| Message ID | 1563171470-3117-1-git-send-email-anshuman.khandual@arm.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | arm64/mm: Enable memory hot remove | expand |
Hi Anshuman, On Mon, Jul 15, 2019 at 11:47:47AM +0530, Anshuman Khandual wrote: > This series enables memory hot remove on arm64 after fixing a memblock > removal ordering problem in generic try_remove_memory() and a possible > arm64 platform specific kernel page table race condition. This series > is based on linux-next (next-20190712). > > Concurrent vmalloc() and hot-remove conflict: > > As pointed out earlier on the v5 thread [2] there can be potential conflict > between concurrent vmalloc() and memory hot-remove operation. This can be > solved or at least avoided with some possible methods. The problem here is > caused by inadequate locking in vmalloc() which protects installation of a > page table page but not the walk or the leaf entry modification. > > Option 1: Making locking in vmalloc() adequate > > Current locking scheme protects installation of page table pages but not the > page table walk or leaf entry creation which can conflict with hot-remove. > This scheme is sufficient for now as vmalloc() works on mutually exclusive > ranges which can proceed concurrently only if their shared page table pages > can be created while inside the lock. It achieves performance improvement > which will be compromised if entire vmalloc() operation (even if with some > optimization) has to be completed under a lock. > > Option 2: Making sure hot-remove does not happen during vmalloc() > > Take mem_hotplug_lock in read mode through [get|put]_online_mems() constructs > for the entire duration of vmalloc(). It protects from concurrent memory hot > remove operation and does not add any significant overhead to other concurrent > vmalloc() threads. It solves the problem in right way unless we do not want to > extend the usage of mem_hotplug_lock in generic MM. > > Option 3: Memory hot-remove does not free (conflicting) page table pages > > Don't not free page table pages (if any) for vmemmap mappings after unmapping > it's virtual range. The only downside here is that some page table pages might > remain empty and unused until next memory hot-add operation of the same memory > range. > > Option 4: Dont let vmalloc and vmemmap share intermediate page table pages > > The conflict does not arise if vmalloc and vmemap range do not share kernel > page table pages to start with. If such placement can be ensured in platform > kernel virtual address layout, this problem can be successfully avoided. > > There are two generic solutions (Option 1 and 2) and two platform specific > solutions (Options 2 and 3). This series has decided to go with (Option 3) > which requires minimum changes while self-contained inside the functionality. ... while also leaking memory, right? In my view, option 2 or 4 would have been preferable. Were there specific technical reasons to not go down either of those routes? I'm not sure that minimizing changes is the right rout given that this same problem presumably applies to other architectures, which will need to be fixed. Do we know why we aren't seeing issues on other architectures? e.g. is the issue possible but rare (and hence not reported), or masked by something else (e.g. the layout of the kernel VA space)? I'd like to solve the underyling issue before we start adding new functionality. > Testing: > > Memory hot remove has been tested on arm64 for 4K, 16K, 64K page config > options with all possible CONFIG_ARM64_VA_BITS and CONFIG_PGTABLE_LEVELS > combinations. Its only build tested on non-arm64 platforms. Could you please share how you've tested this? Having instructions so that I could reproduce this locally would be very helpful. Thanks, Mark.
On 07/23/2019 04:26 PM, Mark Rutland wrote: > Hi Anshuman, Hello Mark, > > On Mon, Jul 15, 2019 at 11:47:47AM +0530, Anshuman Khandual wrote: >> This series enables memory hot remove on arm64 after fixing a memblock >> removal ordering problem in generic try_remove_memory() and a possible >> arm64 platform specific kernel page table race condition. This series >> is based on linux-next (next-20190712). >> >> Concurrent vmalloc() and hot-remove conflict: >> >> As pointed out earlier on the v5 thread [2] there can be potential conflict >> between concurrent vmalloc() and memory hot-remove operation. This can be >> solved or at least avoided with some possible methods. The problem here is >> caused by inadequate locking in vmalloc() which protects installation of a >> page table page but not the walk or the leaf entry modification. >> >> Option 1: Making locking in vmalloc() adequate >> >> Current locking scheme protects installation of page table pages but not the >> page table walk or leaf entry creation which can conflict with hot-remove. >> This scheme is sufficient for now as vmalloc() works on mutually exclusive >> ranges