* Re: [patch 06/13] locking/bitspinlock: Clenaup PREEMPT_COUNT leftovers [not found] ` <20200914204441.579902354@linutronix.de> @ 2020-09-15 16:10 ` Will Deacon 0 siblings, 0 replies; 47+ messages in thread From: Will Deacon @ 2020-09-15 16:10 UTC (permalink / raw) To: Thomas Gleixner Cc: LKML, linux-arch, Linus Torvalds, Sebastian Andrzej Siewior, Valentin Schneider, Richard Henderson, Ivan Kokshaysky, Matt Turner, linux-alpha, Jeff Dike, Richard Weinberger, Anton Ivanov, linux-um, Brian Cain, linux-hexagon, Geert Uytterhoeven, linux-m68k, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Andrew Morton, linux-mm, Ingo Molnar, Russell King, linux-arm-kernel, Chris Zankel, Max Filippov, linux-xtensa, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie, Daniel Vetter, intel-gfx, dri-devel, Paul E. McKenney, Josh Triplett, Mathieu Desnoyers, Lai Jiangshan, Shuah Khan, rcu, linux-kselftest On Mon, Sep 14, 2020 at 10:42:15PM +0200, Thomas Gleixner wrote: > CONFIG_PREEMPT_COUNT is now unconditionally enabled and will be > removed. Cleanup the leftovers before doing so. > > Signed-off-by: Thomas Gleixner <tglx@linutronix.de> > --- > include/linux/bit_spinlock.h | 4 +--- > 1 file changed, 1 insertion(+), 3 deletions(-) > > --- a/include/linux/bit_spinlock.h > +++ b/include/linux/bit_spinlock.h > @@ -90,10 +90,8 @@ static inline int bit_spin_is_locked(int > { > #if defined(CONFIG_SMP) || defined(CONFIG_DEBUG_SPINLOCK) > return test_bit(bitnum, addr); > -#elif defined CONFIG_PREEMPT_COUNT > - return preempt_count(); > #else > - return 1; > + return preempt_count(); > #endif Acked-by: Will Deacon <will@kernel.org> Will ^ permalink raw reply [flat|nested] 47+ messages in thread
[parent not found: <20200914204441.375753691@linutronix.de>]
* Re: [patch 04/13] lockdep: Clenaup PREEMPT_COUNT leftovers [not found] ` <20200914204441.375753691@linutronix.de> @ 2020-09-15 16:11 ` Will Deacon 0 siblings, 0 replies; 47+ messages in thread From: Will Deacon @ 2020-09-15 16:11 UTC (permalink / raw) To: Thomas Gleixner Cc: LKML, linux-arch, Linus Torvalds, Sebastian Andrzej Siewior, Valentin Schneider, Peter Zijlstra, Ingo Molnar, Richard Henderson, Ivan Kokshaysky, Matt Turner, linux-alpha, Jeff Dike, Richard Weinberger, Anton Ivanov, linux-um, Brian Cain, linux-hexagon, Geert Uytterhoeven, linux-m68k, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Andrew Morton, linux-mm, Ingo Molnar, Russell King, linux-arm-kernel, Chris Zankel, Max Filippov, linux-xtensa, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie, Daniel Vetter, intel-gfx, dri-devel, Paul E. McKenney, Josh Triplett, Mathieu Desnoyers, Lai Jiangshan, Shuah Khan, rcu, linux-kselftest On Mon, Sep 14, 2020 at 10:42:13PM +0200, Thomas Gleixner wrote: > CONFIG_PREEMPT_COUNT is now unconditionally enabled and will be > removed. Cleanup the leftovers before doing so. > > Signed-off-by: Thomas Gleixner <tglx@linutronix.de> > Cc: Peter Zijlstra <peterz@infradead.org> > Cc: Ingo Molnar <mingo@kernel.org> > Cc: Will Deacon <will@kernel.org> > --- > include/linux/lockdep.h | 6 ++---- > lib/Kconfig.debug | 1 - > 2 files changed, 2 insertions(+), 5 deletions(-) > > --- a/include/linux/lockdep.h > +++ b/include/linux/lockdep.h > @@ -585,16 +585,14 @@ do { \ > > #define lockdep_assert_preemption_enabled() \ > do { \ > - WARN_ON_ONCE(IS_ENABLED(CONFIG_PREEMPT_COUNT) && \ > - debug_locks && \ > + WARN_ON_ONCE(debug_locks && \ > (preempt_count() != 0 || \ > !raw_cpu_read(hardirqs_enabled))); \ > } while (0) > > #define lockdep_assert_preemption_disabled() \ > do { \ > - WARN_ON_ONCE(IS_ENABLED(CONFIG_PREEMPT_COUNT) && \ > - debug_locks && \ > + WARN_ON_ONCE(debug_locks && \ > (preempt_count() == 0 && \ > raw_cpu_read(hardirqs_enabled))); \ > } while (0) > --- a/lib/Kconfig.debug > +++ b/lib/Kconfig.debug > @@ -1161,7 +1161,6 @@ config PROVE_LOCKING > select DEBUG_RWSEMS > select DEBUG_WW_MUTEX_SLOWPATH > select DEBUG_LOCK_ALLOC > - select PREEMPT_COUNT > select TRACE_IRQFLAGS > default n > help Acked-by: Will Deacon <will@kernel.org> Will ^ permalink raw reply [flat|nested] 47+ messages in thread
[parent not found: <CAHk-=win80rdof8Pb=5k6gT9j_v+hz-TQzKPVastZDvBe9RimQ@mail.gmail.com>]
* Re: [patch 00/13] preempt: Make preempt count unconditional [not found] ` <CAHk-=win80rdof8Pb=5k6gT9j_v+hz-TQzKPVastZDvBe9RimQ@mail.gmail.com> @ 2020-09-15 17:25 ` Paul E. McKenney [not found] ` <871rj4owfn.fsf@nanos.tec.linutronix.de> 1 sibling, 0 replies; 47+ messages in thread From: Paul E. McKenney @ 2020-09-15 17:25 UTC (permalink / raw) To: Linus Torvalds Cc: Thomas Gleixner, LKML, linux-arch, Sebastian Andrzej Siewior, Valentin Schneider, Richard Henderson, Ivan Kokshaysky, Matt Turner, alpha, Jeff Dike, Richard Weinberger, Anton Ivanov, linux-um, Brian Cain, linux-hexagon, Geert Uytterhoeven, linux-m68k, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Will Deacon, Andrew Morton, Linux-MM, Ingo Molnar, Russell King, Linux ARM, Chris Zankel, Max Filippov, linux-xtensa, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie, Daniel Vetter, intel-gfx, dri-devel, Josh Triplett, Mathieu Desnoyers, Lai Jiangshan, Shuah Khan, rcu, open list:KERNEL SELFTEST FRAMEWORK On Mon, Sep 14, 2020 at 01:59:15PM -0700, Linus Torvalds wrote: > On Mon, Sep 14, 2020 at 1:45 PM Thomas Gleixner <tglx@linutronix.de> wrote: > > > > Recently merged code does: > > > > gfp = preemptible() ? GFP_KERNEL : GFP_ATOMIC; > > > > Looks obviously correct, except for the fact that preemptible() is > > unconditionally false for CONFIF_PREEMPT_COUNT=n, i.e. all allocations in > > that code use GFP_ATOMIC on such kernels. > > I don't think this is a good reason to entirely get rid of the no-preempt thing. > > The above is just garbage. It's bogus. You can't do it. > > Blaming the no-preempt code for this bug is extremely unfair, imho. > > And the no-preempt code does help make for much better code generation > for simple spinlocks. > > Where is that horribly buggy recent code? It's not in that exact > format, certainly, since 'grep' doesn't find it. It would be convenient for that "gfp =" code to work, as this would allow better cache locality while invoking RCU callbacks, and would further provide better robustness to callback floods. The full story is quite long, but here are alternatives have not yet been proven to be abject failures: 1. Use workqueues to do the allocations in a clean context. While waiting for the allocations, the callbacks are queued in the old cache-busting manner. This functions correctly, but in the meantime (which on busy systems can be some time) the cache locality and robustness are lost. 2. Provide the ability to allocate memory in raw atomic context. This is extremely effective, especially when used in combination with #1 above, but as you might suspect, the MM guys don't like it much. In contrast, with Thomas's patch series, call_rcu() and kvfree_rcu() could just look at preemptible() to see whether or not it was safe to allocate memory, even in !PREEMPT kernels -- and in the common case, it almost always would be safe. It is quite possible that this approach would work in isolation, or failing that, that adding #1 above would do the trick. I understand that this is all very hand-wavy, and I do apologize for that. If you really want the full sad story with performance numbers and the works, let me know! Thanx, Paul ^ permalink raw reply [flat|nested] 47+ messages in thread
[parent not found: <871rj4owfn.fsf@nanos.tec.linutronix.de>]
[parent not found: <CAHk-=wj0eUuVQ=hRFZv_nY7g5ZLt7Fy3K7SMJL0ZCzniPtsbbg@mail.gmail.com>]
[parent not found: <CAHk-=wjOV6f_ddg+QVCF6RUe+pXPhSR2WevnNyOs9oT+q2ihEA@mail.gmail.com>]
* [PATCH] crypto: lib/chacha20poly1305 - Set SG_MITER_ATOMIC unconditionally [not found] ` <CAHk-=wjOV6f_ddg+QVCF6RUe+pXPhSR2WevnNyOs9oT+q2ihEA@mail.gmail.com> @ 2020-09-15 3:30 ` Herbert Xu 2020-09-15 6:03 ` Ard Biesheuvel 2020-09-15 6:45 ` Linus Torvalds 2020-09-15 6:20 ` [patch 00/13] preempt: Make preempt count unconditional Ard Biesheuvel 1 sibling, 2 replies; 47+ messages in thread From: Herbert Xu @ 2020-09-15 3:30 UTC (permalink / raw) To: Linus Torvalds Cc: Thomas Gleixner, Ard Biesheuvel, LKML, Linux Crypto Mailing List I trimmed the cc as the mailing lists appear to be blocking this email because of it. On Mon, Sep 14, 2020 at 03:37:49PM -0700, Linus Torvalds wrote: > > So it _looks_ like this code started using kmap() - probably back when > kmap_atomic() was so cumbersome to use - and was then converted > (conditionally) to kmap_atomic() rather than just changed whole-sale. > Is there actually something that wants to use those sg_miter functions > and sleep? I dug up the old zinc patch submissions and this wasn't present at all in the original. The original zinc code used blkcipher_walk which unconditinoally does kmap_atomic. So it's only the SG miter conversion that introduced this change, which appears to be a simple oversight (I think Ard was working on latency issues at that time, perhaps he was worried about keeping preemption off unnecessarily). ---8<--- There is no reason for the chacha20poly1305 SG miter code to use kmap instead of kmap_atomic as the critical section doesn't sleep anyway. So we can simply get rid of the preemptible check and set SG_MITER_ATOMIC unconditionally. Even if we need to reenable preemption to lower latency we should be doing that by interrupting the SG miter walk rather than using kmap. Reported-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> diff --git a/lib/crypto/chacha20poly1305.c b/lib/crypto/chacha20poly1305.c index 431e04280332..5850f3b87359 100644 --- a/lib/crypto/chacha20poly1305.c +++ b/lib/crypto/chacha20poly1305.c @@ -251,9 +251,7 @@ bool chacha20poly1305_crypt_sg_inplace(struct scatterlist *src, poly1305_update(&poly1305_state, pad0, 0x10 - (ad_len & 0xf)); } - flags = SG_MITER_TO_SG; - if (!preemptible()) - flags |= SG_MITER_ATOMIC; + flags = SG_MITER_TO_SG | SG_MITER_ATOMIC; sg_miter_start(&miter, src, sg_nents(src), flags); -- Email: Herbert Xu <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt ^ permalink raw reply related [flat|nested] 47+ messages in thread
* Re: [PATCH] crypto: lib/chacha20poly1305 - Set SG_MITER_ATOMIC unconditionally 2020-09-15 3:30 ` [PATCH] crypto: lib/chacha20poly1305 - Set SG_MITER_ATOMIC unconditionally Herbert Xu @ 2020-09-15 6:03 ` Ard Biesheuvel 2020-09-15 6:40 ` Herbert Xu 2020-09-15 6:45 ` Linus Torvalds 1 sibling, 1 reply; 47+ messages in thread From: Ard Biesheuvel @ 2020-09-15 6:03 UTC (permalink / raw) To: Herbert Xu, Jason A. Donenfeld Cc: Linus Torvalds, Thomas Gleixner, LKML, Linux Crypto Mailing List (+ Jason) On Tue, 15 Sep 2020 at 06:30, Herbert Xu <herbert@gondor.apana.org.au> wrote: > > I trimmed the cc as the mailing lists appear to be blocking this > email because of it. > > On Mon, Sep 14, 2020 at 03:37:49PM -0700, Linus Torvalds wrote: > > > > So it _looks_ like this code started using kmap() - probably back when > > kmap_atomic() was so cumbersome to use - and was then converted > > (conditionally) to kmap_atomic() rather than just changed whole-sale. > > Is there actually something that wants to use those sg_miter functions > > and sleep? > > I dug up the old zinc patch submissions and this wasn't present at > all in the original. The original zinc code used blkcipher_walk > which unconditinoally does kmap_atomic. > Remember that the Zinc patchset was very vocal about not relying on the Linux crypto API, yet it [ab]used the crypto blkcipher_walk API (which was already deprecated at that point) in a rather horrid way, by going around the blkcipher API itself, and creating some mock objects that the blkcipher scatterlist walker would expect to exist. So instead, I opted to rewrite this code using the SG miter API so that: - src == dst, and so we only need to traverse (and kmap) a single scatterlist instead of two in parallel (as Wireguard has no need for the latter) - no elaborate handling of the scatterlist elements when they are not a multiple of the cipher chunk size (which is not needed for a stream cipher liker ChaCha) - no need to use scatterwalk_map_and_copy() (and do another kmap()) to access the tag if it was covered by the last scatterlist element. > So it's only the SG miter conversion that introduced this change, > which appears to be a simple oversight (I think Ard was working on > latency issues at that time, perhaps he was worried about keeping > preemption off unnecessarily). > No, the problem with using kmap_atomic() is that it disables preemption even on !HIGHMEM architectures. So using it unconditionally here means that all chacha/poly processing will execute with preemption disabled on 64-bit architectures as well. This means that, even if you avoid the SIMD accelerated ciphers for latency reasons (as they disable preemption as well), you are still running the bulk of the WireGuard processing with preemption disabled. > ---8<--- > There is no reason for the chacha20poly1305 SG miter code to use > kmap instead of kmap_atomic as the critical section doesn't sleep > anyway. So we can simply get rid of the preemptible check and > set SG_MITER_ATOMIC unconditionally. > > Even if we need to reenable preemption to lower latency we should > be doing that by interrupting the SG miter walk rather than using > kmap. > AIUI, the common case is that the entire packet is covered by a single scatterlist element, so there is no room for latency reduction here. The problem is really that kmap_atomic() is not simply a no-op on !HIGHMEM architectures. If we can fix that, I have no objections to this patch. > Reported-by: Linus Torvalds <torvalds@linux-foundation.org> > Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> > > diff --git a/lib/crypto/chacha20poly1305.c b/lib/crypto/chacha20poly1305.c > index 431e04280332..5850f3b87359 100644 > --- a/lib/crypto/chacha20poly1305.c > +++ b/lib/crypto/chacha20poly1305.c > @@ -251,9 +251,7 @@ bool chacha20poly1305_crypt_sg_inplace(struct scatterlist *src, > poly1305_update(&poly1305_state, pad0, 0x10 - (ad_len & 0xf)); > } > > - flags = SG_MITER_TO_SG; > - if (!preemptible()) > - flags |= SG_MITER_ATOMIC; > + flags = SG_MITER_TO_SG | SG_MITER_ATOMIC; > > sg_miter_start(&miter, src, sg_nents(src), flags); > > -- > Email: Herbert Xu <herbert@gondor.apana.org.au> > Home Page: http://gondor.apana.org.au/~herbert/ > PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [PATCH] crypto: lib/chacha20poly1305 - Set SG_MITER_ATOMIC unconditionally 2020-09-15 6:03 ` Ard Biesheuvel @ 2020-09-15 6:40 ` Herbert Xu 0 siblings, 0 replies; 47+ messages in thread From: Herbert Xu @ 2020-09-15 6:40 UTC (permalink / raw) To: Ard Biesheuvel Cc: Jason A. Donenfeld, Linus Torvalds, Thomas Gleixner, LKML, Linux Crypto Mailing List On Tue, Sep 15, 2020 at 09:03:46AM +0300, Ard Biesheuvel wrote: > > The problem is really that kmap_atomic() is not simply a no-op on > !HIGHMEM architectures. If we can fix that, I have no objections to > this patch. Yes we should definitely fix that. However, doing so will involve manually checking every instance of kmap_atomic. Cheers, -- Email: Herbert Xu <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [PATCH] crypto: lib/chacha20poly1305 - Set SG_MITER_ATOMIC unconditionally 2020-09-15 3:30 ` [PATCH] crypto: lib/chacha20poly1305 - Set SG_MITER_ATOMIC unconditionally Herbert Xu 2020-09-15 6:03 ` Ard Biesheuvel @ 2020-09-15 6:45 ` Linus Torvalds 2020-09-15 6:55 ` Linus Torvalds 1 sibling, 1 reply; 47+ messages in thread From: Linus Torvalds @ 2020-09-15 6:45 UTC (permalink / raw) To: Herbert Xu Cc: Thomas Gleixner, Ard Biesheuvel, LKML, Linux Crypto Mailing List On Mon, Sep 14, 2020 at 8:30 PM Herbert Xu <herbert@gondor.apana.org.au> wrote: > > There is no reason for the chacha20poly1305 SG miter code to use > kmap instead of kmap_atomic as the critical section doesn't sleep > anyway. So we can simply get rid of the preemptible check and > set SG_MITER_ATOMIC unconditionally. So I'd prefer to make SG_MITER_ATOMIC go away entirely, and just remove the non-atomic case.. A quick grep seems to imply that just about all users set the ATOMIC bit anyway. I didn't look at everything, but every case I _did_ look at did seem to set the ATOMIC bit. So it really did seem like there isn't a lot of reason to have the non-atomic case, and this flag could go away - not by virtue of the atomic case going away, but by virtue of the atomic case being the only actual case. I mean, I did find one case that didn't set it (cb710-mmc.c), but pattern-matching to the other mmc cases, that one looks like it _should_ have set the atomic flag like everybody else did. Did I miss something? Linus ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [PATCH] crypto: lib/chacha20poly1305 - Set SG_MITER_ATOMIC unconditionally 2020-09-15 6:45 ` Linus Torvalds @ 2020-09-15 6:55 ` Linus Torvalds 2020-09-15 7:05 ` Herbert Xu 2020-09-15 7:08 ` Ard Biesheuvel 0 siblings, 2 replies; 47+ messages in thread From: Linus Torvalds @ 2020-09-15 6:55 UTC (permalink / raw) To: Herbert Xu Cc: Thomas Gleixner, Ard Biesheuvel, LKML, Linux Crypto Mailing List On Mon, Sep 14, 2020 at 11:45 PM Linus Torvalds <torvalds@linux-foundation.org> wrote: > > I mean, I did find one case that didn't set it (cb710-mmc.c), but > pattern-matching to the other mmc cases, that one looks like it > _should_ have set the atomic flag like everybody else did. Oh, and immediately after sending that out I notice nvmet_bdev_execute_rw(), which does seem to make allocations inside that sg_miter loop. So those non-atomic cases do clearly exist. It does make the case for why kmap_atomic() wants to have the debugging code. It will "just work" on 64-bit to do it wrong, because the address doesn't become invalid just because you sleep or get rescheduled. But then the code that every developer tests (since developers tend to run on good hardware) might be completely broken on bad old hardware. Maybe we could hide it behind a debug option, at least. Or, alterantively, introduce a new "debug_preempt_count" that doesn't actually disable preemption, but warns about actual sleeping operations.. Linus ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [PATCH] crypto: lib/chacha20poly1305 - Set SG_MITER_ATOMIC unconditionally 2020-09-15 6:55 ` Linus Torvalds @ 2020-09-15 7:05 ` Herbert Xu 2020-09-15 7:10 ` Ard Biesheuvel 2020-09-15 9:34 ` Thomas Gleixner 2020-09-15 7:08 ` Ard Biesheuvel 1 sibling, 2 replies; 47+ messages in thread From: Herbert Xu @ 2020-09-15 7:05 UTC (permalink / raw) To: Linus Torvalds Cc: Thomas Gleixner, Ard Biesheuvel, LKML, Linux Crypto Mailing List On Mon, Sep 14, 2020 at 11:55:53PM -0700, Linus Torvalds wrote: > > Maybe we could hide it behind a debug option, at least. > > Or, alterantively, introduce a new "debug_preempt_count" that doesn't > actually disable preemption, but warns about actual sleeping > operations.. I'm more worried about existing users of kmap_atomic relying on the preemption disabling semantics. Short of someone checking on every single instance (and that would include derived cases such as all users of sg miter), I think the safer option is to create something brand new and then migrate the existing users to it. Something like static inline void *kmap_atomic_ifhigh(struct page *page) { if (PageHighMem(page)) return kmap_atomic(page); return page_address(page); } static inline void kunmap_atomic_ifhigh(struct page *page, void *addr) { if (PageHighMem(page)) kunmap_atomic(addr); } Cheers, -- Email: Herbert Xu <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [PATCH] crypto: lib/chacha20poly1305 - Set SG_MITER_ATOMIC unconditionally 2020-09-15 7:05 ` Herbert Xu @ 2020-09-15 7:10 ` Ard Biesheuvel 2020-09-15 9:34 ` Thomas Gleixner 1 sibling, 0 replies; 47+ messages in thread From: Ard Biesheuvel @ 2020-09-15 7:10 UTC (permalink / raw) To: Herbert Xu Cc: Linus Torvalds, Thomas Gleixner, LKML, Linux Crypto Mailing List On Tue, 15 Sep 2020 at 10:05, Herbert Xu <herbert@gondor.apana.org.au> wrote: > > On Mon, Sep 14, 2020 at 11:55:53PM -0700, Linus Torvalds wrote: > > > > Maybe we could hide it behind a debug option, at least. > > > > Or, alterantively, introduce a new "debug_preempt_count" that doesn't > > actually disable preemption, but warns about actual sleeping > > operations.. > > I'm more worried about existing users of kmap_atomic relying on > the preemption disabling semantics. Short of someone checking > on every single instance (and that would include derived cases > such as all users of sg miter), I think the safer option is to > create something brand new and then migrate the existing users > to it. Something like > > static inline void *kmap_atomic_ifhigh(struct page *page) > { > if (PageHighMem(page)) > return kmap_atomic(page); > return page_address(page); > } > > static inline void kunmap_atomic_ifhigh(struct page *page, void *addr) > { > if (PageHighMem(page)) > kunmap_atomic(addr); > } > But we would still need to check all users of SG miter before we could move it to this interface. ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [PATCH] crypto: lib/chacha20poly1305 - Set SG_MITER_ATOMIC unconditionally 2020-09-15 7:05 ` Herbert Xu 2020-09-15 7:10 ` Ard Biesheuvel @ 2020-09-15 9:34 ` Thomas Gleixner 2020-09-15 10:02 ` Ard Biesheuvel 1 sibling, 1 reply; 47+ messages in thread From: Thomas Gleixner @ 2020-09-15 9:34 UTC (permalink / raw) To: Herbert Xu, Linus Torvalds Cc: Ard Biesheuvel, LKML, Linux Crypto Mailing List On Tue, Sep 15 2020 at 17:05, Herbert Xu wrote: > On Mon, Sep 14, 2020 at 11:55:53PM -0700, Linus Torvalds wrote: >> >> Maybe we could hide it behind a debug option, at least. >> >> Or, alterantively, introduce a new "debug_preempt_count" that doesn't >> actually disable preemption, but warns about actual sleeping >> operations.. > > I'm more worried about existing users of kmap_atomic relying on > the preemption disabling semantics. Short of someone checking > on every single instance (and that would include derived cases > such as all users of sg miter), I think the safer option is to > create something brand new and then migrate the existing users > to it. Something like > > static inline void *kmap_atomic_ifhigh(struct page *page) > { > if (PageHighMem(page)) > return kmap_atomic(page); > return page_address(page); > } > > static inline void kunmap_atomic_ifhigh(struct page *page, void *addr) > { > if (PageHighMem(page)) > kunmap_atomic(addr); > } Hmm, that still has the issue that the code between map and unmap must not sleep and the conversion must carefully check whether anything in this region relies on preemption being disabled by kmap_atomic() regardless of highmem or not. kmap_atomic() is at least consistent vs. preemption, the above not so much. I'd rather go for a preemptible/sleepable version of highmem mapping which is in itself consistent for both highmen and not highmem. Thanks, tglx ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [PATCH] crypto: lib/chacha20poly1305 - Set SG_MITER_ATOMIC unconditionally 2020-09-15 9:34 ` Thomas Gleixner @ 2020-09-15 10:02 ` Ard Biesheuvel 2020-09-15 10:05 ` Herbert Xu 0 siblings, 1 reply; 47+ messages in thread From: Ard Biesheuvel @ 2020-09-15 10:02 UTC (permalink / raw) To: Thomas Gleixner Cc: Herbert Xu, Linus Torvalds, LKML, Linux Crypto Mailing List On Tue, 15 Sep 2020 at 12:34, Thomas Gleixner <tglx@linutronix.de> wrote: > > On Tue, Sep 15 2020 at 17:05, Herbert Xu wrote: > > On Mon, Sep 14, 2020 at 11:55:53PM -0700, Linus Torvalds wrote: > >> > >> Maybe we could hide it behind a debug option, at least. > >> > >> Or, alterantively, introduce a new "debug_preempt_count" that doesn't > >> actually disable preemption, but warns about actual sleeping > >> operations.. > > > > I'm more worried about existing users of kmap_atomic relying on > > the preemption disabling semantics. Short of someone checking > > on every single instance (and that would include derived cases > > such as all users of sg miter), I think the safer option is to > > create something brand new and then migrate the existing users > > to it. Something like > > > > static inline void *kmap_atomic_ifhigh(struct page *page) > > { > > if (PageHighMem(page)) > > return kmap_atomic(page); > > return page_address(page); > > } > > > > static inline void kunmap_atomic_ifhigh(struct page *page, void *addr) > > { > > if (PageHighMem(page)) > > kunmap_atomic(addr); > > } > > Hmm, that still has the issue that the code between map and unmap must > not sleep and the conversion must carefully check whether anything in > this region relies on preemption being disabled by kmap_atomic() > regardless of highmem or not. > > kmap_atomic() is at least consistent vs. preemption, the above not so > much. > But that is really the point. I don't *want* to be forced to disable preemption in brand new code simply because some legacy highmem API conflates being callable from atomic context with instantiating an atomic context by disabling preemption for no good reason. IIUC, in the past, you would really only call kmap_atomic() if you absolutely had to, and so you would never rely on the preemption disabling semantics accidentally. By making kmap_atomic() the preferred API even for calls from non-atomic contexts, this line has blurred and we no longer know why individual kmap_atomic() occurrences exist in the first place. > I'd rather go for a preemptible/sleepable version of highmem mapping > which is in itself consistent for both highmen and not highmem. > I don't think we need to obsess about highmem, although we should obviously take care not to regress its performance unnecessarily. What I want to avoid is to burden a brand new subsystem with legacy highmem baggage simply because we could not agree on how to avoid that. ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [PATCH] crypto: lib/chacha20poly1305 - Set SG_MITER_ATOMIC unconditionally 2020-09-15 10:02 ` Ard Biesheuvel @ 2020-09-15 10:05 ` Herbert Xu 2020-09-15 10:08 ` Ard Biesheuvel 0 siblings, 1 reply; 47+ messages in thread From: Herbert Xu @ 2020-09-15 10:05 UTC (permalink / raw) To: Ard Biesheuvel Cc: Thomas Gleixner, Linus Torvalds, LKML, Linux Crypto Mailing List On Tue, Sep 15, 2020 at 01:02:10PM +0300, Ard Biesheuvel wrote: > > > I'd rather go for a preemptible/sleepable version of highmem mapping > > which is in itself consistent for both highmen and not highmem. > > I don't think we need to obsess about highmem, although we should > obviously take care not to regress its performance unnecessarily. What > I want to avoid is to burden a brand new subsystem with legacy highmem > baggage simply because we could not agree on how to avoid that. I think what Thomas is proposing should address your concerns Ard. As long as nobody objects to the slight performance degradation on legacy highmem platforms it should make kmap_atomic just go away on modern platforms. Cheers, -- Email: Herbert Xu <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [PATCH] crypto: lib/chacha20poly1305 - Set SG_MITER_ATOMIC unconditionally 2020-09-15 10:05 ` Herbert Xu @ 2020-09-15 10:08 ` Ard Biesheuvel 2020-09-15 10:10 ` Herbert Xu 0 siblings, 1 reply; 47+ messages in thread From: Ard Biesheuvel @ 2020-09-15 10:08 UTC (permalink / raw) To: Herbert Xu Cc: Thomas Gleixner, Linus Torvalds, LKML, Linux Crypto Mailing List On Tue, 15 Sep 2020 at 13:05, Herbert Xu <herbert@gondor.apana.org.au> wrote: > > On Tue, Sep 15, 2020 at 01:02:10PM +0300, Ard Biesheuvel wrote: > > > > > I'd rather go for a preemptible/sleepable version of highmem mapping > > > which is in itself consistent for both highmen and not highmem. > > > > I don't think we need to obsess about highmem, although we should > > obviously take care not to regress its performance unnecessarily. What > > I want to avoid is to burden a brand new subsystem with legacy highmem > > baggage simply because we could not agree on how to avoid that. > > I think what Thomas is proposing should address your concerns Ard. > As long as nobody objects to the slight performance degradation on > legacy highmem platforms it should make kmap_atomic just go away on > modern platforms. > But making atomic kmap preemptible/sleepable creates the exact same problem, i.e., that we have no idea which existing callers are currently relying on those preemption disabling semantics, so we can't just take them away. Or am I missing something? ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [PATCH] crypto: lib/chacha20poly1305 - Set SG_MITER_ATOMIC unconditionally 2020-09-15 10:08 ` Ard Biesheuvel @ 2020-09-15 10:10 ` Herbert Xu 2020-09-15 19:04 ` Thomas Gleixner 0 siblings, 1 reply; 47+ messages in thread From: Herbert Xu @ 2020-09-15 10:10 UTC (permalink / raw) To: Ard Biesheuvel Cc: Thomas Gleixner, Linus Torvalds, LKML, Linux Crypto Mailing List On Tue, Sep 15, 2020 at 01:08:31PM +0300, Ard Biesheuvel wrote: > > But making atomic kmap preemptible/sleepable creates the exact same > problem, i.e., that we have no idea which existing callers are > currently relying on those preemption disabling semantics, so we can't > just take them away. Or am I missing something? Good point. Thomas mentioned that RT has been doing this for a while now so perhaps someone has studied this problem already? Thomas? Cheers, -- Email: Herbert Xu <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [PATCH] crypto: lib/chacha20poly1305 - Set SG_MITER_ATOMIC unconditionally 2020-09-15 10:10 ` Herbert Xu @ 2020-09-15 19:04 ` Thomas Gleixner 0 siblings, 0 replies; 47+ messages in thread From: Thomas Gleixner @ 2020-09-15 19:04 UTC (permalink / raw) To: Herbert Xu, Ard Biesheuvel Cc: Linus Torvalds, LKML, Linux Crypto Mailing List On Tue, Sep 15 2020 at 20:10, Herbert Xu wrote: > On Tue, Sep 15, 2020 at 01:08:31PM +0300, Ard Biesheuvel wrote: >> >> But making atomic kmap preemptible/sleepable creates the exact same >> problem, i.e., that we have no idea which existing callers are >> currently relying on those preemption disabling semantics, so we can't >> just take them away. Or am I missing something? > > Good point. > > Thomas mentioned that RT has been doing this for a while now so > perhaps someone has studied this problem already? Thomas? RT is substituting preempt_disable() with migrate_disable() which pins the task on the CPU so that per CPU stuff still works. And we did quite some staring whether there is code which purely relies on the preempt_disable() to prevent reentrancy, but there is almost none. Though we don't have migrate disable on !RT and PeterZ is not a great fan of making it available as it wreckages schedulability - though IMO not much more than preempt disable :) Thanks, tglx ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [PATCH] crypto: lib/chacha20poly1305 - Set SG_MITER_ATOMIC unconditionally 2020-09-15 6:55 ` Linus Torvalds 2020-09-15 7:05 ` Herbert Xu @ 2020-09-15 7:08 ` Ard Biesheuvel 1 sibling, 0 replies; 47+ messages in thread From: Ard Biesheuvel @ 2020-09-15 7:08 UTC (permalink / raw) To: Linus Torvalds Cc: Herbert Xu, Thomas Gleixner, LKML, Linux Crypto Mailing List On Tue, 15 Sep 2020 at 09:56, Linus Torvalds <torvalds@linux-foundation.org> wrote: > > On Mon, Sep 14, 2020 at 11:45 PM Linus Torvalds > <torvalds@linux-foundation.org> wrote: > > > > I mean, I did find one case that didn't set it (cb710-mmc.c), but > > pattern-matching to the other mmc cases, that one looks like it > > _should_ have set the atomic flag like everybody else did. > > Oh, and immediately after sending that out I notice > nvmet_bdev_execute_rw(), which does seem to make allocations inside > that sg_miter loop. > > So those non-atomic cases do clearly exist. > > It does make the case for why kmap_atomic() wants to have the > debugging code. It will "just work" on 64-bit to do it wrong, because > the address doesn't become invalid just because you sleep or get > rescheduled. But then the code that every developer tests (since > developers tend to run on good hardware) might be completely broken on > bad old hardware. > If we want code that is optimal on recent hardware, and yet still correct on older 32-bit hardware, kmap() is definitely a better choice here than kmap_atomic(), since it is a no-op on !HIGHMEM, and tolerates sleeping on 32-bit. /That/ is why I wrote the code this way. The problem is of course that kmap() itself might sleep. So I would argue that the semantics in the name of kmap_atomic() are not about the fact that it starts a non-preemptible section, but that it can be *called from* a non-preemptible section. And starting a non-preemptible section is unnecessary on !HIGHMEM, and should be avoided if possible. > Maybe we could hide it behind a debug option, at least. > > Or, alterantively, introduce a new "debug_preempt_count" that doesn't > actually disable preemption, but warns about actual sleeping > operations.. > > Linus ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [patch 00/13] preempt: Make preempt count unconditional [not found] ` <CAHk-=wjOV6f_ddg+QVCF6RUe+pXPhSR2WevnNyOs9oT+q2ihEA@mail.gmail.com> 2020-09-15 3:30 ` [PATCH] crypto: lib/chacha20poly1305 - Set SG_MITER_ATOMIC unconditionally Herbert Xu @ 2020-09-15 6:20 ` Ard Biesheuvel [not found] ` <20200915062253.GA26275@gondor.apana.org.au> 1 sibling, 1 reply; 47+ messages in thread From: Ard Biesheuvel @ 2020-09-15 6:20 UTC (permalink / raw) To: Linus Torvalds Cc: Thomas Gleixner, Herbert Xu, LKML, linux-arch, Sebastian Andrzej Siewior, Valentin Schneider, Richard Henderson, Ivan Kokshaysky, Matt Turner, alpha, Jeff Dike, Richard Weinberger, Anton Ivanov, linux-um, Brian Cain, linux-hexagon, Geert Uytterhoeven, linux-m68k, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Will Deacon, Andrew Morton, Linux-MM, Ingo Molnar, Russell King, Linux ARM, Chris Zankel, Max Filippov, linux-xtensa, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie, Daniel Vetter, intel-gfx, dri-devel, Paul E. McKenney, Josh Triplett, Mathieu Desnoyers, Lai Jiangshan, Shuah Khan, rcu, open list:KERNEL SELFTEST FRAMEWORK On Tue, 15 Sep 2020 at 01:43, Linus Torvalds <torvalds@linux-foundation.org> wrote: > > On Mon, Sep 14, 2020 at 3:24 PM Linus Torvalds > <torvalds@linux-foundation.org> wrote: > > > > Ard and Herbert added to participants: see > > chacha20poly1305_crypt_sg_inplace(), which does > > > > flags = SG_MITER_TO_SG; > > if (!preemptible()) > > flags |= SG_MITER_ATOMIC; > > > > introduced in commit d95312a3ccc0 ("crypto: lib/chacha20poly1305 - > > reimplement crypt_from_sg() routine"). > > As far as I can tell, the only reason for this all is to try to use > "kmap()" rather than "kmap_atomic()". > > And kmap() actually has the much more complex "might_sleep()" tests, > and apparently the "preemptible()" check wasn't even the proper full > debug check, it was just a complete hack to catch the one that > triggered. > This was not driven by a failing check. The documentation of kmap_atomic() states the following: * The use of kmap_atomic/kunmap_atomic is discouraged - kmap/kunmap * gives a more generic (and caching) interface. But kmap_atomic can * be used in IRQ contexts, so in some (very limited) cases we need * it. so if this is no longer accurate, perhaps we should fix it? But another reason I tried to avoid kmap_atomic() is that it disables preemption unconditionally, even on 64-bit architectures where HIGHMEM is irrelevant. So using kmap_atomic() here means that the bulk of WireGuard packet encryption runs with preemption disabled, essentially for legacy reasons. > From a quick look, that code should probably just get rid of > SG_MITER_ATOMIC entirely, and alwayse use kmap_atomic(). > > kmap_atomic() is actually the faster and proper interface to use > anyway (never mind that any of this matters on any sane hardware). The > old kmap() and kunmap() interfaces should generally be avoided like > the plague - yes, they allow sleeping in the middle and that is > sometimes required, but if you don't need that, you should never ever > use them. > > We used to have a very nasty kmap_atomic() that required people to be > very careful and know exactly which atomic entry to use, and that was > admitedly quite nasty. > > So it _looks_ like this code started using kmap() - probably back when > kmap_atomic() was so cumbersome to use - and was then converted > (conditionally) to kmap_atomic() rather than just changed whole-sale. > Is there actually something that wants to use those sg_miter functions > and sleep? > > Because if there is, that choice should come from the outside, not > from inside lib/scatterlist.c trying to make some bad guess based on > the wrong thing entirely. > > Linus ^ permalink raw reply [flat|nested] 47+ messages in thread
[parent not found: <20200915062253.GA26275@gondor.apana.org.au>]
* Re: [patch 00/13] preempt: Make preempt count unconditional [not found] ` <20200915062253.GA26275@gondor.apana.org.au> @ 2020-09-15 6:39 ` Linus Torvalds 2020-09-15 7:24 ` Thomas Gleixner 0 siblings, 1 reply; 47+ messages in thread From: Linus Torvalds @ 2020-09-15 6:39 UTC (permalink / raw) To: Herbert Xu Cc: Ard Biesheuvel, Thomas Gleixner, LKML, linux-arch, Sebastian Andrzej Siewior, Valentin Schneider, Richard Henderson, Ivan Kokshaysky, Matt Turner, alpha, Jeff Dike, Richard Weinberger, Anton Ivanov, linux-um, Brian Cain, linux-hexagon, Geert Uytterhoeven, linux-m68k, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Will Deacon, Andrew Morton, Linux-MM, Ingo Molnar, Russell King, Linux ARM, Chris Zankel, Max Filippov, linux-xtensa, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie, Daniel Vetter, intel-gfx, dri-devel, Paul E. McKenney, Josh Triplett, Mathieu Desnoyers, Lai Jiangshan, Shuah Khan, rcu On Mon, Sep 14, 2020 at 11:24 PM Herbert Xu <herbert@gondor.apana.org.au> wrote: > > On Tue, Sep 15, 2020 at 09:20:59AM +0300, Ard Biesheuvel wrote: > > > > The documentation of kmap_atomic() states the following: > > > > * The use of kmap_atomic/kunmap_atomic is discouraged - kmap/kunmap > > * gives a more generic (and caching) interface. But kmap_atomic can > > * be used in IRQ contexts, so in some (very limited) cases we need > > * it. > > > > so if this is no longer accurate, perhaps we should fix it? > > This hasn't been accurate for at least ten years :) Yeah, that used to be true a long long time ago, but the comment is very stale. > > But another reason I tried to avoid kmap_atomic() is that it disables > > preemption unconditionally, even on 64-bit architectures where HIGHMEM > > is irrelevant. So using kmap_atomic() here means that the bulk of > > WireGuard packet encryption runs with preemption disabled, essentially > > for legacy reasons. > > Agreed. We should definitely fix that. Well, honestly, one big reason for that is debugging. The *semantics* of the kmap_atomic() is in the name - you can't sleep in between it and the kunmap_atomic(). On any sane architecture, kmap_atomic() ends up being a no-op from an implementation standpoint, and sleeping would work just fine. But we very much want to make sure that people don't then write code that doesn't work on the bad old 32-bit machines where it really needs that sequence to be safe from preemption. So it's mostly a debug thing. I say "mostly", because there might be small other details too, like shared code, and perhaps even a couple of users out in the wild that depend on the pagefault_disable() inherent in the current kmap_atomic(), who knows.. So no, the preemption disabling isn't inherent in the operation itself. But it does have some argument for it. Linus ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [patch 00/13] preempt: Make preempt count unconditional 2020-09-15 6:39 ` Linus Torvalds @ 2020-09-15 7:24 ` Thomas Gleixner 2020-09-15 17:29 ` Linus Torvalds 0 siblings, 1 reply; 47+ messages in thread From: Thomas Gleixner @ 2020-09-15 7:24 UTC (permalink / raw) To: Linus Torvalds, Herbert Xu Cc: Ard Biesheuvel, LKML, linux-arch, Sebastian Andrzej Siewior, Valentin Schneider, Richard Henderson, Ivan Kokshaysky, Matt Turner, alpha, Jeff Dike, Richard Weinberger, Anton Ivanov, linux-um, Brian Cain, linux-hexagon, Geert Uytterhoeven, linux-m68k, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Will Deacon, Andrew Morton, Linux-MM, Ingo Molnar, Russell King, Linux ARM, Chris Zankel, Max Filippov, linux-xtensa, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie, Daniel Vetter, intel-gfx, dri-devel, Paul E. McKenney, Josh Triplett, Mathieu Desnoyers, Lai Jiangshan, Shuah Khan, rcu On Mon, Sep 14 2020 at 23:39, Linus Torvalds wrote: > On Mon, Sep 14, 2020 at 11:24 PM Herbert Xu <herbert@gondor.apana.org.au> wrote: >> > But another reason I tried to avoid kmap_atomic() is that it disables >> > preemption unconditionally, even on 64-bit architectures where HIGHMEM >> > is irrelevant. So using kmap_atomic() here means that the bulk of >> > WireGuard packet encryption runs with preemption disabled, essentially >> > for legacy reasons. >> >> Agreed. We should definitely fix that. > > Well, honestly, one big reason for that is debugging. > > The *semantics* of the kmap_atomic() is in the name - you can't sleep > in between it and the kunmap_atomic(). > > On any sane architecture, kmap_atomic() ends up being a no-op from an > implementation standpoint, and sleeping would work just fine. > > But we very much want to make sure that people don't then write code > that doesn't work on the bad old 32-bit machines where it really needs > that sequence to be safe from preemption. Alternatively we just make highmem a bit more expensive by making these maps preemptible. RT is doing this for a long time and it's not that horrible. The approach is to keep track about the number of active maps in a task and on an eventual context switch save them away in the task struct and restore them when the task is scheduled back in. Thanks, tglx ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [patch 00/13] preempt: Make preempt count unconditional 2020-09-15 7:24 ` Thomas Gleixner @ 2020-09-15 17:29 ` Linus Torvalds 0 siblings, 0 replies; 47+ messages in thread From: Linus Torvalds @ 2020-09-15 17:29 UTC (permalink / raw) To: Thomas Gleixner Cc: Herbert Xu, Ard Biesheuvel, LKML, linux-arch, Sebastian Andrzej Siewior, Valentin Schneider, Richard Henderson, Ivan Kokshaysky, Matt Turner, alpha, Jeff Dike, Richard Weinberger, Anton Ivanov, linux-um, Brian Cain, linux-hexagon, Geert Uytterhoeven, linux-m68k, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Will Deacon, Andrew Morton, Linux-MM, Ingo Molnar, Russell King, Linux ARM, Chris Zankel, Max Filippov, linux-xtensa, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie, Daniel Vetter, intel-gfx, dri-devel, Paul E. McKenney, Josh Triplett, Mathieu Desnoyers, Lai Jiangshan, Shuah Khan, rcu On Tue, Sep 15, 2020 at 12:24 AM Thomas Gleixner <tglx@linutronix.de> wrote: > > Alternatively we just make highmem a bit more expensive by making these > maps preemptible. RT is doing this for a long time and it's not that > horrible. Ack. In fact, I've wanted to start just removing kmap support entirely. At some point it's not so much about "I have an old machine that wants HIGHMEM" but about "I have an old CPU, and I'll just run an old kernel". It's not that 32-bit is irrelevant, it's that 32-bit with large amounts of memory is irrelevant. Last time this was discussed, iirc the main issue was some questionable old ARM chips that were still very common in embedded environments, even with large memory. But we could definitely start de-emphasizing HIGHMEM. Linus ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [patch 00/13] preempt: Make preempt count unconditional [not found] ` <CAHk-=wj0eUuVQ=hRFZv_nY7g5ZLt7Fy3K7SMJL0ZCzniPtsbbg@mail.gmail.com> [not found] ` <CAHk-=wjOV6f_ddg+QVCF6RUe+pXPhSR2WevnNyOs9oT+q2ihEA@mail.gmail.com> @ 2020-09-15 8:39 ` Thomas Gleixner 2020-09-15 17:35 ` Linus Torvalds 1 sibling, 1 reply; 47+ messages in thread From: Thomas Gleixner @ 2020-09-15 8:39 UTC (permalink / raw) To: Linus Torvalds, Ard Biesheuvel, Herbert Xu Cc: LKML, linux-arch, Sebastian Andrzej Siewior, Valentin Schneider, Richard Henderson, Ivan Kokshaysky, Matt Turner, alpha, Jeff Dike, Richard Weinberger, Anton Ivanov, linux-um, Brian Cain, linux-hexagon, Geert Uytterhoeven, linux-m68k, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Will Deacon, Andrew Morton, Linux-MM, Ingo Molnar, Russell King, Linux ARM, Chris Zankel, Max Filippov, linux-xtensa, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie, Daniel Vetter, intel-gfx, dri-devel, Paul E. McKenney, Josh Triplett, Mathieu Desnoyers, Lai Jiangshan, Shuah Khan, rcu, open list:KERNEL SELFTEST FRAMEWORK On Mon, Sep 14 2020 at 15:24, Linus Torvalds wrote: > On Mon, Sep 14, 2020 at 2:55 PM Thomas Gleixner <tglx@linutronix.de> wrote: >> >> Yes it does generate better code, but I tried hard to spot a difference >> in various metrics exposed by perf. It's all in the noise and I only >> can spot a difference when the actual preemption check after the >> decrement > > I'm somewhat more worried about the small-device case. I just checked on one of my old UP ARM toys which I run at home. The .text increase is about 2% (75k) and none of the tests I ran showed any significant difference. Couldn't verify with perf though as the PMU on that piece of art is unusable. > That said, the diffstat certainly has its very clear charm, and I do > agree that it makes things simpler. > > I'm just not convinced people should ever EVER do things like that "if > (preemptible())" garbage. It sounds like somebody is doing seriously > bad things. OTOH, having a working 'preemptible()' or maybe better named 'can_schedule()' check makes tons of sense to make decisions about allocation modes or other things. We're currently looking through all of in_atomic(), in_interrupt() etc. usage sites and quite some of them are historic and have the clear intent of checking whether the code is called from task context or hard/softirq context. Lots of them are completely broken or just work by chance. But there is clearly historic precendence that context checks are useful, but they only can be useful if we have a consistent mechanism which works everywhere. Of course we could mandate that every interface which might be called from one or the other context has a context argument or provides two variants of the same thing. But I'm not really convinced whether that's a win over having a consistent and reliable set of checks. Thanks, tglx ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [patch 00/13] preempt: Make preempt count unconditional 2020-09-15 8:39 ` Thomas Gleixner @ 2020-09-15 17:35 ` Linus Torvalds 2020-09-15 19:57 ` Thomas Gleixner 2020-09-16 7:37 ` Daniel Vetter 0 siblings, 2 replies; 47+ messages in thread From: Linus Torvalds @ 2020-09-15 17:35 UTC (permalink / raw) To: Thomas Gleixner Cc: Ard Biesheuvel, Herbert Xu, LKML, linux-arch, Sebastian Andrzej Siewior, Valentin Schneider, Richard Henderson, Ivan Kokshaysky, Matt Turner, alpha, Jeff Dike, Richard Weinberger, Anton Ivanov, linux-um, Brian Cain, linux-hexagon, Geert Uytterhoeven, linux-m68k, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Will Deacon, Andrew Morton, Linux-MM, Ingo Molnar, Russell King, Linux ARM, Chris Zankel, Max Filippov, linux-xtensa, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie, Daniel Vetter, intel-gfx, dri-devel, Paul E. McKenney, Josh Triplett, Mathieu Desnoyers, Lai Jiangshan, Shuah Khan, rcu, open list:KERNEL SELFTEST FRAMEWORK On Tue, Sep 15, 2020 at 1:39 AM Thomas Gleixner <tglx@linutronix.de> wrote: > > OTOH, having a working 'preemptible()' or maybe better named > 'can_schedule()' check makes tons of sense to make decisions about > allocation modes or other things. No. I think that those kinds of decisions about actual behavior are always simply fundamentally wrong. Note that this is very different from having warnings about invalid use. THAT is correct. It may not warn in all configurations, but that doesn't matter: what matters is that it warns in common enough configurations that developers will catch it. So having a warning in "might_sleep()" that doesn't always trigger, because you have a limited configuration that can't even detect the situation, that's fine and dandy and intentional. But having code like if (can_schedule()) .. do something different .. is fundamentally complete and utter garbage. It's one thing if you test for "am I in hardware interrupt context". Those tests aren't great either, but at least they make sense. But a driver - or some library routine - making a difference based on some nebulous "can I schedule" is fundamentally and basically WRONG. If some code changes behavior, it needs to be explicit to the *caller* of that code. So this is why GFP_ATOMIC is fine, but "if (!can_schedule()) do_something_atomic()" is pure shite. And I am not IN THE LEAST interested in trying to help people doing pure shite. We need to fix them. Like the crypto code is getting fixed. Linus ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [patch 00/13] preempt: Make preempt count unconditional 2020-09-15 17:35 ` Linus Torvalds @ 2020-09-15 19:57 ` Thomas Gleixner 2020-09-16 18:34 ` Linus Torvalds 2020-09-16 7:37 ` Daniel Vetter 1 sibling, 1 reply; 47+ messages in thread From: Thomas Gleixner @ 2020-09-15 19:57 UTC (permalink / raw) To: Linus Torvalds Cc: Ard Biesheuvel, Herbert Xu, LKML, linux-arch, Sebastian Andrzej Siewior, Valentin Schneider, Richard Henderson, Ivan Kokshaysky, Matt Turner, alpha, Jeff Dike, Richard Weinberger, Anton Ivanov, linux-um, Brian Cain, linux-hexagon, Geert Uytterhoeven, linux-m68k, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Will Deacon, Andrew Morton, Linux-MM, Ingo Molnar, Russell King, Linux ARM, Chris Zankel, Max Filippov, linux-xtensa, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie, Daniel Vetter, intel-gfx, dri-devel, Paul E. McKenney, Josh Triplett, Mathieu Desnoyers, Lai Jiangshan, Shuah Khan, rcu, open list:KERNEL SELFTEST FRAMEWORK On Tue, Sep 15 2020 at 10:35, Linus Torvalds wrote: > On Tue, Sep 15, 2020 at 1:39 AM Thomas Gleixner <tglx@linutronix.de> wrote: >> >> OTOH, having a working 'preemptible()' or maybe better named >> 'can_schedule()' check makes tons of sense to make decisions about >> allocation modes or other things. > > No. I think that those kinds of decisions about actual behavior are > always simply fundamentally wrong. > > Note that this is very different from having warnings about invalid > use. THAT is correct. It may not warn in all configurations, but that > doesn't matter: what matters is that it warns in common enough > configurations that developers will catch it. You wish. I just found a 7 year old bug in a 10G network driver which surely would have been found if people would enable debug configs and not just run the crap on their PREEMPT_NONE, all debug off kernel. And that driver is not subject to bitrot, it gets regular bug fixes from people who seem to care (distro folks). > So having a warning in "might_sleep()" that doesn't always trigger, > because you have a limited configuration that can't even detect the > situation, that's fine and dandy and intentional. and lets people get away with their crap. > But having code like > > if (can_schedule()) > .. do something different .. > > is fundamentally complete and utter garbage. > > It's one thing if you test for "am I in hardware interrupt context". > Those tests aren't great either, but at least they make sense. They make sense in limited situations like exception handlers and such which really have to know from which context an exception was raised. But with the above reasoning such checks do not make sense in any other general code. 'in hard interrupt context' is just another context where you can't do stuff which you can do when in preemptible task context. Most tests are way broader than a single context. in_interrupt() is true for hard interrupt, soft interrupt delivery and all BH disabled contexts, which is completely ill defined. > But a driver - or some library routine - making a difference based on > some nebulous "can I schedule" is fundamentally and basically WRONG. > > If some code changes behavior, it needs to be explicit to the *caller* > of that code. I'm fine with that, but then we have to be consequent and ban _all_ of these and not just declare can_schedule() to be a bad one. Thanks, tglx ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [patch 00/13] preempt: Make preempt count unconditional 2020-09-15 19:57 ` Thomas Gleixner @ 2020-09-16 18:34 ` Linus Torvalds 0 siblings, 0 replies; 47+ messages in thread From: Linus Torvalds @ 2020-09-16 18:34 UTC (permalink / raw) To: Thomas Gleixner Cc: Ard Biesheuvel, Herbert Xu, LKML, linux-arch, Sebastian Andrzej Siewior, Valentin Schneider, Richard Henderson, Ivan Kokshaysky, Matt Turner, alpha, Jeff Dike, Richard Weinberger, Anton Ivanov, linux-um, Brian Cain, linux-hexagon, Geert Uytterhoeven, linux-m68k, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Will Deacon, Andrew Morton, Linux-MM, Ingo Molnar, Russell King, Linux ARM, Chris Zankel, Max Filippov, linux-xtensa, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie, Daniel Vetter, intel-gfx, dri-devel, Paul E. McKenney, Josh Triplett, Mathieu Desnoyers, Lai Jiangshan, Shuah Khan, rcu, open list:KERNEL SELFTEST FRAMEWORK On Tue, Sep 15, 2020 at 12:57 PM Thomas Gleixner <tglx@linutronix.de> wrote: > > You wish. I just found a 7 year old bug in a 10G network driver which > surely would have been found if people would enable debug configs and > not just run the crap on their PREEMPT_NONE, all debug off kernel. And > that driver is not subject to bitrot, it gets regular bug fixes from > people who seem to care (distro folks). That driver clearly cannot be very well maintained. All the distro kernels have the basic debug checks in place, afaik. Is it some wonderful "enterprise hardware" garbage again that only gets used in special data centers? Becasue the "enterprise" people really are special. Very much in the "short bus" special kind of way. The fact that they have fooled so much of the industry into thinking that they are the competent and serious people is a disgrace. Linus ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [patch 00/13] preempt: Make preempt count unconditional 2020-09-15 17:35 ` Linus Torvalds 2020-09-15 19:57 ` Thomas Gleixner @ 2020-09-16 7:37 ` Daniel Vetter 2020-09-16 15:29 ` Paul E. McKenney 1 sibling, 1 reply; 47+ messages in thread From: Daniel Vetter @ 2020-09-16 7:37 UTC (permalink / raw) To: Linus Torvalds Cc: Thomas Gleixner, Ard Biesheuvel, Herbert Xu, LKML, linux-arch, Sebastian Andrzej Siewior, Valentin Schneider, Richard Henderson, Ivan Kokshaysky, Matt Turner, alpha, Jeff Dike, Richard Weinberger, Anton Ivanov, linux-um, Brian Cain, linux-hexagon, Geert Uytterhoeven, linux-m68k, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Will Deacon, Andrew Morton, Linux-MM, Ingo Molnar, Russell King, Linux ARM, Chris Zankel, Max Filippov, linux-xtensa, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie, intel-gfx, dri-devel, Paul E. McKenney, Josh Triplett, Mathieu Desnoyers, Lai Jiangshan, Shuah Khan, rcu, open list:KERNEL SELFTEST FRAMEWORK On Tue, Sep 15, 2020 at 7:35 PM Linus Torvalds <torvalds@linux-foundation.org> wrote: > > On Tue, Sep 15, 2020 at 1:39 AM Thomas Gleixner <tglx@linutronix.de> wrote: > > > > OTOH, having a working 'preemptible()' or maybe better named > > 'can_schedule()' check makes tons of sense to make decisions about > > allocation modes or other things. > > No. I think that those kinds of decisions about actual behavior are > always simply fundamentally wrong. > > Note that this is very different from having warnings about invalid > use. THAT is correct. It may not warn in all configurations, but that > doesn't matter: what matters is that it warns in common enough > configurations that developers will catch it. > > So having a warning in "might_sleep()" that doesn't always trigger, > because you have a limited configuration that can't even detect the > situation, that's fine and dandy and intentional. > > But having code like > > if (can_schedule()) > .. do something different .. > > is fundamentally complete and utter garbage. > > It's one thing if you test for "am I in hardware interrupt context". > Those tests aren't great either, but at least they make sense. > > But a driver - or some library routine - making a difference based on > some nebulous "can I schedule" is fundamentally and basically WRONG. > > If some code changes behavior, it needs to be explicit to the *caller* > of that code. > > So this is why GFP_ATOMIC is fine, but "if (!can_schedule()) > do_something_atomic()" is pure shite. > > And I am not IN THE LEAST interested in trying to help people doing > pure shite. We need to fix them. Like the crypto code is getting > fixed. Just figured I'll throw my +1 in from reading too many (gpu) drivers. Code that tries to cleverly adjust its behaviour depending upon the context it's running in is harder to understand and blows up in more interesting ways. We still have drm_can_sleep() and it's mostly just used for debug code, and I've largely ended up just deleting everything that used it because when you're driver is blowing up the last thing you want is to realize your debug code and output can't be relied upon. Or worse, that the only Oops you have is the one in the debug code, because the real one scrolled away - the original idea behind drm_can_sleep was to make all the modeset code work automagically both in normal ioctl/kworker context and in the panic handlers or kgdb callbacks. Wishful thinking at best. Also at least for me that extends to everything, e.g. I much prefer explicit spin_lock and spin_lock_irq vs magic spin_lock_irqsave for locks shared with interrupt handlers, since the former two gives me clear information from which contexts such function can be called. Other end is the memalloc_no*_save/restore functions, where I recently made a real big fool of myself because I didn't realize how much that impacts everything that's run within - suddenly "GFP_KERNEL for small stuff never fails" is wrong everywhere. It's all great for debugging and sanity checks (and we run with all that stuff enabled in our CI), but really semantic changes depending upon magic context checks freak my out :-) -Daniel -- Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [patch 00/13] preempt: Make preempt count unconditional 2020-09-16 7:37 ` Daniel Vetter @ 2020-09-16 15:29 ` Paul E. McKenney 2020-09-16 18:32 ` Linus Torvalds 2020-09-16 20:29 ` Daniel Vetter 0 siblings, 2 replies; 47+ messages in thread From: Paul E. McKenney @ 2020-09-16 15:29 UTC (permalink / raw) To: Daniel Vetter Cc: Linus Torvalds, Thomas Gleixner, Ard Biesheuvel, Herbert Xu, LKML, linux-arch, Sebastian Andrzej Siewior, Valentin Schneider, Richard Henderson, Ivan Kokshaysky, Matt Turner, alpha, Jeff Dike, Richard Weinberger, Anton Ivanov, linux-um, Brian Cain, linux-hexagon, Geert Uytterhoeven, linux-m68k, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Will Deacon, Andrew Morton, Linux-MM, Ingo Molnar, Russell King, Linux ARM, Chris Zankel, Max Filippov, linux-xtensa, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie, intel-gfx, dri-devel, Josh Triplett, Mathieu Desnoyers, Lai Jiangshan, Shuah Khan, rcu, open list:KERNEL SELFTEST FRAMEWORK On Wed, Sep 16, 2020 at 09:37:17AM +0200, Daniel Vetter wrote: > On Tue, Sep 15, 2020 at 7:35 PM Linus Torvalds > <torvalds@linux-foundation.org> wrote: > > > > On Tue, Sep 15, 2020 at 1:39 AM Thomas Gleixner <tglx@linutronix.de> wrote: > > > > > > OTOH, having a working 'preemptible()' or maybe