On 2021/7/16 8:01, John Hubbard wrote:
> On 7/15/21 4:30 AM, Miaohe Lin wrote:
> ...
>>>>> So, it seems lockless GUP can redirty the MADV_FREE page. But is it ok to just release
>>>>> a redirtied MADV_FREE pages? Because we hold the last reference here and the page will
>>>>> be freed anyway...
>>>>
>>>> I don't see how lockless GUP can redirty the page. It can grab the
>>>> refcount, thus making the refcount here two. Then the call to freeze
>>>> here fails and the page stays on the list. But the lockless GUP checks
>>>> the page is still in the page table (and discovers it isn't, so releases
>>>> the reference count). Am I missing a path that lets lockless GUP dirty
>>>> the page?
>>>>
>>>
>>> If a device driver pins some pages using gup, and the device then uses dma
>>> to write to those pages, then you could get there. That story is part of the
>>> reasoning that led to creating pin_user_pages(), which btw does not yet
>>> fully solve that case.
>>
>> Many thanks for your explanation.
>> So the similar scenario that is clarified in the __remove_mapping() is possible:
>
> I probably should have added that the scenario I was describing is broken even
> before any patches that you might apply here. I was just trying to ensure that
> the complete list of scenarios was known.
>

Many thanks for doing this! :)

>
>
> thanks,