+ mm-migrate-dont-rely-on-__pagemovable-of-newpage-after-unlocking-it.patch added to -mm tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The patch titled
     Subject: mm: migrate: don't rely on __PageMovable() of newpage after unlocking it
has been added to the -mm tree.  Its filename is
     mm-migrate-dont-rely-on-__pagemovable-of-newpage-after-unlocking-it.patch

This patch should soon appear at
    http://ozlabs.org/~akpm/mmots/broken-out/mm-migrate-dont-rely-on-__pagemovable-of-newpage-after-unlocking-it.patch
and later at
    http://ozlabs.org/~akpm/mmotm/broken-out/mm-migrate-dont-rely-on-__pagemovable-of-newpage-after-unlocking-it.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

------------------------------------------------------
From: David Hildenbrand <david@xxxxxxxxxx>
Subject: mm: migrate: don't rely on __PageMovable() of newpage after unlocking it

We had a race in the old balloon compaction code before b1123ea6d3b3 ("mm:
balloon: use general non-lru movable page feature") refactored it that
became visible after backporting 195a8c43e93d ("virtio-balloon: deflate
via a page list") without the refactoring.

The bug existed from commit d6d86c0a7f8d ("mm/balloon_compaction: redesign
ballooned pages management") till b1123ea6d3b3 ("mm: balloon: use general
non-lru movable page feature").  d6d86c0a7f8d ("mm/balloon_compaction:
redesign ballooned pages management") was backported to 3.12, so the
broken kernels are stable kernels [3.12 - 4.7].

There was a subtle race between dropping the page lock of the newpage
in __unmap_and_move() and checking for
__is_movable_balloon_page(newpage).

Just after dropping this page lock, virtio-balloon could go ahead and
deflate the newpage, effectively dequeueing it and clearing PageBalloon,
in turn making __is_movable_balloon_page(newpage) fail.

This resulted in dropping the reference of the newpage via
putback_lru_page(newpage) instead of put_page(newpage), leading to
page->lru getting modified and a !LRU page ending up in the LRU lists. 
With 195a8c43e93d ("virtio-balloon: deflate via a page list") backported,
one would suddenly get corrupted lists in release_pages_balloon():

- WARNING: CPU: 13 PID: 6586 at lib/list_debug.c:59 __list_del_entry+0xa1/0xd0
- list_del corruption. prev->next should be ffffe253961090a0, but was dead000000000100

Nowadays this race is no longer possible, but it is hidden behind very
ugly handling of __ClearPageMovable() and __PageMovable().

__ClearPageMovable() will not make __PageMovable() fail, only
PageMovable().  So the new check (__PageMovable(newpage)) will still hold
even after newpage was dequeued by virtio-balloon.

If anybody would ever change that special handling, the BUG would be
introduced again.  So instead, make it explicit and use the information of
the original isolated page before migration.

This patch can be backported fairly easy to stable kernels (in contrast to
the refactoring).

Link: http://lkml.kernel.org/r/20190129233217.10747-1-david@xxxxxxxxxx
Fixes: d6d86c0a7f8d ("mm/balloon_compaction: redesign ballooned pages management")
Signed-off-by: David Hildenbrand <david@xxxxxxxxxx>
Reported-by: Vratislav Bendel <vbendel@xxxxxxxxxx>
Acked-by: Michal Hocko <mhocko@xxxxxxxx>
Acked-by: Rafael Aquini <aquini@xxxxxxxxxx>
Cc: Mel Gorman <mgorman@xxxxxxxxxxxxxxxxxxx>
Cc: "Kirill A. Shutemov" <kirill.shutemov@xxxxxxxxxxxxxxx>
Cc: Michal Hocko <mhocko@xxxxxxxx>
Cc: Naoya Horiguchi <n-horiguchi@xxxxxxxxxxxxx>
Cc: Jan Kara <jack@xxxxxxx>
Cc: Andrea Arcangeli <aarcange@xxxxxxxxxx>
Cc: Dominik Brodowski <linux@xxxxxxxxxxxxxxxxxxxx>
Cc: Matthew Wilcox <willy@xxxxxxxxxxxxx>
Cc: Vratislav Bendel <vbendel@xxxxxxxxxx>
Cc: Rafael Aquini <aquini@xxxxxxxxxx>
Cc: Konstantin Khlebnikov <k.khlebnikov@xxxxxxxxxxx>
Cc: Minchan Kim <minchan@xxxxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx>	[3.12 - 4.7]
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 mm/migrate.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/mm/migrate.c~mm-migrate-dont-rely-on-__pagemovable-of-newpage-after-unlocking-it
+++ a/mm/migrate.c
@@ -1130,10 +1130,13 @@ out:
 	 * If migration is successful, decrease refcount of the newpage
 	 * which will not free the page because new page owner increased
 	 * refcounter. As well, if it is LRU page, add the page to LRU
-	 * list in here.
+	 * list in here. Use the old state of the isolated source page to
+	 * determine if we migrated a LRU page. newpage was already unlocked
+	 * and possibly modified by its owner - don't rely on the page
+	 * state.
 	 */
 	if (rc == MIGRATEPAGE_SUCCESS) {
-		if (unlikely(__PageMovable(newpage)))
+		if (unlikely(!is_lru))
 			put_page(newpage);
 		else
 			putback_lru_page(newpage);
_

Patches currently in -mm which might be from david@xxxxxxxxxx are

mm-migrate-dont-rely-on-__pagemovable-of-newpage-after-unlocking-it.patch
mm-balloon-update-comment-about-isolation-migration-compaction.patch
mm-convert-pg_balloon-to-pg_offline.patch
kexec-export-pg_offline-to-vmcoreinfo.patch
xen-balloon-mark-inflated-pages-pg_offline.patch
hv_balloon-mark-inflated-pages-pg_offline.patch
vmw_balloon-mark-inflated-pages-pg_offline.patch
vmw_balloon-mark-inflated-pages-pg_offline-v2.patch
pm-hibernate-use-pfn_to_online_page.patch
pm-hibernate-exclude-all-pageoffline-pages.patch
pm-hibernate-exclude-all-pageoffline-pages-v2.patch
agp-efficeon-no-need-to-set-pg_reserved-on-gatt-tables.patch
s390-vdso-dont-clear-pg_reserved.patch
powerpc-vdso-dont-clear-pg_reserved.patch
riscv-vdso-dont-clear-pg_reserved.patch
m68k-mm-use-__clearpagereserved.patch
arm64-kexec-no-need-to-clearpagereserved.patch
arm64-kdump-no-need-to-mark-crashkernel-pages-manually-pg_reserved.patch
ia64-perfmon-dont-mark-buffer-pages-as-pg_reserved.patch
mm-better-document-pg_reserved.patch




[Index of Archives]     [Kernel Archive]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]

  Powered by Linux