Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Date:   Sun, 24 May 2020 12:12:35 -0700 (PDT)
From:   Hugh Dickins <hughd@google.com>
To:     Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
cc:     Hugh Dickins <hughd@google.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Vlastimil Babka <vbabka@suse.cz>,
        David Rientjes <rientjes@google.com>,
        "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
        linux-kernel@vger.kernel.org, linux-mm@kvack.org
Subject: Re: [PATCH] mm/compaction: avoid VM_BUG_ON(PageSlab()) in
 page_mapcount()
In-Reply-To: <63fe94c7-78d1-ae03-00da-ba0e6d207a70@yandex-team.ru>
Message-ID: <alpine.LSU.2.11.2005241150250.3059@eggly.anvils>
References: <158937872515.474360.5066096871639561424.stgit@buzz> <alpine.LSU.2.11.2005231650070.1171@eggly.anvils> <63fe94c7-78d1-ae03-00da-ba0e6d207a70@yandex-team.ru>
User-Agent: Alpine 2.11 (LSU 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

On Sun, 24 May 2020, Konstantin Khlebnikov wrote:
> On 24/05/2020 04.01, Hugh Dickins wrote:
> > On Wed, 13 May 2020, Konstantin Khlebnikov wrote:
> > 
> > > Function isolate_migratepages_block() runs some checks out of lru_lock
> > > when choose pages for migration. After checking PageLRU() it checks extra
> > > page references by comparing page_count() and page_mapcount(). Between
> > > these two checks page could be removed from lru, freed and taken by slab.
> > > 
> > > As a result this race triggers VM_BUG_ON(PageSlab()) in page_mapcount().
> > > Race window is tiny. For certain workload this happens around once a
> > > year.
> > 
> > Around once a year, that was my guess too. I have no record of us ever
> > hitting this, but yes it could happen when you have CONFIG_DEBUG_VM=y
> > (which I too like to run with, but would not recommend for users).
> 
> Yep, but for large cluster and pinpointed workload this happens surprisingly
> frequently =) I've believed into this race only after seeing statistics for
> count of compactions and how it correlates with incidents.
> 
> Probably the key component is a slab allocation from network irq/bh context
> which interrupts compaction exactly at this spot.

Yes, I bet you're right.

> 
> > 
> > > 
> > > 
> > >   page:ffffea0105ca9380 count:1 mapcount:0 mapping:ffff88ff7712c180
> > > index:0x0 compound_mapcount: 0
> > >   flags: 0x500000000008100(slab|head)
> > >   raw: 0500000000008100 dead000000000100 dead000000000200
> > > ffff88ff7712c180
> > >   raw: 0000000000000000 0000000080200020 00000001ffffffff
> > > 0000000000000000
> > >   page dumped because: VM_BUG_ON_PAGE(PageSlab(page))
> > >   ------------[ cut here ]------------
> > >   kernel BUG at ./include/linux/mm.h:628!
> > >   invalid opcode: 0000 [#1] SMP NOPTI
> > >   CPU: 77 PID: 504 Comm: kcompactd1 Tainted: G        W
> > > 4.19.109-27 #1
> > >   Hardware name: Yandex T175-N41-Y3N/MY81-EX0-Y3N, BIOS R05 06/20/2019
> > >   RIP: 0010:isolate_migratepages_block+0x986/0x9b0
> > > 
> > > 
> > > To fix just opencode page_mapcount() in racy check for 0-order case and
> > > recheck carefully under lru_lock when page cannot escape from lru.
> > > 
> > > Also add checking extra references for file pages and swap cache.
> > > 
> > > Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
> > > Fixes: 119d6d59dcc0 ("mm, compaction: avoid isolating pinned pages")
> > 
> > Not really, that commit was correct at the time it went in.
> > 
> > > Fixes: 1d148e218a0d ("mm: add VM_BUG_ON_PAGE() to page_mapcount()")
> > 
> > Exactly, that commit was well-intentioned, but did not allow for this
> > (admittedly very exceptional) usage.  How many developers actually
> > make the mistake of applying page_mapcount() to their slab pages?
> > None, I expect.  That VM_BUG_ON_PAGE() is there for documentation,
> > and could just be replaced by a comment - and Linus would be happy
> > with that.
> 
> Ok, I'll redo the fix in this way.

Thanks.

> 
> > 
> > > ---
> > >   mm/compaction.c |   17 +++++++++++++----
> > >   1 file changed, 13 insertions(+), 4 deletions(-)
> > > 
> > > diff --git a/mm/compaction.c b/mm/compaction.c
> > > index 46f0fcc93081..91bb87fd9420 100644
> > > --- a/mm/compaction.c
> > > +++ b/mm/compaction.c
> > > @@ -935,12 +935,16 @@ isolate_migratepages_block(struct compact_control
> > > *cc, unsigned long low_pfn,
> > >   		}
> > >     		/*
> > > -		 * Migration will fail if an anonymous page is pinned in
> > > memory,
> > > +		 * Migration will fail if an page is pinned in memory,
> > >   		 * so avoid taking lru_lock and isolating it unnecessarily in
> > > an
> > > -		 * admittedly racy check.
> > > +		 * admittedly racy check simplest case for 0-order pages.
> > > +		 *
> > > +		 * Open code page_mapcount() to avoid
> > > VM_BUG_ON(PageSlab(page)).
> > 
> > But open coding page_mapcount() is not all that you did.  You have
> > (understandably) chosen to avoid calling page_mapping(page), but...
> > 
> > > +		 * Page could have extra reference from mapping or swap
> > > cache.
> > >   		 */
> > > -		if (!page_mapping(page) &&
> > > -		    page_count(page) > page_mapcount(page))
> > > +		if (!PageCompound(page) &&
> > > +		    page_count(page) > atomic_read(&page->_mapcount) + 1 +
> > > +				(!PageAnon(page) || PageSwapCache(page)))
> > >   			goto isolate_fail;
> > 
> > Isn't that test going to send all the file cache pages with buffer heads
> > in page->private, off to isolate_fail when they're actually great
> > candidates for migration?
> 
> Yes. What a shame. Adding page_has_private() could fix that?
> 
> Kind of
> 
> page_count(page) > page_mapcount(page) +
> (PageAnon(page) ? PageSwapCache(page) : (1 + page_has_private(page)))

Certainly it was fixable, but I'm too lazy to want to think through
the correct answer; and though I'm often out of sympathy with helper
functions (why do people want an inline bool function for every simple
flag test?!?!), here is a place that cries out for a helper, if you
complicate it beyond page_count > page_mapcount (especially when
driven into that detail of adding 1 to _mapcount).

> 
> or probably something like this:
> 
> page_count(page) > page_mapcount(page) +
> (PageAnon(page) ? PageSwapCache(page) : GUP_PIN_COUNTING_BIAS)
> 
> I.e. skip only file pages pinned by dma or something slower.
> I see some movements in this direction in recent changes.
> 
> of course that's independent matter.

Yes, once the gup/pin conversion is widespread, I expect that it will
allow a better implementation of this compaction test, one not limited
to the anonymous pages.  (We do internally use a patch extending the
current test to file pages, which in practice has saved a lot of time
wasted on failing compactions: but, last I looked anyway, it gets some
cases wrong - cases we happen not to care about ourselves, but would
be unacceptable upstream.  So I hope the distinction of pinned pages
will work out well here later.)

Hugh