Hi,
Another posting of the full swap over NFS series.
Andrew/Linus, could we start thinking of sticking this in -mm?
[ patches against 2.6.25-rc2-mm1, also to be found online at:
http://programming.kicks-ass.net/kernel-patches/vm_deadlock/v2.6.25-rc2-mm1/ ]
The patch-set can be split in roughtly 5 parts, for each of which I shall give
a description.
Part 1, patches 1-11
The problem with swap over network is the generic swap problem: needing memory
to free memory. Normally this is solved using mempools, as can be seen in the
BIO layer.
Swap over network has the problem that the network subsystem does not use fixed
sized allocations, but heavily relies on kmalloc(). This makes mempools
unusable.
This first part provides a generic reserve framework. This framework
could also be used to get rid of some of the __GFP_NOFAIL users.
Care is taken to only affect the slow paths - when we're low on memory.
Caveats: it currently doesn't do SLOB.
1 - mm: gfp_to_alloc_flags()
2 - mm: tag reseve pages
3 - mm: sl[au]b: add knowledge of reserve pages
4 - mm: kmem_estimate_pages()
5 - mm: allow PF_MEMALLOC from softirq context
6 - mm: serialize access to min_free_kbytes
7 - mm: emergency pool
8 - mm: system wide ALLOC_NO_WATERMARK
9 - mm: __GFP_MEMALLOC
10 - mm: memory reserve management
11 - selinux: tag avc cache alloc as non-critical
Part 2, patches 12-14
Provide some generic network infrastructure needed later on.
12 - net: wrap sk->sk_backlog_rcv()
13 - net: packet split receive api
14 - net: sk_allocation() - concentrate socket related allocations
Part 3, patches 15-21
Now that we have a generic memory reserve system, use it on the network stack.
The thing that makes this interesting is that, contrary to BIO, both the
transmit and receive path require memory allocations.
That is, in the BIO layer write back completion is usually just an ISR flipping
a bit and waking stuff up. A network write back completion involved receiving
packets, which when there is no memory, is rather hard. And even when there is
memory there is no guarantee that the required packet comes in in the window
that that memory buys us.
The solution to this problem is found in the fact that network is to be assumed
lossy. Even now, when there is no memory to receive packets the network card
will have to discard packets. What we do is move this into the network stack.
So we reserve a little pool to act as a receive buffer, this allows us to
inspect packets before tossing them. This way, we can filter out those packets
that ensure progress (writeback completion) and disregard the others (as would
have happened anyway). [ NOTE: this is a stable mode of operation with limited
memory usage, exactly the kind of thing we need ]
Again, care is taken to keep much of the overhead of this to only affect the
slow path. Only packets allocated from the reserves will suffer the extra
atomic overhead needed for accounting.
15 - netvm: network reserve infrastructure
16 - netvm: INET reserves.
17 - netvm: hook skb allocation to reserves
18 - netvm: filter emergency skbs.
19 - netvm: prevent a TCP specific deadlock
20 - netfilter: NF_QUEUE vs emergency skbs
21 - netvm: skb processing
Part 4, patches 22-23
Generic vm infrastructure to handle swapping to a filesystem instead of a block
device.
This provides new a_ops to handle swapcache pages and could be used to obsolete
the bmap usage for swapfiles.
22 - mm: add support for non block device backed swap files
23 - mm: methods for teaching filesystems about PG_swapcache pages
Part 5, patches 24-28
Finally, convert NFS to make use of the new network and vm infrastructure to
provide swap over NFS.
24 - nfs: remove mempools
25 - nfs: teach the NFS client how to treat PG_swapcache pages
26 - nfs: disable data cache revalidation for swapfiles
27 - nfs: enable swap on NFS
28 - nfs: fix various memory recursions possible with swap over NFS.
Changes since -v15:
- fwd port
- more SGE fragment drivers ported
- made the new swapfile logic unconditional
- various bug fixes and cleanups
On Wed, 20 Feb 2008 15:46:10 +0100 Peter Zijlstra <[email protected]> wrote:
> Another posting of the full swap over NFS series.
Well I looked. There's rather a lot of it and I wouldn't pretend to
understand it.
What is the NFS and net people's take on all of this?
On Saturday February 23, [email protected] wrote:
> On Wed, 20 Feb 2008 15:46:10 +0100 Peter Zijlstra <[email protected]> wrote:
>
> > Another posting of the full swap over NFS series.
>
> Well I looked. There's rather a lot of it and I wouldn't pretend to
> understand it.
But pretending is fun :-)
>
> What is the NFS and net people's take on all of this?
Well I'm only vaguely an NFS person, barely a net person, sporadically
an mm person, but I've had a look and it seems to mostly make sense.
We introduce a new "emergency" concept for page allocation.
The size of the emergency pool is set by various reservations by
different potential users.
If the number of free pages is below the "emergency" size, then only
users with a "MEMALLOC" flag get to allocate pages. Further, those
pages get a "reserve" flag set which propagates into slab/slub so
kmalloc/kmemalloc only return memory from those pages to MEMALLOC
users.
MEMALLOC users are those that set PF_MEMALLOC. A socket can get
SOCK_MEMALLOC set which will cause certain pieces of code to
temporarily set PF_MEMALLOC while working on that socket.
The upshot is that providing any MEMALLOC user reserves an appropriate
amount of emergency space, returns the emergency memory promptly, and
sets PF_MEMALLOC whenever allocating memory, it's memory allocations
should never fail.
As memory is requested is small units, but allocated as pages, there
needs to be a conversion from small-units to pages. One of the
patches does this and appears to err on the side of be over-generous,
which is the right thing to do.
Memory reservations are organised in a tree. I really don't
understand the tree. Is it just to make /proc/reserve_info look more
helpful?
Certainly all the individual reservations need to be recorded, and the
cumulative reservation needs also to be recorded (currently in the
root of the tree) but what are all the other levels used for?
Reservations are used for all the transient memory that might be used
by the network stack. This particularly includes the route cache and
skbs for incoming messages. I have no idea if there is anything else
that needs to be allowed for.
Filesystems can advertise (via address_space_operations) that files
may be used as swap file. They then provide swapout/swapin methods
which are like writepage/readpage but may behave differently and have
a different way to get credentials from a 'struct file'.
So in general, the patch set looks to have the right sort of shape. I
cannot be very authoritative on the details as there are a lot of
them, and they touch code that I'm not very familiar with.
Some specific comments on patches:
reserve-slub.patch
Please avoid irrelevant reformatting in patches. It makes them
harder to read. e.g.:
-static void setup_object(struct kmem_cache *s, struct page *page,
- void *object)
+static void setup_object(struct kmem_cache *s, struct page *page, void *object)
mm-kmem_estimate_pages.patch
This introduces
kestimate
kestimate_single
kmem_estimate_pages
The last obviously returns a number of pages. The contrast seems
to suggest the others don't. But they do...
I don't think the names are very good, but I concede that it is
hard to choose good names here. Maybe:
kmalloc_estimate_variable
kmalloc_estimate_fixed
kmem_alloc_estimate
???
mm-reserve.patch
I'm confused by __mem_reserve_add.
+ reserve = mem_reserve_root.pages;
+ __calc_reserve(res, pages, 0);
+ reserve = mem_reserve_root.pages - reserve;
__calc_reserve will always add 'pages' to mem_reserve_root.pages.
So this is a complex way of doing
reserve = pages;
__calc_reserve(res, pages, 0);
And as you can calculate reserve before calling __calc_reserve
(which seems odd when stated that way), the whole function looks
like it could become:
ret = adjust_memalloc_reserve(pages);
if (!ret)
__calc_reserve(res, pages, limit);
return ret;
What am I missing?
