Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp17781952rwd; Tue, 27 Jun 2023 07:31:31 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ5dJJliRnbQvAySjGXrNKrRafvMy1Faz66sjTliBVIbTrGKAez4X3F4sBfLWcm/EjqkzpdS X-Received: by 2002:a05:6808:2393:b0:397:fbe7:a0fb with SMTP id bp19-20020a056808239300b00397fbe7a0fbmr43150990oib.18.1687876291609; Tue, 27 Jun 2023 07:31:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1687876291; cv=none; d=google.com; s=arc-20160816; b=yjrjZ2ambn42Umf0LgTkn6Wrnkrt2d5uSQ7rira6V50vdKAU1FQfgzPbUdpQvm+17n q96flllOAw7fhfhp2g6P98/Eu7rnjb9TwZjo3MOQgpLeyFjoXfNf+IBGTLBRmwIowPaA k55wcMW9VLwYqtpnzNnQ/XjRBLHwzfX6TN8LNX1PYugXOBInPbmzo1CQxKu3SZFkcxzP dmccZHXWs5d+fvODzrfhoMHmnXJ/H2ClX6Syll33N2hy6lpGtmceNCb4kW2g+iTe4J0Q 6JAEXpjw/6JZ8VjWquqjZp8QDOGkItVOiWMza3WqnCSGi6ZG4cgCi1Dr++740RC5Kika mccg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=K6TZQqfTC0phvzBA5+w9u6YZyNkINgqRSZTxEAYxUCk=; fh=3eCWZ6nEm+MEY5aH64x0uVLv0DMIa80d6j9x0m2L6g0=; b=g17Pvu3Qjvz5Tx7UbN25enoFbwZx7dMR8GY0lekUb6Dazx7RKryndcUROFJgqJ+dei mmcDSWeV/zgvWSNAxKyImcwlb96jO8FXm5qlL0ufr2tNCvfgqNwiTYzFI1yzqCdztneg 6QXJtw9Q6OranyHetdhVZM7Zhm9P1PZ/ZTW6O1KHPvOzjIh8daT2kIPjb3s+g+p0TUOm +HBOnGXCM8Na7sBEZkD59Yr7p8TfYeRaethFrzqvjIL8O/9MTE1Pq6kGb/fBsOawxaNR Tf0ty6uGEbvgCQQbVqxDx4/GCWyscUonaG7t2vGeyapfrKRup6RNBFU86qKxIUpBS4z2 T6Sg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@suse.com header.s=susede1 header.b=WTxcbKg3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=suse.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id bs62-20020a632841000000b00542ad648fbasi7456082pgb.188.2023.06.27.07.31.18; Tue, 27 Jun 2023 07:31:31 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.com header.s=susede1 header.b=WTxcbKg3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=suse.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230161AbjF0ORp (ORCPT + 99 others); Tue, 27 Jun 2023 10:17:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57818 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229664AbjF0ORo (ORCPT ); Tue, 27 Jun 2023 10:17:44 -0400 Received: from smtp-out2.suse.de (smtp-out2.suse.de [IPv6:2001:67c:2178:6::1d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EEC82AB for ; Tue, 27 Jun 2023 07:17:42 -0700 (PDT) Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 97F8F1F459; Tue, 27 Jun 2023 14:17:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1687875461; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=K6TZQqfTC0phvzBA5+w9u6YZyNkINgqRSZTxEAYxUCk=; b=WTxcbKg3Ypgtl9LOZmsm2ItRA90Vd1ORSw9Ivf7jTlzkgPaptz7wItfYE+Dz/SfMjvjH31 lIQqlz0QKwsH5NWri+NopPqZDsRN4Wi5RLm2S6AXqD0qZG5D+ZEYqgKxCamb6RoIDC43rY SdRxu5mtAVIp26G25JhQWYBB91Il/0c= Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 7C2FB13462; Tue, 27 Jun 2023 14:17:41 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap2.suse-dmz.suse.de with ESMTPSA id cLbtG4XvmmRmBwAAMHmgww (envelope-from ); Tue, 27 Jun 2023 14:17:41 +0000 Date: Tue, 27 Jun 2023 16:17:40 +0200 From: Michal Hocko To: David Hildenbrand Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org, virtualization@lists.linux-foundation.org, Andrew Morton , "Michael S. Tsirkin" , John Hubbard , Oscar Salvador , Jason Wang , Xuan Zhuo Subject: Re: [PATCH v1 3/5] mm/memory_hotplug: make offline_and_remove_memory() timeout instead of failing on fatal signals Message-ID: References: <20230627112220.229240-1-david@redhat.com> <20230627112220.229240-4-david@redhat.com> <74cbbdd3-5a05-25b1-3f81-2fd47e089ac3@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <74cbbdd3-5a05-25b1-3f81-2fd47e089ac3@redhat.com> X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue 27-06-23 15:14:11, David Hildenbrand wrote: > On 27.06.23 14:40, Michal Hocko wrote: > > On Tue 27-06-23 13:22:18, David Hildenbrand wrote: > > > John Hubbard writes [1]: > > > > > > Some device drivers add memory to the system via memory hotplug. > > > When the driver is unloaded, that memory is hot-unplugged. > > > > > > However, memory hot unplug can fail. And these days, it fails a > > > little too easily, with respect to the