fscache recursive hang -- similar to loopback NFS issues

Commit Message

NeilBrown July 21, 2014, 6:40 a.m. UTC

On Sat, 19 Jul 2014 16:20:01 -0400 Milosz Tanski <milosz@adfin.com> wrote:

> Neil,
> 
> I saw your recent patcheset for improving the wait_on_bit interface
> (particular: SCHED: allow wait_on_bit_action functions to support a
> timeout.) I'm looking on some guidance on leveraging that work to
> solve other recursive lock hang in fscache.
> 
> I've ran into similar issues you're trying to solve with loopback NFS
> but in the fscache code. This happens under heavy vma preasure when
> the kernel is aggressively trying to trim the page cache.
> 
> The hang is caused by this serious of events
> 1. cachefiles_write_page - cachefiles (the fscache backend, sitting on
> ext4) tries to write page to disk
> 2. ext4 tries to allocate a page in writeback (without GPF_NOFS and
> with wait flag)
> 3. due to vma preasure the kernel tries to free-up pages
> 4. this causes release pages in ceph to be called
> 5. the selected page is cached page in process of write out (from step #1)
> 6. fscache_wait_on_page_write hangs forever
> 
> Is there a solution that you have to NFS as another patch that
> implements the timeout that I can use a template? I'm not familiar
> with that piece of the code base.

It looks like the comment in  __fscache_maybe_release_page

	/* We will wait here if we're allowed to, but that could deadlock the
	 * allocator as the work threads writing to the cache may all end up
	 * sleeping on memory allocation, so we may need to impose a timeout
	 * too. */

is correct when it says "we may need to impose a timeout".
The following __fscache_wait_on_page_write() needs to timeout.

However that doesn't use wait_on_bit(), it just has a simple wait_event.
So something like this should fix it (or should at least move the problem
along a bit).

NeilBrown

Comments

David Howells July 29, 2014, 4:12 p.m. UTC | #1

Milosz Tanski <milosz@adfin.com> wrote:

> That's the same thing exact fix I started testing on Saturday. I found that
> there already is a wait_event_timeout (even without your recent changes). The
> thing I'm not quite sure is what timeout it should use?

That's probably something to make an external tuning knob for.

David
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

NeilBrown July 29, 2014, 9:17 p.m. UTC | #2

On Tue, 29 Jul 2014 17:12:34 +0100 David Howells <dhowells@redhat.com> wrote:

> Milosz Tanski <milosz@adfin.com> wrote:
> 
> > That's the same thing exact fix I started testing on Saturday. I found that
> > there already is a wait_event_timeout (even without your recent changes). The
> > thing I'm not quite sure is what timeout it should use?
> 
> That's probably something to make an external tuning knob for.
> 
> David

Ugg.  External tuning knobs should be avoided wherever possible, and always
come with detailed instructions on how to tune them  </rant>

In this case I think it very nearly doesn't matter *at all* what value is
used.

If you set it a bit too high, then on the very very rare occasion that it
would currently deadlock, you get a longer-than-necessary wait.  So just make
sure that is short enough that by the time the sysadmin notices and starts
looking for the problem, it will be gone.

And if you set it a bit too low, then it will loop around to find another
page to deal with before that one is finished being written out, and so maybe
do a little bit more work than is needed (though it'll be needed eventually).

So the perfect number is somewhere between the typical response time for
storage, and the typical response time for the sys-admin.  Anywhere between
100ms and 10sec would do.  1 second is the geo-mean.

(sorry I didn't reply earlier - I missed you email somehow).

NeilBrown

Milosz Tanski July 30, 2014, 1:48 a.m. UTC | #3

I would vote on the lower end of the spectrum by default (closer to
100ms) since I imagine anybody deploying this in production
environment would likely be using SSD drives for the caching. And in
my tests on spinning disks there was little to no benefit outside of
reducing network traffic.