which can proceed concurrently only if their shared page table pages >> can be created while inside the lock. It achieves performance improvement >> which will be compromised if entire vmalloc() operation (even if with some >> optimization) has to be completed under a lock. >> >> Option 2: Making sure hot-remove does not happen during vmalloc() >> >> Take mem_hotplug_lock in read mode through [get|put]_online_mems() constructs >> for the entire duration of vmalloc(). It protects from concurrent memory hot >> remove operation and does not add any significant overhead to other concurrent >> vmalloc() threads. It solves the problem in right way unless we do not want to >> extend the usage of mem_hotplug_lock in generic MM. >> >> Option 3: Memory hot-remove does not free (conflicting) page table pages >> >> Don't not free page table pages (if any) for vmemmap mappings after unmapping >> it's virtual range. The only downside here is that some page table pages might >> remain empty and unused until next memory hot-add operation of the same memory >> range. >> >> Option 4: Dont let vmalloc and vmemmap share intermediate page table pages >> >> The conflict does not arise if vmalloc and vmemap range do not share kernel >> page table pages to start with. If such placement can be ensured in platform >> kernel virtual address layout, this problem can be successfully avoided. >> >> There are two generic solutions (Option 1 and 2) and two platform specific >> solutions (Options 2 and 3). This series has decided to go with (Option 3) s/Option 2 and 3/Option 3 and 4/ >> which requires minimum changes while self-contained inside the functionality. > > ... while also leaking memory, right? This is not a memory leak. In the worst case where an empty page table page could have been freed after parts of it's kernel virtual range span's vmemmap mapping has been taken down still remains attached to the higher level page table entry. This empty page table page will be completely reusable during future vmalloc() allocations or vmemmap mapping for newly hot added memory in overlapping memory range. It is just an empty data structure sticking around which could (probably would) be reused later. This problem will not scale and get worse because its part of kernel page table not user process which could get multiplied. Its a small price we are paying to remain safe from a vmalloc() and memory hot remove potential collisions on the kernel page table. IMHO that is fair enough. > > In my view, option 2 or 4 would have been preferable. Were there I would say option 2 is the ideal solution where we make sure that each vmalloc() instance is protected against concurrent memory hot remove through a read side lock via [get|put]_online_mems(). Option 4 is very much platform specific and each platform has to make sure that they remain compliant all the time which is not ideal. Its is also an a work around which avoids the problem and does not really fix it. > specific technical reasons to not go down either of those routes? I'm Option 2 will require wider agreement as it involves a very critical hot-path vmalloc() which can affect many workloads. IMHO Option 4 is neither optimal and not does it solve the problem correctly. Like this approach it just avoids it but unlike this touches upon another code area. > not sure that minimizing changes is the right rout given that this same > problem presumably applies to other architectures, which will need to be > fixed. Yes this needs to be fixed but we can get there one step at a time. vmemmap tear down process can start freeing empty page table pages when this gets solved. But why should it prevent entire memory hot remove functionality from being available. > > Do we know why we aren't seeing issues on other architectures? e.g. is > the issue possible but rare (and hence not reported), or masked by > something else (e.g. the layout of the kernel VA space)? I would believe so but we can only get more insights from respective architecture folks. > > I'd like to solve the underyling issue before we start adding new > functionality. The entire memory hot-remove functionality from the platform perspective has four primary functions. 