From: Nadav Amit
To: Arnd Bergmann, Greg Kroah-Hartman, Oleksandr Natalenko
CC: Xavier Deguillard, pv-drivers, LKML, Gil Kupfer, "stable@vger.kernel.org"
Subject: Re: [PATCH v2] vmw_balloon: fixing double free when batching mode is off
Date: Wed, 14 Mar 2018 04:02:31 +0000
In-Reply-To: <20180312192848.22104-1-namit@vmware.com>

Nadav Amit wrote:

> From: Gil Kupfer
>
> The balloon.page field is used for two different purposes if batching is
> on or off. If batching is on, the field points to the page which is used
> to communicate with the hypervisor. If it is off, balloon.page
> points to the page that is about to be (un)locked.
>
> Unfortunately, this dual-purpose of the field introduced a bug: when the
> balloon is popped (e.g., when the machine is reset or the balloon driver
> is explicitly removed), the balloon driver frees, unconditionally, the
> page that is held in balloon.page. As a result, if batching is
> disabled, this leads to double freeing the last page that is sent to the
> hypervisor.

Oleksandr, if you can confirm that it fixes the bug you encountered, it
would be great.

Greg, Arnd, in your free time, please let me know if there is any issue
with the patch, and whether you can incorporate it, preferably in 4.16,
since it is a bug-fix that was encountered by Red-Hat customers.

Thanks,
Nadav
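
The double free described in the quoted commit message, as an added user-space C model; it is not part of the original mail and is not code from the vmw_balloon driver. All names (struct balloon, pop, run_scenario) are hypothetical, and both the guard and the assumption that the last page has already been released on its normal path are illustrative, since the patch itself is not on this page.

```c
/* User-space model (added example); all names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

struct page { int free_count; };   /* > 1 means the page was freed twice */

struct balloon {
    bool batching;
    struct page *page;  /* batching on: comm page; off: page being (un)locked */
};

static int double_frees;

static void free_page_model(struct page *p)
{
    if (++p->free_count > 1)
        double_frees++;
}

/* guarded == false: pop frees balloon.page unconditionally, as the commit
 * message describes. guarded == true: assumed guard that frees it only when
 * it is the driver-owned communication page (batching on). */
static void pop(struct balloon *b, bool guarded)
{
    if (b->page && (!guarded || b->batching))
        free_page_model(b->page);
    b->page = NULL;
}

/* Runs one pop and returns how many double frees it caused. */
int run_scenario(bool batching, bool guarded)
{
    struct page comm = {0}, last = {0};
    struct balloon b = { .batching = batching, .page = batching ? &comm : &last };

    double_frees = 0;
    if (!batching)
        free_page_model(&last);  /* assumed: already released on its normal path */
    pop(&b, guarded);
    return double_frees;
}

int main(void)
{
    for (int i = 0; i < 4; i++)
        printf("batching=%d guarded=%d -> %d double free(s)\n",
               i >> 1, i & 1, run_scenario(i >> 1, i & 1));
    return 0;
}
```

Only the batching-off, unguarded case reports a double free; with batching on, the unconditional free is correct because balloon.page is then the communication page.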