Thread: 41 messages, 9 authors, 2021-05-11

Re: [PATCH net-next v3 2/5] mm: add a signature in struct page

From: Matthew Wilcox <willy@infradead.org>
Date: 2021-04-19 13:03:57
Also in: bpf, linux-mm, linux-rdma, lkml

On Mon, Apr 19, 2021 at 01:22:04PM +0200, Jesper Dangaard Brouer wrote:
> On Wed, 14 Apr 2021 13:09:47 -0700
> Shakeel Butt [off-list ref] wrote:
>
> > On Wed, Apr 14, 2021 at 12:42 PM Jesper Dangaard Brouer
> > [off-list ref] wrote:
> > >
> > [...]
> > > > > Can this page_pool be used for TCP RX zerocopy? If yes then PageType
> > > > > can not be used.
> > > >
> > > > Yes it can, since it's going to be used as your default allocator for
> > > > payloads, which might end up on an SKB.
> > >
> > > I'm not sure we want or should "allow" page_pool be used for TCP RX
> > > zerocopy.
> > > For several reasons.
> > >
> > > (1) This implies mapping these pages page to userspace, which AFAIK
> > > means using page->mapping and page->index members (right?).
> > >
> >
> > No, only page->_mapcount is used.
>
> Good to know.
> I will admit that I don't fully understand the usage of page->mapping
> and page->index members.

That's fair.  It's not well-documented, and it's complicated.

For a page mapped into userspace, page->mapping is one of:
 - NULL
 - A pointer to a file's address_space
 - A pointer to an anonymous page's anon_vma
If a page isn't mapped into userspace, you can use the space in page->mapping
for anything you like (eg slab uses it)

page->index is only used for indicating pfmemalloc today (and I want to
move that indicator).  I think it can also be used to merge VMAs (if
some other conditions are also true), but failing to merge VMAs isn't
a big deal for this kind of situation.

> > > (2) It feels wrong (security wise) to keep the DMA-mapping (for the
> > > device) and also map this page into userspace.
> >
> > I think this is already the case i.e pages still DMA-mapped and also
> > mapped into userspace.
>
> True, other drivers are doing the same.

And the contents of this page already came from that device ... if it
wanted to write bad data, it could already have done so.

> > > (3) The page_pool is optimized for refcnt==1 case, and AFAIK TCP-RX
> > > zerocopy will bump the refcnt, which means the page_pool will not
> > > recycle the page when it sees the elevated refcnt (it will instead
> > > release its DMA-mapping).
> >
> > Yes this is right but the userspace might have already consumed and
> > unmapped the page before the driver considers to recycle the page.
>
> That is a good point.  So, there is a race window where it is possible
> to gain recycling.
>
> It seems my page_pool co-maintainer Ilias is interested in taking up the
> challenge to get this working with TCP RX zerocopy.  So, let's see how
> this is doable.

You could also check page_ref_count() - page_mapcount() instead of
just checking page_ref_count().  Assuming mapping/unmapping can't
race with recycling?