On 12/18/2013 04:43 PM, Andrew Morton wrote:
> On Wed, 18 Dec 2013 17:23:03 +0800 Wanpeng Li <[email protected]> wrote:
>
>>>> diff --git a/mm/rmap.c b/mm/rmap.c
>>>> index 55c8b8d..1e24813 100644
>>>> --- a/mm/rmap.c
>>>> +++ b/mm/rmap.c
>>>> @@ -1347,6 +1347,7 @@ static int try_to_unmap_cluster(unsigned long cursor, unsigned int *mapcount,
>>>> unsigned long end;
>>>> int ret = SWAP_AGAIN;
>>>> int locked_vma = 0;
>>>> + int we_locked = 0;
>>>>
>>>> address = (vma->vm_start + cursor) & CLUSTER_MASK;
>>>> end = address + CLUSTER_SIZE;
>>>> @@ -1385,9 +1386,15 @@ static int try_to_unmap_cluster(unsigned long cursor, unsigned int *mapcount,
>>>> BUG_ON(!page || PageAnon(page));
>>>>
>>>> if (locked_vma) {
>>>> - mlock_vma_page(page); /* no-op if already mlocked */
>>>> - if (page == check_page)
>>>> + if (page != check_page) {
>>>> + we_locked = trylock_page(page);
>>>
>>> If it's not us who has the page already locked, but somebody else, he
>>> might unlock it at this point and then the BUG_ON in mlock_vma_page()
>>> will trigger again.
>
> yes, this patch is pretty weak.
>
>> Any better idea is appreciated. ;-)
>
> Remove the BUG_ON() from mlock_vma_page()? Why was it added?
> isolate_lru_page() and putback_lru_page() and *might* require
> the page be locked, but I don't immediately see issues?
Ping? This BUG() is triggerable in 3.13-rc6 right now.
Thanks,
Sasha
On Fri, Jan 3, 2014 at 12:17 PM, Sasha Levin <[email protected]> wrote:
>
> Ping? This BUG() is triggerable in 3.13-rc6 right now.
So Andrew suggested just removing the BUG_ON(), but it's been there
for a *long* time.
And I detest the patch that was sent out that said "Should I check?"
Maybe we should just remove that mlock_vma_page() thing instead in
try_to_unmap_cluster()? Or maybe actually lock the page around calling
it?
Linus
On 01/03/2014 09:52 PM, Linus Torvalds wrote:
> On Fri, Jan 3, 2014 at 12:17 PM, Sasha Levin <[email protected]> wrote:
>>
>> Ping? This BUG() is triggerable in 3.13-rc6 right now.
>
> So Andrew suggested just removing the BUG_ON(), but it's been there
> for a *long* time.
Yes, Andrew also merged this patch for that:
http://ozlabs.org/~akpm/mmots/broken-out/mm-remove-bug_on-from-mlock_vma_page.patch
But there wasn't enough confidence in the fix to sent it to you yet, I guess.
The related thread: http://www.spinics.net/lists/linux-mm/msg66972.html
> And I detest the patch that was sent out that said "Should I check?"
>
> Maybe we should just remove that mlock_vma_page() thing instead in
You mean that it it's already undeterministic because it can be already skipped when
mmap_sem can't be acquired for read? I think the assumption for this case is that mmap_sem
is already held for write which means VM_LOCKED is unset anyway (per comments at
try_to_unmap_file(), which calls try_to_unmap_cluster()). I'm however not sure how it is
protected from somebody else holding the semaphore...
> try_to_unmap_cluster()? Or maybe actually lock the page around calling
> it?
check_page is already locked, see try_to_munlock() which calls try_to_unmap_file(). So
this might smell of potential deadlock?
I'm for going with the removal of BUG_ON. The TestSetPageMlocked should provide enough
race protection.
> Linus
>
> --
> To unsubscribe, send a message with 'unsubscribe linux-mm' in
> the body to [email protected]. For more info on Linux MM,
> see: http://www.linux-mm.org/ .
> Don't email: <a href=mailto:"[email protected]"> [email protected] </a>
>
On Sat, 04 Jan 2014 00:36:18 +0100 Vlastimil Babka <[email protected]> wrote:
> On 01/03/2014 09:52 PM, Linus Torvalds wrote:
> > On Fri, Jan 3, 2014 at 12:17 PM, Sasha Levin <[email protected]> wrote:
> >>
> >> Ping? This BUG() is triggerable in 3.13-rc6 right now.
> >
> > So Andrew suggested just removing the BUG_ON(), but it's been there
> > for a *long* time.
>
> Yes, Andrew also merged this patch for that:
> http://ozlabs.org/~akpm/mmots/broken-out/mm-remove-bug_on-from-mlock_vma_page.patch
>
> But there wasn't enough confidence in the fix to sent it to you yet, I guess.
>
> The related thread: http://www.spinics.net/lists/linux-mm/msg66972.html
Yes, I'd taken the cowardly approach of scheduling it for 3.14, with a
3.13.x backport.
Nobody answered my question! Is this a new bug or is it a
five-year-old bug which we only just discovered?
I guess it doesn't matter much - we should fix it in 3.13. I'll
include it in the next for-3.13 batch.
On Fri, Jan 3, 2014 at 3:36 PM, Vlastimil Babka <[email protected]> wrote:
>
> I'm for going with the removal of BUG_ON. The TestSetPageMlocked should provide enough
> race protection.
Maybe. But dammit, that's subtle, and I don't think you're even right.
