Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp1644890ybe;
        Tue, 3 Sep 2019 01:09:33 -0700 (PDT)
X-Google-Smtp-Source: APXvYqysFjrzcCvq1t5efd4Syzc2Tw+yNQtT6XQqViEP9VRX0ZB3Tbzarb8X3b28/Rhjy05dbC5b
X-Received: by 2002:a17:902:142:: with SMTP id 60mr34278059plb.155.1567498173902;
        Tue, 03 Sep 2019 01:09:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1567498173; cv=none;
        d=google.com; s=arc-20160816;
        b=mCL/YRnLQV3yJU4mF4q+TTMMz9bDKbBfEkjawMEGVfTv6e8vcpC/zSi6TKzaMdgJVO
         C/wuu8ixa1eHmmwqCSHANGiYEBWNm8tDl4nENGUhVzmmh5HlqkohD20fh7CA4pShYbPz
         twNeTlnNQ9YHmAr86PCMOOFSIbMmcti9eZ264VZtjFLFH9la2sJ4tJxC1V4phjIDobBM
         kbHHQfRerYXLF1jkG0W2MonsXN7VvZcSY/09yNTP4mBeERKAA1IWTQm3GLUDWRY2Gc6X
         grjkGhhodb8qQq0hhzXfd9T3h8MCBlKDwwjB6K8dtHhwSd9dRLulaUjiswfbmr3lB5iX
         Joyg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:message-id:date:subject:cc
         :to:from;
        bh=+QkTYEk+EidAmisxjGaCu33KXjeJGX9LFnlxFYO/CaY=;
        b=A2d6M948HTxrPNJg1YeE/diVIRfq5jDgfzYzcC5woIUnxz8lTjntYlNgB2mv4THYuM
         UmBk/VOCF1Qlg6+cZtrCE6Zjle73lzzdyuTQzg4U/3wrjpYXHGY7OJDueruNP9ME3HXJ
         2daYV2y7X7CxWDUGix/6NBayOoIEsajlDKT/qp2dOWgHZoOIkoVmeI0wuaADgJ0GsA9+
         2RWkVsfpzO1bb9uYxxzkNVHA5PtA9eafUeROPmEoX/wLOF0WE1bHDJomecIyIGvLxady
         qJLojsRDcD4riwrFloQLyOhmzQNM7gbamoMsmwAzQOPbx/2ikBwfCjfH+CgR0d31W4B8
         cTfw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id y3si12409025pfe.179.2019.09.03.01.09.17;
        Tue, 03 Sep 2019 01:09:33 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727894AbfICIIY (ORCPT <rfc822;chauncqc@gmail.com> + 99 others);
        Tue, 3 Sep 2019 04:08:24 -0400
Received: from szxga07-in.huawei.com ([45.249.212.35]:54140 "EHLO huawei.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1725878AbfICIIY (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 3 Sep 2019 04:08:24 -0400
Received: from DGGEMS413-HUB.china.huawei.com (unknown [172.30.72.59])
        by Forcepoint Email with ESMTP id 1114868C325B8D4E5E53;
        Tue,  3 Sep 2019 16:08:23 +0800 (CST)
Received: from huawei.com (10.175.124.28) by DGGEMS413-HUB.china.huawei.com
 (10.3.19.213) with Microsoft SMTP Server id 14.3.439.0; Tue, 3 Sep 2019
 16:08:15 +0800
From:   sunqiuyang <sunqiuyang@huawei.com>
To:     <linux-kernel@vger.kernel.org>, <linux-mm@kvack.org>
CC:     <sunqiuyang@huawei.com>
Subject: [PATCH 1/1] mm/migrate: fix list corruption in migration of non-LRU movable pages
Date:   Tue, 3 Sep 2019 16:27:46 +0800
Message-ID: <20190903082746.20736-1-sunqiuyang@huawei.com>
X-Mailer: git-send-email 2.17.2
MIME-Version: 1.0
Content-Type: text/plain
X-Originating-IP: [10.175.124.28]
X-CFilter-Loop: Reflected
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Qiuyang Sun <sunqiuyang@huawei.com>

Currently, after a page is migrated, it
1) has its PG_isolated flag cleared in move_to_new_page(), and
2) is deleted from its LRU list (cc->migratepages) in unmap_and_move().
However, between steps 1) and 2), the page could be isolated by another
thread in isolate_movable_page(), and added to another LRU list, leading
to list_del corruption later.

This patch fixes the bug by moving list_del into the critical section
protected by lock_page(), so that a page will not be isolated again before
it has been deleted from its LRU list.

Signed-off-by: Qiuyang Sun <sunqiuyang@huawei.com>
---
 mm/migrate.c | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/mm/migrate.c b/mm/migrate.c
index a42858d..c58a606 100644
--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -1124,6 +1124,8 @@ static int __unmap_and_move(struct page *page, struct page *newpage,
 	/* Drop an anon_vma reference if we took one */
 	if (anon_vma)
 		put_anon_vma(anon_vma);
+	if (rc != -EAGAIN)
+		list_del(&page->lru);
 	unlock_page(page);
 out:
 	/*
@@ -1190,6 +1192,7 @@ static ICE_noinline int unmap_and_move(new_page_t get_new_page,
 			put_new_page(newpage, private);
 		else
 			put_page(newpage);
+		list_del(&page->lru);
 		goto out;
 	}
 
@@ -1200,14 +1203,6 @@ static ICE_noinline int unmap_and_move(new_page_t get_new_page,
 out:
 	if (rc != -EAGAIN) {
 		/*
-		 * A page that has been migrated has all references
-		 * removed and will be freed. A page that has not been
-		 * migrated will have kepts its references and be
-		 * restored.
-		 */
-		list_del(&page->lru);
-
-		/*
 		 * Compaction can migrate also non-LRU pages which are
 		 * not accounted to NR_ISOLATED_*. They can be recognized
 		 * as __PageMovable
-- 
1.8.3.1