From: Jesper Dangaard Brouer <jbrouer@redhat.com>
To: "Toke Høiland-Jørgensen" <toke@redhat.com>,
"Ilias Apalodimas" <ilias.apalodimas@linaro.org>,
netdev@vger.kernel.org, "Eric Dumazet" <eric.dumazet@gmail.com>,
linux-mm@kvack.org, "Mel Gorman" <mgorman@techsingularity.net>
Cc: brouer@redhat.com, lorenzo@kernel.org, linyunsheng@huawei.com,
bpf@vger.kernel.org, "David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
willy@infradead.org
Subject: Re: [PATCH RFC net-next/mm V2 1/2] page_pool: Remove workqueue in new shutdown scheme
Date: Fri, 28 Apr 2023 17:46:46 +0200 [thread overview]
Message-ID: <bc65340d-99cf-2971-3e4e-738d220b68de@redhat.com> (raw)
In-Reply-To: <871qk582tn.fsf@toke.dk>
On 27/04/2023 22.53, Toke Høiland-Jørgensen wrote:
>> @@ -868,11 +890,13 @@ void page_pool_destroy(struct page_pool *pool)
>> if (!page_pool_release(pool))
>> return;
>>
>> - pool->defer_start = jiffies;
>> - pool->defer_warn = jiffies + DEFER_WARN_INTERVAL;
>> + /* PP have pages inflight, thus cannot immediately release memory.
>> + * Enter into shutdown phase.
>> + */
>> + pool->p.flags |= PP_FLAG_SHUTDOWN;
>
> I think there's another race here: once the flag is set in this line
> (does this need a memory barrier, BTW?), another CPU can return the last
> outstanding page, read the flag and call page_pool_empty_ring(). If this
> happens before the call to page_pool_empty_ring() below, you'll get a
> use-after-free.
>
> To avoid this, we could artificially bump the pool->hold_cnt *before*
> setting the flag above; that way we know that the page_pool_empty_ring()
> won't trigger a release, because inflight pages will never go below 1.
> And then, below the page_pool_empty_ring() call below, we can add an
> artificial bump of the release_cnt as well, which means we'll get proper
> atomic semantics on the counters and only ever release once. I.e.,:
>
>> - INIT_DELAYED_WORK(&pool->release_dw, page_pool_release_retry);
>> - schedule_delayed_work(&pool->release_dw, DEFER_TIME);
>> + /* Concurrent CPUs could have returned last pages into ptr_ring */
>> + page_pool_empty_ring(pool);
> release_cnt = atomic_inc_return(&pool->pages_state_release_cnt);
> page_pool_free_attempt(pool, release_cnt);
>
I agree and I've implemented this solution (see V3 soon).
I've used smp_store_release() instead of WRITE_ONCE(), because AFAIK
smp_store_release() adds the memory barriers.
--Jesper
next prev parent reply other threads:[~2023-04-28 15:47 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-27 19:25 [PATCH RFC net-next/mm V2 0/2] page_pool: new approach for leak detection and shutdown phase Jesper Dangaard Brouer
2023-04-27 19:25 ` [PATCH RFC net-next/mm V2 1/2] page_pool: Remove workqueue in new shutdown scheme Jesper Dangaard Brouer
2023-04-27 20:53 ` Toke Høiland-Jørgensen
2023-04-28 10:42 ` Jesper Dangaard Brouer
2023-04-28 10:52 ` Toke Høiland-Jørgensen
2023-04-28 13:48 ` Jesper Dangaard Brouer
2023-04-28 15:46 ` Jesper Dangaard Brouer [this message]
2023-04-27 21:29 ` kernel test robot
2023-04-27 23:33 ` kernel test robot
2023-04-27 19:25 ` [PATCH RFC net-next/mm V2 2/2] mm/page_pool: catch page_pool memory leaks Jesper Dangaard Brouer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bc65340d-99cf-2971-3e4e-738d220b68de@redhat.com \
--to=jbrouer@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=bpf@vger.kernel.org \
--cc=brouer@redhat.com \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=ilias.apalodimas@linaro.org \
--cc=kuba@kernel.org \
--cc=linux-mm@kvack.org \
--cc=linyunsheng@huawei.com \
--cc=lorenzo@kernel.org \
--cc=mgorman@techsingularity.net \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=toke@redhat.com \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.