From nobody Mon Jun 8 09:48:00 2026 Received: from out-171.mta0.migadu.com (out-171.mta0.migadu.com [91.218.175.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8CCB534FF74 for ; Thu, 4 Jun 2026 10:15:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.171 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780568119; cv=none; b=uctMnJyHzPiurzyWfrmnKUbW3t8zdjzbhKD4LFjRSEIYQhhDcUyzjvIaZafYk2v12gfx0qeYrOV9y/mehsdMtrBJ4dd5KxenD+CkcYk/MriCUe37xcagl62S8KCoCAIBTj+k7jtFCQsYQ10e4gSYmDrFZhihMQzRmdCR2rs0vGU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780568119; c=relaxed/simple; bh=5sWaF3Kp9StiAOZ9oTQJYUPuU2F//t1D0FB2xiavHRA=; h=MIME-Version:Date:Content-Type:From:Message-ID:Subject:To:Cc: In-Reply-To:References; b=PNAVa6ij39pDptARipiAjMVpVFgZindzYoAbDG+NwBQt1Yi7KqqZ53+CMgclqOKQihx17HiC8h63icXuyXQEnZpZBuo8ILHVQASLHrrXmH3gYK1mZjS1t048hYlc95lMn8LLTcl9roUV5ld59lAa7CXCe6+6597BasLS5dYdI6o= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=mjDQkYbP; arc=none smtp.client-ip=91.218.175.171 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="mjDQkYbP" Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1780568115; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=1/eK1JWmIdEpDOFar9tPJ+EuVXYz4VWUnvo+5T0o2kw=; b=mjDQkYbP1JIGt8bh13BKfIe8BbWkKuF+ZRWSxIGjbW7i0twHqiAdQpj9DZXnPjcxC80+21 izHFyfhPug4leDjH8KjDk76VglF/Vgw1Ip818J/bnlB0ebbecdAhUV3RPgNEdB50KiOXAZ +qD2HAzxJYrfz4YHTETqTv3nhp2le9Q= Date: Thu, 04 Jun 2026 10:15:12 +0000 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: ilya.gladyshev@linux.dev Message-ID: <7c28d766b007345f5f31ba9a086a3bffe95a013d@linux.dev> TLS-Required: No Subject: [PATCH v3 1/2] mm: drop page refcount zero state semantics To: ilya.gladyshev@linux.dev Cc: ivgorbunov@me.com, Liam.Howlett@oracle.com, akpm@linux-foundation.org, apopple@nvidia.com, artem.kuzin@huawei.com, baolin.wang@linux.alibaba.com, david@kernel.org, foxido@foxido.dev, harry.yoo@oracle.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, lorenzo.stoakes@oracle.com, mhocko@suse.com, muchun.song@linux.dev, rppt@kernel.org, surenb@google.com, torvalds@linuxfoundation.org, vbabka@suse.cz, willy@infradead.org, yuzhao@google.com, ziy@nvidia.com, pfalcato@suse.de, kirill@shutemov.name In-Reply-To: <5dabf3a748fee0c7b142c74367e7586f5db1ed1e@linux.dev> References: <5dabf3a748fee0c7b142c74367e7586f5db1ed1e@linux.dev> X-Migadu-Flow: FLOW_OUT From: Gorbunov Ivan Some call sites manipulate page refcount directly via set_page_count() instead of using more direct API like set_frozen() / init_refcount(). This conflicts with the next patch, which will stop treating zeroed refcount as the indicator of a frozen page. To prepare for that change, this patch: - "Deprecates" the internal assumption that a frozen page has refcount=3D0 (and vice versa). Callers of page_ref_count() still see 0 for frozen pages. - Inserts VM_BUG_ON() checks in every refcount API function to prevent following errnous behaviour: page =3D alloc_frozen_page() // page is frozen page_ref_inc(page, 1) // BUG: Increment on frozen page instead of init - Renames _unless_zero() functions into _unless_frozen() Reviewed-by: Artem Kuzin Co-developed-by: Gladyshev Ilya Signed-off-by: Gladyshev Ilya Signed-off-by: Gorbunov Ivan Acked-by: Bjorn Helgaas # p2pdma.c --- drivers/pci/p2pdma.c | 4 ++-- include/linux/mm.h | 2 +- include/linux/page_ref.h | 31 +++++++++++++++++++++++------- kernel/liveupdate/kexec_handover.c | 6 +++--- lib/test_hmm.c | 4 ++-- mm/hugetlb.c | 2 +- mm/internal.h | 2 +- mm/memremap.c | 4 ++-- mm/mm_init.c | 6 +++--- mm/page_alloc.c | 4 ++-- 10 files changed, 41 insertions(+), 24 deletions(-) diff --git a/drivers/pci/p2pdma.c b/drivers/pci/p2pdma.c index 7c898542af8d..7aca5852dccc 100644 --- a/drivers/pci/p2pdma.c +++ b/drivers/pci/p2pdma.c @@ -148,7 +148,7 @@ static int p2pmem_alloc_mmap(struct file *filp, struct = kobject *kobj, * using it. */ VM_WARN_ON_ONCE_PAGE(page_ref_count(page), page); - set_page_count(page, 1); + init_page_count(page); ret =3D vm_insert_page(vma, vaddr, page); if (ret) { gen_pool_free(p2pdma->pool, (uintptr_t)kaddr, len); @@ -158,7 +158,7 @@ static int p2pmem_alloc_mmap(struct file *filp, struct = kobject *kobj, * because we don't want to trigger the * p2pdma_folio_free() path. */ - set_page_count(page, 0); + set_page_count_as_frozen(page); percpu_ref_put(ref); return ret; } diff --git a/include/linux/mm.h b/include/linux/mm.h index 06bbe9eba636..34f83c5c2d24 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -1780,7 +1780,7 @@ static inline int folio_put_testzero(struct folio *fo= lio) */ static inline bool get_page_unless_zero(struct page *page) { - return page_ref_add_unless_zero(page, 1); + return page_ref_add_unless_frozen(page, 1); } =20 static inline struct folio *folio_get_nontail_page(struct page *page) diff --git a/include/linux/page_ref.h b/include/linux/page_ref.h index 94d3f0e71c06..24b09c8fbb68 100644 --- a/include/linux/page_ref.h +++ b/include/linux/page_ref.h @@ -62,6 +62,11 @@ static inline void __page_ref_unfreeze(struct page *page= , int v) =20 #endif =20 +static inline bool __page_count_is_frozen(int count) +{ + return count =3D=3D 0; +} + static inline int page_ref_count(const struct page *page) { return atomic_read(&page->_refcount); @@ -101,9 +106,9 @@ static inline void set_page_count(struct page *page, in= t v) __page_ref_set(page, v); } =20 -static inline void folio_set_count(struct folio *folio, int v) +static inline void folio_init_count(struct folio *folio) { - set_page_count(&folio->page, v); + set_page_count(&folio->page, 1); } =20 /* @@ -115,8 +120,14 @@ static inline void init_page_count(struct page *page) set_page_count(page, 1); } =20 +static inline void set_page_count_as_frozen(struct page *page) +{ + set_page_count(page, 0); +} + static inline void page_ref_add(struct page *page, int nr) { + VM_BUG_ON(__page_count_is_frozen(page_count(page))); atomic_add(nr, &page->_refcount); if (page_ref_tracepoint_active(page_ref_mod)) __page_ref_mod(page, nr); @@ -129,6 +140,7 @@ static inline void folio_ref_add(struct folio *folio, i= nt nr) =20 static inline void page_ref_sub(struct page *page, int nr) { + VM_BUG_ON(__page_count_is_frozen(page_count(page))); atomic_sub(nr, &page->_refcount); if (page_ref_tracepoint_active(page_ref_mod)) __page_ref_mod(page, -nr); @@ -142,6 +154,7 @@ static inline void folio_ref_sub(struct folio *folio, i= nt nr) static inline int folio_ref_sub_return(struct folio *folio, int nr) { int ret =3D atomic_sub_return(nr, &folio->_refcount); + VM_BUG_ON(__page_count_is_frozen(ret + nr)); =20 if (page_ref_tracepoint_active(page_ref_mod_and_return)) __page_ref_mod_and_return(&folio->page, -nr, ret); @@ -150,6 +163,7 @@ static inline int folio_ref_sub_return(struct folio *fo= lio, int nr) =20 static inline void page_ref_inc(struct page *page) { + VM_BUG_ON(__page_count_is_frozen(page_count(page))); atomic_inc(&page->_refcount); if (page_ref_tracepoint_active(page_ref_mod)) __page_ref_mod(page, 1); @@ -162,6 +176,7 @@ static inline void folio_ref_inc(struct folio *folio) =20 static inline void page_ref_dec(struct page *page) { + VM_BUG_ON(__page_count_is_frozen(page_count(page))); atomic_dec(&page->_refcount); if (page_ref_tracepoint_active(page_ref_mod)) __page_ref_mod(page, -1); @@ -189,6 +204,7 @@ static inline int folio_ref_sub_and_test(struct folio *= folio, int nr) static inline int page_ref_inc_return(struct page *page) { int ret =3D atomic_inc_return(&page->_refcount); + VM_BUG_ON(__page_count_is_frozen(ret - 1)); =20 if (page_ref_tracepoint_active(page_ref_mod_and_return)) __page_ref_mod_and_return(page, 1, ret); @@ -217,6 +233,7 @@ static inline int folio_ref_dec_and_test(struct folio *= folio) static inline int page_ref_dec_return(struct page *page) { int ret =3D atomic_dec_return(&page->_refcount); + VM_BUG_ON(__page_count_is_frozen(ret + 1)); =20 if (page_ref_tracepoint_active(page_ref_mod_and_return)) __page_ref_mod_and_return(page, -1, ret); @@ -228,7 +245,7 @@ static inline int folio_ref_dec_return(struct folio *fo= lio) return page_ref_dec_return(&folio->page); } =20 -static inline bool page_ref_add_unless_zero(struct page *page, int nr) +static inline bool page_ref_add_unless_frozen(struct page *page, int nr) { bool ret =3D atomic_add_unless(&page->_refcount, nr, 0); =20 @@ -237,9 +254,9 @@ static inline bool page_ref_add_unless_zero(struct page= *page, int nr) return ret; } =20 -static inline bool folio_ref_add_unless_zero(struct folio *folio, int nr) +static inline bool folio_ref_add_unless_frozen(struct folio *folio, int nr) { - return page_ref_add_unless_zero(&folio->page, nr); + return page_ref_add_unless_frozen(&folio->page, nr); } =20 /** @@ -255,12 +272,12 @@ static inline bool folio_ref_add_unless_zero(struct f= olio *folio, int nr) */ static inline bool folio_try_get(struct folio *folio) { - return folio_ref_add_unless_zero(folio, 1); + return folio_ref_add_unless_frozen(folio, 1); } =20 static inline bool folio_ref_try_add(struct folio *folio, int count) { - return folio_ref_add_unless_zero(folio, count); + return folio_ref_add_unless_frozen(folio, count); } =20 static inline int page_ref_freeze(struct page *page, int count) diff --git a/kernel/liveupdate/kexec_handover.c b/kernel/liveupdate/kexec_h= andover.c index 1b592d86dc48..b397bdb30461 100644 --- a/kernel/liveupdate/kexec_handover.c +++ b/kernel/liveupdate/kexec_handover.c @@ -361,7 +361,7 @@ EXPORT_SYMBOL_GPL(kho_radix_walk_tree); static void kho_init_pages(struct page *page, unsigned long nr_pages) { for (unsigned long i =3D 0; i < nr_pages; i++) { - set_page_count(page + i, 1); + init_page_count(page + i); /* Clear each page's codetag to avoid accounting mismatch. */ clear_page_tag_ref(page + i); } @@ -372,13 +372,13 @@ static void kho_init_folio(struct page *page, unsigne= d int order) unsigned long nr_pages =3D (1 << order); =20 /* Head page gets refcount of 1. */ - set_page_count(page, 1); + init_page_count(page); /* Clear head page's codetag to avoid accounting mismatch. */ clear_page_tag_ref(page); =20 /* For higher order folios, tail pages get a page count of zero. */ for (unsigned long i =3D 1; i < nr_pages; i++) - set_page_count(page + i, 0); + set_page_count_as_frozen(page + i); =20 if (order > 0) prep_compound_page(page, order); diff --git a/lib/test_hmm.c b/lib/test_hmm.c index 213504915737..0cbcf9da4911 100644 --- a/lib/test_hmm.c +++ b/lib/test_hmm.c @@ -1715,7 +1715,7 @@ static void dmirror_devmem_folio_split(struct