2005-04-16 15:20:36 -07:00
/*
* Copyright ( C ) 2001 Momchil Velikov
* Portions Copyright ( C ) 2001 Christoph Hellwig
2008-07-04 09:59:22 -07:00
* Copyright ( C ) 2005 SGI , Christoph Lameter
2006-12-06 20:33:44 -08:00
* Copyright ( C ) 2006 Nick Piggin
2012-03-28 14:42:53 -07:00
* Copyright ( C ) 2012 Konstantin Khlebnikov
2016-05-20 17:02:58 -07:00
* Copyright ( C ) 2016 Intel , Matthew Wilcox
* Copyright ( C ) 2016 Intel , Ross Zwisler
2005-04-16 15:20:36 -07:00
*
* This program is free software ; you can redistribute it and / or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation ; either version 2 , or ( at
* your option ) any later version .
*
* This program is distributed in the hope that it will be useful , but
* WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the GNU
* General Public License for more details .
*
* You should have received a copy of the GNU General Public License
* along with this program ; if not , write to the Free Software
* Foundation , Inc . , 675 Mass Ave , Cambridge , MA 0213 9 , USA .
*/
2016-12-20 10:27:56 -05:00
# include <linux/bitmap.h>
# include <linux/bitops.h>
2017-11-28 15:16:24 -05:00
# include <linux/bug.h>
2016-12-14 15:09:01 -08:00
# include <linux/cpu.h>
2005-04-16 15:20:36 -07:00
# include <linux/errno.h>
2016-12-20 10:27:56 -05:00
# include <linux/export.h>
# include <linux/idr.h>
2005-04-16 15:20:36 -07:00
# include <linux/init.h>
# include <linux/kernel.h>
2016-12-20 10:27:56 -05:00
# include <linux/kmemleak.h>
2005-04-16 15:20:36 -07:00
# include <linux/percpu.h>
2016-12-20 10:27:56 -05:00
# include <linux/preempt.h> /* in_interrupt() */
# include <linux/radix-tree.h>
# include <linux/rcupdate.h>
2005-04-16 15:20:36 -07:00
# include <linux/slab.h>
# include <linux/string.h>
2016-07-26 15:26:02 -07:00
/* Number of nodes in fully populated tree of given height */
static unsigned long height_to_maxnodes [ RADIX_TREE_MAX_PATH + 1 ] __read_mostly ;
2005-04-16 15:20:36 -07:00
/*
* Radix tree node cache .
*/
2006-12-06 20:33:20 -08:00
static struct kmem_cache * radix_tree_node_cachep ;
2005-04-16 15:20:36 -07:00
2012-05-29 15:07:34 -07:00
/*
* The radix tree is variable - height , so an insert operation not only has
* to build the branch to its corresponding item , it also has to build the
* branch to existing items if the size has to be increased ( by
* radix_tree_extend ) .
*
* The worst case is a zero height tree with just a single item at index 0 ,
* and then inserting an item at index ULONG_MAX . This requires 2 new branches
* of RADIX_TREE_MAX_PATH size to be created , with only the root node shared .
* Hence :
*/
# define RADIX_TREE_PRELOAD_SIZE (RADIX_TREE_MAX_PATH * 2 - 1)
2016-12-20 10:27:56 -05:00
/*
* The IDR does not have to be as high as the radix tree since it uses
* signed integers , not unsigned longs .
*/
# define IDR_INDEX_BITS (8 /* CHAR_BIT */ * sizeof(int) - 1)
# define IDR_MAX_PATH (DIV_ROUND_UP(IDR_INDEX_BITS, \
RADIX_TREE_MAP_SHIFT ) )
# define IDR_PRELOAD_SIZE (IDR_MAX_PATH * 2 - 1)
2016-12-16 11:55:56 -05:00
/*
* The IDA is even shorter since it uses a bitmap at the last level .
