On Tue, Mar 19, 2024 at 11:01 AM Matthew Wilcox <willy@xxxxxxxxxxxxx> wrote:
>
> On Tue, Mar 19, 2024 at 08:48:42AM +0800, Zhaoyang Huang wrote:
> > BTW, damon_pa_pageout is a potential risk over this race
>
> No it isn't.
>
>                 struct folio *folio = damon_get_folio(PHYS_PFN(addr));
>
>                 if (!folio)
>                         continue;
>
>                 if (damos_pa_filter_out(s, folio))
>                         goto put_folio;
>
>                 folio_clear_referenced(folio);
>                 folio_test_clear_young(folio);
>                 if (!folio_isolate_lru(folio))
>                         goto put_folio;
>                 if (folio_test_unevictable(folio))
>                         folio_putback_lru(folio);
>                 else
>                         list_add(&folio->lru, &folio_list);
> put_folio:
>                 folio_put(folio);
>
> It clearly has a folio reference when it calls folio_isolate_lru().

ok. Could the scenario below be suspicious on leaving an orphan folio in
step 7 and introducing the bug in step 8? In the scenario, Thread_filemap
behaves as a backdoor for Thread_madv by creating the pte after
Thread_truncate finishes cleaning all page tables.

0. Thread_bad gets the folio by folio_get_entry, stores it in its local
   fbatch_bad and goes to sleep

1. Thread_filemap gets the folio via
   filemap_map_pages->next_uptodate_folio->xas_next_entry and gets preempted
   refcnt == 1 (page_cache), PG_lru == true

2. Thread_truncate gets the folio via
   truncate_inode_pages_range->find_lock_entries
   refcnt == 2 (fbatch_trunc, page_cache), PG_lru == true

3. Thread_truncate proceeds to truncate_cleanup_folio
   refcnt == 2 (fbatch_trunc, page_cache), PG_lru == true

4. Thread_truncate proceeds to delete_from_page_cache_batch
   refcnt == 1 (fbatch_trunc), PG_lru == true

5. Thread_filemap schedules back and proceeds to set up a pte, giving
   folio->_mapcnt = 0 & folio->refcnt += 1
   refcnt == 2 (pte, fbatch_temp), PG_lru == true

6. Thread_madv clears the folio's PG_lru by
   madvise_xxx_pte_range->folio_isolate_lru->folio_test_clear_lru
   refcnt == 2 (pte, fbatch_temp), PG_lru == false

7. Thread_truncate calls folio_fbatch_release and fails to free the folio
   as refcnt does not reach 0
   refcnt == 1 (pte), PG_lru == false
   ******** folio becomes an orphan here which is not on the page cache
   but on the task's VM **********

8. Thread_xxx is scheduled back from step 0 to do release_pages(fbatch_bad)
   and has the folio introduce the bug.