On Sat, Jul 10, 2021 at 12:44 AM Yunsheng Lin linyunsheng@huawei.com wrote: <snip>
@@ -419,6 +471,20 @@ static __always_inline struct page * __page_pool_put_page(struct page_pool *pool, struct page *page, unsigned int dma_sync_size, bool allow_direct) {
int bias = page_pool_get_pagecnt_bias(page);/* Handle the elevated refcnt case first */if (bias) {/* It is not the last user yet */if (!page_pool_bias_page_recyclable(page, bias))return NULL;if (likely(!page_is_pfmemalloc(page)))goto recyclable;elsegoto unrecyclable;}
So this part is still broken. Anything that takes a reference to the page and holds it while this is called will cause it to break. For example with the recent fixes we put in place all it would take is a skb_clone followed by pskb_expand_head and this starts leaking memory.
One of the key bits in order for pagecnt_bias to work is that you have to deduct the bias once there are no more parties using it. Otherwise you leave the reference count artificially inflated and the page will never be freed. It works fine for the single producer single consumer case but once you introduce multiple consumers this is going to fall apart.