From patchwork Mon Jun 19 09:19:23 2017
X-Patchwork-Submitter: Mark Rutland
X-Patchwork-Id: 105809
From: Mark Rutland
To: stable@vger.kernel.org
Cc: mark.rutland@arm.com
Subject: [PATCH v3.18.y] mm: numa: avoid waiting on freed migrated pages
Date: Mon, 19 Jun 2017 10:19:23 +0100
Message-Id: <1497863963-21414-1-git-send-email-mark.rutland@arm.com>
X-Mailer: git-send-email 1.9.1
Sender: stable-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: stable@vger.kernel.org

commit 3c226c637b69104f6b9f1c6ec5b08d7b741b3229 upstream.

In do_huge_pmd_numa_page(), we attempt to handle a migrating thp pmd by
waiting until the pmd is unlocked before we return and retry. However,
we can race with migrate_misplaced_transhuge_page():

    // do_huge_pmd_numa_page                // migrate_misplaced_transhuge_page()
    // Holds 0 refs on page                 // Holds 2 refs on page

    vmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd);
    /* ... */
    if (pmd_trans_migrating(*vmf->pmd)) {
            page = pmd_page(*vmf->pmd);
            spin_unlock(vmf->ptl);
                                            ptl = pmd_lock(mm, pmd);
                                            if (page_count(page) != 2) {
                                                    /* roll back */
                                            }
                                            /* ... */
                                            mlock_migrate_page(new_page, page);
                                            /* ... */
                                            spin_unlock(ptl);
                                            put_page(page);
                                            put_page(page); // page freed here
            wait_on_page_locked(page);
            goto out;
    }

This can result in the freed page having its waiters flag set
unexpectedly, which trips the PAGE_FLAGS_CHECK_AT_PREP checks in the page
alloc/free functions. This has been observed on arm64 KVM guests.

We can avoid this by having do_huge_pmd_numa_page() take a reference on
the page before dropping the pmd lock, mirroring what we do in
__migration_entry_wait().

When we hit the race, migrate_misplaced_transhuge_page() will see the
reference and abort the migration, as it may do today in other cases.

Fixes: b8916634b77bffb2 ("mm: Prevent parallel splits during THP migration")
Link: http://lkml.kernel.org/r/1497349722-6731-2-git-send-email-will.deacon@arm.com
Signed-off-by: Mark Rutland
Signed-off-by: Will Deacon
Acked-by: Steve Capper
Acked-by: Kirill A. Shutemov
Acked-by: Vlastimil Babka
Cc: Mel Gorman
Cc:
Signed-off-by: Andrew Morton --- mm/huge_memory.c | 7 +++++++ 1 file changed, 7 insertions(+) -- 1.9.1 diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 8c9cbd0..023a62b 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -1294,8 +1294,12 @@ int do_huge_pmd_numa_page(struct mm_struct *mm, struct vm_area_struct *vma, * check_same as the page may no longer be mapped. */ if (unlikely(pmd_trans_migrating(*pmdp))) { + page = pmd_page(*pmdp); + if (!get_page_unless_zero(page)) + goto out_unlock; spin_unlock(ptl); wait_migrate_huge_page(vma->anon_vma, pmdp); + put_page(page); goto out; } @@ -1331,8 +1335,11 @@ int do_huge_pmd_numa_page(struct mm_struct *mm, struct vm_area_struct *vma, /* Migration could have started since the pmd_trans_migrating check */ if (!page_locked) { + if (!get_page_unless_zero(page)) + goto out_unlock; spin_unlock(ptl); wait_on_page_locked(page); + put_page(page); page_nid = -1; goto out; }
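Review bot: In the first hunk (the pmd_trans_migrating() branch), the reference taken with get_page_unless_zero(page) is held across wait_migrate_huge_page(vma->anon_vma, pmdp), which is not passed the page, while the commit message describes the race in terms of wait_on_page_locked(page) and vmf-> fields that do not appear in this 3.18.y code. A short backport note under the "upstream" line, or a comment above the get_page_unless_zero() call, should say what the pin protects in this path and why a failed get (page already on its way to being freed) can safely take the out_unlock exit without waiting.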
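Review bot: In the second hunk (the !page_locked branch), the new failure exit "goto out_unlock" is taken before "page_nid = -1;", which the existing wait path sets before "goto out". The code at out_unlock is outside the visible context, so it cannot be checked from this patch whether it consumes page_nid; if it does, a fault that lost the race would be accounted differently depending on whether get_page_unless_zero() succeeded. Suggest moving "page_nid = -1;" above the get_page_unless_zero() check so both exits see the same value, or saying in the changelog why the difference is intended.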