[RFC] vmsplice() and ->steal()

[RFC] vmsplice() and ->steal()

[Al Viro]

	vmsplice() generates pipe_bufs with ->steal() set to
user_page_pipe_buf_steal().  What should happen when the source pages
had code from an mmapped area and why shouldn't their ->steal()
do what page_cache_pipe_buf_release() does in that case?

	As it is, e.g. fuse_dev_splice_write() getting fed that stuff could,
AFAICS, clear MappedToDisk on such a page, scream about weird pages
(upon noticing non-NULL ->mapping) and fall back to copying (thankfully).
We don't have that many ->steal() users (as the matter of fact, I've
discovered that while trying to debug the breakage in one I'd been
trying to add), but I really wonder about the intended semantics of
->steal().

	Comments?

Re: [RFC] vmsplice() and ->steal()

[Al Viro]

On Sat, Dec 10, 2016 at 02:38:49AM +0000, Al Viro wrote:
> 	vmsplice() generates pipe_bufs with ->steal() set to
> user_page_pipe_buf_steal().  What should happen when the source pages
> had code from an mmapped area and why shouldn't their ->steal()
> do what page_cache_pipe_buf_release() does in that case?
> 
> 	As it is, e.g. fuse_dev_splice_write() getting fed that stuff could,
> AFAICS, clear MappedToDisk on such a page, scream about weird pages
> (upon noticing non-NULL ->mapping) and fall back to copying (thankfully).
> We don't have that many ->steal() users (as the matter of fact, I've
> discovered that while trying to debug the breakage in one I'd been
> trying to add), but I really wonder about the intended semantics of
> ->steal().

	Hmm...  Nope, the source of breakage is different, and these
guys will simply fail ->steal() - pages present in page cache will
have refcount >= 2 due to the buf->page contributing to it.  My apologies...

	BTW, why doesn't page_cache_pipe_buf_steal() clear MappedToDisk
on its own in case of success?

Re: [RFC] vmsplice() and ->steal()

[Nicholas Piggin]

On Sat, 10 Dec 2016 03:03:54 +0000
Al Viro <viro@ZenIV.linux.org.uk> wrote:

> On Sat, Dec 10, 2016 at 02:38:49AM +0000, Al Viro wrote:
> > 	vmsplice() generates pipe_bufs with ->steal() set to
> > user_page_pipe_buf_steal().  What should happen when the source pages
> > had code from an mmapped area and why shouldn't their ->steal()
> > do what page_cache_pipe_buf_release() does in that case?
> > 
> > 	As it is, e.g. fuse_dev_splice_write() getting fed that stuff could,
> > AFAICS, clear MappedToDisk on such a page, scream about weird pages
> > (upon noticing non-NULL ->mapping) and fall back to copying (thankfully).
> > We don't have that many ->steal() users (as the matter of fact, I've
> > discovered that while trying to debug the breakage in one I'd been
> > trying to add), but I really wonder about the intended semantics of  
> > ->steal().  
> 
> 	Hmm...  Nope, the source of breakage is different, and these
> guys will simply fail ->steal() - pages present in page cache will
> have refcount >= 2 due to the buf->page contributing to it.  My apologies...
> 
> 	BTW, why doesn't page_cache_pipe_buf_steal() clear MappedToDisk
> on its own in case of success?

It probably should by the looks.

Off topic, but I would like to see MappedToDisk returned to an "owner
private" bit, and have filesystem ops do all the tests. Outside of the
buffer_head based mappings, it's never been used enough to justify
taking a pagecache-wide bit IMO.