above case. Specifically, if > > > a signal is pending on the process, hot unplug fails. > > > > > > [...] > > > > > > So in this case, other things (unmovable pages, un-splittable huge > > > pages) can also cause the above problem. However, those are > > > demonstrably less common than simply having a pending signal. I've > > > got bug reports from users who can trivially reproduce this by > > > killing their process with a "kill -9", for example. > > > > This looks like a bug of the said driver no? If the tear down process is > > killed it could very well happen right before offlining so you end up in > > the very same state. Or what am I missing? > > IIUC (John can correct me if I am wrong): > > 1) The process holds the device node open > 2) The process gets killed or quits > 3) As the process gets torn down, it closes the device node > 4) Closing the device node results in the driver removing the device and > calling offline_and_remove_memory() > > So it's not a "tear down process" that triggers that offlining_removal > somehow explicitly, it's just a side-product of it letting go of the device > node as the process gets torn down. Isn't that just fragile? The operation might fail for other reasons. Why cannot there be a hold on the resource to control the tear down explicitly? > > > Especially with ZONE_MOVABLE, offlining is supposed to work in most > > > cases when offlining actually hotplugged (not boot) memory, and only fail > > > in rare corner cases (e.g., some driver holds a reference to a page in > > > ZONE_MOVABLE, turning it unmovable). > > > > > > In these corner cases we really don't want to be stuck forever in > > > offline_and_remove_memory(). But in the general cases, we really want to > > > do our best to make memory offlining succeed -- in a reasonable > > > timeframe. > > > > > > Reliably failing in the described case when there is a fatal signal pending > > > is sub-optimal. The pending signal check is mostly only relevant when user > > > space explicitly triggers offlining of memory using sysfs device attributes > > > ("state" or "online" attribute), but not when coming via > > > offline_and_remove_memory(). > > > > > > So let's use a timer instead and ignore fatal signals, because they are > > > not really expressive for offline_and_remove_memory() users. Let's default > > > to 30 seconds if no timeout was specified, and limit the timeout to 120 > > > seconds. > > > > I really hate having timeouts back. They just proven to be hard to get > > right and it is essentially a policy implemented in the kernel. They > > simply do not belong to the kernel space IMHO. > > As much as I agree with you in terms of offlining triggered from user space > (e.g., write "state" or "online" attribute) where user-space is actually in > charge and can do something reasonable (timeout, retry, whatever), in these > the offline_and_remove_memory() case it's the driver that wants a > best-effort memory offlining+removal. > > If it times out, virtio-mem will simply try another block or retry later. > Right now, it could get stuck forever in offline_and_remove_memory(), which > is obviously "not great". Fortunately, for virtio-mem it's configurable and > we use the alloc_contig_range()-method for now as default. It seems that offline_and_remove_memory is using a wrong operation then. If it wants an opportunistic offlining with some sort of policy. Timeout might be just one policy to use but failure mode or a retry count might be a better fit for some users. So rather than (ab)using offline_pages, would be make more sense to extract basic offlining steps and allow drivers like virtio-mem to reuse them and define their own policy? > If it would time out for John's driver, we most certainly don't want to be > stuck in offline_and_remove_memory(), blocking device/driver unloading (and > even a reboot IIRC) possibly forever. Now I am confused. John driver wants to tear down the device now? There is no way to release that memory otherwise AFAIU from the initial problem description. -- Michal Hocko SUSE Labs