Question: "Bare" set_page_dirty_lock() call in vhost.c

From: John Hubbard <jhubbard@nvidia.com>
To: Jan Kara <jack@suse.cz>, Linux-MM <linux-mm@kvack.org>,
	<linux-fsdevel@vger.kernel.org>
Cc: Alex Williamson <alex.williamson@redhat.com>
Subject: Question: "Bare" set_page_dirty_lock() call in vhost.c
Date: Thu, 28 May 2020 17:59:30 -0700	[thread overview]
Message-ID: <3b2db4da-9e4e-05d1-bf89-a261f0eb6de0@nvidia.com> (raw)

Hi,

While trying to figure out which things to convert from
get_user_pages*() to put_user_pages*(), I came across an interesting use
of set_page_dirty_lock(), and wanted to ask about it.

Is it safe to call set_page_dirty_lock() like this (for the case
when this is file-backed memory):

// drivers/vhost/vhost.c:1757:
static int set_bit_to_user(int nr, void __user *addr)
{
	unsigned long log = (unsigned long)addr;
	struct page *page;
	void *base;
	int bit = nr + (log % PAGE_SIZE) * 8;
	int r;

	r = get_user_pages_fast(log, 1, FOLL_WRITE, &page);
	if (r < 0)
		return r;
	BUG_ON(r != 1);
	base = kmap_atomic(page);
	set_bit(bit, base);
	kunmap_atomic(base);
	set_page_dirty_lock(page);
	put_page(page);
	return 0;
}

  ?

That is, after the page is unmapped, but before unpinning it?
Specifically, I'd expect that the writeback and reclaim code code can end
up calling drop_buffers() (because the set_bit() call actually did
dirty the pte), after the kunmap_atomic() call. So then when
set_page_dirty_lock() runs, it could bug check on ext4_writepage()'s
attempt to buffer heads:

ext4_writepage()
	page_bufs = page_buffers(page);
         #define page_buffers(page)					\
         	({							\
         		BUG_ON(!PagePrivate(page));			\
         		((struct buffer_head *)page_private(page));	\
         	})

...which actually is the the case that pin_user_pages*() is ultimately
helping to avoid, btw. But in this case, it's all code that runs on a
CPU, so no DMA or DIO is involved. But still, the "bare" use of
set_page_dirty_lock() seems like a problem here.

thanks,
-- 
John Hubbard
NVIDIA