← Back to team overview

kernel-packages team mailing list archive

[Bug 1598197] Re: deadlock on balloon deflation

 

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: linux-lts-trusty (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-lts-trusty in Ubuntu.
https://bugs.launchpad.net/bugs/1598197

Title:
  deadlock on balloon deflation

Status in linux-lts-trusty package in Ubuntu:
  Confirmed

Bug description:
  Latest Ubuntu trusty with kernel 3.13.0-91-generic run in a KVM
  virtual machine with virtio_balloon hangs when the previously inflated
  balloon is deflated.

  The problem is in the recently committed backport:

  commit 838478a8496ef9677256f53710144abe2ea49625
  Author:     Konstantin Khlebnikov <k.khlebnikov@xxxxxxxxxxx>
  AuthorDate: Mon May 16 14:43:10 2016 +0800
  Commit:     Kamal Mostafa <kamal@xxxxxxxxxxxxx>
  CommitDate: Fri Jun 10 07:15:37 2016 -0700

      mm/balloon_compaction: redesign ballooned pages management
      
      BugLink: http://bugs.launchpad.net/bugs/1572562
      
      Sasha Levin reported KASAN splash inside isolate_migratepages_range().
      Problem is in the function __is_movable_balloon_page() which tests
      AS_BALLOON_MAP in page->mapping->flags.  This function has no protection
      against anonymous pages.  As result it tried to check address space flags
      inside struct anon_vma.
      
      Further investigation shows more problems in current implementation:
      
      * Special branch in __unmap_and_move() never works:
        balloon_page_movable() checks page flags and page_count.  In
        __unmap_and_move() page is locked, reference counter is elevated, thus
        balloon_page_movable() always fails.  As a result execution goes to the
        normal migration path.  virtballoon_migratepage() returns
        MIGRATEPAGE_BALLOON_SUCCESS instead of MIGRATEPAGE_SUCCESS,
        move_to_new_page() thinks this is an error code and assigns
        newpage->mapping to NULL.  Newly migrated page lose connectivity with
        balloon an all ability for further migration.
      
      * lru_lock erroneously required in isolate_migratepages_range() for
        isolation ballooned page.  This function releases lru_lock periodically,
        this makes migration mostly impossible for some pages.
      
      * balloon_page_dequeue have a tight race with balloon_page_isolate:
        balloon_page_isolate could be executed in parallel with dequeue between
        picking page from list and locking page_lock.  Race is rare because they
        use trylock_page() for locking.
      
      This patch fixes all of them.
      
      Instead of fake mapping with special flag this patch uses special state of
      page->_mapcount: PAGE_BALLOON_MAPCOUNT_VALUE = -256.  Buddy allocator uses
      PAGE_BUDDY_MAPCOUNT_VALUE = -128 for similar purpose.  Storing mark
      directly in struct page makes everything safer and easier.
      
      PagePrivate is used to mark pages present in page list (i.e.  not
      isolated, like PageLRU for normal pages).  It replaces special rules for
      reference counter and makes balloon migration similar to migration of
      normal pages.  This flag is protected by page_lock together with link to
      the balloon device.
      
      Signed-off-by: Konstantin Khlebnikov <k.khlebnikov@xxxxxxxxxxx>
      Reported-by: Sasha Levin <sasha.levin@xxxxxxxxxx>
      Link: http://lkml.kernel.org/p/53E6CEAA.9020105@xxxxxxxxxx
      Cc: Rafael Aquini <aquini@xxxxxxxxxx>
      Cc: Andrey Ryabinin <ryabinin.a.a@xxxxxxxxx>
      Cc: <stable@xxxxxxxxxxxxxxx>	[3.8+]
      Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
      (backported from commit d6d86c0a7f8ddc5b38cf089222cb1d9540762dc2)
      Signed-off-by: Gavin Guo <gavin.guo@xxxxxxxxxxxxx>
      
      Conflicts:
      	mm/balloon_compaction.c
      	mm/migrate.c
      
      Acked-by: Stefan Bader <stefan.bader@xxxxxxxxxxxxx>
      Signed-off-by: Kamal Mostafa <kamal@xxxxxxxxxxxxx>

  
  It was applied after another backport:

  commit 47618e32c2a729554bf56b8ee7b541b63aadad97
  Author:     Minchan Kim <minchan@xxxxxxxxxx>
  AuthorDate: Mon Dec 28 08:35:13 2015 +0900
  Commit:     Luis Henriques <luis.henriques@xxxxxxxxxxxxx>
  CommitDate: Mon Feb 22 19:31:53 2016 +0000

      virtio_balloon: fix race between migration and ballooning
      
      BugLink: http://bugs.launchpad.net/bugs/1542497
      
      commit 21ea9fb69e7c4b1b1559c3e410943d3ff248ffcb upstream.
      
