[PATCH] cgroup, blkcg: prevent dirty inodes to pin dying memory cgroups

[Roman Gushchin]

We've noticed that the number of dying cgroups on our production hosts
tends to grow with the uptime. This time it's caused by the writeback
code.

An inode which is getting dirty for the first time is associated
with the wb structure (look at __inode_attach_wb()). It can later
be switched to another wb under some conditions (e.g. some other
cgroup is writing a lot of data to the same inode), but generally
stays associated up to the end of life of the inode structure.

The problem is that the wb structure holds a reference to the original
memory cgroup. So if an inode has been dirty once, it has a good chance
to pin down the original memory cgroup.

An example from the real life: some service runs periodically and
updates rpm packages. Each time in a new memory cgroup. Installed
.so files are heavily used by other cgroups, so corresponding inodes
tend to stay alive for a long. So do pinned memory cgroups.
In production I've seen many hosts with 1-2 thousands of dying
cgroups.

This is not the first problem with the dying memory cgroups. As
always, the problem is with their relative size: memory cgroups
are large objects, easily 100x-1000x larger that inodes. So keeping
a couple of thousands of dying cgroups in memory without a good reason
(what we easily do with inodes) is quite costly (and is measured
in tens and hundreds of Mb).

To solve this problem let's perform a periodic scan of inodes
attached to dying wbs, which don't have active io operations,
and switched them to the root memory cgroup's wb.
That will eventually release the wb structure and corresponding
memory cgroup.

To make this scanning effective, let's keep a list of attached
inodes. inode->i_io_list can be reused for this purpose. This idea
was suggested by Jan Kara.

The scan is performed from the cgroup offlining path. Dying wbs
are placed on the global list. On each cgroup removal we traverse
the whole list ignoring wbs with active io operations. That will
allow the majority of io operations to be finished after the
removal of the cgroup.

To avoid scheduling too many switch operations, let's stop on a first
failure. To make it's possible, inode_switch_wbs() can return a
boolean value: false if it's failed to schedule a switching operation
because there are already too many in flight, or if there is not
enough memory; true otherwise.

Signed-off-by: Roman Gushchin <guro@xxxxxx>
---
 fs/fs-writeback.c                | 64 +++++++++++++++++++++++++------
 include/linux/backing-dev-defs.h |  2 +
 include/linux/writeback.h        |  2 +
 mm/backing-dev.c                 | 66 ++++++++++++++++++++++++++++++--
 4 files changed, 119 insertions(+), 15 deletions(-)

diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
index e88421d9a48d..af608276fbf6 100644
--- a/fs/fs-writeback.c
+++ b/fs/fs-writeback.c
@@ -136,16 +136,21 @@ static bool inode_io_list_move_locked(struct inode *i=
node,
  * inode_io_list_del_locked - remove an inode from its bdi_writeback IO li=
st
  * @inode: inode to be removed
  * @wb: bdi_writeback @inode is being removed from
+ * @keep_attached: keep the inode on the list of inodes attached to wb
  *
  * Remove @inode which may be on one of @wb->b_{dirty|io|more_io} lists an=
d
  * clear %WB_has_dirty_io if all are empty afterwards.
  */
 static void inode_io_list_del_locked(struct inode *inode,
-				     struct bdi_writeback *wb)
+				     struct bdi_writeback *wb,
+				     bool keep_attached)
 {
 	assert_spin_locked(&wb->list_lock);
=20
-	list_del_init(&inode->i_io_list);
+	if (keep_attached)
+		list_move(&inode->i_io_list, &wb->b_attached);
+	else
+		list_del_init(&inode->i_io_list);
 	wb_io_lists_depopulated(wb);
 }
=20
@@ -426,7 +431,7 @@ static void inode_switch_wbs_work_fn(struct work_struct=
 *work)
 	if (!list_empty(&inode->i_io_list)) {
 		struct inode *pos;
=20
-		inode_io_list_del_locked(inode, old_wb);
+		inode_io_list_del_locked(inode, old_wb, false);
 		inode->i_wb =3D new_wb;
 		list_for_each_entry(pos, &new_wb->b_dirty, i_io_list)
 			if (time_after_eq(inode->dirtied_when,
@@ -485,24 +490,29 @@ static void inode_switch_wbs_rcu_fn(struct rcu_head *=
rcu_head)
  *
  * Switch @inode's wb association to the wb identified by @new_wb_id.  The
  * switching is performed asynchronously and may fail silently.
+ *
+ * Returns %true is the operation has been scheduled successfully or
+ * if the inode cannot be switched because of its own state
+ * (e.g. inode is already switching). Returns %false otherwise.
  */
-static void inode_switch_wbs(struct inode *inode, int new_wb_id)
+static bool inode_switch_wbs(struct inode *inode, int new_wb_id)
 {
 	struct backing_dev_info *bdi =3D inode_to_bdi(inode);
 	struct cgroup_subsys_state *memcg_css;
 	struct inode_switch_wbs_context *isw;
+	bool ret =3D false;
=20
 	/* noop if seems to be already in progress */
 	if (inode->i_state & I_WB_SWITCH)
-		return;
+		return true;
=20
 	/* avoid queueing a new switch if too many are already in flight */
 	if (atomic_read(&isw_nr_in_flight) > WB_FRN_MAX_IN_FLIGHT)
-		return;
+		return false;
=20
 	isw =3D kzalloc(sizeof(*isw), GFP_ATOMIC);
 	if (!isw)
-		return;
+		return true;
=20
 	/* find and pin the new wb */
 	rcu_read_lock();
@@ -519,6 +529,7 @@ static void inode_switch_wbs(struct inode *inode, int n=
ew_wb_id)
 	    inode->i_state & (I_WB_SWITCH | I_FREEING) ||
 	    inode_to_wb(inode) =3D=3D isw->new_wb) {
 		spin_unlock(&inode->i_lock);
+		ret =3D true;
 		goto out_free;
 	}
 	inode->i_state |=3D I_WB_SWITCH;
@@ -536,12 +547,43 @@ static void inode_switch_wbs(struct inode *inode, int=
 new_wb_id)
 	call_rcu(&isw->rcu_head, inode_switch_wbs_rcu_fn);
=20
 	atomic_inc(&isw_nr_in_flight);
-	return;
+	return true;
=20
 out_free:
 	if (isw->new_wb)
 		wb_put(isw->new_wb);
 	kfree(isw);
+	return ret;
+}
+
+/**
+ * cleanup_offline_wb - switch attached inodes to the root wb
+ * @wb: target wb
+ *
+ * Switch inodes attached to @wb to the root memory cgroup's wb.
+ * Switching is performed asynchronously and may fail silently.
+ *
+ * Returns %false if at least one switching attempt has been failed,
+ * %true otherwise.
+ */
+bool cleanup_offline_wb(struct bdi_writeback *wb)
+{
+	struct inode *inode;
+	bool ret =3D true;
+
+	spin_lock(&wb->list_lock);
+	if (list_empty(&wb->b_attached))
+		goto unlock;
+
+	list_for_each_entry(inode, &wb->b_attached, i_io_list) {
+		ret =3D inode_switch_wbs(inode, root_mem_cgroup->css.id);
+		if (!ret)
+			break;
+	}
+unlock:
+	spin_unlock(&wb->list_lock);
+
+	return ret;
 }
=20
 /**
@@ -1120,7 +1162,7 @@ void inode_io_list_del(struct inode *inode)
 	struct bdi_writeback *wb;
=20
 	wb =3D inode_to_wb_and_lock_list(inode);
-	inode_io_list_del_locked(inode, wb);
+	inode_io_list_del_locked(inode, wb, false);
 	spin_unlock(&wb->list_lock);
 }
=20
@@ -1425,7 +1467,7 @@ static void requeue_inode(struct inode *inode, struct=
 bdi_writeback *wb,
 		inode_io_list_move_locked(inode, wb, &wb->b_dirty_time);
 	} else {
 		/* The inode is clean. Remove from writeback lists. */
-		inode_io_list_del_locked(inode, wb);
+		inode_io_list_del_locked(inode, wb, true);
 	}
 }
=20
@@ -1570,7 +1612,7 @@ static int writeback_single_inode(struct inode *inode=
,
 	 * touch it. See comment above for explanation.
 	 */
 	if (!(inode->i_state & I_DIRTY_ALL))
-		inode_io_list_del_locked(inode, wb);
+		inode_io_list_del_locked(inode, wb, true);
 	spin_unlock(&wb->list_lock);
 	inode_sync_complete(inode);
 out:
diff --git a/include/linux/backing-dev-defs.h b/include/linux/backing-dev-d=
efs.h
index 4fc87dee005a..68b167fda259 100644
--- a/include/linux/backing-dev-defs.h
+++ b/include/linux/backing-dev-defs.h
@@ -137,6 +137,7 @@ struct bdi_writeback {
 	struct list_head b_io;		/* parked for writeback */
 	struct list_head b_more_io;	/* parked for more writeback */
 	struct list_head b_dirty_time;	/* time stamps are dirty */
+	struct list_head b_attached;	/* attached inodes */
 	spinlock_t list_lock;		/* protects the b_* lists */
=20
 	struct percpu_counter stat[NR_WB_STAT_ITEMS];
@@ -177,6 +178,7 @@ struct bdi_writeback {
 	struct cgroup_subsys_state *blkcg_css; /* and blkcg */
 	struct list_head memcg_node;	/* anchored at memcg->cgwb_list */
 	struct list_head blkcg_node;	/* anchored at blkcg->cgwb_list */
+	struct list_head offline_node;
=20
 	union {
 		struct work_struct release_work;
diff --git a/include/linux/writeback.h b/include/linux/writeback.h
index a19d845dd7eb..7f430644a629 100644
--- a/include/linux/writeback.h
+++ b/include/linux/writeback.h
@@ -220,6 +220,7 @@ void wbc_account_cgroup_owner(struct writeback_control =
*wbc, struct page *page,
 int cgroup_writeback_by_id(u64 bdi_id, int memcg_id, unsigned long nr_page=
s,
 			   enum wb_reason reason, struct wb_completion *done);
 void cgroup_writeback_umount(void);
+bool cleanup_offline_wb(struct bdi_writeback *wb);
=20
 /**
  * inode_attach_wb - associate an inode with its wb
@@ -247,6 +248,7 @@ static inline void inode_detach_wb(struct inode *inode)
 	if (inode->i_wb) {
 		WARN_ON_ONCE(!(inode->i_state & I_CLEAR));
 		wb_put(inode->i_wb);
+		WARN_ON_ONCE(!list_empty(&inode->i_io_list));
 		inode->i_wb =3D NULL;
 	}
 }
diff --git a/mm/backing-dev.c b/mm/backing-dev.c
index d9daa3e422d0..774c05672a27 100644
--- a/mm/backing-dev.c
+++ b/mm/backing-dev.c
@@ -52,10 +52,10 @@ static int bdi_debug_stats_show(struct seq_file *m, voi=
d *v)
 	unsigned long background_thresh;
 	unsigned long dirty_thresh;
 	unsigned long wb_thresh;
-	unsigned long nr_dirty, nr_io, nr_more_io, nr_dirty_time;
+	unsigned long nr_dirty, nr_io, nr_more_io, nr_dirty_time, nr_attached;
 	struct inode *inode;
=20
-	nr_dirty =3D nr_io =3D nr_more_io =3D nr_dirty_time =3D 0;
+	nr_dirty =3D nr_io =3D nr_more_io =3D nr_dirty_time =3D nr_attached =3D 0=
;
 	spin_lock(&wb->list_lock);
 	list_for_each_entry(inode, &wb->b_dirty, i_io_list)
 		nr_dirty++;
@@ -66,6 +66,8 @@ static int bdi_debug_stats_show(struct seq_file *m, void =
*v)
 	list_for_each_entry(inode, &wb->b_dirty_time, i_io_list)
 		if (inode->i_state & I_DIRTY_TIME)
 			nr_dirty_time++;
+	list_for_each_entry(inode, &wb->b_attached, i_io_list)
+		nr_attached++;
 	spin_unlock(&wb->list_lock);
=20
 	global_dirty_limits(&background_thresh, &dirty_thresh);
@@ -85,6 +87,7 @@ static int bdi_debug_stats_show(struct seq_file *m, void =
*v)
 		   "b_io:               %10lu\n"
 		   "b_more_io:          %10lu\n"
 		   "b_dirty_time:       %10lu\n"
+		   "b_attached:         %10lu\n"
 		   "bdi_list:           %10u\n"
 		   "state:              %10lx\n",
 		   (unsigned long) K(wb_stat(wb, WB_WRITEBACK)),
@@ -99,6 +102,7 @@ static int bdi_debug_stats_show(struct seq_file *m, void=
 *v)
 		   nr_io,
 		   nr_more_io,
 		   nr_dirty_time,
+		   nr_attached,
 		   !list_empty(&bdi->bdi_list), bdi->wb.state);
 #undef K
=20
@@ -295,6 +299,7 @@ static int wb_init(struct bdi_writeback *wb, struct bac=
king_dev_info *bdi,
 	INIT_LIST_HEAD(&wb->b_io);
 	INIT_LIST_HEAD(&wb->b_more_io);
 	INIT_LIST_HEAD(&wb->b_dirty_time);
+	INIT_LIST_HEAD(&wb->b_attached);
 	spin_lock_init(&wb->list_lock);
=20
 	wb->bw_time_stamp =3D jiffies;
@@ -385,11 +390,12 @@ static void wb_exit(struct bdi_writeback *wb)
=20
 /*
  * cgwb_lock protects bdi->cgwb_tree, bdi->cgwb_congested_tree,
- * blkcg->cgwb_list, and memcg->cgwb_list.  bdi->cgwb_tree is also RCU
- * protected.
+ * blkcg->cgwb_list, offline_cgwbs and memcg->cgwb_list.
+ * bdi->cgwb_tree is also RCU protected.
  */
 static DEFINE_SPINLOCK(cgwb_lock);
 static struct workqueue_struct *cgwb_release_wq;
+static LIST_HEAD(offline_cgwbs);
=20
 /**
  * wb_congested_get_create - get or create a wb_congested
@@ -486,6 +492,10 @@ static void cgwb_release_workfn(struct work_struct *wo=
rk)
 	mutex_lock(&wb->bdi->cgwb_release_mutex);
 	wb_shutdown(wb);
=20
+	spin_lock_irq(&cgwb_lock);
+	list_del(&wb->offline_node);
+	spin_unlock_irq(&cgwb_lock);
+
 	css_put(wb->memcg_css);
 	css_put(wb->blkcg_css);
 	mutex_unlock(&wb->bdi->cgwb_release_mutex);
@@ -513,6 +523,7 @@ static void cgwb_kill(struct bdi_writeback *wb)
 	WARN_ON(!radix_tree_delete(&wb->bdi->cgwb_tree, wb->memcg_css->id));
 	list_del(&wb->memcg_node);
 	list_del(&wb->blkcg_node);
+	list_add(&wb->offline_node, &offline_cgwbs);
 	percpu_ref_kill(&wb->refcnt);
 }
=20
@@ -734,6 +745,50 @@ static void cgwb_bdi_unregister(struct backing_dev_inf=
o *bdi)
 	mutex_unlock(&bdi->cgwb_release_mutex);
 }
=20
+/**
+ * cleanup_offline_cgwbs - try to release dying cgwbs
+ *
+ * Try to release dying cgwbs by switching attached inodes to the wb
+ * belonging to the root memory cgroup. Processed wbs are placed at the
+ * end of the list to guarantee the forward progress.
+ *
+ * Should be called with the acquired cgwb_lock lock, which might
+ * be released and re-acquired in the process.
+ */
+static void cleanup_offline_cgwbs(void)
+{
+	struct bdi_writeback *wb;
+	LIST_HEAD(processed);
+	bool cont =3D true;
+
+	lockdep_assert_held(&cgwb_lock);
+
+	do {
+		wb =3D list_first_entry_or_null(&offline_cgwbs,
+					      struct bdi_writeback,
+					      offline_node);
+		if (!wb)
+			break;
+
+		list_move_tail(&wb->offline_node, &processed);
+
+		if (wb_has_dirty_io(wb))
+			continue;
+
+		if (!percpu_ref_tryget(&wb->refcnt))
+			continue;
+
+		spin_unlock_irq(&cgwb_lock);
+		cont =3D cleanup_offline_wb(wb);
+		spin_lock_irq(&cgwb_lock);
+
+		wb_put(wb);
+	} while (cont);
+
+	if (!list_empty(&processed))
+		list_splice_tail(&processed, &offline_cgwbs);
+}
+
 /**
  * wb_memcg_offline - kill all wb's associated with a memcg being offlined
  * @memcg: memcg being offlined
@@ -749,6 +804,9 @@ void wb_memcg_offline(struct mem_cgroup *memcg)
 	list_for_each_entry_safe(wb, next, memcg_cgwb_list, memcg_node)
 		cgwb_kill(wb);
 	memcg_cgwb_list->next =3D NULL;	/* prevent new wb's */
+
+	cleanup_offline_cgwbs();
+
 	spin_unlock_irq(&cgwb_lock);
 }
=20
--=20
2.21.0