no_context at ffffffff8167ff46
#5 [ffff881ec7ed77f0] __bad_area_nosemaphore at ffffffff8167ffdc
#6 [ffff881ec7ed7838] __node_set at ffffffff81680300
#7 [ffff881ec7ed7860] __do_page_fault at ffffffff8169320f
#8 [ffff881ec7ed78c0] do_page_fault at ffffffff816932b5
#9 [ffff881ec7ed78f0] page_fault at ffffffff8168f4c8
[exception RIP: _raw_spin_lock_irqsave+47]
RIP: ffffffff8168edef RSP: ffff881ec7ed79a8 RFLAGS: 00010046
RAX: 0000000000000246 RBX: ffffea0019740d00 RCX: ffff881ec7ed7fd8
RDX: 0000000000020000 RSI: 0000000000000016 RDI: 0000000000000008
RBP: ffff881ec7ed79a8 R8: 0000000000000246 R9: 000000000001a098
R10: ffff88107ffda000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000008 R14: ffff881ec7ed7a80 R15: ffff881be3afedd0
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
It happens in the pagefault and results in a double pagefault
during compacting pages when memory allocation fails.

Analysed the vmcore, the page that leads to the second pagefault is corrupted
with _mapcount=-256, but private=0.

It's caused by the race between migration and ballooning, and a missing
lock in virtballoon_migratepage() of the virtio_balloon driver.

This patch fixes the bug.
Fixes: e22504296d4f64f ("virtio_balloon: introduce migration primitives to balloon pages")
Cc: stable@vger.kernel.org
Signed-off-by: Jiang Biao <jiang.biao2@zte.com.cn>
Signed-off-by: Huang Chong <huang.chong@zte.com.cn>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/virtio/virtio_balloon.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/virtio/virtio_balloon.c
+++ b/drivers/virtio/virtio_balloon.c
@@ -493,7 +493,9 @@ static int virtballoon_migratepage(struc
tell_host(vb, vb->inflate_vq);
/* balloon's page migration 2nd step -- deflate "page" */
+ spin_lock_irqsave(&vb_dev_info->pages_lock, flags);
balloon_page_delete(page);
+ spin_unlock_irqrestore(&vb_dev_info->pages_lock, flags);
vb->num_pfns = VIRTIO_BALLOON_PAGES_PER_PAGE;
set_page_pfns(vb, vb->pfns, page);
tell_host(vb, vb->deflate_vq);
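Review bot: The new spin_lock_irqsave()/spin_unlock_irqrestore() pair around balloon_page_delete(page) relies on `flags` and `vb_dev_info` already being in scope, and neither declaration is visible in this hunk, so for the 4.9 backport it is worth confirming that virtballoon_migratepage() in this tree already has both before the series is released. The critical section is kept to the single balloon_page_delete() call, with both tell_host() calls left outside pages_lock, which is the right shape for a spinlock taken with interrupts disabled. The changelog names the missing lock but not the path it races with; a one-line comment above the lock saying that balloon_page_delete() must be called under pages_lock would keep a later caller from repeating the omission.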