Hi,
I am getting up to speed with mainline THP code and was wondering
what's going on with reference counts within
__split_huge_page_refcount():
for (i = 1; i < HPAGE_PMD_NR; i++) {
struct page *page_tail = page + i;
/* tail_page->_count cannot change */
atomic_sub(atomic_read(&page_tail->_count), &page->_count);
BUG_ON(page_count(page) <= 0);
...
A look at get_page() gave a partial answer. First, the page refcount
is incremented, then, if this was a tail page, the head page is looked
up and its refcount is incremented too. __split_huge_page_refcount()
preserves the refcount of tail pages but substracts it from the head
page, as it'll be an independent page after the split. However this
comment lead to more head scratching:
/*
* This is safe only because
* __split_huge_page_refcount can't run under
* get_page().
*/
As I can see, follow_page() with a FOLL_GET flag is careful when it
encounters huge pages. It tests the _PAGE_SPLITTING bit in the pmd
(under protection of page_table_lock) to avoid racing with
__split_huge_page_refcount(). Then, it can safely call get_page() and
not worry about both refcounts updates being visible at once.
My question is this: After someone obtains a page reference using
get_user_pages(), what prevents them from getting additional
references with get_page() ? I always thought it was legal to
duplicate references that way, but now I don't see how it'd be safe
doing so on anon pages with THP enabled.
--
Michel "Walken" Lespinasse
A program is never fully debugged until the last user dies.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxxx For more info on Linux MM,
see: http://www.linux-mm.org/ .
Fight unfair telecom internet charges in Canada: sign http://stopthemeter.ca/
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>