Also, mem_reserve_disconnect really should be a "void" function.
Just put a BUG_ON(ret) and don't return anything.
Finally, I'll just repeat that the purpose of the tree structure
eludes me.
net-sk_allocation.patch
Why are the "GFP_KERNEL" call sites just changed to
"sk->sk_allocation" rather than "sk_allocation(sk, GFP_KERNEL)" ??
I assume there is a good reason, and seeing it in the change log
would educate me and make the patch more obviously correct.
netvm-reserve.patch
Function names again:
sk_adjust_memalloc
sk_set_memalloc
sound similar. Purpose is completely different.
mm-page_file_methods.patch
This makes page_offset and others more expensive by adding a
conditional jump to a function call that is not usually made.
Why do swap pages have a different index to everyone else?
nfs-swap_ops.patch
What happens if you have two swap files on the same NFS
filesystem?
I assume ->swapfile gets called twice. But it hasn't been written
to nest, so the first swapoff will disable swapping for both
files??
That's all for now :-)
NeilBrown
Hi Neil,
On Tue, 2008-02-26 at 17:03 +1100, Neil Brown wrote:
> On Saturday February 23, [email protected] wrote:
> > What is the NFS and net people's take on all of this?
>
> Well I'm only vaguely an NFS person, barely a net person, sporadically
> an mm person, but I've had a look and it seems to mostly make sense.
Thanks for taking a look, and giving such elaborate feedback. I'll try
and address these issues asap, but first let me reply to a few points
here.
> We introduce a new "emergency" concept for page allocation.
> The size of the emergency pool is set by various reservations by
> different potential users.
> If the number of free pages is below the "emergency" size, then only
> users with a "MEMALLOC" flag get to allocate pages. Further, those
> pages get a "reserve" flag set which propagates into slab/slub so
> kmalloc/kmemalloc only return memory from those pages to MEMALLOC
> users.
> MEMALLOC users are those that set PF_MEMALLOC. A socket can get
> SOCK_MEMALLOC set which will cause certain pieces of code to
> temporarily set PF_MEMALLOC while working on that socket.
Small detail, there is also __GFP_MEMALLOC, this is used for single
allocations to avoid setting and unsetting PF_MEMALLOC - like in the skb
alloc once we have determined we otherwise fail and still have room.
> The upshot is that providing any MEMALLOC user reserves an appropriate
> amount of emergency space, returns the emergency memory promptly, and
> sets PF_MEMALLOC whenever allocating memory, it's memory allocations
> should never fail.
>
> As memory is requested is small units, but allocated as pages, there
> needs to be a conversion from small-units to pages. One of the
> patches does this and appears to err on the side of be over-generous,
> which is the right thing to do.
>
>
> Memory reservations are organised in a tree. I really don't
> understand the tree. Is it just to make /proc/reserve_info look more
> helpful?
> Certainly all the individual reservations need to be recorded, and the
> cumulative reservation needs also to be recorded (currently in the
> root of the tree) but what are all the other levels used for?
Ah, there is a little trick there, I hint at that in the reserve.c
description comment:
+ * As long as a subtree has the same usage unit, an aggregate node can be used
+ * to charge against, instead of the leaf nodes. However, do be consistent with
+ * who is charged, resource usage is not propagated up the tree (for
+ * performance reasons).
And I actually use that, if we show a little of the tree (which andrew
rightly dislikes for not being machine parseable - will fix):
+ * localhost ~ # cat /proc/reserve_info
+ * total reserve 8156K (0/544817)
+ * total network reserve 8156K (0/544817)
+ * network TX reserve 196K (0/49)
+ * protocol TX pages 196K (0/49)
+ * network RX reserve 7960K (0/544768)
+ * IPv6 route cache 1372K (0/4096)
+ * IPv4 route cache 5468K (0/16384)
+ * SKB data reserve 1120K (0/524288)
+ * IPv6 fragment cache 560K (0/262144)
+ * IPv4 fragment cache 560K (0/262144)
We see that the 'SKB data reserve' is build up of the IPv4 and IPv6
fragment cache reserves.
I use the 'SKB data reserve' to charge memory against and account usage,
but use its children to grow/shrink the actual reserve.
This allows you to see the individual reserves, but still use an
aggregate.
The tree form is the simplest structure that allowed such things,
another nice thing is that you can easily detach whole sub-trees to stop
actually reserving the memory, but continue tracking its potential
needs.
This is done when there are no SOCK_MEMALLOC sockets around. The 'total
network reserve' is detached, reducing the 'total reserve' to 0
(assuming no other reserve trees) but the individual reserves are still
tracking their potential need for when it will be re-attached.
With only a single user this might seen a little too much, but I have
hopes for more users.
> Reservations are used for all the transient memory that might be used
> by the network stack. This particularly includes the route cache and
> skbs for incoming messages. I have no idea if there is anything else
> that needs to be allowed for.
This is something I'd like feedback on from the network guru's. In my
reading there weren't many other allocation sites, but hey, I'm not much
of a net person myself. (I did write some instrumentation to track
allocations, but I'm sure I didn't get full coverage of the stack with
my simple usage).
> Filesystems can advertise (via address_space_operations) that files
> may be used as swap file. They then provide swapout/swapin methods
> which are like writepage/readpage but may behave differently and have
> a different way to get credentials from a 'struct file'.
Yes, the added benefit is that even regular blockdev filesystem swap
files could move to this interface and we'd finally be able to remove
->bmap().
> So in general, the patch set looks to have the right sort of shape. I
> cannot be very authoritative on the details as there are a lot of
> them, and they touch code that I'm not very familiar with.
>
> Some specific comments on patches:
>
>
> reserve-slub.patch
>
> Please avoid irrelevant reformatting in patches. It makes them
> harder to read. e.g.:
>
> -static void setup_object(struct kmem_cache *s, struct page *page,
> - void *object)
> +static void setup_object(struct kmem_cache *s, struct page *page, void *object)
Right, I'll split out the cleanups and send those in separately.
> mm-kmem_estimate_pages.patch
>
> This introduces
> kestimate
> kestimate_single
> kmem_estimate_pages
>
> The last obviously returns a number of pages. The contrast seems
> to suggest the others don't. But they do...
> I don't think the names are very good, but I concede that it is
> hard to choose good names here. Maybe:
> kmalloc_estimate_variable
> kmalloc_estimate_fixed
> kmem_alloc_estimate
> ???
You caught me here (and further on), I'm one of those who needs a little
help when it comes to names :-). I'll try and improve the ones you
pointed out.
> mm-reserve.patch
>
> I'm confused by __mem_reserve_add.
>
> + reserve = mem_reserve_root.pages;
> + __calc_reserve(res, pages, 0);
> + reserve = mem_reserve_root.pages - reserve;
>
> __calc_reserve will always add 'pages' to mem_reserve_root.pages.
> So this is a complex way of doing
> reserve = pages;
> __calc_reserve(res, pages, 0);
>
> And as you can calculate reserve before calling __calc_reserve
> (which seems odd when stated that way), the whole function looks
> like it could become:
>
> ret = adjust_memalloc_reserve(pages);
> if (!ret)
> __calc_reserve(res, pages, limit);
> return ret;
>
> What am I missing?
Probably the horrible twist my brain has. Looking at it makes me doubt
my own sanity. I think you're right - it would also clean up
__calc_reserve() a little.
This is what review for :-)
> Also, mem_reserve_disconnect really should be a "void" function.
> Just put a BUG_ON(ret) and don't return anything.
Agreed, I was being over cautious here. I'll WARN_ON, as Andrew is
scared of BUGs :-)
> Finally, I'll just repeat that the purpose of the tree structure
> eludes me.
