Received: by 2002:a05:6359:c8b:b0:c7:702f:21d4 with SMTP id go11csp5961551rwb; Wed, 21 Sep 2022 15:19:27 -0700 (PDT) X-Google-Smtp-Source: AMsMyM6X/4nEjd6AMt2pSj6WchweESJnVjtM2ZfKwzik5AvZvbEEZDhss8ZcFvH0WFAdvz/0/MNe X-Received: by 2002:a17:90b:3e8d:b0:203:1b6d:2112 with SMTP id rj13-20020a17090b3e8d00b002031b6d2112mr12017247pjb.6.1663798767430; Wed, 21 Sep 2022 15:19:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1663798767; cv=none; d=google.com; s=arc-20160816; b=hKmP4vLr7O5MYGuHyjn6Sfri0IvWqxht9daiwM1kAg7BKFKQvn0gjpsQCYvglV6+6b ybPtJkdvp0z6xEbUHaRm98XSi1RNcG8i5Lcn446k0yUVGxEv2tKg2XZLJruhNzCYPBdw Dhu9C5WCi07yavWjYbTmuupVaPBV7XuCK+FNcZxQGVDWslwgkHw2p0h3iFdCKK6tnJsx A+dTHx5tIumAB/e9tREFzFcPTEb5CtXUUNyYWw7fLgjnFeEY14riBmDyEH/iG18fmmc/ rqTC9J0czpiAtdeSmE71HiuC8gBU4FEmB8z/5Tug8nMo2jSTi5SR7hMOU4iLefr/vJ21 P+Bw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=XZ8SawVBQP9c/4EcyyIBa5NvaB6VMTc+tw7uBZhzZug=; b=cldCv7OT1rQMA1H1xQKxCyuTFW3mKCWO2o+ihjNPuIGqg/n43hFtjwOcXrECJWo/Xf +f8JPr6SEhmQmBJImIY3rrbj7iK21D9ySnrZqnTEsfvK0xkkvObYu3naTHHuTnmykPM8 cwh6L43yBxHTVoXQUFTIr3aFvRJxTzF+DILjrmv6QP/klXX78S5dh1VJk5shgeC56a34 tiaK3jWJkX8nmyHdcu57XJAeIKWsiPEWZ/LP/OK3byE42Xl8kXGA+tMa1/CCZcei1VpK LFi5aFbFAC9Ryffw2geH775TND1U89P7ESSTCBC3BzzTBst4+VDRpq7MQ1AgnLQtNWw7 ZAUQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u63-20020a638542000000b00439fb921f8fsi4266823pgd.460.2022.09.21.15.18.50; Wed, 21 Sep 2022 15:19:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230360AbiIUWOY (ORCPT + 99 others); Wed, 21 Sep 2022 18:14:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55810 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231138AbiIUWOW (ORCPT ); Wed, 21 Sep 2022 18:14:22 -0400 Received: from mail105.syd.optusnet.com.au (mail105.syd.optusnet.com.au [211.29.132.249]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 21C81A74FE; Wed, 21 Sep 2022 15:14:21 -0700 (PDT) Received: from dread.disaster.area (pa49-181-106-210.pa.nsw.optusnet.com.au [49.181.106.210]) by mail105.syd.optusnet.com.au (Postfix) with ESMTPS id 8CFEF11009AD; Thu, 22 Sep 2022 08:14:17 +1000 (AEST) Received: from dave by dread.disaster.area with local (Exim 4.92.3) (envelope-from ) id 1ob7yy-00AYcI-1G; Thu, 22 Sep 2022 08:14:16 +1000 Date: Thu, 22 Sep 2022 08:14:16 +1000 From: Dave Chinner To: Dan Williams Cc: akpm@linux-foundation.org, Matthew Wilcox , Jan Kara , "Darrick J. Wong" , Jason Gunthorpe , Christoph Hellwig , John Hubbard , linux-fsdevel@vger.kernel.org, nvdimm@lists.linux.dev, linux-xfs@vger.kernel.org, linux-mm@kvack.org, linux-ext4@vger.kernel.org Subject: Re: [PATCH v2 05/18] xfs: Add xfs_break_layouts() to the inode eviction path Message-ID: <20220921221416.GT3600936@dread.disaster.area> References: <166329930818.2786261.6086109734008025807.stgit@dwillia2-xfh.jf.intel.com> <166329933874.2786261.18236541386474985669.stgit@dwillia2-xfh.jf.intel.com> <20220918225731.GG3600936@dread.disaster.area> <632894c4738d8_2a6ded294a@dwillia2-xfh.jf.intel.com.notmuch> <20220919212959.GL3600936@dread.disaster.area> <6329ee04c9272_2a6ded294bf@dwillia2-xfh.jf.intel.com.notmuch> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <6329ee04c9272_2a6ded294bf@dwillia2-xfh.jf.intel.com.notmuch> X-Optus-CM-Score: 0 X-Optus-CM-Analysis: v=2.4 cv=OJNEYQWB c=1 sm=1 tr=0 ts=632b8cbc a=j6JUzzrSC7wlfFge/rmVbg==:117 a=j6JUzzrSC7wlfFge/rmVbg==:17 a=kj9zAlcOel0A:10 a=xOM3xZuef0cA:10 a=7-415B0cAAAA:8 a=kcSw2F0C3OlGkMnRgwgA:9 a=CjuIK1q_8ugA:10 a=biEYGPWJfzWAr4FL6Ov7:22 X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org On Tue, Sep 20, 2022 at 09:44:52AM -0700, Dan Williams wrote: > Dave Chinner wrote: > > On Mon, Sep 19, 2022 at 09:11:48AM -0700, Dan Williams wrote: > > > Dave Chinner wrote: > > > > That all said, this really looks like a bit of a band-aid. > > > > > > It definitely is since DAX is in this transitory state between doing > > > some activities page-less and others with page metadata. If DAX was > > > fully committed to behaving like a typical page then > > > unmap_mapping_range() would have already satisfied this reference > > > counting situation. > > > > > > > I can't work out why would we we ever have an actual layout lease > > > > here that needs breaking given they are file based and active files > > > > hold a reference to the inode. If we ever break that, then I suspect > > > > this change will cause major problems for anyone using pNFS with XFS > > > > as xfs_break_layouts() can end up waiting for NFS delegation > > > > revocation. This is something we should never be doing in inode > > > > eviction/memory reclaim. > > > > > > > > Hence I have to ask why this lease break is being done > > > > unconditionally for all inodes, instead of only calling > > > > xfs_break_dax_layouts() directly on DAX enabled regular files? I > > > > also wonder what exciting new system deadlocks this will create > > > > because BREAK_UNMAP_FINAL can essentially block forever