On Tue, May 24, 2016 at 05:59:02AM -0700, Eric Dumazet wrote:
...
> > +static int anon_pipe_buf_steal(struct pipe_inode_info *pipe,
> > + struct pipe_buffer *buf)
> > +{
> > + struct page *page = buf->page;
> > +
> > + if (page_count(page) == 1) {
>
> This looks racy : some cpu could have temporarily elevated page count.
All pipe operations (pipe_buf_operations->get, ->release, ->steal) are
supposed to be called under pipe_lock. So, if we see a pipe_buffer->page
with refcount of 1 in ->steal, that means that we are the only its user
and it can't be spliced to another pipe.
In fact, I just copied the code from generic_pipe_buf_steal, adding
kmemcg related checks along the way, so it should be fine.
Thanks,
Vladimir
>
> > + if (memcg_kmem_enabled()) {
> > + memcg_kmem_uncharge(page, 0);
> > + __ClearPageKmemcg(page);
> > + }
> > + __SetPageLocked(page);
> > + return 0;
> > + }
> > + return 1;
> > +}