I hope to have cleared that up. It came from the desire of my users
(there are quite a few out there who use some form of this code) to see
what the reserve is made up of - to see what tunables to use, and their
effect.
The tree form was the easiest that allowed me to keep individual
reserves and work with aggregates. (Must confess, some nodes are purely
decoration).
> net-sk_allocation.patch
>
> Why are the "GFP_KERNEL" call sites just changed to
> "sk->sk_allocation" rather than "sk_allocation(sk, GFP_KERNEL)" ??
>
> I assume there is a good reason, and seeing it in the change log
> would educate me and make the patch more obviously correct.
Good point. I think because of legacy (with this patch-set) reasons. Its
not needed for my use of sk_allocation(), but that gives me no right to
deny other people more creative uses of this construct. I'll rectify
this.
> netvm-reserve.patch
>
> Function names again:
>
> sk_adjust_memalloc
> sk_set_memalloc
>
> sound similar. Purpose is completely different.
The naming thing,... I'll try and come up with better ones.
> mm-page_file_methods.patch
>
> This makes page_offset and others more expensive by adding a
> conditional jump to a function call that is not usually made.
>
> Why do swap pages have a different index to everyone else?
Because the page->index of an anonymous page is related to its (anon)vma
so that it satisfies the constraints for vm_normal_page().
The index in the swap file it totally unrelated and quite random. Hence
the swap-cache uses page->private to store it in.
Moving these functions inline (esp __page_file_index seems doable)
results in a horrible include hell.
> nfs-swap_ops.patch
>
> What happens if you have two swap files on the same NFS
> filesystem?
> I assume ->swapfile gets called twice. But it hasn't been written
> to nest, so the first swapoff will disable swapping for both
> files??
Hmm,.. you are quite right (again). I failed to consider this. Not sure
how to rectify this as xprt->swapper is but a single bit.
I'll think about this.
Thanks!
On Tue, 2008-02-26 at 11:50 +0100, Peter Zijlstra wrote:
> > mm-reserve.patch
> >
> > I'm confused by __mem_reserve_add.
> >
> > + reserve = mem_reserve_root.pages;
> > + __calc_reserve(res, pages, 0);
> > + reserve = mem_reserve_root.pages - reserve;
> >
> > __calc_reserve will always add 'pages' to mem_reserve_root.pages.
> > So this is a complex way of doing
> > reserve = pages;
> > __calc_reserve(res, pages, 0);
> >
> > And as you can calculate reserve before calling __calc_reserve
> > (which seems odd when stated that way), the whole function looks
> > like it could become:
> >
> > ret = adjust_memalloc_reserve(pages);
> > if (!ret)
> > __calc_reserve(res, pages, limit);
> > return ret;
> >
> > What am I missing?
>
> Probably the horrible twist my brain has. Looking at it makes me doubt
> my own sanity. I think you're right - it would also clean up
> __calc_reserve() a little.
>
> This is what review for :-)
Ah, you confused me. Well, I confused me - this does deserve a comment
its tricksy.
Its correct. The trick is, the mem_reserve in question (res) need not be
connected to mem_reserve_root.
In that case, mem_reserve_root.pages will not change, but we do
propagate the change as far up as possible, so that
mem_reserve_connect() can just observe the parent and child without
being bothered by the rest of the hierarchy.
> > mm-page_file_methods.patch
> >
> > This makes page_offset and others more expensive by adding a
> > conditional jump to a function call that is not usually made.
> >
> > Why do swap pages have a different index to everyone else?
>
> Because the page->index of an anonymous page is related to its (anon)vma
> so that it satisfies the constraints for vm_normal_page().
>
> The index in the swap file it totally unrelated and quite random. Hence
> the swap-cache uses page->private to store it in.
Yeah, and putting the condition into page_offset() will confuse code
which uses it for finding the offset in the VMA or in a tmpfs file.
So why not just have a separate page_swap_offset() function, used
exclusively by swap_in/out()?
Miklos
On Tue, 2008-02-26 at 16:29 +0100, Miklos Szeredi wrote:
> > > mm-page_file_methods.patch
> > >
> > > This makes page_offset and others more expensive by adding a
> > > conditional jump to a function call that is not usually made.
> > >
> > > Why do swap pages have a different index to everyone else?
> >
> > Because the page->index of an anonymous page is related to its (anon)vma
> > so that it satisfies the constraints for vm_normal_page().
> >
> > The index in the swap file it totally unrelated and quite random. Hence
> > the swap-cache uses page->private to store it in.
>
> Yeah, and putting the condition into page_offset() will confuse code
> which uses it for finding the offset in the VMA
Right, do we do that anywhere?
> or in a tmpfs file.
Good point. I really should go read tmpfs some day, its really a blind
spot for me.
> So why not just have a separate page_swap_offset() function, used
> exclusively by swap_in/out()?
That would require duplicating quite a lot of NFS code from what I can
see.
On Tue, 2008-02-26 at 16:29 +0100, Miklos Szeredi wrote:
> > > mm-page_file_methods.patch
> > >
> > > This makes page_offset and others more expensive by adding a
> > > conditional jump to a function call that is not usually made.
> > >
> > > Why do swap pages have a different index to everyone else?
> >
> > Because the page->index of an anonymous page is related to its (anon)vma
> > so that it satisfies the constraints for vm_normal_page().
> >
> > The index in the swap file it totally unrelated and quite random. Hence
> > the swap-cache uses page->private to store it in.
>
> Yeah, and putting the condition into page_offset() will confuse code
> which uses it for finding the offset in the VMA or in a tmpfs file.
>
> So why not just have a separate page_swap_offset() function, used
> exclusively by swap_in/out()?
Ah, we can do the page_file_offset() to match page_file_index() and
page_file_mapping(). And convert NFS to use page_file_offset() where
appropriate, as I already did for these others.
That would sort out the mess, right?
> > > > mm-page_file_methods.patch
> > > >
> > > > This makes page_offset and others more expensive by adding a
> > > > conditional jump to a function call that is not usually made.
> > > >
> > > > Why do swap pages have a different index to everyone else?
> > >
> > > Because the page->index of an anonymous page is related to its (anon)vma
> > > so that it satisfies the constraints for vm_normal_page().
> > >
> > > The index in the swap file it totally unrelated and quite random. Hence
> > > the swap-cache uses page->private to store it in.
> >
> > Yeah, and putting the condition into page_offset() will confuse code
> > which uses it for finding the offset in the VMA or in a tmpfs file.
> >
> > So why not just have a separate page_swap_offset() function, used
> > exclusively by swap_in/out()?
>
> Ah, we can do the page_file_offset() to match page_file_index() and
> page_file_mapping(). And convert NFS to use page_file_offset() where
> appropriate, as I already did for these others.
>
> That would sort out the mess, right?
Yes, that sounds perfect.
Miklos
On Tue, 26 Feb 2008 11:50:42 +0100 Peter Zijlstra <[email protected]> wrote:
> On Tue, 2008-02-26 at 17:03 +1100, Neil Brown wrote:
> > On Saturday February 23, [email protected] wrote:
>
> > > What is the NFS and net people's take on all of this?
> >
> > Well I'm only vaguely an NFS person, barely a net person, sporadically
> > an mm person, but I've had a look and it seems to mostly make sense.
>
> Thanks for taking a look, and giving such elaborate feedback. I'll try
> and address these issues asap, but first let me reply to a few points
> here.
Neil's overview of what-all-this-is and how-it-all-works is really good.
I'd suggest that you take it over, flesh it out and attach it firmly to the
patchset. It really helps.