folio *= head, struct folio *tail) if (tail =3D=3D NULL) { folio_reset_order(rfolio); rfolio->mapping =3D NULL; - folio_set_count(rfolio, 1); + folio_init_count(rfolio); return; } =20 @@ -1729,7 +1729,7 @@ static void dmirror_devmem_folio_split(struct folio *= head, struct folio *tail) =20 folio_page(tail, 0)->mapping =3D folio_page(head, 0)->mapping; tail->pgmap =3D head->pgmap; - folio_set_count(page_folio(rpage_tail), 1); + folio_init_count(page_folio(rpage_tail)); } =20 static const struct dev_pagemap_ops dmirror_devmem_ops =3D { diff --git a/mm/hugetlb.c b/mm/hugetlb.c index 4b80b167cc9c..9a5ecdc71c44 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -3130,7 +3130,7 @@ static void __init hugetlb_folio_init_tail_vmemmap(st= ruct folio *folio, for (pfn =3D head_pfn + start_page_number; pfn < end_pfn; page++, pfn++) { __init_single_page(page, pfn, zone, nid); prep_compound_tail(page, &folio->page, order); - set_page_count(page, 0); + set_page_count_as_frozen(page); } } =20 diff --git a/mm/internal.h b/mm/internal.h index 5a2ddcf68e0b..3f2a91de8a80 100644 --- a/mm/internal.h +++ b/mm/internal.h @@ -595,7 +595,7 @@ static inline void set_page_refcounted(struct page *pag= e) { VM_BUG_ON_PAGE(PageTail(page), page); VM_BUG_ON_PAGE(page_ref_count(page), page); - set_page_count(page, 1); + init_page_count(page); } =20 static inline void set_pages_refcounted(struct page *page, unsigned long n= r_pages) diff --git a/mm/memremap.c b/mm/memremap.c index 053842d45cb1..8025cc27b408 100644 --- a/mm/memremap.c +++ b/mm/memremap.c @@ -462,7 +462,7 @@ void free_zone_device_folio(struct folio *folio) * Reset the refcount to 1 to prepare for handing out the page * again. */ - folio_set_count(folio, 1); + folio_init_count(folio); break; =20 case MEMORY_DEVICE_FS_DAX: @@ -519,7 +519,7 @@ void zone_device_page_init(struct page *page, struct de= v_pagemap *pgmap, * memunmap_pages(). */ WARN_ON_ONCE(!percpu_ref_tryget_many(&page_pgmap(page)->ref, 1 << order)); - set_page_count(page, 1); + init_page_count(page); lock_page(page); =20 if (order) diff --git a/mm/mm_init.c b/mm/mm_init.c index f9f8e1af921c..cb40f63084bc 100644 --- a/mm/mm_init.c +++ b/mm/mm_init.c @@ -1040,7 +1040,7 @@ static void __ref __init_zone_device_page(struct page= *page, unsigned long pfn, case MEMORY_DEVICE_PRIVATE: case MEMORY_DEVICE_COHERENT: case MEMORY_DEVICE_PCI_P2PDMA: - set_page_count(page, 0); + set_page_count_as_frozen(page); break; =20 case MEMORY_DEVICE_GENERIC: @@ -1086,7 +1086,7 @@ static void __ref memmap_init_compound(struct page *h= ead, =20 __init_zone_device_page(page, pfn, zone_idx, nid, pgmap); prep_compound_tail(page, head, order); - set_page_count(page, 0); + set_page_count_as_frozen(page); } prep_compound_head(head, order); } @@ -2224,7 +2224,7 @@ void __init init_cma_reserved_pageblock(struct page *= page) =20 do { __ClearPageReserved(p); - set_page_count(p, 0); + set_page_count_as_frozen(p); } while (++p, --i); =20 init_pageblock_migratetype(page, MIGRATE_CMA, false); diff --git a/mm/page_alloc.c b/mm/page_alloc.c index d49c254174da..617937e42b2e 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -1599,14 +1599,14 @@ void __meminit __free_pages_core(struct page *page,= unsigned int order, for (loop =3D 0; loop < nr_pages; loop++, p++) { VM_WARN_ON_ONCE(PageReserved(p)); __ClearPageOffline(p); - set_page_count(p, 0); + set_page_count_as_frozen(p); } =20 adjust_managed_page_count(page, nr_pages); } else { for (loop =3D 0; loop < nr_pages; loop++, p++) { __ClearPageReserved(p); - set_page_count(p, 0); + set_page_count_as_frozen(p); } =20 /* memblock adjusts totalram_pages() manually. */ --=20 2.43.0 From nobody Mon Jun 8 09:48:00 2026 Received: from out-186.mta1.migadu.com (out-186.mta1.migadu.com [95.215.58.186]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E6FAD33B6F8 for ; Thu, 4 Jun 2026 10:16:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=95.215.58.186 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780568163; cv=none; b=MiLmjjv7YAYXkxJ1f+Sp+xl0qSMk/PqMGrzPYRikwN0ISg3mZ2b/dtXJ9a9nQqpzr8SH1maQGFDwHUfDDicBaiZSIeyMa/J/1fuyLh8wFzak6LqF4pF4g9SOjhYkwq0TMGFPrQKuX4l2+66OfpzbPRlheZ2tfnqGh+0gOlsAhPI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780568163; c=relaxed/simple; bh=siuAzUXcLQBUINSgZzKqOl96sv/vstahT0IzRhmAKtw=; h=MIME-Version:Date:Content-Type:From:Message-ID:Subject:To:Cc: In-Reply-To:References; b=WjZCgw5h+azLxXpWzb5n1kOLKK8TtkBvPfRYZIiMsNFNF7q3bmlk8V/zOJGlWhmWYt1FmyJ3HO4GccrWkpWLyUNMHuQAdTdJwdBe7UpT7apa9jJZGSAGUWbZOBcLP4L5zJjHuquZYWB0BPp0qLuvPtxSL7XTqQBdBSh/INld0Zo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=UyD3Flju; arc=none smtp.client-ip=95.215.58.186 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="UyD3Flju" Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1780568159; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=0qNmtiXuwb0Ppur00DNdkJYZlOVI0uDXAYEOqp9/VNI=; b=UyD3Flju98zCYaKYt0PMZvHaHTND8cObc7KPKeG04gx7OvuAlpb1obDbKZcDnfGQtQNkSW APR8ElbuCra1w33GDt14lKRvgoVruHwlHm3OBxG5BP0Vfd8zVEnoMa3mdbkyLL2cKMwSfU Qsow44k1KDyZEt181NxxZiRFBpagmbE= Date: Thu, 04 Jun 2026 10:15:55 +0000 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: ilya.gladyshev@linux.dev Message-ID: <9c0605c782299a2bb3ab6a8e73da26bafddea52f@linux.dev> TLS-Required: No Subject: [PATCH v3 2/2] mm: implement page refcount locking via dedicated bit To: ilya.gladyshev@linux.dev Cc: ivgorbunov@me.com, Liam.Howlett@oracle.com, akpm@linux-foundation.org, apopple@nvidia.com, artem.kuzin@huawei.com, baolin.wang@linux.alibaba.com, david@kernel.org, foxido@foxido.dev, harry.yoo@oracle.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, lorenzo.stoakes@oracle.com, mhocko@suse.com, muchun.song@linux.dev, rppt@kernel.org, surenb@google.com, torvalds@linuxfoundation.org, vbabka@suse.cz, willy@infradead.org, yuzhao@google.com, ziy@nvidia.com, pfalcato@suse.de, kirill@shutemov.name In-Reply-To: <5dabf3a748fee0c7b142c74367e7586f5db1ed1e@linux.dev> References: <5dabf3a748fee0c7b142c74367e7586f5db1ed1e@linux.dev> X-Migadu-Flow: FLOW_OUT The current atomic-based page refcount implementation treats zero counter as dead and requires a compare-and-swap loop in folio_try_get() to prevent incrementing a dead refcount. This CAS loop acts as a serialization point and can become a significant bottleneck during high-frequency file read operations. This patch introduces PAGEREF_FROZEN_BIT to distinguish between a (temporary) zero refcount and a locked (dead/frozen) state. Because now incrementing counter doesn't affect it's locked/unlocked state, it is possible to use an optimistic atomic_add_return() in page_ref_add_unless_zero() that operates independently of the locked bit. The locked state is handled after the increment attempt, eliminating the need for the CAS loop. If locked state is detected after atomic_add(), pageref counter will be reset with CAS loop, eliminating theoretical possibility of overflow. Reviewed-by: Artem Kuzin Co-developed-by: Gorbunov