search for: pages_lock

On Mon, Dec 28, 2015 at 08:35:13AM +0900, Minchan Kim wrote: > In balloon_page_dequeue, pages_lock should cover the loop > (ie, list_for_each_entry_safe). Otherwise, the cursor page could > be isolated by compaction and then list_del by isolation could > poison the page->lru.{prev,next} so the loop finally could > access wrong address like this. This patch fixes the bug. > &gt...

On Mon, Dec 28, 2015 at 08:35:13AM +0900, Minchan Kim wrote: > In balloon_page_dequeue, pages_lock should cover the loop > (ie, list_for_each_entry_safe). Otherwise, the cursor page could > be isolated by compaction and then list_del by isolation could > poison the page->lru.{prev,next} so the loop finally could > access wrong address like this. This patch fixes the bug. > &gt...

On Fri, Jan 08, 2016 at 02:56:14PM -0500, Rafael Aquini wrote: > On Fri, Jan 01, 2016 at 11:36:13AM +0200, Michael S. Tsirkin wrote: > > On Mon, Dec 28, 2015 at 08:35:13AM +0900, Minchan Kim wrote: > > > In balloon_page_dequeue, pages_lock should cover the loop > > > (ie, list_for_each_entry_safe). Otherwise, the cursor page could > > > be isolated by compaction and then list_del by isolation could > > > poison the page->lru.{prev,next} so the loop finally could > > > access wrong address like t...

On Fri, Jan 08, 2016 at 02:56:14PM -0500, Rafael Aquini wrote: > On Fri, Jan 01, 2016 at 11:36:13AM +0200, Michael S. Tsirkin wrote: > > On Mon, Dec 28, 2015 at 08:35:13AM +0900, Minchan Kim wrote: > > > In balloon_page_dequeue, pages_lock should cover the loop > > > (ie, list_for_each_entry_safe). Otherwise, the cursor page could > > > be isolated by compaction and then list_del by isolation could > > > poison the page->lru.{prev,next} so the loop finally could > > > access wrong address like t...

On Fri, Jan 01, 2016 at 11:36:13AM +0200, Michael S. Tsirkin wrote: > On Mon, Dec 28, 2015 at 08:35:13AM +0900, Minchan Kim wrote: > > In balloon_page_dequeue, pages_lock should cover the loop > > (ie, list_for_each_entry_safe). Otherwise, the cursor page could > > be isolated by compaction and then list_del by isolation could > > poison the page->lru.{prev,next} so the loop finally could > > access wrong address like this. This patch fixe...

On Fri, Jan 01, 2016 at 11:36:13AM +0200, Michael S. Tsirkin wrote: > On Mon, Dec 28, 2015 at 08:35:13AM +0900, Minchan Kim wrote: > > In balloon_page_dequeue, pages_lock should cover the loop > > (ie, list_for_each_entry_safe). Otherwise, the cursor page could > > be isolated by compaction and then list_del by isolation could > > poison the page->lru.{prev,next} so the loop finally could > > access wrong address like this. This patch fixe...

During my compaction-related stuff, I encountered a bug with ballooning. With repeated inflating and deflating cycle, guest memory( ie, cat /proc/meminfo | grep MemTotal) is decreased and couldn't be recovered. The reason is balloon_lock doesn't cover release_pages_balloon so struct virtio_balloon fields could be overwritten by race of fill_balloon(e,g, vb->*pfns could be critical).

During my compaction-related stuff, I encountered a bug with ballooning. With repeated inflating and deflating cycle, guest memory( ie, cat /proc/meminfo | grep MemTotal) is decreased and couldn't be recovered. The reason is balloon_lock doesn't cover release_pages_balloon so struct virtio_balloon fields could be overwritten by race of fill_balloon(e,g, vb->*pfns could be critical).

Minchan Kim noticed that balloon_page_dequeue walks the pages list without holding the pages_lock. This can race e.g. with isolation, which has been reported to cause list corruption and crashes in leak_balloon. Page can also in theory get freed before it's locked, corrupting memory. To fix, make sure list accesses are done under lock, and always take a page reference before trying to lock...

Minchan Kim noticed that balloon_page_dequeue walks the pages list without holding the pages_lock. This can race e.g. with isolation, which has been reported to cause list corruption and crashes in leak_balloon. Page can also in theory get freed before it's locked, corrupting memory. To fix, make sure list accesses are done under lock, and always take a page reference before trying to lock...