Hi Peter,
On Tuesday February 26, [email protected] wrote:
> Hi Neil,
>
> Thanks for taking a look, and giving such elaborate feedback. I'll try
> and address these issues asap, but first let me reply to a few points
> here.
Thanks... the tree thing is starting to make sense, and I'm not
confused my __mem_reserve_add any more :-)
I've been having a closer read of some of the code that I skimmed over
before and I have some more questions.
1/ I note there is no way to tell if memory returned by kmalloc is
from the emergency reserve - which contrasts with alloc_page
which does make that information available through page->reserve.
This seems a slightly unfortunate aspect of the interface.
It seems to me that __alloc_skb could be simpler if this
information was available. It currently tries the allocation
normally, then if that fails it retries with __GFP_MEMALLOC set and
if that works it assume it was from the emergency pool ... which it
might not be, though the assumption is safe enough.
It would seem to be nicer if you could just make the one alloc call,
setting GFP_MEMALLOC if that might be appropriate. Then if the
memory came from the emergency reserve, flag it as an emergency skb.
However doing that would have issues with reservations.... the
mem_reserve would need to be passed to kmalloc :-(
2/ It doesn't appear to be possible to wait on a reservation. i.e. if
mem_reserve_*_charge fails, we might sometimes want to wait until
it will succeed. This feature is an integral part of how mempools
work and are used. If you want reservations to (be able to)
replace mempools, then waiting really is needed.
It seems that waiting would work best if it was done quite low down
inside kmalloc. That would require kmalloc to know which
'mem_reserve' you are using which it currently doesn't.
If it did, then it could choose to use emergency pages if the
mem_reserve allowed it more space, otherwise require a regular page.
And if __GFP_WAIT is set then each time around the loop it could
revise whether to use an emergency page or not, based on whether it
can successfully charge the reservation.
Of course, having a mem_reserve available for PF_MEMALLOC
allocations would require changing every kmalloc call in the
protected region, which might not be ideal, but might not be a
major hassle, and would ensure that you find all kmalloc calls that
might be made while in PF_MALLOC state.
3/ Thinking about the tree structure a bit more: Your motivation
seems to be that it allows you to make two separate reservations,
and then charge some memory usage again either-one-of-the-other.
This seems to go against a key attribute of reservations. I would
have thought that an important rule about reservations is that
no-one else can use memory reserved for a particular purpose.
So if IPv6 reserves some memory, and the IPv4 uses it, that doesn't
seem like something we want to encourage...
4/ __netdev_alloc_page is bothering me a bit.
This is used to allocate memory for incoming fragments in a
(potentially multi-fragment) packet. But we only rx_emergency_get
for each page as it arrives rather than all at once at the start.
So you could have a situation where two very large packets are
arriving at the same time and there is enough reserve to hold
either of them but not both. The current code will hand out that
reservation a little (well, one page) at a time to each packet and
will run out before either packet has been fully received. This
seems like a bad thing. Is it?
Is it possible to do the rx_emergency_get just once of the whole
packet I wonder?
NeilBrown
On Wed, 2008-02-27 at 16:51 +1100, Neil Brown wrote:
> Hi Peter,
>
> On Tuesday February 26, [email protected] wrote:
> > Hi Neil,
> >
> > Thanks for taking a look, and giving such elaborate feedback. I'll try
> > and address these issues asap, but first let me reply to a few points
> > here.
>
> Thanks... the tree thing is starting to make sense, and I'm not
> confused my __mem_reserve_add any more :-)
>
> I've been having a closer read of some of the code that I skimmed over
> before and I have some more questions.
>
> 1/ I note there is no way to tell if memory returned by kmalloc is
> from the emergency reserve - which contrasts with alloc_page
> which does make that information available through page->reserve.
> This seems a slightly unfortunate aspect of the interface.
Yes, but alas there is no room to store such information in kmalloc().
That is, in a sane way. I think it was Daniel Phillips who suggested
encoding it in the return pointer by flipping the low bit - but that is
just too ugly and breaks all current kmalloc sites to boot.
> It seems to me that __alloc_skb could be simpler if this
> information was available. It currently tries the allocation
> normally, then if that fails it retries with __GFP_MEMALLOC set and
> if that works it assume it was from the emergency pool ... which it
> might not be, though the assumption is safe enough.
>
> It would seem to be nicer if you could just make the one alloc call,
> setting GFP_MEMALLOC if that might be appropriate. Then if the
> memory came from the emergency reserve, flag it as an emergency skb.
>
> However doing that would have issues with reservations.... the
> mem_reserve would need to be passed to kmalloc :-(
Yes, it would require a massive overhaul of quite a few things. I agree,
it would all be nicer, but I think you see why I didn't do it.
> 2/ It doesn't appear to be possible to wait on a reservation. i.e. if
> mem_reserve_*_charge fails, we might sometimes want to wait until
> it will succeed. This feature is an integral part of how mempools
> work and are used. If you want reservations to (be able to)
> replace mempools, then waiting really is needed.
>
> It seems that waiting would work best if it was done quite low down
> inside kmalloc. That would require kmalloc to know which
> 'mem_reserve' you are using which it currently doesn't.
>
> If it did, then it could choose to use emergency pages if the
> mem_reserve allowed it more space, otherwise require a regular page.
> And if __GFP_WAIT is set then each time around the loop it could
> revise whether to use an emergency page or not, based on whether it
> can successfully charge the reservation.
Like mempools, we could add a wrapper with a mem_reserve and waitqueue
inside, strip __GFP_WAIT, try, see if the reservation allows, and wait
if not.
I haven't yet done such a wrapper because it wasn't needed. But it could
be done.
> Of course, having a mem_reserve available for PF_MEMALLOC
> allocations would require changing every kmalloc call in the
> protected region, which might not be ideal, but might not be a
> major hassle, and would ensure that you find all kmalloc calls that
> might be made while in PF_MALLOC state.
I assumed the current PF_MEMALLOC usage was good enough for the current
reserves - not quite true as its potentially unlimited, but it seems to
work in practise.
I did try to find all allocation sites in the paths I enabled
PF_MEMALLOC over.
> 3/ Thinking about the tree structure a bit more: Your motivation
> seems to be that it allows you to make two separate reservations,
> and then charge some memory usage again either-one-of-the-other.
> This seems to go against a key attribute of reservations. I would
> have thought that an important rule about reservations is that
> no-one else can use memory reserved for a particular purpose.
> So if IPv6 reserves some memory, and the IPv4 uses it, that doesn't
> seem like something we want to encourage...
Well, we only have one kind of skb, a network packet doesn't know if it
belongs to IPv4 or IPv6 (or yet a whole different address familiy) when
it comes in. So we grow the skb pool to overflow both defragment caches.
But yeah, its something where you need to know what you're doing - as
with so many other things in the kernel, hence I didn't worry too much.
> 4/ __netdev_alloc_page is bothering me a bit.
> This is used to allocate memory for incoming fragments in a
> (potentially multi-fragment) packet. But we only rx_emergency_get
> for each page as it arrives rather than all at once at the start.
> So you could have a situation where two very large packets are
> arriving at the same time and there is enough reserve to hold
> either of them but not both. The current code will hand out that
> reservation a little (well, one page) at a time to each packet and
> will run out before either packet has been fully received. This
> seems like a bad thing. Is it?
>
> Is it possible to do the rx_emergency_get just once of the whole
> packet I wonder?
I honestly don't know enough about network cards and drivers to answer
this. It was a great feat I managed this much :-)
Hi Peter,
On Wed, Feb 27, 2008 at 9:58 AM, Peter Zijlstra <[email protected]> wrote:
> > 1/ I note there is no way to tell if memory returned by kmalloc is
> > from the emergency reserve - which contrasts with alloc_page
> > which does make that information available through page->reserve.