1. Tear down linear mapping 2. Tear down vmemmap mapping 3. Free empty kernel page table pages after tearing down linear mapping 4. Free empty kernel page table pages after tearing down vmemmap mapping This particular issue mentioned before prevents just the last function (4) which in the worst case will retain some empty page tables pages erstwhile holding vmemmap mapping in the kernel page table but otherwise provides complete memory hot remove functionality. Why should all these remaining memory hot-remove functions be prevented from being available for use ? The remaining set of functions (1-3) do not create any side affects or introduce any new bugs. Also function (4) is not tightly coupled with rest of the functions (1-3) and anyways will be unlocked independently when the particular issue gets resolved. The point I am trying to make here is they are not tightly coupled and perceiving them that way blocks remaining memory hot-remove functionality from being available. > >> Testing: >> >> Memory hot remove has been tested on arm64 for 4K, 16K, 64K page config >> options with all possible CONFIG_ARM64_VA_BITS and CONFIG_PGTABLE_LEVELS >> combinations. Its only build tested on non-arm64 platforms. > > Could you please share how you've tested this? > > Having instructions so that I could reproduce this locally would be very > helpful. Please find the series rebased on v5.3-rc1 along with test patches which enable sysfs interfaces for memory hot add and remove used for testing. git://linux-arm.org/linux-anshuman.git (memory_hotremove/v6_resend_v5.3-rc1) Sample Testing Procedure: echo offline > /sys/devices/system/memory/auto_online_blocks echo 0x680000000 > /sys/devices/system/memory/probe echo online_movable > /sys/devices/system/memory/memory26/state echo 0x680000000 > /sys/devices/system/memory/unprobe Writing into unprobe trigger offlining first followed by actual memory removal. NOTE: This assumes that 0x680000000 is valid memory block starting physical address and memory26 gets created because of the preceding memory hot addition. Please use appropriate values based on your local setup. Let me know how it goes and if I could provide more information. - Anshuman
On Wed, Jul 24, 2019 at 12:28:50PM +0530, Anshuman Khandual wrote: > On 07/23/2019 04:26 PM, Mark Rutland wrote: > > On Mon, Jul 15, 2019 at 11:47:47AM +0530, Anshuman Khandual wrote: > >> This series enables memory hot remove on arm64 after fixing a memblock > >> removal ordering problem in generic try_remove_memory() and a possible > >> arm64 platform specific kernel page table race condition. This series > >> is based on linux-next (next-20190712). > >> > >> Concurrent vmalloc() and hot-remove conflict: > >> > >> As pointed out earlier on the v5 thread [2] there can be potential conflict > >> between concurrent vmalloc() and memory hot-remove operation. This can be > >> solved or at least avoided with some possible methods. The problem here is > >> caused by inadequate locking in vmalloc() which protects installation of a > >> page table page but not the walk or the leaf entry modification. > >> > >> Option 1: Making locking in vmalloc() adequate > >> > >> Current locking scheme protects installation of page table pages but not the > >> page table walk or leaf entry creation which can conflict with hot-remove. > >> This scheme is sufficient for now as vmalloc() works on mutually exclusive > >> ranges which can proceed concurrently only if their shared page table pages > >> can be created while inside the lock. It achieves performance improvement > >> which will be compromised if entire vmalloc() operation (even if with some > >> optimization) has to be completed under a lock. > >> > >> Option 2: Making sure hot-remove does not happen during vmalloc() > >> > >> Take mem_hotplug_lock in read mode through [get|put]_online_mems() constructs > >> for the entire duration of vmalloc(). It protects from concurrent memory hot > >> remove operation and does not add any significant overhead to other concurrent > >> vmalloc() threads. It solves the problem in right way unless we do not want to > >> extend the usage of mem_hotplug_lock in generic MM. > >> > >> Option 3: Memory hot-remove does not free (conflicting) page table pages > >> > >> Don't not free page table pages (if any) for vmemmap mappings after unmapping > >> it's virtual range. The only downside here is that some page table pages might > >> remain empty and unused until next memory hot-add operation of the same memory > >> range. > >> > >> Option 4: Dont let vmalloc and vmemmap share intermediate page table pages > >> > >> The conflict does not arise if vmalloc and vmemap range do not share kernel > >> page table pages to start with. If such placement can be ensured in platform > >> kernel virtual address layout, this problem can be successfully avoided. > >> > >> There are two generic solutions (Option 1 and 2) and two platform specific > >> solutions (Options 2 and 3). This series has decided to go with (Option 3) > > s/Option 2 and 3/Option 3 and 4/ > > >> which requires minimum changes while self-contained inside the functionality. > > > > ... while also leaking memory, right? > > This is not a memory leak. In the worst case where an empty page table page could > have been freed after parts of it's kernel virtual range span's vmemmap mapping has > been taken down still remains attached to the higher level page table entry. This > empty page table page will be completely reusable during future vmalloc() allocations > or vmemmap mapping for newly hot added memory in overlapping memory range. It is just > an empty data structure sticking around which could (probably would) be reused later. > This problem will not scale and get worse because its part of kernel page table not > user process which could get multiplied. Its a small price we are paying to remain > safe from a vmalloc() and memory hot remove potential collisions on the kernel page > table. IMHO that is fair enough. I appreciate that we can reuse the memory if we hotplug the same phyiscal range. Regardless, I think it's important to note that this approach leaves that memory around. Could you please quantify how much memory this would be? i.e. for a 4K 48-bit VA kernel, how many pages would be left over for a 1GiB region of memory? > > In my view, option 2 or 4 would have been preferable. Were there > > I would say option 2 is the ideal solution where we make sure that each vmalloc() > instance is protected against concurrent memory hot remove through a read side lock > via [get|put]_online_mems(). I agree that this would be simple to reason about. However, even taking a read lock could significantly change the performance of operations in the vmalloc space, so that would need to be quantified. Additionally, hotplug operations would stall all vmalloc space operations, which is unfortunate. > Option 4 is very much platform specific and each platform has to make sure that they > remain compliant all the time which is not ideal. Its is also an a work around which > avoids the problem and does not really fix it. I understand that you don't like this solution. I think it should be simple to verify that the layout is safe via BUILD_BUG_ON() checking the regions we care about don't overlap, so I don't buy that it's all that difficult to ensure going forward if it's naturally the case today. > > specific technical reasons to not go down either of those routes? I'm > > Option 2 will require wider agreement as it involves a very critical hot-path vmalloc() > which can affect many workloads. I agree that this would need to be quantified. > IMHO Option 4 is neither optimal and not does it solve the problem > correctly. Like this approach it just avoids it but unlike this > touches upon another code area. I disagree that option 4 wouldn't be correct; it's just avoiding the issue at a different level. > > not sure that minimizing changes is the right rout given that this same > > problem presumably applies to other architectures, which will need to be > > fixed. > > Yes this needs to be fixed but we can get there one step at a time. vmemmap tear > down process can start freeing empty page table pages when this gets solved. But > why should it prevent entire memory hot remove functionality from being available. My experience has been that people rarely go back to solve the edge cases once the feature they care about has been merged, and we're left with more edge cases... I think we at least need to have a clear idea that we can fix the problem before we punt it on as later cleanup. Especially given that this seems like it is an existing problem affecting other architectures. > > Do we know why we aren't seeing issues on other architectures? e.g. is > > the issue possible but rare (and hence not reported), or masked by > > something else (e.g. the layout of the kernel VA space)? > > I would believe so but we can only get more insights from respective architecture folks. Could you please investigate, e.g. have a look at how this works on x86? You should be able to figure out if the VA ranges overlap, and I suspect that if there is a problem youi can deliberately trigger it within a QEMU VM. > >> Testing: > >> > >> Memory hot remove has been tested on arm64 for 4K, 16K, 64K page config > >> options with all possible CONFIG_ARM64_VA_BITS and CONFIG_PGTABLE_LEVELS > >> combinations. Its only build tested on non-arm64 platforms. > > > > Could you please share how you've tested this? > > > > Having instructions so that I could reproduce this locally would be very > > helpful. > > Please find the series rebased on v5.3-rc1 along with test patches which > enable sysfs interfaces for memory hot add and remove used for testing. > > git://linux-arm.org/linux-anshuman.git (memory_hotremove/v6_resend_v5.3-rc1) > > Sample Testing Procedure: > > echo offline > /sys/devices/system/memory/auto_online_blocks > echo 0x680000000 > /sys/devices/system/memory/probe > echo online_movable > /sys/devices/system/memory/memory26/state > echo 0x680000000 > /sys/devices/system/memory/unprobe > > Writing into unprobe trigger offlining first followed by actual memory removal. > > NOTE: > > This assumes that 0x680000000 is valid memory block starting physical address > and memory26 gets created because of the preceding memory hot addition. Please > use appropriate values based on your local setup. Let me know how it goes and > if I could provide more information. Thanks for these notes; they're very helpful! Mark.
