From patchwork Tue Jun 6 17:58:34 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Will Deacon X-Patchwork-Id: 103187 Delivered-To: patch@linaro.org Received: by 10.182.29.35 with SMTP id g3csp1387609obh; Tue, 6 Jun 2017 10:59:13 -0700 (PDT) X-Received: by 10.84.169.3 with SMTP id g3mr22811008plb.37.1496771953855; Tue, 06 Jun 2017 10:59:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1496771953; cv=none; d=google.com; s=arc-20160816; b=GngPYkDHPQOEsO44V33cb/kVO9bNguNP+L2mUMbWjuEZND/Cr1One4hMslx1PSXvlE iIEvu25RADvG68Dh4vWTfuKDYkXpelvv4emzhfGeQRpZ4kWbKt62IOpafzOvQlTJ4n/8 iYmjnYPjYoDE1S1dmv1oA9B/fm9I1H3FGmMEVYMw93Rz0/1icVth8lUvIwtd0a5Wl9Eg BpDtuSMfFLQWrjcm4YU4pSI/ZMfGlYqpkdbHr3Y2ZmvdV/UwjchOMj77ZyGg5TWVS0w0 AH0kB/b1tvOGzEwYrBra5qb70h535dTBvnlx4b5FPLtA5MFAK0YNbU/XjjLbp69t0NzD NGtA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=xfxARnJZ8QEPLX3cREtjkYR8HAATF+du7RmZ4Y7H4dc=; b=BWAUg9zMj94KWT0tblHqxVTGCdYu+CjcO8AXTPIJmAnXdcRvqrRRuxQ7X0rFMrEs/d pihm6eeObwhnUD1e+lO2svkXI3TiG2DWfLUG/PUq8jFZfV0gvclJqnPqrEFyaytvp2uH z5LoHKySVZDTe9NxYMJPYE2pzf5U+pfr/pdcvfZ+yTECjWG3yVMTLKCZbXM/JrYEzVno +rPyGQ0mBCOP8dbGpScgAteLWwxxY9cvVr9GtCEKOM91Z2ZWs7b3IT31xlYTAi4jhjCx 7u3hXe/diSvqxsPJEmSeEIp3W2H8ADguMqqUG8wUpuTH6jW0vhPzkqGdFxQ1z+UpXA5w Tu1g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k83si3138925pfh.135.2017.06.06.10.59.13; Tue, 06 Jun 2017 10:59:13 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751744AbdFFR7H (ORCPT + 25 others); Tue, 6 Jun 2017 13:59:07 -0400 Received: from foss.arm.com ([217.140.101.70]:50624 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751523AbdFFR6a (ORCPT ); Tue, 6 Jun 2017 13:58:30 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 6FF3215A2; Tue, 6 Jun 2017 10:58:29 -0700 (PDT) Received: from edgewater-inn.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.72.51.249]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 40EAC3F589; Tue, 6 Jun 2017 10:58:29 -0700 (PDT) Received: by edgewater-inn.cambridge.arm.com (Postfix, from userid 1000) id D7B081AE07AE; Tue, 6 Jun 2017 18:58:36 +0100 (BST) From: Will Deacon To: linux-mm@kvack.org, linux-kernel@vger.kernel.org Cc: mark.rutland@arm.com, akpm@linux-foundation.org, kirill.shutemov@linux.intel.com, Punit.Agrawal@arm.com, mgorman@suse.de, steve.capper@arm.com, Will Deacon Subject: [PATCH 1/3] mm: numa: avoid waiting on freed migrated pages Date: Tue, 6 Jun 2017 18:58:34 +0100 Message-Id: <1496771916-28203-2-git-send-email-will.deacon@arm.com> X-Mailer: git-send-email 2.1.4 In-Reply-To: <1496771916-28203-1-git-send-email-will.deacon@arm.com> References: <1496771916-28203-1-git-send-email-will.deacon@arm.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Mark Rutland In do_huge_pmd_numa_page(), we attempt to handle a migrating thp pmd by waiting until the pmd is unlocked before we return and retry. However, we can race with migrate_misplaced_transhuge_page(): // do_huge_pmd_numa_page // migrate_misplaced_transhuge_page() // Holds 0 refs on page // Holds 2 refs on page vmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd); /* ... */ if (pmd_trans_migrating(*vmf->pmd)) { page = pmd_page(*vmf->pmd); spin_unlock(vmf->ptl); ptl = pmd_lock(mm, pmd); if (page_count(page) != 2)) { /* roll back */ } /* ... */ mlock_migrate_page(new_page, page); /* ... */ spin_unlock(ptl); put_page(page); put_page(page); // page freed here wait_on_page_locked(page); goto out; } This can result in the freed page having its waiters flag set unexpectedly, which trips the PAGE_FLAGS_CHECK_AT_PREP checks in the page alloc/free functions. This has been observed on arm64 KVM guests. We can avoid this by having do_huge_pmd_numa_page() take a reference on the page before dropping the pmd lock, mirroring what we do in __migration_entry_wait(). When we hit the race, migrate_misplaced_transhuge_page() will see the reference and abort the migration, as it may do today in other cases. Acked-by: Steve Capper Signed-off-by: Mark Rutland Signed-off-by: Will Deacon --- mm/huge_memory.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) -- 2.1.4 Acked-by: Vlastimil Babka Acked-by: Kirill A. Shutemov diff --git a/mm/huge_memory.c b/mm/huge_memory.c index a84909cf20d3..88c6167f194d 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -1426,8 +1426,11 @@ int do_huge_pmd_numa_page(struct vm_fault *vmf, pmd_t pmd) */ if (unlikely(pmd_trans_migrating(*vmf->pmd))) { page = pmd_page(*vmf->pmd); + if (!get_page_unless_zero(page)) + goto out_unlock; spin_unlock(vmf->ptl); wait_on_page_locked(page); + put_page(page); goto out; } @@ -1459,9 +1462,12 @@ int do_huge_pmd_numa_page(struct vm_fault *vmf, pmd_t pmd) /* Migration could have started since the pmd_trans_migrating check */ if (!page_locked) { + page_nid = -1; + if (!get_page_unless_zero(page)) + goto out_unlock; spin_unlock(vmf->ptl); wait_on_page_locked(page); - page_nid = -1; + put_page(page); goto out; }