better named > > > 'can_schedule()' check makes tons of sense to make decisions about > > > allocation modes or other things. > > > > No. I think that those kinds of decisions about actual behavior are > > always simply fundamentally wrong. > > > > Note that this is very different from having warnings about invalid > > use. THAT is correct. It may not warn in all configurations, but that > > doesn't matter: what matters is that it warns in common enough > > configurations that developers will catch it. > > > > So having a warning in "might_sleep()" that doesn't always trigger, > > because you have a limited configuration that can't even detect the > > situation, that's fine and dandy and intentional. > > > > But having code like > > > > if (can_schedule()) > > .. do something different .. > > > > is fundamentally complete and utter garbage. > > > > It's one thing if you test for "am I in hardware interrupt context". > > Those tests aren't great either, but at least they make sense. > > > > But a driver - or some library routine - making a difference based on > > some nebulous "can I schedule" is fundamentally and basically WRONG. > > > > If some code changes behavior, it needs to be explicit to the *caller* > > of that code. > > > > So this is why GFP_ATOMIC is fine, but "if (!can_schedule()) > > do_something_atomic()" is pure shite. > > > > And I am not IN THE LEAST interested in trying to help people doing > > pure shite. We need to fix them. Like the crypto code is getting > > fixed. > > Just figured I'll throw my +1 in from reading too many (gpu) drivers. > Code that tries to cleverly adjust its behaviour depending upon the > context it's running in is harder to understand and blows up in more > interesting ways. We still have drm_can_sleep() and it's mostly just > used for debug code, and I've largely ended up just deleting > everything that used it because when you're driver is blowing up the > last thing you want is to realize your debug code and output can't be > relied upon. Or worse, that the only Oops you have is the one in the > debug code, because the real one scrolled away - the original idea > behind drm_can_sleep was to make all the modeset code work > automagically both in normal ioctl/kworker context and in the panic > handlers or kgdb callbacks. Wishful thinking at best. > > Also at least for me that extends to everything, e.g. I much prefer > explicit spin_lock and spin_lock_irq vs magic spin_lock_irqsave for > locks shared with interrupt handlers, since the former two gives me > clear information from which contexts such function can be called. > Other end is the memalloc_no*_save/restore functions, where I recently > made a real big fool of myself because I didn't realize how much that > impacts everything that's run within - suddenly "GFP_KERNEL for small > stuff never fails" is wrong everywhere. > > It's all great for debugging and sanity checks (and we run with all > that stuff enabled in our CI), but really semantic changes depending > upon magic context checks freak my out :-) All fair, but some of us need to write code that must handle being invoked from a wide variety of contexts. Now perhaps you like the idea of call_rcu() for schedulable contexts, call_rcu_nosched() when preemption is disabled, call_rcu_irqs_are_disabled() when interrupts are disabled, call_rcu_raw_atomic() from contexts where (for example) raw spinlocks are held, and so on. However, from what I can see, most people instead consistently prefer that the RCU API instead be consolidated. Some in-flight cache-efficiency work for kvfree_rcu() and call_rcu() needs to be able to allocate memory occasionally. It can do that when invoked from some contexts, but not when invoked from others. Right now, in !PREEMPT kernels, it cannot tell, and must either do things to the memory allocators that some of the MM hate or must unnecessarily invoke workqueues. Thomas's patches would allow the code to just allocate in the common case when these primitives are invoked from contexts where allocation is permitted. If we want to restrict access to the can_schedule() or whatever primitive, fine and good. We can add a check to checkpatch.pl, for example. Maybe we can go back to the old brlock approach of requiring certain people's review for each addition to the kernel. But there really are use cases that it would greatly help. Thanx, Paul ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [patch 00/13] preempt: Make preempt count unconditional 2020-09-16 15:29 ` Paul E. McKenney @ 2020-09-16 18:32 ` Linus Torvalds 2020-09-16 20:43 ` Paul E. McKenney 2020-09-17 6:38 ` Ard Biesheuvel 2020-09-16 20:29 ` Daniel Vetter 1 sibling, 2 replies; 47+ messages in thread From: Linus Torvalds @ 2020-09-16 18:32 UTC (permalink / raw) To: Paul E. McKenney Cc: Daniel Vetter, Thomas Gleixner, Ard Biesheuvel, Herbert Xu, LKML, linux-arch, Sebastian Andrzej Siewior, Valentin Schneider, Richard Henderson, Ivan Kokshaysky, Matt Turner, alpha, Jeff Dike, Richard Weinberger, Anton Ivanov, linux-um, Brian Cain, linux-hexagon, Geert Uytterhoeven, linux-m68k, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Will Deacon, Andrew Morton, Linux-MM, Ingo Molnar, Russell King, Linux ARM, Chris Zankel, Max Filippov, linux-xtensa, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie, intel-gfx, dri-devel, Josh Triplett, Mathieu Desnoyers, Lai Jiangshan, Shuah Khan, rcu, open list:KERNEL SELFTEST FRAMEWORK On Wed, Sep 16, 2020 at 8:29 AM Paul E. McKenney <paulmck@kernel.org> wrote: > > All fair, but some of us need to write code that must handle being > invoked from a wide variety of contexts. Note that I think that core functionality is different from random drivers. Of course core code can (and will) look at things like if (in_interrupt()) .. schedule work asynchronously .. because core code ends up being called from odd places, and code like that is expected to have understanding of the rules it plays with. But something like RCU is a very different beast from some "walk the scatter-gather list" code. RCU does its work in the background, and works with lots of different things. And it's so core and used everywhere that it knows about these things. I mean, we literally have special code explicitly to let RCU know "we entered kernel context now". But something like a driver list walking thing should not be doing different things behind peoples back depending on whether they hold spinlocks or not. It should either just work regardless, or there should be a flag (or special interface) for the "you're being called in a crtitical region". Because dynamically changing behavior really is very confusing. Linus ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [patch 00/13] preempt: Make preempt count unconditional 2020-09-16 18:32 ` Linus Torvalds @ 2020-09-16 20:43 ` Paul E. McKenney 2020-09-17 6:38 ` Ard Biesheuvel 1 sibling, 0 replies; 47+ messages in thread From: Paul E. McKenney @ 2020-09-16 20:43 UTC (permalink / raw) To: Linus Torvalds Cc: Daniel Vetter, Thomas Gleixner, Ard Biesheuvel, Herbert Xu, LKML, linux-arch, Sebastian Andrzej Siewior, Valentin Schneider, Richard Henderson, Ivan Kokshaysky, Matt Turner, alpha, Jeff Dike, Richard Weinberger, Anton Ivanov, linux-um, Brian Cain, linux-hexagon, Geert Uytterhoeven, linux-m68k, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Will Deacon, Andrew Morton, Linux-MM, Ingo Molnar, Russell King, Linux ARM, Chris Zankel, Max Filippov, linux-xtensa, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie, intel-gfx, dri-devel, Josh Triplett, Mathieu Desnoyers, Lai Jiangshan, Shuah Khan, rcu, open list:KERNEL SELFTEST FRAMEWORK On Wed, Sep 16, 2020 at 11:32:00AM -0700, Linus Torvalds wrote: > On Wed, Sep 16, 2020 at 8:29 AM Paul E. McKenney <paulmck@kernel.org> wrote: > > > > All fair, but some of us need to write code that must handle being > > invoked from a wide variety of contexts. > > Note that I think that core functionality is different from random drivers. > > Of course core code can (and will) look at things like > > if (in_interrupt()) > .. schedule work asynchronously .. > > because core code ends up being called from odd places, and code like > that is expected to have understanding of the rules it plays with. > > But something like RCU is a very different beast from some "walk the > scatter-gather list" code. > > RCU does its work in the background, and works with lots of different > things. And it's so core and used everywhere that it knows about these > things. I mean, we literally have special code explicitly to let RCU > know "we entered kernel context now". > > But something like a driver list walking thing should not be doing > different things behind peoples back depending on whether they hold > spinlocks or not. It should either just work regardless, or there > should be a flag (or special interface) for the "you're being called > in a crtitical region". > > Because dynamically changing behavior really is very confusing. Whew! I feel much better now. ;-) Thanx, Paul ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [patch 00/13] preempt: Make preempt count unconditional 2020-09-16 18:32 ` Linus Torvalds 2020-09-16 20:43 ` Paul E. McKenney @ 2020-09-17 6:38 ` Ard Biesheuvel 1 sibling, 0 replies; 47+ messages in thread From: Ard Biesheuvel @ 2020-09-17 6:38 UTC (permalink / raw) To: Linus Torvalds Cc: Paul E. McKenney, Daniel Vetter, Thomas Gleixner, Herbert Xu, LKML, linux-arch, Sebastian Andrzej Siewior, Valentin Schneider, Richard Henderson, Ivan Kokshaysky, Matt Turner, alpha, Jeff Dike, Richard Weinberger, Anton Ivanov, linux-um, Brian Cain, linux-hexagon, Geert Uytterhoeven, linux-m68k, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Will Deacon, Andrew Morton, Linux-MM, Ingo Molnar, Russell King, Linux ARM, Chris Zankel, Max Filippov, linux-xtensa, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie, intel-gfx, dri-devel, Josh Triplett, Mathieu Desnoyers, Lai Jiangshan, Shuah Khan, rcu, open list:KERNEL SELFTEST FRAMEWORK On Wed, 16 Sep 2020 at 21:32, Linus Torvalds <torvalds@linux-foundation.org> wrote: > > But something like a driver list walking thing should not be doing > different things behind peoples back depending on whether they hold > spinlocks or not. It should either just work regardless, or there > should be a flag (or special interface) for the "you're being called > in a crtitical region". > > Because dynamically changing behavior really is very confusing. > By the same reasoning, I don't think a generic crypto library should be playing tricks with preemption en/disabling under the hood when iterating over some data that is all directly accessible via the linear map on the platforms that most people care about. And using kmap_atomic() unconditionally achieves exactly that. As I argued before, the fact that kmap_atomic() can be called from an atomic context, and the fact that its implementation on HIGHMEM platforms requires preemption to be disabled until the next kunmap() are two different things, and I don't agree with your assertion that the name kmap_atomic() implies the latter semantics. If we can avoid disabling preemption on HIGHMEM, as Thomas suggests, we surely don't need it on !HIGHMEM either, and given that kmap_atomic() is preferred today anyway, we can just merge the two implementations. Are there any existing debug features that could help us spot [ab]use of things like raw per-CPU data within kmap_atomic regions? Re your point about deprecating HIGHMEM: some work is underway on ARM to implement a 3.75/3.75 GB kernel/user split on recent LPAE capable hardware (which shouldn't suffer from the performance issues that plagued the 4/4 split on i686), and so hopefully, there is a path forward for ARM that does not rely on HIGHMEM as it does today. ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [patch 00/13] preempt: Make preempt count unconditional 2020-09-16 15:29 ` Paul E. McKenney 2020-09-16 18:32 ` Linus Torvalds @ 2020-09-16 20:29 ` Daniel Vetter 2020-09-16 20:58 ` Paul E. McKenney 1 sibling, 1 reply; 47+ messages in thread From: Daniel Vetter @ 2020-09-16 20:29 UTC (permalink / raw) To: Paul E. McKenney Cc: Linus Torvalds, Thomas Gleixner, Ard Biesheuvel, Herbert Xu, LKML, linux-arch, Sebastian Andrzej Siewior, Valentin Schneider, Richard Henderson, Ivan Kokshaysky, Matt Turner, alpha, Jeff Dike, Richard Weinberger, Anton Ivanov, linux-um, Brian Cain, linux-hexagon, Geert Uytterhoeven, linux-m68k, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Will Deacon, Andrew Morton, Linux-MM, Ingo Molnar, Russell King, Linux ARM, Chris Zankel, Max Filippov, linux-xtensa, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie, intel-gfx, dri-devel, Josh Triplett, Mathieu Desnoyers, Lai Jiangshan, Shuah Khan, rcu, open list:KERNEL SELFTEST FRAMEWORK On Wed, Sep 16, 2020 at 5:29 PM Paul E. McKenney <paulmck@kernel.org> wrote: > > On Wed, Sep 16, 2020 at 09:37:17AM +0200, Daniel Vetter wrote: > > On Tue, Sep 15, 2020 at 7:35 PM Linus Torvalds > > <torvalds@linux-foundation.org> wrote: > > > > > > On Tue, Sep 15, 2020 at 1:39 AM Thomas Gleixner <tglx@linutronix.de> wrote: > > > > > > > > OTOH, having a working 'preemptible()' or maybe better named > > > > 'can_schedule()' check makes tons of sense to make decisions about > > > > allocation modes or other things. > > > > > > No. I think that those kinds of decisions about actual behavior are > > > always simply fundamentally wrong. > > > > > > Note that this is very different from having warnings about invalid > > > use. THAT is correct. It may not warn in all configurations, but that > > > doesn't matter: what matters is that it warns in common enough > > > configurations that developers will catch it. > > > > > > So having a warning in "might_sleep()" that doesn't always trigger, > > > because you have a limited configuration that can't even detect the > > > situation, that's fine and dandy and intentional. > > > > > > But having code like > > > > > > if (can_schedule()) > > > .. do something different .. > > > > > > is fundamentally complete and utter garbage. > > > > > > It's one thing if you test for "am I in hardware interrupt context". > > > Those tests aren't great either, but at least they make sense. > > > > > > But a driver - or some library routine - making a difference based on > > > some nebulous "can I schedule" is fundamentally and basically WRONG. > > > > > > If some code changes behavior, it needs to be explicit to the *caller* > > > of that code. > > > > > > So this is why GFP_ATOMIC is fine, but "if (!can_schedule()) > > > do_something_atomic()" is pure shite. > > > > > > And I am not IN THE LEAST interested in trying to help people doing > > > pure shite. We need to fix them. Like the crypto code is getting > > > fixed. > > > > Just figured I'll throw my +1 in from reading too many (gpu) drivers. > > Code that tries to cleverly adjust its behaviour depending upon the > > context it's running in is harder to understand and blows up in more > > interesting ways. We still have drm_can_sleep() and it's mostly just > > used for debug code, and I've largely ended up just deleting > > everything that used it because when you're driver is blowing up the > > last thing you want is to realize your debug code and output can't be > > relied upon. Or worse, that the only Oops you have is the one in the > > debug code, because the real one scrolled away - the original idea > > behind drm_can_sleep was to make all the modeset code work > > automagically both in normal ioctl/kworker context and in the panic > > handlers or kgdb callbacks. Wishful thinking at best. > > > > Also at least for me that extends to everything, e.g. I much prefer > > explicit spin_lock and spin_lock_irq vs magic spin_lock_irqsave for > > locks shared with interrupt handlers, since the former two gives me > > clear information from which contexts such function can be called. > > Other end is the memalloc_no*_save/restore functions, where I recently > > made a real big fool of myself because I didn't realize how much that > > impacts everything that's run within - suddenly "GFP_KERNEL for small > > stuff never fails" is wrong everywhere. > > > > It's all great for debugging and sanity checks (and we run with all > > that stuff enabled in our CI), but really semantic changes depending > > upon magic context checks freak my out :-) > > All fair, but some of us need to write code that must handle being > invoked from a wide variety of contexts. Now perhaps you like the idea of > call_rcu() for schedulable contexts, call_rcu_nosched() when preemption > is disabled, call_rcu_irqs_are_disabled() when interrupts are disabled, > call_rcu_raw_atomic() from contexts where (for example) raw spinlocks > are held, and so on. However, from what I can see, most people instead > consistently prefer that the RCU API instead be consolidated. > > Some in-flight cache-efficiency work for kvfree_rcu() and call_rcu() > needs to be able to allocate memory occasionally. It can do that when > invoked from some contexts, but not when invoked from others. Right now, > in !PREEMPT kernels, it cannot tell, and must either do things to the > memory allocators that some of the MM hate or must unnecessarily invoke > workqueues. Thomas's patches would allow the code to just allocate in > the common case when these primitives are invoked from contexts where > allocation is permitted. > > If we want to restrict access to the can_schedule() or whatever primitive, > fine and good. We can add a check to checkpatch.pl, for example. Maybe > we can go back to the old brlock approach of requiring certain people's > review for each addition to the kernel. > > But there really are use cases that it would greatly help. We can deadlock in random fun places if random stuff we're calling suddenly starts allocating. Sometimes. Maybe once in a blue moon, to make it extra fun to reproduce. Maybe most driver subsystems are less brittle, but gpu drivers definitely need to know about the details for exactly this example. And yes gpu drivers use rcu for freeing dma_fence structures, and that tends to happen in code that we only recently figured out should really not allocate memory. I think minimally you need to throw in an unconditional fs_reclaim_acquire();fs_reclaim_release(); so that everyone who runs with full debugging knows what might happen. It's kinda like might_sleep, but a lot more specific. might_sleep() alone is not enough, because in the specific code paths I'm thinking of (and created special lockdep annotations for just recently) sleeping is allowed, but any memory allocations with GFP_RECLAIM set are no-go. Cheers, Daniel -- Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [patch 00/13] preempt: Make preempt count unconditional 2020-09-16 20:29 ` Daniel Vetter @ 2020-09-16 20:58 ` Paul E. McKenney 2020-09-16 21:43 ` Daniel Vetter 0 siblings, 1 reply; 47+ messages in thread From: Paul E. McKenney @ 2020-09-16 20:58 UTC (permalink / raw) To: Daniel Vetter Cc: Linus Torvalds, Thomas Gleixner, Ard Biesheuvel, Herbert Xu, LKML, linux-arch, Sebastian Andrzej Siewior, Valentin Schneider, Richard Henderson, Ivan Kokshaysky, Matt Turner, alpha, Jeff Dike, Richard Weinberger, Anton Ivanov, linux-um, Brian Cain, linux-hexagon, Geert Uytterhoeven, linux-m68k, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Will Deacon, Andrew Morton, Linux-MM, Ingo Molnar, Russell King, Linux ARM, Chris Zankel, Max Filippov, linux-xtensa, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie, intel-gfx, dri-devel, Josh Triplett, Mathieu Desnoyers, Lai Jiangshan, Shuah Khan, rcu, open list:KERNEL SELFTEST FRAMEWORK On Wed, Sep 16, 2020 at 10:29:06PM +0200, Daniel Vetter wrote: > On Wed, Sep 16, 2020 at 5:29 PM Paul E. McKenney <paulmck@kernel.org> wrote: > > > > On Wed, Sep 16, 2020 at 09:37:17AM +0200, Daniel Vetter wrote: > > > On Tue, Sep 