On 07/25/2019 07:21 PM, Mark Rutland wrote: > On Wed, Jul 24, 2019 at 12:28:50PM +0530, Anshuman Khandual wrote: >> On 07/23/2019 04:26 PM, Mark Rutland wrote: >>> On Mon, Jul 15, 2019 at 11:47:47AM +0530, Anshuman Khandual wrote: >>>> This series enables memory hot remove on arm64 after fixing a memblock >>>> removal ordering problem in generic try_remove_memory() and a possible >>>> arm64 platform specific kernel page table race condition. This series >>>> is based on linux-next (next-20190712). >>>> >>>> Concurrent vmalloc() and hot-remove conflict: >>>> >>>> As pointed out earlier on the v5 thread [2] there can be potential conflict >>>> between concurrent vmalloc() and memory hot-remove operation. This can be >>>> solved or at least avoided with some possible methods. The problem here is >>>> caused by inadequate locking in vmalloc() which protects installation of a >>>> page table page but not the walk or the leaf entry modification. >>>> >>>> Option 1: Making locking in vmalloc() adequate >>>> >>>> Current locking scheme protects installation of page table pages but not the >>>> page table walk or leaf entry creation which can conflict with hot-remove. >>>> This scheme is sufficient for now as vmalloc() works on mutually exclusive >>>> ranges which can proceed concurrently only if their shared page table pages >>>> can be created while inside the lock. It achieves performance improvement >>>> which will be compromised if entire vmalloc() operation (even if with some >>>> optimization) has to be completed under a lock. >>>> >>>> Option 2: Making sure hot-remove does not happen during vmalloc() >>>> >>>> Take mem_hotplug_lock in read mode through [get|put]_online_mems() constructs >>>> for the entire duration of vmalloc(). It protects from concurrent memory hot >>>> remove operation and does not add any significant overhead to other concurrent >>>> vmalloc() threads. It solves the problem in right way unless we do not want to >>>> extend the usage of mem_hotplug_lock in generic MM. >>>> >>>> Option 3: Memory hot-remove does not free (conflicting) page table pages >>>> >>>> Don't not free page table pages (if any) for vmemmap mappings after unmapping >>>> it's virtual range. The only downside here is that some page table pages might >>>> remain empty and unused until next memory hot-add operation of the same memory >>>> range. >>>> >>>> Option 4: Dont let vmalloc and vmemmap share intermediate page table pages >>>> >>>> The conflict does not arise if vmalloc and vmemap range do not share kernel >>>> page table pages to start with. If such placement can be ensured in platform >>>> kernel virtual address layout, this problem can be successfully avoided. >>>> >>>> There are two generic solutions (Option 1 and 2) and two platform specific >>>> solutions (Options 2 and 3). This series has decided to go with (Option 3) >> >> s/Option 2 and 3/Option 3 and 4/ >> >>>> which requires minimum changes while self-contained inside the functionality. >>> >>> ... while also leaking memory, right? >> >> This is not a memory leak. In the worst case where an empty page table page could >> have been freed after parts of it's kernel virtual range span's vmemmap mapping has >> been taken down still remains attached to the higher level page table entry. This >> empty page table page will be completely reusable during future vmalloc() allocations >> or vmemmap mapping for newly hot added memory in overlapping memory range. It is just >> an empty data structure sticking around which could (probably would) be reused later. >> This problem will not scale and get worse because its part of kernel page table not >> user process which could get multiplied. Its a small price we are paying to remain >> safe from a vmalloc() and memory hot remove potential collisions on the kernel page >> table. IMHO that is fair enough. > > I appreciate that we can reuse the memory if we hotplug the same > phyiscal range. > > Regardless, I think it's important to note that this approach leaves > that memory around. Could you please quantify how much memory this > would be? i.e. for a 4K 48-bit VA kernel, how many pages would be left > over for a 1GiB region of memory? Evaluated this for all possible configs with a single 1GB memory region for hot remove. 1. 4K page size - 39 bit VA - 3 LEVEL PGTABLE Potential pte page [freed: 0 skipped: 0] Potential pmd page [freed: 0 skipped: 1] 2. 4K page size - 48 bit VA - 4 LEVEL PGTABLE Potential pte page [freed: 0 skipped: 0] Potential pmd page [freed: 0 skipped: 1] Potential pud page [freed: 0 skipped: 1] 3. 16K page size - 47 bit VA - 3 LEVEL PGTABLE Potential pte page [freed: 0 skipped: 1] Potential pmd page [freed: 0 skipped: 1] 4. 16K page size - 48 bit VA - 4 LEVEL PGTABLE Potential pte page [freed: 0 skipped: 1] Potential pmd page [freed: 0 skipped: 1] Potential pud page [freed: 0 skipped: 1] 5. 64K page size - 42 bit VA - 2 LEVEL PGTABLE Potential pte page [freed: 0 skipped: 1] 6. 