From: "Martin J. Bligh" <Martin.Bligh@us.ibm.com>
To: Andrew Morton <akpm@zip.com.au>
Cc: Dave Hansen <haveblue@us.ibm.com>,
linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: truncate_list_pages() BUG and confusion
Date: Fri, 08 Mar 2002 16:04:04 -0800
Message-ID: <67550000.1015632244@flay>
In-Reply-To: <3C8932CC.761C8829@zip.com.au>
In-Reply-To: <3C880EFF.A0789715@zip.com.au>, <3C8809BA.4070003@us.ibm.com> <3C880EFF.A0789715@zip.com.au> <17920000.1015622098@flay> <3C8932CC.761C8829@zip.com.au>
>> void page_cache_release(struct page *page)
>> {
>> 	if (!PageReserved(page) && put_page_testzero(page)) {
>> 		if (PageLRU(page))
>> 			lru_cache_del(page);
>> 		__free_pages_ok(page, 0);
>> 	}
>> }
>>
>> We enter page_cache_release with the page supposedly locked, and its count
>> non-zero (we incremented it). put_page_testzero does atomic_dec_and_test
>> on count which says it returns true if the result is 0, or false for all other cases.
>>
>> So if nobody else was holding a reference to the page, we've decremented
>> its count to 0, and put_page_testzero returns 1. We then try to free the page.
>> It's still locked. BUG.
>
> If the page_cache_release() in truncate_complete_page() is calling
> __free_pages_ok() then something really horrid has happened.

That's exactly what's happening.

> Yes, it could be that the page has had its refcount incorrectly
> decremented somewhere.

I don't see you need that to make this bug happen.
Say count is 0 when we enter truncate_list_pages. We increment it.
It's now 1 when we call page_cache_release.
put_page_testzero dec's it back to 0, and returns true.
We do a __free_pages_ok. Page is still locked. BUG.
No other process, nothing funky happening, no races, no other
refcount decrements. Or that's the way I read it.

> Or the page wasn't in the pagecache at all.

The only thing I can think of was the pagecount shouldn't have been 0
to start with (or the code path we're reading is wrong ;-) )

M.
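
Added example, not part of the original message and not kernel code: a userspace C model of the sequence traced above (take a reference on a locked page, then call page_cache_release), run for several entry counts. The `model_page` struct, the `model_*` helpers and `truncate_step_hits_bug` are hypothetical names, and the locked-page check in the free path is modelled on the "It's still locked. BUG." step in the message.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only; names mirror the quoted code but are assumptions. */
struct model_page {
	int  count;     /* stands in for page->count (atomic in the kernel) */
	bool locked;    /* page lock held by the truncate path */
	bool reserved;  /* PageReserved() */
	bool lru;       /* PageLRU() */
	bool bug_hit;   /* set when a locked page reaches the free path */
};

/* atomic_dec_and_test semantics: true only when the result is 0 */
static bool put_page_testzero(struct model_page *p)
{
	return --p->count == 0;
}

/* Models the free path: freeing a page that is still locked is the BUG */
static void model_free_pages_ok(struct model_page *p)
{
	if (p->locked)
		p->bug_hit = true;
}

static void model_page_cache_release(struct model_page *p)
{
	if (!p->reserved && put_page_testzero(p)) {
		if (p->lru)
			p->lru = false;  /* stands in for lru_cache_del() */
		model_free_pages_ok(p);
	}
}

/* Returns true if the locked page reaches the free path for this entry count */
static bool truncate_step_hits_bug(int entry_count)
{
	struct model_page p = { .count = entry_count, .locked = true };
	p.count++;                     /* reference taken on entry */
	model_page_cache_release(&p);  /* dropped while still locked */
	return p.bug_hit;
}

int main(void)
{
	for (int c = 0; c <= 2; c++)
		printf("entry count %d -> %s\n", c,
		       truncate_step_hits_bug(c) ? "freed while locked (BUG)" : "page survives");
	return 0;
}
```

In this model only an entry count of 0 reaches the free path with the lock held; any other holder of a reference keeps the count above zero after the release.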