On Tue, Oct 25, 2022 at 06:54:10PM +1100, Alistair Popple wrote:
> > First we (locklessly) load the page table entry, then we grab a
> > reference to the folio that contains it (which can fail if the
> > refcount is zero, in that case we bail), then we recheck that the
> > page table entry is still the same, and if it changed in between,
> > we drop the folio reference and bail.
> > This can, again, grab a reference to a folio after it has
> > already been freed and reallocated. The reason why this is
> > fine is that the metadata structure that holds this refcount,
> > `struct folio` is never freed; even when a folio is
> > freed and reallocated, the corresponding `struct folio`
> > stays.
>
> I'm probably missing something obvious but how is that synchronised
> against memory hotplug? AFAICT if it isn't couldn't the pages be freed
> and memory removed? In that case the above would no longer hold because
> (I think) the metadata structure could have been freed.

Note, this scheme is older than memory hot-plug, so if anybody is to
blame it's the memory hotplug code.

Anyway, since all that is done with IRQs disabled, all the hotplug stuff
needs to do is rcu_synchronize() in order to ensure all active
IRQ-disabled regions are finished (between ensuring the memory is unused
and taking out the struct page).
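The load / try-get / recheck sequence quoted above, as an added userspace model in C (not kernel code and not from anyone in this thread). `race_mode`, `race_window()` and `run_scenario()` are assumed test aids that inject the concurrent free deterministically; the static `folios[]` array stands in for the never-freed `struct folio` metadata.

```c
#include <stdatomic.h>
#include <stddef.h>
/* Constructed userspace model of the walk above (not kernel code). Every
 * struct folio lives in a static array that is never freed, so the refcount
 * read in folio_try_get() stays a valid access after the folio is reused. */
struct folio { atomic_int refcount; };
static struct folio folios[4];
typedef atomic_int pte_t;           /* pte model: folio index, -1 = none */
/* Test hook in the race window: mode 1 frees folio 0, mode 2 reuses it too. */
static int race_mode;
static void race_window(pte_t *pte)
{
    if (race_mode == 0) return;
    atomic_store(pte, -1);
    atomic_store(&folios[0].refcount, race_mode == 2 ? 1 : 0);
}
/* Take a reference only while the folio is live (refcount > 0). */
static int folio_try_get(struct folio *f)
{
    int old = atomic_load(&f->refcount);
    while (old > 0)
        if (atomic_compare_exchange_weak(&f->refcount, &old, old + 1))
            return 1;
    return 0;                       /* refcount is zero: freed, bail */
}
static void folio_put(struct folio *f) { atomic_fetch_sub(&f->refcount, 1); }
/* Load pte, grab ref, recheck pte; NULL means the caller must bail. */
static struct folio *walk_lockless(pte_t *pte)
{
    int idx = atomic_load(pte);
    if (idx < 0) return NULL;
    race_window(pte);               /* where a concurrent free could land */
    struct folio *f = &folios[idx];
    if (!folio_try_get(f)) return NULL;     /* freed meanwhile */
    if (atomic_load(pte) != idx) {          /* reused and remapped: stale */
        folio_put(f); return NULL;
    }
    return f;
}
/* One walk of a pte mapping folio 0 (which holds one ref) under the given
 * race mode. Returns 10 * (folio returned) + folio 0's refcount after. */
static int run_scenario(int mode)
{
    pte_t pte = 0;
    atomic_store(&folios[0].refcount, 1);
    race_mode = mode;
    int got = walk_lockless(&pte) != NULL;
    return 10 * got + atomic_load(&folios[0].refcount);
}
```

Mode 1 bails at the refcount-zero check and mode 2 bails at the pte recheck, so the walk never keeps a reference to a folio that was freed or reused underneath it.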