Date: Sat, 16 Mar 2024 14:59:16 +0000
From: Matthew Wilcox
To: Zhaoyang Huang
Cc: "zhaoyang.huang", Andrew Morton, linux-mm@kvack.org, linux-kernel@vger.kernel.org, steve.kang@unisoc.com
Subject: Re: [PATCH] mm: fix a race scenario in folio_isolate_lru
References: <20240314083921.1146937-1-zhaoyang.huang@unisoc.com>

On Sat, Mar 16, 2024 at 04:53:09PM +0800, Zhaoyang Huang wrote:
> On Fri, Mar 15, 2024 at 8:46 PM Matthew Wilcox wrote:
> >
> > On Thu, Mar 14, 2024 at 04:39:21PM +0800, zhaoyang.huang wrote:
> > > From: Zhaoyang Huang
> > >
> > > Panic[1] reported which is caused by lruvec->list break. Fix the race
> > > between folio_isolate_lru and release_pages.
> > >
> > > race condition:
> > > release_pages could meet a non-referred folio which escaped from being
> > > deleted from LRU but add to another list_head
> >
> > I don't think the bug is in folio_isolate_lru() but rather in its
> > caller.
> >
> >  * Context:
> >  *
> >  * (1) Must be called with an elevated refcount on the folio. This is a
> >  *     fundamental difference from isolate_lru_folios() (which is called
> >  *     without a stable reference).
> >
> > So when release_pages() runs, it must not see a refcount decremented to
> > zero, because the caller of folio_isolate_lru() is supposed to hold one.
> >
> > Your stack trace is for the thread which is calling release_pages(), not
> > the one calling folio_isolate_lru(), so I can't help you debug further.
> Thanks for the comments. According to my understanding,
> folio_put_testzero does the decrement before test which makes it
> possible to have release_pages see refcnt equal zero and proceed
> further (folio_get in folio_isolate_lru has not run yet).

No, that's not possible. In the scenario below, at entry to
folio_isolate_lru(), the folio has refcount 2. It has one refcount
from thread 0 (because it must own one before calling
folio_isolate_lru()) and it has one refcount from thread 1 (because
it's about to call release_pages()). If release_pages() were not
running, the folio would have refcount 3 when folio_isolate_lru()
returned.

> #0 folio_isolate_lru            #1 release_pages
> BUG_ON(!folio_refcnt)
>                                 if (folio_put_testzero())
> folio_get(folio)
> if (folio_test_clear_lru())
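
[Added example, not part of the message above and not kernel code.] The refcount argument can be checked by enumerating every point at which thread 1's folio_put_testzero() can land relative to thread 0's three steps. `model_folio`, `run_schedule` and `schedules_seeing_zero` are hypothetical names, and the entry-refcount-1 case is an assumed caller that breaks the "elevated refcount" contract.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: just the refcount and the LRU flag, no real kernel types. */
struct model_folio { int refcount; bool lru; };

struct outcome {
    bool saw_zero;      /* folio_put_testzero() dropped the count to 0 */
    bool bug_on_fired;  /* BUG_ON(!folio_refcnt) would have triggered */
    int  final_refcount;
};

/* Thread 0 runs steps 0..2 of folio_isolate_lru(); thread 1's single
 * folio_put_testzero() is scheduled just before step put_at (3 = after all).
 * The model keeps running after BUG_ON so later states stay visible. */
static struct outcome run_schedule(int entry_refcount, int put_at)
{
    struct model_folio f = { entry_refcount, true };
    struct outcome o = { false, false, 0 };

    for (int step = 0; step <= 3; step++) {
        if (step == put_at && --f.refcount == 0)
            o.saw_zero = true;            /* release_pages() would free it */
        switch (step) {
        case 0: if (f.refcount == 0) o.bug_on_fired = true; break;
        case 1: f.refcount++; break;      /* folio_get(folio) */
        case 2: f.lru = false; break;     /* folio_test_clear_lru() */
        }
    }
    o.final_refcount = f.refcount;
    return o;
}

/* How many of the four possible schedules let release_pages() see zero. */
static int schedules_seeing_zero(int entry_refcount)
{
    int n = 0;
    for (int put_at = 0; put_at <= 3; put_at++)
        n += run_schedule(entry_refcount, put_at).saw_zero;
    return n;
}

int main(void)
{
    /* 2 = contract held (thread 0 and thread 1 each own a reference);
     * 1 = assumed violation: only thread 1's reference exists. */
    printf("entry refcount 2: %d of 4 schedules see zero\n", schedules_seeing_zero(2));
    printf("entry refcount 1: %d of 4 schedules see zero\n", schedules_seeing_zero(1));
    return 0;
}
```

With the contract held, no schedule reaches zero; zero only becomes reachable when the caller of folio_isolate_lru() enters without a reference of its own.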