Re: [RFC] mm: gup: add helper page_try_gup_pin(page)

[Jerome Glisse]

On Mon, Nov 04, 2019 at 06:20:50PM +0800, Hillf Danton wrote:
> 
> On Sun, 3 Nov 2019 22:09:03 -0800 John Hubbard wrote:
> > On 11/3/19 8:34 PM, Hillf Danton wrote:
> > ...
> > >>
> > >> Well, as long as we're counting bits, I've taken 21 bits (!) to track
> > >> "gupers". :)  More accurately, I'm sharing 31 bits with get_page()...please
> > > 
> > > Would you please specify the reasoning of tracking multiple gupers
> > > for a dirty page? Do you mean that it is all fine for guper-A to add
> > > changes to guper-B's data without warning and vice versa?
> > 
> > It's generally OK to call get_user_pages() on a page more than once.
> 
> Does this explain that it's generally OK to gup pin a page under
> writeback and then start DMA to it behind the flusher's back without
> warning? 

It can happens today, is it ok ... well no but we live in an imperfect
world. GUP have been abuse by few device driver over the years and those
never checked what it meant to use it so now we are left with existing
device driver that we can not break that do wrong thing.

I personaly think that we should use bounce page for writeback so that
writeback can still happens if a page is GUPed. John's patchset is the
first step to be able to identify GUPed page and maybe special case them.

> 
> > And even though we are seeing some work to reduce the number of places
> > in the kernel that call get_user_pages(), there are still lots of call sites.
> > That means lots of combinations and situations that could result in more
> > than one gup call per page.
> > 
> > Furthermore, there is no mechanism, convention, documentation, nor anything
> > at all that attempts to enforce "for each page, get_user_pages() may only
> > be called once."
> 
> What sense is this making wrt the data corruption resulting specifically
> from multiple gup references?

Multiple GUP references do not imply corruption. Only one or more devices
writing to the page while writeback is happening is a cause of corruption.
Multiple device writting in the same page concurrently is like multiple
CPU thread doing the same. Either the application/device drivers are doing
this rightfully on purpose or the application has a bug. Either way it is
not our problem (note here i am talking about userspace portion of the
device driver).


> > >> I think you must have missed the many contentious debates about the
> > >> tension between gup-pinned pages, and writeback. File systems can't
> > >> just ignore writeback in all cases. This patch leads to either
> > >> system hangs or filesystem corruption, in the presence of long-lasting
> > >> gup pins.
> > > 
> > > The current risk of data corruption due to writeback with long-lived
> > > gup references all ignored is zeroed out by detecting gup-pinned dirty
> > > pages and skipping them; that may lead to problems you mention above.
> > > 
> > 
> > Here, I believe you're pointing out that the current situation in the
> > kernel is already broken, with respect to fs interactions (especially
> > writeback) with gup. Yes, you are correct, there is a problem.
> > 
> > > Though I doubt anything helpful about it can be expected from fs in near
> > 
> > Actually, fs and mm folks are working together to solve this.
> > 
> > > future, we have options for instance that gupers periodically release
> > > their references and re-pin pages after data sync the same way as the
> > > current flusher does.
> > > 
> > 
> > That's one idea. I don't see it as viable, given the behavior of, say,
> > a compute process running OpenCL jobs on a GPU that is connected via
> > a network or Infiniband card--the idea of "pause" really looks more like
> > "tear down the complicated multi-driver connection, writeback, then set it
> > all up again", I suspect. (And if we could easily interrupt the job, we'd
> > probably really be running with a page-fault-capable GPU plus and IB card
> > that does ODP, plus HMM, and we wouldn't need to gup-pin anyway...)
> 
> Well is it OK to shorten the behavior above to "data corruption in
> writeback is tolerable in practice because of the expensive cost of
> data sync"?
> 
> What is the point of writeback? Why can the writeback of long-lived
> gup-pinned pages not be skipped while data sync can be entirely
> ignored?

I do not think we want that (skip writeback on GUPed page). I think what
we should do is use a bounce page ie take a snapshot of the page and
starts writeback with the snapshot. We need a snapshot because fs code
expect stable page content for things like encryption or hashing or other
crazy fs features :)

Cheers,
Jérôme