From: Mark Rutland <mark.rutland@arm.com>
To: Vlastimil Babka <vbabka@suse.cz>
Cc: Will Deacon <will.deacon@arm.com>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
akpm@linux-foundation.org, kirill.shutemov@linux.intel.com,
Punit.Agrawal@arm.com, mgorman@suse.de, steve.capper@arm.com
Subject: Re: [PATCH 1/3] mm: numa: avoid waiting on freed migrated pages
Date: Thu, 8 Jun 2017 11:31:47 +0100 [thread overview]
Message-ID: <20170608103147.GB5765@leverpostej> (raw)
In-Reply-To: <c7000523-7b2b-06ed-6273-886978efaab5@suse.cz>
On Thu, Jun 08, 2017 at 11:04:05AM +0200, Vlastimil Babka wrote:
> On 06/06/2017 07:58 PM, Will Deacon wrote:
> > From: Mark Rutland <mark.rutland@arm.com>
> >
> > In do_huge_pmd_numa_page(), we attempt to handle a migrating thp pmd by
> > waiting until the pmd is unlocked before we return and retry. However,
> > we can race with migrate_misplaced_transhuge_page():
> >
> > // do_huge_pmd_numa_page // migrate_misplaced_transhuge_page()
> > // Holds 0 refs on page // Holds 2 refs on page
> >
> > vmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd);
> > /* ... */
> > if (pmd_trans_migrating(*vmf->pmd)) {
> > page = pmd_page(*vmf->pmd);
> > spin_unlock(vmf->ptl);
> > ptl = pmd_lock(mm, pmd);
> > if (page_count(page) != 2)) {
> > /* roll back */
> > }
> > /* ... */
> > mlock_migrate_page(new_page, page);
> > /* ... */
> > spin_unlock(ptl);
> > put_page(page);
> > put_page(page); // page freed here
> > wait_on_page_locked(page);
> > goto out;
> > }
> >
> > This can result in the freed page having its waiters flag set
> > unexpectedly, which trips the PAGE_FLAGS_CHECK_AT_PREP checks in the
> > page alloc/free functions. This has been observed on arm64 KVM guests.
> >
> > We can avoid this by having do_huge_pmd_numa_page() take a reference on
> > the page before dropping the pmd lock, mirroring what we do in
> > __migration_entry_wait().
> >
> > When we hit the race, migrate_misplaced_transhuge_page() will see the
> > reference and abort the migration, as it may do today in other cases.
> >
> > Acked-by: Steve Capper <steve.capper@arm.com>
> > Signed-off-by: Mark Rutland <mark.rutland@arm.com>
> > Signed-off-by: Will Deacon <will.deacon@arm.com>
>
> Nice catch! Stable candidate?
I think so, given I can hit this in practice.
> Fixes: the commit that added waiters flag?
I think we need:
Fixes: b8916634b77bffb2 ("mm: Prevent parallel splits during THP migration")
... which introduced the potential for the huge page to be freed (and
potentially reallocated) before we wait on it. The waiters flag issue is
a result of this, rather than the underlying issue.
> Assuming it was harmless before that?
I'm not entirely sure. I suspect that there are other issues that might
result, e.g. if the page were reallocated before we wait on it.
> Acked-by: Vlastimil Babka <vbabka@suse.cz>
Cheers!
Mark.
> > ---
> > mm/huge_memory.c | 8 +++++++-
> > 1 file changed, 7 insertions(+), 1 deletion(-)
> >
> > diff --git a/mm/huge_memory.c b/mm/huge_memory.c
> > index a84909cf20d3..88c6167f194d 100644
> > --- a/mm/huge_memory.c
> > +++ b/mm/huge_memory.c
> > @@ -1426,8 +1426,11 @@ int do_huge_pmd_numa_page(struct vm_fault *vmf, pmd_t pmd)
> > */
> > if (unlikely(pmd_trans_migrating(*vmf->pmd))) {
> > page = pmd_page(*vmf->pmd);
> > + if (!get_page_unless_zero(page))
> > + goto out_unlock;
> > spin_unlock(vmf->ptl);
> > wait_on_page_locked(page);
> > + put_page(page);
> > goto out;
> > }
> >
> > @@ -1459,9 +1462,12 @@ int do_huge_pmd_numa_page(struct vm_fault *vmf, pmd_t pmd)
> >
> > /* Migration could have started since the pmd_trans_migrating check */
> > if (!page_locked) {
> > + page_nid = -1;
> > + if (!get_page_unless_zero(page))
> > + goto out_unlock;
> > spin_unlock(vmf->ptl);
> > wait_on_page_locked(page);
> > - page_nid = -1;
> > + put_page(page);
> > goto out;
> > }
> >
> >
>
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2017-06-08 10:32 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-06 17:58 [PATCH 0/3] mm: huge pages: Misc fixes for issues found during fuzzing Will Deacon
2017-06-06 17:58 ` [PATCH 1/3] mm: numa: avoid waiting on freed migrated pages Will Deacon
2017-06-08 9:04 ` Vlastimil Babka
2017-06-08 10:31 ` Mark Rutland [this message]
2017-06-08 10:27 ` Kirill A. Shutemov
2017-06-06 17:58 ` [PATCH 2/3] mm/page_ref: Ensure page_ref_unfreeze is ordered against prior accesses Will Deacon
2017-06-08 9:38 ` Vlastimil Babka
2017-06-08 10:34 ` Will Deacon
2017-06-08 11:02 ` Vlastimil Babka
2017-06-08 10:40 ` Kirill A. Shutemov
2017-06-08 11:07 ` Vlastimil Babka
2017-06-08 11:24 ` Will Deacon
2017-06-08 12:16 ` Peter Zijlstra
2017-06-08 12:19 ` Peter Zijlstra
2017-06-08 12:50 ` Peter Zijlstra
2017-06-09 10:05 ` Will Deacon
2017-06-06 17:58 ` [PATCH 3/3] mm: migrate: Stabilise page count when migrating transparent hugepages Will Deacon
2017-06-08 10:47 ` Kirill A. Shutemov
2017-06-08 10:52 ` Vlastimil Babka
2017-06-08 12:07 ` Will Deacon
2017-06-09 8:25 ` zhong jiang
2017-06-09 9:16 ` zhong jiang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170608103147.GB5765@leverpostej \
--to=mark.rutland@arm.com \
--cc=Punit.Agrawal@arm.com \
--cc=akpm@linux-foundation.org \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mgorman@suse.de \
--cc=steve.capper@arm.com \
--cc=vbabka@suse.cz \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox