On Tue, Aug 20, 2019 at 10:19:00AM +0200, Daniel Vetter wrote:

We want to teach lockdep that mmu notifiers can be called from direct reclaim paths, since on many CI systems load might never reach that level (e.g. when just running fuzzer or small functional tests).

Motivated by a discussion with Jason.

I've put the annotation into mmu_notifier_register since only when we have mmu notifiers registered is there any point in teaching lockdep about them. Also, we already have a kmalloc(, GFP_KERNEL), so this is safe.

Cc: Jason Gunthorpe jgg@ziepe.ca Cc: Chris Wilson chris@chris-wilson.co.uk Cc: Andrew Morton akpm@linux-foundation.org Cc: David Rientjes rientjes@google.com Cc: "Jérôme Glisse" jglisse@redhat.com Cc: Michal Hocko mhocko@suse.com Cc: "Christian König" christian.koenig@amd.com Cc: Greg Kroah-Hartman gregkh@linuxfoundation.org Cc: Daniel Vetter daniel.vetter@ffwll.ch Cc: Mike Rapoport rppt@linux.vnet.ibm.com Cc: linux-mm@kvack.org Signed-off-by: Daniel Vetter daniel.vetter@intel.com mm/mmu_notifier.c | 7 +++++++ 1 file changed, 7 insertions(+)

diff --git a/mm/mmu_notifier.c b/mm/mmu_notifier.c index d12e3079e7a4..538d3bb87f9b 100644 +++ b/mm/mmu_notifier.c @@ -256,6 +256,13 @@ static int do_mmu_notifier_register(struct mmu_notifier *mn,

BUG_ON(atomic_read(&mm->mm_users) <= 0);

• if (IS_ENABLED(CONFIG_LOCKDEP)) {

• fs_reclaim_acquire(GFP_KERNEL);
  

• lock_map_acquire(&__mmu_notifier_invalidate_range_start_map);
  

• lock_map_release(&__mmu_notifier_invalidate_range_start_map);
  

• fs_reclaim_release(GFP_KERNEL);
  

• }

Lets try it out at least

Reviewed-by: Jason Gunthorpe jgg@mellanox.com

Jason

On Tue, Aug 20, 2019 at 10:19:01AM +0200, Daniel Vetter wrote:

In some special cases we must not block, but there's not a spinlock, preempt-off, irqs-off or similar critical section already that arms the might_sleep() debug checks. Add a non_block_start/end() pair to annotate these.

This will be used in the oom paths of mmu-notifiers, where blocking is not allowed to make sure there's forward progress. Quoting Michal:

"The notifier is called from quite a restricted context - oom_reaper - which shouldn't depend on any locks or sleepable conditionals. The code should be swift as well but we mostly do care about it to make a forward progress. Checking for sleepable context is the best thing we could come up with that would describe these demands at least partially."

Peter also asked whether we want to catch spinlocks on top, but Michal said those are less of a problem because spinlocks can't have an indirect dependency upon the page allocator and hence close the loop with the oom reaper.

Suggested by Michal Hocko.

v2:

• Improve commit message (Michal)
• Also check in schedule, not just might_sleep (Peter)

v3: It works better when I actually squash in the fixup I had lying around :-/

v4: Pick the suggestion from Andrew Morton to give non_block_start/end some good kerneldoc comments. I added that other blocking calls like wait_event pose similar issues, since that's the other example we discussed.

Cc: Jason Gunthorpe jgg@ziepe.ca Cc: Peter Zijlstra peterz@infradead.org Cc: Ingo Molnar mingo@redhat.com Cc: Andrew Morton akpm@linux-foundation.org Cc: Michal Hocko mhocko@suse.com Cc: David Rientjes rientjes@google.com Cc: "Christian König" christian.koenig@amd.com Cc: Daniel Vetter daniel.vetter@ffwll.ch Cc: "Jérôme Glisse" jglisse@redhat.com Cc: linux-mm@kvack.org Cc: Masahiro Yamada yamada.masahiro@socionext.com Cc: Wei Wang wvw@google.com Cc: Andy Shevchenko andriy.shevchenko@linux.intel.com Cc: Thomas Gleixner tglx@linutronix.de Cc: Jann Horn jannh@google.com Cc: Feng Tang feng.tang@intel.com Cc: Kees Cook keescook@chromium.org Cc: Randy Dunlap rdunlap@infradead.org Cc: linux-kernel@vger.kernel.org Acked-by: Christian König christian.koenig@amd.com (v1) Signed-off-by: Daniel Vetter daniel.vetter@intel.com

Hi Peter,

Iirc you've been involved at least somewhat in discussing this. -mm folks are a bit undecided whether these new non_block semantics are a good idea. Michal Hocko still is in support, but Andrew Morton and Jason Gunthorpe are less enthusiastic. Jason said he's ok with merging the hmm side of this if scheduler folks ack. If not, then I'll respin with the preempt_disable/enable instead like in v1.

So ack/nack for this from the scheduler side?

Thanks, Daniel

---

include/linux/kernel.h | 25 ++++++++++++++++++++++++- include/linux/sched.h | 4 ++++ kernel/sched/core.c | 19 ++++++++++++++----- 3 files changed, 42 insertions(+), 6 deletions(-)

diff --git a/include/linux/kernel.h b/include/linux/kernel.h index 4fa360a13c1e..82f84cfe372f 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -217,7 +217,9 @@ extern void __cant_sleep(const char *file, int line, int preempt_offset);

• might_sleep - annotation for functions that can sleep
• this macro will print a stack trace if it is executed in an atomic

• • context (spinlock, irq-handler, ...).

• • context (spinlock, irq-handler, ...). Additional sections where blocking is
• • not allowed can be annotated with non_block_start() and non_block_end()
• • pairs.
  • This is a useful debugging help to be able to catch problems early and not
  • be bitten later when the calling function happens to sleep when it is not

@@ -233,6 +235,25 @@ extern void __cant_sleep(const char *file, int line, int preempt_offset); # define cant_sleep() \ do { __cant_sleep(__FILE__, __LINE__, 0); } while (0) # define sched_annotate_sleep() (current->task_state_change = 0) +/**

• • non_block_start - annotate the start of section where sleeping is prohibited
• • This is on behalf of the oom reaper, specifically when it is calling the mmu
• • notifiers. The problem is that if the notifier were to block on, for example,
• • mutex_lock() and if the process which holds that mutex were to perform a
• • sleeping memory allocation, the oom reaper is now blocked on completion of
• • that memory allocation. Other blocking calls like wait_event() pose similar
• • issues.
• */

+# define non_block_start() \

• do { current->non_block_count++; } while (0)

+/**

• • non_block_end - annotate the end of section where sleeping is prohibited
• • Closes a section opened by non_block_start().
• */

+# define non_block_end() \

• do { WARN_ON(current->non_block_count-- == 0); } while (0)

#else static inline void ___might_sleep(const char *file, int line, int preempt_offset) { } @@ -241,6 +262,8 @@ extern void __cant_sleep(const char *file, int line, int preempt_offset); # define might_sleep() do { might_resched(); } while (0) # define cant_sleep() do { } while (0) # define sched_annotate_sleep() do { } while (0) +# define non_block_start() do { } while (0) +# define non_block_end() do { } while (0) #endif

#define might_sleep_if(cond) do { if (cond) might_sleep(); } while (0) diff --git a/include/linux/sched.h b/include/linux/sched.h index 9f51932bd543..c5630f3dca1f 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -974,6 +974,10 @@ struct task_struct { struct mutex_waiter *blocked_on; #endif

+#ifdef CONFIG_DEBUG_ATOMIC_SLEEP

• int non_block_count;

+#endif

#ifdef CONFIG_TRACE_IRQFLAGS unsigned int irq_events; unsigned long hardirq_enable_ip; diff --git a/kernel/sched/core.c b/kernel/sched/core.c index 2b037f195473..57245770d6cc 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c @@ -3700,13 +3700,22 @@ static noinline void __schedule_bug(struct task_struct *prev) /*

• Various schedule()-time debugging checks and statistics:

*/ -static inline void schedule_debug(struct task_struct *prev) +static inline void schedule_debug(struct task_struct *prev, bool preempt) { #ifdef CONFIG_SCHED_STACK_END_CHECK if (task_stack_end_corrupted(prev)) panic("corrupted stack end detected inside scheduler\n"); #endif

+#ifdef CONFIG_DEBUG_ATOMIC_SLEEP

• if (!preempt && prev->state && prev->non_block_count) {

• printk(KERN_ERR "BUG: scheduling in a non-blocking section: %s/%d/%i\n",
  

• 	prev->comm, prev->pid, prev->non_block_count);
  

• dump_stack();
  

• add_taint(TAINT_WARN, LOCKDEP_STILL_OK);
  

• }

+#endif

• if (unlikely(in_atomic_preempt_off())) { __schedule_bug(prev); preempt_count_set(PREEMPT_DISABLED);

@@ -3813,7 +3822,7 @@ static void __sched notrace __schedule(bool preempt) rq = cpu_rq(cpu); prev = rq->curr;

• schedule_debug(prev);

• schedule_debug(prev, preempt);

  if (sched_feat(HRTICK)) hrtick_clear(rq);

@@ -6570,7 +6579,7 @@ void ___might_sleep(const char *file, int line, int preempt_offset) rcu_sleep_check();

if ((preempt_count_equals(preempt_offset) && !irqs_disabled() &&

•     !is_idle_task(current)) ||
  

•     !is_idle_task(current) && !current->non_block_count) ||
   system_state == SYSTEM_BOOTING || system_state > SYSTEM_RUNNING ||
   oops_in_progress)
  

  return;

@@ -6586,8 +6595,8 @@ void ___might_sleep(const char *file, int line, int preempt_offset) "BUG: sleeping function called from invalid context at %s:%d\n", file, line); printk(KERN_ERR

• "in_atomic(): %d, irqs_disabled(): %d, pid: %d, name: %s\n",
  

• 	in_atomic(), irqs_disabled(),
  

• "in_atomic(): %d, irqs_disabled(): %d, non_block: %d, pid: %d, name: %s\n",
  

• 	in_atomic(), irqs_disabled(), current->non_block_count,
  current->pid, current->comm);
  
  

  if (task_stack_end_corrupted(current))

-- 2.23.0.rc1

On Tue, Aug 20, 2019 at 10:34:18AM -0300, Jason Gunthorpe wrote:

On Tue, Aug 20, 2019 at 10:19:02AM +0200, Daniel Vetter wrote:

...

We need to make sure implementations don't cheat and don't have a possible schedule/blocking point deeply burried where review can't catch it.

I'm not sure whether this is the best way to make sure all the might_sleep() callsites trigger, and it's a bit ugly in the code flow. But it gets the job done.

Inspired by an i915 patch series which did exactly that, because the rules haven't been entirely clear to us.

v2: Use the shiny new non_block_start/end annotations instead of abusing preempt_disable/enable.

v3: Rebase on top of Glisse's arg rework.

v4: Rebase on top of more Glisse rework.

