On Thu, Mar 02, 2017 at 04:14:11PM +0100, Michal Hocko wrote: > On Thu 02-03-17 09:51:31, Brian Foster wrote: > > On Thu, Mar 02, 2017 at 03:34:41PM +0100, Michal Hocko wrote: > > > On Thu 02-03-17 09:23:15, Brian Foster wrote: > > > > On Thu, Mar 02, 2017 at 02:50:01PM +0100, Michal Hocko wrote: > > > > > On Thu 02-03-17 08:41:58, Brian Foster wrote: > > > > > > On Thu, Mar 02, 2017 at 02:27:55PM +0100, Michal Hocko wrote: > > > > > [...] > > > > > > > I see your argument about being in sync with other kmem helpers but > > > > > > > those are bit different because regular page/slab allocators allow never > > > > > > > fail semantic (even though this is mostly ignored by those helpers which > > > > > > > implement their own retries but that is a different topic). > > > > > > > > > > > > > > > > > > > ... but what I'm trying to understand here is whether this failure > > > > > > scenario is specific to vmalloc() or whether the other kmem_*() > > > > > > functions are susceptible to the same problem. For example, suppose we > > > > > > replaced this kmem_zalloc_greedy() call with a kmem_zalloc(PAGE_SIZE, > > > > > > KM_SLEEP) call. Could we hit the same problem if the process is killed? > > > > > > > > > > Well, kmem_zalloc uses kmalloc which can also fail when we are out of > > > > > memory but in that case we can expect the OOM killer releasing some > > > > > memory which would allow us to make a forward progress on the next > > > > > retry. So essentially retrying around kmalloc is much more safe in this > > > > > regard. Failing vmalloc might be permanent because there is no vmalloc > > > > > space to allocate from or much more likely due to already mentioned > > > > > patch. So vmalloc is different, really. > > > > > > > > Right.. that's why I'm asking. So it's technically possible but highly > > > > unlikely due to the different failure characteristics. That seems > > > > reasonable to me, then. > > > > > > > > To be clear, do we understand what causes the vzalloc() failure to be > > > > effectively permanent in this specific reproducer? I know you mention > > > > above that we could be out of vmalloc space, but that doesn't clarify > > > > whether there are other potential failure paths or then what this has to > > > > do with the fact that the process was killed. Does the pending signal > > > > cause the subsequent failures or are you saying that there is some other > > > > root cause of the failure, this process would effectively be spinning > > > > here anyways, and we're just noticing it because it's trying to exit? > > > > > > In this particular case it is fatal_signal_pending that causes the > > > permanent failure. This check has been added to prevent from complete > > > memory reserves depletion on OOM when a killed task has a free ticket to > > > reserves and vmalloc requests can be really large. In this case there > > > was no OOM killer going on but fsstress has SIGKILL pending for other > > > reason. Most probably as a result of the group_exit when all threads > > > are killed (see zap_process). I could have turn fatal_signal_pending > > > into tsk_is_oom_victim which would be less likely to hit but in > > > principle fatal_signal_pending should be better because we do want to > > > bail out when the process is existing as soon as possible. > > > > > > What I really wanted to say is that there are other possible permanent > > > failure paths in vmalloc AFAICS. They are much less probable but they > > > still exist. > > > > > > Does that make more sense now? > > > > Yes, thanks. That explains why this crops up now where it hasn't in the > > past. Please include that background in the commit log description. > > OK, does this sound better. I am open to any suggestions to improve this > of course > Yeah.. > : xfs: allow kmem_zalloc_greedy to fail > : > : Even though kmem_zalloc_greedy is documented it might fail the current > : code doesn't really implement this properly and loops on the smallest > : allowed size for ever. This is a problem because vzalloc might fail > : permanently - we might run out of vmalloc space or since 5d17a73a2ebe > : ("vmalloc: back off when the current task is killed") when the current > : task is killed. The later one makes the failure scenario much more > : probable than it used to be. Fix this by bailing out if the minimum size ^ " because it makes vmalloc() failures permanent for tasks with fatal signals pending." > : request failed. > : > : This has been noticed by a hung generic/269 xfstest by Xiong Zhou. > : > : fsstress: vmalloc: allocation failure, allocated 12288 of 20480 bytes, mode:0x14080c2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_ZERO), nodemask=(null) > : fsstress cpuset=/ mems_allowed=0-1 > : CPU: 1 PID: 23460 Comm: fsstress Not tainted 4.10.0-master-45554b2+ #21 > : Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 10/05/2016 > : Call Trace: > : dump_stack+0x63/0x87 > : warn_alloc+0x114/0x1c0 > : ? alloc_pages_current+0x88/0x120 > : __vmalloc_node_range+0x250/0x2a0 > : ? kmem_zalloc_greedy+0x2b/0x40 [xfs] > : ? free_hot_cold_page+0x21f/0x280 > : vzalloc+0x54/0x60 > : ? kmem_zalloc_greedy+0x2b/0x40 [xfs] > : kmem_zalloc_greedy+0x2b/0x40 [xfs] > : xfs_bulkstat+0x11b/0x730 [xfs] > : ? xfs_bulkstat_one_int+0x340/0x340 [xfs] > : ? selinux_capable+0x20/0x30 > : ? security_capable+0x48/0x60 > : xfs_ioc_bulkstat+0xe4/0x190 [xfs] > : xfs_file_ioctl+0x9dd/0xad0 [xfs] > : ? do_filp_open+0xa5/0x100 > : do_vfs_ioctl+0xa7/0x5e0 > : SyS_ioctl+0x79/0x90 > : do_syscall_64+0x67/0x180 > : entry_SYSCALL64_slow_path+0x25/0x25 > : > : fsstress keeps looping inside kmem_zalloc_greedy without any way out > : because vmalloc keeps failing due to fatal_signal_pending. > : > : Reported-by: Xiong Zhou <xzhou@xxxxxxxxxx> > : Analyzed-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> > : Signed-off-by: Michal Hocko <mhocko@xxxxxxxx> > > > Also, that kind of makes me think that a fatal_signal_pending() check is > > still appropriate in the loop, even if we want to drop the infinite > > retry loop in kmem_zalloc_greedy() as well. There's no sense in doing > > however many retries are left before we return and that's also more > > explicit for the next person who goes to change this code in the future. > > I am not objecting to adding fatal_signal_pending as well I just thought > that from the logic POV breaking after reaching the minimum size is just > the right thing to do. We can optimize further by checking > fatal_signal_pending and reducing retries when we know it doesn't make > much sense but that should be done on top as an optimization IMHO. > I don't think of it as an optimization to not invoke calls (a non-deterministic number of times) that we know are going to fail, but ultimately I don't care too much how it's framed or if it's done in separate patches or whatnot. As long as they are posted at the same time. ;) Brian > > Otherwise, I'm fine with breaking the infinite retry loop at the same > > time. It looks like Christoph added this function originally so this > > should probably require his ack as well.. > > What do you think Christoph? > -- > Michal Hocko > SUSE Labs