64K page size - 48 bit VA - 3 LEVEL PGTABLE Potential pte page [freed: 0 skipped: 1] Potential pmd page [freed: 0 skipped: 1] 7. 64K page size - 52 bit VA - 3 LEVEL PGTABLE Potential pte page [freed: 0 skipped: 1] Potential pmd page [freed: 0 skipped: 1] This is based on if free_empty_tables() would have been called from vmemmap_free() during memory hot remove process then how many pages would have got freed or skipped. Freed: pgtable pages (pte|pmd|pud) did actually get freed Skipped: pgtable pages (pte|pmd|pud) did not get freed due to other valid and present entries This indicates there no potential free page table pages being left around with 1GB memory region. It might be because of this particular memory region in the experiment which finds a particular place in the kernel page table based on it's starting address. Regardless it at least indicates that memory pages being left around during hot remove (if any) would be minimal. > >>> In my view, option 2 or 4 would have been preferable. Were there >> >> I would say option 2 is the ideal solution where we make sure that each vmalloc() >> instance is protected against concurrent memory hot remove through a read side lock >> via [get|put]_online_mems(). > > I agree that this would be simple to reason about. However, even taking > a read lock could significantly change the performance of operations in > the vmalloc space, so that would need to be quantified. Additionally, > hotplug operations would stall all vmalloc space operations, which is > unfortunate. > >> Option 4 is very much platform specific and each platform has to make sure that they >> remain compliant all the time which is not ideal. Its is also an a work around which >> avoids the problem and does not really fix it. > > I understand that you don't like this solution. > > I think it should be simple to verify that the layout is safe via > BUILD_BUG_ON() checking the regions we care about don't overlap, so I > don't buy that it's all that difficult to ensure going forward if it's > naturally the case today. The concern was that platform need to ensure this all the time not that it is difficult to do so. I did evaluate this for all possible config options. 1. 4K page size - 39 bit VA - 3 LEVEL PGTABLE vmalloc [start ffffff8010000000 end ffffffbebfff0000 size 3eafff0000] vmemmap [start ffffffbf00000000 end ffffffc000000000 size 100000000] pgtable [pgdir 40000000 pud 40000000 pmd 200000] spacing [40010000] 2. 4K page size - 48 bit VA - 4 LEVEL PGTABLE vmalloc [start ffff000010000000 end ffff7dffbfff0000 size 7dffafff0000] vmemmap [start ffff7e0000000000 end ffff800000000000 size 20000000000] pgtable [pgdir 8000000000 pud 40000000 pmd 200000] spacing [40010000] 3. 16K page size - 47 bit VA - 3 LEVEL PGTABLE vmalloc [start ffff800010000000 end ffffbfafffff0000 size 3fafefff0000] vmemmap [start ffffbfc000000000 end ffffc00000000000 size 4000000000] pgtable [pgdir 1000000000 pud 1000000000 pmd 2000000] spacing [1000010000] 4. 16K page size - 48 bit VA - 4 LEVEL PGTABLE vmalloc [start ffff000010000000 end ffff7f6fffff0000 size 7f6fefff0000] vmemmap [start ffff7f8000000000 end ffff800000000000 size 8000000000] pgtable [pgdir 800000000000 pud 1000000000 pmd 2000000] spacing [1000010000] PGD overlapping 5. 64K page size - 42 bit VA - 2 LEVEL PGTABLE vmalloc [start fffffc0010000000 end fffffdff5fff0000 size 1ff4fff0000] vmemmap [start fffffdff80000000 end fffffe0000000000 size 80000000] pgtable [pgdir 20000000 pud 20000000 pmd 20000000] spacing [20010000] 6. 64K page size - 48 bit VA - 3 LEVEL PGTABLE vmalloc [start ffff000010000000 end ffff7bdfffff0000 size 7bdfefff0000] vmemmap [start ffff7fe000000000 end ffff800000000000 size 2000000000] pgtable [pgdir 40000000000 pud 40000000000 pmd 20000000] spacing [40000010000] 7. 64K page size - 52 bit VA - 3 LEVEL PGTABLE vmalloc [start ffff000010000000 end ffff7bdfffff0000 size 7bdfefff0000] vmemmap [start ffff7fe000000000 end ffff800000000000 size 2000000000] pgtable [pgdir 40000000000 pud 40000000000 pmd 20000000] spacing [40000010000] So except just one case (16K page size - 48 bit VA - 4 LEVEL PGTABLE) vmalloc and vmemmap does not seem to share any intermediate page table entry. Even in that case it shares just a PGD entry. So calling free_empty_tables() during memory hot-remove might not be that risky as it appeared before and just to be sure we can have a BUILD_BUG_ON() when memory hot remove is enabled which will make sure that (vmalloc - vmemap) spacing is adequate. When a PGD entry (i.e PUD page) is being shared it can still potentially collide with a concurrent vmalloc(). Should we not call free_empty_tables() only for that particular case ? Any thoughts ? spacing: (vmalloc - vmemmap) pgdir: PGDIR_SIZE pud: PUD_SIZE pmd: PMD_SIZE > >>> specific technical reasons to not go down either of those routes? I'm >> >> Option 2 will require wider agreement as it involves a very critical hot-path vmalloc() >> which can affect many