From: "Zi Yan" <ziy@nvidia.com>
To: <ilya.gladyshev@linux.dev>, "Andrew Morton" <akpm@linux-foundation.org>
Cc: <ivgorbunov@me.com>, <Liam.Howlett@oracle.com>,
<apopple@nvidia.com>, <artem.kuzin@huawei.com>,
<baolin.wang@linux.alibaba.com>, <david@kernel.org>,
<foxido@foxido.dev>, <harry.yoo@oracle.com>,
<linux-kernel@vger.kernel.org>, <linux-mm@kvack.org>,
<lorenzo.stoakes@oracle.com>, <mhocko@suse.com>,
<muchun.song@linux.dev>, <rppt@kernel.org>, <surenb@google.com>,
<torvalds@linuxfoundation.org>, <vbabka@suse.cz>,
<willy@infradead.org>, <yuzhao@google.com>, <pfalcato@suse.de>,
<kirill@shutemov.name>
Subject: Re: [PATCH v4 0/2] mm: improve folio refcount scalability
Date: Sat, 20 Jun 2026 21:40:32 -0400 [thread overview]
Message-ID: <DJECF2107V6T.23HGJJJ8ECKJ9@nvidia.com> (raw)
In-Reply-To: <fe53d9a75f776a5e002a3375d086c5714f558547@linux.dev>
On Sat Jun 20, 2026 at 2:19 PM EDT, wrote:
>>
>> >
>> > This patch optimizes small file read performance and overall folio refcount
>> > scalability by refactoring page_ref_add_unless [core of folio_try_get].
>> > This is alternative approach to previous attempts to fix small read
>> > performance by avoiding refcount bumps [1][2].
>> >
>> Thanks. Nice numbers.
>>
>> AI review had some things to say:
>> https://sashiko.dev/#/patchset/df26082871b4c65b2bd38d409026237c08572836@linux.dev
>
> Among some minor issues, it also pointed out a funny ABA race:
>
> ```
> T1/T2 work with pages of type X.
> T3 works with pages of type Y.
>
> T1: page_dec_and_test()
> T1: -> sub refcount [1 -> 0]
> T1: -> *interrupted* (very bad hypervisor, for example)
>
> T2: optimistic get() [0 -> 1]
How is this possible? folio_get() and folio_try_get() should prevent
getting a refcount-0 folio; get_page() uses folio_get(); try_get_page()
also checks refcount before ref_inc.
For your patch, is it because of the separation of refcount-0 and
frozen? The page goes refcount-0 before it is frozen? Will it work if
the page is frozen first then gets its refcount to 0? Basically, the
frozen state prevents anyone else messing up with your refcount.
> T2: put page back [1 -> 0]
> T2: calls dtor for type X, returns into the allocator
>
> T3: receives page of type Y, sets refcount to 1
> T3: page_dec_and_test()
> T3: -> sub refcount [1 -> 0]
>
> *T1 resumes execution*
>
> T1: -> CAS [0->LOCKED]
> T1: BUG: calls dtor of type X on page of type Y
> ```
>
> While this race seems unrealistic to me because of the full allocator
> cycle between the two atomic operations, I wasn't able to prove it at
> the first attempt. Maybe there is some synchronization in allocator
> that forbids at least X != Y, or something.
>
> I'll try to research fixes/proofs a little bit more, but I am afraid
> that unless someone wise with mm/ knowledge comes up with some fact that
> I missed, this patch indeed has a major (but unrealistic) flaw.
>
> --
> Sorry for the delay, grass was more touchable than ever
> Ilya Gladyshev
--
Best Regards,
Yan, Zi
next prev parent reply other threads:[~2026-06-21 2:14 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-08 21:53 [PATCH v4 0/2] mm: improve folio refcount scalability Gladyshev Ilya
2026-06-08 21:54 ` [PATCH v4 1/2] mm: drop page refcount zero state semantics ilya.gladyshev
2026-06-08 21:54 ` [PATCH v4 2/2] mm: implement page refcount locking via dedicated bit Gladyshev Ilya
2026-06-08 22:47 ` [PATCH v4 0/2] mm: improve folio refcount scalability Andrew Morton
2026-06-09 10:28 ` David Hildenbrand (Arm)
2026-06-09 19:02 ` Gladyshev Ilya
2026-06-09 21:02 ` Pedro Falcato
2026-06-20 18:19 ` ilya.gladyshev
2026-06-21 1:40 ` Zi Yan [this message]
2026-06-21 4:46 ` Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DJECF2107V6T.23HGJJJ8ECKJ9@nvidia.com \
--to=ziy@nvidia.com \
--cc=Liam.Howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=apopple@nvidia.com \
--cc=artem.kuzin@huawei.com \
--cc=baolin.wang@linux.alibaba.com \
--cc=david@kernel.org \
--cc=foxido@foxido.dev \
--cc=harry.yoo@oracle.com \
--cc=ilya.gladyshev@linux.dev \
--cc=ivgorbunov@me.com \
--cc=kirill@shutemov.name \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=mhocko@suse.com \
--cc=muchun.song@linux.dev \
--cc=pfalcato@suse.de \
--cc=rppt@kernel.org \
--cc=surenb@google.com \
--cc=torvalds@linuxfoundation.org \
--cc=vbabka@suse.cz \
--cc=willy@infradead.org \
--cc=yuzhao@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox