From nobody Mon Feb 9 22:20:39 2026 Received: from out-171.mta1.migadu.com (out-171.mta1.migadu.com [95.215.58.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5CE692C18F for ; Tue, 27 Feb 2024 03:03:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=95.215.58.171 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709002995; cv=none; b=bYNM4aPKIz/Ce+Phh8bCqqYt4oVu9NC3blfcKgi3eTmSdDPA+EC4Y9wyBUX/zmC8H1Dysm6hGxix/I+OozShKDJI2vE/WEDP5VH9S5Cb9Q2kT0ToAg2nUKmXUI+etwPkjImOesL5C01Suuydc9EYJittOnJKMOxbOwEF6G7gYi0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709002995; c=relaxed/simple; bh=/Y+8Rr5r7R4qG0VPWtmHKI3CmlgVA1JjzF5IldWYPOo=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=fgmHFrcwJ47DzP8q9u2PnWcT5OBtJD12xLFcigDhUp3z9jOAyF2B+HIQad2mEopJothWhVNXZoFWKOtKwrII9Y3gQAfrOj7hs3Y8XMqIXHlcdJ6PrGPYKLdZVxZvz9E6Y8UuzGzVlQ+1ckUfvne3I9w5iQnEDwDgJTdFSh16odc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=fail (p=quarantine dis=none) header.from=bytedance.com; spf=pass smtp.mailfrom=linux.dev; arc=none smtp.client-ip=95.215.58.171 Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=quarantine dis=none) header.from=bytedance.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: Chengming Zhou Date: Tue, 27 Feb 2024 03:02:54 +0000 Subject: [PATCH 1/2] mm/zsmalloc: don't hold locks of all pages when free_zspage() Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20240226-zsmalloc-zspage-rcu-v1-1-456b0ef1a89d@bytedance.com> References: <20240226-zsmalloc-zspage-rcu-v1-0-456b0ef1a89d@bytedance.com> In-Reply-To: <20240226-zsmalloc-zspage-rcu-v1-0-456b0ef1a89d@bytedance.com> To: yosryahmed@google.com, Sergey Senozhatsky , hannes@cmpxchg.org, nphamcs@gmail.com, Andrew Morton , Minchan Kim Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org, Chengming Zhou X-Developer-Signature: v=1; a=ed25519-sha256; t=1709002985; l=7649; i=zhouchengming@bytedance.com; s=20240220; h=from:subject:message-id; bh=/Y+8Rr5r7R4qG0VPWtmHKI3CmlgVA1JjzF5IldWYPOo=; b=Ipe8SF91JeqdJP/MV2fbyh7lbm0zV5Funv1K3Qy6bYmAr/Mo669Z/C6TNDwxz1AL+WdI8ItTm pWaD8WRhpRYDB285bxUKML+G8G1G1EV72v/91+bR9W3Kf9H97jTCK7k X-Developer-Key: i=zhouchengming@bytedance.com; a=ed25519; pk=5+68Wfci+T30FoQos5RH+hfToF6SlC+S9LMPSPBFWuw= X-Migadu-Flow: FLOW_OUT free_zspage() has to hold locks of all pages, since zs_page_migrate() path rely on this page lock to protect the race between zs_free() and it, so it can safely get zspage from page->private. But this way is not good and simple enough: 1. Since zs_free() couldn't be sleepable, it can only trylock pages, or has to kick_deferred_free() to defer that to a work. 2. Even in the worker context, async_free_zspage() can't simply lock all pages in lock_zspage(), it's still trylock because of the race between zs_free() and zs_page_migrate(). Please see the commit 2505a981114d ("zsmalloc: fix races between asynchronous zspage free and page migration") for details. Actually, all free_zspage() needs is to get zspage from page safely, we can use RCU to achieve it easily. Then free_zspage() don't need to hold locks of all pages, so don't need the deferred free mechanism at all. The updated zs_page_migrate() now has two more cases to consider: 1. get_zspage_lockless() return NULL: it means free_zspage() has used reset_page() on this page and its reference of page. 2. get_zspage_lockless() return zspage but it's not on pool list: it means zspage has been removed from list and in process of free. I'm not sure what value should be returned in these cases? -EINVAL or -EAGAIN or other value? If the migration caller can find that page has no extra referenced and can just free it, I think we should return -EAGAIN to let the migration caller retry this page later to free it. Now I choose to use -EINVAL to skip migration of this page, it seems not a big deal to fail migration of some pages? Signed-off-by: Chengming Zhou --- mm/zsmalloc.c | 97 ++++++++++++++++++++++++++++++++++---------------------= ---- 1 file changed, 56 insertions(+), 41 deletions(-) diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c index 63ec385cd670..b153f2e5fc0f 100644 --- a/mm/zsmalloc.c +++ b/mm/zsmalloc.c @@ -253,6 +253,7 @@ struct zspage { struct list_head list; /* fullness list */ struct zs_pool *pool; rwlock_t lock; + struct rcu_head rcu_head; }; =20 struct mapping_area { @@ -310,6 +311,8 @@ static int create_cache(struct zs_pool *pool) static void destroy_cache(struct zs_pool *pool) { kmem_cache_destroy(pool->handle_cachep); + /* Synchronize RCU to free zspage. */ + synchronize_rcu(); kmem_cache_destroy(pool->zspage_cachep); } =20 @@ -335,6 +338,14 @@ static void cache_free_zspage(struct zs_pool *pool, st= ruct zspage *zspage) kmem_cache_free(pool->zspage_cachep, zspage); } =20 +static void rcu_free_zspage(struct rcu_head *h) +{ + struct zspage *zspage =3D container_of(h, struct zspage, rcu_head); + struct zs_pool *pool =3D zspage->pool; + + kmem_cache_free(pool->zspage_cachep, zspage); +} + /* pool->lock(which owns the handle) synchronizes races */ static void record_obj(unsigned long handle, unsigned long obj) { @@ -710,14 +721,31 @@ static int fix_fullness_group(struct size_class *clas= s, struct zspage *zspage) return newfg; } =20 +static void set_zspage(struct page *page, struct zspage *zspage) +{ + struct zspage __rcu **private =3D (struct zspage __rcu **)&page->private; + + rcu_assign_pointer(*private, zspage); +} + static struct zspage *get_zspage(struct page *page) { - struct zspage *zspage =3D (struct zspage *)page_private(page); + struct zspage __rcu **private =3D (struct zspage __rcu **)&page->private; + struct zspage *zspage; =20 + zspage =3D rcu_dereference_protected(*private, true); BUG_ON(zspage->magic !=3D ZSPAGE_MAGIC); return zspage; } =20 +/* Only used in zs_page_migrate() to get zspage locklessly. */ +static struct zspage *get_zspage_lockless(struct page *page) +{ + struct zspage __rcu **private =3D (struct zspage __rcu **)&page->private; + + return rcu_dereference(*private); +} + static struct page *get_next_page(struct page *page) { struct zspage *zspage =3D get_zspage(page); @@ -793,32 +821,11 @@ static void reset_page(struct page *page) { __ClearPageMovable(page); ClearPagePrivate(page); - set_page_private(page, 0); + set_zspage(page, NULL); page_mapcount_reset(page); page->index =3D 0; } =20 -static int trylock_zspage(struct zspage *zspage) -{ - struct page *cursor, *fail; - - for (cursor =3D get_first_page(zspage); cursor !=3D NULL; cursor =3D - get_next_page(cursor)) { - if (!trylock_page(cursor)) { - fail =3D cursor; - goto unlock; - } - } - - return 1; -unlock: - for (cursor =3D get_first_page(zspage); cursor !=3D fail; cursor =3D - get_next_page(cursor)) - unlock_page(cursor); - - return 0; -} - static void __free_zspage(struct zs_pool *pool, struct size_class *class, struct zspage *zspage) { @@ -834,13 +841,12 @@ static void __free_zspage(struct zs_pool *pool, struc= t size_class *class, VM_BUG_ON_PAGE(!PageLocked(page), page); next =3D get_next_page(page); reset_page(page); - unlock_page(page); dec_zone_page_state(page, NR_ZSPAGES); put_page(page); page =3D next; } while (page !=3D NULL); =20 - cache_free_zspage(pool, zspage); + call_rcu(&zspage->rcu_head, rcu_free_zspage); =20 class_stat_dec(class, ZS_OBJS_ALLOCATED, class->objs_per_zspage); atomic_long_sub(class->pages_per_zspage, &pool->pages_allocated); @@ -852,16 +858,6 @@ static void free_zspage(struct zs_pool *pool, struct s= ize_class *class, VM_BUG_ON(get_zspage_inuse(zspage)); VM_BUG_ON(list_empty(&zspage->list)); =20 - /* - * Since zs_free couldn't be sleepable, this function cannot call - * lock_page. The page locks trylock_zspage got will be released - * by __free_zspage. - */ - if (!trylock_zspage(zspage)) { - kick_deferred_free(pool); - return; - } - remove_zspage(class, zspage); __free_zspage(pool, class, zspage); } @@ -929,7 +925,7 @@ static void create_page_chain(struct size_class *class,= struct zspage *zspage, */ for (i =3D 0; i < nr_pages; i++) { page =3D pages[i]; - set_page_private(page, (unsigned long)zspage); + set_zspage(page, zspage); page->index =3D 0; if (i =3D=3D 0) { zspage->first_page =3D page; @@ -978,10 +974,11 @@ static struct zspage *alloc_zspage(struct zs_pool *po= ol, pages[i] =3D page; } =20 - create_page_chain(class, zspage, pages); init_zspage(class, zspage); zspage->pool =3D pool; zspage->class =3D class->index; + /* RCU set_zspage() after zspage initialized. */ + create_page_chain(class, zspage, pages); =20 return zspage; } @@ -1765,17 +1762,35 @@ static int zs_page_migrate(struct page *newpage, st= ruct page *page, =20 VM_BUG_ON_PAGE(!PageIsolated(page), page); =20 - /* The page is locked, so this pointer must remain valid */ - zspage =3D get_zspage(page); - pool =3D zspage->pool; + rcu_read_lock(); + zspage =3D get_zspage_lockless(page); + if (!zspage) { + rcu_read_unlock(); + return -EINVAL; + } =20 /* * The pool's lock protects the race between zpage migration - * and zs_free. + * and zs_free. We check if the zspage is still in pool with + * pool->lock protection. If the zspage isn't in pool anymore, + * it should be freed by RCU soon. */ + pool =3D zspage->pool; spin_lock(&pool->lock); class =3D zspage_class(pool, zspage); =20 + if (list_empty(&zspage->list)) { + spin_unlock(&pool->lock); + rcu_read_unlock(); + return -EINVAL; + } + + /* + * Now the zspage is still on pool, and we held pool->lock, + * it can't be freed in the meantime. + */ + rcu_read_unlock(); + /* the migrate_write_lock protects zpage access via zs_map_object */ migrate_write_lock(zspage); =20 --=20 b4 0.10.1 From nobody Mon Feb 9 22:20:39 2026 Received: from out-175.mta1.migadu.com (out-175.mta1.migadu.com [95.215.58.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 819B02D603 for ; Tue, 27 Feb 2024 03:03:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=95.215.58.175 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709002997; cv=none; b=m3beYM5DYS8xD+5ssIuY7Ydl/UHZXY8uhWcwJwmAxoUFDx5gJjyF7zrcu7y542mHt6/NihFq9iZRwrT//qOJU2hnhq2t2FjpylBcupRLK8RebNmSg4k4aRjChpGX4hQkKcMKLBXrOMGZnGTOlvKj5SmFrdkTz+rdXGK2vJPJRsg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709002997; c=relaxed/simple; bh=/M8dgwAyEda7XsNe3iFiXBlSIntC0kanjsl4nXxFc+E=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=in11NGnxUyKJy+w6hmCsH451dK8boiic8m7oFgg/xPytVR/21JXn+15BvNrBRhOvGQ1PACTvx6xL3e+qdSzCic+OJ/2/7jndPSW4PvGPtHo46SSx8dEoTyZ1JrKS2Rb0RQoPpAdwK5y8uVW/HWVXpw39bfAbnZuhBLimxlEaWJA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=fail (p=quarantine dis=none) header.from=bytedance.com; spf=pass smtp.mailfrom=linux.dev; arc=none smtp.client-ip=95.215.58.175 Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=quarantine dis=none) header.from=bytedance.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: Chengming Zhou Date: Tue, 27 Feb 2024 03:02:55 +0000 Subject: [PATCH 2/2] mm/zsmalloc: remove the deferred free mechanism Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20240226-zsmalloc-zspage-rcu-v1-2-456b0ef1a89d@bytedance.com> References: <20240226-zsmalloc-zspage-rcu-v1-0-456b0ef1a89d@bytedance.com> In-Reply-To: <20240226-zsmalloc-zspage-rcu-v1-0-456b0ef1a89d@bytedance.com> To: yosryahmed@google.com, Sergey Senozhatsky , hannes@cmpxchg.org, nphamcs@gmail.com, Andrew Morton , Minchan Kim Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org, Chengming Zhou X-Developer-Signature: v=1; a=ed25519-sha256; t=1709002985; l=5278; i=zhouchengming@bytedance.com; s=20240220; h=from:subject:message-id; bh=/M8dgwAyEda7XsNe3iFiXBlSIntC0kanjsl4nXxFc+E=; b=HKzHCzoHlRScN2CAHFL2LHEXBGcx4FZexrsgeFkUsWRTeBSsg2wQ+Kv5cGnhN6T8q7yMHkqfy LkC11bU4POFDX84RKgcD2IwlI1sl7CP9Dx9yfr3MiZEdk9Ydr9BUfAL X-Developer-Key: i=zhouchengming@bytedance.com; a=ed25519; pk=5+68Wfci+T30FoQos5RH+hfToF6SlC+S9LMPSPBFWuw= X-Migadu-Flow: FLOW_OUT Since the only user of kick_deferred_free() has gone, remove all the deferred mechanism related code. Signed-off-by: Chengming Zhou --- mm/zsmalloc.c | 109 ------------------------------------------------------= ---- 1 file changed, 109 deletions(-) diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c index b153f2e5fc0f..1a044690b389 100644 --- a/mm/zsmalloc.c +++ b/mm/zsmalloc.c @@ -232,9 +232,6 @@ struct zs_pool { =20 #ifdef CONFIG_ZSMALLOC_STAT struct dentry *stat_dentry; -#endif -#ifdef CONFIG_COMPACTION - struct work_struct free_work; #endif spinlock_t lock; atomic_t compaction_in_progress; @@ -281,12 +278,8 @@ static void migrate_write_lock(struct zspage *zspage); static void migrate_write_unlock(struct zspage *zspage); =20 #ifdef CONFIG_COMPACTION -static void kick_deferred_free(struct zs_pool *pool); -static void init_deferred_free(struct zs_pool *pool); static void SetZsPageMovable(struct zs_pool *pool, struct zspage *zspage); #else -static void kick_deferred_free(struct zs_pool *pool) {} -static void init_deferred_free(struct zs_pool *pool) {} static void SetZsPageMovable(struct zs_pool *pool, struct zspage *zspage) = {} #endif =20 @@ -1632,50 +1625,6 @@ static int putback_zspage(struct size_class *class, = struct zspage *zspage) return fullness; } =20 -#ifdef CONFIG_COMPACTION -/* - * To prevent zspage destroy during migration, zspage freeing should - * hold locks of all pages in the zspage. - */ -static void lock_zspage(struct zspage *zspage) -{ - struct page *curr_page, *page; - - /* - * Pages we haven't locked yet can be migrated off the list while we're - * trying to lock them, so we need to be careful and only attempt