From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6D30BC00140 for ; Mon, 22 Aug 2022 03:18:52 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id D88406B0073; Sun, 21 Aug 2022 23:18:51 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id D37A0940007; Sun, 21 Aug 2022 23:18:51 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id C4D576B0075; Sun, 21 Aug 2022 23:18:51 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0015.hostedemail.com [216.40.44.15]) by kanga.kvack.org (Postfix) with ESMTP id B66906B0073 for ; Sun, 21 Aug 2022 23:18:51 -0400 (EDT) Received: from smtpin23.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay10.hostedemail.com (Postfix) with ESMTP id 864BFC03EE for ; Mon, 22 Aug 2022 03:18:51 +0000 (UTC) X-FDA: 79825771662.23.B44AF8D Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by imf23.hostedemail.com (Postfix) with ESMTP id CA2E214006F for ; Mon, 22 Aug 2022 03:13:43 +0000 (UTC) Received: from canpemm500002.china.huawei.com (unknown [172.30.72.55]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4M9y6F00yGzlVhr; Mon, 22 Aug 2022 11:10:28 +0800 (CST) Received: from [10.174.177.76] (10.174.177.76) by canpemm500002.china.huawei.com (7.192.104.244) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Mon, 22 Aug 2022 11:13:39 +0800 Subject: Re: [bug report] mm/hugetlb: various bugs with avoid_reserve case in alloc_huge_page() To: Mike Kravetz CC: Andrew Morton , Muchun Song , Linux-MM , linux-kernel References: <5b1b60d6-e699-2330-0b6f-14c8dd5d78d4@huawei.com> From: Miaohe Lin Message-ID: Date: Mon, 22 Aug 2022 11:13:38 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset="utf-8" Content-Language: en-US Content-Transfer-Encoding: 7bit X-Originating-IP: [10.174.177.76] X-ClientProxiedBy: dggems705-chm.china.huawei.com (10.3.19.182) To canpemm500002.china.huawei.com (7.192.104.244) X-CFilter-Loop: Reflected ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1661138024; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=UXh+w9ZW6pYu0aN/Rb5u2J+3OB9Z68ue/BC8IX0JhE4=; b=J01soe0YJ8h990QGOgX2U7NWIf8CPsYv4AImpMT70d3DrOoEUmtPVdDmyLHEFVaI30OBUt 8Xd338fSjRhvMIBpHNbwtJ6vUHE/jxn3hgwyV15hyXG0VwtDZF+0ZktdmACF0pZC+kye0B tTCMsfFEgvfVoFHbhMdqt65EJLKrUJA= ARC-Authentication-Results: i=1; imf23.hostedemail.com; dkim=none; spf=pass (imf23.hostedemail.com: domain of linmiaohe@huawei.com designates 45.249.212.188 as permitted sender) smtp.mailfrom=linmiaohe@huawei.com; dmarc=pass (policy=quarantine) header.from=huawei.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1661138024; a=rsa-sha256; cv=none; b=v4Aql+BlGW39RMPE7gYYrwfzV1NfMJx93yH7ZIjm6bqVbyMpoXZgMKuy886HXQc9ik89ca uQfR3sbXO9Y4B4Vsh2g6sZoadOrkWmjyAU89X0VMZZdCwwncz6EJ6YNS/BHgk6ys6S2ZLq 89PhCyzDH3G43VSJH4Z++57GnCW9JGM= Authentication-Results: imf23.hostedemail.com; dkim=none; spf=pass (imf23.hostedemail.com: domain of linmiaohe@huawei.com designates 45.249.212.188 as permitted sender) smtp.mailfrom=linmiaohe@huawei.com; dmarc=pass (policy=quarantine) header.from=huawei.com X-Rspamd-Server: rspam05 X-Rspamd-Queue-Id: CA2E214006F X-Stat-Signature: k31zp4qxr1mc7w1gdptfjfbyhyf1hf5j X-Rspam-User: X-HE-Tag: 1661138023-704169 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 2022/8/20 3:11, Mike Kravetz wrote: > On 08/19/22 15:20, Miaohe Lin wrote: >> On 2022/8/19 6:43, Mike Kravetz wrote: >>> On 08/17/22 16:31, Miaohe Lin wrote: >>>> Hi all: >>>> When I investigate the mm/hugetlb.c code again, I found there are a few possible issues >>>> with avoid_reserve case. (It's really hard to follow the relevant code for me.) Please take >>>> a look at the below analysis: >>> >>> Thank you for taking a close look at this code! >>> >>> I agree that the code is hard to follow. I have spent many hours/days/weeks >>> chasing down the cause of incorrect reservation counts. I imagine there could >>> be more issues, especially when you add the uncommon avoid_reserve and >>> MAP_NORESERVE processing. >> >> Many thanks for your time and reply, Mike! > > Well, hugetlb reservations interrupted my sleep again :) See below. Another day scratching my hair for hugetlb reservations. :) > >>> >>>> 1.avoid_reserve issue with h->resv_huge_pages in alloc_huge_page. >>> >>> Did you actually see this issue, or is it just based on code inspection? >> >> No, it's based on code