On Thu, May 26, 2016 at 04:04:55PM +0900, Minchan Kim wrote: > On Wed, May 25, 2016 at 01:30:11PM +0300, Vladimir Davydov wrote: > > On Tue, May 24, 2016 at 01:04:33PM -0700, Eric Dumazet wrote: > > > On Tue, 2016-05-24 at 19:13 +0300, Vladimir Davydov wrote: > > > > On Tue, May 24, 2016 at 05:59:02AM -0700, Eric Dumazet wrote: > > > > ... > > > > > > +static int anon_pipe_buf_steal(struct pipe_inode_info *pipe, > > > > > > + struct pipe_buffer *buf) > > > > > > +{ > > > > > > + struct page *page = buf->page; > > > > > > + > > > > > > + if (page_count(page) == 1) { > > > > > > > > > > This looks racy : some cpu could have temporarily elevated page count. > > > > > > > > All pipe operations (pipe_buf_operations->get, ->release, ->steal) are > > > > supposed to be called under pipe_lock. So, if we see a pipe_buffer->page > > > > with refcount of 1 in ->steal, that means that we are the only its user > > > > and it can't be spliced to another pipe. > > > > > > > > In fact, I just copied the code from generic_pipe_buf_steal, adding > > > > kmemcg related checks along the way, so it should be fine. > > > > > > So you guarantee that no other cpu might have done > > > get_page_unless_zero() right before this test ? > > > > Each pipe_buffer holds a reference to its page. If we find page's > > refcount to be 1 here, then it can be referenced only by our > > pipe_buffer. And the refcount cannot be increased by a parallel thread, > > because we hold pipe_lock, which rules out splice, and otherwise it's > > impossible to reach the page as it is not on lru. That said, I think I > > guarantee that this should be safe. > > I don't know kmemcg internal and pipe stuff so my comment might be > totally crap. > > No one cannot guarantee any CPU cannot held a reference of a page. > Look at get_page_unless_zero usecases. > > 1. balloon_page_isolate > > It can hold a reference in random page and then verify the page > is balloon page. Otherwise, just put. > > 2. page_idle_get_page > > It has PageLRU check but it's racy so it can hold a reference > of randome page and then verify within zone->lru_lock. If it's > not LRU page, just put. Well, I see your concern now - even if a page is not on lru and we locked all structs pointing to it, it can always get accessed by pfn in a completely unrelated thread, like in examples you gave above. That's a fair point. However, I still think that it's OK in case of pipe buffers. What can happen if somebody takes a transient reference to a pipe buffer page? At worst, we'll see page_count > 1 due to temporary ref and abort stealing, falling back on copying instead. That's OK, because stealing is not guaranteed. Can a function that takes a transient ref to page by pfn mistakenly assume that this is a page it's interested in? I don't think so, because this page has no marks on it except special _mapcount value, which should only be set on kmemcg pages. Thanks, Vladimir -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx"> email@xxxxxxxxx </a>