Ivan Signed-off-by: Gorbunov Ivan Signed-off-by: Gladyshev Ilya Acked-by: Linus Torvalds --- include/linux/page-flags.h | 13 +++++++++++++ include/linux/page_ref.h | 28 ++++++++++++++++++++++++---- 2 files changed, 37 insertions(+), 4 deletions(-) diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h index 7223f6f4e2b4..ea9904a67334 100644 --- a/include/linux/page-flags.h +++ b/include/linux/page-flags.h @@ -196,6 +196,19 @@ enum pageflags { =20 #define PAGEFLAGS_MASK ((1UL << NR_PAGEFLAGS) - 1) =20 +/* Most significant bit in page refcount */ +#define PAGEREF_FROZEN_BIT BIT(31) + +/* Page reference counter can be in 4 logical states, + * which are described below with their value representation + * state | value + * (1) safe with owners | 1...INT_MAX + * (2) safe with no owners | 0 + * (3) frozen | INT_MIN....-1 + * + * State (2) can be only temporally inside dec_and_test. + */ + #ifndef __GENERATING_BOUNDS_H =20 /* diff --git a/include/linux/page_ref.h b/include/linux/page_ref.h index 24b09c8fbb68..b041894b6659 100644 --- a/include/linux/page_ref.h +++ b/include/linux/page_ref.h @@ -64,12 +64,17 @@ static inline void __page_ref_unfreeze(struct page *pag= e, int v) =20 static inline bool __page_count_is_frozen(int count) { - return count =3D=3D 0; + return count & PAGEREF_FROZEN_BIT; } =20 static inline int page_ref_count(const struct page *page) { - return atomic_read(&page->_refcount); + int val =3D atomic_read(&page->_refcount); + + if (unlikely(val & PAGEREF_FROZEN_BIT)) + return 0; + + return val; } =20 /** @@ -191,6 +196,9 @@ static inline int page_ref_sub_and_test(struct page *pa= ge, int nr) { int ret =3D atomic_sub_and_test(nr, &page->_refcount); =20 + if (ret) + ret =3D !atomic_cmpxchg_relaxed(&page->_refcount, 0, PAGEREF_FROZEN_BIT); + if (page_ref_tracepoint_active(page_ref_mod_and_test)) __page_ref_mod_and_test(page, -nr, ret); return ret; @@ -220,6 +228,9 @@ static inline int page_ref_dec_and_test(struct page *pa= ge) { int ret =3D atomic_dec_and_test(&page->_refcount); =20 + if (ret) + ret =3D !atomic_cmpxchg_relaxed(&page->_refcount, 0, PAGEREF_FROZEN_BIT); + if (page_ref_tracepoint_active(page_ref_mod_and_test)) __page_ref_mod_and_test(page, -1, ret); return ret; @@ -245,9 +256,18 @@ static inline int folio_ref_dec_return(struct folio *f= olio) return page_ref_dec_return(&folio->page); } =20 +#define _PAGEREF_FROZEN_LIMIT ((1 << 30) | PAGEREF_FROZEN_BIT) + static inline bool page_ref_add_unless_frozen(struct page *page, int nr) { - bool ret =3D atomic_add_unless(&page->_refcount, nr, 0); + bool ret =3D false; + int val =3D atomic_add_return(nr, &page->_refcount); + // See PAGEREF_FROZEN_BIT declaration in page-flags.h for details + ret =3D !(val & PAGEREF_FROZEN_BIT); + + /* Undo atomic_add() if counter is locked and scary big */ + while (unlikely((unsigned int)val >=3D _PAGEREF_FROZEN_LIMIT)) + val =3D atomic_cmpxchg_relaxed(&page->_refcount, val, PAGEREF_FROZEN_BIT= ); =20 if (page_ref_tracepoint_active(page_ref_mod_unless)) __page_ref_mod_unless(page, nr, ret); @@ -282,7 +302,7 @@ static inline bool folio_ref_try_add(struct folio *foli= o, int count) =20 static inline int page_ref_freeze(struct page *page, int count) { - int ret =3D likely(atomic_cmpxchg(&page->_refcount, count, 0) =3D=3D coun= t); + int ret =3D likely(atomic_cmpxchg(&page->_refcount, count, PAGEREF_FROZEN= _BIT) =3D=3D count); =20 if (page_ref_tracepoint_active(page_ref_freeze)) __page_ref_freeze(page, count, ret); --=20 2.43.0