...r of pages that were enqueued. > + */ > +size_t balloon_page_list_enqueue(struct balloon_dev_info *b_dev_info, > + struct list_head *pages) > +{ > + struct page *page, *tmp; > + unsigned long flags; > + size_t n_pages = 0; > + > + spin_lock_irqsave(&b_dev_info->pages_lock, flags); > + list_for_each_entry_safe(page, tmp, pages, lru) { > + balloon_page_enqueue_one(b_dev_info, page); > + n_pages++; > + } > + spin_unlock_irqrestore(&b_dev_info->pages_lock, flags); > + return n_pages; > +} > +EXPORT_SYMBOL_GPL(balloon_page_list_enqueue);...

...from the guest system. + * + * Return: number of pages that were enqueued. + */ +size_t balloon_page_list_enqueue(struct balloon_dev_info *b_dev_info, + struct list_head *pages) +{ + struct page *page, *tmp; + unsigned long flags; + size_t n_pages = 0; + + spin_lock_irqsave(&b_dev_info->pages_lock, flags); + list_for_each_entry_safe(page, tmp, pages, lru) { + balloon_page_enqueue_one(b_dev_info, page); + n_pages++; + } + spin_unlock_irqrestore(&b_dev_info->pages_lock, flags); + return n_pages; +} +EXPORT_SYMBOL_GPL(balloon_page_list_enqueue); + +/** + * balloon_page_list_dequeue() -...

...from the guest system. + * + * Return: number of pages that were enqueued. + */ +size_t balloon_page_list_enqueue(struct balloon_dev_info *b_dev_info, + struct list_head *pages) +{ + struct page *page, *tmp; + unsigned long flags; + size_t n_pages = 0; + + spin_lock_irqsave(&b_dev_info->pages_lock, flags); + list_for_each_entry_safe(page, tmp, pages, lru) { + balloon_page_enqueue_one(b_dev_info, page); + n_pages++; + } + spin_unlock_irqrestore(&b_dev_info->pages_lock, flags); + return n_pages; +} +EXPORT_SYMBOL_GPL(balloon_page_list_enqueue); + +/** + * balloon_page_list_dequeue() -...

...finitively > + * removing it from the guest system. > + */ > +void balloon_page_list_enqueue(struct balloon_dev_info *b_dev_info, > + struct list_head *pages) > +{ > + struct page *page, *tmp; > + unsigned long flags; > + > + spin_lock_irqsave(&b_dev_info->pages_lock, flags); > + list_for_each_entry_safe(page, tmp, pages, lru) > + balloon_page_enqueue_one(b_dev_info, page); > + spin_unlock_irqrestore(&b_dev_info->pages_lock, flags); As this is scanning pages one by one anyway, it will be useful to have this return the # of pages enqueued. &gt...

VMware balloon enhancements: adding support for memory compaction, memory shrinker (to prevent OOM) and splitting of refused pages to prevent recurring inflations. Patches 1-2: Support for compaction Patch 3: Support for memory shrinker - disabled by default Patch 4: Split refused pages to improve performance v2->v3: * Fixing wrong argument type (int->size_t) [Michael] * Fixing a comment

...pages that were enqueued. > + */ > +size_t balloon_page_list_enqueue(struct balloon_dev_info *b_dev_info, > + struct list_head *pages) > +{ > + struct page *page, *tmp; > + unsigned long flags; > + size_t n_pages = 0; > + > + spin_lock_irqsave(&b_dev_info->pages_lock, flags); > + list_for_each_entry_safe(page, tmp, pages, lru) { > + balloon_page_enqueue_one(b_dev_info, page); Do we want to do something about an error here? > + n_pages++; > + } > + spin_unlock_irqrestore(&b_dev_info->pages_lock, flags); > + return n_pages; > +} &g...

In balloon_page_dequeue, pages_lock should cover the loop (ie, list_for_each_entry_safe). Otherwise, the cursor page could be isolated by compaction and then list_del by isolation could poison the page->lru.{prev,next} so the loop finally could access wrong address like this. This patch fixes the bug. general protection fault: 00...

On Mon, Dec 28, 2015 at 08:35:13AM +0900, Minchan Kim wrote: > In balloon_page_dequeue, pages_lock should cover the loop > (ie, list_for_each_entry_safe). Otherwise, the cursor page could > be isolated by compaction and then list_del by isolation could > poison the page->lru.{prev,next} so the loop finally could > access wrong address like this. This patch fixes the bug. > &gt...

Memory fragmentation introduced by ballooning might reduce significantly the number of 2MB contiguous memory blocks that can be used within a guest, thus imposing performance penalties associated with the reduced number of transparent huge pages that could be used by the guest workload. This patch-set follows the main idea discussed at 2012 LSFMMS session: "Ballooning for transparent huge

Memory fragmentation introduced by ballooning might reduce significantly the number of 2MB contiguous memory blocks that can be used within a guest, thus imposing performance penalties associated with the reduced number of transparent huge pages that could be used by the guest workload. This patch-set follows the main idea discussed at 2012 LSFMMS session: "Ballooning for transparent huge