workloads. > > I agree that this would need to be quantified. > >> IMHO Option 4 is neither optimal and not does it solve the problem >> correctly. Like this approach it just avoids it but unlike this >> touches upon another code area. > > I disagree that option 4 wouldn't be correct; it's just avoiding the > issue at a different level. > >>> not sure that minimizing changes is the right rout given that this same >>> problem presumably applies to other architectures, which will need to be >>> fixed. >> >> Yes this needs to be fixed but we can get there one step at a time. vmemmap tear >> down process can start freeing empty page table pages when this gets solved. But >> why should it prevent entire memory hot remove functionality from being available. > > My experience has been that people rarely go back to solve the edge > cases once the feature they care about has been merged, and we're left > with more edge cases... > > I think we at least need to have a clear idea that we can fix the > problem before we punt it on as later cleanup. Especially given that > this seems like it is an existing problem affecting other architectures. > >>> Do we know why we aren't seeing issues on other architectures? e.g. is >>> the issue possible but rare (and hence not reported), or masked by >>> something else (e.g. the layout of the kernel VA space)? >> >> I would believe so but we can only get more insights from respective architecture folks. > > Could you please investigate, e.g. have a look at how this works on x86? > > You should be able to figure out if the VA ranges overlap, and I suspect > that if there is a problem youi can deliberately trigger it within a > QEMU VM. Even on x86 the vmemmap vmalloc separation seems adequate. IIUC X86 does not seem to have other config combinations which need to verified. Please let me know if that is not correct. vmalloc [start ffffb91080000000 end ffffd9107fffffff size 1fffffffffff] vmemmap [start ffffe9c3c0000000 end ffffe9efc0000000 size 2c00000000] pgtable [pgdir 8000000000 pud 40000000 pmd 200000] spacing [10b340000001] So x86 might never have faced this problem ? It does not have VMEMMAP_SIZE hence computed these with a hack.
This series enables memory hot remove on arm64 after fixing a memblock removal ordering problem in generic try_remove_memory() and a possible arm64 platform specific kernel page table race condition. This series is based on linux-next (next-20190712). Concurrent vmalloc() and hot-remove conflict: As pointed out earlier on the v5 thread [2] there can be potential conflict between concurrent vmalloc() and memory hot-remove operation. This can be solved or at least avoided with some possible methods. The problem here is caused by inadequate locking in vmalloc() which protects installation of a page table page but not the walk or the leaf entry modification. Option 1: Making locking in vmalloc() adequate Current locking scheme protects installation of page table pages but not the page table walk or leaf entry creation which can conflict with hot-remove. This scheme is sufficient for now as vmalloc() works on mutually exclusive ranges which can proceed concurrently only if their shared page table pages can be created while inside the lock. It achieves performance improvement which will be compromised if entire vmalloc() operation (even if with some optimization) has to be completed under a lock. Option 2: Making sure hot-remove does not happen during vmalloc() Take mem_hotplug_lock in read mode through [get|put]_online_mems() constructs for the entire duration of vmalloc(). It protects from concurrent memory hot remove operation and does not add any significant overhead to other concurrent vmalloc() threads. It solves the problem in right way unless we do not want to extend the usage of mem_hotplug_lock in generic MM. Option 3: Memory hot-remove does not free (conflicting) page table pages Don't not free page table pages (if any) for vmemmap mappings after unmapping it's virtual range. The only downside here is that some page table pages might remain empty and unused until next memory hot-add operation of the same memory range. Option 4: Dont let vmalloc and vmemmap share intermediate page table pages The conflict does not arise if vmalloc and vmemap range do not share kernel page table pages to start with. If such placement can be ensured in platform kernel virtual address layout, this problem can be successfully avoided. There are two generic solutions (Option 1 and 2) and two platform specific solutions (Options 2 and 3). This series has decided to go with (Option 3) which requires minimum changes while self-contained inside the functionality. Testing: Memory hot remove has been tested on arm64 for 4K, 16K, 64K page config options with all possible CONFIG_ARM64_VA_BITS and CONFIG_PGTABLE_LEVELS combinations. Its only build tested on non-arm64 platforms. Changes in V6: - Implemented most of the