*/
# define IDA_INDEX_BITS (8 * sizeof(int) - 1 - ilog2(IDA_BITMAP_BITS))
# define IDA_MAX_PATH (DIV_ROUND_UP(IDA_INDEX_BITS, \
RADIX_TREE_MAP_SHIFT ) )
# define IDA_PRELOAD_SIZE (IDA_MAX_PATH * 2 - 1)
2005-04-16 15:20:36 -07:00
/*
* Per - cpu pool of preloaded nodes
*/
struct radix_tree_preload {
2016-05-20 17:03:04 -07:00
unsigned nr ;
2017-01-16 16:41:29 -05:00
/* nodes->parent points to next preallocated node */
2015-06-25 15:02:19 -07:00
struct radix_tree_node * nodes ;
2005-04-16 15:20:36 -07:00
} ;
2009-01-06 14:40:50 -08:00
static DEFINE_PER_CPU ( struct radix_tree_preload , radix_tree_preloads ) = { 0 , } ;
2005-04-16 15:20:36 -07:00
2016-12-14 15:08:49 -08:00
static inline struct radix_tree_node * entry_to_node ( void * ptr )
{
return ( void * ) ( ( unsigned long ) ptr & ~ RADIX_TREE_INTERNAL_NODE ) ;
}
2016-05-20 17:03:24 -07:00
static inline void * node_to_entry ( void * ptr )
2010-11-11 14:05:19 -08:00
{
2016-05-20 17:03:22 -07:00
return ( void * ) ( ( unsigned long ) ptr | RADIX_TREE_INTERNAL_NODE ) ;
2010-11-11 14:05:19 -08:00
}
2016-05-20 17:03:24 -07:00
# define RADIX_TREE_RETRY node_to_entry(NULL)
2016-05-20 17:02:17 -07:00
2016-05-20 17:01:57 -07:00
# ifdef CONFIG_RADIX_TREE_MULTIORDER
/* Sibling slots point directly to another slot in the same node */
2016-12-19 17:43:19 -05:00
static inline
bool is_sibling_entry ( const struct radix_tree_node * parent , void * node )
2016-05-20 17:01:57 -07:00
{
2017-02-13 15:58:24 -05:00
void __rcu * * ptr = node ;
2016-05-20 17:01:57 -07:00
return ( parent - > slots < = ptr ) & &
( ptr < parent - > slots + RADIX_TREE_MAP_SIZE ) ;
}
# else
2016-12-19 17:43:19 -05:00
static inline
bool is_sibling_entry ( const struct radix_tree_node * parent , void * node )
2016-05-20 17:01:57 -07:00
{
return false ;
}
# endif
2017-02-13 15:58:24 -05:00
static inline unsigned long
get_slot_offset ( const struct radix_tree_node * parent , void __rcu * * slot )
2016-05-20 17:01:57 -07:00
{
return slot - parent - > slots ;
}
2016-12-19 17:43:19 -05:00
static unsigned int radix_tree_descend ( const struct radix_tree_node * parent ,
2016-05-20 17:03:48 -07:00
struct radix_tree_node * * nodep , unsigned long index )
2016-05-20 17:01:57 -07:00
{
2016-05-20 17:03:48 -07:00
unsigned int offset = ( index > > parent - > shift ) & RADIX_TREE_MAP_MASK ;
2017-02-13 15:58:24 -05:00
void __rcu * * entry = rcu_dereference_raw ( parent - > slots [ offset ] ) ;
2016-05-20 17:01:57 -07:00
# ifdef CONFIG_RADIX_TREE_MULTIORDER
2016-05-20 17:03:30 -07:00
if ( radix_tree_is_internal_node ( entry ) ) {
2016-09-25 13:32:46 -07:00
if ( is_sibling_entry ( parent , entry ) ) {
2017-02-13 15:58:24 -05:00
void __rcu * * sibentry ;
sibentry = ( void __rcu * * ) entry_to_node ( entry ) ;
2016-09-25 13:32:46 -07:00
offset = get_slot_offset ( parent , sibentry ) ;
entry = rcu_dereference_raw ( * sibentry ) ;
2016-05-20 17:01:57 -07:00
}
}
# endif
* nodep = ( void * ) entry ;
return offset ;
}
2016-12-19 17:43:19 -05:00
static inline gfp_t root_gfp_mask ( const struct radix_tree_root * root )
2006-06-23 02:03:22 -07:00
{
radix tree: use GFP_ZONEMASK bits of gfp_t for flags
Patch series "XArray", v9. (First part thereof).
This patchset is, I believe, appropriate for merging for 4.17. It
contains the XArray implementation, to eventually replace the radix
tree, and converts the page cache to use it.
This conversion keeps the radix tree and XArray data structures in sync
at all times. That allows us to convert the page cache one function at
a time and should allow for easier bisection. Other than renaming some
elements of the structures, the data structures are fundamentally
unchanged; a radix tree walk and an XArray walk will touch the same
number of cachelines. I have changes planned to the XArray data
structure, but those will happen in future patches.
Improvements the XArray has over the radix tree:
- The radix tree provides operations like other trees do; 'insert' and
'delete'. But what most users really want is an automatically
resizing array, and so it makes more sense to give users an API that
is like an array -- 'load' and 'store'. We still have an 'insert'
operation for users that really want that semantic.
- The XArray considers locking as part of its API. This simplifies a
lot of users who formerly had to manage their own locking just for
the radix tree. It also improves code generation as we can now tell
RCU that we're holding a lock and it doesn't need to generate as much
fencing code. The other advantage is that tree nodes can be moved
(not yet implemented).
- GFP flags are now parameters to calls which may need to allocate
memory. The radix tree forced users to decide what the allocation
flags would be at creation time. It's much clearer to specify them at
allocation time.
- Memory is not preloaded; we don't tie up dozens of pages on the off
chance that the slab allocator fails. Instead, we drop the lock,
allocate a new node and retry the operation. We have to convert all
the radix tree, IDA and IDR preload users before we can realise this
benefit, but I have not yet found a user which cannot be converted.
- The XArray provides a cmpxchg operation. The radix tree forces users
to roll their own (and at least four have).
- Iterators take a 'max' parameter. That simplifies many users and will
reduce the amount of iteration done.
- Iteration can proceed backwards. We only have one user for this, but
since it's called as part of the pagefault readahead algorithm, that
seemed worth mentioning.
