pin_user_pages*() occasionally fails due to migrate_pages() failures
that, in turn, are due to temporarily elevated folio refcounts. This
happens because a few years ago, pin_user_pages*() APIs were upgraded to
automatically migrate pages away from ZONE_MOVABLE, but the callers were
not upgraded to handle any migration failures. And in fact, they can't
easily do so anyway, because the migration return code was filtered out:
-EAGAIN failures from migration are squashed, along with any other
failure, into -ENOMEM, thus hiding details from the upper layer callers.
One failure case that we ran into recently looks like this:
pin_user_pages_fast()
internal_get_user_pages_fast()
__gup_longterm_locked()
check_and_migrate_movable_pages()
migrate_longterm_unpinnable_pages()
migrate_pages()
migrate_pages_batch(..., NR_MAX_MIGRATE_PAGES_RETRY==10)
migrate_folio_move()
move_to_new_folio()
migrate_folio()
migrate_folio_extra()
folio_migrate_mapping()
if (folio_ref_count(folio) != expected_count)
return -EAGAIN;
// ...and migrate_longterm_unpinnable_pages()
// translates -EAGAIN to -ENOMEM
Although so far I have not pinpointed the cause of such transient
refcount increases, these are sufficiently common (and expected by the
entire design) that I think we have enough information to proceed
directly to a fix. This patch shows my preferred solution, which does
the following:
a) Restore the -EAGAIN return code: pass it unchanged all the way back
to pin_user_pages*() callers.
b) Then, retry pin_user_pages_fast() from ib_umem_get(), because that IB
driver is displaying real failures in the field, and we've confirmed
that a retry at this location will fix those failures. Retrying at this
higher level (as compared to the pre-existing, low-level retry in
migrate_pages_batch()) allows more things to happen, and more time to
elapse, between retries.
Cc: Mike Marciniszyn <[email protected]>
Cc: Leon Romanovsky <[email protected]>
Cc: Artemy Kovalyov <[email protected]>
Cc: Michael Guralnik <[email protected]>
Cc: Alistair Popple <[email protected]>
Cc: Pak Markthub <[email protected]>
Cc: Jason Gunthorpe <[email protected]>
Signed-off-by: John Hubbard <[email protected]>
---
drivers/infiniband/core/umem.c | 33 ++++++++++++++++++++++++++-------
mm/gup.c | 14 +++++++++++---
2 files changed, 37 insertions(+), 10 deletions(-)
diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
index 07c571c7b699..7c691faacc8a 100644
--- a/drivers/infiniband/core/umem.c
+++ b/drivers/infiniband/core/umem.c
@@ -210,15 +210,34 @@ struct ib_umem *ib_umem_get(struct ib_device *device, unsigned long addr,
while (npages) {
cond_resched();
- pinned = pin_user_pages_fast(cur_base,
- min_t(unsigned long, npages,
- PAGE_SIZE /
- sizeof(struct page *)),
- gup_flags, page_list);
- if (pinned < 0) {
+ pinned = -ENOMEM;
+ int attempts = 0;
+ /*
+ * pin_user_pages_fast() can return -EAGAIN, due to falling back
+ * to gup-slow and then failing to migrate pages out of
+ * ZONE_MOVABLE due to a transient elevated page refcount.
+ *
+ * One retry is enough to avoid this problem, so far, but let's
+ * use a slightly higher retry count just in case even larger
+ * systems have a longer-lasting transient refcount problem.
+ *
+ */
+ static const int MAX_ATTEMPTS = 3;
+
+ while (pinned == -EAGAIN && attempts < MAX_ATTEMPTS) {
+ pinned = pin_user_pages_fast(cur_base,
+ min_t(unsigned long,
+ npages, PAGE_SIZE /
+ sizeof(struct page *)),
+ gup_flags, page_list);
ret = pinned;
- goto umem_release;
+ attempts++;
+
+ if (pinned == -EAGAIN)
+ continue;
}
+ if (pinned < 0)
+ goto umem_release;
cur_base += pinned * PAGE_SIZE;
npages -= pinned;
diff --git a/mm/gup.c b/mm/gup.c
index 1611e73b1121..edb069f937cb 100644
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -2141,15 +2141,23 @@ static int migrate_longterm_unpinnable_pages(
}
if (!list_empty(movable_page_list)) {
+ int rc;
struct migration_target_control mtc = {
.nid = NUMA_NO_NODE,
.gfp_mask = GFP_USER | __GFP_NOWARN,
};
- if (migrate_pages(movable_page_list, alloc_migration_target,
+ rc = migrate_pages(movable_page_list, alloc_migration_target,
NULL, (unsigned long)&mtc, MIGRATE_SYNC,
- MR_LONGTERM_PIN, NULL)) {
- ret = -ENOMEM;
+ MR_LONGTERM_PIN, NULL);
+ if (rc) {
+ /*
+ * Report any failure *except* -EAGAIN as "not enough
+ * memory". -EAGAIN is valuable because callers further
+ * up the call stack can benefit from a retry.