      In balloon_page_dequeue, pages_lock should cover the loop
      (ie, list_for_each_entry_safe). Otherwise, the cursor page could
      be isolated by compaction and then list_del by isolation could
      poison the page->lru.{prev,next} so the loop finally could
      access wrong address like this. This patch fixes the bug.
      
      general protection fault: 0000 [#1] SMP
      Dumping ftrace buffer:
         (ftrace buffer empty)
      Modules linked in:
      CPU: 2 PID: 82 Comm: vballoon Not tainted 4.4.0-rc5-mm1-access_bit+ #1906
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      task: ffff8800a7ff0000 ti: ffff8800a7fec000 task.ti: ffff8800a7fec000
      RIP: 0010:[<ffffffff8115e754>]  [<ffffffff8115e754>] balloon_page_dequeue+0x54/0x130
      RSP: 0018:ffff8800a7fefdc0  EFLAGS: 00010246
      RAX: ffff88013fff9a70 RBX: ffffea000056fe00 RCX: 0000000000002b7d
      RDX: ffff88013fff9a70 RSI: ffffea000056fe00 RDI: ffff88013fff9a68
      RBP: ffff8800a7fefde8 R08: ffffea000056fda0 R09: 0000000000000000
      R10: ffff8800a7fefd90 R11: 0000000000000001 R12: dead0000000000e0
      R13: ffffea000056fe20 R14: ffff880138809070 R15: ffff880138809060
      FS:  0000000000000000(0000) GS:ffff88013fc40000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      CR2: 00007f229c10e000 CR3: 00000000b8b53000 CR4: 00000000000006a0
      Stack:
       0000000000000100 ffff880138809088 ffff880138809000 ffff880138809060
       0000000000000046 ffff8800a7fefe28 ffffffff812c86d3 ffff880138809020
       ffff880138809000 fffffffffff91900 0000000000000100 ffff880138809060
      Call Trace:
       [<ffffffff812c86d3>] leak_balloon+0x93/0x1a0
       [<ffffffff812c8bc7>] balloon+0x217/0x2a0
       [<ffffffff8143739e>] ? __schedule+0x31e/0x8b0
       [<ffffffff81078160>] ? abort_exclusive_wait+0xb0/0xb0
       [<ffffffff812c89b0>] ? update_balloon_stats+0xf0/0xf0
       [<ffffffff8105b6e9>] kthread+0xc9/0xe0
       [<ffffffff8105b620>] ? kthread_park+0x60/0x60
       [<ffffffff8143b4af>] ret_from_fork+0x3f/0x70
       [<ffffffff8105b620>] ? kthread_park+0x60/0x60
      Code: 8d 60 e0 0f 84 af 00 00 00 48 8b 43 20 a8 01 75 3b 48 89 d8 f0 0f ba 28 00 72 10 48 8b 03 f6 c4 08 75 2f 48 89 df e8 8c 83 f9 ff <49> 8b 44 24 20 4d 8d 6c 24 20 48 83 e8 20 4d 39 f5 74 7a 4c 89
      RIP  [<ffffffff8115e754>] balloon_page_dequeue+0x54/0x130
       RSP <ffff8800a7fefdc0>
      ---[ end trace 43cf28060d708d5f ]---
      Kernel panic - not syncing: Fatal exception
      Dumping ftrace buffer:
         (ftrace buffer empty)
      Kernel Offset: disabled
      
      Signed-off-by: Minchan Kim <minchan@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Rafael Aquini <aquini@xxxxxxxxxx>
      Signed-off-by: Kamal Mostafa <kamal@xxxxxxxxxxxxx>


  This resulted in the following code:

   82 struct page *balloon_page_dequeue(struct balloon_dev_info *b_dev_info)
   83 {
   84         struct page *page, *tmp;
   85         unsigned long flags;
   86         bool dequeued_page;
   87
   88         dequeued_page = false;
   89         spin_lock_irqsave(&b_dev_info->pages_lock, flags);
   90         list_for_each_entry_safe(page, tmp, &b_dev_info->pages, lru) {
   91                 /*
   92                  * Block others from accessing the 'page' while we get around
   93                  * establishing additional references and preparing the 'page'
   94                  * to be released by the balloon driver.
   95                  */
   96                 if (trylock_page(page)) {
   97 #ifdef CONFIG_BALLOON_COMPACTION
   98                         if (!PagePrivate(page)) {
   99                                 /* raced with isolation */
  100                                 unlock_page(page);
  101                                 continue;
  102                         }
  103 #endif
  104                         spin_lock_irqsave(&b_dev_info->pages_lock, flags);
  105                         balloon_page_delete(page);
  106                         spin_unlock_irqrestore(&b_dev_info->pages_lock, flags);
  107                         unlock_page(page);
  108                         dequeued_page = true;
  109                         break;
  110                 }
  111         }
  112         spin_unlock_irqrestore(&b_dev_info->pages_lock, flags);

  Note the line 104 takes the spinlock already taken in line 89.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-lts-trusty/+bug/1598197/+subscriptions


References