|
 |
e293be |
centosplus kernel patch [bug#15216]
|
|
|
e293be |
|
|
|
e293be |
commit 89da619bc18d79bca5304724c11d4ba3b67ce2c6
|
|
|
e293be |
Author: Jiang Biao <jiang.biao2@zte.com.cn>
|
|
|
e293be |
Date: Wed Jul 18 10:29:28 2018 +0800
|
|
|
e293be |
|
|
|
e293be |
virtio_balloon: fix another race between migration and ballooning
|
|
|
e293be |
|
|
|
e293be |
Kernel panic when with high memory pressure, calltrace looks like,
|
|
|
e293be |
|
|
|
e293be |
PID: 21439 TASK: ffff881be3afedd0 CPU: 16 COMMAND: "java"
|
|
|
e293be |
#0 [ffff881ec7ed7630] machine_kexec at ffffffff81059beb
|
|
|
e293be |
#1 [ffff881ec7ed7690] __crash_kexec at ffffffff81105942
|
|
|
e293be |
#2 [ffff881ec7ed7760] crash_kexec at ffffffff81105a30
|
|
|
e293be |
#3 [ffff881ec7ed7778] oops_end at ffffffff816902c8
|
|
|
e293be |
#4 [ffff881ec7ed77a0] no_context at ffffffff8167ff46
|
|
|
e293be |
#5 [ffff881ec7ed77f0] __bad_area_nosemaphore at ffffffff8167ffdc
|
|
|
e293be |
#6 [ffff881ec7ed7838] __node_set at ffffffff81680300
|
|
|
e293be |
#7 [ffff881ec7ed7860] __do_page_fault at ffffffff8169320f
|
|
|
e293be |
#8 [ffff881ec7ed78c0] do_page_fault at ffffffff816932b5
|
|
|
e293be |
#9 [ffff881ec7ed78f0] page_fault at ffffffff8168f4c8
|
|
|
e293be |
[exception RIP: _raw_spin_lock_irqsave+47]
|
|
|
e293be |
RIP: ffffffff8168edef RSP: ffff881ec7ed79a8 RFLAGS: 00010046
|
|
|
e293be |
RAX: 0000000000000246 RBX: ffffea0019740d00 RCX: ffff881ec7ed7fd8
|
|
|
e293be |
RDX: 0000000000020000 RSI: 0000000000000016 RDI: 0000000000000008
|
|
|
e293be |
RBP: ffff881ec7ed79a8 R8: 0000000000000246 R9: 000000000001a098
|
|
|
e293be |
R10: ffff88107ffda000 R11: 0000000000000000 R12: 0000000000000000
|
|
|
e293be |
R13: 0000000000000008 R14: ffff881ec7ed7a80 R15: ffff881be3afedd0
|
|
|
e293be |
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
|
|
|
e293be |
|
|
|
e293be |
It happens in the pagefault and results in double pagefault
|
|
|
e293be |
during compacting pages when memory allocation fails.
|
|
|
e293be |
|
|
|
e293be |
Analysed the vmcore, the page leads to second pagefault is corrupted
|
|
|
e293be |
with _mapcount=-256, but private=0.
|
|
|
e293be |
|
|
|
e293be |
It's caused by the race between migration and ballooning, and lock
|
|
|
e293be |
missing in virtballoon_migratepage() of virtio_balloon driver.
|
|
|
e293be |
This patch fix the bug.
|
|
|
e293be |
|
|
|
e293be |
Fixes: e22504296d4f64f ("virtio_balloon: introduce migration primitives to balloon pages")
|
|
|
e293be |
Cc: stable@vger.kernel.org
|
|
|
e293be |
Signed-off-by: Jiang Biao <jiang.biao2@zte.com.cn>
|
|
|
e293be |
Signed-off-by: Huang Chong <huang.chong@zte.com.cn>
|
|
|
e293be |
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
|
|
e293be |
|
|
|
e293be |
Applied-by: Akemi Yagi <toracat@centos.org>
|
|
|
e293be |
|
|
|
e293be |
diff --git a/drivers/virtio/virtio_balloon.c b/drivers/virtio/virtio_balloon.c
|
|
|
e293be |
index 6b237e3..3988c09 100644
|
|
|
e293be |
--- a/drivers/virtio/virtio_balloon.c
|
|
|
e293be |
+++ b/drivers/virtio/virtio_balloon.c
|
|
|
e293be |
@@ -513,7 +513,9 @@ static int virtballoon_migratepage(struct balloon_dev_info *vb_dev_info,
|
|
|
e293be |
tell_host(vb, vb->inflate_vq);
|
|
|
e293be |
|
|
|
e293be |
/* balloon's page migration 2nd step -- deflate "page" */
|
|
|
e293be |
+ spin_lock_irqsave(&vb_dev_info->pages_lock, flags);
|
|
|
e293be |
balloon_page_delete(page);
|
|
|
e293be |
+ spin_unlock_irqrestore(&vb_dev_info->pages_lock, flags);
|
|
|
e293be |
vb->num_pfns = VIRTIO_BALLOON_PAGES_PER_PAGE;
|
|
|
e293be |
set_page_pfns(vb, vb->pfns, page);
|
|
|
e293be |
tell_host(vb, vb->deflate_vq);
|