+ */
+ if (rc != -EAGAIN)
+ ret = -ENOMEM;
goto err;
}
}
base-commit: 18daea77cca626f590fb140fc11e3a43c5d41354
--
2.45.0
> + pinned = -ENOMEM;
> + int attempts = 0;
> + /*
> + * pin_user_pages_fast() can return -EAGAIN, due to falling back
> + * to gup-slow and then failing to migrate pages out of
> + * ZONE_MOVABLE due to a transient elevated page refcount.
> + *
> + * One retry is enough to avoid this problem, so far, but let's
> + * use a slightly higher retry count just in case even larger
> + * systems have a longer-lasting transient refcount problem.
> + *
> + */
> + static const int MAX_ATTEMPTS = 3;
> +
> + while (pinned == -EAGAIN && attempts < MAX_ATTEMPTS) {
> + pinned = pin_user_pages_fast(cur_base,
> + min_t(unsigned long,
> + npages, PAGE_SIZE /
> + sizeof(struct page *)),
> + gup_flags, page_list);
> ret = pinned;
> - goto umem_release;
> + attempts++;
> +
> + if (pinned == -EAGAIN)
> + continue;
> }
> + if (pinned < 0)
> + goto umem_release;
This doesn't make sense. IFF a blind retry is all that is needed it
should be done in the core functionality. I fear it's not that easy,
though.
On Tue, Apr 30, 2024 at 10:10:43PM -0700, Christoph Hellwig wrote:
> > + pinned = -ENOMEM;
> > + int attempts = 0;
> > + /*
> > + * pin_user_pages_fast() can return -EAGAIN, due to falling back
> > + * to gup-slow and then failing to migrate pages out of
> > + * ZONE_MOVABLE due to a transient elevated page refcount.
> > + *
> > + * One retry is enough to avoid this problem, so far, but let's
> > + * use a slightly higher retry count just in case even larger
> > + * systems have a longer-lasting transient refcount problem.
> > + *
> > + */
> > + static const int MAX_ATTEMPTS = 3;
> > +
> > + while (pinned == -EAGAIN && attempts < MAX_ATTEMPTS) {
> > + pinned = pin_user_pages_fast(cur_base,
> > + min_t(unsigned long,
> > + npages, PAGE_SIZE /
> > + sizeof(struct page *)),
> > + gup_flags, page_list);
> > ret = pinned;
> > - goto umem_release;
> > + attempts++;
> > +
> > + if (pinned == -EAGAIN)
> > + continue;
> > }
> > + if (pinned < 0)
> > + goto umem_release;
>
> This doesn't make sense. IFF a blind retry is all that is needed it
> should be done in the core functionality. I fear it's not that easy,
> though.
+1
This migration retry weirdness is a GUP issue, it needs to be solved
in the mm not exposed to every pin_user_pages caller.
If it turns out ZONE_MOVEABLE pages can't actually be reliably moved
then it is pretty broken..
Jason
Jason Gunthorpe <[email protected]> writes:
> On Tue, Apr 30, 2024 at 10:10:43PM -0700, Christoph Hellwig wrote:
>> > + pinned = -ENOMEM;
>> > + int attempts = 0;
>> > + /*
>> > + * pin_user_pages_fast() can return -EAGAIN, due to falling back
>> > + * to gup-slow and then failing to migrate pages out of
>> > + * ZONE_MOVABLE due to a transient elevated page refcount.
>> > + *
>> > + * One retry is enough to avoid this problem, so far, but let's
>> > + * use a slightly higher retry count just in case even larger
>> > + * systems have a longer-lasting transient refcount problem.
>> > + *
>> > + */
>> > + static const int MAX_ATTEMPTS = 3;
>> > +
>> > + while (pinned == -EAGAIN && attempts < MAX_ATTEMPTS) {
>> > + pinned = pin_user_pages_fast(cur_base,
>> > + min_t(unsigned long,
>> > + npages, PAGE_SIZE /
>> > + sizeof(struct page *)),
>> > + gup_flags, page_list);
>> > ret = pinned;
>> > - goto umem_release;
>> > + attempts++;
>> > +
>> > + if (pinned == -EAGAIN)
>> > + continue;
>> > }
>> > + if (pinned < 0)
>> > + goto umem_release;
>>
>> This doesn't make sense. IFF a blind retry is all that is needed it
>> should be done in the core functionality. I fear it's not that easy,
>> though.