inspection. ;) >> >>> I tried to recreate, but could not. When looking closer, this may not >>> even be possible. >>> >>>> Assume: >>>> h->free_huge_pages 60 >>>> h->resv_huge_pages 30 >>>> spool->rsv_hpages 30 >>> >>> OK. >>> >>>> >>>> When avoid_reserve is true, after alloc_huge_page(), we will have: >>> >>> Take a close look at the calling paths for alloc_huge_page when avoid_reserve >>> is true. There are only two such call paths. >>> 1) copy_hugetlb_page_range - We allocate pages in the 'early COW' processing. >>> In such cases, the pages are private and not associated with a file, or >>> filesystem or subpool (spool). Therefore, there should be no spool >>> modifications. >> >> Agree. >> >>> 2) hugetlb_wp (formerly called hugetlb_cow) - Again, we are allocating a >>> private page and should not be modifying spool. >> >> Agree. >> >>> >>> If the above is correct, then we will not modify spool->rsv_hpages which >>> leads to the inconsistent results. >> >> I missed to verify whether spool will be modified in avoid_reserve case. Sorry about that. >> > > That is how it SHOULD work. However, there is a problem with a MAP_PRIVATE > mapping of a hugetlb file. In this case, subpool_vma will return the > subpool associated with the file, and we will end up with a leaked reservation > as in your example. I have verified with test code. Thanks for your time and verification. > > The first thought I had is that something like the following should be added. > > diff --git a/mm/hugetlb.c b/mm/hugetlb.c > index 474bfbe9929e..5aa19574e890 100644 > --- a/mm/hugetlb.c > +++ b/mm/hugetlb.c > @@ -254,7 +258,9 @@ static inline struct hugepage_subpool *subpool_inode(struct inode *inode) > > static inline struct hugepage_subpool *subpool_vma(struct vm_area_struct *vma) > { > - return subpool_inode(file_inode(vma->vm_file)); > + if (vma->vm_flags & (VM_MAYSHARE | VM_SHARED)) Maybe checking for VM_MAYSHARE is enough? It seems VM_SHARED can't be set while VM_MAYSHARE isn't set. But this change looks good for me to fix the discussed issue. > + return subpool_inode(file_inode(vma->vm_file)); > + return NULL; /* no subpool for private mappings */ > } > > /* Helper that removes a struct file_region from the resv_map cache and returns > > > That certainly addresses the MAP_PRIVATE mapping of a hugetlb file issue. > I will collect up patches for issues we discover and submit together. Thanks for doing this. BTW: IIUC, If MAP_PRIVATE mapping never consumes reservation, issue 2 and 3 shouldn't be possible. > >>> It is confusing that MAP_NORESERVE does not imply avoid_reserve will be >>> passed to alloc_huge_page. >> >> It's introduced to guarantee that COW faults for a process that called mmap(MAP_PRIVATE) will succeed via commit >> 04f2cbe35699 ("hugetlb: guarantee that COW faults for a process that called mmap(MAP_PRIVATE) on hugetlbfs will succeed"). >> It seems it has nothing to do with MAP_NORESERVE. >> >>> >>>> spool->rsv_hpages 29 /* hugepage_subpool_get_pages decreases it. */ >>>> h->free_huge_pages 59 >>>> h->resv_huge_pages 30 /* rsv_hpages is used, but *h->resv_huge_pages is not modified accordingly*. */ >>>> >>>> If the hugetlb page is freed later, we will have: >>>> spool->rsv_hpages 30 /* hugepage_subpool_put_pages increases it. */ >>>> h->free_huge_pages 60 >>>> h->resv_huge_pages 31 /* *increased wrongly* due to hugepage_subpool_put_pages(spool, 1) == 0. */ >>>> ^^ >>>> >>> >>> I'll take a closer look at 2 and 3 when we determine if 1 is a possible >>> issue or not. >> >> I want to propose removing the avoid_reserve code. When called from above case 1) or 2), vma_needs_reservation() >> will always return 1 as there's no reservation for it. Also hugepage_subpool_get_pages() will always return 1 as >> it's not associated with a spool. So when avoid_reserve == true, map_chg and gbl_chg must be 1 and vma_has_reserves() >> will always return "false". As a result, passing in avoid_reserve == true will do nothing in fact. So it can be simply >> removed. Or am I miss something again? > > I will take a closer look. But, at a high level if avoid_reserve == true and > all pages are reserved we must fail the allocation or attempt dynamic > allocation if overcommit is allowed. So, it seems we at least need the > flag to make this decision. Yes, you're right. Thanks, Miaohe Lin