On Wed, Aug 04, 2021 at 01:54:47AM +0200, Thomas Gleixner wrote: > Mel! > I hope the ! is not a sign that the patch is a wtf :) > On Fri, Jul 23 2021 at 11:00, Mel Gorman wrote: > > From: Ingo Molnar <mingo@xxxxxxx> > > > > Disable preemption on -RT for the vmstat code. On vanila the code runs > > in IRQ-off regions while on -RT it may not when stats are updated under > > a local_lock. "preempt_disable" ensures that the same resources is not > > updated in parallel due to preemption. > > > > This patch differs from the preempt-rt version where __count_vm_event and > > __count_vm_events are also protected. The counters are explicitly "allowed > > to be to be racy" so there is no need to protect them from preemption. Only > > the accurate page stats that are updated by a read-modify-write need > > protection. > > > > Signed-off-by: Ingo Molnar <mingo@xxxxxxx> > > Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx> > > Signed-off-by: Mel Gorman <mgorman@xxxxxxxxxxxxxxxxxxx> > > --- > > mm/vmstat.c | 12 ++++++++++++ > > 1 file changed, 12 insertions(+) > > > > diff --git a/mm/vmstat.c b/mm/vmstat.c > > index b0534e068166..d06332c221b1 100644 > > --- a/mm/vmstat.c > > +++ b/mm/vmstat.c > > @@ -319,6 +319,7 @@ void __mod_zone_page_state(struct zone *zone, enum zone_stat_item item, > > long x; > > long t; > > > > + preempt_disable_rt(); > > Yes, this is smart to some extent. But in reality it's a bandaid simply > because nobody can tell which item of vmstat requires which protection. > They were not split correctly when first introduced unfortunately. I don't recall why but it's very likely that it simply was not thought about very heavily. The naming doesn't help because there is no clue to the names if accuracy is needed for functional correctness. I only put heavy thought into it when I was dealing with excessive overhead from accurate counters. Most of zone_stat_item and node_stat_item *must* be accurate for correctness (e.g. NR_FREE_PAGES drifting would be very bad) but not all. NR_VMSCAN_IMMEDIATE does not need special protection for example, same for NR_WRITTEN and NR_DIRTIED. Some of the WORKINGSET ones may not need protection either but I didn't audit every single one. Either way, some of the events could be moved out. Commit f19298b9516c ("mm/vmstat: convert NUMA statistics to basic NUMA counters") is an example where some counters were moved because they did not require accuracy and were updated from fast paths. The existance of the path allows some other counters to move relatively easily. > If you go back in RT history then you will figure out that we were able > to eliminate _all_ occurences of preempt_disable_rt() except for this > one. > > Even mm developers are wary about this: > > <tglx> so in vmstat.c there is this magic comment: > <tglx> * For use when we know that interrupts are disabled > <tglx> * or when we know that preemption is disabled and that > <tglx> * particular counter cannot be updated from interrupt context. > <tglx> how can I know which counters need what? > <mm_expert> I don't think there's a list, one would have to check on counter to counter basis :/ > <tglx> and of course there is nothing which validates that, right? > <mm_expert> exactly > While I'm not "mm_expert", I agree with his/her statements. Each counter would need to be audited and two question are asked o If this counter is inaccurate, does anything break? o If this counter is inaccurate, does it both increment and decrement allowing the possibility it goes negative? The decision on that is looking at the counter and seeing if any functional decision is made based on its value. So two examples; NR_VMSCAN_IMMEDIATE is a node-based counter that only every increments and is reported to userspace. No kernel code makes any decision based on its value. Therefore it's likely safe to move to numa_stat_item instead. Action: move it WORKINGSET_ACTIVATE_FILE is a node-based counter that is used to determine if a mem cgroup is potentially congested by looking at the ratio of cgroup to node refault rates as well as deciding if LRU file pages should be deactivate. If that value drifts, the ratios are miscalculated and could lead to functional oddities and therefore must be accurate. Action: leave it alone I guess it could be further split into state that must be accurate from IRQ and non-IRQ contexts but that probably would be very fragile and offer limited value. > Brilliant stuff which prevents you to do any validation on this. Over > the years there have been several issues where callers had to be fixed > by analysing bug reports instead of having a proper instrumentation in > that code which would have told the developer that he got it wrong. > I'm not sure it could be validated at build-time but I'm just back from holiday and may be lacking imagination. > Of course on RT kernels the preempt_disable_rt() will serialize > everything correctly, but as we have learned over the years just > slapping _if_rt() or if_not_rt() variants of things around is most of > the time papering over the underlying problem of badly defined > protection scopes. Let's not proliferate that. As I said in the above > IRC conversation: > > <tglx> I fundamentally hate this preempt_disable_rt() muck > The issue is that even if this was properly audited and the inaccurate and accurate counters were in the proper enums using the correct APIs, it would still be necessary to protect the accurate counters from updates from IRQ context. Hence, as I write this, I don't think preempt_[dis|en]able_rt would go away and that is why I didn't continue with the series to break out "accurate" stats -- Mel Gorman SUSE Labs