waiting on > > > > dax mappings going away. If that DAX mapping reclaim requires memory > > > > allocations..... > > > > > > There should be no memory allocations in the DAX mapping reclaim path. > > > Also, the page pins it waits for are precluded from being GUP_LONGTERM. > > > > So if the task that holds the pin needs memory allocation before it > > can unpin the page to allow direct inode reclaim to make progress? > > No, it couldn't, and I realize now that GUP_LONGTERM has nothing to do > with this hang since any GFP_KERNEL in a path that took a DAX page pin > path could run afoul of this need to wait. > > So, this has me looking at invalidate_inodes() and iput_final(), where I > did not see the reclaim entanglement, and thinking DAX has the unique > requirement to make sure that no access to a page outlives the hosting > inode. > > Not that I need to tell you, but to get my own thinking straight, > compare that to typical page cache as the pinner can keep a pinned > page-cache page as long as it wants even after it has been truncated. Right, because the page pin prevents the page from being freed after the page references the page cache keeps have been released. But page cache page != DAX page. The DAX page is a direct reference to the storage media, not a generic reference counted kernel page that the kernel will keep alive as long as there is a reference to it. Hence for a DAX page, we have to revoke all access to the page before the controlling owner context is torn down, otherwise we have a use-after-free scenario at the storage media level. For a FSDAX file data page, that owner context is the inode... > DAX needs to make sure that truncate_inode_pages() ceases all access to > the page synchronous with the truncate. Yes, exactly. > > The typical page-cache will > ensure that the next mapping of the file will get a new page if the page > previously pinned for that offset is still in use, DAX can not offer > that as the same page that was previously pinned is always used. Yes, because the new DAX ipage lookup will return the original page in the storage media, not a newly instantiated page cache page. > So I think this means something like this: > > diff --git a/fs/inode.c b/fs/inode.c > index 6462276dfdf0..ab16772b9a8d 100644 > --- a/fs/inode.c > +++ b/fs/inode.c > @@ -784,6 +784,11 @@ int invalidate_inodes(struct super_block *sb, bool kill_dirty) > continue; > } > > + if (dax_inode_busy(inode)) { > + busy = 1; > + continue; > + } That this does more than a check (i.e. it runs whatever dax_zap_pages() does) means it cannot be run under the inode spinlock. As this is called from the block device code when a bdev is being removed (i.e. will only find a superblock and inodes to invalidate on hot-unplug), shouldn't this DAX mapping invalidation actually be handled by the pmem failure notification infrastructure we've just added for reflink? > + > inode->i_state |= I_FREEING; > inode_lru_list_del(inode); > spin_unlock(&inode->i_lock); > @@ -1733,6 +1738,8 @@ static void iput_final(struct inode *inode) > spin_unlock(&inode->i_lock); > > write_inode_now(inode, 1); > + if (IS_DAX(inode)) > + dax_break_layouts(inode); > > spin_lock(&inode->i_lock); > state = inode->i_state; > diff --git a/include/linux/fs.h b/include/linux/fs.h > index 9eced4cc286e..e4a74ab310b5 100644 > --- a/include/linux/fs.h > +++ b/include/linux/fs.h > @@ -3028,8 +3028,20 @@ extern struct inode * igrab(struct inode *); > extern ino_t iunique(struct super_block *, ino_t); > extern int inode_needs_sync(struct inode *inode); > extern int generic_delete_inode(struct inode *inode); > + > +static inline bool dax_inode_busy(struct inode *inode) > +{ > + if (!IS_DAX(inode)) > + return false; > + > + return dax_zap_pages(inode) != NULL; > +} > + > static inline int generic_drop_inode(struct inode *inode) > { > + if (dax_inode_busy(inode)) > + return 0; > + > return !inode->i_nlink || inode_unhashed(inode); > } I don't think that's valid. This can result in unreferenced unlinked inodes that should be torn down immediately being placed in the LRU and cached in memory and potentially not processed until there is future memory pressure or an unmount.... i.e. dropping the final reference on an unlinked inode needs to reclaim the inode immediately and allow the filesystem to free the inode, regardless of any other factor. Nothing should have an active reference to the inode or inode related data/metadata at this point in time. Honestly, this still seems like a band-aid because it doesn't appear to address that something has pinned the storage media without having an active reference to the object that arbitrates access to that storage media (i.e. the inode and, by proxy, then filesystem). Where are these DAX page pins that don't require the pin holder to also hold active references to the filesystem objects coming from? Cheers, Dave. -- Dave Chinner david@fromorbit.com