- Milosz

On Tue, Jul 29, 2014 at 5:17 PM, NeilBrown <neilb@suse.de> wrote:
> On Tue, 29 Jul 2014 17:12:34 +0100 David Howells <dhowells@redhat.com> wrote:
>
>> Milosz Tanski <milosz@adfin.com> wrote:
>>
>> > That's the same thing exact fix I started testing on Saturday. I found that
>> > there already is a wait_event_timeout (even without your recent changes). The
>> > thing I'm not quite sure is what timeout it should use?
>>
>> That's probably something to make an external tuning knob for.
>>
>> David
>
> Ugg.  External tuning knobs should be avoided wherever possible, and always
> come with detailed instructions on how to tune them  </rant>
>
> In this case I think it very nearly doesn't matter *at all* what value is
> used.
>
> If you set it a bit too high, then on the very very rare occasion that it
> would currently deadlock, you get a longer-than-necessary wait.  So just make
> sure that is short enough that by the time the sysadmin notices and starts
> looking for the problem, it will be gone.
>
> And if you set it a bit too low, then it will loop around to find another
> page to deal with before that one is finished being written out, and so maybe
> do a little bit more work than is needed (though it'll be needed eventually).
>
> So the perfect number is somewhere between the typical response time for
> storage, and the typical response time for the sys-admin.  Anywhere between
> 100ms and 10sec would do.  1 second is the geo-mean.
>
> (sorry I didn't reply earlier - I missed you email somehow).
>
> NeilBrown

NeilBrown July 30, 2014, 2:19 a.m. UTC | #4

On Tue, 29 Jul 2014 21:48:34 -0400 Milosz Tanski <milosz@adfin.com> wrote:

> I would vote on the lower end of the spectrum by default (closer to
> 100ms) since I imagine anybody deploying this in production
> environment would likely be using SSD drives for the caching. And in
> my tests on spinning disks there was little to no benefit outside of
> reducing network traffic.

Maybe I'm confused......

I thought the whole point of this patch was to avoid deadlocks.
Now you seem to be talking about a performance benefit.
What did I miss?

NeilBrown


> 
> - Milosz
> 
> On Tue, Jul 29, 2014 at 5:17 PM, NeilBrown <neilb@suse.de> wrote:
> > On Tue, 29 Jul 2014 17:12:34 +0100 David Howells <dhowells@redhat.com> wrote:
> >
> >> Milosz Tanski <milosz@adfin.com> wrote:
> >>
> >> > That's the same thing exact fix I started testing on Saturday. I found that
> >> > there already is a wait_event_timeout (even without your recent changes). The
> >> > thing I'm not quite sure is what timeout it should use?
> >>
> >> That's probably something to make an external tuning knob for.
> >>
> >> David
> >
> > Ugg.  External tuning knobs should be avoided wherever possible, and always
> > come with detailed instructions on how to tune them  </rant>
> >
> > In this case I think it very nearly doesn't matter *at all* what value is
> > used.
> >
> > If you set it a bit too high, then on the very very rare occasion that it
> > would currently deadlock, you get a longer-than-necessary wait.  So just make
> > sure that is short enough that by the time the sysadmin notices and starts
> > looking for the problem, it will be gone.
> >
> > And if you set it a bit too low, then it will loop around to find another
> > page to deal with before that one is finished being written out, and so maybe
> > do a little bit more work than is needed (though it'll be needed eventually).
> >
> > So the perfect number is somewhere between the typical response time for
> > storage, and the typical response time for the sys-admin.  Anywhere between
> > 100ms and 10sec would do.  1 second is the geo-mean.
> >
> > (sorry I didn't reply earlier - I missed you email somehow).
> >
> > NeilBrown
> 
> 
>

Milosz Tanski July 30, 2014, 4:06 p.m. UTC | #5

I don't think that fixing a dead lock should impose a somewhat
un-explainable high latency for the for the end user (or system
admin). With old drives such latencies (second plus) were not
unexpected.

- Milosz

On Tue, Jul 29, 2014 at 10:19 PM, NeilBrown <neilb@suse.de> wrote:
> On Tue, 29 Jul 2014 21:48:34 -0400 Milosz Tanski <milosz@adfin.com> wrote:
>
>> I would vote on the lower end of the spectrum by default (closer to
>> 100ms) since I imagine anybody deploying this in production
>> environment would likely be using SSD drives for the caching. And in
>> my tests on spinning disks there was little to no benefit outside of
>> reducing network traffic.
>
> Maybe I'm confused......
>
> I thought the whole point of this patch was to avoid deadlocks.
> Now you seem to be talking about a performance benefit.
> What did I miss?
>
> NeilBrown
>
>
>>
>> - Milosz
>>
>> On Tue, Jul 29, 2014 at 5:17 PM, NeilBrown <neilb@suse.de> wrote:
>> > On Tue, 29 Jul 2014 17:12:34 +0100 David Howells <dhowells@redhat.com> wrote:
>> >
>> >> Milosz Tanski <milosz@adfin.com> wrote:
>> >>
>> >> > That's the same thing exact fix I started testing on Saturday. I found that
>> >> > there already is a wait_event_timeout (even without your recent changes). The
>> >> > thing I'm not quite sure is what timeout it should use?
>> >>
>> >> That's probably something to make an external tuning knob for.
>> >>
>> >> David
>> >
>> > Ugg.  External tuning knobs should be avoided wherever possible, and always
>> > come with detailed instructions on how to tune them  </rant>
>> >
>> > In this case I think it very nearly doesn't matter *at all* what value is
>> > used.
>> >
>> > If you set it a bit too high, then on the very very rare occasion that it
>> > would currently deadlock, you get a longer-than-necessary wait.  So just make
>> > sure that is short enough that by the time the sysadmin notices and starts
>> > looking for the problem, it will be gone.
>> >
>> > And if you set it a bit too low, then it will loop around to find another
>> > page to deal with before that one is finished being written out, and so maybe
>> > do a little bit more work than is needed (though it'll be needed eventually).
>> >
>> > So the perfect number is somewhere between the typical response time for
>> > storage, and the typical response time for the sys-admin.  Anywhere between
>> > 100ms and 10sec would do.  1 second is the geo-mean.
>> >
>> > (sorry I didn't reply earlier - I missed you email somehow).
>> >
>> > NeilBrown
>>
>>
>>
>

Milosz Tanski Aug. 5, 2014, 4:12 a.m. UTC | #6

I was away for a few days but I did think about this some more and how
to avoid a tunable and having a sensible default option.

FSCache already tracks statistics about how long writes and reads take
(at least if you enable that option). With those stats in hand we
should be able generate a default timeout value that works well and
avoid a tunable.

My self I thinking something like the 90th percentile time for page
write... whatever the value may be this should be a decent way of
auto-optimizing this timeout.

- M

On Wed, Jul 30, 2014 at 12:06 PM, Milosz Tanski <milosz@adfin.com> wrote:
> I don't think that fixing a dead lock should impose a somewhat
> un-explainable high latency for the for the end user (or system
> admin). With old drives such latencies (second plus) were not
> unexpected.
>
> - Milosz
>
> On Tue, Jul 29, 2014 at 10:19 PM, NeilBrown <neilb@suse.de> wrote:
>> On Tue, 29 Jul 2014 21:48:34 -0400 Milosz Tanski <milosz@adfin.com> wrote:
>>
>>> I would vote on the lower end of the spectrum by default (closer to
>>> 100ms) since I imagine anybody deploying this in production
>>> environment would likely be using SSD drives for the caching. And in
>>> my tests on spinning disks there was little to no benefit outside of
>>> reducing network traffic.
>>
>> Maybe I'm confused......
>>
>> I thought the whole point of this patch was to avoid deadlocks.
>> Now you seem to be talking about a performance benefit.
>> What did I miss?
>>
>> NeilBrown
>>
>>
>>>
>>> - Milosz
>>>
>>> On Tue, Jul 29, 2014 at 5:17 PM, NeilBrown <neilb@suse.de> wrote:
>>> > On Tue, 29 Jul 2014 17:12:34 +0100 David Howells <dhowells@redhat.com> wrote:
>>> >
>>> >> Milosz Tanski <milosz@adfin.com> wrote:
>>> >>
>>> >> > That's the same thing exact fix I started testing on Saturday. I found that
>>> >> > there already is a wait_event_timeout (even without your recent changes). The
>>> >> > thing I'm not quite sure is what timeout it should use?
>>> >>
>>> >> That's probably something to make an external tuning knob for.
>>> >>
>>> >> David
>>> >
>>> > Ugg.  External tuning knobs should be avoided wherever possible, and always
>>> > come with detailed instructions on how to tune them  </rant>
>>> >
>>> > In this case I think it very nearly doesn't matter *at all* what value is
>>> > used.
>>> >
>>> > If you set it a bit too high, then on the very very rare occasion that it
>>> > would currently deadlock, you get a longer-than-necessary wait.  So just make
>>> > sure that is short enough that by the time the sysadmin notices and starts
>>> > looking for the problem, it will be gone.
>>> >
>>> > And if you set it a bit too low, then it will loop around to find another
>>> > page to deal with before that one is finished being written out, and so maybe
>>> > do a little bit more work than is needed (though it'll be needed eventually).
>>> >
>>> > So the perfect number is somewhere between the typical response time for
>>> > storage, and the typical response time for the sys-admin.  Anywhere between
>>> > 100ms and 10sec would do.  1 second is the geo-mean.
>>> >
>>> > (sorry I didn't reply earlier - I missed you email somehow).
>>> >
>>> > NeilBrown
>>>
>>>
>>>
>>
>
>
>
> --
> Milosz Tanski
> CTO
> 16 East 34th Street, 15th floor
> New York, NY 10016
>
> p: 646-253-9055
> e: milosz@adfin.com

NeilBrown Aug. 5, 2014, 4:49 a.m. UTC | #7

On Tue, 5 Aug 2014 00:12:25 -0400 Milosz Tanski <milosz@adfin.com> wrote:

> I was away for a few days but I did think about this some more and how
> to avoid a tunable and having a sensible default option.
> 
> FSCache already tracks statistics about how long writes and reads take
> (at least if you enable that option). With those stats in hand we
> should be able generate a default timeout value that works well and
> avoid a tunable.
> 
> My self I thinking something like the 90th percentile time for page
> write... whatever the value may be this should be a decent way of
> auto-optimizing this timeout.

Sounds like it could be a good approach, though if stats aren't enabled we
need a sensible fall back.

What is the actual cost of having the timeout too small?  I guess it might be
unnecessary writeouts, but I haven't done any analysis.
If the cost is expected to be quite small, a smaller timeout might be very
appropriate.

One statistic that might be interesting is how long that wait typically takes
at present, and how often it deadlocks.

Mind you, we might be trying too hard.  Maybe just go for 100ms.

When you suggested that, I wasn't really objecting to your choice of a
number.  I was surprised because you seemed to justify it as a performance
concern, and I didn't think deadlocks would happen often enough for that to
be a valid concern.  When deadlock do happen, I presume the system is
temporarily under high memory pressure so lots of things are probably going
slowly, so a delay of a second might not be noticed.
But there are way too many "probably"s and "might"s.  If you can present
anything that looks like real data, it'll certainly trump all my hypotheses.

Thanks,
NeilBrown

> 
> - M
> 
> On Wed, Jul 30, 2014 at 12:06 PM, Milosz Tanski <milosz@adfin.com> wrote:
> > I don't think that fixing a dead lock should impose a somewhat
> > un-explainable high latency for the for the end user (or system
> > admin). With old drives such latencies (second plus) were not
> > unexpected.
> >
> > - Milosz
> >
> > On Tue, Jul 29, 2014 at 10:19 PM, NeilBrown <neilb@suse.de> wrote:
> >> On Tue, 29 Jul 2014 21:48:34 -0400 Milosz Tanski <milosz@adfin.com> wrote:
> >>
> >>> I would vote on the lower end of the spectrum by default (closer to
> >>> 100ms) since I imagine anybody deploying this in production
> >>> environment would likely be using SSD drives for the caching. And in
> >>> my tests on spinning disks there was little to no benefit outside of
> >>> reducing network traffic.
> >>
> >> Maybe I'm confused......
> >>
> >> I thought the whole point of this patch was to avoid deadlocks.
> >> Now you seem to be talking about a performance benefit.
> >> What did I miss?
> >>
> >> NeilBrown
> >>
> >>
> >>>
> >>> - Milosz
> >>>
> >>> On Tue, Jul 29, 2014 at 5:17 PM, NeilBrown <neilb@suse.de> wrote:
> >>> > On Tue, 29 Jul 2014 17:12:34 +0100 David Howells <dhowells@redhat.com> wrote:
> >>> >
> >>> >> Milosz Tanski <milosz@adfin.com> wrote:
> >>> >>
> >>> >> > That's the same thing exact fix I started testing on Saturday. I found that
> >>> >> > there already is a wait_event_timeout (even without your recent changes). The
> >>> >> > thing I'm not quite sure is what timeout it should use?
> >>> >>
> >>> >> That's probably something to make an external tuning knob for.
> >>> >>
> >>> >> David
> >>> >
> >>> > Ugg.  External tuning knobs should be avoided wherever possible, and always
> >>> > come with detailed instructions on how to tune them  </rant>
> >>> >
> >>> > In this case I think it very nearly doesn't matter *at all* what value is
> >>> > used.
> >>> >
> >>> > If you set it a bit too high, then on the very very rare occasion that it
> >>> > would currently deadlock, you get a longer-than-necessary wait.  So just make
> >>> > sure that is short enough that by the time the sysadmin notices and starts
> >>> > looking for the problem, it will be gone.
> >>> >
> >>> > And if you set it a bit too low, then it will loop around to find another
> >>> > page to deal with before that one is finished being written out, and so maybe
> >>> > do a little bit more work than is needed (though it'll be needed eventually).
> >>> >
> >>> > So the perfect number is somewhere between the typical response time for
> >>> > storage, and the typical response time for the sys-admin.  Anywhere between
> >>> > 100ms and 10sec would do.  1 second is the geo-mean.
> >>> >
> >>> > (sorry I didn't reply earlier - I missed you email somehow).
> >>> >
> >>> > NeilBrown
> >>>
> >>>
> >>>
> >>
> >
> >
> >
> > --
> > Milosz Tanski
> > CTO
> > 16 East 34th Street, 15th floor
> > New York, NY 10016
> >
> > p: 646-253-9055
> > e: milosz@adfin.com
> 
> 
>

David Howells Aug. 5, 2014, 2:32 p.m. UTC | #8

Milosz Tanski <milosz@adfin.com> wrote:

> FSCache already tracks statistics about how long writes and reads take
> (at least if you enable that option). With those stats in hand we
> should be able generate a default timeout value that works well and
> avoid a tunable.

If stat generation is going to be on all the time, it should probably use
something other than atomic ops.  NFS uses a set of ints on each CPU which are
added together when needed.

David
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/fs/fscache/page.c b/fs/fscache/page.c
index ed70714503fa..58035024c5cf 100644
--- a/fs/fscache/page.c
+++ b/fs/fscache/page.c
@@ -43,6 +43,13 @@  void __fscache_wait_on_page_write(struct fscache_cookie *cookie, struct page *pa
 }
 EXPORT_SYMBOL(__fscache_wait_on_page_write);
 
+void __fscache_wait_on_page_write_timeout(struct fscache_cookie *cookie, struct page *page, unsigned long timeout)
+{
+	wait_queue_head_t *wq = bit_waitqueue(&cookie->flags, 0);
+
+	wait_event_timeout(*wq, !__fscache_check_page_write(cookie, page), timeout);
+}
+
 /*
  * decide whether a page can be released, possibly by cancelling a store to it
  * - we're allowed to sleep if __GFP_WAIT is flagged
@@ -115,7 +122,7 @@  page_busy:
 	}
 
 	fscache_stat(&fscache_n_store_vmscan_wait);
-	__fscache_wait_on_page_write(cookie, page);
+	__fscache_wait_on_page_write_timeout(cookie, page, HZ);
 	gfp &= ~__GFP_WAIT;
 	goto try_again;
 }