Re: summarize all information again at bottom//reply: reply: [PATCH] mm: fix a race scenario in folio_isolate_lru

linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed

From: Matthew Wilcox <willy@infradead.org>
To: Zhaoyang Huang <huangzhaoyang@gmail.com>
Cc: "黄朝阳 (Zhaoyang Huang)" <zhaoyang.huang@unisoc.com>,
	"Andrew Morton" <akpm@linux-foundation.org>,
	"linux-mm@kvack.org" <linux-mm@kvack.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"康纪滨 (Steve Kang)" <Steve.Kang@unisoc.com>
Subject: Re: summarize all information again at bottom//reply: reply: [PATCH] mm: fix a race scenario in folio_isolate_lru
Date: Wed, 27 Mar 2024 12:31:49 +0000	[thread overview]
Message-ID: <ZgQRtQ60mrvOUKXo@casper.infradead.org> (raw)
In-Reply-To: <CAGWkznGLySzLE17+rCe=UoA26vx=iM375o2zkruKM9ssG05QzA@mail.gmail.com>

On Wed, Mar 27, 2024 at 09:25:59AM +0800, Zhaoyang Huang wrote:
> > Ignoring any other thread, you're basically saying that there's a
> > refcount imbalance here.  Which means we'd hit an assert (that folio
> > refcount went below zero) in the normal case where another thread wasn't
> > simultaneously trying to do anything.
> Theoretically Yes but it is rare in practice as aops->readahead will
> launch all pages to IO under most scenarios.

Rare, but this path has been tested.

> read_pages
>     aops->readahead[1]
> ...
>     while (folio = readahead_folio)[2]
>         filemap_remove_folio
> 
> IMO, according to the comments of readahead_page, the refcnt
> represents page cache dropped in [1] makes sense for two reasons, '1.
> The folio is going to do IO and is locked until IO done;2. The refcnt
> will be added back when found again from the page cache and then serve
> for PTE or vfs' while it doesn't make sense in [2] as the refcnt of
> page cache will be dropped in filemap_remove_folio
> 
>  * Context: The page is locked and has an elevated refcount.  The caller
>  * should decreases the refcount once the page has been submitted for I/O
>  * and unlock the page once all I/O to that page has completed.
>  * Return: A pointer to the next page, or %NULL if we are done.

Follow the refcount through.

In page_cache_ra_unbounded():

                folio = filemap_alloc_folio(gfp_mask, 0);
(folio has refcount 1)
                ret = filemap_add_folio(mapping, folio, index + i, gfp_mask);
(folio has refcount 2)

Then we call read_pages()
First we call ->readahead() which for some reason stops early.
Then we call readahead_folio() which calls folio_put()
(folio has refcount 1)
Then we call folio_get()
(folio has refcount 2)
Then we call filemap_remove_folio()
(folio has refcount 1)
Then we call folio_unlock()
Then we call folio_put()
(folio has refcount 0 and is freed)

Yes, other things can happen in there to increment the refcount, so this
folio_put() might not be the last put, but we hold the folio locked the
entire time, so many things which might be attempted will block on the
folio lock.  In particular, nobody can remove it from the page cache,
so its refcount cannot reach 0 until the last folio_put() of the
sequence.

next prev parent reply	other threads:[~2024-03-27 12:31 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-03-18  9:32 summarize all information again at bottom//reply: reply: [PATCH] mm: fix a race scenario in folio_isolate_lru 黄朝阳 (Zhaoyang Huang)
2024-03-18 12:32 ` Matthew Wilcox
2024-03-19  0:48   ` Zhaoyang Huang
2024-03-19  3:01     ` Matthew Wilcox
2024-03-21  8:25       ` Zhaoyang Huang
2024-03-21 12:36         ` Matthew Wilcox
2024-03-22  1:52           ` Zhaoyang Huang
2024-03-22  3:20             ` Matthew Wilcox
2024-03-24 11:14               ` Zhaoyang Huang
2024-03-25  3:22                 ` Matthew Wilcox
2024-03-26  9:06                   ` Zhaoyang Huang
2024-03-26 12:21                     ` Matthew Wilcox
2024-03-27  1:25                       ` Zhaoyang Huang
2024-03-27 12:31                         ` Matthew Wilcox [this message]
2024-03-28  1:27                           ` Zhaoyang Huang
2024-03-28  3:18                             ` Matthew Wilcox
2024-03-28  4:03                               ` Zhaoyang Huang
2024-03-28 14:12                                 ` Matthew Wilcox
2024-03-29  5:49                                   ` Zhaoyang Huang
2024-03-29 12:19                                     ` Matthew Wilcox

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZgQRtQ60mrvOUKXo@casper.infradead.org \
    --to=willy@infradead.org \
    --cc=Steve.Kang@unisoc.com \
    --cc=akpm@linux-foundation.org \
    --cc=huangzhaoyang@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=zhaoyang.huang@unisoc.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).