15, 2020 at 7:35 PM Linus Torvalds > > > <torvalds@linux-foundation.org> wrote: > > > > > > > > On Tue, Sep 15, 2020 at 1:39 AM Thomas Gleixner <tglx@linutronix.de> wrote: > > > > > > > > > > OTOH, having a working 'preemptible()' or maybe better named > > > > > 'can_schedule()' check makes tons of sense to make decisions about > > > > > allocation modes or other things. > > > > > > > > No. I think that those kinds of decisions about actual behavior are > > > > always simply fundamentally wrong. > > > > > > > > Note that this is very different from having warnings about invalid > > > > use. THAT is correct. It may not warn in all configurations, but that > > > > doesn't matter: what matters is that it warns in common enough > > > > configurations that developers will catch it. > > > > > > > > So having a warning in "might_sleep()" that doesn't always trigger, > > > > because you have a limited configuration that can't even detect the > > > > situation, that's fine and dandy and intentional. > > > > > > > > But having code like > > > > > > > > if (can_schedule()) > > > > .. do something different .. > > > > > > > > is fundamentally complete and utter garbage. > > > > > > > > It's one thing if you test for "am I in hardware interrupt context". > > > > Those tests aren't great either, but at least they make sense. > > > > > > > > But a driver - or some library routine - making a difference based on > > > > some nebulous "can I schedule" is fundamentally and basically WRONG. > > > > > > > > If some code changes behavior, it needs to be explicit to the *caller* > > > > of that code. > > > > > > > > So this is why GFP_ATOMIC is fine, but "if (!can_schedule()) > > > > do_something_atomic()" is pure shite. > > > > > > > > And I am not IN THE LEAST interested in trying to help people doing > > > > pure shite. We need to fix them. Like the crypto code is getting > > > > fixed. > > > > > > Just figured I'll throw my +1 in from reading too many (gpu) drivers. > > > Code that tries to cleverly adjust its behaviour depending upon the > > > context it's running in is harder to understand and blows up in more > > > interesting ways. We still have drm_can_sleep() and it's mostly just > > > used for debug code, and I've largely ended up just deleting > > > everything that used it because when you're driver is blowing up the > > > last thing you want is to realize your debug code and output can't be > > > relied upon. Or worse, that the only Oops you have is the one in the > > > debug code, because the real one scrolled away - the original idea > > > behind drm_can_sleep was to make all the modeset code work > > > automagically both in normal ioctl/kworker context and in the panic > > > handlers or kgdb callbacks. Wishful thinking at best. > > > > > > Also at least for me that extends to everything, e.g. I much prefer > > > explicit spin_lock and spin_lock_irq vs magic spin_lock_irqsave for > > > locks shared with interrupt handlers, since the former two gives me > > > clear information from which contexts such function can be called. > > > Other end is the memalloc_no*_save/restore functions, where I recently > > > made a real big fool of myself because I didn't realize how much that > > > impacts everything that's run within - suddenly "GFP_KERNEL for small > > > stuff never fails" is wrong everywhere. > > > > > > It's all great for debugging and sanity checks (and we run with all > > > that stuff enabled in our CI), but really semantic changes depending > > > upon magic context checks freak my out :-) > > > > All fair, but some of us need to write code that must handle being > > invoked from a wide variety of contexts. Now perhaps you like the idea of > > call_rcu() for schedulable contexts, call_rcu_nosched() when preemption > > is disabled, call_rcu_irqs_are_disabled() when interrupts are disabled, > > call_rcu_raw_atomic() from contexts where (for example) raw spinlocks > > are held, and so on. However, from what I can see, most people instead > > consistently prefer that the RCU API instead be consolidated. > > > > Some in-flight cache-efficiency work for kvfree_rcu() and call_rcu() > > needs to be able to allocate memory occasionally. It can do that when > > invoked from some contexts, but not when invoked from others. Right now, > > in !PREEMPT kernels, it cannot tell, and must either do things to the > > memory allocators that some of the MM hate or must unnecessarily invoke > > workqueues. Thomas's patches would allow the code to just allocate in > > the common case when these primitives are invoked from contexts where > > allocation is permitted. > > > > If we want to restrict access to the can_schedule() or whatever primitive, > > fine and good. We can add a check to checkpatch.pl, for example. Maybe > > we can go back to the old brlock approach of requiring certain people's > > review for each addition to the kernel. > > > > But there really are use cases that it would greatly help. > > We can deadlock in random fun places if random stuff we're calling > suddenly starts allocating. Sometimes. Maybe once in a blue moon, to > make it extra fun to reproduce. Maybe most driver subsystems are less > brittle, but gpu drivers definitely need to know about the details for > exactly this example. And yes gpu drivers use rcu for freeing > dma_fence structures, and that tends to happen in code that we only > recently figured out should really not allocate memory. > > I think minimally you need to throw in an unconditional > fs_reclaim_acquire();fs_reclaim_release(); so that everyone who runs > with full debugging knows what might happen. It's kinda like > might_sleep, but a lot more specific. might_sleep() alone is not > enough, because in the specific code paths I'm thinking of (and > created special lockdep annotations for just recently) sleeping is > allowed, but any memory allocations with GFP_RECLAIM set are no-go. Completely agreed! Any allocation on any free path must be handled -extremely- carefully. To that end... First, there is always a fallback in case the allocation fails. Which might have performance or corner-case robustness issues, but which will at least allow forward progress. Second, we consulted with a number of MM experts to arrive at appropriate GFP_* flags (and their patience is greatly appreciated). Third, the paths that can allocate will do so about one time of 500, so any issues should be spotted sooner rather than later. So you are quite right to be concerned, but I believe we will be doing the right things. And based on his previous track record, I am also quite certain that Mr. Murphy will be on hand to provide me any additional education that I might require. Finally, I have noted down your point about fs_reclaim_acquire() and fs_reclaim_release(). Whether or not they prove to be needed, I do appreciate your calling them to my attention. Thanx, Paul ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [patch 00/13] preempt: Make preempt count unconditional 2020-09-16 20:58 ` Paul E. McKenney @ 2020-09-16 21:43 ` Daniel Vetter 2020-09-16 22:39 ` Paul E. McKenney 2020-09-29 8:19 ` Michal Hocko 0 siblings, 2 replies; 47+ messages in thread From: Daniel Vetter @ 2020-09-16 21:43 UTC (permalink / raw) To: Paul E. McKenney Cc: Linus Torvalds, Thomas Gleixner, Ard Biesheuvel, Herbert Xu, LKML, linux-arch, Sebastian Andrzej Siewior, Valentin Schneider, Richard Henderson, Ivan Kokshaysky, Matt Turner, alpha, Jeff Dike, Richard Weinberger, Anton Ivanov, linux-um, Brian Cain, linux-hexagon, Geert Uytterhoeven, linux-m68k, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Will Deacon, Andrew Morton, Linux-MM, Ingo Molnar, Russell King, Linux ARM, Chris Zankel, Max Filippov, linux-xtensa, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie, intel-gfx, dri-devel, Josh Triplett, Mathieu Desnoyers, Lai Jiangshan, Shuah Khan, rcu, open list:KERNEL SELFTEST FRAMEWORK On Wed, Sep 16, 2020 at 10:58 PM Paul E. McKenney <paulmck@kernel.org> wrote: > > On Wed, Sep 16, 2020 at 10:29:06PM +0200, Daniel Vetter wrote: > > On Wed, Sep 16, 2020 at 5:29 PM Paul E. McKenney <paulmck@kernel.org> wrote: > > > > > > On Wed, Sep 16, 2020 at 09:37:17AM +0200, Daniel Vetter wrote: > > > > On Tue, Sep 15, 2020 at 7:35 PM Linus Torvalds > > > > <torvalds@linux-foundation.org> wrote: > > > > > > > > > > On Tue, Sep 15, 2020 at 1:39 AM Thomas Gleixner <tglx@linutronix.de> wrote: > > > > > > > > > > > > OTOH, having a working 'preemptible()' or maybe better named > > > > > > 'can_schedule()' check makes tons of sense to make decisions about > > > > > > allocation modes or other things. > > > > > > > > > > No. I think that those kinds of decisions about actual behavior are > > > > > always simply fundamentally wrong. > > > > > > > > > > Note that this is very different from having warnings about invalid > > > > > use. THAT is correct. It may not warn in all configurations, but that > > > > > doesn't matter: what matters is that it warns in common enough > > > > > configurations that developers will catch it. > > > > > > > > > > So having a warning in "might_sleep()" that doesn't always trigger, > > > > > because you have a limited configuration that can't even detect the > > > > > situation, that's fine and dandy and intentional. > > > > > > > > > > But having code like > > > > > > > > > > if (can_schedule()) > > > > > .. do something different .. > > > > > > > > > > is fundamentally complete and utter garbage. > > > > > > > > > > It's one thing if you test for "am I in hardware interrupt context". > > > > > Those tests aren't great either, but at least they make sense. > > > > > > > > > > But a driver - or some library routine - making a difference based on > > > > > some nebulous "can I schedule" is fundamentally and basically WRONG. > > > > > > > > > > If some code changes behavior, it needs to be explicit to the *caller* > > > > > of that code. > > > > > > > > > > So this is why GFP_ATOMIC is fine, but "if (!can_schedule()) > > > > > do_something_atomic()" is pure shite. > > > > > > > > > > And I am not IN THE LEAST interested in trying to help people doing > > > > > pure shite. We need to fix them. Like the crypto code is getting > > > > > fixed. > > > > > > > > Just figured I'll throw my +1 in from reading too many (gpu) drivers. > > > > Code that tries to cleverly adjust its behaviour depending upon the > > > > context it's running in is harder to understand and blows up in more > > > > interesting ways. We still have drm_can_sleep() and it's mostly just > > > > used for debug code, and I've largely ended up just deleting > > > > everything that used it because when you're driver is blowing up the > > > > last thing you want is to realize your debug code and output can't be > > > > relied upon. Or worse, that the only Oops you have is the one in the > > > > debug code, because the real one scrolled away - the original idea > > > > behind drm_can_sleep was to make all the modeset code work > > > > automagically both in normal ioctl/kworker context and in the panic > > > > handlers or kgdb callbacks. Wishful thinking at best. > > > > > > > > Also at least for me that extends to everything, e.g. I much prefer > > > > explicit spin_lock and spin_lock_irq vs magic spin_lock_irqsave for > > > > locks shared with interrupt handlers, since the former two gives me > > > > clear information from which contexts such function can be called. > > > > Other end is the memalloc_no*_save/restore functions, where I recently > > > > made a real big fool of myself because I didn't realize how much that > > > > impacts everything that's run within - suddenly "GFP_KERNEL for small > > > > stuff never fails" is wrong everywhere. > > > > > > > > It's all great for debugging and sanity checks (and we run with all > > > > that stuff enabled in our CI), but really semantic changes depending > > > > upon magic context checks freak my out :-) > > > > > > All fair, but some of us need to write code that must handle being > > > invoked from a wide variety of contexts. Now perhaps you like the idea of > > > call_rcu() for schedulable contexts, call_rcu_nosched() when preemption > > > is disabled, call_rcu_irqs_are_disabled() when interrupts are disabled, > > > call_rcu_raw_atomic() from contexts where (for example) raw spinlocks > > > are held, and so on. However, from what I can see, most people instead > > > consistently prefer that the RCU API instead be consolidated. > > > > > > Some in-flight cache-efficiency work for kvfree_rcu() and call_rcu() > > > needs to be able to allocate memory occasionally. It can do that when > > > invoked from some contexts, but not when invoked from others. Right now, > > > in !PREEMPT kernels, it cannot tell, and must either do things to the > > > memory allocators that some of the MM hate or must unnecessarily invoke > > > workqueues. Thomas's patches would allow the code to just allocate in > > > the common case when these primitives are invoked from contexts where > > > allocation is permitted. > > > > > > If we want to restrict access to the can_schedule() or whatever primitive, > > > fine and good. We can add a check to checkpatch.pl, for example. Maybe > > > we can go back to the old brlock approach of requiring certain people's > > > review for each addition to the kernel. > > > > > > But there really are use cases that it would greatly help. > > > > We can deadlock in random fun places if random stuff we're calling > > suddenly starts allocating. Sometimes. Maybe once in a blue moon, to > > make it extra fun to reproduce. Maybe most driver subsystems are less > > brittle, but gpu drivers definitely need to know about the details for > > exactly this example. And yes gpu drivers use rcu for freeing > > dma_fence structures, and that tends to happen in code that we only > > recently figured out should really not allocate memory. > > > > I think minimally you need to throw in an unconditional > > fs_reclaim_acquire();fs_reclaim_release(); so that everyone who runs > > with full debugging knows what might happen. It's kinda like > > might_sleep, but a lot more specific. might_sleep() alone is not > > enough, because in the specific code paths I'm thinking of (and > > created special lockdep annotations for just recently) sleeping is > > allowed, but any memory allocations with GFP_RECLAIM set are no-go. > > Completely agreed! Any allocation on any free path must be handled > -extremely- carefully. To that end... > > First, there is always a fallback in case the allocation fails. Which > might have performance or corner-case robustness issues, but which will > at least allow forward progress. Second, we consulted with a number of > MM experts to arrive at appropriate GFP_* flags (and their patience is > greatly appreciated). Third, the paths that can allocate will do so about > one time of 500, so any issues should be spotted sooner rather than later. > > So you are quite right to be concerned, but I believe we will be doing the > right things. And based on his previous track record, I am also quite > certain that Mr. Murphy will be on hand to provide me any additional > education that I might require. > > Finally, I have noted down your point about fs_reclaim_acquire() and > fs_reclaim_release(). Whether or not they prove to be needed, I do > appreciate your calling them to my attention. I just realized that since these dma_fence structs are refcounted and userspace can hold references (directly, it can pass them around behind file descriptors) we might never hit such a path until slightly unusual or evil userspace does something interesting. Do you have links to those patches? Some googling didn't turn up anything. I can then figure out whether it's better to risk not spotting issues with call_rcu vs slapping a memalloc_noio_save/restore around all these critical section which force-degrades any allocation to GFP_ATOMIC at most, but has the risk that we run into code that assumes "GFP_KERNEL never fails for small stuff" and has a decidedly less tested fallback path than rcu code. -Daniel -- Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [patch 00/13] preempt: Make preempt count unconditional 2020-09-16 21:43 ` Daniel Vetter @ 2020-09-16 22:39 ` Paul E. McKenney 2020-09-17 7:52 ` Daniel Vetter 2020-09-29 8:19 ` Michal Hocko 1 sibling, 1 reply; 47+ messages in thread From: Paul E. McKenney @ 2020-09-16 22:39 UTC (permalink / raw) To: Daniel Vetter Cc: Linus Torvalds, Thomas Gleixner, Ard Biesheuvel, Herbert Xu, LKML, linux-arch, Sebastian Andrzej Siewior, Valentin Schneider, Richard Henderson, Ivan Kokshaysky, Matt Turner, alpha, Jeff Dike, Richard Weinberger, Anton Ivanov, linux-um, Brian Cain, linux-hexagon, Geert Uytterhoeven, linux-m68k, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Will Deacon, Andrew Morton, Linux-MM, Ingo Molnar, Russell King, Linux ARM, Chris Zankel, Max Filippov, linux-xtensa, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie, intel-gfx, dri-devel, Josh Triplett, Mathieu Desnoyers, Lai Jiangshan, Shuah Khan, rcu, open list:KERNEL SELFTEST FRAMEWORK On Wed, Sep 16, 2020 at 11:43:02PM +0200, Daniel Vetter wrote: > On Wed, Sep 16, 2020 at 10:58 PM Paul E. McKenney <paulmck@kernel.org> wrote: > > > > On Wed, Sep 16, 2020 at 10:29:06PM +0200, Daniel Vetter wrote: > > > On Wed, Sep 16, 2020 at 5:29 PM Paul E. McKenney <paulmck@kernel.org> wrote: > > > > > > > > On Wed, Sep 16, 2020 at 09:37:17AM +0200, Daniel Vetter wrote: > > > > > On Tue, Sep 15, 2020 at 7:35 PM Linus Torvalds > > > > > <torvalds@linux-foundation.org> wrote: > > > > > > > > > > > > On Tue, Sep 15, 2020 at 1:39 AM Thomas Gleixner <tglx@linutronix.de> wrote: > > > > > > > > > > > > > > OTOH, having a working 'preemptible()' or maybe better named > > > > > > > 'can_schedule()' check makes tons of sense to make decisions about > > > > > > > allocation modes or other things. > > > > > > > > > > > > No. I think that those kinds of decisions about actual behavior are > > > > > > always simply fundamentally wrong. > > > > > > > > > > > > Note that this is very different from having warnings about invalid > > > > > > use. THAT is correct. It may not warn in all configurations, but that > > > > > > doesn't matter: what matters is that it warns in common enough > > > > > > configurations that developers will catch it. > > > > > > > > > > > > So having a warning in "might_sleep()" that doesn't always trigger, > > > > > > because you have a limited configuration that can't even detect the > > > > > > situation, that's fine and dandy and intentional. > > > > > > > > > > > > But having code like > > > > > > > > > > > > if (can_schedule()) > > > > > > .. do something different .. > > > > > > > > > > > > is fundamentally complete and utter garbage. > > > > > > > > > > > > It's one thing if you test for "am I in hardware interrupt context". > > > > > > Those tests aren't great either, but at least they make sense. > > > > > > > > > > > > But a driver - or some library routine - making a difference based on > > > > > > some nebulous "can I schedule" is fundamentally and basically WRONG. > > > > > > > > > > > > If some code changes behavior, it needs to be explicit to the *caller* > > > > > > of that code. > > > > > > > > > > > > So this is why GFP_ATOMIC is fine, but "if (!can_schedule()) > > > > > > do_something_atomic()" is pure shite. > > > > > > > > > > > > And I am not IN THE LEAST interested in trying to help people doing > > > > > > pure shite. We need to fix them. Like the crypto code is getting > > > > > > fixed. > > > > > > > > > > Just figured I'll throw my +1 in from reading too many (gpu) drivers. > > > > > Code that tries to cleverly adjust its behaviour depending upon the > > > > > context it's running in is harder to understand and blows up in more > > > > > interesting ways. We still have drm_can_sleep() and it's mostly just > > > > > used for debug code, and I've largely