> > This seems a slightly unfortunate aspect of the interface.
>
> Yes, but alas there is no room to store such information in kmalloc().
> That is, in a sane way. I think it was Daniel Phillips who suggested
> encoding it in the return pointer by flipping the low bit - but that is
> just too ugly and breaks all current kmalloc sites to boot.
Why can't you add a kmem_is_emergency() to SLUB that looks up the
cache/slab/page (whatever is the smallest unit of the emergency pool
here) for the object and use that?
On Wed, 2008-02-27 at 10:05 +0200, Pekka Enberg wrote:
> Hi Peter,
>
> On Wed, Feb 27, 2008 at 9:58 AM, Peter Zijlstra <[email protected]> wrote:
> > > 1/ I note there is no way to tell if memory returned by kmalloc is
> > > from the emergency reserve - which contrasts with alloc_page
> > > which does make that information available through page->reserve.
> > > This seems a slightly unfortunate aspect of the interface.
> >
> > Yes, but alas there is no room to store such information in kmalloc().
> > That is, in a sane way. I think it was Daniel Phillips who suggested
> > encoding it in the return pointer by flipping the low bit - but that is
> > just too ugly and breaks all current kmalloc sites to boot.
>
> Why can't you add a kmem_is_emergency() to SLUB that looks up the
> cache/slab/page (whatever is the smallest unit of the emergency pool
> here) for the object and use that?
There is an idea.. :-) It would mean preserving page->reserved, but SLUB
has plenty of page flags to pick from. Or maybe I should move the thing
to a page flag anyway. If we do that SLAB would allow something similar,
just look up the page for whatever address you get and look at PG_emerg
or something.
Having this would clean things up. I'll go work on this.
On Wed, 2008-02-27 at 09:14 +0100, Peter Zijlstra wrote:
> On Wed, 2008-02-27 at 10:05 +0200, Pekka Enberg wrote:
> > Hi Peter,
> >
> > On Wed, Feb 27, 2008 at 9:58 AM, Peter Zijlstra <[email protected]> wrote:
> > > > 1/ I note there is no way to tell if memory returned by kmalloc is
> > > > from the emergency reserve - which contrasts with alloc_page
> > > > which does make that information available through page->reserve.
> > > > This seems a slightly unfortunate aspect of the interface.
> > >
> > > Yes, but alas there is no room to store such information in kmalloc().
> > > That is, in a sane way. I think it was Daniel Phillips who suggested
> > > encoding it in the return pointer by flipping the low bit - but that is
> > > just too ugly and breaks all current kmalloc sites to boot.
> >
> > Why can't you add a kmem_is_emergency() to SLUB that looks up the
> > cache/slab/page (whatever is the smallest unit of the emergency pool
> > here) for the object and use that?
>
> There is an idea.. :-) It would mean preserving page->reserved, but SLUB
> has plenty of page flags to pick from. Or maybe I should move the thing
> to a page flag anyway. If we do that SLAB would allow something similar,
> just look up the page for whatever address you get and look at PG_emerg
> or something.
>
> Having this would clean things up. I'll go work on this.
Humm, and here I sit staring at the screen. Perhaps I should go get my
morning juice, but...
if (mem_reserve_kmalloc_charge(my_res, sizeof(*foo), 0)) {
foo = kmalloc(sizeof(*foo), gfp|__GFP_MEMALLOC)
if (!kmem_is_emergency(foo))
mem_reserve_kmalloc_charge(my_res, -sizeof(*foo), 0)
} else
foo = kmalloc(sizeof(*foo), gfp);
Just doesn't look too pretty..
And needing to always account the allocation seems wrong.. but I'll take
poison and see if that wakes up my mind.
On Wed, 27 Feb 2008, Peter Zijlstra wrote:
> Humm, and here I sit staring at the screen. Perhaps I should go get my
> morning juice, but...
>
> if (mem_reserve_kmalloc_charge(my_res, sizeof(*foo), 0)) {
> foo = kmalloc(sizeof(*foo), gfp|__GFP_MEMALLOC)
> if (!kmem_is_emergency(foo))
> mem_reserve_kmalloc_charge(my_res, -sizeof(*foo), 0)
> } else
> foo = kmalloc(sizeof(*foo), gfp);
>
> Just doesn't look too pretty..
>
> And needing to always account the allocation seems wrong.. but I'll take
> poison and see if that wakes up my mind.
Hmm, perhaps this is just hand-waving but why don't you have a
kmalloc_reserve() function in SLUB that does the accounting properly?
Pekka
So I've been pondering all this some more trying to find the pattern,
and things are beginning to crystalise (I hope).
One of the approaches I have been taking is to compare it to mempools
(which I think I understand) and work out what the important
differences are.
One difference is that you don't wait for memory to become available
(as I mentioned earlier). Rather you just try to get the memory and
if it isn't available, you drop the packet. This probably makes sense
for incoming packets as you rely on the packet being re-sent, and
hopefully various back-off algorithms will slow things down a bit so
that there is a good change that memory will be available next time...
For out going messages I'm less clear on exactly what is going on.
Maybe I haven't looked at that code properly yet, but I would expect
there would be a place for waiting for memory to become available
somewhere in the out-going path ??
But there is another important difference to mempools which I think is
worth exploring. With mempools, you are certain that the memory will
only be used to make forward progress in writing out dirty data. So
if you find that there isn't enough memory at the moment and you have
to wait, you can be sure someone else is making forward progress and
so waiting isn't such a bad thing.
With your reservations it isn't quite the same. Reserved memory can
be used for related purposes. In particular, any incoming packet can
use some reserved memory. Once the purpose of that packet is
discovered (i.e. that matching socket is found), the memory will be
freed again. But there is a period of time when memory is being used
for an inappropriate purpose. The consequences of this should be
clearly understood.
In particular, the memory that is reserved for the emergency pool
should include some overhead to acknowledge the fact that memory
might be used for short periods of time for unrelated purposes.
I think we can fit this acknowledgement into the current model quite
easily, and it makes the tree structure suddenly make lots of sense
(where as before I was still struggling with it).
A key observation in this design is "Sometimes we need to allocate
emergency memory without knowing exactly what it is going to be used
for". I think we should make that explicit in the implementation as
follows:
We have a tree of reservations (as you already do) where levels in
the tree correspond to more explicit knowledge of how the memory
will be used.
At the top level there is a generic 'page' reservation. Below that
to one side with have a 'SLUB/SLAB' reservation. I'm not sure yet
exactly what that will look like.
Also below the 'page' reservation is a reservation for pages to hold
incoming network fragments.
Below the SLxB reservation is a reservation for skbs, which is
parent to a reservation for IPv4 skbs and another for IPv6 skbs.
Each of these nodes has its own independent reservation - parents are
not simply the sum of the children.
The sum over the whole tree is given to the VM as the size of the
emergency pool to reserve for emergency allocations.
Now, every actual allocation from the emergency pool effectively comes
in at the top of the tree and moves down as its purpose is more fully
understood. Every emergency allocation is *always* charged to one
node in the tree, though which node may change.
e.g.
A network driver asks for a page to store a fragment.
netdev_alloc_page calls alloc_page with __GFP_MEMALLOC set.
If alloc_page needs to dive into the emergency pool, it first
charges the one page against the root for the reservation tree.