>
> +1
>
> This migration retry weirdness is a GUP issue, it needs to be solved
> in the mm not exposed to every pin_user_pages caller.
>
> If it turns out ZONE_MOVEABLE pages can't actually be reliably moved
> then it is pretty broken..
I wonder if we should remove the arbitrary retry limit in
migrate_pages() entirely for ZONE_MOVEABLE pages and just loop until
they migrate? By definition there should only be transient references on
these pages so why do we need to limit the number of retries in the
first place?
- Alistair
> Jason
On 02.05.24 03:05, Alistair Popple wrote:
>
> Jason Gunthorpe <[email protected]> writes:
>
>> On Tue, Apr 30, 2024 at 10:10:43PM -0700, Christoph Hellwig wrote:
>>>> + pinned = -ENOMEM;
>>>> + int attempts = 0;
>>>> + /*
>>>> + * pin_user_pages_fast() can return -EAGAIN, due to falling back
>>>> + * to gup-slow and then failing to migrate pages out of
>>>> + * ZONE_MOVABLE due to a transient elevated page refcount.
>>>> + *
>>>> + * One retry is enough to avoid this problem, so far, but let's
>>>> + * use a slightly higher retry count just in case even larger
>>>> + * systems have a longer-lasting transient refcount problem.
>>>> + *
>>>> + */
>>>> + static const int MAX_ATTEMPTS = 3;
>>>> +
>>>> + while (pinned == -EAGAIN && attempts < MAX_ATTEMPTS) {
>>>> + pinned = pin_user_pages_fast(cur_base,
>>>> + min_t(unsigned long,
>>>> + npages, PAGE_SIZE /
>>>> + sizeof(struct page *)),
>>>> + gup_flags, page_list);
>>>> ret = pinned;
>>>> - goto umem_release;
>>>> + attempts++;
>>>> +
>>>> + if (pinned == -EAGAIN)
>>>> + continue;
>>>> }
>>>> + if (pinned < 0)
>>>> + goto umem_release;
>>>
>>> This doesn't make sense. IFF a blind retry is all that is needed it
>>> should be done in the core functionality. I fear it's not that easy,
>>> though.
>>
>> +1
>>
>> This migration retry weirdness is a GUP issue, it needs to be solved
>> in the mm not exposed to every pin_user_pages caller.
>>
>> If it turns out ZONE_MOVEABLE pages can't actually be reliably moved
>> then it is pretty broken..
>
> I wonder if we should remove the arbitrary retry limit in
> migrate_pages() entirely for ZONE_MOVEABLE pages and just loop until
> they migrate? By definition there should only be transient references on
> these pages so why do we need to limit the number of retries in the
> first place?
There are some weird things that still needs fixing: vmsplice() is the
example that doesn't use FOLL_LONGTERM.
--
Cheers,
David / dhildenb
On Thu, May 02, 2024 at 11:10:05AM -0700, John Hubbard wrote:
> On 5/1/24 11:56 PM, David Hildenbrand wrote:
> > On 02.05.24 03:05, Alistair Popple wrote:
> > > Jason Gunthorpe <[email protected]> writes:
> ...
> > > > > This doesn't make sense. IFF a blind retry is all that is needed it
> > > > > should be done in the core functionality. I fear it's not that easy,
> > > > > though.
> > > >
> > > > +1
> > > >
> > > > This migration retry weirdness is a GUP issue, it needs to be solved
> > > > in the mm not exposed to every pin_user_pages caller.
> > > >
> > > > If it turns out ZONE_MOVEABLE pages can't actually be reliably moved
> > > > then it is pretty broken..
> > >
> > > I wonder if we should remove the arbitrary retry limit in
> > > migrate_pages() entirely for ZONE_MOVEABLE pages and just loop until
> > > they migrate? By definition there should only be transient references on
> > > these pages so why do we need to limit the number of retries in the
> > > first place?
> >
> > There are some weird things that still needs fixing: vmsplice() is the
> > example that doesn't use FOLL_LONGTERM.
> >
>
> Hi David!
>
> Do you have any other call sites in mind? It sounds like one way forward
> is to fix each call site...
