[Kernel-packages] [Bug 1598197] Re: deadlock on balloon deflation

2016-09-30 Thread Joseph Salisbury
** Tags removed: verification-needed-trusty
** Tags added: verification-done-trusty

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1598197

Title:
  deadlock on balloon deflation

Status in linux package in Ubuntu:
  Triaged
Status in linux source package in Trusty:
  Fix Released

Bug description:
  Latest Ubuntu trusty with kernel 3.13.0-91-generic run in a KVM
  virtual machine with virtio_balloon hangs when the previously inflated
  balloon is deflated.

  The problem is in the recently committed backport:

  commit 838478a8496ef9677256f53710144abe2ea49625
  Author: Konstantin Khlebnikov 
  AuthorDate: Mon May 16 14:43:10 2016 +0800
  Commit: Kamal Mostafa 
  CommitDate: Fri Jun 10 07:15:37 2016 -0700

  mm/balloon_compaction: redesign ballooned pages management
  
  BugLink: http://bugs.launchpad.net/bugs/1572562
  
  Sasha Levin reported KASAN splash inside isolate_migratepages_range().
  Problem is in the function __is_movable_balloon_page() which tests
  AS_BALLOON_MAP in page->mapping->flags.  This function has no protection
  against anonymous pages.  As a result it tried to check address space flags
  inside struct anon_vma.
  
  Further investigation shows more problems in current implementation:
  
  * Special branch in __unmap_and_move() never works:
    balloon_page_movable() checks page flags and page_count.  In
    __unmap_and_move() page is locked, reference counter is elevated, thus
    balloon_page_movable() always fails.  As a result execution goes to the
    normal migration path.  virtballoon_migratepage() returns
    MIGRATEPAGE_BALLOON_SUCCESS instead of MIGRATEPAGE_SUCCESS,
    move_to_new_page() thinks this is an error code and assigns
    newpage->mapping to NULL.  Newly migrated page loses connectivity with
    balloon and all ability for further migration.
  
  * lru_lock erroneously required in isolate_migratepages_range() for
    isolation ballooned page.  This function releases lru_lock periodically,
    this makes migration mostly impossible for some pages.
  
  * balloon_page_dequeue has a tight race with balloon_page_isolate:
    balloon_page_isolate could be executed in parallel with dequeue between
    picking page from list and locking page_lock.  Race is rare because they
    use trylock_page() for locking.
  
  This patch fixes all of them.
  
  Instead of fake mapping with special flag this patch uses special state of
  page->_mapcount: PAGE_BALLOON_MAPCOUNT_VALUE = -256.  Buddy allocator uses
  PAGE_BUDDY_MAPCOUNT_VALUE = -128 for similar purpose.  Storing mark
  directly in struct page makes everything safer and easier.
  
  PagePrivate is used to mark pages present in page list (i.e.  not
  isolated, like PageLRU for normal pages).  It replaces special rules for
  reference counter and makes balloon migration similar to migration of
  normal pages.  This flag is protected by page_lock together with link to
  the balloon device.
  
  Signed-off-by: Konstantin Khlebnikov 
  Reported-by: Sasha Levin 
  Link: http://lkml.kernel.org/p/53e6ceaa.9020...@oracle.com
  Cc: Rafael Aquini 
  Cc: Andrey Ryabinin 
  Cc:   [3.8+]
  Signed-off-by: Andrew Morton 
  Signed-off-by: Linus Torvalds 
  (backported from commit d6d86c0a7f8ddc5b38cf089222cb1d9540762dc2)
  Signed-off-by: Gavin Guo 
  
  Conflicts:
    mm/balloon_compaction.c
    mm/migrate.c
  
  Acked-by: Stefan Bader 
  Signed-off-by: Kamal Mostafa 

  
  It was applied after another backport:

  commit 47618e32c2a729554bf56b8ee7b541b63aadad97
  Author: Minchan Kim 
  AuthorDate: Mon Dec 28 08:35:13 2015 +0900
  Commit: Luis Henriques 
  CommitDate: Mon Feb 22 19:31:53 2016 +

  virtio_balloon: fix race between migration and ballooning
  
  BugLink: http://bugs.launchpad.net/bugs/1542497
  
  commit 21ea9fb69e7c4b1b1559c3e410943d3ff248ffcb upstream.
  
  In balloon_page_dequeue, pages_lock should cover the loop
  (ie, list_for_each_entry_safe). Otherwise, the cursor page could
  be isolated by compaction and then list_del by isolation could
  poison the page->lru.{prev,next} so the loop finally could
  access wrong address like this. This patch fixes the bug.
  
  general protection fault:  [#1] SMP
  Dumping ftrace buffer:
   (ftrace buffer empty)
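
A user-space model of the two checks the commit message above contrasts, added here as an example; it is not code from the kernel, the commit or this bug report. Only PAGE_BALLOON_MAPCOUNT_VALUE comes from the commit text; the struct layouts, the MODEL_* constants, the model_* helpers and the 0xff-filled anon_vma are assumptions constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Marker value quoted in the commit message. */
#define PAGE_BALLOON_MAPCOUNT_VALUE (-256)

/* Assumptions of this model, not kernel definitions. */
#define MODEL_MAPPING_ANON   ((uintptr_t)1) /* low pointer bit tags an anon_vma */
#define MODEL_AS_BALLOON_MAP (1UL << 3)     /* constructed bit position */

struct address_space { unsigned long flags; };
struct anon_vma      { unsigned long words[2]; }; /* unrelated contents */

struct page {
    uintptr_t mapping;  /* address_space *, or anon_vma * | MODEL_MAPPING_ANON */
    int       mapcount; /* stands in for page->_mapcount */
    bool      on_list;  /* stands in for PagePrivate: page is on the balloon list */
    bool      locked;   /* stands in for the page lock */
};

/* Old scheme: follow page->mapping and test a flag there. Nothing rejects a
 * tagged anon_vma pointer, so the read lands inside the anon_vma object. */
static bool old_is_balloon_page(const struct page *p)
{
    unsigned long flags;

    if (!p->mapping)
        return false;
    memcpy(&flags, (const unsigned char *)p->mapping +
           offsetof(struct address_space, flags), sizeof flags);
    return (flags & MODEL_AS_BALLOON_MAP) != 0;
}

/* New scheme: the mark lives in struct page itself, no pointer is followed. */
static bool page_balloon(const struct page *p)
{
    return p->mapcount == PAGE_BALLOON_MAPCOUNT_VALUE;
}

/* Inflation: mark the page and put it on the balloon list. */
static void model_enqueue(struct page *p)
{
    p->mapcount = PAGE_BALLOON_MAPCOUNT_VALUE;
    p->on_list = true;
}

/* Shared step: under the page lock, take the page only if it is a marked
 * balloon page that is still on the list. */
static bool model_take(struct page *p)
{
    bool ok;

    if (p->locked)      /* trylock failed: the other side holds the page */
        return false;
    p->locked = true;
    ok = page_balloon(p) && p->on_list;
    if (ok)
        p->on_list = false;
    p->locked = false;
    return ok;
}

/* Compaction side: isolate the page for migration. */
static bool model_isolate(struct page *p)
{
    return model_take(p);
}

/* Deflation side: a page that compaction isolated meanwhile is skipped. */
static bool model_dequeue(struct page *p)
{
    if (!model_take(p))
        return false;
    p->mapcount = -1;   /* mark cleared, page leaves the balloon */
    return true;
}

/* Constructed sample: an anonymous page whose anon_vma holds 0xff bytes. */
static struct anon_vma sample_av;
static struct page make_anon_page(void)
{
    struct page p = { 0, 0, false, false };

    memset(&sample_av, 0xff, sizeof sample_av);
    p.mapping = (uintptr_t)&sample_av | MODEL_MAPPING_ANON;
    return p;
}

int main(void)
{
    struct page anon = make_anon_page(), b = { 0, -1, false, false };
    bool isolated, dequeued;

    model_enqueue(&b);
    isolated = model_isolate(&b);   /* compaction takes the page first */
    dequeued = model_dequeue(&b);   /* deflation must then skip it */
    printf("anon page: old check=%d new check=%d\n",
           old_is_balloon_page(&anon), page_balloon(&anon));
    printf("isolate=%d dequeue after isolate=%d\n", isolated, dequeued);
    return 0;
}
```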

[Kernel-packages] [Bug 1598197] Re: deadlock on balloon deflation

2016-08-08 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 3.13.0-93.140

---
linux (3.13.0-93.140) trusty; urgency=low

  [ Seth Forshee ]

  * Release Tracking Bug
    - LP: #1604134

  * Boot failure with EFI stub (LP: #1603476)
    - x86/efi: Fix boot failure with EFI stub

  * CVE-2016-5243 (LP: #1589036)
    - tipc: fix an infoleak in tipc_nl_compat_link_dump

  * qeth: delete napi struct when removing a qeth device (LP: #1601831)
    - qeth: delete napi struct when removing a qeth device

  * deadlock on balloon deflation (LP: #1598197)
    - SAUCE: mm/balloon_compaction: Fix Regression of LP#1572562

  * serial: 8250_pci: Add support for 16 port Exar boards (LP: #1447485)
    - serial: 8250_pci: Add support for 16 port Exar boards
    - serial: 8250_pci: Add support for 12 port Exar boards
    - serial: 8250_pci: Correct uartclk for xr17v35x expansion chips

  * linux: Homogenize changelog format across releases (LP: #1599562)
    - Revert "UBUNTU: [debian] BugLink: close LP: bugs only for Launchpad urls"
    - [Debian] git-ubuntu-log -- switch to bug order
    - [Debian] git-ubuntu-log -- fix empty section formatting
    - [Debian] git-ubuntu-log -- output should be utf-8
    - [Debian] git-ubuntu-log -- handle invalid or private bugs
    - [Debian] git-ubuntu-log -- wrap long bug and commit titles
    - [Debian] git-ubuntu-log -- ensure we get the last commit
    - [Debian] git-ubuntu-log -- prevent bug references being split
    - [Debian] git-ubuntu-log -- git log output is UTF-8

  * exercising ptys causes a kernel oops (LP: #1586418)
    - devpts: fix null pointer dereference on failed memory allocation

  * Miscellaneous upstream changes
    - KEYS: potential uninitialized variable

 -- Seth Forshee   Mon, 18 Jul 2016 15:05:56 -0500

** Changed in: linux (Ubuntu Trusty)
   Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-5243

[Kernel-packages] [Bug 1598197] Re: deadlock on balloon deflation

2016-08-04 Thread Seth Forshee
This bug still needs verification that the kernel in -proposed fixes the
issue. Can someone please verify the fix?

[Kernel-packages] [Bug 1598197] Re: deadlock on balloon deflation

2016-08-02 Thread Seth Forshee
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-trusty' to 'verification-done-trusty'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-trusty

[Kernel-packages] [Bug 1598197] Re: deadlock on balloon deflation

2016-07-25 Thread Gavin Guo
@Denis V.Lunev

Really sorry for the inconvenience. The patch has already been sent to the 
mailing list.
http://comments.gmane.org/gmane.linux.ubuntu.devel.kernel.general/78486

The fix will be included in the Ubuntu-3.13.0-93.140.

[Kernel-packages] [Bug 1598197] Re: deadlock on balloon deflation

2016-07-19 Thread Denis V. Lunev
Guys, can we know exact version of the kernel with the fix? Thank you.

[Kernel-packages] [Bug 1598197] Re: deadlock on balloon deflation

2016-07-12 Thread Kamal Mostafa
** Changed in: linux (Ubuntu Trusty)
   Status: Triaged => Fix Committed

[Kernel-packages] [Bug 1598197] Re: deadlock on balloon deflation

2016-07-10 Thread Gavin Guo
** Changed in: linux (Ubuntu Trusty)
 Assignee: (unassigned) => Gavin Guo (mimi0213kimo)

** Changed in: linux (Ubuntu)
 Assignee: (unassigned) => Gavin Guo (mimi0213kimo)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1598197

Title:
  deadlock on balloon deflation

Status in linux package in Ubuntu:
  Triaged
Status in linux source package in Trusty:
  Triaged


[Kernel-packages] [Bug 1598197] Re: deadlock on balloon deflation

2016-07-07 Thread Joseph Salisbury
** Tags added: kernel-da-key

** Changed in: linux-lts-trusty (Ubuntu)
   Importance: Undecided => High

** Package changed: linux-lts-trusty (Ubuntu) => linux (Ubuntu)

** Also affects: linux (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Trusty)
   Status: New => Triaged

** Changed in: linux (Ubuntu)
   Status: Confirmed => Triaged

** Changed in: linux (Ubuntu Trusty)
   Importance: Undecided => High


Title:
  deadlock on balloon deflation

Status in linux package in Ubuntu:
  Triaged
Status in linux source package in Trusty:
  Triaged


[Kernel-packages] [Bug 1598197] Re: deadlock on balloon deflation

2016-07-01 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: linux-lts-trusty (Ubuntu)
   Status: New => Confirmed


Title:
  deadlock on balloon deflation

Status in linux-lts-trusty package in Ubuntu:
  Confirmed

Bug description:
  Latest Ubuntu trusty with kernel 3.13.0-91-generic run in a KVM
  virtual machine with virtio_balloon hangs when the previously inflated
  balloon is deflated.

  The problem is in the recently committed backport:

  commit 838478a8496ef9677256f53710144abe2ea49625
  Author: Konstantin Khlebnikov 
  AuthorDate: Mon May 16 14:43:10 2016 +0800
  Commit: Kamal Mostafa 
  CommitDate: Fri Jun 10 07:15:37 2016 -0700

  mm/balloon_compaction: redesign ballooned pages management
  
  BugLink: http://bugs.launchpad.net/bugs/1572562
  
  Sasha Levin reported KASAN splash inside isolate_migratepages_range().
  Problem is in the function __is_movable_balloon_page() which tests
  AS_BALLOON_MAP in page->mapping->flags.  This function has no protection
  against anonymous pages.  As a result it tried to check address space flags
  inside struct anon_vma.
  
  Further investigation shows more problems in current implementation:
  
  * Special branch in __unmap_and_move() never works:
    balloon_page_movable() checks page flags and page_count.  In
    __unmap_and_move() page is locked, reference counter is elevated, thus
    balloon_page_movable() always fails.  As a result execution goes to the
    normal migration path.  virtballoon_migratepage() returns
    MIGRATEPAGE_BALLOON_SUCCESS instead of MIGRATEPAGE_SUCCESS,
    move_to_new_page() thinks this is an error code and assigns
    newpage->mapping to NULL.  Newly migrated page loses connectivity with
    balloon and all ability for further migration.
  
  * lru_lock erroneously required in isolate_migratepages_range() for
    isolation ballooned page.  This function releases lru_lock periodically,
    this makes migration mostly impossible for some pages.
  
  * balloon_page_dequeue has a tight race with balloon_page_isolate:
    balloon_page_isolate could be executed in parallel with dequeue between
    picking page from list and locking page_lock.  Race is rare because they
    use trylock_page() for locking.
  
  This patch fixes all of them.
  
  Instead of fake mapping with special flag this patch uses special state of
  page->_mapcount: PAGE_BALLOON_MAPCOUNT_VALUE = -256.  Buddy allocator uses
  PAGE_BUDDY_MAPCOUNT_VALUE = -128 for similar purpose.  Storing mark
  directly in struct page makes everything safer and easier.
  
  PagePrivate is used to mark pages present in page list (i.e.  not
  isolated, like PageLRU for normal pages).  It replaces special rules for
  reference counter and makes balloon migration similar to migration of
  normal pages.  This flag is protected by page_lock together with link to
  the balloon device.
  
  Signed-off-by: Konstantin Khlebnikov 
  Reported-by: Sasha Levin 
  Link: http://lkml.kernel.org/p/53e6ceaa.9020...@oracle.com
  Cc: Rafael Aquini 
  Cc: Andrey Ryabinin 
  Cc:   [3.8+]
  Signed-off-by: Andrew Morton 
  Signed-off-by: Linus Torvalds 
  (backported from commit d6d86c0a7f8ddc5b38cf089222cb1d9540762dc2)
  Signed-off-by: Gavin Guo 
  
  Conflicts:
    mm/balloon_compaction.c
    mm/migrate.c
  
  Acked-by: Stefan Bader 
  Signed-off-by: Kamal Mostafa 

  
  It was applied after another backport:

  commit 47618e32c2a729554bf56b8ee7b541b63aadad97
  Author: Minchan Kim 
  AuthorDate: Mon Dec 28 08:35:13 2015 +0900
  Commit: Luis Henriques 
  CommitDate: Mon Feb 22 19:31:53 2016 +

  virtio_balloon: fix race between migration and ballooning
  
  BugLink: http://bugs.launchpad.net/bugs/1542497
  
  commit 21ea9fb69e7c4b1b1559c3e410943d3ff248ffcb upstream.
  
  In balloon_page_dequeue, pages_lock should cover the loop
  (ie, list_for_each_entry_safe). Otherwise, the cursor page could
  be isolated by compaction and then list_del by isolation could
  poison the page->lru.{prev,next} so the loop finally could
  access wrong address like this. This patch fixes the bug.
  
  general protection fault:  [#1] SMP
  Dumping ftrace buffer: