[v8,15/18] mm, fs, dax: handle layout changes to pinned dax mappings

Message ID 152246901060.36038.4487158506830998280.stgit@dwillia2-desk3.amr.corp.intel.com (mailing list archive)
State New, archived
Commit Message

Dan Williams March 31, 2018, 4:03 a.m. UTC
Background:

get_user_pages() in the filesystem pins file backed memory pages for
access by devices performing dma. However, it only pins the memory pages
not the page-to-file offset association. If a file is truncated the
pages are mapped out of the file and dma may continue indefinitely into
a page that is owned by a device driver. This breaks coherency of the
file vs dma, but the assumption is that if userspace wants the
file-space truncated it does not matter what data is inbound from the
device, it is not relevant anymore. The only expectation is that dma can
safely continue while the filesystem reallocates the block(s).

Problem:

This expectation that dma can safely continue while the filesystem
changes the block map is broken by dax. With dax the target dma page
*is* the filesystem block. The model of leaving the page pinned for dma,
but truncating the file block out of the file, means that the filesystem
is free to reallocate a block under active dma to another file and now
the expected data-incoherency situation has turned into active
data-corruption.

Solution:

Defer all filesystem operations (fallocate(), truncate()) on a dax mode
file while any page/block in the file is under active dma. This solution
assumes that dma is transient. Cases where dma operations are known to
not be transient, like RDMA, have been explicitly disabled via
commits like 5f1d43de5416 "IB/core: disable memory registration of
filesystem-dax vmas".

The dax_layout_busy_page() routine is called by filesystems with a lock
held against mm faults (i_mmap_lock) to find pinned / busy dax pages.
The process of looking up a busy page invalidates all mappings
to trigger any subsequent get_user_pages() to block on i_mmap_lock.
The filesystem continues to call dax_layout_busy_page() until it finally
returns no more active pages. This approach assumes that the page
pinning is transient, if that assumption is violated the system would
have likely hung from the uncompleted I/O.

Cc: Jan Kara <jack@suse.cz>
Cc: Jeff Moyer <jmoyer@redhat.com>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Matthew Wilcox <mawilcox@microsoft.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: "Darrick J. Wong" <darrick.wong@oracle.com>
Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Reported-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 drivers/dax/super.c |    2 +
 fs/dax.c            |   92 +++++++++++++++++++++++++++++++++++++++++++++++++++
 include/linux/dax.h |   25 ++++++++++++++
 mm/gup.c            |    5 +++
 4 files changed, 123 insertions(+), 1 deletion(-)

Comments

Jan Kara April 4, 2018, 9:46 a.m. UTC | #1
On Fri 30-03-18 21:03:30, Dan Williams wrote:
> Background:
> 
> get_user_pages() in the filesystem pins file backed memory pages for
> access by devices performing dma. However, it only pins the memory pages
> not the page-to-file offset association. If a file is truncated the
> pages are mapped out of the file and dma may continue indefinitely into
> a page that is owned by a device driver. This breaks coherency of the
> file vs dma, but the assumption is that if userspace wants the
> file-space truncated it does not matter what data is inbound from the
> device, it is not relevant anymore. The only expectation is that dma can
> safely continue while the filesystem reallocates the block(s).
> 
> Problem:
> 
> This expectation that dma can safely continue while the filesystem
> changes the block map is broken by dax. With dax the target dma page
> *is* the filesystem block. The model of leaving the page pinned for dma,
> but truncating the file block out of the file, means that the filesystem
> is free to reallocate a block under active dma to another file and now
> the expected data-incoherency situation has turned into active
> data-corruption.
> 
> Solution:
> 
> Defer all filesystem operations (fallocate(), truncate()) on a dax mode
> file while any page/block in the file is under active dma. This solution
> assumes that dma is transient. Cases where dma operations are known to
> not be transient, like RDMA, have been explicitly disabled via
> commits like 5f1d43de5416 "IB/core: disable memory registration of
> filesystem-dax vmas".
> 
> The dax_layout_busy_page() routine is called by filesystems with a lock
> held against mm faults (i_mmap_lock) to find pinned / busy dax pages.
> The process of looking up a busy page invalidates all mappings
> to trigger any subsequent get_user_pages() to block on i_mmap_lock.
> The filesystem continues to call dax_layout_busy_page() until it finally
> returns no more active pages. This approach assumes that the page
> pinning is transient, if that assumption is violated the system would
> have likely hung from the uncompleted I/O.
> 
> Cc: Jan Kara <jack@suse.cz>
> Cc: Jeff Moyer <jmoyer@redhat.com>
> Cc: Dave Chinner <david@fromorbit.com>
> Cc: Matthew Wilcox <mawilcox@microsoft.com>
> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> Cc: "Darrick J. Wong" <darrick.wong@oracle.com>
> Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
> Cc: Dave Hansen <dave.hansen@linux.intel.com>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Reported-by: Christoph Hellwig <hch@lst.de>
> Reviewed-by: Christoph Hellwig <hch@lst.de>
> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> ---
>  drivers/dax/super.c |    2 +
>  fs/dax.c            |   92 +++++++++++++++++++++++++++++++++++++++++++++++++++
>  include/linux/dax.h |   25 ++++++++++++++
>  mm/gup.c            |    5 +++
>  4 files changed, 123 insertions(+), 1 deletion(-)

...

> +/**
> + * dax_layout_busy_page - find first pinned page in @mapping
> + * @mapping: address space to scan for a page with ref count > 1
> + *
> + * DAX requires ZONE_DEVICE mapped pages. These pages are never
> + * 'onlined' to the page allocator so they are considered idle when
> + * page->count == 1. A filesystem uses this interface to determine if
> + * any page in the mapping is busy, i.e. for DMA, or other
> + * get_user_pages() usages.
> + *
> + * It is expected that the filesystem is holding locks to block the
> + * establishment of new mappings in this address_space. I.e. it expects
> + * to be able to run unmap_mapping_range() and subsequently not race
> + * mapping_mapped() becoming true. It expects that get_user_pages() pte
> + * walks are performed under rcu_read_lock().
> + */
> +struct page *dax_layout_busy_page(struct address_space *mapping)
> +{
> +	pgoff_t	indices[PAGEVEC_SIZE];
> +	struct page *page = NULL;
> +	struct pagevec pvec;
> +	pgoff_t	index, end;
> +	unsigned i;
> +
> +	/*
> +	 * In the 'limited' case get_user_pages() for dax is disabled.
> +	 */
> +	if (IS_ENABLED(CONFIG_FS_DAX_LIMITED))
> +		return NULL;
> +
> +	if (!dax_mapping(mapping) || !mapping_mapped(mapping))
> +		return NULL;
> +
> +	pagevec_init(&pvec);
> +	index = 0;
> +	end = -1;
> +	/*
> +	 * Flush dax_layout_lock() sections to ensure all possible page
> +	 * references have been taken, or otherwise arrange for faults
> +	 * to block on the filesystem lock that is taken for
> +	 * establishing new mappings.
> +	 */
> +	unmap_mapping_range(mapping, 0, 0, 1);
> +	synchronize_rcu();

So I still don't like the use of RCU for this. It just seems as an abuse to
use RCU like that. Furthermore it has a hefty latency cost for the truncate
path. A trivial test to truncate 100 times the last page of a 16k file that
is mmaped (only the first page):

DAX+your patches	3.899s
non-DAX			0.015s

So you can see synchronize_rcu() increased time to run truncate(2) more
than 200 times (the process is indeed sitting in __wait_rcu_gp all the
time). IMHO that's just too costly.

> +	while (index < end && pagevec_lookup_entries(&pvec, mapping, index,
> +				min(end - index, (pgoff_t)PAGEVEC_SIZE),
> +				indices)) {
> +		for (i = 0; i < pagevec_count(&pvec); i++) {
> +			struct page *pvec_ent = pvec.pages[i];
> +			void *entry;
> +
> +			index = indices[i];
> +			if (index >= end)
> +				break;
> +
> +			if (!radix_tree_exceptional_entry(pvec_ent))
> +				continue;

This would be a bug - so WARN_ON_ONCE() here?

> +
> +			spin_lock_irq(&mapping->tree_lock);
> +			entry = get_unlocked_mapping_entry(mapping, index, NULL);
> +			if (entry)
> +				page = dax_busy_page(entry);
> +			put_unlocked_mapping_entry(mapping, index, entry);
> +			spin_unlock_irq(&mapping->tree_lock);
> +			if (page)
> +				break;
> +		}
> +		pagevec_remove_exceptionals(&pvec);
> +		pagevec_release(&pvec);
> +		index++;
> +
> +		if (page)
> +			break;
> +	}
> +	return page;
> +}
> +EXPORT_SYMBOL_GPL(dax_layout_busy_page);
> +
>  static int __dax_invalidate_mapping_entry(struct address_space *mapping,
>  					  pgoff_t index, bool trunc)
>  {
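
Review bot: The kernel-doc above dax_layout_busy_page() has no "Return:" section, although the function returns NULL for three different reasons (CONFIG_FS_DAX_LIMITED, a mapping that is not dax or not mapped, and a scan that finds no busy page) and otherwise returns a struct page pointer with no reference visibly taken in this hunk. Please document the return value and say which lock the caller must hold for the returned page to stay meaningful. The comment before unmap_mapping_range() also speaks of flushing "dax_layout_lock() sections", while the code that follows calls synchronize_rcu() and the kernel-doc refers to rcu_read_lock(); the comment should name the primitive actually used. As a style point, "end = -1;" on a pgoff_t would read more clearly as an explicit maximum such as ULONG_MAX.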

								Honza
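
A userspace reproduction of the latency test described in the message above, as an added example that is not Jan Kara's test program and not part of the patch. The 16k file size and the 100 iterations come from the message; the function names, the 4096-byte page size, growing the file back after each truncate, and touching the mapped page once are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

#define FILE_SIZE  (16 * 1024)  /* 16k file, as in the message */
#define PAGE_SZ    4096         /* assumed page size (16k = 4 pages) */
#define ITERATIONS 100          /* iteration count from the message */

/*
 * Shrink a 16k file by its last page and grow it back, `iters` times, while
 * only the first page is mmaped. Returns the elapsed seconds of the truncate
 * loop, or a negative value on error. `path` is created if it does not exist.
 *
 * According to the thread, on a DAX mount with the patch applied each
 * truncate goes through dax_layout_busy_page(), which unmaps the mapping
 * and waits in synchronize_rcu(); that wait is what this loop exposes.
 */
double time_truncate_last_page(const char *path, int iters)
{
	struct timespec t0, t1;
	double elapsed = -1.0;
	char *map;
	int fd, i;

	fd = open(path, O_RDWR | O_CREAT, 0600);
	if (fd < 0)
		return -1.0;
	if (ftruncate(fd, FILE_SIZE) < 0)
		goto out_close;

	/* Map only the first page; the truncated range is never mapped. */
	map = mmap(NULL, PAGE_SZ, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
	if (map == MAP_FAILED)
		goto out_close;
	map[0] = 1;	/* assumption: fault the page in once before timing */

	clock_gettime(CLOCK_MONOTONIC, &t0);
	for (i = 0; i < iters; i++) {
		/* Drop the last page, then restore the size for the next round. */
		if (ftruncate(fd, FILE_SIZE - PAGE_SZ) < 0 ||
		    ftruncate(fd, FILE_SIZE) < 0)
			goto out_unmap;
	}
	clock_gettime(CLOCK_MONOTONIC, &t1);
	elapsed = (double)(t1.tv_sec - t0.tv_sec) +
		  (double)(t1.tv_nsec - t0.tv_nsec) / 1e9;

out_unmap:
	munmap(map, PAGE_SZ);
out_close:
	close(fd);
	return elapsed;
}

/* Size of `path` in bytes, or -1 if it cannot be stat'ed. */
off_t file_size(const char *path)
{
	struct stat st;

	return stat(path, &st) == 0 ? st.st_size : (off_t)-1;
}

int main(int argc, char **argv)
{
	double secs;

	if (argc != 2) {
		fprintf(stderr, "usage: %s <file on the filesystem under test>\n",
			argv[0]);
		return 2;
	}
	secs = time_truncate_last_page(argv[1], ITERATIONS);
	if (secs < 0) {
		fprintf(stderr, "benchmark failed on %s\n", argv[1]);
		return 1;
	}
	printf("%d truncates of the last page: %.3fs\n", ITERATIONS, secs);
	return 0;
}
```

Run it once against a file on a DAX mount and once against a file on a non-DAX mount of the same filesystem type to compare the two timings.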

Jan Kara April 4, 2018, 10:06 a.m. UTC | #2
On Wed 04-04-18 11:46:56, Jan Kara wrote:
> On Fri 30-03-18 21:03:30, Dan Williams wrote:
> > Background:
> > 
> > get_user_pages() in the filesystem pins file backed memory pages for
> > access by devices performing dma. However, it only pins the memory pages
> > not the page-to-file offset association. If a file is truncated the
> > pages are mapped out of the file and dma may continue indefinitely into
> > a page that is owned by a device driver. This breaks coherency of the
> > file vs dma, but the assumption is that if userspace wants the
> > file-space truncated it does not matter what data is inbound from the
> > device, it is not relevant anymore. The only expectation is that dma can
> > safely continue while the filesystem reallocates the block(s).
> > 
> > Problem:
> > 
> > This expectation that dma can safely continue while the filesystem
> > changes the block map is broken by dax. With dax the target dma page
> > *is* the filesystem block. The model of leaving the page pinned for dma,
> > but truncating the file block out of the file, means that the filesystem
> > is free to reallocate a block under active dma to another file and now
> > the expected data-incoherency situation has turned into active
> > data-corruption.
> > 
> > Solution:
> > 
> > Defer all filesystem operations (fallocate(), truncate()) on a dax mode
> > file while any page/block in the file is under active dma. This solution
> > assumes that dma is transient. Cases where dma operations are known to
> > not be transient, like RDMA, have been explicitly disabled via
> > commits like 5f1d43de5416 "IB/core: disable memory registration of
> > filesystem-dax vmas".
> > 
> > The dax_layout_busy_page() routine is called by filesystems with a lock
> > held against mm faults (i_mmap_lock) to find pinned / busy dax pages.
> > The process of looking up a busy page invalidates all mappings
> > to trigger any subsequent get_user_pages() to block on i_mmap_lock.
> > The filesystem continues to call dax_layout_busy_page() until it finally
> > returns no more active pages. This approach assumes that the page
> > pinning is transient, if that assumption is violated the system would
> > have likely hung from the uncompleted I/O.
> > 
> > Cc: Jan Kara <jack@suse.cz>
> > Cc: Jeff Moyer <jmoyer@redhat.com>
> > Cc: Dave Chinner <david@fromorbit.com>
> > Cc: Matthew Wilcox <mawilcox@microsoft.com>
> > Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> > Cc: "Darrick J. Wong" <darrick.wong@oracle.com>
> > Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
> > Cc: Dave Hansen <dave.hansen@linux.intel.com>
> > Cc: Andrew Morton <akpm@linux-foundation.org>
> > Reported-by: Christoph Hellwig <hch@lst.de>
> > Reviewed-by: Christoph Hellwig <hch@lst.de>
> > Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> > ---
> >  drivers/dax/super.c |    2 +
> >  fs/dax.c            |   92 +++++++++++++++++++++++++++++++++++++++++++++++++++
> >  include/linux/dax.h |   25 ++++++++++++++
> >  mm/gup.c            |    5 +++
> >  4 files changed, 123 insertions(+), 1 deletion(-)
> 
> ...
> 
> > +/**
> > + * dax_layout_busy_page - find first pinned page in @mapping
> > + * @mapping: address space to scan for a page with ref count > 1
> > + *
> > + * DAX requires ZONE_DEVICE mapped pages. These pages are never
> > + * 'onlined' to the page allocator so they are considered idle when
> > + * page->count == 1. A filesystem uses this interface to determine if
> > + * any page in the mapping is busy, i.e. for DMA, or other
> > + * get_user_pages() usages.
> > + *
> > + * It is expected that the filesystem is holding locks to block the
> > + * establishment of new mappings in this address_space. I.e. it expects
> > + * to be able to run unmap_mapping_range() and subsequently not race
> > + * mapping_mapped() becoming true. It expects that get_user_pages() pte
> > + * walks are performed under rcu_read_lock().
> > + */
> > +struct page *dax_layout_busy_page(struct address_space *mapping)
> > +{
> > +	pgoff_t	indices[PAGEVEC_SIZE];
> > +	struct page *page = NULL;
> > +	struct pagevec pvec;
> > +	pgoff_t	index, end;
> > +	unsigned i;
> > +
> > +	/*
> > +	 * In the 'limited' case get_user_pages() for dax is disabled.
> > +	 */
> > +	if (IS_ENABLED(CONFIG_FS_DAX_LIMITED))
> > +		return NULL;
> > +
> > +	if (!dax_mapping(mapping) || !mapping_mapped(mapping))
> > +		return NULL;
> > +
> > +	pagevec_init(&pvec);
> > +	index = 0;
> > +	end = -1;
> > +	/*
> > +	 * Flush dax_layout_lock() sections to ensure all possible page
> > +	 * references have been taken, or otherwise arrange for faults
> > +	 * to block on the filesystem lock that is taken for
> > +	 * establishing new mappings.
> > +	 */
> > +	unmap_mapping_range(mapping, 0, 0, 1);
> > +	synchronize_rcu();
> 
> So I still don't like the use of RCU for this. It just seems as an abuse to
> use RCU like that. Furthermore it has a hefty latency cost for the truncate
> path. A trivial test to truncate 100 times the last page of a 16k file that
> is mmaped (only the first page):
> 
> DAX+your patches	3.899s
> non-DAX			0.015s
> 
> So you can see synchronize_rcu() increased time to run truncate(2) more
> than 200 times (the process is indeed sitting in __wait_rcu_gp all the
> time). IMHO that's just too costly.

Forgot to add some more thoughts: Maybe we could use global percpu rwsem
for this instead of RCU? That would cut down the truncate latency and the
cost on GUP path should be very small. Or I'm still not convinced that my
PageTruncateInProgress() idea cannot be made to work - that would be free
on the GUP side for the non-DAX case, relatively cheap for the DAX case,
and also reasonably cheap for the truncate side. But I admit it requires
more work on the fs side to propagate offsets that are going to be
truncated into the DAX helper.

								Honza

Dan Williams April 4, 2018, 2:12 p.m. UTC | #3
On Wed, Apr 4, 2018 at 2:46 AM, Jan Kara <jack@suse.cz> wrote:
> On Fri 30-03-18 21:03:30, Dan Williams wrote:
>> Background:
>>
>> get_user_pages() in the filesystem pins file backed memory pages for
>> access by devices performing dma. However, it only pins the memory pages
>> not the page-to-file offset association. If a file is truncated the
>> pages are mapped out of the file and dma may continue indefinitely into
>> a page that is owned by a device driver. This breaks coherency of the
>> file vs dma, but the assumption is that if userspace wants the
>> file-space truncated it does not matter what data is inbound from the
>> device, it is not relevant anymore. The only expectation is that dma can
>> safely continue while the filesystem reallocates the block(s).
>>
>> Problem:
>>
>> This expectation that dma can safely continue while the filesystem
>> changes the block map is broken by dax. With dax the target dma page
>> *is* the filesystem block. The model of leaving the page pinned for dma,
>> but truncating the file block out of the file, means that the filesystem
>> is free to reallocate a block under active dma to another file and now
>> the expected data-incoherency situation has turned into active
>> data-corruption.
>>
>> Solution:
>>
>> Defer all filesystem operations (fallocate(), truncate()) on a dax mode
>> file while any page/block in the file is under active dma. This solution
>> assumes that dma is transient. Cases where dma operations are known to
>> not be transient, like RDMA, have been explicitly disabled via
>> commits like 5f1d43de5416 "IB/core: disable memory registration of
>> filesystem-dax vmas".
>>
>> The dax_layout_busy_page() routine is called by filesystems with a lock
>> held against mm faults (i_mmap_lock) to find pinned / busy dax pages.
>> The process of looking up a busy page invalidates all mappings
>> to trigger any subsequent get_user_pages() to block on i_mmap_lock.
>> The filesystem continues to call dax_layout_busy_page() until it finally
>> returns no more active pages. This approach assumes that the page
>> pinning is transient, if that assumption is violated the system would
>> have likely hung from the uncompleted I/O.
>>
>> Cc: Jan Kara <jack@suse.cz>
>> Cc: Jeff Moyer <jmoyer@redhat.com>
>> Cc: Dave Chinner <david@fromorbit.com>
>> Cc: Matthew Wilcox <mawilcox@microsoft.com>
>> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
>> Cc: "Darrick J. Wong" <darrick.wong@oracle.com>
>> Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
>> Cc: Dave Hansen <dave.hansen@linux.intel.com>
>> Cc: Andrew Morton <akpm@linux-foundation.org>
>> Reported-by: Christoph Hellwig <hch@lst.de>
>> Reviewed-by: Christoph Hellwig <hch@lst.de>
>> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
>> ---
>>  drivers/dax/super.c |    2 +
>>  fs/dax.c            |   92 +++++++++++++++++++++++++++++++++++++++++++++++++++
>>  include/linux/dax.h |   25 ++++++++++++++
>>  mm/gup.c            |    5 +++
>>  4 files changed, 123 insertions(+), 1 deletion(-)
>
> ...
>
>> +/**
>> + * dax_layout_busy_page - find first pinned page in @mapping
>> + * @mapping: address space to scan for a page with ref count > 1
>> + *
>> + * DAX requires ZONE_DEVICE mapped pages. These pages are never
>> + * 'onlined' to the page allocator so they are considered idle when
>> + * page->count == 1. A filesystem uses this interface to determine if
>> + * any page in the mapping is busy, i.e. for DMA, or other
>> + * get_user_pages() usages.
>> + *
>> + * It is expected that the filesystem is holding locks to block the
>> + * establishment of new mappings in this address_space. I.e. it expects
>> + * to be able to run unmap_mapping_range() and subsequently not race
>> + * mapping_mapped() becoming true. It expects that get_user_pages() pte
>> + * walks are performed under rcu_read_lock().
>> + */
>> +struct page *dax_layout_busy_page(struct address_space *mapping)
>> +{
>> +     pgoff_t indices[PAGEVEC_SIZE];
>> +     struct page *page = NULL;
>> +     struct pagevec pvec;
>> +     pgoff_t index, end;
>> +     unsigned i;
>> +
>> +     /*
>> +      * In the 'limited' case get_user_pages() for dax is disabled.
>> +      */
>> +     if (IS_ENABLED(CONFIG_FS_DAX_LIMITED))
>> +             return NULL;
>> +
>> +     if (!dax_mapping(mapping) || !mapping_mapped(mapping))
>> +             return NULL;
>> +
>> +     pagevec_init(&pvec);
>> +     index = 0;
>> +     end = -1;
>> +     /*
>> +      * Flush dax_layout_lock() sections to ensure all possible page
>> +      * references have been taken, or otherwise arrange for faults
>> +      * to block on the filesystem lock that is taken for
>> +      * establishing new mappings.
>> +      */
>> +     unmap_mapping_range(mapping, 0, 0, 1);
>> +     synchronize_rcu();
>
> So I still don't like the use of RCU for this. It just seems as an abuse to
> use RCU like that. Furthermore it has a hefty latency cost for the truncate
> path. A trivial test to truncate 100 times the last page of a 16k file that
> is mmaped (only the first page):
>
> DAX+your patches        3.899s
> non-DAX                 0.015s
>
> So you can see synchronize_rcu() increased time to run truncate(2) more
> than 200 times (the process is indeed sitting in __wait_rcu_gp all the
> time). IMHO that's just too costly.

Agree. I was quietly hoping that it wouldn't be that bad, but numbers
are numbers.

At this point I think we should just go with the
address_space_operations conversions and the sector-to-pfn conversion
for what's stored in the dax radix for 4.17-rc1, and circle back on a
better way to do this synchronization for 4.18.

Dan Williams April 7, 2018, 7:38 p.m. UTC | #4
[ adding Paul and Josh ]

On Wed, Apr 4, 2018 at 2:46 AM, Jan Kara <jack@suse.cz> wrote:
> On Fri 30-03-18 21:03:30, Dan Williams wrote:
>> Background:
>>
>> get_user_pages() in the filesystem pins file backed memory pages for
>> access by devices performing dma. However, it only pins the memory pages
>> not the page-to-file offset association. If a file is truncated the
>> pages are mapped out of the file and dma may continue indefinitely into
>> a page that is owned by a device driver. This breaks coherency of the
>> file vs dma, but the assumption is that if userspace wants the
>> file-space truncated it does not matter what data is inbound from the
>> device, it is not relevant anymore. The only expectation is that dma can
>> safely continue while the filesystem reallocates the block(s).
>>
>> Problem:
>>
>> This expectation that dma can safely continue while the filesystem
>> changes the block map is broken by dax. With dax the target dma page
>> *is* the filesystem block. The model of leaving the page pinned for dma,
>> but truncating the file block out of the file, means that the filesystem
>> is free to reallocate a block under active dma to another file and now
>> the expected data-incoherency situation has turned into active
>> data-corruption.
>>
>> Solution:
>>
>> Defer all filesystem operations (fallocate(), truncate()) on a dax mode
>> file while any page/block in the file is under active dma. This solution
>> assumes that dma is transient. Cases where dma operations are known to
>> not be transient, like RDMA, have been explicitly disabled via
>> commits like 5f1d43de5416 "IB/core: disable memory registration of
>> filesystem-dax vmas".
>>
>> The dax_layout_busy_page() routine is called by filesystems with a lock
>> held against mm faults (i_mmap_lock) to find pinned / busy dax pages.
>> The process of looking up a busy page invalidates all mappings
>> to trigger any subsequent get_user_pages() to block on i_mmap_lock.
>> The filesystem continues to call dax_layout_busy_page() until it finally
>> returns no more active pages. This approach assumes that the page
>> pinning is transient, if that assumption is violated the system would
>> have likely hung from the uncompleted I/O.
>>
>> Cc: Jan Kara <jack@suse.cz>
>> Cc: Jeff Moyer <jmoyer@redhat.com>
>> Cc: Dave Chinner <david@fromorbit.com>
>> Cc: Matthew Wilcox <mawilcox@microsoft.com>
>> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
>> Cc: "Darrick J. Wong" <darrick.wong@oracle.com>
>> Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
>> Cc: Dave Hansen <dave.hansen@linux.intel.com>
>> Cc: Andrew Morton <akpm@linux-foundation.org>
>> Reported-by: Christoph Hellwig <hch@lst.de>
>> Reviewed-by: Christoph Hellwig <hch@lst.de>
>> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
>> ---
>>  drivers/dax/super.c |    2 +
>>  fs/dax.c            |   92 +++++++++++++++++++++++++++++++++++++++++++++++++++
>>  include/linux/dax.h |   25 ++++++++++++++
>>  mm/gup.c            |    5 +++
>>  4 files changed, 123 insertions(+), 1 deletion(-)
>
> ...
>
>> +/**
>> + * dax_layout_busy_page - find first pinned page in @mapping
>> + * @mapping: address space to scan for a page with ref count > 1
>> + *
>> + * DAX requires ZONE_DEVICE mapped pages. These pages are never
>> + * 'onlined' to the page allocator so they are considered idle when
>> + * page->count == 1. A filesystem uses this interface to determine if
>> + * any page in the mapping is busy, i.e. for DMA, or other
>> + * get_user_pages() usages.
>> + *
>> + * It is expected that the filesystem is holding locks to block the
>> + * establishment of new mappings in this address_space. I.e. it expects
>> + * to be able to run unmap_mapping_range() and subsequently not race
>> + * mapping_mapped() becoming true. It expects that get_user_pages() pte
>> + * walks are performed under rcu_read_lock().
>> + */
>> +struct page *dax_layout_busy_page(struct address_space *mapping)
>> +{
>> +     pgoff_t indices[PAGEVEC_SIZE];
>> +     struct page *page = NULL;
>> +     struct pagevec pvec;
>> +     pgoff_t index, end;
>> +     unsigned i;
>> +
>> +     /*
>> +      * In the 'limited' case get_user_pages() for dax is disabled.
>> +      */
>> +     if (IS_ENABLED(CONFIG_FS_DAX_LIMITED))
>> +             return NULL;
>> +
>> +     if (!dax_mapping(mapping) || !mapping_mapped(mapping))
>> +             return NULL;
>> +
>> +     pagevec_init(&pvec);
>> +     index = 0;
>> +     end = -1;
>> +     /*
>> +      * Flush dax_layout_lock() sections to ensure all possible page
>> +      * references have been taken, or otherwise arrange for faults
>> +      * to block on the filesystem lock that is taken for
>> +      * establishing new mappings.
>> +      */
>> +     unmap_mapping_range(mapping, 0, 0, 1);
>> +     synchronize_rcu();
>
> So I still don't like the use of RCU for this. It just seems as an abuse to
> use RCU like that. Furthermore it has a hefty latency cost for the truncate
> path. A trivial test to truncate 100 times the last page of a 16k file that
> is mmaped (only the first page):
>
> DAX+your patches        3.899s
> non-DAX                 0.015s
>
> So you can see synchronize_rcu() increased time to run truncate(2) more
> than 200 times (the process is indeed sitting in __wait_rcu_gp all the
> time). IMHO that's just too costly.

I wonder if this can be trivially solved by using srcu. I.e. we don't
need to wait for a global quiescent state, just a
get_user_pages_fast() quiescent state. ...or is that an abuse of the
srcu api?

Paul E. McKenney April 8, 2018, 3:11 a.m. UTC | #5
On Sat, Apr 07, 2018 at 12:38:24PM -0700, Dan Williams wrote:
> [ adding Paul and Josh ]
> 
> On Wed, Apr 4, 2018 at 2:46 AM, Jan Kara <jack@suse.cz> wrote:
> > On Fri 30-03-18 21:03:30, Dan Williams wrote:
> >> Background:
> >>
> >> get_user_pages() in the filesystem pins file backed memory pages for
> >> access by devices performing dma. However, it only pins the memory pages
> >> not the page-to-file offset association. If a file is truncated the
> >> pages are mapped out of the file and dma may continue indefinitely into
> >> a page that is owned by a device driver. This breaks coherency of the
> >> file vs dma, but the assumption is that if userspace wants the
> >> file-space truncated it does not matter what data is inbound from the
> >> device, it is not relevant anymore. The only expectation is that dma can
> >> safely continue while the filesystem reallocates the block(s).
> >>
> >> Problem:
> >>
> >> This expectation that dma can safely continue while the filesystem
> >> changes the block map is broken by dax. With dax the target dma page
> >> *is* the filesystem block. The model of leaving the page pinned for dma,
> >> but truncating the file block out of the file, means that the filesystem
> >> is free to reallocate a block under active dma to another file and now
> >> the expected data-incoherency situation has turned into active
> >> data-corruption.
> >>
> >> Solution:
> >>
> >> Defer all filesystem operations (fallocate(), truncate()) on a dax mode
> >> file while any page/block in the file is under active dma. This solution
> >> assumes that dma is transient. Cases where dma operations are known to
> >> not be transient, like RDMA, have been explicitly disabled via
> >> commits like 5f1d43de5416 "IB/core: disable memory registration of
> >> filesystem-dax vmas".
> >>
> >> The dax_layout_busy_page() routine is called by filesystems with a lock
> >> held against mm faults (i_mmap_lock) to find pinned / busy dax pages.
> >> The process of looking up a busy page invalidates all mappings
> >> to trigger any subsequent get_user_pages() to block on i_mmap_lock.
> >> The filesystem continues to call dax_layout_busy_page() until it finally
> >> returns no more active pages. This approach assumes that the page
> >> pinning is transient, if that assumption is violated the system would
> >> have likely hung from the uncompleted I/O.
> >>
> >> Cc: Jan Kara <jack@suse.cz>
> >> Cc: Jeff Moyer <jmoyer@redhat.com>
> >> Cc: Dave Chinner <david@fromorbit.com>
> >> Cc: Matthew Wilcox <mawilcox@microsoft.com>
> >> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> >> Cc: "Darrick J. Wong" <darrick.wong@oracle.com>
> >> Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
> >> Cc: Dave Hansen <dave.hansen@linux.intel.com>
> >> Cc: Andrew Morton <akpm@linux-foundation.org>
> >> Reported-by: Christoph Hellwig <hch@lst.de>
> >> Reviewed-by: Christoph Hellwig <hch@lst.de>
> >> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> >> ---
> >>  drivers/dax/super.c |    2 +
> >>  fs/dax.c            |   92 +++++++++++++++++++++++++++++++++++++++++++++++++++
> >>  include/linux/dax.h |   25 ++++++++++++++
> >>  mm/gup.c            |    5 +++
> >>  4 files changed, 123 insertions(+), 1 deletion(-)
> >
> > ...
> >
> >> +/**
> >> + * dax_layout_busy_page - find first pinned page in @mapping
> >> + * @mapping: address space to scan for a page with ref count > 1
> >> + *
> >> + * DAX requires ZONE_DEVICE mapped pages. These pages are never
> >> + * 'onlined' to the page allocator so they are considered idle when
> >> + * page->count == 1. A filesystem uses this interface to determine if
> >> + * any page in the mapping is busy, i.e. for DMA, or other
> >> + * get_user_pages() usages.
> >> + *
> >> + * It is expected that the filesystem is holding locks to block the
> >> + * establishment of new mappings in this address_space. I.e. it expects
> >> + * to be able to run unmap_mapping_range() and subsequently not race
> >> + * mapping_mapped() becoming true. It expects that get_user_pages() pte
> >> + * walks are performed under rcu_read_lock().
> >> + */
> >> +struct page *dax_layout_busy_page(struct address_space *mapping)
> >> +{
> >> +     pgoff_t indices[PAGEVEC_SIZE];
> >> +     struct page *page = NULL;
> >> +     struct pagevec pvec;
> >> +     pgoff_t index, end;
> >> +     unsigned i;
> >> +
> >> +     /*
> >> +      * In the 'limited' case get_user_pages() for dax is disabled.
> >> +      */
> >> +     if (IS_ENABLED(CONFIG_FS_DAX_LIMITED))
> >> +             return NULL;
> >> +
> >> +     if (!dax_mapping(mapping) || !mapping_mapped(mapping))
> >> +             return NULL;
> >> +
> >> +     pagevec_init(&pvec);
> >> +     index = 0;
> >> +     end = -1;
> >> +     /*
> >> +      * Flush dax_layout_lock() sections to ensure all possible page
> >> +      * references have been taken, or otherwise arrange for faults
> >> +      * to block on the filesystem lock that is taken for
> >> +      * establishing new mappings.
> >> +      */
> >> +     unmap_mapping_range(mapping, 0, 0, 1);
> >> +     synchronize_rcu();
> >
> > So I still don't like the use of RCU for this. It just seems as an abuse to
> > use RCU like that. Furthermore it has a hefty latency cost for the truncate
> > path. A trivial test to truncate 100 times the last page of a 16k file that
> > is mmaped (only the first page):
> >
> > DAX+your patches        3.899s
> > non-DAX                 0.015s
> >
> > So you can see synchronize_rcu() increased time to run truncate(2) more
> > than 200 times (the process is indeed sitting in __wait_rcu_gp all the
> > time). IMHO that's just too costly.
> 
> I wonder if this can be trivially solved by using srcu. I.e. we don't
> need to wait for a global quiescent state, just a
> get_user_pages_fast() quiescent state. ...or is that an abuse of the
> srcu api?

From what I can see (not that I claim to understand DAX), SRCU
is worth trying.  Another thing to try (as a test) is to replace the
synchronize_rcu() above with synchronize_rcu_expedited(), which might
get you an order of magnitude or thereabouts.

							Thanx, Paul
Jan Kara April 9, 2018, 4:39 p.m. UTC | #6
On Sat 07-04-18 20:11:13, Paul E. McKenney wrote:
> On Sat, Apr 07, 2018 at 12:38:24PM -0700, Dan Williams wrote:
> > [ adding Paul and Josh ]
> > 
> > On Wed, Apr 4, 2018 at 2:46 AM, Jan Kara <jack@suse.cz> wrote:
> > > On Fri 30-03-18 21:03:30, Dan Williams wrote:
> > >> Background:
> > >>
> > >> get_user_pages() in the filesystem pins file backed memory pages for
> > >> access by devices performing dma. However, it only pins the memory pages
> > >> not the page-to-file offset association. If a file is truncated the
> > >> pages are mapped out of the file and dma may continue indefinitely into
> > >> a page that is owned by a device driver. This breaks coherency of the
> > >> file vs dma, but the assumption is that if userspace wants the
> > >> file-space truncated it does not matter what data is inbound from the
> > >> device, it is not relevant anymore. The only expectation is that dma can
> > >> safely continue while the filesystem reallocates the block(s).
> > >>
> > >> Problem:
> > >>
> > >> This expectation that dma can safely continue while the filesystem
> > >> changes the block map is broken by dax. With dax the target dma page
> > >> *is* the filesystem block. The model of leaving the page pinned for dma,
> > >> but truncating the file block out of the file, means that the filesystem
> > >> is free to reallocate a block under active dma to another file and now
> > >> the expected data-incoherency situation has turned into active
> > >> data-corruption.
> > >>
> > >> Solution:
> > >>
> > >> Defer all filesystem operations (fallocate(), truncate()) on a dax mode
> > >> file while any page/block in the file is under active dma. This solution
> > >> assumes that dma is transient. Cases where dma operations are known to
> > >> not be transient, like RDMA, have been explicitly disabled via
> > >> commits like 5f1d43de5416 "IB/core: disable memory registration of
> > >> filesystem-dax vmas".
> > >>
> > >> The dax_layout_busy_page() routine is called by filesystems with a lock
> > >> held against mm faults (i_mmap_lock) to find pinned / busy dax pages.
> > >> The process of looking up a busy page invalidates all mappings
> > >> to trigger any subsequent get_user_pages() to block on i_mmap_lock.
> > >> The filesystem continues to call dax_layout_busy_page() until it finally
> > >> returns no more active pages. This approach assumes that the page
> > >> pinning is transient, if that assumption is violated the system would
> > >> have likely hung from the uncompleted I/O.
> > >>
> > >> Cc: Jan Kara <jack@suse.cz>
> > >> Cc: Jeff Moyer <jmoyer@redhat.com>
> > >> Cc: Dave Chinner <david@fromorbit.com>
> > >> Cc: Matthew Wilcox <mawilcox@microsoft.com>
> > >> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> > >> Cc: "Darrick J. Wong" <darrick.wong@oracle.com>
> > >> Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
> > >> Cc: Dave Hansen <dave.hansen@linux.intel.com>
> > >> Cc: Andrew Morton <akpm@linux-foundation.org>
> > >> Reported-by: Christoph Hellwig <hch@lst.de>
> > >> Reviewed-by: Christoph Hellwig <hch@lst.de>
> > >> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> > >> ---
> > >>  drivers/dax/super.c |    2 +
> > >>  fs/dax.c            |   92 +++++++++++++++++++++++++++++++++++++++++++++++++++
> > >>  include/linux/dax.h |   25 ++++++++++++++
> > >>  mm/gup.c            |    5 +++
> > >>  4 files changed, 123 insertions(+), 1 deletion(-)
> > >
> > > ...
> > >
> > >> +/**
> > >> + * dax_layout_busy_page - find first pinned page in @mapping
> > >> + * @mapping: address space to scan for a page with ref count > 1
> > >> + *
> > >> + * DAX requires ZONE_DEVICE mapped pages. These pages are never
> > >> + * 'onlined' to the page allocator so they are considered idle when
> > >> + * page->count == 1. A filesystem uses this interface to determine if
> > >> + * any page in the mapping is busy, i.e. for DMA, or other
> > >> + * get_user_pages() usages.
> > >> + *
> > >> + * It is expected that the filesystem is holding locks to block the
> > >> + * establishment of new mappings in this address_space. I.e. it expects
> > >> + * to be able to run unmap_mapping_range() and subsequently not race
> > >> + * mapping_mapped() becoming true. It expects that get_user_pages() pte
> > >> + * walks are performed under rcu_read_lock().
> > >> + */
> > >> +struct page *dax_layout_busy_page(struct address_space *mapping)
> > >> +{
> > >> +     pgoff_t indices[PAGEVEC_SIZE];
> > >> +     struct page *page = NULL;
> > >> +     struct pagevec pvec;
> > >> +     pgoff_t index, end;
> > >> +     unsigned i;
> > >> +
> > >> +     /*
> > >> +      * In the 'limited' case get_user_pages() for dax is disabled.
> > >> +      */
> > >> +     if (IS_ENABLED(CONFIG_FS_DAX_LIMITED))
> > >> +             return NULL;
> > >> +
> > >> +     if (!dax_mapping(mapping) || !mapping_mapped(mapping))
> > >> +             return NULL;
> > >> +
> > >> +     pagevec_init(&pvec);
> > >> +     index = 0;
> > >> +     end = -1;
> > >> +     /*
> > >> +      * Flush dax_layout_lock() sections to ensure all possible page
> > >> +      * references have been taken, or otherwise arrange for faults
> > >> +      * to block on the filesystem lock that is taken for
> > >> +      * establishing new mappings.
> > >> +      */
> > >> +     unmap_mapping_range(mapping, 0, 0, 1);
> > >> +     synchronize_rcu();
> > >
> > > So I still don't like the use of RCU for this. It just seems as an abuse to
> > > use RCU like that. Furthermore it has a hefty latency cost for the truncate
> > > path. A trivial test to truncate 100 times the last page of a 16k file that
> > > is mmaped (only the first page):
> > >
> > > DAX+your patches        3.899s
> > > non-DAX                 0.015s
> > >
> > > So you can see synchronize_rcu() increased time to run truncate(2) more
> > > than 200 times (the process is indeed sitting in __wait_rcu_gp all the
> > > time). IMHO that's just too costly.
> > 
> > I wonder if this can be trivially solved by using srcu. I.e. we don't
> > need to wait for a global quiescent state, just a
> > get_user_pages_fast() quiescent state. ...or is that an abuse of the
> > srcu api?
> 
> From what I can see (not that I claim to understand DAX), SRCU
> is worth trying.  Another thing to try (as a test) is to replace the
> synchronize_rcu() above with synchronize_rcu_expedited(), which might
> get you an order of magnitude or thereabouts.

But having synchronize_rcu_expedited() easily triggerable by userspace
(potentially every 100 usec or even less) is not a great thing, right?
It would be hogging the system with IPIs...

								Honza
Jan Kara April 9, 2018, 4:49 p.m. UTC | #7
On Sat 07-04-18 12:38:24, Dan Williams wrote:
> [ adding Paul and Josh ]
> 
> On Wed, Apr 4, 2018 at 2:46 AM, Jan Kara <jack@suse.cz> wrote:
> > On Fri 30-03-18 21:03:30, Dan Williams wrote:
> >> Background:
> >>
> >> get_user_pages() in the filesystem pins file backed memory pages for
> >> access by devices performing dma. However, it only pins the memory pages
> >> not the page-to-file offset association. If a file is truncated the
> >> pages are mapped out of the file and dma may continue indefinitely into
> >> a page that is owned by a device driver. This breaks coherency of the
> >> file vs dma, but the assumption is that if userspace wants the
> >> file-space truncated it does not matter what data is inbound from the
> >> device, it is not relevant anymore. The only expectation is that dma can
> >> safely continue while the filesystem reallocates the block(s).
> >>
> >> Problem:
> >>
> >> This expectation that dma can safely continue while the filesystem
> >> changes the block map is broken by dax. With dax the target dma page
> >> *is* the filesystem block. The model of leaving the page pinned for dma,
> >> but truncating the file block out of the file, means that the filesystem
> >> is free to reallocate a block under active dma to another file and now
> >> the expected data-incoherency situation has turned into active
> >> data-corruption.
> >>
> >> Solution:
> >>
> >> Defer all filesystem operations (fallocate(), truncate()) on a dax mode
> >> file while any page/block in the file is under active dma. This solution
> >> assumes that dma is transient. Cases where dma operations are known to
> >> not be transient, like RDMA, have been explicitly disabled via
> >> commits like 5f1d43de5416 "IB/core: disable memory registration of
> >> filesystem-dax vmas".
> >>
> >> The dax_layout_busy_page() routine is called by filesystems with a lock
> >> held against mm faults (i_mmap_lock) to find pinned / busy dax pages.
> >> The process of looking up a busy page invalidates all mappings
> >> to trigger any subsequent get_user_pages() to block on i_mmap_lock.
> >> The filesystem continues to call dax_layout_busy_page() until it finally
> >> returns no more active pages. This approach assumes that the page
> >> pinning is transient, if that assumption is violated the system would
> >> have likely hung from the uncompleted I/O.
> >>
> >> Cc: Jan Kara <jack@suse.cz>
> >> Cc: Jeff Moyer <jmoyer@redhat.com>
> >> Cc: Dave Chinner <david@fromorbit.com>
> >> Cc: Matthew Wilcox <mawilcox@microsoft.com>
> >> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> >> Cc: "Darrick J. Wong" <darrick.wong@oracle.com>
> >> Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
> >> Cc: Dave Hansen <dave.hansen@linux.intel.com>
> >> Cc: Andrew Morton <akpm@linux-foundation.org>
> >> Reported-by: Christoph Hellwig <hch@lst.de>
> >> Reviewed-by: Christoph Hellwig <hch@lst.de>
> >> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> >> ---
> >>  drivers/dax/super.c |    2 +
> >>  fs/dax.c            |   92 +++++++++++++++++++++++++++++++++++++++++++++++++++
> >>  include/linux/dax.h |   25 ++++++++++++++
> >>  mm/gup.c            |    5 +++
> >>  4 files changed, 123 insertions(+), 1 deletion(-)
> >
> > ...
> >
> >> +/**
> >> + * dax_layout_busy_page - find first pinned page in @mapping
> >> + * @mapping: address space to scan for a page with ref count > 1
> >> + *
> >> + * DAX requires ZONE_DEVICE mapped pages. These pages are never
> >> + * 'onlined' to the page allocator so they are considered idle when
> >> + * page->count == 1. A filesystem uses this interface to determine if
> >> + * any page in the mapping is busy, i.e. for DMA, or other
> >> + * get_user_pages() usages.
> >> + *
> >> + * It is expected that the filesystem is holding locks to block the
> >> + * establishment of new mappings in this address_space. I.e. it expects
> >> + * to be able to run unmap_mapping_range() and subsequently not race
> >> + * mapping_mapped() becoming true. It expects that get_user_pages() pte
> >> + * walks are performed under rcu_read_lock().
> >> + */
> >> +struct page *dax_layout_busy_page(struct address_space *mapping)
> >> +{
> >> +     pgoff_t indices[PAGEVEC_SIZE];
> >> +     struct page *page = NULL;
> >> +     struct pagevec pvec;
> >> +     pgoff_t index, end;
> >> +     unsigned i;
> >> +
> >> +     /*
> >> +      * In the 'limited' case get_user_pages() for dax is disabled.
> >> +      */
> >> +     if (IS_ENABLED(CONFIG_FS_DAX_LIMITED))
> >> +             return NULL;
> >> +
> >> +     if (!dax_mapping(mapping) || !mapping_mapped(mapping))
> >> +             return NULL;
> >> +
> >> +     pagevec_init(&pvec);
> >> +     index = 0;
> >> +     end = -1;
> >> +     /*
> >> +      * Flush dax_layout_lock() sections to ensure all possible page
> >> +      * references have been taken, or otherwise arrange for faults
> >> +      * to block on the filesystem lock that is taken for
> >> +      * establishing new mappings.
> >> +      */
> >> +     unmap_mapping_range(mapping, 0, 0, 1);
> >> +     synchronize_rcu();
> >
> > So I still don't like the use of RCU for this. It just seems as an abuse to
> > use RCU like that. Furthermore it has a hefty latency cost for the truncate
> > path. A trivial test to truncate 100 times the last page of a 16k file that
> > is mmaped (only the first page):
> >
> > DAX+your patches        3.899s
> > non-DAX                 0.015s
> >
> > So you can see synchronize_rcu() increased time to run truncate(2) more
> > than 200 times (the process is indeed sitting in __wait_rcu_gp all the
> > time). IMHO that's just too costly.
> 
> I wonder if this can be trivially solved by using srcu. I.e. we don't
> need to wait for a global quiescent state, just a
> get_user_pages_fast() quiescent state. ...or is that an abuse of the
> srcu api?

Well, I'd rather use the percpu rwsemaphore (linux/percpu-rwsem.h) than
SRCU. It is a more-or-less standard locking mechanism rather than relying
on implementation properties of SRCU which is a data structure protection
method. And the overhead of percpu rwsemaphore for your use case should be
about the same as that of SRCU.

								Honza
Dan Williams April 9, 2018, 4:51 p.m. UTC | #8
On Mon, Apr 9, 2018 at 9:49 AM, Jan Kara <jack@suse.cz> wrote:
> On Sat 07-04-18 12:38:24, Dan Williams wrote:
[..]
>> I wonder if this can be trivially solved by using srcu. I.e. we don't
>> need to wait for a global quiescent state, just a
>> get_user_pages_fast() quiescent state. ...or is that an abuse of the
>> srcu api?
>
> Well, I'd rather use the percpu rwsemaphore (linux/percpu-rwsem.h) than
> SRCU. It is a more-or-less standard locking mechanism rather than relying
> on implementation properties of SRCU which is a data structure protection
> method. And the overhead of percpu rwsemaphore for your use case should be
> about the same as that of SRCU.

I was just about to ask that. Yes, it seems they would share similar
properties and it would be better to use the explicit implementation
rather than a side effect of srcu.
Paul E. McKenney April 9, 2018, 6:14 p.m. UTC | #9
On Mon, Apr 09, 2018 at 06:39:10PM +0200, Jan Kara wrote:
> On Sat 07-04-18 20:11:13, Paul E. McKenney wrote:
> > On Sat, Apr 07, 2018 at 12:38:24PM -0700, Dan Williams wrote:
> > > [ adding Paul and Josh ]
> > > 
> > > On Wed, Apr 4, 2018 at 2:46 AM, Jan Kara <jack@suse.cz> wrote:
> > > > On Fri 30-03-18 21:03:30, Dan Williams wrote:
> > > >> Background:
> > > >>
> > > >> get_user_pages() in the filesystem pins file backed memory pages for
> > > >> access by devices performing dma. However, it only pins the memory pages
> > > >> not the page-to-file offset association. If a file is truncated the
> > > >> pages are mapped out of the file and dma may continue indefinitely into
> > > >> a page that is owned by a device driver. This breaks coherency of the
> > > >> file vs dma, but the assumption is that if userspace wants the
> > > >> file-space truncated it does not matter what data is inbound from the
> > > >> device, it is not relevant anymore. The only expectation is that dma can
> > > >> safely continue while the filesystem reallocates the block(s).
> > > >>
> > > >> Problem:
> > > >>
> > > >> This expectation that dma can safely continue while the filesystem
> > > >> changes the block map is broken by dax. With dax the target dma page
> > > >> *is* the filesystem block. The model of leaving the page pinned for dma,
> > > >> but truncating the file block out of the file, means that the filesystem
> > > >> is free to reallocate a block under active dma to another file and now
> > > >> the expected data-incoherency situation has turned into active
> > > >> data-corruption.
> > > >>
> > > >> Solution:
> > > >>
> > > >> Defer all filesystem operations (fallocate(), truncate()) on a dax mode
> > > >> file while any page/block in the file is under active dma. This solution
> > > >> assumes that dma is transient. Cases where dma operations are known to
> > > >> not be transient, like RDMA, have been explicitly disabled via
> > > >> commits like 5f1d43de5416 "IB/core: disable memory registration of
> > > >> filesystem-dax vmas".
> > > >>
> > > >> The dax_layout_busy_page() routine is called by filesystems with a lock
> > > >> held against mm faults (i_mmap_lock) to find pinned / busy dax pages.
> > > >> The process of looking up a busy page invalidates all mappings
> > > >> to trigger any subsequent get_user_pages() to block on i_mmap_lock.
> > > >> The filesystem continues to call dax_layout_busy_page() until it finally
> > > >> returns no more active pages. This approach assumes that the page
> > > >> pinning is transient, if that assumption is violated the system would
> > > >> have likely hung from the uncompleted I/O.
> > > >>
> > > >> Cc: Jan Kara <jack@suse.cz>
> > > >> Cc: Jeff Moyer <jmoyer@redhat.com>
> > > >> Cc: Dave Chinner <david@fromorbit.com>
> > > >> Cc: Matthew Wilcox <mawilcox@microsoft.com>
> > > >> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> > > >> Cc: "Darrick J. Wong" <darrick.wong@oracle.com>
> > > >> Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
> > > >> Cc: Dave Hansen <dave.hansen@linux.intel.com>
> > > >> Cc: Andrew Morton <akpm@linux-foundation.org>
> > > >> Reported-by: Christoph Hellwig <hch@lst.de>
> > > >> Reviewed-by: Christoph Hellwig <hch@lst.de>
> > > >> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> > > >> ---
> > > >>  drivers/dax/super.c |    2 +
> > > >>  fs/dax.c            |   92 +++++++++++++++++++++++++++++++++++++++++++++++++++
> > > >>  include/linux/dax.h |   25 ++++++++++++++
> > > >>  mm/gup.c            |    5 +++
> > > >>  4 files changed, 123 insertions(+), 1 deletion(-)
> > > >
> > > > ...
> > > >
> > > >> +/**
> > > >> + * dax_layout_busy_page - find first pinned page in @mapping
> > > >> + * @mapping: address space to scan for a page with ref count > 1
> > > >> + *
> > > >> + * DAX requires ZONE_DEVICE mapped pages. These pages are never
> > > >> + * 'onlined' to the page allocator so they are considered idle when
> > > >> + * page->count == 1. A filesystem uses this interface to determine if
> > > >> + * any page in the mapping is busy, i.e. for DMA, or other
> > > >> + * get_user_pages() usages.
> > > >> + *
> > > >> + * It is expected that the filesystem is holding locks to block the
> > > >> + * establishment of new mappings in this address_space. I.e. it expects
> > > >> + * to be able to run unmap_mapping_range() and subsequently not race
> > > >> + * mapping_mapped() becoming true. It expects that get_user_pages() pte
> > > >> + * walks are performed under rcu_read_lock().
> > > >> + */
> > > >> +struct page *dax_layout_busy_page(struct address_space *mapping)
> > > >> +{
> > > >> +     pgoff_t indices[PAGEVEC_SIZE];
> > > >> +     struct page *page = NULL;
> > > >> +     struct pagevec pvec;
> > > >> +     pgoff_t index, end;
> > > >> +     unsigned i;
> > > >> +
> > > >> +     /*
> > > >> +      * In the 'limited' case get_user_pages() for dax is disabled.
> > > >> +      */
> > > >> +     if (IS_ENABLED(CONFIG_FS_DAX_LIMITED))
> > > >> +             return NULL;
> > > >> +
> > > >> +     if (!dax_mapping(mapping) || !mapping_mapped(mapping))
> > > >> +             return NULL;
> > > >> +
> > > >> +     pagevec_init(&pvec);
> > > >> +     index = 0;
> > > >> +     end = -1;
> > > >> +     /*
> > > >> +      * Flush dax_layout_lock() sections to ensure all possible page
> > > >> +      * references have been taken, or otherwise arrange for faults
> > > >> +      * to block on the filesystem lock that is taken for
> > > >> +      * establishing new mappings.
> > > >> +      */
> > > >> +     unmap_mapping_range(mapping, 0, 0, 1);
> > > >> +     synchronize_rcu();
> > > >
> > > > So I still don't like the use of RCU for this. It just seems as an abuse to
> > > > use RCU like that. Furthermore it has a hefty latency cost for the truncate
> > > > path. A trivial test to truncate 100 times the last page of a 16k file that
> > > > is mmaped (only the first page):
> > > >
> > > > DAX+your patches        3.899s
> > > > non-DAX                 0.015s
> > > >
> > > > So you can see synchronize_rcu() increased time to run truncate(2) more
> > > > than 200 times (the process is indeed sitting in __wait_rcu_gp all the
> > > > time). IMHO that's just too costly.
> > > 
> > > I wonder if this can be trivially solved by using srcu. I.e. we don't
> > > need to wait for a global quiescent state, just a
> > > get_user_pages_fast() quiescent state. ...or is that an abuse of the
> > > srcu api?
> > 
> > From what I can see (not that I claim to understand DAX), SRCU
> > is worth trying.  Another thing to try (as a test) is to replace the
> > synchronize_rcu() above with synchronize_rcu_expedited(), which might
> > get you an order of magnitude or thereabouts.
> 
> But having synchronize_rcu_expedited() easily triggerable by userspace
> (potentially every 100 usec or even less) is not a great thing, right?
> It would be hogging the system with IPIs...

Yes, and that is why I have "(as a test)" above.  If doing that restores
performance in the trivial-truncation case, that at least lets us know what
needs to happen, even though it does have some drawbacks.

And there is a synchronize_srcu_expedited() that does not do IPIs, if
that helps.

Another approach is to use call_rcu(), but I am guessing that you cannot
safely return to user until the grace period has completed.

							Thanx, Paul
Dan Williams April 13, 2018, 10:03 p.m. UTC | #10
On Mon, Apr 9, 2018 at 9:51 AM, Dan Williams <dan.j.williams@intel.com> wrote:
> On Mon, Apr 9, 2018 at 9:49 AM, Jan Kara <jack@suse.cz> wrote:
>> On Sat 07-04-18 12:38:24, Dan Williams wrote:
> [..]
>>> I wonder if this can be trivially solved by using srcu. I.e. we don't
>>> need to wait for a global quiescent state, just a
>>> get_user_pages_fast() quiescent state. ...or is that an abuse of the
>>> srcu api?
>>
>> Well, I'd rather use the percpu rwsemaphore (linux/percpu-rwsem.h) than
>> SRCU. It is a more-or-less standard locking mechanism rather than relying
>> on implementation properties of SRCU which is a data structure protection
>> method. And the overhead of percpu rwsemaphore for your use case should be
>> about the same as that of SRCU.
>
> I was just about to ask that. Yes, it seems they would share similar
> properties and it would be better to use the explicit implementation
> rather than a side effect of srcu.

...unfortunately:

 BUG: sleeping function called from invalid context at
./include/linux/percpu-rwsem.h:34
 [..]
 Call Trace:
  dump_stack+0x85/0xcb
  ___might_sleep+0x15b/0x240
  dax_layout_lock+0x18/0x80
  get_user_pages_fast+0xf8/0x140

...and thinking about it more srcu is a better fit. We don't need the
100% exclusion provided by an rwsem we only need the guarantee that
all cpus that might have been running get_user_pages_fast() have
finished it at least once.

In my tests synchronize_srcu is a bit slower than unpatched for the
trivial 100 truncate test, but certainly not the 200x latency you were
seeing with synchronize_rcu.

Elapsed time:
0.006149178 unpatched
0.009426360 srcu
Paul E. McKenney April 13, 2018, 10:48 p.m. UTC | #11
On Fri, Apr 13, 2018 at 03:03:51PM -0700, Dan Williams wrote:
> On Mon, Apr 9, 2018 at 9:51 AM, Dan Williams <dan.j.williams@intel.com> wrote:
> > On Mon, Apr 9, 2018 at 9:49 AM, Jan Kara <jack@suse.cz> wrote:
> >> On Sat 07-04-18 12:38:24, Dan Williams wrote:
> > [..]
> >>> I wonder if this can be trivially solved by using srcu. I.e. we don't
> >>> need to wait for a global quiescent state, just a
> >>> get_user_pages_fast() quiescent state. ...or is that an abuse of the
> >>> srcu api?
> >>
> >> Well, I'd rather use the percpu rwsemaphore (linux/percpu-rwsem.h) than
> >> SRCU. It is a more-or-less standard locking mechanism rather than relying
> >> on implementation properties of SRCU which is a data structure protection
> >> method. And the overhead of percpu rwsemaphore for your use case should be
> >> about the same as that of SRCU.
> >
> > I was just about to ask that. Yes, it seems they would share similar
> > properties and it would be better to use the explicit implementation
> > rather than a side effect of srcu.
> 
> ...unfortunately:
> 
>  BUG: sleeping function called from invalid context at
> ./include/linux/percpu-rwsem.h:34
>  [..]
>  Call Trace:
>   dump_stack+0x85/0xcb
>   ___might_sleep+0x15b/0x240
>   dax_layout_lock+0x18/0x80
>   get_user_pages_fast+0xf8/0x140
> 
> ...and thinking about it more srcu is a better fit. We don't need the
> 100% exclusion provided by an rwsem we only need the guarantee that
> all cpus that might have been running get_user_pages_fast() have
> finished it at least once.
> 
> In my tests synchronize_srcu is a bit slower than unpatched for the
> trivial 100 truncate test, but certainly not the 200x latency you were
> seeing with synchronize_rcu.
> 
> Elapsed time:
> 0.006149178 unpatched
> 0.009426360 srcu

You might want to try synchronize_srcu_expedited().  Unlike plain RCU,
it does not send IPIs, so should be less controversial.  And it might
well more than make up the performance difference you are seeing above.

							Thanx, Paul
Jan Kara April 19, 2018, 10:44 a.m. UTC | #12
On Fri 13-04-18 15:03:51, Dan Williams wrote:
> On Mon, Apr 9, 2018 at 9:51 AM, Dan Williams <dan.j.williams@intel.com> wrote:
> > On Mon, Apr 9, 2018 at 9:49 AM, Jan Kara <jack@suse.cz> wrote:
> >> On Sat 07-04-18 12:38:24, Dan Williams wrote:
> > [..]
> >>> I wonder if this can be trivially solved by using srcu. I.e. we don't
> >>> need to wait for a global quiescent state, just a
> >>> get_user_pages_fast() quiescent state. ...or is that an abuse of the
> >>> srcu api?
> >>
> >> Well, I'd rather use the percpu rwsemaphore (linux/percpu-rwsem.h) than
> >> SRCU. It is a more-or-less standard locking mechanism rather than relying
> >> on implementation properties of SRCU which is a data structure protection
> >> method. And the overhead of percpu rwsemaphore for your use case should be
> >> about the same as that of SRCU.
> >
> > I was just about to ask that. Yes, it seems they would share similar
> > properties and it would be better to use the explicit implementation
> > rather than a side effect of srcu.
> 
> ...unfortunately:
> 
>  BUG: sleeping function called from invalid context at
> ./include/linux/percpu-rwsem.h:34
>  [..]
>  Call Trace:
>   dump_stack+0x85/0xcb
>   ___might_sleep+0x15b/0x240
>   dax_layout_lock+0x18/0x80
>   get_user_pages_fast+0xf8/0x140
> 
> ...and thinking about it more srcu is a better fit. We don't need the
> 100% exclusion provided by an rwsem we only need the guarantee that
> all cpus that might have been running get_user_pages_fast() have
> finished it at least once.
> 
> In my tests synchronize_srcu is a bit slower than unpatched for the
> trivial 100 truncate test, but certainly not the 200x latency you were
> seeing with synchronize_rcu.
> 
> Elapsed time:
> 0.006149178 unpatched
> 0.009426360 srcu

Hum, right. Yesterday I was looking into KSM for a different reason and
I've noticed it also does writeprotect pages and deals with races with GUP.
And what KSM relies on is:

write_protect_page()
  ...
  entry = ptep_clear_flush(vma, pvmw.address, pvmw.pte);
  /*
   * Check that no O_DIRECT or similar I/O is in progress on the
   * page
   */
  if (page_mapcount(page) + 1 + swapped != page_count(page)) {
    page used -> bail
  }

And this really works because gup_pte_range() does:

  page = pte_page(pte);
  head = compound_head(page);

  if (!page_cache_get_speculative(head))
    goto pte_unmap;

  if (unlikely(pte_val(pte) != pte_val(*ptep))) {
    bail
  }

So either write_protect_page() sees the elevated reference or
gup_pte_range() bails because it will see the pte changed.

In the truncate path things are a bit different but in principle the same
should work - once truncate blocks page faults and unmaps pages from page
tables, we can be sure GUP will not grab the page anymore or we'll see
elevated page count. So IMO there's no need for any additional locking
against the GUP path (but a comment explaining this is highly desirable I
guess). 

								Honza
Dan Williams April 20, 2018, 3 a.m. UTC | #13
On Thu, Apr 19, 2018 at 3:44 AM, Jan Kara <jack@suse.cz> wrote:
> On Fri 13-04-18 15:03:51, Dan Williams wrote:
>> On Mon, Apr 9, 2018 at 9:51 AM, Dan Williams <dan.j.williams@intel.com> wrote:
>> > On Mon, Apr 9, 2018 at 9:49 AM, Jan Kara <jack@suse.cz> wrote:
>> >> On Sat 07-04-18 12:38:24, Dan Williams wrote:
>> > [..]
>> >>> I wonder if this can be trivially solved by using srcu. I.e. we don't
>> >>> need to wait for a global quiescent state, just a
>> >>> get_user_pages_fast() quiescent state. ...or is that an abuse of the
>> >>> srcu api?
>> >>
>> >> Well, I'd rather use the percpu rwsemaphore (linux/percpu-rwsem.h) than
>> >> SRCU. It is a more-or-less standard locking mechanism rather than relying
>> >> on implementation properties of SRCU which is a data structure protection
>> >> method. And the overhead of percpu rwsemaphore for your use case should be
>> >> about the same as that of SRCU.
>> >
>> > I was just about to ask that. Yes, it seems they would share similar
>> > properties and it would be better to use the explicit implementation
>> > rather than a side effect of srcu.
>>
>> ...unfortunately:
>>
>>  BUG: sleeping function called from invalid context at
>> ./include/linux/percpu-rwsem.h:34
>>  [..]
>>  Call Trace:
>>   dump_stack+0x85/0xcb
>>   ___might_sleep+0x15b/0x240
>>   dax_layout_lock+0x18/0x80
>>   get_user_pages_fast+0xf8/0x140
>>
>> ...and thinking about it more srcu is a better fit. We don't need the
>> 100% exclusion provided by an rwsem we only need the guarantee that
>> all cpus that might have been running get_user_pages_fast() have
>> finished it at least once.
>>
>> In my tests synchronize_srcu is a bit slower than unpatched for the
>> trivial 100 truncate test, but certainly not the 200x latency you were
>> seeing with synchronize_rcu.
>>
>> Elapsed time:
>> 0.006149178 unpatched
>> 0.009426360 srcu
>
> Hum, right. Yesterday I was looking into KSM for a different reason and
> I've noticed it also does writeprotect pages and deals with races with GUP.
> And what KSM relies on is:
>
> write_protect_page()
>   ...
>   entry = ptep_clear_flush(vma, pvmw.address, pvmw.pte);
>   /*
>    * Check that no O_DIRECT or similar I/O is in progress on the
>    * page
>    */
>   if (page_mapcount(page) + 1 + swapped != page_count(page)) {
>     page used -> bail

Slick.

>   }
>
> And this really works because gup_pte_range() does:
>
>   page = pte_page(pte);
>   head = compound_head(page);
>
>   if (!page_cache_get_speculative(head))
>     goto pte_unmap;
>
>   if (unlikely(pte_val(pte) != pte_val(*ptep))) {
>     bail

Need to add a similar check to __gup_device_huge_pmd.

>   }
>
> So either write_protect_page() sees the elevated reference or
> gup_pte_range() bails because it will see the pte changed.
>
> In the truncate path things are a bit different but in principle the same
> should work - once truncate blocks page faults and unmaps pages from page
> tables, we can be sure GUP will not grab the page anymore or we'll see
> elevated page count. So IMO there's no need for any additional locking
> against the GUP path (but a comment explaining this is highly desirable I
> guess).

Yes, those "pte_val(pte) != pte_val(*ptep)" checks should be
documented for the same reason we require comments on rmb/wmb pairs.
I'll take a look, thanks Jan.
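
The either/or argument in comments #12 and #13 above, as an added example that is not part of the thread or of the kernel source: a constructed, sequentially consistent model of one pte and one page that runs every interleaving of the lockless GUP walk against unmap-then-check-refcount, with and without the pte re-check. The struct, the function names and the step numbering are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not kernel code: one pte mapping one DAX page. */
struct model {
	int pte;       /* 1 = pte maps the page, 0 = cleared by the unmap */
	int refcount;  /* 1 = idle ZONE_DEVICE page, >1 = pinned */
	int seen_pte;  /* pte value sampled at the start of the GUP walk */
	bool bailed;   /* GUP fast path gave up */
	bool pinned;   /* GUP fast path returned the page to its caller */
	bool idle;     /* layout-change side concluded the page is idle */
};

/* The three steps of the lockless walk quoted from gup_pte_range(). */
static void gup_step(struct model *m, int step, bool recheck)
{
	if (m->bailed)
		return;
	switch (step) {
	case 0: /* sample the pte; nothing to pin if it is already gone */
		m->seen_pte = m->pte;
		if (!m->seen_pte)
			m->bailed = true;
		break;
	case 1: /* page_cache_get_speculative(head) */
		m->refcount++;
		break;
	case 2: /* pte_val(pte) != pte_val(*ptep): drop the ref and bail */
		if (recheck && m->pte != m->seen_pte) {
			m->refcount--;
			m->bailed = true;
		} else {
			m->pinned = true;
		}
		break;
	}
}

/* The two steps of the layout-change side: unmap, then read the count. */
static void truncate_step(struct model *m, int step)
{
	if (step == 0)
		m->pte = 0;                   /* unmap_mapping_range() */
	else
		m->idle = (m->refcount == 1); /* busy when the count is > 1 */
}

/*
 * Run every interleaving of the 3 GUP steps with the 2 truncate steps
 * (each side keeps its own program order) and count the ones that end
 * with the page pinned for DMA while the truncate side saw it as idle.
 */
int unsafe_interleavings(bool recheck, int *total)
{
	int unsafe = 0, count = 0;

	/* i and j are the slots (out of five) taken by the truncate steps */
	for (int i = 0; i < 5; i++) {
		for (int j = i + 1; j < 5; j++) {
			struct model m = { .pte = 1, .refcount = 1 };
			int g = 0;

			for (int slot = 0; slot < 5; slot++) {
				if (slot == i)
					truncate_step(&m, 0);
				else if (slot == j)
					truncate_step(&m, 1);
				else
					gup_step(&m, g++, recheck);
			}
			count++;
			if (m.pinned && m.idle)
				unsafe++;
		}
	}
	if (total)
		*total = count;
	return unsafe;
}

int main(void)
{
	int total = 0;
	int with = unsafe_interleavings(true, &total);
	int without = unsafe_interleavings(false, &total);

	printf("%d interleavings: %d unsafe with the pte re-check, %d without\n",
	       total, with, without);
	return 0;
}
```

The single unsafe ordering without the re-check is: GUP samples the pte, the unmap clears it, the refcount reads as idle, and only then does GUP take its reference. That is the window a walker lacking the comparison leaves open.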

Patch

diff --git a/drivers/dax/super.c b/drivers/dax/super.c
index 3bafaddd02f1..91bfc34e3ca7 100644
--- a/drivers/dax/super.c
+++ b/drivers/dax/super.c
@@ -167,7 +167,7 @@  struct dax_device {
 #if IS_ENABLED(CONFIG_DEV_PAGEMAP_OPS)
 static void generic_dax_pagefree(struct page *page, void *data)
 {
-	/* TODO: wakeup page-idle waiters */
+	wake_up_var(&page->_refcount);
 }
 
 struct dax_device *fs_dax_claim(struct dax_device *dax_dev, void *owner)
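Review bot: in generic_dax_pagefree() the new wake_up_var(&page->_refcount) has no matching wait_var_event() anywhere in this diff, and the TODO it replaces was the only hint about who is expected to sleep on this address. Please add a one-line comment naming the waiter and the condition it re-tests, so the wake/wait key pairing can be checked when the waiting side lands.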
diff --git a/fs/dax.c b/fs/dax.c
index a77394fe586e..c01f7989e0aa 100644
--- a/fs/dax.c
+++ b/fs/dax.c
@@ -355,6 +355,19 @@  static void dax_disassociate_entry(void *entry, struct address_space *mapping,
 	}
 }
 
+static struct page *dax_busy_page(void *entry)
+{
+	unsigned long pfn;
+
+	for_each_mapped_pfn(entry, pfn) {
+		struct page *page = pfn_to_page(pfn);
+
+		if (page_ref_count(page) > 1)
+			return page;
+	}
+	return NULL;
+}
+
 /*
  * Find radix tree entry at given index. If it points to an exceptional entry,
  * return it with the radix tree entry locked. If the radix tree doesn't
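Review bot: dax_busy_page() returns the first page with page_ref_count(page) > 1 without taking a reference of its own, so the pointer handed back may already describe an idle page by the time the caller looks at it. A comment should say that the result is only usable as a hint or a wait key and has to be re-evaluated under the filesystem's lock, and should point at the "idle when page->count == 1" rule in the dax_layout_busy_page() kernel-doc so the threshold is not a bare number here.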
@@ -496,6 +509,85 @@  static void *grab_mapping_entry(struct address_space *mapping, pgoff_t index,
 	return entry;
 }
 
+/**
+ * dax_layout_busy_page - find first pinned page in @mapping
+ * @mapping: address space to scan for a page with ref count > 1
+ *
+ * DAX requires ZONE_DEVICE mapped pages. These pages are never
+ * 'onlined' to the page allocator so they are considered idle when
+ * page->count == 1. A filesystem uses this interface to determine if
+ * any page in the mapping is busy, i.e. for DMA, or other
+ * get_user_pages() usages.
+ *
+ * It is expected that the filesystem is holding locks to block the
+ * establishment of new mappings in this address_space. I.e. it expects
+ * to be able to run unmap_mapping_range() and subsequently not race
+ * mapping_mapped() becoming true. It expects that get_user_pages() pte
+ * walks are performed under rcu_read_lock().
+ */
+struct page *dax_layout_busy_page(struct address_space *mapping)
+{
+	pgoff_t	indices[PAGEVEC_SIZE];
+	struct page *page = NULL;
+	struct pagevec pvec;
+	pgoff_t	index, end;
+	unsigned i;
+
+	/*
+	 * In the 'limited' case get_user_pages() for dax is disabled.
+	 */
+	if (IS_ENABLED(CONFIG_FS_DAX_LIMITED))
+		return NULL;
+
+	if (!dax_mapping(mapping) || !mapping_mapped(mapping))
+		return NULL;
+
+	pagevec_init(&pvec);
+	index = 0;
+	end = -1;
+	/*
+	 * Flush dax_layout_lock() sections to ensure all possible page
+	 * references have been taken, or otherwise arrange for faults
+	 * to block on the filesystem lock that is taken for
+	 * establishing new mappings.
+	 */
+	unmap_mapping_range(mapping, 0, 0, 1);
+	synchronize_rcu();
+
+	while (index < end && pagevec_lookup_entries(&pvec, mapping, index,
+				min(end - index, (pgoff_t)PAGEVEC_SIZE),
+				indices)) {
+		for (i = 0; i < pagevec_count(&pvec); i++) {
+			struct page *pvec_ent = pvec.pages[i];
+			void *entry;
+
+			index = indices[i];
+			if (index >= end)
+				break;
+
+			if (!radix_tree_exceptional_entry(pvec_ent))
+				continue;
+
+			spin_lock_irq(&mapping->tree_lock);
+			entry = get_unlocked_mapping_entry(mapping, index, NULL);
+			if (entry)
+				page = dax_busy_page(entry);
+			put_unlocked_mapping_entry(mapping, index, entry);
+			spin_unlock_irq(&mapping->tree_lock);
+			if (page)
+				break;
+		}
+		pagevec_remove_exceptionals(&pvec);
+		pagevec_release(&pvec);
+		index++;
+
+		if (page)
+			break;
+	}
+	return page;
+}
+EXPORT_SYMBOL_GPL(dax_layout_busy_page);
+
 static int __dax_invalidate_mapping_entry(struct address_space *mapping,
 					  pgoff_t index, bool trunc)
 {
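Review bot: in dax_layout_busy_page() the unconditional synchronize_rcu() after unmap_mapping_range() puts a full grace period on every call that gets past the mapping_mapped() check, which is the latency discussed in the thread above. If the pte recheck in the get_user_pages() walk already closes the race once the ptes are cleared, as argued there, the grace period and the dax_layout_lock() brackets can be dropped in favour of a comment stating the ordering that is relied on; that depends on the device huge page paths doing the same recheck. Two smaller points: the comment's "or otherwise arrange for faults to block" is a caller precondition rather than something this function does, so it belongs in the kernel-doc, and "unsigned i" should be "unsigned int i".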
diff --git a/include/linux/dax.h b/include/linux/dax.h
index a36b74aa96e8..1b0ad014bc28 100644
--- a/include/linux/dax.h
+++ b/include/linux/dax.h
@@ -90,6 +90,8 @@  static inline struct dax_device *fs_dax_get_by_host(const char *host)
 
 int dax_writeback_mapping_range(struct address_space *mapping,
 		struct block_device *bdev, struct writeback_control *wbc);
+
+struct page *dax_layout_busy_page(struct address_space *mapping);
 #else
 static inline int bdev_dax_supported(struct super_block *sb, int blocksize)
 {
@@ -106,6 +108,11 @@  static inline int dax_writeback_mapping_range(struct address_space *mapping,
 {
 	return -EOPNOTSUPP;
 }
+
+static inline struct page *dax_layout_busy_page(struct address_space *mapping)
+{
+	return NULL;
+}
 #endif
 
 #if IS_ENABLED(CONFIG_DEV_PAGEMAP_OPS)
@@ -113,6 +120,16 @@  struct dax_device *fs_dax_claim_bdev(struct block_device *bdev, void *owner);
 struct dax_device *fs_dax_claim(struct dax_device *dax_dev, void *owner);
 void __fs_dax_release(struct dax_device *dax_dev, void *owner);
 void fs_dax_release(struct dax_device *dax_dev, void *owner);
+
+static inline void dax_layout_lock(void)
+{
+	rcu_read_lock();
+}
+
+static inline void dax_layout_unlock(void)
+{
+	rcu_read_unlock();
+}
 #else
 #ifdef CONFIG_BLOCK
 static inline struct dax_device *fs_dax_claim_bdev(struct block_device *bdev,
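Review bot: dax_layout_lock() and dax_layout_unlock() are bare wrappers around rcu_read_lock() and rcu_read_unlock() with no kernel-doc, so nothing at a call site tells the reader that the bracketed region is an RCU read-side section and must not sleep. Please document that constraint and the pairing with synchronize_rcu() in dax_layout_busy_page(), or use the RCU calls directly at the two call sites with a comment.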
@@ -142,6 +159,14 @@  static inline struct dax_device *fs_dax_claim(struct dax_device *dax_dev,
 static inline void __fs_dax_release(struct dax_device *dax_dev, void *owner)
 {
 }
+
+static inline void dax_layout_lock(void)
+{
+}
+
+static inline void dax_layout_unlock(void)
+{
+}
 #endif
 
 int dax_read_lock(void);
diff --git a/mm/gup.c b/mm/gup.c
index 1b46e6e74881..a81efac6983a 100644
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -13,6 +13,7 @@ 
 #include <linux/sched/signal.h>
 #include <linux/rwsem.h>
 #include <linux/hugetlb.h>
+#include <linux/dax.h>
 
 #include <asm/mmu_context.h>
 #include <asm/pgtable.h>
@@ -693,7 +694,9 @@  static long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
 		if (unlikely(fatal_signal_pending(current)))
 			return i ? i : -ERESTARTSYS;
 		cond_resched();
+		dax_layout_lock();
 		page = follow_page_mask(vma, start, foll_flags, &page_mask);
+		dax_layout_unlock();
 		if (!page) {
 			int ret;
 			ret = faultin_page(tsk, vma, start, &foll_flags,
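Review bot: in __get_user_pages() the new dax_layout_lock() / dax_layout_unlock() pair puts the whole of follow_page_mask() inside rcu_read_lock(); please confirm that no path through follow_page_mask() can sleep for any foll_flags value, because sleeping is not permitted in that section. If some path can, the bracket needs to be narrowed to the part of the lookup that actually reads the dax page tables.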
@@ -1809,7 +1812,9 @@  int get_user_pages_fast(unsigned long start, int nr_pages, int write,
 
 	if (gup_fast_permitted(start, nr_pages, write)) {
 		local_irq_disable();
+		dax_layout_lock();
 		gup_pgd_range(addr, end, write, pages, &nr);
+		dax_layout_unlock();
 		local_irq_enable();
 		ret = nr;
 	}
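Review bot: in get_user_pages_fast() the bracket around gup_pgd_range() sits inside local_irq_disable() with no comment on what it adds there or which synchronize_rcu() it pairs with, and the thread above already agrees that this kind of ordering needs to be documented. Please add that comment, and check that every other caller of gup_pgd_range() gets the same bracket, since this hunk covers only this one.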