2024-01-12 23:37:21

by Dennis Zhou

Subject: [PATCH 0/3 v2] lib/percpu_counter, cpu/hotplug: Cure the cpu_dying_mask woes

Hi everyone,

This is a respin of Thomas' series [1] against v6.7-rc4. Largely it's
the same minus a slight change in percpu_counter.c for batch
percpu_counters and updating __percpu_counter_limited_add().

I don't think we reached an alternative resolution here so I can queue
this up and give it some soak time in for-next.

[1] https://lore.kernel.org/lkml/[email protected]/

Thanks,
Dennis

Dennis Zhou (2):
lib/percpu_counter: Fix CPU hotplug handling
cpu/hotplug: Get rid of cpu_dying_mask

Thomas Gleixner (1):
cpu/hotplug: Remove export of cpu_active_mask and cpu_dying_mask

include/linux/cpuhotplug.h | 2 +-
include/linux/cpumask.h | 21 ------------
kernel/cpu.c | 45 +++++++++++++++++++++-----
kernel/sched/core.c | 4 +--
kernel/smpboot.h | 2 ++
lib/percpu_counter.c | 65 ++++++++++++++++----------------------
6 files changed, 70 insertions(+), 69 deletions(-)

--
2.39.1



2024-01-12 23:37:34

by Dennis Zhou

Subject: [PATCH 1/3] lib/percpu_counter: Fix CPU hotplug handling

Commit 8b57b11cca88 ("pcpcntrs: fix dying cpu summation race") tried to
address a race condition between percpu_counter_sum() and a concurrent CPU
hotplug operation.

The race window is between the point where an un-plugged CPU removed itself
from the online_cpu_mask and the hotplug state callback which folds the per
CPU counters of the now dead CPU into the global count.

percpu_counter_sum() used for_each_online_cpu() to accumulate the per CPU
local counts, so during the race window it failed to account for the not
yet folded back local count of the offlined CPU.

The attempt to address this used the admittedly undocumented and
pointlessly public cpu_dying_mask by changing the loop iterator to take
both the cpu_online_mask and the cpu_dying_mask into account.

That works to some extent, but it is incorrect.

The cpu_dying_mask bits are sticky even after cpu_up()/cpu_down()
completes. That means that all offlined CPUs are always taken into
account. In the case of disabling SMT at boottime or runtime this results
in evaluating _all_ offlined SMT siblings counters forever. Depending on
system size, that's a massive amount of cache-lines to be touched forever.

It might be argued that the cpu_dying_mask bit could be cleared when
cpu_down() completes, but that's not possible under all circumstances.

Especially with partial hotplug the bit must be sticky in order to keep the
initial user, i.e. the scheduler correct. Partial hotplug which allows
explicit state transitions also can create a situation where the race
window gets recreated:

cpu_down(target = CPUHP_PERCPU_CNT_DEAD + 1)

brings a CPU down to one state before the per CPU counter folding
callback. As this did not reach CPUHP_OFFLINE state the bit would stay set.
Now the next partial operation:

cpu_up(target = CPUHP_PERCPU_CNT_DEAD + 2)

has to clear the bit and the race window is open again.

There are two ways to solve this:

1) Maintain a local CPU mask in the per CPU counter code which
gets the bit set when a CPU comes online and removed in
the CPUHP_PERCPU_CNT_DEAD state after folding.

This adds more code and complexity.

2) Move the folding hotplug state into the DYING callback section, which
runs on the outgoing CPU immediately after it cleared its online bit.

There is no concurrency vs. percpu_counter_sum() on another CPU
because all still online CPUs are waiting in stop_machine() for the
outgoing CPU to complete its shutdown. The raw spinlock held around
the CPU mask iteration prevents that an online CPU reaches the stop
machine thread while iterating, which implicitly prevents the
outgoing CPU from clearing its online bit.

This is way simpler than #1 and makes the hotplug calls symmetric for
the price of a slightly longer wait time in stop_machine(), which is
not the end of the world as CPU un-plug is already slow. The overall
time for a cpu_down() operation stays exactly the same.

Implement #2 and plug the race completely.

percpu_counter_sum() is still inherently racy against a concurrent
percpu_counter_add_batch() fastpath unless externally serialized. That's
completely independent of CPU hotplug though.

Fixes: 8b57b11cca88 ("pcpcntrs: fix dying cpu summation race")
Signed-off-by: Thomas Gleixner <[email protected]>
[Dennis: Ported to v6.7-rc4. Updated percpu_counter.c for batch
percpu_counter creation and _percpu_counter_limited_add().]
Signed-off-by: Dennis Zhou <[email protected]>
---
include/linux/cpuhotplug.h | 2 +-
lib/percpu_counter.c | 65 ++++++++++++++++----------------------
2 files changed, 29 insertions(+), 38 deletions(-)

diff --git a/include/linux/cpuhotplug.h b/include/linux/cpuhotplug.h
index efc0c0b07efb..1e11f3193398 100644
--- a/include/linux/cpuhotplug.h
+++ b/include/linux/cpuhotplug.h
@@ -90,7 +90,6 @@ enum cpuhp_state {
CPUHP_FS_BUFF_DEAD,
CPUHP_PRINTK_DEAD,
CPUHP_MM_MEMCQ_DEAD,
- CPUHP_PERCPU_CNT_DEAD,
CPUHP_RADIX_DEAD,
CPUHP_PAGE_ALLOC,
CPUHP_NET_DEV_DEAD,
@@ -198,6 +197,7 @@ enum cpuhp_state {
CPUHP_AP_HRTIMERS_DYING,
CPUHP_AP_X86_TBOOT_DYING,
CPUHP_AP_ARM_CACHE_B15_RAC_DYING,
+ CPUHP_AP_PERCPU_COUNTER_STARTING,
CPUHP_AP_ONLINE,
CPUHP_TEARDOWN_CPU,

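Review bot: the position of CPUHP_AP_PERCPU_COUNTER_STARTING, directly before CPUHP_AP_ONLINE, is load-bearing and carries no comment saying so. Teardown callbacks run in reverse state order, so as the last entry of this section its dying callback is the first one to run on the outgoing CPU, which is what the changelog relies on when it says the fold happens right after the CPU cleared its online bit. A one-line comment above the entry would keep a later state from being slotted in between it and CPUHP_AP_ONLINE without thought.
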
diff --git a/lib/percpu_counter.c b/lib/percpu_counter.c
index 44dd133594d4..6a1354661378 100644
--- a/lib/percpu_counter.c
+++ b/lib/percpu_counter.c
@@ -12,7 +12,7 @@

#ifdef CONFIG_HOTPLUG_CPU
static LIST_HEAD(percpu_counters);
-static DEFINE_SPINLOCK(percpu_counters_lock);
+static DEFINE_RAW_SPINLOCK(percpu_counters_lock);
#endif

#ifdef CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER
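
Review bot: percpu_counters_lock turns into a raw spinlock at its definition here with nothing in the code saying why. The reason only shows further down, where percpu_counter_cpu_dying() takes the lock from the DYING section, in which a sleeping lock cannot be used on PREEMPT_RT. Please add a comment at the definition, and mention in the changelog that the list walk under it is now a raw-locked, interrupts-off section whose length grows with the number of registered counters.
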
@@ -126,13 +126,8 @@ EXPORT_SYMBOL(percpu_counter_sync);
* Add up all the per-cpu counts, return the result. This is a more accurate
* but much slower version of percpu_counter_read_positive().
*
- * We use the cpu mask of (cpu_online_mask | cpu_dying_mask) to capture sums
- * from CPUs that are in the process of being taken offline. Dying cpus have
- * been removed from the online mask, but may not have had the hotplug dead
- * notifier called to fold the percpu count back into the global counter sum.
- * By including dying CPUs in the iteration mask, we avoid this race condition
- * so __percpu_counter_sum() just does the right thing when CPUs are being taken
- * offline.
+ * Note: This function is inherently racy against the lockless fastpath of
+ * percpu_counter_add_batch() unless externaly serialized.
*/
s64 __percpu_counter_sum(struct percpu_counter *fbc)
{
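
Review bot: the replacement comment above __percpu_counter_sum() has a typo, "externaly" should read "externally", and it drops the hotplug paragraph without saying why iterating the online CPUs alone is now sufficient. One sentence would cover it, for example that the count of an outgoing CPU is folded into fbc->count by the DYING callback while the other CPUs are held in stop_machine(), as the changelog describes.
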
@@ -142,10 +137,8 @@ s64 __percpu_counter_sum(struct percpu_counter *fbc)

raw_spin_lock_irqsave(&fbc->lock, flags);
ret = fbc->count;
- for_each_cpu_or(cpu, cpu_online_mask, cpu_dying_mask) {
- s32 *pcount = per_cpu_ptr(fbc->counters, cpu);
- ret += *pcount;
- }
+ for_each_online_cpu(cpu)
+ ret += *per_cpu_ptr(fbc->counters, cpu);
raw_spin_unlock_irqrestore(&fbc->lock, flags);
return ret;
}
@@ -181,10 +174,10 @@ int __percpu_counter_init_many(struct percpu_counter *fbc, s64 amount,
}

#ifdef CONFIG_HOTPLUG_CPU
- spin_lock_irqsave(&percpu_counters_lock, flags);
+ raw_spin_lock_irqsave(&percpu_counters_lock, flags);
for (i = 0; i < nr_counters; i++)
list_add(&fbc[i].list, &percpu_counters);
- spin_unlock_irqrestore(&percpu_counters_lock, flags);
+ raw_spin_unlock_irqrestore(&percpu_counters_lock, flags);
#endif
return 0;
}
@@ -205,10 +198,10 @@ void percpu_counter_destroy_many(struct percpu_counter *fbc, u32 nr_counters)
debug_percpu_counter_deactivate(&fbc[i]);

#ifdef CONFIG_HOTPLUG_CPU
- spin_lock_irqsave(&percpu_counters_lock, flags);
+ raw_spin_lock_irqsave(&percpu_counters_lock, flags);
for (i = 0; i < nr_counters; i++)
list_del(&fbc[i].list);
- spin_unlock_irqrestore(&percpu_counters_lock, flags);
+ raw_spin_unlock_irqrestore(&percpu_counters_lock, flags);
#endif

free_percpu(fbc[0].counters);
@@ -221,22 +214,29 @@ EXPORT_SYMBOL(percpu_counter_destroy_many);
int percpu_counter_batch __read_mostly = 32;
EXPORT_SYMBOL(percpu_counter_batch);

-static int compute_batch_value(unsigned int cpu)
+static void compute_batch_value(int offs)
{
- int nr = num_online_cpus();
+ int nr = num_online_cpus() + offs;

- percpu_counter_batch = max(32, nr*2);
+ percpu_counter_batch = max(32, nr * 2);
+}
+
+static int percpu_counter_cpu_starting(unsigned int cpu)
+{
+ /* If invoked during hotplug @cpu is not yet marked online. */
+ compute_batch_value(cpu_online(cpu) ? 0 : 1);
return 0;
}

-static int percpu_counter_cpu_dead(unsigned int cpu)
+static int percpu_counter_cpu_dying(unsigned int cpu)
{
#ifdef CONFIG_HOTPLUG_CPU
struct percpu_counter *fbc;
+ unsigned long flags;

- compute_batch_value(cpu);
+ compute_batch_value(0);

- spin_lock_irq(&percpu_counters_lock);
+ raw_spin_lock_irqsave(&percpu_counters_lock, flags);
list_for_each_entry(fbc, &percpu_counters, list) {
s32 *pcount;

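Review bot: compute_batch_value() gains an offs argument whose meaning is explained at only one of its two call sites. percpu_counter_cpu_starting() has the comment about @cpu not yet being marked online, but percpu_counter_cpu_dying() passes 0 with no word that this relies on the outgoing CPU having already cleared its online bit. Please mirror the comment in the dying callback or document offs once at compute_batch_value() itself.
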
@@ -246,7 +246,7 @@ static int percpu_counter_cpu_dead(unsigned int cpu)
*pcount = 0;
raw_spin_unlock(&fbc->lock);
}
- spin_unlock_irq(&percpu_counters_lock);
+ raw_spin_unlock_irqrestore(&percpu_counters_lock, flags);
#endif
return 0;
}
@@ -331,13 +331,11 @@ bool __percpu_counter_limited_add(struct percpu_counter *fbc,
}

if (!good) {
- s32 *pcount;
int cpu;

- for_each_cpu_or(cpu, cpu_online_mask, cpu_dying_mask) {
- pcount = per_cpu_ptr(fbc->counters, cpu);
- count += *pcount;
- }
+ for_each_online_cpu(cpu)
+ count += *per_cpu_ptr(fbc->counters, cpu);
+
if (amount > 0) {
if (count > limit)
goto out;
@@ -359,15 +357,8 @@ bool __percpu_counter_limited_add(struct percpu_counter *fbc,

static int __init percpu_counter_startup(void)
{
- int ret;
-
- ret = cpuhp_setup_state(CPUHP_AP_ONLINE_DYN, "lib/percpu_cnt:online",
- compute_batch_value, NULL);
- WARN_ON(ret < 0);
- ret = cpuhp_setup_state_nocalls(CPUHP_PERCPU_CNT_DEAD,
- "lib/percpu_cnt:dead", NULL,
- percpu_counter_cpu_dead);
- WARN_ON(ret < 0);
+ WARN_ON(cpuhp_setup_state(CPUHP_AP_PERCPU_COUNTER_STARTING, "lib/percpu_counter:starting",
+ percpu_counter_cpu_starting, percpu_counter_cpu_dying));
return 0;
}
module_init(percpu_counter_startup);
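
Review bot: in percpu_counter_startup() a failed cpuhp_setup_state() still only warns and returns 0, but the consequence is heavier than before. With both summation loops reduced to for_each_online_cpu(), a missing dying callback means the local counts of every offlined CPU are silently dropped, where the old online-or-dying iteration would still have picked them up. Either propagate the error or add a comment saying why registering this fixed state cannot fail; keeping the call out of WARN_ON(), as the old "ret = ...; WARN_ON(ret < 0);" form did, would also avoid a side effect inside the macro.
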
--
2.39.1


2024-01-12 23:37:43

by Dennis Zhou

Subject: [PATCH 2/3] cpu/hotplug: Remove export of cpu_active_mask and cpu_dying_mask

From: Thomas Gleixner <[email protected]>

No module users and no module should ever care.

Signed-off-by: Thomas Gleixner <[email protected]>
Reviewed-by: Valentin Schneider <[email protected]>
[Dennis: applied cleanly]
Signed-off-by: Dennis Zhou <[email protected]>
---
kernel/cpu.c | 2 --
1 file changed, 2 deletions(-)

diff --git a/kernel/cpu.c b/kernel/cpu.c
index a86972a91991..c4929e9cd9be 100644
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -3126,10 +3126,8 @@ struct cpumask __cpu_present_mask __read_mostly;
EXPORT_SYMBOL(__cpu_present_mask);

struct cpumask __cpu_active_mask __read_mostly;
-EXPORT_SYMBOL(__cpu_active_mask);

struct cpumask __cpu_dying_mask __read_mostly;
-EXPORT_SYMBOL(__cpu_dying_mask);

atomic_t __num_online_cpus __read_mostly;
EXPORT_SYMBOL(__num_online_cpus);
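
Review bot: dropping EXPORT_SYMBOL(__cpu_active_mask) also takes cpu_active() away from modules, because that helper is a static inline in include/linux/cpumask.h that tests cpu_active_mask directly. "No module users" in the changelog should say how that was checked, for instance with an allmodconfig build, so the claim covers the inline helper and not only direct references to the symbol.
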
--
2.39.1


2024-01-12 23:38:03

by Dennis Zhou

Subject: [PATCH 3/3] cpu/hotplug: Get rid of cpu_dying_mask

The cpu_dying_mask is not only undocumented but also to some extent a
misnomer. Its purpose is to capture the last direction of a cpu_up() or
cpu_down() operation taking eventual rollback operations into account. The
name and the lack of documentation already lured someone into using it in the
wrong way.

The initial user is the scheduler code which needs to keep the decision
correct whether to schedule tasks on a CPU, which is between the
CPUHP_ONLINE and the CPUHP_ACTIVE state and has the balance_push() hook
installed.

cpu_dying_mask is not really useful for general consumption. The
cpu_dying_mask bits are sticky even after cpu_up() or cpu_down()
completes.

It might be argued that the cpu_dying_mask bit could be cleared when
cpu_down() completes, but that's not possible under all circumstances.

Especially not with partial hotplug operations. In that case the bit must
be sticky in order to keep the initial user, i.e. the scheduler correct.

Replace the cpumask completely by:

- recording the direction internally in the CPU hotplug core state

- exposing that state via a documented function to the scheduler

After that cpu_dying_mask is no longer in use and removed before the next
user trips over it.

Signed-off-by: Thomas Gleixner <[email protected]>
[Dennis: ported to v6.7-rc4, delete in cpumask.h didn't apply cleanly]
Signed-off-by: Dennis Zhou <[email protected]>
---
include/linux/cpumask.h | 21 --------------------
kernel/cpu.c | 43 +++++++++++++++++++++++++++++++++++------
kernel/sched/core.c | 4 ++--
kernel/smpboot.h | 2 ++
4 files changed, 41 insertions(+), 29 deletions(-)

diff --git a/include/linux/cpumask.h b/include/linux/cpumask.h
index cfb545841a2c..b19b6fd29a0d 100644
--- a/include/linux/cpumask.h
+++ b/include/linux/cpumask.h
@@ -126,12 +126,10 @@ extern struct cpumask __cpu_possible_mask;
extern struct cpumask __cpu_online_mask;
extern struct cpumask __cpu_present_mask;
extern struct cpumask __cpu_active_mask;
-extern struct cpumask __cpu_dying_mask;
#define cpu_possible_mask ((const struct cpumask *)&__cpu_possible_mask)
#define cpu_online_mask ((const struct cpumask *)&__cpu_online_mask)
#define cpu_present_mask ((const struct cpumask *)&__cpu_present_mask)
#define cpu_active_mask ((const struct cpumask *)&__cpu_active_mask)
-#define cpu_dying_mask ((const struct cpumask *)&__cpu_dying_mask)

extern atomic_t __num_online_cpus;

@@ -1035,15 +1033,6 @@ set_cpu_active(unsigned int cpu, bool active)
cpumask_clear_cpu(cpu, &__cpu_active_mask);
}

-static inline void
-set_cpu_dying(unsigned int cpu, bool dying)
-{
- if (dying)
- cpumask_set_cpu(cpu, &__cpu_dying_mask);
- else
- cpumask_clear_cpu(cpu, &__cpu_dying_mask);
-}
-
/**
* to_cpumask - convert a NR_CPUS bitmap to a struct cpumask *
* @bitmap: the bitmap
@@ -1119,11 +1108,6 @@ static inline bool cpu_active(unsigned int cpu)
return cpumask_test_cpu(cpu, cpu_active_mask);
}

-static inline bool cpu_dying(unsigned int cpu)
-{
- return cpumask_test_cpu(cpu, cpu_dying_mask);
-}
-
#else

#define num_online_cpus() 1U
@@ -1151,11 +1135,6 @@ static inline bool cpu_active(unsigned int cpu)
return cpu == 0;
}

-static inline bool cpu_dying(unsigned int cpu)
-{
- return false;
-}
-
#endif /* NR_CPUS > 1 */

#define cpu_is_offline(cpu) unlikely(!cpu_online(cpu))
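
Review bot: the uniprocessor stub of cpu_dying() is removed from the "#else" branch here, while its replacement cpuhp_cpu_goes_down() is only declared in kernel/smpboot.h with no stub counterpart. Please confirm that the definition in kernel/cpu.c and both callers in kernel/sched/core.c are built under the same configuration, or add a static inline returning false for the NR_CPUS == 1 case so that such a build cannot end up with an undefined reference.
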
diff --git a/kernel/cpu.c b/kernel/cpu.c
index c4929e9cd9be..ce78757b7535 100644
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -54,6 +54,9 @@
* @rollback: Perform a rollback
* @single: Single callback invocation
* @bringup: Single callback bringup or teardown selector
+ * @goes_down: Indicator for direction of cpu_up()/cpu_down() operations
+ * including eventual rollbacks. Not affected by state or
+ * instance add/remove operations. See cpuhp_cpu_goes_down().
* @cpu: CPU number
* @node: Remote CPU node; for multi-instance, do a
* single entry callback for install/remove
@@ -74,6 +77,7 @@ struct cpuhp_cpu_state {
bool rollback;
bool single;
bool bringup;
+ bool goes_down;
struct hlist_node *node;
struct hlist_node *last;
enum cpuhp_state cb_state;
@@ -474,6 +478,37 @@ void cpu_maps_update_done(void)
mutex_unlock(&cpu_add_remove_lock);
}

+/**
+ * cpuhp_cpu_goes_down - Query the current/last CPU hotplug direction of a CPU
+ * @cpu: The CPU to query
+ *
+ * The direction indicator is modified by the hotplug core on
+ * cpu_up()/cpu_down() operations including eventual rollback operations.
+ * The indicator is not affected by state or instance install/remove
+ * operations.
+ *
+ * The indicator is sticky after the hotplug operation completes, whether
+ * the operation was a full up/down or just a partial bringup/teardown.
+ *
+ * goes_down
+ * cpu_up(target) enter -> False
+ * rollback on fail -> True
+ * cpu_up(target) exit Last state
+ *
+ * cpu_down(target) enter -> True
+ * rollback on fail -> False
+ * cpu_down(target) exit Last state
+ *
+ * The return value is a racy snapshot and not protected against concurrent
+ * CPU hotplug operations which modify the indicator.
+ *
+ * Returns: True if cached direction is down, false otherwise
+ */
+bool cpuhp_cpu_goes_down(unsigned int cpu)
+{
+ return data_race(per_cpu(cpuhp_state.goes_down, cpu));
+}
+
/*
* If set, cpu_up and cpu_down will return -EBUSY and do nothing.
* Should always be manipulated under cpu_add_remove_lock
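
Review bot: cpuhp_cpu_goes_down() reads the flag under data_race(), while cpuhp_set_state() and cpuhp_reset_state() write it with a plain "st->goes_down = !bringup;". data_race() only tells KCSAN the race is intended and puts no constraint on how the compiler performs the access, so if "racy snapshot" is meant as "possibly stale, but always a value that was written", READ_ONCE() here paired with WRITE_ONCE() at the two stores states that directly. The kernel-doc should also say what the scheduler callers rely on to make a stale value harmless.
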
@@ -708,8 +743,7 @@ cpuhp_set_state(int cpu, struct cpuhp_cpu_state *st, enum cpuhp_state target)
st->target = target;
st->single = false;
st->bringup = bringup;
- if (cpu_dying(cpu) != !bringup)
- set_cpu_dying(cpu, !bringup);
+ st->goes_down = !bringup;

return prev_state;
}
@@ -743,8 +777,7 @@ cpuhp_reset_state(int cpu, struct cpuhp_cpu_state *st,
}

st->bringup = bringup;
- if (cpu_dying(cpu) != !bringup)
- set_cpu_dying(cpu, !bringup);
+ st->goes_down = !bringup;
}

/* Regular hotplug invocation of the AP hotplug thread */
@@ -3127,8 +3160,6 @@ EXPORT_SYMBOL(__cpu_present_mask);

struct cpumask __cpu_active_mask __read_mostly;

-struct cpumask __cpu_dying_mask __read_mostly;
-
atomic_t __num_online_cpus __read_mostly;
EXPORT_SYMBOL(__num_online_cpus);

diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index a708d225c28e..6d4f0cdad446 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -2468,7 +2468,7 @@ static inline bool is_cpu_allowed(struct task_struct *p, int cpu)
return cpu_online(cpu);

/* Regular kernel threads don't get to stay during offline. */
- if (cpu_dying(cpu))
+ if (cpuhp_cpu_goes_down(cpu))
return false;

/* But are allowed during online. */
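
Review bot: in is_cpu_allowed() the test changes from cpu_dying(), a static inline cpumask bit test, to cpuhp_cpu_goes_down(), an out-of-line call into kernel/cpu.c that does a per_cpu() lookup. This check sits on task placement paths, so the changelog should state whether the added call was measured or judged irrelevant; if it matters, the accessor could be made inline over an exported per-CPU flag instead.
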
@@ -9434,7 +9434,7 @@ static void balance_push(struct rq *rq)
* Only active while going offline and when invoked on the outgoing
* CPU.
*/
- if (!cpu_dying(rq->cpu) || rq != this_rq())
+ if (!cpuhp_cpu_goes_down(rq->cpu) || rq != this_rq())
return;

/*
diff --git a/kernel/smpboot.h b/kernel/smpboot.h
index 34dd3d7ba40b..9d3b4d554411 100644
--- a/kernel/smpboot.h
+++ b/kernel/smpboot.h
@@ -20,4 +20,6 @@ int smpboot_unpark_threads(unsigned int cpu);

void __init cpuhp_threads_init(void);

+bool cpuhp_cpu_goes_down(unsigned int cpu);
+
#endif
--
2.39.1