Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp676197ybz; Wed, 29 Apr 2020 07:28:58 -0700 (PDT) X-Google-Smtp-Source: APiQypKxL2/Q5KT5EDyXSt0TsEnb9JVx4Yzm9CrkyMuLWc1CuApHERe3G/YIyLYdOJhTujXMVtfZ X-Received: by 2002:aa7:d4d3:: with SMTP id t19mr2649092edr.144.1588170538622; Wed, 29 Apr 2020 07:28:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1588170538; cv=none; d=google.com; s=arc-20160816; b=THXAEetTKqjwW9XjBBHXVpy1yjp2eXFVsm3t4KRFgg5z6TgMcxoVbNAleRMZVZH3od YEI2SKhXCSMR412m/Ir3WLSAKupgonUyTrnDJVox/xdkBvEGAuDVxYGMJNNJ3s4fl4H3 PdBtPKS7oD+rJi9NiD0GkP+COL+LamcVNETR55hNNwjQPmMJWAo/yp+OjXl0CZt2Vv40 yLh1qMSaizSUPVpSgM2nyHOLWJRxQhFSZ57dlpeUOagjgqNbKTfXBOgnAknCZ4egHwG8 y5q6WxQtSr44Bq4tI5CVESk1jm2z/6AdA/LVJqZN8+ggMQm8+JKW25qYEjQ0/D+0fiA5 QOcg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=aWtaTTSNTzK+8VtJHmNxXi4ve7kZo3n6KV5SYDQbS9I=; b=RcAt7/XlevvuL7DzPpOlZdYzUxdg75IcPPoub5xn7GOQe337oX12l2I54unWhY8o4M pnqIU03IABbrYNtGk7u2VxD3Wmay/uqqs/+ctApuVYgiOTj9Co4GX4+N+i9qjinJukgo 6Bl4C86N2Jctiqm1/U7fuW9sEQszkrdq2kskvqKy0YAWGpfCisXCrZxjfgtYQjGb+921 UF71UJTR5Wqmi9LrWncwOGXuip4DswpDKTBjLuXA7kJxFAhLnvV1yzT2fOOgzXeGzk+g ef6V1Hz3F1GKoE0H6jX/OQ3I1S3IKxbxEgegugETI+6CrNWTGGsb+FwG4WeMqwkIHbSb yumg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@cmpxchg-org.20150623.gappssmtp.com header.s=20150623 header.b=ndIkV6Qf; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=cmpxchg.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n1si3558243edo.354.2020.04.29.07.28.35; Wed, 29 Apr 2020 07:28:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@cmpxchg-org.20150623.gappssmtp.com header.s=20150623 header.b=ndIkV6Qf; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=cmpxchg.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726739AbgD2O1L (ORCPT + 99 others); Wed, 29 Apr 2020 10:27:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60952 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1726355AbgD2O1K (ORCPT ); Wed, 29 Apr 2020 10:27:10 -0400 Received: from mail-qk1-x741.google.com (mail-qk1-x741.google.com [IPv6:2607:f8b0:4864:20::741]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 360F6C03C1AD for ; Wed, 29 Apr 2020 07:27:10 -0700 (PDT) Received: by mail-qk1-x741.google.com with SMTP id o135so2113622qke.6 for ; Wed, 29 Apr 2020 07:27:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cmpxchg-org.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=aWtaTTSNTzK+8VtJHmNxXi4ve7kZo3n6KV5SYDQbS9I=; b=ndIkV6QfmD4PZV4Z0gk7BymE8uvcokLZlAam1EshLYJTdQtA2p0eUPC+Hmx9hBfXvN hZ50Ak/UHf9Fra322cv86xXt0zYopr1qPtueLJGLTrAmwLgQLEDW2tpuZp9xuCg3UYeb 1pRV5GpAbKffqyU5Nb7kexzabW+dXiIZIOaSixhmNuh/LuudbFkn4dDzWbloJuphK4SW K7NazNpTDV5jO+391IEE/olFqy3szjBdunZlILubAuzJjMyEnYkCf6SjhVa48kEaHLCy CZeLpzlFOuGPaybdZhd0YNmq43ykaEt7GiZJbsLKyAVQpCusw266ZIQntmf9f7oBI4a0 dg1w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=aWtaTTSNTzK+8VtJHmNxXi4ve7kZo3n6KV5SYDQbS9I=; b=PVlztWG8+p81HAIxcgOG3gN1ejOgn3WR7rtoSAEikuDcmo89K/uSfQvUir8w4XDJLI h4YhSWXKyOQoZu3VzYqoSA2oF5eYuY88kzz4MMqQIaz2vZAzDOYYAEER9u0J39hmt4Aw aPzOHbUe0e0BoWjMQYWBhwpWf5laQpZmdLZ9aXiay0xP4DaT0LeZrbwtDYzMCgYh/Uey ktBanXlzLl+CRfVueX9XWPD/x0IWBOZCaNxdXPE1znASyrtlW1VxowYcOjOSia+aw3wy JPlQ4zrhonol2YDqowKN55o3CSjXB0w57oBNJ1OfP/nRR5wYbtUSw8mC0dp6wWSmzbLm 43UQ== X-Gm-Message-State: AGi0PuZSYX5PguHQWLdw9lNpOdauLiPcnn6oCD7WqX8ZPy+0uQ1zh+xd yLTNGXFInTUDBYNmMGUxYqjhwg== X-Received: by 2002:a37:7786:: with SMTP id s128mr33937820qkc.497.1588170429291; Wed, 29 Apr 2020 07:27:09 -0700 (PDT) Received: from localhost (70.44.39.90.res-cmts.bus.ptd.net. [70.44.39.90]) by smtp.gmail.com with ESMTPSA id i6sm15584097qkk.123.2020.04.29.07.27.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 29 Apr 2020 07:27:08 -0700 (PDT) Date: Wed, 29 Apr 2020 10:27:07 -0400 From: Johannes Weiner To: Yafang Shao Cc: Michal Hocko , Chris Down , Andrew Morton , Roman Gushchin , Linux MM , Cgroups , LKML Subject: Re: [PATCH 1/2] mm, memcg: Avoid stale protection values when cgroup is above protection Message-ID: <20200429142707.GC5054@cmpxchg.org> References: <20200429101510.GA28637@dhcp22.suse.cz> <20200429140330.GA5054@cmpxchg.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Apr 29, 2020 at 10:17:21PM +0800, Yafang Shao wrote: > On Wed, Apr 29, 2020 at 10:03 PM Johannes Weiner wrote: > > > > On Wed, Apr 29, 2020 at 12:15:10PM +0200, Michal Hocko wrote: > > > On Tue 28-04-20 19:26:47, Chris Down wrote: > > > > From: Yafang Shao > > > > > > > > A cgroup can have both memory protection and a memory limit to isolate > > > > it from its siblings in both directions - for example, to prevent it > > > > from being shrunk below 2G under high pressure from outside, but also > > > > from growing beyond 4G under low pressure. > > > > > > > > Commit 9783aa9917f8 ("mm, memcg: proportional memory.