It basically depends on mlock_vma_page() and munlock_vma_page() being
able to run CONCURRENTLY on the same page. In particular, you could
have a mlock_vma_page() set the bit on one CPU, and munlock_vma_page()
immediately clearing it on another, and then the rest of those
functions could run with a totally arbitrary interleaving when working
with the exact same page.
They both do basically
if (!isolate_lru_page(page))
putback_lru_page(page);
but one or the other would randomly win the race (it's internally
protected by the lru lock), and *if* the munlock_vma_page() wins it,
it would also do
try_to_munlock(page);
but if mlock_vma_page() wins it, that wouldn't happen. That looks
entirely broken - you end up with the PageMlocked bit clear, but
try_to_munlock() was never called on that page, because
mlock_vma_page() got to the page isolation before the "subsequent"
munlock_vma_page().
And this is very much what the page lock serialization would prevent.
So no, the PageMlocked in *no* way gives serialization. It's an atomic
bit op, yes, but that only "serializes" in one direction, not when you
can have a mix of bit setting and clearing.
So quite frankly, I think you're wrong. The BUG_ON() is correct, or at
least enforces some kind of ordering. And try_to_unmap_cluster() is
just broken in calling that without the page being locked. That's my
opinion. There may be some *other* reason why it all happens to work,
but no, "TestSetPageMlocked should provide enough race protection" is
simply not true, and even if it were, it's way too subtle and odd to
be a good rule.
So I really object to just removing the BUG_ON(). Not with a *lot*
more explanation as to why these kinds of issues wouldn't matter.
Linus
On 01/03/2014 06:56 PM, Andrew Morton wrote:
> Nobody answered my question! Is this a new bug or is it a
> five-year-old bug which we only just discovered?
I've rolled trinity back and was unable to reproduce this issue anymore. This
seems to be a 5 year old bug.
Thanks,
Sasha
On 01/04/2014 04:52 AM, Linus Torvalds wrote:
> On Fri, Jan 3, 2014 at 12:17 PM, Sasha Levin <[email protected]> wrote:
>>
>> Ping? This BUG() is triggerable in 3.13-rc6 right now.
>
> So Andrew suggested just removing the BUG_ON(), but it's been there
> for a *long* time.
>
> And I detest the patch that was sent out that said "Should I check?"
>
> Maybe we should just remove that mlock_vma_page() thing instead in
> try_to_unmap_cluster()? Or maybe actually lock the page around calling
I didn't get the reason why we have to call mlock_vma_page() in
try_to_unmap_cluster() and I agree to just remove it.
> it?
>
> Linus
>
--
Regards,
-Bob
On 01/04/2014 01:18 AM, Linus Torvalds wrote:
> On Fri, Jan 3, 2014 at 3:36 PM, Vlastimil Babka <[email protected]> wrote:
>>
>> I'm for going with the removal of BUG_ON. The TestSetPageMlocked should provide enough
>> race protection.
>
> Maybe. But dammit, that's subtle, and I don't think you're even right.
>
> It basically depends on mlock_vma_page() and munlock_vma_page() being
> able to run CONCURRENTLY on the same page. In particular, you could
> have a mlock_vma_page() set the bit on one CPU, and munlock_vma_page()
> immediately clearing it on another, and then the rest of those
> functions could run with a totally arbitrary interleaving when working
> with the exact same page.
>
> They both do basically
>
> if (!isolate_lru_page(page))
> putback_lru_page(page);
>
> but one or the other would randomly win the race (it's internally
> protected by the lru lock), and *if* the munlock_vma_page() wins it,
> it would also do
>
> try_to_munlock(page);
>
> but if mlock_vma_page() wins it, that wouldn't happen. That looks
> entirely broken - you end up with the PageMlocked bit clear, but
> try_to_munlock() was never called on that page, because
> mlock_vma_page() got to the page isolation before the "subsequent"
> munlock_vma_page().
I got the impression (see e.g. munlock_vma_page() comments) that the
whole thing is designed with this possibility in mind. isolate_lru_page()
may fail (presumably also in other scenarios than this) and if
try_to_munlock() was not called here, then yes the page might lose the
PageMlocked bit and go to LRU instead of inevictable list, but
try_to_unmap() should catch and fix this. That would also explain why
mlock_vma_page() is called from try_to_unmap_cluster().
So if I understand correctly, PageMlocked bit is not something that has
to be correctly set 100% of the time, but when it's set correctly most
of the time, then most of these pages will go to inevictable list and spare
vmscan's time.
> And this is very much what the page lock serialization would prevent.
> So no, the PageMlocked in *no* way gives serialization. It's an atomic
> bit op, yes, but that only "serializes" in one direction, not when you
> can have a mix of bit setting and clearing.
>
> So quite frankly, I think you're wrong. The BUG_ON() is correct, or at
> least enforces some kind of ordering. And try_to_unmap_cluster() is
> just broken in calling that without the page being locked. That's my
> opinion. There may be some *other* reason why it all happens to work,
> but no, "TestSetPageMlocked should provide enough race protection" is
> simply not true, and even if it were, it's way too subtle and odd to
> be a good rule.
Right, it was stupid of me to write such strong statement without any
details. I wanted to review that patch when back at work next week, but
since it came up now, I just wanted to point out that it's in the pipeline
for this bug.
> So I really object to just removing the BUG_ON(). Not with a *lot*
> more explanation as to why these kinds of issues wouldn't matter.
>
> Linus
>