From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, David Hildenbrand, Vratislav Bendel, Michal Hocko, Rafael Aquini, Mel Gorman, "Kirill A. Shutemov", Naoya Horiguchi, Jan Kara, Andrea Arcangeli, Dominik Brodowski, Matthew Wilcox, Konstantin Khlebnikov, Minchan Kim, Andrew Morton, Linus Torvalds
Subject: [PATCH 4.14 42/46] mm: migrate: dont rely on __PageMovable() of newpage after unlocking it
Date: Mon, 4 Feb 2019 11:37:13 +0100
Message-Id: <20190204103616.073433492@linuxfoundation.org>
In-Reply-To: <20190204103608.651205056@linuxfoundation.org>
References: <20190204103608.651205056@linuxfoundation.org>

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Hildenbrand

commit e0a352fabce61f730341d119fbedf71ffdb8663f upstream.

We had a race in the old balloon compaction code before b1123ea6d3b3 ("mm: balloon: use general non-lru movable page feature") refactored it that became visible after backporting 195a8c43e93d ("virtio-balloon: deflate via a page list") without the refactoring.

The bug existed from commit d6d86c0a7f8d ("mm/balloon_compaction: redesign ballooned pages management") till b1123ea6d3b3 ("mm: balloon: use general non-lru movable page feature"). d6d86c0a7f8d ("mm/balloon_compaction: redesign ballooned pages management") was backported to 3.12, so the broken kernels are stable kernels [3.12 - 4.7].

There was a subtle race between dropping the page lock of the newpage in __unmap_and_move() and checking for __is_movable_balloon_page(newpage).

Just after dropping this page lock, virtio-balloon could go ahead and deflate the newpage, effectively dequeueing it and clearing PageBalloon, in turn making __is_movable_balloon_page(newpage) fail.

This resulted in dropping the reference of the newpage via putback_lru_page(newpage) instead of put_page(newpage), leading to page->lru getting modified and a !LRU page ending up in the LRU lists. With 195a8c43e93d ("virtio-balloon: deflate via a page list") backported, one would suddenly get corrupted lists in release_pages_balloon():

- WARNING: CPU: 13 PID: 6586 at lib/list_debug.c:59 __list_del_entry+0xa1/0xd0
- list_del corruption. prev->next should be ffffe253961090a0, but was dead000000000100

Nowadays this race is no longer possible, but it is hidden behind very ugly handling of __ClearPageMovable() and __PageMovable().

__ClearPageMovable() will not make __PageMovable() fail, only PageMovable(). So the new check (__PageMovable(newpage)) will still hold even after newpage was dequeued by virtio-balloon.

If anybody would ever change that special handling, the BUG would be introduced again.
So instead, make it explicit and use the information of the original isolated page before migration. This patch can be backported fairly easy to stable kernels (in contrast to the refactoring). Link: http://lkml.kernel.org/r/20190129233217.10747-1-david@redhat.com Fixes: d6d86c0a7f8d ("mm/balloon_compaction: redesign ballooned pages management") Signed-off-by: David Hildenbrand Reported-by: Vratislav Bendel Acked-by: Michal Hocko Acked-by: Rafael Aquini Cc: Mel Gorman Cc: "Kirill A. Shutemov" Cc: Michal Hocko Cc: Naoya Horiguchi Cc: Jan Kara Cc: Andrea Arcangeli Cc: Dominik Brodowski Cc: Matthew Wilcox Cc: Vratislav Bendel Cc: Rafael Aquini Cc: Konstantin Khlebnikov Cc: Minchan Kim Cc: [3.12 - 4.7] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- mm/migrate.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) --- a/mm/migrate.c +++ b/mm/migrate.c @@ -1106,10 +1106,13 @@ out: * If migration is successful, decrease refcount of the newpage * which will not free the page because new page owner increased * refcounter. As well, if it is LRU page, add the page to LRU - * list in here. + * list in here. Use the old state of the isolated source page to + * determine if we migrated a LRU page. newpage was already unlocked + * and possibly modified by its owner - don't rely on the page + * state. */ if (rc == MIGRATEPAGE_SUCCESS) { - if (unlikely(__PageMovable(newpage))) + if (unlikely(!is_lru)) put_page(newpage); else putback_lru_page(newpage);
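
Review bot: in the rc == MIGRATEPAGE_SUCCESS branch, the new condition unlikely(!is_lru) uses a variable that is neither declared nor assigned anywhere in this hunk, so the fix is only as sound as the point where is_lru is sampled. Please confirm, ideally by widening the context, that is_lru is taken from the source page before migration and before newpage is unlocked, which is what the updated comment promises. For the [3.12 - 4.7] kernels named in the changelog, the equivalent value has to be captured the same way and not re-read from newpage after the unlock. The comment would also be easier to keep in sync with the code if it named is_lru as the variable that holds "the old state of the isolated source page"; as written, nothing ties the two together.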