If this succeeds, it returns the page with ->reserve set. If the
reservation fails, it ignores the GFP_MEMALLOC and fails.
netdev_alloc_page notices that the page is a ->reserve page, and
knows that it has been changed to the top 'page' reservation, but it
should be changed to the network-page reservation. So it tried to
charge against the network-pages reservation, and reverses the
charge against 'pages'. If the network-pages reservation fails, the
page is freed and netdev_alloc_page fails.
As you can see, the charge moves down the tree as more information
becomes available.
Similarly a charge might move from 'pages' to 'SLxB' to 'net_skb' to
'ipv4_skb'.
At the bottom levels, the reservations says how much memory is
needed for that particular usage to be able to make sensible forward
progress.
At the higher levels, the reservation says how much overhead we need
to allow to ensure that transient invalid uses don't unduly limit
available emergency memory. As pages are likely to be immediately
re-charged lower down the tree, the reservation at the top level
would probably be proportional to the number of CPUs (probably one
page per CPU would be perfect). Lower down, different calculations
might suggest different intermediate reservations.
Of course, these things don't need to be explicitly structured as a
tree. There is no need for 'parent' or 'sibling' pointers. The code
implicitly knows where to move charges from and to.
You still need an explicit structure to allow groups of reservations
that are activated or de-activated as a whole. That can use your
current tree structure, or whatever else turns out to make sense.
This model, I think, captures the important "allocate before charging"
aspect of reservations that you need (particularly for incoming
network packets) and it makes that rule apply throughout the different
stages that an allocated chunk of memory goes through.
With this model, alloc_page could fail more often, as it now also
fails if the top level reservation is exhausted. This may seem
un-necessary, but I think it could be a good thing. It means that at
very busy times (when lots of requests are needing emergency memory)
we drop requests randomly and very early. If we are going to drop a
request eventually, dropping it early means we waste less time on it
which is probably a good thing.
So: Does this model help others with understanding how the
reservations work, or am I just over-engineering?
NeilBrown
On Fri, 2008-02-29 at 12:29 +1100, Neil Brown wrote:
> So I've been pondering all this some more trying to find the pattern,
> and things are beginning to crystalise (I hope).
>
> One of the approaches I have been taking is to compare it to mempools
> (which I think I understand) and work out what the important
> differences are.
>
> One difference is that you don't wait for memory to become available
> (as I mentioned earlier). Rather you just try to get the memory and
> if it isn't available, you drop the packet. This probably makes sense
> for incoming packets as you rely on the packet being re-sent, and
> hopefully various back-off algorithms will slow things down a bit so
> that there is a good change that memory will be available next time...
>
> For out going messages I'm less clear on exactly what is going on.
> Maybe I haven't looked at that code properly yet, but I would expect
> there would be a place for waiting for memory to become available
> somewhere in the out-going path ??
The tx path is a bit fuzzed. I assume it has an upper limit, take a stab
at that upper limit and leave it at that.
It should be full of holes, and there is some work on writeout
throttling to fill some of them - but I haven't seen any lockups in this
area for a long long while.
> But there is another important difference to mempools which I think is
> worth exploring. With mempools, you are certain that the memory will
> only be used to make forward progress in writing out dirty data. So
> if you find that there isn't enough memory at the moment and you have
> to wait, you can be sure someone else is making forward progress and
> so waiting isn't such a bad thing.
>
> With your reservations it isn't quite the same. Reserved memory can
> be used for related purposes. In particular, any incoming packet can
> use some reserved memory. Once the purpose of that packet is
> discovered (i.e. that matching socket is found), the memory will be
> freed again. But there is a period of time when memory is being used
> for an inappropriate purpose. The consequences of this should be
> clearly understood.
IIRC the route-cache is in this state. Entries there can be added before
we can decide to keep or toss the packet. So we reserve enough memory to
overflow the route-cache (route-cache reclaim keeps it in bounds).
> In particular, the memory that is reserved for the emergency pool
> should include some overhead to acknowledge the fact that memory
> might be used for short periods of time for unrelated purposes.
>
> I think we can fit this acknowledgement into the current model quite
> easily, and it makes the tree structure suddenly make lots of sense
> (where as before I was still struggling with it).
>
> A key observation in this design is "Sometimes we need to allocate
> emergency memory without knowing exactly what it is going to be used
> for". I think we should make that explicit in the implementation as
> follows:
>
> We have a tree of reservations (as you already do) where levels in
> the tree correspond to more explicit knowledge of how the memory
> will be used.
> At the top level there is a generic 'page' reservation. Below that
> to one side with have a 'SLUB/SLAB' reservation. I'm not sure yet
> exactly what that will look like.
> Also below the 'page' reservation is a reservation for pages to hold
> incoming network fragments.
> Below the SLxB reservation is a reservation for skbs, which is
> parent to a reservation for IPv4 skbs and another for IPv6 skbs.
>
> Each of these nodes has its own independent reservation - parents are
> not simply the sum of the children.
> The sum over the whole tree is given to the VM as the size of the
> emergency pool to reserve for emergency allocations.
>
> Now, every actual allocation from the emergency pool effectively comes
> in at the top of the tree and moves down as its purpose is more fully
> understood. Every emergency allocation is *always* charged to one
> node in the tree, though which node may change.
>
> e.g.
> A network driver asks for a page to store a fragment.
> netdev_alloc_page calls alloc_page with __GFP_MEMALLOC set.
> If alloc_page needs to dive into the emergency pool, it first
> charges the one page against the root for the reservation tree.
> If this succeeds, it returns the page with ->reserve set. If the
> reservation fails, it ignores the GFP_MEMALLOC and fails.
> netdev_alloc_page notices that the page is a ->reserve page, and
> knows that it has been changed to the top 'page' reservation, but it
> should be changed to the network-page reservation. So it tried to
> charge against the network-pages reservation, and reverses the
> charge against 'pages'. If the network-pages reservation fails, the
> page is freed and netdev_alloc_page fails.
> As you can see, the charge moves down the tree as more information
> becomes available.
>
> Similarly a charge might move from 'pages' to 'SLxB' to 'net_skb' to
> 'ipv4_skb'.
>
> At the bottom levels, the reservations says how much memory is
> needed for that particular usage to be able to make sensible forward
> progress.
> At the higher levels, the reservation says how much overhead we need
> to allow to ensure that transient invalid uses don't unduly limit
> available emergency memory. As pages are likely to be immediately
> re-charged lower down the tree, the reservation at the top level
> would probably be proportional to the number of CPUs (probably one
> page per CPU would be perfect). Lower down, different calculations
> might suggest different intermediate reservations.
>
> Of course, these things don't need to be explicitly structured as a
> tree. There is no need for 'parent' or 'sibling' pointers. The code
> implicitly knows where to move charges from and to.
> You still need an explicit structure to allow groups of reservations
> that are activated or de-activated as a whole. That can use your
> current tree structure, or whatever else turns out to make sense.
>
> This model, I think, captures the important "allocate before charging"
> aspect of reservations that you need (particularly for incoming
> network packets) and it makes that rule apply throughout the different
> stages that an allocated chunk of memory goes through.
I'm a bit confused here, the only way to keep the allocations bounded is
by accounting before allocation (well, another other way is to bound the
number of concurrent allocations).
Also, I try not to account when not needed, like with the route-cache.
We already know it has bounded memory usage because it maintains that
itself. So by just supplying enough memory to overflow the thing you're
home save.
While the model of moving the accounting down might work, I think it its
not needed. We don't need to know if its ipv4 or ipv6 or yet another
protocol, as long as we have enough skb room to overflow whatever caches
are in between incomming packets and socket de-multiplex.
> With this model, alloc_page could fail more often, as it now also
> fails if the top level reservation is exhausted. This may seem
> un-necessary, but I think it could be a good thing. It means that at
> very busy times (when lots of requests are needing emergency memory)
> we drop requests randomly and very early. If we are going to drop a
> request eventually, dropping it early means we waste less time on it
> which is probably a good thing.