>
> This is an unhappy story right now: the pin_user_pages*() APIs are
> significantly worse than before the "migrate pages away automatically"
> upgrade, from a user point of view. Because now, the APIs fail
> intermittently for callers who follow the rules--because
> pin_user_pages() is not fully working yet, basically.
>
> Other ideas, large or small, about how to approach a fix?
IMHO pin_user_pages() should sleep and spin in an interruptable sleep
until we get all the migrations done. Not sure how hard it would be to
add some kind of proper waiting event sleep?
If userspace has got itself into knots then pin_user_pages() will
block in the kernel and ctrl-c will rescue it.
Even the temporary pins for something like O_DIRECT are long enough
that we wouldn't want to just spin the CPU.
Jason
On Thu, May 02, 2024 at 03:34:08PM -0300, Jason Gunthorpe wrote:
> IMHO pin_user_pages() should sleep and spin in an interruptable sleep
killable, not interruptible. Otherwise SIGWINCH and SIGALRM can
result an early return.
> until we get all the migrations done. Not sure how hard it would be to
> add some kind of proper waiting event sleep?
ummmmm. We have a "has waiters" bit in the folio. So on every call to
folio_put(), we could check that bit and wake up any waiters. I need to
think about that; right now, we only use it for unlock and end_writeback.
Making folio_put() heavier is, well, quite a lot of call-sites.
On 02.05.24 20:10, John Hubbard wrote:
> On 5/1/24 11:56 PM, David Hildenbrand wrote:
>> On 02.05.24 03:05, Alistair Popple wrote:
>>> Jason Gunthorpe <[email protected]> writes:
> ...
>>>>> This doesn't make sense. IFF a blind retry is all that is needed it
>>>>> should be done in the core functionality. I fear it's not that easy,
>>>>> though.
>>>>
>>>> +1
>>>>
>>>> This migration retry weirdness is a GUP issue, it needs to be solved
>>>> in the mm not exposed to every pin_user_pages caller.
>>>>
>>>> If it turns out ZONE_MOVEABLE pages can't actually be reliably moved
>>>> then it is pretty broken..
>>>
>>> I wonder if we should remove the arbitrary retry limit in
>>> migrate_pages() entirely for ZONE_MOVEABLE pages and just loop until
>>> they migrate? By definition there should only be transient references on
>>> these pages so why do we need to limit the number of retries in the
>>> first place?
>>
>> There are some weird things that still needs fixing: vmsplice() is the
>> example that doesn't use FOLL_LONGTERM.
>>
>
> Hi David!
>
Sorry for the late reply!
> Do you have any other call sites in mind? It sounds like one way forward
> is to fix each call site...
We also have udmabuf, that is currently getting fixed [1] similarly to
how we handle GUP. Could you and/or Jason also have a look at the
GUP-related bits? I acked it but the patch set does not seem to make
progress.
https://lkml.kernel.org/r/[email protected]
The sad story is:
(a) vmsplice() is harder to fix (identify all put_page() and replace
them by unpin_user_page()), but will get fixed at some point.
(b) even !longterm DMA can take double-digit seconds
(c) other wrong code is likely to exist or to appear again and it's
rather hard to identify+prevent reliably
IMHO we should expect migration to take a longer time and maybe never
happening in some cases.
Memory offlining (e.g., echo "offline" >
sys/devices/system/memory/memory0/state) currently tries forever to
migrate pages and can be killed if started from user space using a fatal
signal. If memory offlining happens from kernel context (unplugging
DIMM, ACPI code triggers offlining), we'd much rather want to fail at
some point instead of looping forever, but it hasn't really popped up as
a problem so far.
virtio-mem uses alloc_contig_range() for best-effort allocation and will
skip such temporarily unmovable ranges to try again later. Here, we
really don't want to loop forever in migration code but rather fail
earlier and try unplug of another memory block.
So as long as page pinning is triggered from user context where the user
can simply abort the process (e.g., kill the process), sleep+retry on
ZONE_MOVABLE + MIGRATE_CMA sounds reasonable.
>
> This is an unhappy story right now: the pin_user_pages*() APIs are
> significantly worse than before the "migrate pages away automatically"
> upgrade, from a user point of view. Because now, the APIs fail
> intermittently for callers who follow the rules--because
> pin_user_pages() is not fully working yet, basically.
>
> Other ideas, large or small, about how to approach a fix?
What Jason says makes sense to me: sleep+retry. My only concern is when
pin_user_pages_*() is called from non-killable context where failing at
some point might be more reasonable. But maybe that use case doesn't
really exist?
--
Cheers,
David / dhildenb