Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S964823AbdHYWvh (ORCPT <rfc822;w@1wt.eu>);
        Fri, 25 Aug 2017 18:51:37 -0400
Received: from mail-sn1nam01on0047.outbound.protection.outlook.com ([104.47.32.47]:31520
        "EHLO NAM01-SN1-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S964808AbdHYWvc (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 25 Aug 2017 18:51:32 -0400
From: Nadav Amit <namit@vmware.com>
To: Mike Kravetz <mike.kravetz@oracle.com>
CC: "ebiggers@google.com" <ebiggers@google.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Andrea Arcangeli <aarcange@redhat.com>,
        "Dmitry Vyukov" <dvyukov@google.com>, Hugh Dickins <hughd@google.com>,
        Minchan Kim <minchan@kernel.org>,
        "rientjes@google.com" <rientjes@google.com>,
        "stable@vger.kernel.org" <stable@vger.kernel.org>,
        "mm-commits@vger.kernel.org" <mm-commits@vger.kernel.org>,
        "open list:MEMORY MANAGEMENT" <linux-mm@kvack.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Michal Hocko <mhocko@kernel.org>,
        "nyc@holomorphy.com" <nyc@holomorphy.com>
Subject: Re: + mm-madvise-fix-freeing-of-locked-page-with-madv_free.patch
 added to -mm tree
Thread-Topic: + mm-madvise-fix-freeing-of-locked-page-with-madv_free.patch
 added to -mm tree
Thread-Index: AQHTHe3sx2Dzh3GK2U6IYLyYXvSwb6KVp+UAgAAFngA=
Date: Fri, 25 Aug 2017 22:51:28 +0000
Message-ID: <10E0D3D9-F7D4-4A0F-AD2F-9E40F3DE6CCC@vmware.com>
References: <599df681.NreP1dR3/HGSfpCe%akpm@linux-foundation.org>
 <20170824060957.GA29811@dhcp22.suse.cz>
 <81C11D6F-653D-4B14-A3A6-E6BB6FB5436D@vmware.com>
 <3452db57-d847-ec8e-c9be-7710f4ddd5d4@oracle.com>
In-Reply-To: <3452db57-d847-ec8e-c9be-7710f4ddd5d4@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=namit@vmware.com; 
x-originating-ip: [208.91.2.2]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1;BY2PR05MB967;20:5gHx8GLA1XOshsxBx7+ahp34/InpUiQFDaVemAt+SzpyfEJQ4NpEuQV0N32tSGdTpNhfL0pUjqmwRTCSUv0BtKVZCVsJb38Misj/+DSdrhkZEAlsL9GaoJV9kdnjN2wv9pQ6WSZ3YURSR+496HpOWSb9DenW2U+7GMxthqQPc7Y=
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: b629fbeb-507e-4328-ba7b-08d4ec0bd2a8
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(300000502095)(300135100095)(22001)(2017030254152)(300000503095)(300135400095)(2017052603199)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095);SRVR:BY2PR05MB967;
x-ms-traffictypediagnostic: BY2PR05MB967:
x-exchange-antispam-report-test: UriScan:(211936372134217)(153496737603132)(146099531331640);
x-microsoft-antispam-prvs: <BY2PR05MB967E169AE6EBFD3C46DFC1AD09B0@BY2PR05MB967.namprd05.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(5005006)(8121501046)(3002001)(100000703101)(100105400095)(10201501046)(93006095)(93001095)(920507026)(6041248)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123560025)(20161123558100)(20161123555025)(20161123564025)(20161123562025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095);SRVR:BY2PR05MB967;BCL:0;PCL:0;RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095);SRVR:BY2PR05MB967;
x-forefront-prvs: 041032FF37
x-forefront-antispam-report: SFV:NSPM;SFS:(10009020)(6009001)(39860400002)(51914003)(189002)(377454003)(24454002)(43784003)(377424004)(199003)(34040400001)(81166006)(101416001)(3846002)(102836003)(33656002)(6116002)(106356001)(68736007)(6436002)(6506006)(8936002)(36756003)(230783001)(6486002)(77096006)(14454004)(86362001)(105586002)(110136004)(6246003)(53936002)(54906002)(99286003)(93886005)(6512007)(305945005)(5660300001)(2950100002)(8676002)(6916009)(229853002)(4326008)(66066001)(7736002)(25786009)(53546010)(2906002)(97736004)(81156014)(3280700002)(3660700001)(478600001)(50986999)(76176999)(82746002)(54356999)(7416002)(83716003)(2900100001)(189998001);DIR:OUT;SFP:1101;SCL:1;SRVR:BY2PR05MB967;H:BY2PR05MB2215.namprd05.prod.outlook.com;FPR:;SPF:None;PTR:InfoNoRecords;MX:1;A:1;LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <A3A524337E079043B9F619C836C35B0A@namprd05.prod.outlook.com>
MIME-Version: 1.0
X-OriginatorOrg: vmware.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Aug 2017 22:51:28.7432
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: b39138ca-3cee-4b4a-a4d6-cd83d9dd62f0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR05MB967
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by nfs id v7PMpfm0000332
Content-Length: 2013
Lines: 55

Mike Kravetz <mike.kravetz@oracle.com> wrote:

> On 08/25/2017 03:02 PM, Nadav Amit wrote:
>> Michal Hocko <mhocko@kernel.org> wrote:
>> 
>>> Hmm, I do not see this neither in linux-mm nor LKML. Strange
>>> 
>>> On Wed 23-08-17 14:41:21, Andrew Morton wrote:
>>>> From: Eric Biggers <ebiggers@google.com>
>>>> Subject: mm/madvise.c: fix freeing of locked page with MADV_FREE
>>>> 
>>>> If madvise(..., MADV_FREE) split a transparent hugepage, it called
>>>> put_page() before unlock_page().  This was wrong because put_page() can
>>>> free the page, e.g.  if a concurrent madvise(..., MADV_DONTNEED) has
>>>> removed it from the memory mapping.  put_page() then rightfully complained
>>>> about freeing a locked page.
>>>> 
>>>> Fix this by moving the unlock_page() before put_page().
>> 
>> Quick grep shows that a similar flow (put_page() followed by an
>> unlock_page() ) also happens in hugetlbfs_fallocate(). Isn’t it a problem as
>> well?
> 
> I assume you are asking about this block of code?

Yes.

> 
>                /*
>                 * page_put due to reference from alloc_huge_page()
>                 * unlock_page because locked by add_to_page_cache()
>                 */
>                put_page(page);
>                unlock_page(page);
> 
> Well, there is a typo (page_put) in the comment. :(
> 
> However, in this case we have just added the huge page to a hugetlbfs
> file.  The put_page() is there just to drop the reference count on the
> page (taken when allocated).  It will still be non-zero as we have
> successfully added it to the page cache.  So, we are not freeing the
> page here, just dropping the reference count.
> 
> This should not cause a problem like that seen in madvise.

Thanks for the quick response.

I am not too familiar with this piece of code, so just for the matter of
understanding: what prevents the page from being removed from the page cache
shortly after it is added (even if it is highly unlikely)? The page lock? The
inode lock?

Thanks again,
Nadav