From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.6 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id B7CA4C48BE5 for ; Tue, 15 Jun 2021 12:40:52 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 5DAD661463 for ; Tue, 15 Jun 2021 12:40:51 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 5DAD661463 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=infradead.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id C193F6B0036; Tue, 15 Jun 2021 08:40:50 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id BC91C6B006E; Tue, 15 Jun 2021 08:40:50 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id A6A036B0070; Tue, 15 Jun 2021 08:40:50 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0038.hostedemail.com [216.40.44.38]) by kanga.kvack.org (Postfix) with ESMTP id 6F4E56B0036 for ; Tue, 15 Jun 2021 08:40:50 -0400 (EDT) Received: from smtpin25.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay04.hostedemail.com (Postfix) with ESMTP id 08CA7B7A4 for ; Tue, 15 Jun 2021 12:40:50 +0000 (UTC) X-FDA: 78255917460.25.0EAA349 Received: from casper.infradead.org (casper.infradead.org [90.155.50.34]) by imf02.hostedemail.com (Postfix) with ESMTP id 7969140002E4 for ; Tue, 15 Jun 2021 12:40:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=xxwRxDnh0VFVSsnf3fNZemBZlcC0v4L/I7gFw2Rsxr0=; b=qQpMlxK0xqbmG70o+ix3Upt+LC EHUJjQSjaPIiCOLPWNUqdZS+rtwxovhVzx7paeOOsEQdTI5dGoP9e2ygWsBC05Pf9QQhYRoj3uIE+ nUkpQYqLikGOMhnf6NvhhJYXl0DzCVcC6492Vg6L5bCVmrweD9zKRzUxQpuctsDSf4Qj3/9VTU42/ mAFpDRxIm3Yzxrugdu0fqowsCbhU8HsTmAgi66hQAcQi11B1p9/WRUiJwH0FtN1TpLRPpSfUCinuA qEIb5nYGxBqxI1SGzzW2kzHRDFTTp0bhnBzx7B3FudymDsHOHaq/yPMA+WxV7E7asgLYh87WJCPKS R8dgPQ4w==; Received: from willy by casper.infradead.org with local (Exim 4.94.2 #2 (Red Hat Linux)) id 1lt8Mm-006lyA-PL; Tue, 15 Jun 2021 12:40:32 +0000 Date: Tue, 15 Jun 2021 13:40:28 +0100 From: Matthew Wilcox To: Jann Horn Cc: Linux-MM , kernel list , Youquan Song , Andrea Arcangeli , Jan Kara , Mike Kravetz , John Hubbard , "Kirill A. Shutemov" Subject: Re: page refcount race between prep_compound_gigantic_page() and __page_cache_add_speculative()? Message-ID: References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Rspamd-Server: rspam01 X-Rspamd-Queue-Id: 7969140002E4 Authentication-Results: imf02.hostedemail.com; dkim=pass header.d=infradead.org header.s=casper.20170209 header.b=qQpMlxK0; spf=none (imf02.hostedemail.com: domain of willy@infradead.org has no SPF policy when checking 90.155.50.34) smtp.mailfrom=willy@infradead.org; dmarc=none X-Stat-Signature: kork8t8hnc5zs793371y3xtzca3g8jjc X-HE-Tag: 1623760843-461770 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Tue, Jun 15, 2021 at 01:03:53PM +0200, Jann Horn wrote: > The messier path, as the original commit describes, is "gigantic" page > allocation. In that case, we'll go through the following path (if we > ignore CMA): > > alloc_fresh_huge_page(): > alloc_gigantic_page() > alloc_contig_pages() > __alloc_contig_pages() > alloc_contig_range() > isolate_freepages_range() > split_map_pages() > post_alloc_hook() [FOR EVERY PAGE] > set_page_refcounted() > set_page_count(page, 1) > prep_compound_gigantic_page() > set_page_count(p, 0) [FOR EVERY TAIL PAGE] > > so all the tail pages are initially allocated with refcount 1 by the > page allocator, and then we overwrite those refcounts with zeroes. > > > Luckily, the only non-__init codepath that can get here is > __nr_hugepages_store_common(), which is only invoked from privileged > writes to sysfs/sysctls. Argh. What if we passed __GFP_COMP into alloc_contig_pages()? The current callers of alloc_contig_range() do not pass __GFP_COMP, so it's no behaviour change for them, and __GFP_COMP implies this kind of behaviour. I think that would imply _not_ calling split_map_pages(), which implies not calling post_alloc_hook(), which means we probably need to do a lot of the parts of post_alloc_hook() in alloc_gigantic_page(). Yuck.