Date: Mon, 18 Jan 2016 15:54:34 +0900
From: Sergey Senozhatsky
To: Minchan Kim
Cc: Junil Lee, ngupta@vflare.org, sergey.senozhatsky.work@gmail.com, akpm@linux-foundation.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, vbabka@suse.cz
Subject: Re: [PATCH v3] zsmalloc: fix migrate_zspage-zs_free race condition
Message-ID: <20160118065434.GB459@swordfish>
References: <1453095596-44055-1-git-send-email-junil0814.lee@lge.com> <20160118063611.GC7453@bbox>
In-Reply-To: <20160118063611.GC7453@bbox>
X-Mailing-List: linux-kernel@vger.kernel.org

On (01/18/16 15:36), Minchan Kim wrote:
[..]
> > --- a/mm/zsmalloc.c > > +++ b/mm/zsmalloc.c 
> > @@ -1635,8 +1635,8 @@ static int migrate_zspage(struct zs_pool *pool, struct size_class *class, > > free_obj = obj_malloc(d_page, class, handle); > > zs_object_copy(free_obj, used_obj, class); > > index++; > > + /* This also effectively unpins the handle */
>
> As reply of Vlastimil, I relied that I guess it doesn't work.
> We shouldn't omit unpin_tag and we should add WRITE_ONCE in
> record_obj.
>
> As well, it's worth to double check with locking guys.
> I will send updated version.

but would WRITE_ONCE() tell the compiler that there is a dependency?
__write_once_size() does not even issue a barrier for sizes <= 8 (our
case).

include/linux/compiler.h

static __always_inline void __write_once_size(volatile void *p, void *res, int size)
{
	switch (size) {
	case 1: *(volatile __u8 *)p = *(__u8 *)res; break;
	case 2: *(volatile __u16 *)p = *(__u16 *)res; break;
	case 4: *(volatile __u32 *)p = *(__u32 *)res; break;
	case 8: *(volatile __u64 *)p = *(__u64 *)res; break;
	default:
		barrier();
		__builtin_memcpy((void *)p, (const void *)res, size);
		barrier();
	}
}

#define WRITE_ONCE(x, val) \
({							\
	union { typeof(x) __val; char __c[1]; } __u =	\
		{ .__val = (__force typeof(x)) (val) }; \
	__write_once_size(&(x), __u.__c, sizeof(x));	\
	__u.__val;					\
})

so, even if clear_bit_unlock/test_and_set_bit_lock do smp_mb or
barrier(), there is no corresponding barrier from record_obj()->WRITE_ONCE().
so I don't think WRITE_ONCE() will help the compiler, or am I missing
something?

.... add a barrier() to record_obj()?

	-ss
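
Review bot: The comment added after index++ ("This also effectively unpins the handle") documents an unlock that the visible lines do not show and gives no ordering guarantee for it. Whatever store follows has to be ordered after zs_object_copy(free_obj, used_obj, class), otherwise a thread that sees the handle unpinned can still observe a partially copied object. A plain or volatile-only store does not provide that, which is the concern raised about WRITE_ONCE() for sizes <= 8 in this message. Suggest either keeping the explicit unpin_tag() call, or extending the comment to name the barrier or release operation that makes the combined record-and-unpin store safe.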
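
A user-space C11 analogue of the ordering question raised in this message, added here as an example (not code from the thread or from mm/zsmalloc.c): the store that records the new object also clears the pin bit, and it uses release ordering so the preceding copy is visible before the handle looks unpinned. The struct, the bit-0 pin layout, pin_tag(), record_obj_unpin() and migrate() are assumptions for illustration; only the names unpin_tag and record_obj echo the discussion.

```c
/* User-space C11 analogue; names and handle layout are assumptions. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define PIN_BIT ((uintptr_t)1)	/* assumed: bit 0 of the handle word is the pin bit */

struct handle { _Atomic uintptr_t word; };	/* hypothetical stand-in for a handle */

/* Take the bit lock. Acquire pairs with the release operations below. */
static bool pin_tag(struct handle *h)
{
	return !(atomic_fetch_or_explicit(&h->word, PIN_BIT, memory_order_acquire) & PIN_BIT);
}

/* Explicit unlock: clear the pin bit with release ordering. */
static void unpin_tag(struct handle *h)
{
	atomic_fetch_and_explicit(&h->word, ~PIN_BIT, memory_order_release);
}

/*
 * Record the new object and unpin in a single store. Release ordering keeps
 * the earlier copy from being reordered after this store. A relaxed store
 * (the closest C11 analogue of a bare volatile store) would not.
 */
static void record_obj_unpin(struct handle *h, uintptr_t obj)
{
	atomic_store_explicit(&h->word, obj & ~PIN_BIT, memory_order_release);
}

/* Migration side: pin, copy the payload, then publish the new location. */
static bool migrate(struct handle *h, const char *src, char *dst, size_t len, uintptr_t new_obj)
{
	if (!pin_tag(h))
		return false;	/* another path (e.g. free) holds the pin */
	memcpy(dst, src, len);
	record_obj_unpin(h, new_obj);
	return true;
}

int main(void)
{
	struct handle h = { 0x1000 };	/* constructed sample value */
	char dst[8] = { 0 };
	bool ok = migrate(&h, "payload", dst, sizeof(dst), 0x2000);
	if (ok && pin_tag(&h))	/* the pin is free again after migrate() */
		unpin_tag(&h);
	return (ok && atomic_load(&h.word) == 0x2000 && !strcmp(dst, "payload")) ? 0 : 1;
}
```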