From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Charan Teja Reddy, Andrew Morton, David Hildenbrand, David Rientjes, Michal Hocko, Vlastimil Babka, Vinayak Menon, Linus Torvalds
Subject: [PATCH 5.8 019/148] mm, page_alloc: fix core hung in free_pcppages_bulk()
Date: Mon, 24 Aug 2020 10:28:37 +0200
Message-Id: <20200824082414.888818988@linuxfoundation.org>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20200824082413.900489417@linuxfoundation.org>
References: <20200824082413.900489417@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Charan Teja Reddy

commit 88e8ac11d2ea3acc003cf01bb5a38c8aa76c3cfd upstream.

The following race is observed with the repeated online, offline and a
delay between two successive online of memory blocks of movable zone.

P1                                      P2

Online the first memory block in
the movable zone. The pcp struct
values are initialized to default
values, i.e., pcp->high = 0 &
pcp->batch = 1.

                                        Allocate the pages from the
                                        movable zone.

Try to Online the second memory
block in the movable zone thus it
entered the online_pages() but yet
to call zone_pcp_update().
                                        This process is entered into
                                        the exit path thus it tries
                                        to release the order-0 pages
                                        to pcp lists through
                                        free_unref_page_commit().
                                        As pcp->high = 0, pcp->count = 1
                                        proceed to call the function
                                        free_pcppages_bulk().
Update the pcp values thus the
new pcp values are like, say,
pcp->high = 378, pcp->batch = 63.
                                        Read the pcp's batch value using
                                        READ_ONCE() and pass the same to
                                        free_pcppages_bulk(), pcp values
                                        passed here are, batch = 63,
                                        count = 1.

                                        Since num of pages in the pcp
                                        lists are less than ->batch,
                                        then it will get stuck in
                                        while(list_empty(list)) loop
                                        with interrupts disabled thus
                                        a core hung.

Avoid this by ensuring free_pcppages_bulk() is called with proper count of
pcp list pages.

The mentioned race is somewhat easily reproducible without [1] because
pcp's are not updated for the first memory block online and thus there is
enough of a race window for P2 between alloc+free and pcp struct values
update through onlining of second memory block.

With [1], the race still exists but it is very narrow as we update the pcp
struct values for the first memory block online itself.

This is not limited to the movable zone, it could also happen in cases
with the normal zone (e.g., hotplug to a node that only has DMA memory, or
no other memory yet).

[1]: https://patchwork.kernel.org/patch/11696389/

Fixes: 5f8dcc21211a ("page-allocator: split per-cpu list into one-list-per-migrate-type")
Signed-off-by: Charan Teja Reddy
Signed-off-by: Andrew Morton
Acked-by: David Hildenbrand
Acked-by: David Rientjes
Acked-by: Michal Hocko
Cc: Michal Hocko
Cc: Vlastimil Babka
Cc: Vinayak Menon
Cc: [2.6+]
Link: http://lkml.kernel.org/r/1597150703-19003-1-git-send-email-charante@codeaurora.org
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
--- mm/page_alloc.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -1306,6 +1306,11 @@ static void free_pcppages_bulk(struct zo struct page *page, *tmp; LIST_HEAD(head); + /* + * Ensure proper count is passed which otherwise would stuck in the + * below while (list_empty(list)) loop. + */ + count = min(pcp->count, count); while (count) { struct list_head *list;
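
Review bot: the comment added above "count = min(pcp->count, count);" names only the symptom (the while (list_empty(list)) loop) and not the reason a caller can pass a count larger than pcp->count. One more sentence saying that the caller's batch value can be stale relative to pcp->count when the pcp values are updated concurrently, as the commit message describes for memory onlining, would show that the clamp is load-bearing and keep it from being removed later as redundant. In the same comment, "would stuck" should read "would get stuck".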
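
The hang described in the commit message, reduced to a userspace C model (an added example, not code from the patch or the kernel tree). pcp_model, bulk_free_model and SPIN_LIMIT are hypothetical names; the loop is simplified to the round-robin list search, and a spin limit stands in for the hang so the program terminates.

```c
#include <stdbool.h>
#include <stdio.h>

#define MIGRATE_PCPTYPES 3  /* kernel constant: one pcp list per migrate type */
#define SPIN_LIMIT 1000     /* model-only watchdog; the kernel loop has none */

struct pcp_model {               /* hypothetical stand-in for the pcp struct */
    int count;                   /* pages queued across all lists */
    int lists[MIGRATE_PCPTYPES]; /* pages queued on each list */
};

/*
 * Model of the list search in free_pcppages_bulk(). Returns the number of
 * pages freed, or -1 when the search for a non-empty list spins past
 * SPIN_LIMIT, which stands in for the hang with interrupts disabled.
 */
int bulk_free_model(struct pcp_model *pcp, int count, bool clamp)
{
    int freed = 0, mt = 0;

    if (clamp && count > pcp->count) /* the fix: count = min(pcp->count, count) */
        count = pcp->count;

    while (count) {
        int spins = 0;
        do {                         /* round-robin to the next non-empty list */
            if (++spins > SPIN_LIMIT)
                return -1;           /* all lists empty while count > 0 */
            mt = (mt + 1) % MIGRATE_PCPTYPES;
        } while (pcp->lists[mt] == 0);

        pcp->lists[mt]--;
        pcp->count--;
        count--;
        freed++;
    }
    return freed;
}

int main(void)
{
    /* Constructed state from the commit message: 1 page queued, batch = 63 */
    struct pcp_model stale = { .count = 1, .lists = { 0, 1, 0 } };
    struct pcp_model fixed = stale;
    printf("without clamp: %d\n", bulk_free_model(&stale, 63, false));
    printf("with clamp:    %d\n", bulk_free_model(&fixed, 63, true));
    return 0;
}
```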