But, might you not be dropping the few packets we do want, early as
well?
> So: Does this model help others with understanding how the
> reservations work, or am I just over-engineering?
Sounds like a bit of overkill to me.
On Wed, 2008-02-27 at 10:05 +0200, Pekka Enberg wrote:
> Hi Peter,
>
> On Wed, Feb 27, 2008 at 9:58 AM, Peter Zijlstra <[email protected]> wrote:
> > > 1/ I note there is no way to tell if memory returned by kmalloc is
> > > from the emergency reserve - which contrasts with alloc_page
> > > which does make that information available through page->reserve.
> > > This seems a slightly unfortunate aspect of the interface.
> >
> > Yes, but alas there is no room to store such information in kmalloc().
> > That is, in a sane way. I think it was Daniel Phillips who suggested
> > encoding it in the return pointer by flipping the low bit - but that is
> > just too ugly and breaks all current kmalloc sites to boot.
>
> Why can't you add a kmem_is_emergency() to SLUB that looks up the
> cache/slab/page (whatever is the smallest unit of the emergency pool
> here) for the object and use that?
I made page->reserve into PG_emergency and made that bit stick for the
lifetime of that page allocation. I then made kmem_is_emergency() look
up the head page backing that allocation's slab and return
PageEmergency().
This gives a consistent kmem_is_emergency() - that is if during the
lifetime of the kmem allocation it returns true once, it must return
true always.
You can then, using this properly, push the accounting into
kmalloc_reserve() and kfree_reserve() (and
kmem_cache_{alloc,free}_reserve).
Which yields very pretty code all round. (can make public if you like to
see..)
However...
This is a stricter model than I had before, and has one ramification I'm
not entirely sure I like.
It means the page remains a reserve page throughout its lifetime, which
means the slab remains a reserve slab throughout its lifetime. Therefore
it may never be used for !reserve allocations. Which in turn generates
complexities for the partial list.
In my previous model I had the reserve accounting external to the
allocation, which relaxed the strict need for consistency here, and I
dropped the reserve status once we were above the page limits again.
I managed to complicate the SLUB patch with this extra constraint, by
checking reserve against PageEmergency() when scanning the partial list,
but gave up on SLAB.
Does this sound like something I should pursuit? I feel it might
complicate the slab allocators too much..
Hi Peter,
On Fri, Feb 29, 2008 at 1:51 PM, Peter Zijlstra <[email protected]> wrote:
> I made page->reserve into PG_emergency and made that bit stick for the
> lifetime of that page allocation. I then made kmem_is_emergency() look
> up the head page backing that allocation's slab and return
> PageEmergency().
[snip]
On Fri, Feb 29, 2008 at 1:51 PM, Peter Zijlstra <[email protected]> wrote:
> This is a stricter model than I had before, and has one ramification I'm
> not entirely sure I like.
>
> It means the page remains a reserve page throughout its lifetime, which
> means the slab remains a reserve slab throughout its lifetime. Therefore
> it may never be used for !reserve allocations. Which in turn generates
> complexities for the partial list.
Hmm, so why don't we then clear the PG_emergency flag then and
allocate a new fresh page to the reserves?
On Fri, Feb 29, 2008 at 1:51 PM, Peter Zijlstra <[email protected]> wrote:
> Does this sound like something I should pursuit? I feel it might
> complicate the slab allocators too much..
I can't answer that question until I see the code ;-). But overall, I
think it's better to put that code in SLUB rather than trying to work
around it elsewhere. The fact is, as soon as you have some sort of
reservation for _objects_, you need help from the SLUB allocator.
Pekka
On Fri, 2008-02-29 at 13:58 +0200, Pekka Enberg wrote:
> Hi Peter,
>
> On Fri, Feb 29, 2008 at 1:51 PM, Peter Zijlstra <[email protected]> wrote:
> > I made page->reserve into PG_emergency and made that bit stick for the
> > lifetime of that page allocation. I then made kmem_is_emergency() look
> > up the head page backing that allocation's slab and return
> > PageEmergency().
>
> [snip]
>
> On Fri, Feb 29, 2008 at 1:51 PM, Peter Zijlstra <[email protected]> wrote:
> > This is a stricter model than I had before, and has one ramification I'm
> > not entirely sure I like.
> >
> > It means the page remains a reserve page throughout its lifetime, which
> > means the slab remains a reserve slab throughout its lifetime. Therefore
> > it may never be used for !reserve allocations. Which in turn generates
> > complexities for the partial list.
>
> Hmm, so why don't we then clear the PG_emergency flag then
Clearing PG_emergency would mean kmem_is_emergency() would return false
in kfree_reserve() and fail to un-charge the object.
Previously objects would track their account status themselves (when
needed) and freeing PG_emergency wouldn't be a problem.
> and allocate a new fresh page to the reserves?
Not sure I understand this properly. We would only do this once the page
watermarks are high enough, so the reserves are full again.
> On Fri, Feb 29, 2008 at 1:51 PM, Peter Zijlstra <[email protected]> wrote:
> > Does this sound like something I should pursuit? I feel it might
> > complicate the slab allocators too much..
>
> I can't answer that question until I see the code ;-). But overall, I
> think it's better to put that code in SLUB rather than trying to work
> around it elsewhere. The fact is, as soon as you have some sort of
> reservation for _objects_, you need help from the SLUB allocator.
Well, I agree with that consolidating it makes sense. And like I said,
it gives pretty code. However, it also puts the burden of this feature
on everyone and might affect performance - still its only the slow path,
but still.
On Fri, Feb 29, 2008 at 2:18 PM, Peter Zijlstra <[email protected]> wrote:
> Clearing PG_emergency would mean kmem_is_emergency() would return false
> in kfree_reserve() and fail to un-charge the object.
>
> Previously objects would track their account status themselves (when
> needed) and freeing PG_emergency wouldn't be a problem.
>
> > and allocate a new fresh page to the reserves?
>
> Not sure I understand this properly. We would only do this once the page
> watermarks are high enough, so the reserves are full again.
The problem with PG_emergency is that, once the watermarks are high
again, SLUB keeps holding to the emergency page and it cannot be used
for regular kmalloc allocations, right?
So the way to fix this is to batch uncharge the objects and clear
PG_emergency for the said SLUB pages thus freeing them for regular
allocations. And to compensate for the loss in the reserves, we ask
the page allocator to give a new one that SLUB knows nothing about.
If you don't do this, the reserve page can only contain few objects
making them unavailable for regular allocations. So we're might be
forced into "emergency mode" even though there's enough memory
available to satisfy the allocation.
Pekka
On Friday February 29, [email protected] wrote:
>
> The tx path is a bit fuzzed. I assume it has an upper limit, take a stab
> at that upper limit and leave it at that.
>
> It should be full of holes, and there is some work on writeout
> throttling to fill some of them - but I haven't seen any lockups in this
> area for a long long while.
I think this is very interesting and useful.
You seem to be saying that the write-throttling is enough to avoid any
starvation on the transmit path. i.e. the VM is limiting the amount
of dirty memory so that when we desperately need memory on the
writeout path we can always get it, without lots of careful
accounting.
So why doesn't this work on for the receive side? What - exactly - is
the difference.
I think the difference is that on the receive side we have to hand
out memory before we know how it will be used (i.e. whether it is for
a SK_MEMALLOC socket or not) and so emergency memory could get stuck
in some non-emergency usage.