suggestions from Mark Rutland - Added <linux/memory_hotplug.h> in ptdump - remove_pagetable() now has two distinct passes over the kernel page table - First pass unmap_hotplug_range() removes leaf level entries at all level - Second pass free_empty_tables() removes empty page table pages - Kernel page table lock has been dropped completely - vmemmap_free() does not call freee_empty_tables() to avoid conflict with vmalloc() - All address range scanning are converted to do {} while() loop - Added 'unsigned long end' in __remove_pgd_mapping() - Callers need not provide starting pointer argument to free_[pte|pmd|pud]_table() - Drop the starting pointer argument from free_[pte|pmd|pud]_table() functions - Fetching pxxp[i] in free_[pte|pmd|pud]_table() is wrapped around in READ_ONCE() - free_[pte|pmd|pud]_table() now computes starting pointer inside the function - Fixed TLB handling while freeing huge page section mappings at PMD or PUD level - Added WARN_ON(!page) in free_hotplug_page_range() - Added WARN_ON(![pm|pud]_table(pud|pmd)) when there is no section mapping - [PATCH 1/3] mm/hotplug: Reorder memblock_[free|remove]() calls in try_remove_memory() - Request earlier for separate merger (https://patchwork.kernel.org/patch/10986599/) - s/__remove_memory/try_remove_memory in the subject line - s/arch_remove_memory/memblock_[free|remove] in the subject line - A small change in the commit message as re-order happens now for memblock remove functions not for arch_remove_memory() Changes in V5: (https://lkml.org/lkml/2019/5/29/218) - Have some agreement [1] over using memory_hotplug_lock for arm64 ptdump - Change 7ba36eccb3f8 ("arm64/mm: Inhibit huge-vmap with ptdump") already merged - Dropped the above patch from this series - Fixed indentation problem in arch_[add|remove]_memory() as per David - Collected all new Acked-by tags Changes in V4: (https://lkml.org/lkml/2019/5/20/19) - Implemented most of the suggestions from Mark Rutland - Interchanged patch [PATCH 2/4] <---> [PATCH 3/4] and updated commit message - Moved CONFIG_PGTABLE_LEVELS inside free_[pud|pmd]_table() - Used READ_ONCE() in missing instances while accessing page table entries - s/p???_present()/p???_none() for checking valid kernel page table entries - WARN_ON() when an entry is !p???_none() and !p???_present() at the same time - Updated memory hot-remove commit message with additional details as suggested - Rebased the series on 5.2-rc1 with hotplug changes from David and Michal Hocko - Collected all new Acked-by tags Changes in V3: (https://lkml.org/lkml/2019/5/14/197) - Implemented most of the suggestions from Mark Rutland for remove_pagetable() - Fixed applicable PGTABLE_LEVEL wrappers around pgtable page freeing functions - Replaced 'direct' with 'sparse_vmap' in remove_pagetable() with inverted polarity - Changed pointer names ('p' at end) and removed tmp from iterations - Perform intermediate TLB invalidation while clearing pgtable entries - Dropped flush_tlb_kernel_range() in remove_pagetable() - Added flush_tlb_kernel_range() in remove_pte_table() instead - Renamed page freeing functions for pgtable page and mapped pages - Used page range size instead of order while freeing mapped or pgtable pages - Removed all PageReserved() handling while freeing mapped or pgtable pages - Replaced XXX_index() with XXX_offset() while walking the kernel page table - Used READ_ONCE() while fetching individual pgtable entries - Taken overall init_mm.page_table_lock instead of just while changing an entry - Dropped previously added [pmd|pud]_index() which are not required anymore - Added a new patch to protect kernel page table race condition for ptdump - Added a new patch from Mark Rutland to prevent huge-vmap with ptdump Changes in V2: (https://lkml.org/lkml/2019/4/14/5) - Added all received review and ack tags - Split the series from ZONE_DEVICE enablement for better review - Moved memblock re-order patch to the front as per Robin Murphy - Updated commit message on memblock re-order patch per Michal Hocko - Dropped [pmd|pud]_large() definitions - Used existing [pmd|pud]_sect() instead of earlier [pmd|pud]_large() - Removed __meminit and __ref tags as per Oscar Salvador - Dropped unnecessary 'ret' init in arch_add_memory() per Robin Murphy - Skipped calling into pgtable_page_dtor() for linear mapping page table pages and updated all relevant functions Changes in V1: (https://lkml.org/lkml/2019/4/3/28) References: [1] https://lkml.org/lkml/2019/5/28/584 [2] https://lkml.org/lkml/2019/6/11/709 Anshuman Khandual (3): mm/hotplug: Reorder memblock_[free|remove]() calls in try_remove_memory() arm64/mm: Hold memory hotplug lock while walking for kernel page table dump arm64/mm: Enable memory hot remove arch/arm64/Kconfig | 3 + arch/arm64/mm/mmu.c | 290 +++++++++++++++++++++++++++++++++++++++-- arch/arm64/mm/ptdump_debugfs.c | 4 + mm/memory_hotplug.c | 4 +- 4 files changed, 290 insertions(+), 11 deletions(-)