Message-ID: <0feb4309-431f-4b74-83bf-e16198798c30@suse.cz>
Date: Mon, 5 May 2025 16:55:33 +0200
Subject: Re: [PATCH] mm/codetag: sub in advance when free non-compound high order pages
To: David Wang <00107082@163.com>
Cc: akpm@linux-foundation.org, surenb@google.com, mhocko@suse.com, jackmanb@google.com, hannes@cmpxchg.org, ziy@nvidia.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Shakeel Butt
References: <20250504061923.66914-1-00107082@163.com> <8edbd2be-d495-4bfc-a9f3-6eaae7a66d91@suse.cz> <1da43908.3afc.196a0db7dc3.Coremail.00107082@163.com>
From: Vlastimil Babka
In-Reply-To: <1da43908.3afc.196a0db7dc3.Coremail.00107082@163.com>

On 5/5/25 16:31, David Wang wrote:
>
>
> At 2025-05-05 21:12:55, "Vlastimil Babka" wrote:
>>On 5/4/25 08:19, David Wang wrote:
>>> When page is non-compound, page[0] could be released by other
>>> thread right after put_page_testzero failed in current thread,
>>> pgalloc_tag_sub_pages afterwards would manipulate an invalid
>>> page for accounting remaining pages:
>>>
>>> [timeline]   [thread1]                     [thread2]
>>>   |          alloc_page non-compound
>>>   V
>>>   |                                        get_page, rf counter inc
>>>   V
>>>   |          in ___free_pages
>>>   |          put_page_testzero fails
>>>   V
>>>   |                                        put_page, page released
>>>   V
>>>   |          in ___free_pages,
>>>   |          pgalloc_tag_sub_pages
>>>   |          manipulate an invalid page
>>>   V
>>>   V
>>>
>>> Move the tag page accounting ahead, and only account remaining pages
>>> for non-compound pages with non-zero order.
>>>
>>> Signed-off-by: David Wang <00107082@163.com>
>>
>>Hmm, I think the problem was introduced by 51ff4d7486f0 ("mm: avoid extra
>>mem_alloc_profiling_enabled() checks"). Previously we'd get the tag pointer
>>upfront and avoid the page use-after-free.
>
>
> Oh, you're right. I forgot to check history......
>
>
>>
>>It would likely be nicer to fix it by going back to that approach for
>>___free_pages(), while hopefully keeping the optimisations of 51ff4d7486f0
>>for the other call sites where it applies?
>
> After checking that commit, I kind of feel the changes in __free_pages are
> the major optimization of the commit....

We could have both pgalloc_tag_get() to use in __free_page() as before
51ff4d7486f0, and keep __pgalloc_tag_get() to use in pgalloc_tag_split() and
pgalloc_tag_swap().

I think __free_page() didn't benefit from the stated purpose of "avoiding
mem_alloc_profiling_enabled() ... which is often called after that check was
already done"

> What about revert that commit and make optimization by condition checks,
> similar to what this patch did?

The downside of the condition checks is they make the code more complex and
might actually increase overhead when mem_alloc_profiling_enabled() is
false, as those checks add non-static branches outside of the static branch
that's mem_alloc_profiling_enabled().

I think __free_pages() before 51ff4d7486f0 was quite ok.
- pgalloc_tag_get() is done unconditionally, but its code is all inside the
  mem_alloc_profiling_enabled() static branch so that's a no-op when profiling
  is not enabled
- pgalloc_tag_sub_pages() is also all behind the static branch inside. Also
  it's a very rare path anyway, most freeing should go through the
  put_page_testzero() being true.

> David
>
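
The race in the quoted timeline and the "get the tag pointer upfront" approach discussed above, as an added example that is not part of this thread or of the kernel source: a single-threaded user-space C model that replays the second thread's put_page at the race window. All types and function names (struct tag, free_pages_late, free_pages_upfront, other_thread_put, replay) are stand-ins assumed for illustration, and a poison object stands in for the released page's contents.

```c
#include <stdio.h>
/* User-space model of the race; every name here is a stand-in, not kernel code. */
struct tag  { long pages; };                  /* per-call-site page counter */
struct page { int refcount; struct tag *tag; };
typedef struct tag *(*free_fn)(struct page *, unsigned, void (*)(struct page *));
static struct tag poison;                     /* what a released page's tag slot holds */
static int put_testzero(struct page *p) { return --p->refcount == 0; }

/* Thread 2's final put_page(): releases page[0] and uncharges that one page. */
static void other_thread_put(struct page *p)
{
    if (put_testzero(p)) { p->tag->pages -= 1; p->tag = &poison; }
}

/* Looks the tag up after the reference is dropped (the reported pattern). */
static struct tag *free_pages_late(struct page *p, unsigned order, void (*window)(struct page *))
{
    if (put_testzero(p)) { p->tag->pages -= 1L << order; return p->tag; }
    window(p);                                /* thread 2 runs in this window */
    struct tag *t = p->tag;                   /* page may already be released */
    t->pages -= (1L << order) - 1;            /* uncharge the remaining pages */
    return t;
}

/* Captures the tag while a reference is still held (the approach suggested). */
static struct tag *free_pages_upfront(struct page *p, unsigned order, void (*window)(struct page *))
{
    struct tag *t = p->tag;
    if (put_testzero(p)) { t->pages -= 1L << order; return t; }
    window(p);
    t->pages -= (1L << order) - 1;            /* page is not dereferenced again */
    return t;
}

/* Replays the timeline for an order-2 non-compound allocation (constructed input). */
static long replay(free_fn fn, int *used_released_page)
{
    struct tag site = { 4 };                  /* 4 pages charged to one call site */
    struct page pg = { 2, &site };            /* refcount 2: allocation + get_page */
    *used_released_page = fn(&pg, 2, other_thread_put) == &poison;
    return site.pages;                        /* pages still charged afterwards */
}

int main(void)
{
    int late_bad, up_bad;
    long late = replay(free_pages_late, &late_bad), up = replay(free_pages_upfront, &up_bad);
    printf("late: left=%ld stale=%d; upfront: left=%ld stale=%d\n", late, late_bad, up, up_bad);
    return 0;
}
```

In the late-lookup replay the three remaining pages are uncharged from the poison object, so the call site's counter never returns to zero; with the upfront capture the counter reaches zero and the released page is never read.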