ended up just deleting > > > > > everything that used it because when you're driver is blowing up the > > > > > last thing you want is to realize your debug code and output can't be > > > > > relied upon. Or worse, that the only Oops you have is the one in the > > > > > debug code, because the real one scrolled away - the original idea > > > > > behind drm_can_sleep was to make all the modeset code work > > > > > automagically both in normal ioctl/kworker context and in the panic > > > > > handlers or kgdb callbacks. Wishful thinking at best. > > > > > > > > > > Also at least for me that extends to everything, e.g. I much prefer > > > > > explicit spin_lock and spin_lock_irq vs magic spin_lock_irqsave for > > > > > locks shared with interrupt handlers, since the former two gives me > > > > > clear information from which contexts such function can be called. > > > > > Other end is the memalloc_no*_save/restore functions, where I recently > > > > > made a real big fool of myself because I didn't realize how much that > > > > > impacts everything that's run within - suddenly "GFP_KERNEL for small > > > > > stuff never fails" is wrong everywhere. > > > > > > > > > > It's all great for debugging and sanity checks (and we run with all > > > > > that stuff enabled in our CI), but really semantic changes depending > > > > > upon magic context checks freak my out :-) > > > > > > > > All fair, but some of us need to write code that must handle being > > > > invoked from a wide variety of contexts. Now perhaps you like the idea of > > > > call_rcu() for schedulable contexts, call_rcu_nosched() when preemption > > > > is disabled, call_rcu_irqs_are_disabled() when interrupts are disabled, > > > > call_rcu_raw_atomic() from contexts where (for example) raw spinlocks > > > > are held, and so on. However, from what I can see, most people instead > > > > consistently prefer that the RCU API instead be consolidated. > > > > > > > > Some in-flight cache-efficiency work for kvfree_rcu() and call_rcu() > > > > needs to be able to allocate memory occasionally. It can do that when > > > > invoked from some contexts, but not when invoked from others. Right now, > > > > in !PREEMPT kernels, it cannot tell, and must either do things to the > > > > memory allocators that some of the MM hate or must unnecessarily invoke > > > > workqueues. Thomas's patches would allow the code to just allocate in > > > > the common case when these primitives are invoked from contexts where > > > > allocation is permitted. > > > > > > > > If we want to restrict access to the can_schedule() or whatever primitive, > > > > fine and good. We can add a check to checkpatch.pl, for example. Maybe > > > > we can go back to the old brlock approach of requiring certain people's > > > > review for each addition to the kernel. > > > > > > > > But there really are use cases that it would greatly help. > > > > > > We can deadlock in random fun places if random stuff we're calling > > > suddenly starts allocating. Sometimes. Maybe once in a blue moon, to > > > make it extra fun to reproduce. Maybe most driver subsystems are less > > > brittle, but gpu drivers definitely need to know about the details for > > > exactly this example. And yes gpu drivers use rcu for freeing > > > dma_fence structures, and that tends to happen in code that we only > > > recently figured out should really not allocate memory. > > > > > > I think minimally you need to throw in an unconditional > > > fs_reclaim_acquire();fs_reclaim_release(); so that everyone who runs > > > with full debugging knows what might happen. It's kinda like > > > might_sleep, but a lot more specific. might_sleep() alone is not > > > enough, because in the specific code paths I'm thinking of (and > > > created special lockdep annotations for just recently) sleeping is > > > allowed, but any memory allocations with GFP_RECLAIM set are no-go. > > > > Completely agreed! Any allocation on any free path must be handled > > -extremely- carefully. To that end... > > > > First, there is always a fallback in case the allocation fails. Which > > might have performance or corner-case robustness issues, but which will > > at least allow forward progress. Second, we consulted with a number of > > MM experts to arrive at appropriate GFP_* flags (and their patience is > > greatly appreciated). Third, the paths that can allocate will do so about > > one time of 500, so any issues should be spotted sooner rather than later. > > > > So you are quite right to be concerned, but I believe we will be doing the > > right things. And based on his previous track record, I am also quite > > certain that Mr. Murphy will be on hand to provide me any additional > > education that I might require. > > > > Finally, I have noted down your point about fs_reclaim_acquire() and > > fs_reclaim_release(). Whether or not they prove to be needed, I do > > appreciate your calling them to my attention. > > I just realized that since these dma_fence structs are refcounted and > userspace can hold references (directly, it can pass them around > behind file descriptors) we might never hit such a path until slightly > unusual or evil userspace does something interesting. Do you have > links to those patches? Some googling didn't turn up anything. I can > then figure out whether it's better to risk not spotting issues with > call_rcu vs slapping a memalloc_noio_save/restore around all these > critical section which force-degrades any allocation to GFP_ATOMIC at > most, but has the risk that we run into code that assumes "GFP_KERNEL > never fails for small stuff" and has a decidedly less tested fallback > path than rcu code. Here is the previous early draft version, which will change considerably for the next version: lore.kernel.org/lkml/20200809204354.20137-1-urezki@gmail.com This does kvfree_rcu(), but we expect to handle call_rcu() similarly. The version in preparation will use workqueues to do the allocation in a known-safe environment and also use lockless access to certain portions of the allocator caches (as noted earlier, this last is not much loved by some of the MM guys). Given Thomas's patch, we could with high probability allocate directly, perhaps even not needing memory-allocator modifications. Either way, kvfree_rcu(), and later call_rcu(), will avoid asking the allocator to do anything that the calling context prohibits. So what types of bugs are you looking for? Where reclaim calls back into the driver or some such? Thanx, Paul ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [patch 00/13] preempt: Make preempt count unconditional 2020-09-16 22:39 ` Paul E. McKenney @ 2020-09-17 7:52 ` Daniel Vetter 2020-09-17 16:28 ` Paul E. McKenney 0 siblings, 1 reply; 47+ messages in thread From: Daniel Vetter @ 2020-09-17 7:52 UTC (permalink / raw) To: Paul E. McKenney Cc: Linus Torvalds, Thomas Gleixner, Ard Biesheuvel, Herbert Xu, LKML, linux-arch, Sebastian Andrzej Siewior, Valentin Schneider, Richard Henderson, Ivan Kokshaysky, Matt Turner, alpha, Jeff Dike, Richard Weinberger, Anton Ivanov, linux-um, Brian Cain, linux-hexagon, Geert Uytterhoeven, linux-m68k, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Will Deacon, Andrew Morton, Linux-MM, Ingo Molnar, Russell King, Linux ARM, Chris Zankel, Max Filippov, linux-xtensa, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie, intel-gfx, dri-devel, Josh Triplett, Mathieu Desnoyers, Lai Jiangshan, Shuah Khan, rcu, open list:KERNEL SELFTEST FRAMEWORK On Thu, Sep 17, 2020 at 12:39 AM Paul E. McKenney <paulmck@kernel.org> wrote: > > On Wed, Sep 16, 2020 at 11:43:02PM +0200, Daniel Vetter wrote: > > On Wed, Sep 16, 2020 at 10:58 PM Paul E. McKenney <paulmck@kernel.org> wrote: > > > > > > On Wed, Sep 16, 2020 at 10:29:06PM +0200, Daniel Vetter wrote: > > > > On Wed, Sep 16, 2020 at 5:29 PM Paul E. McKenney <paulmck@kernel.org> wrote: > > > > > > > > > > On Wed, Sep 16, 2020 at 09:37:17AM +0200, Daniel Vetter wrote: > > > > > > On Tue, Sep 15, 2020 at 7:35 PM Linus Torvalds > > > > > > <torvalds@linux-foundation.org> wrote: > > > > > > > > > > > > > > On Tue, Sep 15, 2020 at 1:39 AM Thomas Gleixner <tglx@linutronix.de> wrote: > > > > > > > > > > > > > > > > OTOH, having a working 'preemptible()' or maybe better named > > > > > > > > 'can_schedule()' check makes tons of sense to make decisions about > > > > > > > > allocation modes or other things. > > > > > > > > > > > > > > No. I think that those kinds of decisions about actual behavior are > > > > > > > always simply fundamentally wrong. > > > > > > > > > > > > > > Note that this is very different from having warnings about invalid > > > > > > > use. THAT is correct. It may not warn in all configurations, but that > > > > > > > doesn't matter: what matters is that it warns in common enough > > > > > > > configurations that developers will catch it. > > > > > > > > > > > > > > So having a warning in "might_sleep()" that doesn't always trigger, > > > > > > > because you have a limited configuration that can't even detect the > > > > > > > situation, that's fine and dandy and intentional. > > > > > > > > > > > > > > But having code like > > > > > > > > > > > > > > if (can_schedule()) > > > > > > > .. do something different .. > > > > > > > > > > > > > > is fundamentally complete and utter garbage. > > > > > > > > > > > > > > It's one thing if you test for "am I in hardware interrupt context". > > > > > > > Those tests aren't great either, but at least they make sense. > > > > > > > > > > > > > > But a driver - or some library routine - making a difference based on > > > > > > > some nebulous "can I schedule" is fundamentally and basically WRONG. > > > > > > > > > > > > > > If some code changes behavior, it needs to be explicit to the *caller* > > > > > > > of that code. > > > > > > > > > > > > > > So this is why GFP_ATOMIC is fine, but "if (!can_schedule()) > > > > > > > do_something_atomic()" is pure shite. > > > > > > > > > > > > > > And I am not IN THE LEAST interested in trying to help people doing > > > > > > > pure shite. We need to fix them. Like the crypto code is getting > > > > > > > fixed. > > > > > > > > > > > > Just figured I'll throw my +1 in from reading too many (gpu) drivers. > > > > > > Code that tries to cleverly adjust its behaviour depending upon the > > > > > > context it's running in is harder to understand and blows up in more > > > > > > interesting ways. We still have drm_can_sleep() and it's mostly just > > > > > > used for debug code, and I've largely ended up just deleting > > > > > > everything that used it because when you're driver is blowing up the > > > > > > last thing you want is to realize your debug code and output can't be > > > > > > relied upon. Or worse, that the only Oops you have is the one in the > > > > > > debug code, because the real one scrolled away - the original idea > > > > > > behind drm_can_sleep was to make all the modeset code work > > > > > > automagically both in normal ioctl/kworker context and in the panic > > > > > > handlers or kgdb callbacks. Wishful thinking at best. > > > > > > > > > > > > Also at least for me that extends to everything, e.g. I much prefer > > > > > > explicit spin_lock and spin_lock_irq vs magic spin_lock_irqsave for > > > > > > locks shared with interrupt handlers, since the former two gives me > > > > > > clear information from which contexts such function can be called. > > > > > > Other end is the memalloc_no*_save/restore functions, where I recently > > > > > > made a real big fool of myself because I didn't realize how much that > > > > > > impacts everything that's run within - suddenly "GFP_KERNEL for small > > > > > > stuff never fails" is wrong everywhere. > > > > > > > > > > > > It's all great for debugging and sanity checks (and we run with all > > > > > > that stuff enabled in our CI), but really semantic changes depending > > > > > > upon magic context checks freak my out :-) > > > > > > > > > > All fair, but some of us need to write code that must handle being > > > > > invoked from a wide variety of contexts. Now perhaps you like the idea of > > > > > call_rcu() for schedulable contexts, call_rcu_nosched() when preemption > > > > > is disabled, call_rcu_irqs_are_disabled() when interrupts are disabled, > > > > > call_rcu_raw_atomic() from contexts where (for example) raw spinlocks > > > > > are held, and so on. However, from what I can see, most people instead > > > > > consistently prefer that the RCU API instead be consolidated. > > > > > > > > > > Some in-flight cache-efficiency work for kvfree_rcu() and call_rcu() > > > > > needs to be able to allocate memory occasionally. It can do that when > > > > > invoked from some contexts, but not when invoked from others. Right now, > > > > > in !PREEMPT kernels, it cannot tell, and must either do things to the > > > > > memory allocators that some of the MM hate or must unnecessarily invoke > > > > > workqueues. Thomas's patches would allow the code to just allocate in > > > > > the common case when these primitives are invoked from contexts where > > > > > allocation is permitted. > > > > > > > > > > If we want to restrict access to the can_schedule() or whatever primitive, > > > > > fine and good. We can add a check to checkpatch.pl, for example. Maybe > > > > > we can go back to the old brlock approach of requiring certain people's > > > > > review for each addition to the kernel. > > > > > > > > > > But there really are use cases that it would greatly help. > > > > > > > > We can deadlock in random fun places if random stuff we're calling > > > > suddenly starts allocating. Sometimes. Maybe once in a blue moon, to > > > > make it extra fun to reproduce. Maybe most driver subsystems are less > > > > brittle, but gpu drivers definitely need to know about the details for > > > > exactly this example. And yes gpu drivers use rcu for freeing > > > > dma_fence structures, and that tends to happen in code that we only > > > > recently figured out should really not allocate memory. > > > > > > > > I think minimally you need to throw in an unconditional > > > > fs_reclaim_acquire();fs_reclaim_release(); so that everyone who runs > > > > with full debugging knows what might happen. It's kinda like > > > > might_sleep, but a lot more specific. might_sleep() alone is not > > > > enough, because in the specific code paths I'm thinking of (and > > > > created special lockdep annotations for just recently) sleeping is > > > > allowed, but any memory allocations with GFP_RECLAIM set are no-go. > > > > > > Completely agreed! Any allocation on any free path must be handled > > > -extremely- carefully. To that end... > > > > > > First, there is always a fallback in case the allocation fails. Which > > > might have performance or corner-case robustness issues, but which will > > > at least allow forward progress. Second, we consulted with a number of > > > MM experts to arrive at appropriate GFP_* flags (and their patience is > > > greatly appreciated). Third, the paths that can allocate will do so about > > > one time of 500, so any issues should be spotted sooner rather than later. > > > > > > So you are quite right to be concerned, but I believe we will be doing the > > > right things. And based on his previous track record, I am also quite > > > certain that Mr. Murphy will be on hand to provide me any additional > > > education that I might require. > > > > > > Finally, I have noted down your point about fs_reclaim_acquire() and > > > fs_reclaim_release(). Whether or not they prove to be needed, I do > > > appreciate your calling them to my attention. > > > > I just realized that since these dma_fence structs are refcounted and > > userspace can hold references (directly, it can pass them around > > behind file descriptors) we might never hit such a path until slightly > > unusual or evil userspace does something interesting. Do you have > > links to those patches? Some googling didn't turn up anything. I can > > then figure out whether it's better to risk not spotting issues with > > call_rcu vs slapping a memalloc_noio_save/restore around all these > > critical section which force-degrades any allocation to GFP_ATOMIC at > > most, but has the risk that we run into code that assumes "GFP_KERNEL > > never fails for small stuff" and has a decidedly less tested fallback > > path than rcu code. > > Here is the previous early draft version, which will change considerably > for the next version: > > lore.kernel.org/lkml/20200809204354.20137-1-urezki@gmail.com > > This does kvfree_rcu(), but we expect to handle call_rcu() similarly. > > The version in preparation will use workqueues to do the allocation in a > known-safe environment and also use lockless access to certain portions > of the allocator caches (as noted earlier, this last is not much loved > by some of the MM guys). Given Thomas's patch, we could with high > probability allocate directly, perhaps even not needing memory-allocator > modifications. > > Either way, kvfree_rcu(), and later call_rcu(), will avoid asking the > allocator to do anything that the calling context prohibits. So what > types of bugs are you looking for? Where reclaim calls back into the > driver or some such? Yeah pretty much. It's a problem for gpu, fs, block drivers and really anything else that's remotely involved in memory reclaim somehow. Generally this is all handled explicitly by passing gfp_t flags down any call chain, but in some cases it's instead solved with the memalloc_no* functions. E.g. sunrpc uses that to make sure the network stack (which generally just assumes it can allocate memory) doesn't, to avoid recursions back into nfs/sunrpc. To my knowledge there's no way to check at runtime with which gfp flags you're allowed to allocate memory, a preemptible check is definitely not enough. Disabled preemption implies only GFP_ATOMIC is allowed (ignoring nmi and stuff like that), but the inverse is not true. So if you want the automagic in call_rcu I think either - we need to replace all explicit gfp flags with the context marking memalloc_no* across the entire kernel, or at least anywhere rcu might be used. - audit all callchains and make sure a call_rcu_noalloc is used anywhere there might be a problem. probably better to have a call_rcu_gfp with explicit gfp flags parameter, since generally that needs to be passed down. But at least to me the lockless magic in mm sounds a lot safer, since it contains the complexity and doesn't leak it out to callers of call_rcu. -Daniel -- Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [patch 00/13] preempt: Make preempt count unconditional 2020-09-17 7:52 ` Daniel Vetter @ 2020-09-17 16:28 ` Paul E. McKenney 0 siblings, 0 replies; 47+ messages in thread From: Paul E. McKenney @ 2020-09-17 16:28 UTC (permalink / raw) To: Daniel Vetter Cc: Linus Torvalds, Thomas Gleixner, Ard Biesheuvel, Herbert Xu, LKML, linux-arch, Sebastian Andrzej Siewior, Valentin Schneider, Richard Henderson, Ivan Kokshaysky, Matt Turner, alpha, Jeff Dike, Richard Weinberger, Anton Ivanov, linux-um, Brian Cain, linux-hexagon, Geert Uytterhoeven, linux-m68k, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Will Deacon, Andrew Morton, Linux-MM, Ingo Molnar, Russell King, Linux ARM, Chris Zankel, Max Filippov, linux-xtensa, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie, intel-gfx, dri-devel, Josh Triplett, Mathieu Desnoyers, Lai Jiangshan, Shuah Khan, rcu, open list:KERNEL SELFTEST FRAMEWORK On Thu, Sep 17, 2020 at 09:52:30AM +0200, Daniel Vetter wrote: > On Thu, Sep 17, 2020 at 12:39 AM Paul E. McKenney <paulmck@kernel.org> wrote: > > > > On Wed, Sep 16, 2020 at 11:43:02PM +0200, Daniel Vetter wrote: > > > On Wed, Sep 16, 2020 at 10:58 PM Paul E. McKenney <paulmck@kernel.org> wrote: > > > > > > > > On Wed, Sep 16, 2020 at 10:29:06PM +0200, Daniel Vetter wrote: > > > > > On Wed, Sep 16, 2020 at 5:29 PM Paul E. McKenney <paulmck@kernel.org> wrote: > > > > > > > > > > > > On Wed, Sep 16, 2020 at 09:37:17AM +0200, Daniel Vetter wrote: > > > > > > > On Tue, Sep 15, 2020 at 7:35 PM Linus Torvalds > > > > > > > <torvalds@linux-foundation.org> wrote: > > > > > > > > > > > > > > > > On Tue, Sep 15, 2020 at 1:39 AM Thomas Gleixner <tglx@linutronix.de> wrote: > > > > > > > > > > > > > > > > > > OTOH, having a working 'preemptible()' or maybe better named > > > > > > > > > 'can_schedule()' check makes tons of sense to make decisions about > > > > > > > > > allocation modes or other things. > > > > > > > > > > > > > > > > No. I think that those kinds of decisions about actual behavior are > > > > > > > > always simply fundamentally wrong. > > > > > > > > > > > > > > > > Note that this is very different from having warnings about invalid > > > > > > > > use. THAT is correct. It may not warn in all configurations, but that > > > > > > > > doesn't matter: what matters is that it warns in common enough > > > > > > > > configurations that developers will catch it. > > > > > > > > > > > > > > > > So having a warning in "might_sleep()" that doesn't always trigger, > > > > > > > > because you have a limited configuration that can't even detect the > > > > > > > > situation, that's fine and dandy and intentional. > > > > > > > > > > > > > > > > But having code like > > > > > > > > > > > > > > > > if (can_schedule()) > > > > > > > > .. do something different .. > > > > > > > > > > > > > > > > is fundamentally complete and utter garbage. > > > > > > > > > > > > > > > > It's one thing if you test for "am I in hardware interrupt context". > > > > > > > > Those tests aren't great either, but at least they make sense. > > > > > > > > > > > > > > > > But a driver - or some library routine - making a difference based on > > > > > > > > some nebulous "can I schedule" is fundamentally and basically WRONG. > > > > > > > > > > > > > > > > If some code changes behavior, it needs to be explicit to the *caller* > > > > > > > > of that code. > > > > > > > > > > > > > > > > So this is why GFP_ATOMIC is fine, but "if (!can_schedule()) > > > > > > > > do_something_atomic()" is pure shite. > > > > > > > > > > > > > > > > And I am not IN THE LEAST interested in trying to help people doing > > > > > > > > pure shite. We need to fix them. Like the crypto code is getting > > > > > > > > fixed. > > > > > > > > > > > > > > Just figured I'll throw my +1 in from reading too many (gpu) drivers. > > > > > > > Code that tries to cleverly adjust its behaviour depending upon the > > > > > > > context it's running in is harder to understand and blows up in more > > > > > > > interesting ways. We still have drm_can_sleep() and it's mostly just > > > > > > > used for debug code, and I've largely ended up just deleting > > > > > > > everything that used it because when you're driver is blowing up the > > > > > > > last thing you want is to realize your debug code and output can't be > > > > > > > relied upon. Or worse, that the only Oops you have is the one in the > > > > > > > debug code, because the real one scrolled away - the original idea > > > > > > > behind drm_can_sleep was to make all the modeset code work > > > > > > > automagically both in normal ioctl/kworker context and in the panic > > > > > > > handlers or kgdb callbacks. Wishful thinking at best. > > > > > > > > > > > > > > Also at least for me that extends to everything, e.g. I much prefer > > > > > > > explicit spin_lock and spin_lock_irq vs magic spin_lock_irqsave for > > > > > > > locks shared with interrupt handlers, since the former two gives me > > > > > > > clear information from which contexts such function can be called. > > > > > > > Other end is the memalloc_no*_save/restore functions, where I recently > > > > > > > made a real big fool of myself because I didn't realize how much that > > > > > > > impacts everything that's run within - suddenly "GFP_KERNEL for small > > > > > > > stuff never fails" is wrong everywhere. > > > > > > > > > > > > > > It's all great for debugging and sanity checks (and we run with all > > > > > > > that stuff enabled in our CI), but really semantic changes depending > > > > > > > upon magic context checks freak my out :-) > > > > > > > > > > > > All fair, but some of us need to write code that must handle being > > > > > > invoked from a wide variety of contexts. Now perhaps you like the idea of > > > > > > call_rcu() for schedulable contexts, call_rcu_nosched() when preemption > > > > > > is disabled, call_rcu_irqs_are_disabled() when interrupts are disabled, > > > > > > call_rcu_raw_atomic() from contexts where (for example) raw spinlocks > > > > > > are held, and so on. However, from what I can see, most people instead > > > > > > consistently prefer that the RCU API instead be consolidated. > > > > > > > > > > > > Some in-flight cache-efficiency work for kvfree_rcu() and call_rcu() > > > > > > needs to be able to allocate memory occasionally. It can do that when > > > > > > invoked from some contexts, but not when invoked from others. Right now, > > > > > > in !PREEMPT kernels, it cannot tell, and must either do things to the > > > > > > memory allocators that some of the MM hate or must unnecessarily invoke > > > > > > workqueues. Thomas's patches would allow the code to just allocate in > > > > > > the common case when these primitives are invoked from contexts where > > > > > > allocation is permitted. > > > > > > > > > > > > If we want to restrict access to the can_schedule() or whatever primitive, > > > > > > fine and good. We can add a check to checkpatch.pl, for example. Maybe > > > > > > we can go back to the old brlock approach of requiring certain people's > > > > > > review for each addition to the kernel. > > > > > > > > > > > > But there really are use cases that it would greatly help. > > > > > > > > > > We can deadlock in random fun places if random stuff we're calling > > > > > suddenly starts allocating. Sometimes. Maybe once in a blue moon, to > > > > > make it extra fun to reproduce. Maybe most driver subsystems are less > > > > > brittle, but gpu drivers definitely need to know about the details for > > > > > exactly this example. And yes gpu drivers use rcu for freeing > > > > > dma_fence structures, and that tends to happen in code that we only > > > > > recently figured out should really not allocate memory. > > > > > > > > > > I think minimally you need to throw in an unconditional > > > > > fs_reclaim_acquire();fs_reclaim_release(); so that everyone who runs > > > > > with full debugging knows what might happen. It's kinda like > > > > > might_sleep, but a lot more specific. might_sleep() alone is not > > > > > enough, because in the specific code paths I'm thinking of (and > > > > > created special lockdep annotations for just recently) sleeping is > > > > > allowed, but any memory allocations with GFP_RECLAIM set are no-go. > > > > > > > > Completely agreed! Any allocation on any free path must be handled > > > > -extremely- carefully. To that end... > > > > > > > > First, there is always a fallback in case the allocation fails. Which > > > > might have performance or corner-case robustness issues, but which will > > > > at least allow forward progress. Second, we consulted with a number of > > > > MM experts to arrive at appropriate GFP_* flags (and their patience is > > > > greatly appreciated). Third, the paths that can allocate will do so about > > > > one time of 500, so any issues should be spotted sooner rather than later. > > > > > > > > So you are quite right to be concerned, but I believe we will be doing the > > > > right things. And based on his previous track record, I am also quite > > > > certain that Mr. Murphy will be on hand to provide me any additional > > > > education that I might require. > > > > > > > > Finally, I have noted down your point about fs_reclaim_acquire() and > > > > fs_reclaim_release(). Whether or not they prove to be needed, I do > > > > appreciate your calling them to my attention. > > > > > > I just realized that since these dma_fence structs are refcounted and > > > userspace can hold references (directly, it can pass them around > > > behind file descriptors) we might never hit such a path until slightly > > > unusual or evil userspace does something interesting. Do you have > > > links to those patches? Some googling didn't turn up anything. I can > > > then figure out whether it's better to risk not spotting issues with > > > call_rcu vs slapping a memalloc_noio_save/restore around all these > > > critical section which force-degrades any allocation to GFP_ATOMIC at > > > most, but has the risk that we run into code that assumes "GFP_KERNEL > > > never fails for small stuff" and has a decidedly less tested fallback > > > path than rcu code. > > > > Here is the previous early draft version, which will change considerably > > for the next version: > > > > lore.kernel.org/lkml/20200809204354.20137-1-urezki@gmail.com > > > > This does kvfree_rcu(), but we expect to handle call_rcu() similarly. > > > > The version in preparation will use workqueues to do the allocation in a > > known-safe environment and also use lockless access to certain portions > > of the allocator caches (as noted earlier, this last is not much loved > > by some of the MM guys). Given Thomas's patch, we could with high > > probability allocate directly, perhaps even not needing memory-allocator > > modifications. > > > > Either way, kvfree_rcu(), and later call_rcu(), will avoid asking the > > allocator to do anything that the calling context prohibits. So what > > types of bugs are you looking for? Where reclaim calls back into the > > driver or some such? > > Yeah pretty much. It's a problem for gpu, fs, block drivers and really > anything else that's remotely involved in memory reclaim somehow. > Generally this is all handled explicitly by passing gfp_t flags down > any call chain, but in some cases it's instead solved with the > memalloc_no* functions. E.g. sunrpc uses that to make sure the network > stack (which generally just assumes it can allocate memory) doesn't, > to avoid recursions back into nfs/sunrpc. To my knowledge there's no > way to check at runtime with which gfp flags you're allowed to > allocate memory, a preemptible check is definitely not enough. > Disabled preemption implies only GFP_ATOMIC is allowed (ignoring nmi > and stuff like that), but the inverse is not true. Thank you for the confirmation! > So if you want the automagic in call_rcu I think either > - we need to replace all explicit gfp flags with the context marking > memalloc_no* across the entire kernel, or at least anywhere rcu might > be used. > - audit all callchains and make sure a call_rcu_noalloc is used > anywhere there might be a problem. probably better to have a > call_rcu_gfp with explicit gfp flags parameter, since generally that > needs to be passed down. > > But at least to me the lockless magic in mm sounds a lot safer, since > it contains the complexity and doesn't leak it out to callers of > call_rcu. Agreed, I greatly prefer Peter Zijlstra's lockless-allocation patch myself. In the meantime, it looks like we will start by causing the allocation to happen in a safe environment. That may have issues with delays, but is at least something that can be done entirely within the confines of RCU. Thanx, Paul ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [patch 00/13] preempt: Make preempt count unconditional 2020-09-16 21:43 ` Daniel Vetter 2020-09-16 22:39 ` Paul E. McKenney @ 2020-09-29 8:19 ` Michal Hocko 2020-09-29 8:19 ` Michal Hocko ` (4 more replies) 1 sibling, 5 replies; 47+ messages in thread From: Michal Hocko @ 2020-09-29 8:19 UTC (permalink / raw) To: Daniel Vetter Cc: Paul E. McKenney, Juri Lelli, Peter Zijlstra, Sebastian Andrzej Siewior, Lai Jiangshan, dri-devel, Ben Segall, Linux-MM, open list:KERNEL SELFTEST FRAMEWORK, linux-hexagon, Will Deacon, Ingo Molnar, Anton Ivanov, linux-arch, Vincent Guittot, Herbert Xu, Brian Cain, Richard Weinberger, Russell King, Ard Biesheuvel, David Airlie, Ingo Molnar, Geert Uytterhoeven, Mel Gorman, intel-gfx, Matt Turner, Valentin Schneider, linux-xtensa, Shuah Khan, Jeff Dike, linux-um, Josh Triplett, Steven Rostedt, rcu, linux-m68k, Ivan Kokshaysky, Rodrigo Vivi, Thomas Gleixner, Dietmar Eggemann, Linux ARM, Richard Henderson, Chris Zankel, Max Filippov, Daniel Bristot de Oliveira, LKML, alpha, Mathieu Desnoyers, Andrew Morton, Linus Torvalds On Wed 16-09-20 23:43:02, Daniel Vetter wrote: > I can > then figure out whether it's better to risk not spotting issues with > call_rcu vs slapping a memalloc_noio_save/restore around all these > critical section which force-degrades any allocation to GFP_ATOMIC at did you mean memalloc_noreclaim_* here? > most, but has the risk that we run into code that assumes "GFP_KERNEL > never fails for small stuff" and has a decidedly less tested fallback > path than rcu code. Even if the above then please note that memalloc_noreclaim_* or PF_MEMALLOC should be used with an extreme care. Essentially only for internal memory reclaimers. It grants access to _all_ the available memory so any abuse can be detrimental to the overall system operation. Allocation failure in this mode means that we are out of memory and any code relying on such an allocation has to carefuly consider failure. This is not a random allocation mode. -- Michal Hocko SUSE Labs ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [patch 00/13] preempt: Make preempt count unconditional 2020-09-29 8:19 ` Michal Hocko @ 2020-09-29 8:19 ` Michal Hocko 2020-09-29 8:20 ` Michal Hocko ` (3 subsequent siblings) 4 siblings, 0 replies; 47+ messages in thread From: Michal Hocko @ 2020-09-29 8:19 UTC (permalink / raw) To: Daniel Vetter Cc: Paul E. McKenney, Juri Lelli, Peter Zijlstra, Sebastian Andrzej Siewior, Lai Jiangshan, dri-devel, Ben Segall, Linux-MM, open list:KERNEL SELFTEST FRAMEWORK, linux-hexagon, Will Deacon, Ingo Molnar, Anton Ivanov, linux-arch, Vincent Guittot, Herbert Xu, Brian Cain, Richard Weinberger, Russell King, Ard Biesheuvel, David Airlie, Ingo Molnar, Geert Uytterhoeven, Mel Gorman, intel-gfx, Matt Turner, Valentin Schneider, linux-xtensa, Shuah Khan, Jeff Dike, linux-um, Josh Triplett, Steven Rostedt, rcu, linux-m68k, Ivan Kokshaysky, Rodrigo Vivi, Thomas Gleixner, Dietmar Eggemann, Linux ARM, Richard Henderson, Chris Zankel, Max Filippov, Daniel Bristot de Oliveira, LKML, alpha, Mathieu Desnoyers, Andrew Morton, Linus Torvalds On Wed 16-09-20 23:43:02, Daniel Vetter wrote: > I can > then figure out whether it's better to risk not spotting issues with > call_rcu vs slapping a memalloc_noio_save/restore around all these > critical section which force-degrades any allocation to GFP_ATOMIC at did you mean memalloc_noreclaim_* here? > most, but has the risk that we run into code that assumes "GFP_KERNEL > never fails for small stuff" and has a decidedly less tested fallback > path than rcu code. Even if the above then please note that memalloc_noreclaim_* or PF_MEMALLOC should be used with an extreme care. Essentially only for internal memory reclaimers. It grants access to _all_ the available memory so any abuse can be detrimental to the overall system operation. Allocation failure in this mode means that we are out of memory and any code relying on such an allocation has to carefuly consider failure. This is not a random allocation mode. -- Michal Hocko SUSE Labs ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [patch 00/13] preempt: Make preempt count unconditional 2020-09-29 8:19 ` Michal Hocko 2020-09-29 8:19 ` Michal Hocko @ 2020-09-29 8:20 ` Michal Hocko 2020-09-29 8:21 ` Michal Hocko ` (2 subsequent siblings) 4 siblings, 0 replies; 47+ messages in thread From: Michal Hocko @ 2020-09-29 8:20 UTC (permalink / raw) To: Daniel Vetter Cc: Paul E. McKenney, Juri Lelli, Peter Zijlstra, Sebastian Andrzej Siewior, Lai Jiangshan, dri-devel, Ben Segall, Linux-MM, open list:KERNEL SELFTEST FRAMEWORK, linux-hexagon, Will Deacon, Ingo Molnar, Anton Ivanov, linux-arch, Vincent Guittot, Herbert Xu, Brian Cain, Richard Weinberger, Russell King, Ard Biesheuvel, David Airlie, Ingo Molnar, Geert Uytterhoeven, Mel Gorman, intel-gfx, Matt Turner, Valentin Schneider, linux-xtensa, Shuah Khan, Jeff Dike, linux-um, Josh Triplett, Steven Rostedt, rcu, linux-m68k, Ivan Kokshaysky, Rodrigo Vivi, Thomas Gleixner, Dietmar Eggemann, Linux ARM, Richard Henderson, Chris Zankel, Max Filippov, Daniel Bristot de Oliveira, LKML, alpha, Mathieu Desnoyers, Andrew Morton, Linus Torvalds On Wed 16-09-20 23:43:02, Daniel Vetter wrote: > I can > then figure out whether it's better to risk not spotting issues with > call_rcu vs slapping a memalloc_noio_save/restore around all these > critical section which force-degrades any allocation to GFP_ATOMIC at did you mean memalloc_noreclaim_* here? > most, but has the risk that we run into code that assumes "GFP_KERNEL > never fails for small stuff" and has a decidedly less tested fallback > path than rcu code. Even if the above then please note that memalloc_noreclaim_* or PF_MEMALLOC should be used with an extreme care. Essentially only for internal memory reclaimers. It grants access to _all_ the available memory so any abuse can be detrimental to the overall system operation. Allocation failure in this mode means that we are out of memory and any code relying on such an allocation has to carefuly consider failure. This is not a random allocation mode. -- Michal Hocko SUSE Labs ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [patch 00/13] preempt: Make preempt count unconditional 2020-09-29 8:19 ` Michal Hocko 2020-09-29 8:19 ` Michal Hocko 2020-09-29 8:20 ` Michal Hocko @ 2020-09-29 8:21 ` Michal Hocko 2020-09-29 8:23 ` Michal Hocko 2020-09-29 9:00 ` Daniel Vetter 4 siblings, 0 replies; 47+ messages in thread From: Michal Hocko @ 2020-09-29 8:21 UTC (permalink / raw) To: Daniel Vetter Cc: Paul E. McKenney, Juri Lelli, Peter Zijlstra, Sebastian Andrzej Siewior, Lai Jiangshan, dri-devel, Ben Segall, Linux-MM, open list:KERNEL SELFTEST FRAMEWORK, linux-hexagon, Will Deacon, Ingo Molnar, Anton Ivanov, linux-arch, Vincent Guittot, Herbert Xu, Brian Cain, Richard Weinberger, Russell King, Ard Biesheuvel, David Airlie, Ingo Molnar, Geert Uytterhoeven, Mel Gorman, intel-gfx, Matt Turner, Valentin Schneider, linux-xtensa, Shuah Khan, Jeff Dike, linux-um, Josh Triplett, Steven Rostedt, rcu, linux-m68k, Ivan Kokshaysky, Rodrigo Vivi, Thomas Gleixner, Dietmar Eggemann, Linux ARM, Richard Henderson, Chris Zankel, Max Filippov, Daniel Bristot de Oliveira, LKML, alpha, Mathieu Desnoyers, Andrew Morton, Linus Torvalds On Wed 16-09-20 23:43:02, Daniel Vetter wrote: > I can > then figure out whether it's better to risk not spotting issues with > call_rcu vs slapping a memalloc_noio_save/restore around all these > critical section which force-degrades any allocation to GFP_ATOMIC at did you mean memalloc_noreclaim_* here? > most, but has the risk that we run into code that assumes "GFP_KERNEL > never fails for small stuff" and has a decidedly less tested fallback > path than rcu code. Even if the above then please note that memalloc_noreclaim_* or PF_MEMALLOC should be used with an extreme care. Essentially only for internal memory reclaimers. It grants access to _all_ the available memory so any abuse can be detrimental to the overall system operation. Allocation failure in this mode means that we are out of memory and any code relying on such an allocation has to carefuly consider failure. This is not a random allocation mode. -- Michal Hocko SUSE Labs ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [patch 00/13] preempt: Make preempt count unconditional 2020-09-29 8:19 ` Michal Hocko ` (2 preceding siblings ...) 