Cc: Jason Gunthorpe jgg@ziepe.ca Cc: Andrew Morton akpm@linux-foundation.org Cc: Michal Hocko mhocko@suse.com Cc: David Rientjes rientjes@google.com Cc: "Christian König" christian.koenig@amd.com Cc: Daniel Vetter daniel.vetter@ffwll.ch Cc: "Jérôme Glisse" jglisse@redhat.com Cc: linux-mm@kvack.org Reviewed-by: Christian König christian.koenig@amd.com Reviewed-by: Jérôme Glisse jglisse@redhat.com Signed-off-by: Daniel Vetter daniel.vetter@intel.com mm/mmu_notifier.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/mm/mmu_notifier.c b/mm/mmu_notifier.c index 538d3bb87f9b..856636d06ee0 100644 +++ b/mm/mmu_notifier.c @@ -181,7 +181,13 @@ int __mmu_notifier_invalidate_range_start(struct mmu_notifier_range *range) id = srcu_read_lock(&srcu); hlist_for_each_entry_rcu(mn, &range->mm->mmu_notifier_mm->list, hlist) { if (mn->ops->invalidate_range_start) {

• 	int _ret = mn->ops->invalidate_range_start(mn, range);
  

• 	int _ret;
  

• 	if (!mmu_notifier_range_blockable(range))
  

• 		non_block_start();
  

• 	_ret = mn->ops->invalidate_range_start(mn, range);
  

• 	if (!mmu_notifier_range_blockable(range))
  

• 		non_block_end();
  

If someone Acks all the sched changes then I can pick this for hmm.git, but I still think the existing pre-emption debugging is fine for this use case.

Ok, I'll ping Peter Z. for an ack, iirc he was involved.

Also, same comment as for the lockdep map, this needs to apply to the non-blocking range_end also.

Hm, I thought the page table locks we're holding there already prevent any sleeping, so would be redundant? But reading through code I think that's not guaranteed, so yeah makes sense to add it for invalidate_range_end too. I'll respin once I have the ack/nack from scheduler people.

Anyhow, since this series has conflicts with hmm.git it would be best to flow through the whole thing through that tree. If there are no remarks on the first two patches I'll grab them in a few days.

Thanks, Daniel

On Wed, Aug 21, 2019 at 9:33 AM Jason Gunthorpe jgg@ziepe.ca wrote:

On Tue, Aug 20, 2019 at 05:18:10PM +0200, Daniel Vetter wrote:

...

...

...

diff --git a/mm/mmu_notifier.c b/mm/mmu_notifier.c index 538d3bb87f9b..856636d06ee0 100644 +++ b/mm/mmu_notifier.c @@ -181,7 +181,13 @@ int __mmu_notifier_invalidate_range_start(struct mmu_notifier_range *range) id = srcu_read_lock(&srcu); hlist_for_each_entry_rcu(mn, &range->mm->mmu_notifier_mm->list, hlist) { if (mn->ops->invalidate_range_start) {

•             int _ret = mn->ops->invalidate_range_start(mn, range);
  

•             int _ret;
  

•             if (!mmu_notifier_range_blockable(range))
  

•                     non_block_start();
  

•             _ret = mn->ops->invalidate_range_start(mn, range);
  

•             if (!mmu_notifier_range_blockable(range))
  

•                     non_block_end();
  

If someone Acks all the sched changes then I can pick this for hmm.git, but I still think the existing pre-emption debugging is fine for this use case.

Ok, I'll ping Peter Z. for an ack, iirc he was involved.

...

Also, same comment as for the lockdep map, this needs to apply to the non-blocking range_end also.

Hm, I thought the page table locks we're holding there already prevent any sleeping, so would be redundant?

AFAIK no. All callers of invalidate_range_start/end pairs do so a few lines apart and don't change their locking in between - thus since start can block so can end.

Would love to know if that is not true??

Yeah I reviewed them, I think I mixed up a discussion I had a while ago with Jerome. It's a bit tricky to follow in the code since in some places ->invalidate_range and ->invalidate_range_end seem to be called from the same place, in others not at all.

Similarly I've also been idly wondering if we should add a 'might_sleep()' to invalidate_rangestart/end() to make this constraint clear & tested to the mm side?

Hm, sounds like a useful idea. Since in general you wont test with mmu notifiers, but they could happen, and then they will block for at least some mutex usually. I'll throw that as an idea on top for the next round. -Daniel