to - * lock each page under migrate_read_lock(). Otherwise, the page we lock - * may no longer belong to the zspage. This means that we may wait for - * the wrong page to unlock, so we must take a reference to the page - * prior to waiting for it to unlock outside migrate_read_lock(). - */ - while (1) { - migrate_read_lock(zspage); - page =3D get_first_page(zspage); - if (trylock_page(page)) - break; - get_page(page); - migrate_read_unlock(zspage); - wait_on_page_locked(page); - put_page(page); - } - - curr_page =3D page; - while ((page =3D get_next_page(curr_page))) { - if (trylock_page(page)) { - curr_page =3D page; - } else { - get_page(page); - migrate_read_unlock(zspage); - wait_on_page_locked(page); - put_page(page); - migrate_read_lock(zspage); - } - } - migrate_read_unlock(zspage); -} -#endif /* CONFIG_COMPACTION */ - static void migrate_lock_init(struct zspage *zspage) { rwlock_init(&zspage->lock); @@ -1730,10 +1679,6 @@ static void replace_sub_page(struct size_class *clas= s, struct zspage *zspage, =20 static bool zs_page_isolate(struct page *page, isolate_mode_t mode) { - /* - * Page is locked so zspage couldn't be destroyed. For detail, look at - * lock_zspage in free_zspage. - */ VM_BUG_ON_PAGE(PageIsolated(page), page); =20 return true; @@ -1848,56 +1793,6 @@ static const struct movable_operations zsmalloc_mops= =3D { .putback_page =3D zs_page_putback, }; =20 -/* - * Caller should hold page_lock of all pages in the zspage - * In here, we cannot use zspage meta data. - */ -static void async_free_zspage(struct work_struct *work) -{ - int i; - struct size_class *class; - struct zspage *zspage, *tmp; - LIST_HEAD(free_pages); - struct zs_pool *pool =3D container_of(work, struct zs_pool, - free_work); - - for (i =3D 0; i < ZS_SIZE_CLASSES; i++) { - class =3D pool->size_class[i]; - if (class->index !=3D i) - continue; - - spin_lock(&pool->lock); - list_splice_init(&class->fullness_list[ZS_INUSE_RATIO_0], - &free_pages); - spin_unlock(&pool->lock); - } - - list_for_each_entry_safe(zspage, tmp, &free_pages, list) { - list_del(&zspage->list); - lock_zspage(zspage); - - spin_lock(&pool->lock); - class =3D zspage_class(pool, zspage); - __free_zspage(pool, class, zspage); - spin_unlock(&pool->lock); - } -}; - -static void kick_deferred_free(struct zs_pool *pool) -{ - schedule_work(&pool->free_work); -} - -static void zs_flush_migration(struct zs_pool *pool) -{ - flush_work(&pool->free_work); -} - -static void init_deferred_free(struct zs_pool *pool) -{ - INIT_WORK(&pool->free_work, async_free_zspage); -} - static void SetZsPageMovable(struct zs_pool *pool, struct zspage *zspage) { struct page *page =3D get_first_page(zspage); @@ -1908,8 +1803,6 @@ static void SetZsPageMovable(struct zs_pool *pool, st= ruct zspage *zspage) unlock_page(page); } while ((page =3D get_next_page(page)) !=3D NULL); } -#else -static inline void zs_flush_migration(struct zs_pool *pool) { } #endif =20 /* @@ -2121,7 +2014,6 @@ struct zs_pool *zs_create_pool(const char *name) if (!pool) return NULL; =20 - init_deferred_free(pool); spin_lock_init(&pool->lock); atomic_set(&pool->compaction_in_progress, 0); =20 @@ -2229,7 +2121,6 @@ void zs_destroy_pool(struct zs_pool *pool) int i; =20 zs_unregister_shrinker(pool); - zs_flush_migration(pool); zs_pool_stat_destroy(pool); =20 for (i =3D 0; i < ZS_SIZE_CLASSES; i++) { --=20 b4 0.10.1