{low,min} reclaim") > > > > implemented proportional scan pressure so that multiple siblings in > > > > excess of their protection settings don't get reclaimed equally but > > > > instead in accordance to their unprotected portion. > > > > > > > > During limit reclaim, this proportionality shouldn't apply of course: > > > > there is no competition, all pressure is from within the cgroup and > > > > should be applied as such. Reclaim should operate at full efficiency. > > > > > > > > However, mem_cgroup_protected() never expected anybody to look at the > > > > effective protection values when it indicated that the cgroup is above > > > > its protection. As a result, a query during limit reclaim may return > > > > stale protection values that were calculated by a previous reclaim cycle > > > > in which the cgroup did have siblings. > > > > > > > > When this happens, reclaim is unnecessarily hesitant and potentially > > > > slow to meet the desired limit. In theory this could lead to premature > > > > OOM kills, although it's not obvious this has occurred in practice. > > > > > > Thanks this describes the underlying problem. I would be also explicit > > > that the issue should be visible only on tail memcgs which have both > > > max/high and protection configured and the effect depends on the > > > difference between the two (the smaller it is the largrger the effect). > > > > > > There is no mention about the fix. The patch resets effective values for > > > the reclaim root and I've had some concerns about that > > > http://lkml.kernel.org/r/20200424162103.GK11591@dhcp22.suse.cz. > > > Johannes has argued that other races are possible and I didn't get to > > > think about it thoroughly. But this patch is introducing a new > > > possibility of breaking protection. If we want to have a quick and > > > simple fix that would be easier to backport to older kernels then I > > > would feel much better if we simply workedaround the problem as > > > suggested earlier http://lkml.kernel.org/r/20200423061629.24185-1-laoar.shao@gmail.com > > > We can rework the effective values calculation to be more robust against > > > races on top of that because this is likely a more tricky thing to do. > > > > Well, can you please *do* think more thoroughly about what I wrote, > > instead of pushing for an alternative patch on gut feeling alone? > > > > Especially when you imply that this should be a stable patch. > > > > Not only does your alternative patch not protect against the race you > > are worried about, the race itself doesn't matter. Racing reclaimers > > will write their competing views of the world into the shared state on > > all other levels anyway. > > > > And that's okay. If the configuration and memory usage is such that > > there is at least one reclaimer that scans without any protection > > (like a limit reclaimer), it's not a problem when a second reclaimer > > that meant to do protected global reclaim will also do one iteration > > without protection. It's no different than if a second thread had > > entered limit reclaim through another internal allocation. > > > > There is no semantical violation with the race in your patch or the > > race in this patch. Any effective protection that becomes visible is > > 1) permitted by the configuration, but 2) also triggered *right now* > > by an acute need to reclaim memory with these parameters. > > > > The *right now* part is important. That's what's broken before either > > patch, and that's what we're fixing: to see really, really *old* stale > > that might not be representative of the config semantics anymore. > > > > Since you haven't linked to my email, here is my counter argument to > > the alternative patch "fixing" this race somehow. > > > > A reclaim: > > > > root > > `- A (low=2G, max=3G -> elow=0) > > `- A1 (low=0G -> elow=0) > > > > Global reclaim: > > > > root > > `- A (low=2G, max=3G -> elow=2G) > > `- A1 (low=0G -> elow=2G) > > > > During global reclaim, A1 is supposed to have 2G effective low > > protection. If A limit reclaim races, it can set A1's elow to > > 0. > > Before the commit 8a931f801340c2be ("mm: memcontrol: recursive > memory.low protection"), the A1's elow should be 0, while after this > commit A1's elow is 2G. > That is a behavior change. Yes, that was an intentional change around the inheritance rules. And your alternative patch doesn't fix the race you are (wrongly) worried about under these rules. What's your point, exactly? > Then this case gives us another example why accessing emin and elow in > the very deap reclaiming code (get_scan_count) is the root of ALL > EVIL. You must be confusing this software engineering list with a witch doctor conference.