2020-09-29 8:21 ` Michal Hocko @ 2020-09-29 8:23 ` Michal Hocko 2020-09-29 9:00 ` Daniel Vetter 4 siblings, 0 replies; 47+ messages in thread From: Michal Hocko @ 2020-09-29 8:23 UTC (permalink / raw) To: Daniel Vetter Cc: Paul E. McKenney, Juri Lelli, Peter Zijlstra, Sebastian Andrzej Siewior, Lai Jiangshan, dri-devel, Ben Segall, Linux-MM, open list:KERNEL SELFTEST FRAMEWORK, linux-hexagon, Will Deacon, Ingo Molnar, Anton Ivanov, linux-arch, Vincent Guittot, Herbert Xu, Brian Cain, Richard Weinberger, Russell King, Ard Biesheuvel, David Airlie, Ingo Molnar, Geert Uytterhoeven, Mel Gorman, intel-gfx, Matt Turner, Valentin Schneider, linux-xtensa, Shuah Khan, Jeff Dike, linux-um, Josh Triplett, Steven Rostedt, rcu, linux-m68k, Ivan Kokshaysky, Rodrigo Vivi, Thomas Gleixner, Dietmar Eggemann, Linux ARM, Richard Henderson, Chris Zankel, Max Filippov, Daniel Bristot de Oliveira, LKML, alpha, Mathieu Desnoyers, Andrew Morton, Linus Torvalds On Wed 16-09-20 23:43:02, Daniel Vetter wrote: > I can > then figure out whether it's better to risk not spotting issues with > call_rcu vs slapping a memalloc_noio_save/restore around all these > critical section which force-degrades any allocation to GFP_ATOMIC at did you mean memalloc_noreclaim_* here? > most, but has the risk that we run into code that assumes "GFP_KERNEL > never fails for small stuff" and has a decidedly less tested fallback > path than rcu code. Even if the above then please note that memalloc_noreclaim_* or PF_MEMALLOC should be used with an extreme care. Essentially only for internal memory reclaimers. It grants access to _all_ the available memory so any abuse can be detrimental to the overall system operation. Allocation failure in this mode means that we are out of memory and any code relying on such an allocation has to carefuly consider failure. This is not a random allocation mode. -- Michal Hocko SUSE Labs ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [patch 00/13] preempt: Make preempt count unconditional 2020-09-29 8:19 ` Michal Hocko ` (3 preceding siblings ...) 2020-09-29 8:23 ` Michal Hocko @ 2020-09-29 9:00 ` Daniel Vetter 2020-09-29 14:54 ` Michal Hocko 4 siblings, 1 reply; 47+ messages in thread From: Daniel Vetter @ 2020-09-29 9:00 UTC (permalink / raw) To: Michal Hocko Cc: Daniel Vetter, Paul E. McKenney, Juri Lelli, Peter Zijlstra, Sebastian Andrzej Siewior, Lai Jiangshan, dri-devel, Ben Segall, Linux-MM, open list:KERNEL SELFTEST FRAMEWORK, linux-hexagon, Will Deacon, Ingo Molnar, Anton Ivanov, linux-arch, Vincent Guittot, Herbert Xu, Brian Cain, Richard Weinberger, Russell King, Ard Biesheuvel, David Airlie, Ingo Molnar, Geert Uytterhoeven, Mel Gorman, intel-gfx, Matt Turner, Valentin Schneider, linux-xtensa, Shuah Khan, Jeff Dike, linux-um, Josh Triplett, Steven Rostedt, rcu, linux-m68k, Ivan Kokshaysky, Rodrigo Vivi, Thomas Gleixner, Dietmar Eggemann, Linux ARM, Richard Henderson, Chris Zankel, Max Filippov, Daniel Bristot de Oliveira, LKML, alpha, Mathieu Desnoyers, Andrew Morton, Linus Torvalds On Tue, Sep 29, 2020 at 10:19:38AM +0200, Michal Hocko wrote: > On Wed 16-09-20 23:43:02, Daniel Vetter wrote: > > I can > > then figure out whether it's better to risk not spotting issues with > > call_rcu vs slapping a memalloc_noio_save/restore around all these > > critical section which force-degrades any allocation to GFP_ATOMIC at > > did you mean memalloc_noreclaim_* here? Yeah I picked the wrong one of that family of functions. > > most, but has the risk that we run into code that assumes "GFP_KERNEL > > never fails for small stuff" and has a decidedly less tested fallback > > path than rcu code. > > Even if the above then please note that memalloc_noreclaim_* or > PF_MEMALLOC should be used with an extreme care. Essentially only for > internal memory reclaimers. It grants access to _all_ the available > memory so any abuse can be detrimental to the overall system operation. > Allocation failure in this mode means that we are out of memory and any > code relying on such an allocation has to carefuly consider failure. > This is not a random allocation mode. Agreed, that's why I don't like having these kind of automagic critical sections. It's a bit a shotgun approach. Paul said that the code would handle failures, but the problem is that it applies everywhere. Anyway my understanding is that call_rcu will be reworked and gain a pile of tricks so that these problems for the callchains leading to call_rcu all disappear. -Daniel -- Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [patch 00/13] preempt: Make preempt count unconditional 2020-09-29 9:00 ` Daniel Vetter @ 2020-09-29 14:54 ` Michal Hocko 0 siblings, 0 replies; 47+ messages in thread From: Michal Hocko @ 2020-09-29 14:54 UTC (permalink / raw) To: Daniel Vetter Cc: Paul E. McKenney, Juri Lelli, Peter Zijlstra, Sebastian Andrzej Siewior, Lai Jiangshan, dri-devel, Ben Segall, Linux-MM, open list:KERNEL SELFTEST FRAMEWORK, linux-hexagon, Will Deacon, Ingo Molnar, Anton Ivanov, linux-arch, Vincent Guittot, Herbert Xu, Brian Cain, Richard Weinberger, Russell King, Ard Biesheuvel, David Airlie, Ingo Molnar, Geert Uytterhoeven, Mel Gorman, intel-gfx, Matt Turner, Valentin Schneider, linux-xtensa, Shuah Khan, Jeff Dike, linux-um, Josh Triplett, Steven Rostedt, rcu, linux-m68k, Ivan Kokshaysky, Rodrigo Vivi, Thomas Gleixner, Dietmar Eggemann, Linux ARM, Richard Henderson, Chris Zankel, Max Filippov, Daniel Bristot de Oliveira, LKML, alpha, Mathieu Desnoyers, Andrew Morton, Linus Torvalds On Tue 29-09-20 11:00:03, Daniel Vetter wrote: > On Tue, Sep 29, 2020 at 10:19:38AM +0200, Michal Hocko wrote: > > On Wed 16-09-20 23:43:02, Daniel Vetter wrote: > > > I can > > > then figure out whether it's better to risk not spotting issues with > > > call_rcu vs slapping a memalloc_noio_save/restore around all these > > > critical section which force-degrades any allocation to GFP_ATOMIC at > > > > did you mean memalloc_noreclaim_* here? > > Yeah I picked the wrong one of that family of functions. > > > > most, but has the risk that we run into code that assumes "GFP_KERNEL > > > never fails for small stuff" and has a decidedly less tested fallback > > > path than rcu code. > > > > Even if the above then please note that memalloc_noreclaim_* or > > PF_MEMALLOC should be used with an extreme care. Essentially only for > > internal memory reclaimers. It grants access to _all_ the available > > memory so any abuse can be detrimental to the overall system operation. > > Allocation failure in this mode means that we are out of memory and any > > code relying on such an allocation has to carefuly consider failure. > > This is not a random allocation mode. > > Agreed, that's why I don't like having these kind of automagic critical > sections. It's a bit a shotgun approach. Paul said that the code would > handle failures, but the problem is that it applies everywhere. Ohh, in the ideal world we wouldn't need anything like that. But then the reality fires: * PF_MEMALLOC (resp memalloc_noreclaim_* for that matter) is primarily used to make sure that allocations from inside the memory reclaim - yeah that happens - will not recurse. * PF_MEMALLOC_NO{FS,IO} (resp memalloc_no{fs,io}*) are used to mark no fs/io reclaim recursion critical sections because controling that for each allocation inside fs transaction (or other sensitive) or IO contexts turned out to be unmaintainable and people simply fallen into using NOFS/NOIO unconditionally which is causing reclaim imbalance problems. * PF_MEMALLOC_NOCMA (resp memalloc_nocma*) is used for long term pinning when CMA pages cannot be pinned because that would break the CMA guarantees. Communicating this to all potential allocations during pinning is simply unfeasible. So you are absolutely right that these critical sections with side effects on all allocations are far from ideal from the API point of view but they are mostly mirroring a demand for functionality which is _practically_ impossible to achieve with our current code base. Not that we couldn't get back to drawing board and come up with a saner thing and rework the world... -- Michal Hocko SUSE Labs ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [patch 00/13] preempt: Make preempt count unconditional [not found] ` <871rj4owfn.fsf@nanos.tec.linutronix.de> [not found] ` <CAHk-=wj0eUuVQ=hRFZv_nY7g5ZLt7Fy3K7SMJL0ZCzniPtsbbg@mail.gmail.com> @ 2020-09-16 19:23 ` Matthew Wilcox 2020-09-16 20:48 ` Paul E. McKenney 1 sibling, 1 reply; 47+ messages in thread From: Matthew Wilcox @ 2020-09-16 19:23 UTC (permalink / raw) To: Thomas Gleixner Cc: Linus Torvalds, LKML, linux-arch, Sebastian Andrzej Siewior, Valentin Schneider, Richard Henderson, Ivan Kokshaysky, Matt Turner, alpha, Jeff Dike, Richard Weinberger, Anton Ivanov, linux-um, Brian Cain, linux-hexagon, Geert Uytterhoeven, linux-m68k, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Will Deacon, Andrew Morton, Linux-MM, Ingo Molnar, Russell King, Linux ARM, Chris Zankel, Max Filippov, linux-xtensa, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie, Daniel Vetter, intel-gfx, dri-devel, Paul E. McKenney, Josh Triplett, Mathieu Desnoyers, Lai Jiangshan, Shuah Khan, rcu, open list:KERNEL SELFTEST FRAMEWORK On Mon, Sep 14, 2020 at 11:55:24PM +0200, Thomas Gleixner wrote: > But just look at any check which uses preemptible(), especially those > which check !preemptible(): hmm. +++ b/include/linux/preempt.h @@ -180,7 +180,9 @@ do { \ #define preempt_enable_no_resched() sched_preempt_enable_no_resched() +#ifndef MODULE #define preemptible() (preempt_count() == 0 && !irqs_disabled()) +#endif #ifdef CONFIG_PREEMPTION #define preempt_enable() \ $ git grep -w preemptible drivers (slightly trimmed by hand to remove, eg, comments) drivers/firmware/arm_sdei.c: WARN_ON_ONCE(preemptible()); drivers/firmware/arm_sdei.c: WARN_ON_ONCE(preemptible()); drivers/firmware/arm_sdei.c: WARN_ON_ONCE(preemptible()); drivers/firmware/arm_sdei.c: WARN_ON_ONCE(preemptible()); drivers/firmware/arm_sdei.c: WARN_ON(preemptible()); drivers/firmware/efi/efi-pstore.c: preemptible(), record->size, record->psi->buf); drivers/irqchip/irq-gic-v4.c: WARN_ON(preemptible()); drivers/irqchip/irq-gic-v4.c: WARN_ON(preemptible()); drivers/scsi/hisi_sas/hisi_sas_main.c: if (!preemptible()) drivers/xen/time.c: BUG_ON(preemptible()); That only looks like two drivers that need more than WARNectomies. Although maybe rcu_read_load_sched_held() or rcu_read_lock_any_held() might get called from a module ... ^ permalink raw reply [flat|nested] 47+ messages in thread
* Re: [patch 00/13] preempt: Make preempt count unconditional 2020-09-16 19:23 ` Matthew Wilcox @ 2020-09-16 20:48 ` Paul E. McKenney 0 siblings, 0 replies; 47+ messages in thread From: Paul E. McKenney @ 2020-09-16 20:48 UTC (permalink / raw) To: Matthew Wilcox Cc: Thomas Gleixner, Linus Torvalds, LKML, linux-arch, Sebastian Andrzej Siewior, Valentin Schneider, Richard Henderson, Ivan Kokshaysky, Matt Turner, alpha, Jeff Dike, Richard Weinberger, Anton Ivanov, linux-um, Brian Cain, linux-hexagon, Geert Uytterhoeven, linux-m68k, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Will Deacon, Andrew Morton, Linux-MM, Ingo Molnar, Russell King, Linux ARM, Chris Zankel, Max Filippov, linux-xtensa, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie, Daniel Vetter, intel-gfx, dri-devel, Josh Triplett, Mathieu Desnoyers, Lai Jiangshan, Shuah Khan, rcu, open list:KERNEL SELFTEST FRAMEWORK On Wed, Sep 16, 2020 at 08:23:52PM +0100, Matthew Wilcox wrote: > On Mon, Sep 14, 2020 at 11:55:24PM +0200, Thomas Gleixner wrote: > > But just look at any check which uses preemptible(), especially those > > which check !preemptible(): > > hmm. > > +++ b/include/linux/preempt.h > @@ -180,7 +180,9 @@ do { \ > > #define preempt_enable_no_resched() sched_preempt_enable_no_resched() > > +#ifndef MODULE > #define preemptible() (preempt_count() == 0 && !irqs_disabled()) > +#endif > > #ifdef CONFIG_PREEMPTION > #define preempt_enable() \ > > > $ git grep -w preemptible drivers > (slightly trimmed by hand to remove, eg, comments) > drivers/firmware/arm_sdei.c: WARN_ON_ONCE(preemptible()); > drivers/firmware/arm_sdei.c: WARN_ON_ONCE(preemptible()); > drivers/firmware/arm_sdei.c: WARN_ON_ONCE(preemptible()); > drivers/firmware/arm_sdei.c: WARN_ON_ONCE(preemptible()); > drivers/firmware/arm_sdei.c: WARN_ON(preemptible()); > drivers/firmware/efi/efi-pstore.c: preemptible(), record->size, record->psi->buf); > drivers/irqchip/irq-gic-v4.c: WARN_ON(preemptible()); > drivers/irqchip/irq-gic-v4.c: WARN_ON(preemptible()); > drivers/scsi/hisi_sas/hisi_sas_main.c: if (!preemptible()) > drivers/xen/time.c: BUG_ON(preemptible()); > > That only looks like two drivers that need more than WARNectomies. I could easily imagine someone thinking that these did something in CONFIG_PREEMPT_NONE=y kernels. In fact, I could easily imagine myself making that mistake. :-/ > Although maybe rcu_read_load_sched_held() or rcu_read_lock_any_held() > might get called from a module ... But yes, from the rcutorture module for certain and also from any other RCU-using module that includes the usual RCU debug checks. Thanx, Paul ^ permalink raw reply [flat|nested] 47+ messages in thread
[parent not found: <20200914204441.268144917@linutronix.de>]
* Re: [patch 03/13] preempt: Clenaup PREEMPT_COUNT leftovers [not found] ` <20200914204441.268144917@linutronix.de> @ 2020-09-16 10:56 ` Valentin Schneider 0 siblings, 0 replies; 47+ messages in thread From: Valentin Schneider @ 2020-09-16 10:56 UTC (permalink / raw) To: Thomas Gleixner Cc: LKML, linux-arch, Linus Torvalds, Sebastian Andrzej Siewior, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Richard Henderson, Ivan Kokshaysky, Matt Turner, linux-alpha, Jeff Dike, Richard Weinberger, Anton Ivanov, linux-um, Brian Cain, linux-hexagon, Geert Uytterhoeven, linux-m68k, Will Deacon, Andrew Morton, linux-mm, Ingo Molnar, Russell King, linux-arm-kernel, Chris Zankel, Max Filippov, linux-xtensa, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie, Daniel Vetter, intel-gfx, dri-devel, Paul E. McKenney, Josh Triplett, Mathieu Desnoyers, Lai Jiangshan, Shuah Khan, rcu, linux-kselftest On 14/09/20 21:42, Thomas Gleixner wrote: > CONFIG_PREEMPT_COUNT is now unconditionally enabled and will be > removed. Cleanup the leftovers before doing so. > > Signed-off-by: Thomas Gleixner <tglx@linutronix.de> > Cc: Ingo Molnar <mingo@kernel.org> > Cc: Peter Zijlstra <peterz@infradead.org> > Cc: Juri Lelli <juri.lelli@redhat.com> > Cc: Vincent Guittot <vincent.guittot@linaro.org> > Cc: Dietmar Eggemann <dietmar.eggemann@arm.com> > Cc: Steven Rostedt <rostedt@goodmis.org> > Cc: Ben Segall <bsegall@google.com> > Cc: Mel Gorman <mgorman@suse.de> > Cc: Daniel Bristot de Oliveira <bristot@redhat.com> Reviewed-by: Valentin Schneider <valentin.schneider@arm.com> ^ permalink raw reply [flat|nested] 47+ messages in thread
[parent not found: <20200914204441.794954043@linutronix.de>]
* Re: [patch 08/13] sched: Clenaup PREEMPT_COUNT leftovers [not found] ` <20200914204441.794954043@linutronix.de> @ 2020-09-16 10:56 ` Valentin Schneider 0 siblings, 0 replies; 47+ messages in thread From: Valentin Schneider @ 2020-09-16 10:56 UTC (permalink / raw) To: Thomas Gleixner Cc: LKML, linux-arch, Linus Torvalds, Sebastian Andrzej Siewior, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Richard Henderson, Ivan Kokshaysky, Matt Turner, linux-alpha, Jeff Dike, Richard Weinberger, Anton Ivanov, linux-um, Brian Cain, linux-hexagon, Geert Uytterhoeven, linux-m68k, Ingo Molnar, Will Deacon, Andrew Morton, linux-mm, Russell King, linux-arm-kernel, Chris Zankel, Max Filippov, linux-xtensa, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie, Daniel Vetter, intel-gfx, dri-devel, Paul E. McKenney, Josh Triplett, Mathieu Desnoyers, Lai Jiangshan, Shuah Khan, rcu, linux-kselftest On 14/09/20 21:42, Thomas Gleixner wrote: > CONFIG_PREEMPT_COUNT is now unconditionally enabled and will be > removed. Cleanup the leftovers before doing so. > > Signed-off-by: Thomas Gleixner <tglx@linutronix.de> > Cc: Ingo Molnar <mingo@redhat.com> > Cc: Peter Zijlstra <peterz@infradead.org> > Cc: Juri Lelli <juri.lelli@redhat.com> > Cc: Vincent Guittot <vincent.guittot@linaro.org> > Cc: Dietmar Eggemann <dietmar.eggemann@arm.com> > Cc: Steven Rostedt <rostedt@goodmis.org> > Cc: Ben Segall <bsegall@google.com> > Cc: Mel Gorman <mgorman@suse.de> > Cc: Daniel Bristot de Oliveira <bristot@redhat.com> Small nit below; Reviewed-by: Valentin Schneider <valentin.schneider@arm.com> > --- > kernel/sched/core.c | 6 +----- > lib/Kconfig.debug | 1 - > 2 files changed, 1 insertion(+), 6 deletions(-) > > --- a/kernel/sched/core.c > +++ b/kernel/sched/core.c > @@ -3706,8 +3706,7 @@ asmlinkage __visible void schedule_tail( > * finish_task_switch() for details. > * > * finish_task_switch() will drop rq->lock() and lower preempt_count > - * and the preempt_enable() will end up enabling preemption (on > - * PREEMPT_COUNT kernels). I suppose this wanted to be s/PREEMPT_COUNT/PREEMPT/ in the first place, which ought to be still relevant. > + * and the preempt_enable() will end up enabling preemption. > */ > > rq = finish_task_switch(prev); ^ permalink raw reply [flat|nested] 47+ messages in thread
end of thread, other threads:[~2020-09-29 14:54 UTC | newest] Thread overview: 47+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- [not found] <20200914204209.256266093@linutronix.de> [not found] ` <20200914204441.579902354@linutronix.de> 2020-09-15 16:10 ` [patch 06/13] locking/bitspinlock: Clenaup PREEMPT_COUNT leftovers Will Deacon [not found] ` <20200914204441.375753691@linutronix.de> 2020-09-15 16:11 ` [patch 04/13] lockdep: " Will Deacon [not found] ` <CAHk-=win80rdof8Pb=5k6gT9j_v+hz-TQzKPVastZDvBe9RimQ@mail.gmail.com> 2020-09-15 17:25 ` [patch 00/13] preempt: Make preempt count unconditional Paul E. McKenney [not found] ` <871rj4owfn.fsf@nanos.tec.linutronix.de> [not found] ` <CAHk-=wj0eUuVQ=hRFZv_nY7g5ZLt7Fy3K7SMJL0ZCzniPtsbbg@mail.gmail.com> [not found] ` <CAHk-=wjOV6f_ddg+QVCF6RUe+pXPhSR2WevnNyOs9oT+q2ihEA@mail.gmail.com> 2020-09-15 3:30 ` [PATCH] crypto: lib/chacha20poly1305 - Set SG_MITER_ATOMIC unconditionally Herbert Xu 2020-09-15 6:03 ` Ard Biesheuvel 2020-09-15 6:40 ` Herbert Xu 2020-09-15 6:45 ` Linus Torvalds 2020-09-15 6:55 ` Linus Torvalds 2020-09-15 7:05 ` Herbert Xu 2020-09-15 7:10 ` Ard Biesheuvel 2020-09-15 9:34 ` Thomas Gleixner 2020-09-15 10:02 ` Ard Biesheuvel 2020-09-15 10:05 ` Herbert Xu 2020-09-15 10:08 ` Ard Biesheuvel 2020-09-15 10:10 ` Herbert Xu 2020-09-15 19:04 ` Thomas Gleixner 2020-09-15 7:08 ` Ard Biesheuvel 2020-09-15 6:20 ` [patch 00/13] preempt: Make preempt count unconditional Ard Biesheuvel [not found] ` <20200915062253.GA26275@gondor.apana.org.au> 2020-09-15 6:39 ` Linus Torvalds 2020-09-15 7:24 ` Thomas Gleixner 2020-09-15 17:29 ` Linus Torvalds 2020-09-15 8:39 ` Thomas Gleixner 2020-09-15 17:35 ` Linus Torvalds 2020-09-15 19:57 ` Thomas Gleixner 2020-09-16 18:34 ` Linus Torvalds 2020-09-16 7:37 ` Daniel Vetter 2020-09-16 15:29 ` Paul E. McKenney 2020-09-16 18:32 ` Linus Torvalds 2020-09-16 20:43 ` Paul E. McKenney 2020-09-17 6:38 ` Ard Biesheuvel 2020-09-16 20:29 ` Daniel Vetter 2020-09-16 20:58 ` Paul E. McKenney 2020-09-16 21:43 ` Daniel Vetter 2020-09-16 22:39 ` Paul E. McKenney 2020-09-17 7:52 ` Daniel Vetter 2020-09-17 16:28 ` Paul E. McKenney 2020-09-29 8:19 ` Michal Hocko 2020-09-29 8:19 ` Michal Hocko 2020-09-29 8:20 ` Michal Hocko 2020-09-29 8:21 ` Michal Hocko 2020-09-29 8:23 ` Michal Hocko 2020-09-29 9:00 ` Daniel Vetter 2020-09-29 14:54 ` Michal Hocko 2020-09-16 19:23 ` Matthew Wilcox 2020-09-16 20:48 ` Paul E. McKenney [not found] ` <20200914204441.268144917@linutronix.de> 2020-09-16 10:56 ` [patch 03/13] preempt: Clenaup PREEMPT_COUNT leftovers Valentin Schneider [not found] ` <20200914204441.794954043@linutronix.de> 2020-09-16 10:56 ` [patch 08/13] sched: " Valentin Schneider
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).