Received: by 2002:a05:6a10:6006:0:0:0:0 with SMTP id w6csp403077pxa; Thu, 27 Aug 2020 05:47:09 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx0dCjmUpfRamciCTEkR+tVwZhdwBXOh8elRGnUls2n7xXMfiQuogWRBCjMffgGMIoSMEwh X-Received: by 2002:a50:fa94:: with SMTP id w20mr20485331edr.82.1598532429582; Thu, 27 Aug 2020 05:47:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598532429; cv=none; d=google.com; s=arc-20160816; b=X215Qrg1XqYyFQnl1niZxV/OTkM5JLnmgZRC0fA6q0Is1Io4cz9kZ+7F4q2VaImJE0 NgWPOcKF60FkN11sTzOkDR6fArjN695VaVMbdQcBcF9uiRwzO1szYQzs/37GyY6XLbYF ezxE2+ZYMDhjEoHYOi6UOAWWIQHdONGQpo0hV/o25w0lWRZTOvzPShjsmS2Yb4W2bbT0 ddA2zdSxbmrg1yNXDDlmQilCiSzD8/fkTMSVGOQJYw2UwYW3zSssg1LaWvuXGuJX2Yzb g54E52WMpEEon0/tpAZg9GPKM142XOBTZEbjt0zj9FhybtyPrSDHiuJiXL8fH9oy0+M3 LZ+w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=WR0JbwYpcKbUOXFKigJtskF/5Rf4W2AfrlUuN1W+bsM=; b=maCbMYaLTLbr2u7L9Av9BXh7u5A071uEF8BfPpb6GqhASOdj8/O8d7Mbp8FBJcftQD J90qaD59ZhNasOsLvw8pATp53jAM6l+WpxoN0pghwa8a0zfgamB6iHCeBp63j9Gi1+X2 9ucf4Rz41RqX/v3geifHp6wgrsyUI1Q2cFhg5fGn+26Gk6RQpbS/iIoYX5sVcZkNoGGX IN+d8sNh9G44oOes1lYnck5L7t9IaauxxxdLFKkkVxkY1yifcsK7mDeB/sEFggnSydY7 PWJhYMxJR2KELEzwngl1lbCVPj82hU5PegpErxg1dkvF3WmpsfQMhyL3kjV3HZQ2TULd 35MA== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@infradead.org header.s=casper.20170209 header.b=H+uXV9mP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g14si1310692ejr.420.2020.08.27.05.46.45; Thu, 27 Aug 2020 05:47:09 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=fail header.i=@infradead.org header.s=casper.20170209 header.b=H+uXV9mP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728953AbgH0Mpp (ORCPT + 99 others); Thu, 27 Aug 2020 08:45:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38812 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728986AbgH0M05 (ORCPT ); Thu, 27 Aug 2020 08:26:57 -0400 Received: from casper.infradead.org (casper.infradead.org [IPv6:2001:8b0:10b:1236::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A5928C061234 for ; Thu, 27 Aug 2020 05:20:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=WR0JbwYpcKbUOXFKigJtskF/5Rf4W2AfrlUuN1W+bsM=; b=H+uXV9mPRYjsGIq94MPTzLDOHg AhABlz1ms+kupgpq6eu6blxwpVJHiBxNdDdF7DDdfGVnbfURALdJc0roZONNxy7U0tFsG6mtyFbDv tJZQoIFzewHaBFfia7THTczhceUNnACC2J88y+Hct9uiQ/Jhp549tEpYeW1hHjLcteIdX6E3jp2k6 Ze/qeVOM+252nE2Tl6kvMsuEAOHf9mjTjPShX8wnLqHLDbtVG5p1RG1P27Sg8IWYJfUBtisxYr3WQ YLMqfxxlm9x43PkLVQYD6UpYWveA+A3c7ZVI20iEk4D/XJ9xekJIQMtfCOznX9Gzf9hr0s9I+QTvR VGdXosvQ==; Received: from willy by casper.infradead.org with local (Exim 4.92.3 #3 (Red Hat Linux)) id 1kBGt9-0001qR-2P; Thu, 27 Aug 2020 12:20:19 +0000 Date: Thu, 27 Aug 2020 13:20:19 +0100 From: Matthew Wilcox To: Hugh Dickins Cc: Andrew Morton , linux-mm@kvack.org, linux-kernel@vger.kernel.org, kirill@shutemov.name, Nicholas Piggin Subject: Race between freeing and waking page Message-ID: <20200827122019.GC14765@casper.infradead.org> References: <1598273705-69124-1-git-send-email-alex.shi@linux.alibaba.com> <20200824114204.cc796ca182db95809dd70a47@linux-foundation.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Aug 27, 2020 at 12:01:00AM -0700, Hugh Dickins wrote: > It was a crash from checking PageWaiters on a Tail in wake_up_page(), > called from end_page_writeback(), from ext4_finish_bio(): yet the > page a tail of a shmem huge page. Linus's wake_up_page_bit() changes? > No, I don't think so. It seems to me that once end_page_writeback() > has done its test_clear_page_writeback(), it has no further hold on > the struct page, which could be reused as part of a compound page > by the time of wake_up_page()'s PageWaiters check. But I probably > need to muse on that for longer. I think you're right. Example: truncate_inode_pages_range() pagevec_lookup_entries() lock_page() --- ctx switch --- ext4_finish_bio() end_page_writeback() test_clear_page_writeback() --- ctx switch --- wait_on_page_writeback() <- noop truncate_inode_page() unlock_page() pagevec_release() ... page can now be allocated --- ctx switch --- wake_up_page() PageWaiters then has that check for PageTail. This isn't unique to ext4; the iomap completion path behaves the exact same way. The thing is, this is a harmless race. It seems unnecessary for anybody here to incur the overhead of adding a page ref to be sure the page isn't reallocated. We don't want to wake up the waiters before clearing the bit in question. I'm tempted to suggest this: static void wake_up_page(struct page *page, int bit) { - if (!PageWaiters(page)) + if (PageTail(page) || !PageWaiters(page)) return; wake_up_page_bit(page, bit); which only adds an extra read to the struct page that we were going to access anyway. Even that seems unnecessary though; PageWaiters is going to be clear. Maybe we can just change the PF policy from PF_ONLY_HEAD to PF_ANY. I don't think it's critical that we have this check. Nick?