Date: Mon, 4 Feb 2019 10:42:45 +0100
From: Greg KH
To: David Hildenbrand
Cc: Mel Gorman, "Kirill A. Shutemov", Michal Hocko, Naoya Horiguchi, Jan Kara, Andrea Arcangeli, Dominik Brodowski, Matthew Wilcox, Vratislav Bendel, Rafael Aquini, Konstantin Khlebnikov, Minchan Kim, stable@vger.kernel.org, Andrew Morton, Linus Torvalds
Subject: Re: [PATCH for-3.18-stable] mm: migrate: don't rely on __PageMovable() of newpage after unlocking it
Message-ID: <20190204094245.GA3945@kroah.com>
References: <154926015554253@kroah.com> <20190204092524.29829-1-david@redhat.com>
In-Reply-To: <20190204092524.29829-1-david@redhat.com>
X-Mailing-List: stable@vger.kernel.org

On Mon, Feb 04, 2019 at 10:25:24AM +0100, David Hildenbrand wrote:
> commit e0a352fabce61f730341d119fbedf71ffdb8663f upstream.
>
> We had a race in the old balloon compaction code before b1123ea6d3b3
> ("mm: balloon: use general non-lru movable page feature") refactored it
> that became visible after backporting 195a8c43e93d ("virtio-balloon:
> deflate via a page list") without the refactoring.
>
> The bug existed from commit d6d86c0a7f8d ("mm/balloon_compaction:
> redesign ballooned pages management") till b1123ea6d3b3 ("mm: balloon:
> use general non-lru movable page feature"). d6d86c0a7f8d
> ("mm/balloon_compaction: redesign ballooned pages management") was
> backported to 3.12, so the broken kernels are stable kernels [3.12 -
> 4.7].
>
> There was a subtle race between dropping the page lock of the newpage in
> __unmap_and_move() and checking for __is_movable_balloon_page(newpage).
>
> Just after dropping this page lock, virtio-balloon could go ahead and
> deflate the newpage, effectively dequeueing it and clearing PageBalloon,
> in turn making __is_movable_balloon_page(newpage) fail.
>
> This resulted in dropping the reference of the newpage via
> putback_lru_page(newpage) instead of put_page(newpage), leading to
> page->lru getting modified and a !LRU page ending up in the LRU lists.
> With 195a8c43e93d ("virtio-balloon: deflate via a page list")
> backported, one would suddenly get corrupted lists in
> release_pages_balloon():
>
> - WARNING: CPU: 13 PID: 6586 at lib/list_debug.c:59 __list_del_entry+0xa1/0xd0
> - list_del corruption. prev->next should be ffffe253961090a0, but was dead000000000100
>
> Nowadays this race is no longer possible, but it is hidden behind very
> ugly handling of __ClearPageMovable() and __PageMovable().
>
> __ClearPageMovable() will not make __PageMovable() fail, only
> PageMovable(). So the new check (__PageMovable(newpage)) will still
> hold even after newpage was dequeued by virtio-balloon.
>
> If anybody would ever change that special handling, the BUG would be
> introduced again. So instead, make it explicit and use the information
> of the original isolated page before migration.
>
> This patch can be backported fairly easy to stable kernels (in contrast
> to the refactoring).
>
> Link: http://lkml.kernel.org/r/20190129233217.10747-1-david@redhat.com
> Fixes: d6d86c0a7f8d ("mm/balloon_compaction: redesign ballooned pages management")
> Signed-off-by: David Hildenbrand
> Reported-by: Vratislav Bendel
> Acked-by: Michal Hocko
> Acked-by: Rafael Aquini
> Cc: Mel Gorman
> Cc: "Kirill A. Shutemov"
> Cc: Michal Hocko
> Cc: Naoya Horiguchi
> Cc: Jan Kara
> Cc: Andrea Arcangeli
> Cc: Dominik Brodowski
> Cc: Matthew Wilcox
> Cc: Vratislav Bendel
> Cc: Rafael Aquini
> Cc: Konstantin Khlebnikov
> Cc: Minchan Kim
> Cc: [3.12 - 4.7]
> Signed-off-by: Andrew Morton
> Signed-off-by: Linus Torvalds
> Signed-off-by: David Hildenbrand
> ---
>  mm/migrate.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)

Now queued up, thanks.

greg k-h
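
The race described in the quoted commit message, replayed as a deterministic single-threaded toy model in C. This is an added example, not part of the original mail and not the kernel patch; the struct and all `toy_*` names are hypothetical stand-ins for the kernel objects the message mentions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model, not kernel code: every name here is hypothetical. */
struct toy_page {
    bool balloon;   /* stands in for the PageBalloon marker */
    bool on_lru;    /* set once the page was linked into an LRU list */
    int  refs;
};

/* Stand-in for the balloon driver deflating a page: clears the marker. */
static void toy_deflate(struct toy_page *p) { p->balloon = false; }

/* Stand-ins for the two ways of dropping the migration reference. */
static void toy_put_page(struct toy_page *p) { p->refs--; }
static void toy_putback_lru(struct toy_page *p) { p->on_lru = true; p->refs--; }

/*
 * Migrate one balloon page. 'deflate_in_window' replays the interleaving
 * from the commit message: the driver deflates newpage right after it is
 * unlocked. 'use_snapshot' selects the fixed behaviour (decide from the
 * original page, before migration) over the racy re-check of newpage.
 * Returns true if the non-LRU newpage ended up on the LRU (the corruption).
 */
static bool toy_migrate(bool deflate_in_window, bool use_snapshot)
{
    struct toy_page page = { .balloon = true, .refs = 1 };
    struct toy_page newpage = { .refs = 1 };
    bool was_balloon = page.balloon;  /* snapshot taken before migration */

    newpage.balloon = page.balloon;   /* migration hands the state over */
    page.balloon = false;
    /* newpage is unlocked here; its flags may now change under us */
    if (deflate_in_window)
        toy_deflate(&newpage);

    bool treat_as_balloon = use_snapshot ? was_balloon : newpage.balloon;
    if (treat_as_balloon)
        toy_put_page(&newpage);
    else
        toy_putback_lru(&newpage);
    return newpage.on_lru;
}

int main(void)
{
    printf("re-check + deflate: %d\n", toy_migrate(true, false));
    printf("snapshot + deflate: %d\n", toy_migrate(true, true));
    return 0;
}
```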