So suppose we forgot about all the allocation tracking (that doesn't
seem to be needed on the send side so maybe isn't on the receive side)
and just focus on not letting emergency memory get used for the wrong
thing.
So: Have some global flag that says "we are into the emergency pool"
which gets set the first time an allocation has to dip below the low
water mark, and cleared when an allocation succeeds without needing to
dip that low.
Then whenever we have memory that might have been allocated from below
the watermark (i.e. an incoming packet) and we find out that it isn't
required for write-out (i.e. it gets attached to a socket for which
SK_MEMALLOC is not set) we test the global flag and if it is set, we
drop the packet and free the memory.
To clarify:
no new accounting
no new reservations
just "drop non-writeout packets when we are low on memory"
Is there any chance that could work reliably?
I call this the "Linus" approach because I remember reading somewhere
(that google cannot find for me) where Linus said he didn't think a
provably correct implementation was the way to go - just something
that made it very likely that we won't run out of memory at an awkward
time.
I guess my position is that any accounting that we do needs to have a
clear theoretical model underneath it so we can reason about it.
I cannot see the clear model in beneath the current code so I'm trying
to come up with models that seem to capture the important elements of
the code, and to explore them.
NeilBrown
On Mon, 2008-03-03 at 09:18 +1100, Neil Brown wrote:
> On Friday February 29, [email protected] wrote:
> >
> > The tx path is a bit fuzzed. I assume it has an upper limit, take a stab
> > at that upper limit and leave it at that.
> >
> > It should be full of holes, and there is some work on writeout
> > throttling to fill some of them - but I haven't seen any lockups in this
> > area for a long long while.
>
> I think this is very interesting and useful.
>
> You seem to be saying that the write-throttling is enough to avoid any
> starvation on the transmit path. i.e. the VM is limiting the amount
> of dirty memory so that when we desperately need memory on the
> writeout path we can always get it, without lots of careful
> accounting.
>
> So why doesn't this work on for the receive side? What - exactly - is
> the difference.
The TX path needs to be able to make progress in that it must be able to
send out at least one full request (page). The thing the TX path must
not do is tie up so much memory sending out pages that we can't receive
any incoming packets.
So, having a throttle on the amount of writes in progress, and
sufficient memory to back those, seem like a solid way here.
NFS has such a limit in its congestion logic. But I'm quite sure I'm
failing to allocate enough memory to back it, as I got confused by the
whole RPC code.
> I think the difference is that on the receive side we have to hand
> out memory before we know how it will be used (i.e. whether it is for
> a SK_MEMALLOC socket or not) and so emergency memory could get stuck
> in some non-emergency usage.
>
> So suppose we forgot about all the allocation tracking (that doesn't
> seem to be needed on the send side so maybe isn't on the receive side)
> and just focus on not letting emergency memory get used for the wrong
> thing.
>
> So: Have some global flag that says "we are into the emergency pool"
> which gets set the first time an allocation has to dip below the low
> water mark, and cleared when an allocation succeeds without needing to
> dip that low.
That is basically what the slub logic I added does. Except that global
flags in the vm make people very nervous, so its a little more complex.
> Then whenever we have memory that might have been allocated from below
> the watermark (i.e. an incoming packet)
Which is what I do in the skb_alloc() path.
> and we find out that it isn't
> required for write-out (i.e. it gets attached to a socket for which
> SK_MEMALLOC is not set) we test the global flag and if it is set, we
> drop the packet and free the memory.
Which is somewhat more complex than you make it sound, but that is
exactly what I do.
> To clarify:
> no new accounting
> no new reservations
> just "drop non-writeout packets when we are low on memory"
>
> Is there any chance that could work reliably?
You need to be able to overflow the ip fragement assembly cache, or we
could get stuck with all memory in fragments.
Same for other memory usage before we hit the socket de-multiplex, like
the route-cache.
I just refined those points here; you need to drop more that
non-writeout packets, you need to drop all packets not meant for
SK_MEMALLOC.
You also need to allow some writeout packets, because if you hit 'oom'
and need to write-out some pages to free up memory,...
I did the reservation because I wanted some guarantee we'd be able to
over-flow the caches mentioned. The alternative is working with the
variable ratio that the current reserve has.
The accounting makes the whole system more robust. I wanted to make the
state stable enough to survive a connection drop, or server reset for a
long while, and it does. During a swapping workload and heavy network
load, I can pull the network cable, or shut down the NFS server and
leave it down for over 30 minutes. When I bring it back up again, stuff
resumes.
> I call this the "Linus" approach because I remember reading somewhere
> (that google cannot find for me) where Linus said he didn't think a
> provably correct implementation was the way to go - just something
> that made it very likely that we won't run out of memory at an awkward
> time.
>
> I guess my position is that any accounting that we do needs to have a
> clear theoretical model underneath it so we can reason about it.
> I cannot see the clear model in beneath the current code so I'm trying
> to come up with models that seem to capture the important elements of
> the code, and to explore them.
>From my POV there is a model, and I've tried to convey it, but clearly
I'm failing horribly. Let me try again:
Create a stable state where you can receive an unlimited amount of
network packets awaiting the one packet you need to move forward.
To do so we need to distinguish needed from unneeded packets; we do this
by means of SK_MEMALLOC. So we need to be able to receive packets up to
that point.
The unlimited amount of packets means unlimited time; which means that
our state must not consume memory, merely use memory. That is, the
amount of memory used must not grow unbounded over time.
So we must guarantee that all memory allocated will be promptly freed
again, and never allocate more than available.
Because this state is not the normal state, we need a trigger to enter
this state (and consequently a trigger to leave this state). We do that
by detecting a low memory situation just like you propose. We enter this
state once normal memory allocations fail and leave this state once they
start succeeding again.
We need the accounting to ensure we never allocate more than is
available, but more importantly because we need to ensure progress for
those packets we already have allocated.
A packet is received, it can be a fragment, it will be placed in the
fragment cache for packet re-assembly.
We need to ensure we can overflow this fragment cache in order that
something will come out at the other end. If under a fragment attack,
the fragment cache limit will prune the oldest fragments, freeing up
memory to receive new ones.
Eventually we'd be able to receive either a whole packet, or enough
fragments to assemble one.
Next comes routing the packet; we need to know where to process the
packet; local or non-local. This potentially involves filling the
route-cache.
If at this point there is no memory available because we forgot to limit
the amount of memory available for skb allocation we again are stuck.
The route-cache, like the fragment assembly, is already accounted and
will prune old (unused) entries once the total memory usage exceeds a
pre-determined amount of memory.
Eventually we'll end up at socket demux, matching packets to sockets
which allows us to either toss the packet or consume it. Dropping
packets is allowed because network is assumed lossy, and we have not yet
acknowledged the receive.
Does this make sense?
Then we have TX, which like I said above needs to operate under certain
limits as well. We need to be able to send out packets when under
pressure in order to relieve said pressure.
We need to ensure doing so will not exhaust our reserves.
Writing out a page typically takes a little memory, you fudge some
packets with protocol info, mtu size etc.. send them out, and wait for
an acknowledge from the other end, and drop the stuff and go on writing
other pages.
So sending out pages does not consume memory if we're able to receive
ACKs. Being able to receive packets what what all the previous was
about.
Now of course there is some RPC concurrency, TCP windows and other
funnies going on, but I assumed - and I don't think that's a wrong
assumption - that sending out pages will consume endless amounts of
memory.
Nor will it keep on sending pages, once there is a certain amount of
packets outstanding (nfs congestion logic), it will wait, at which point
it should have no memory in use at all.
Anyway I did get lost in the RPC code, and I know I didn't fully account
everything, but under some (hopefully realistic) assumptions I think the
model is sound.
Does this make sense?