- RCU-protected pointers are not exposed as part of the API. There are
some fun bugs where the page cache forgets to use rcu_dereference()
in the current codebase.
- Value entries gain an extra bit compared to radix tree exceptional
entries. That gives us the extra bit we need to put huge page swap
entries in the page cache.
- Some iterators now take a 'filter' argument instead of having
separate iterators for tagged/untagged iterations.
The page cache is improved by this:
- Shorter, easier to read code
- More efficient iterations
- Reduction in size of struct address_space
- Fewer walks from the top of the data structure; the XArray API
encourages staying at the leaf node and conducting operations there.
This patch (of 8):
None of these bits may be used for slab allocations, so we can use them
as radix tree flags as long as we mask them off before passing them to
the slab allocator. Move the IDR flag from the high bits to the
GFP_ZONEMASK bits.
Link: http://lkml.kernel.org/r/20180313132639.17387-3-willy@infradead.org
Signed-off-by: Matthew Wilcox <mawilcox@microsoft.com>
Acked-by: Jeff Layton <jlayton@kernel.org>
Cc: Darrick J. Wong <darrick.wong@oracle.com>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2018-04-10 16:36:28 -07:00
return root - > gfp_mask & ( __GFP_BITS_MASK & ~ GFP_ZONEMASK ) ;
2006-06-23 02:03:22 -07:00
}
radix-tree: fix small lockless radix-tree bug
We shrink a radix tree when its root node has only one child, in the left
most slot. The child becomes the new root node. To perform this
operation in a manner compatible with concurrent lockless lookups, we
atomically switch the root pointer from the parent to its child.
However a concurrent lockless lookup may now have loaded a pointer to the
parent (and is presently deciding what to do next). For this reason, we
also have to keep the parent node in a valid state after shrinking the
tree, until the next RCU grace period -- otherwise this lookup with the
parent pointer may not do the right thing. Notably, we need to keep the
child in the left most slot there in case that is requested by the lookup.
This is all pretty standard RCU stuff. It is worth repeating because in
my eagerness to obey the radix tree node constructor scheme, I had broken
it by zeroing the radix tree node before the grace period.
What could happen is that a lookup can load the parent pointer, then
decide it wants to follow the left most child slot, only to find the slot
contained NULL due to the concurrent shrinker having zeroed the parent
node before waiting for a grace period. The lookup would return a false
negative as a result.
Fix it by doing that clearing in the RCU callback. I would normally want
to rip out the constructor entirely, but radix tree nodes are one of those
places where they make sense (only few cachelines will be touched soon
after allocation).
This was never actually found in any lockless pagecache testing or by the
test harness, but by seeing the odd problem with my scalable vmap rewrite.
I have not tickled the test harness into reproducing it yet, but I'll
keep working at it.
Fortunately, it is not a problem anywhere lockless pagecache is used in
mainline kernels (pagecache probe is not a guarantee, and brd does not
have concurrent lookups and deletes).
Signed-off-by: Nick Piggin <npiggin@suse.de>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-06-12 15:21:52 -07:00
static inline void tag_set ( struct radix_tree_node * node , unsigned int tag ,
int offset )
{
__set_bit ( offset , node - > tags [ tag ] ) ;
}
static inline void tag_clear ( struct radix_tree_node * node , unsigned int tag ,
int offset )
{
__clear_bit ( offset , node - > tags [ tag ] ) ;
}
2016-12-19 17:43:19 -05:00
static inline int tag_get ( const struct radix_tree_node * node , unsigned int tag ,
radix-tree: fix small lockless radix-tree bug
We shrink a radix tree when its root node has only one child, in the left
most slot. The child becomes the new root node. To perform this
operation in a manner compatible with concurrent lockless lookups, we
atomically switch the root pointer from the parent to its child.
However a concurrent lockless lookup may now have loaded a pointer to the
parent (and is presently deciding what to do next). For this reason, we
also have to keep the parent node in a valid state after shrinking the
tree, until the next RCU grace period -- otherwise this lookup with the
parent pointer may not do the right thing. Notably, we need to keep the
child in the left most slot there in case that is requested by the lookup.
This is all pretty standard RCU stuff. It is worth repeating because in
my eagerness to obey the radix tree node constructor scheme, I had broken
it by zeroing the radix tree node before the grace period.
What could happen is that a lookup can load the parent pointer, then
decide it wants to follow the left most child slot, only to find the slot
contained NULL due to the concurrent shrinker having zeroed the parent
node before waiting for a grace period. The lookup would return a false
negative as a result.
Fix it by doing that clearing in the RCU callback. I would normally want
to rip out the constructor entirely, but radix tree nodes are one of those
places where they make sense (only few cachelines will be touched soon
after allocation).
This was never actually found in any lockless pagecache testing or by the
test harness, but by seeing the odd problem with my scalable vmap rewrite.
I have not tickled the test harness into reproducing it yet, but I'll
keep working at it.
Fortunately, it is not a problem anywhere lockless pagecache is used in
mainline kernels (pagecache probe is not a guarantee, and brd does not
have concurrent lookups and deletes).
Signed-off-by: Nick Piggin <npiggin@suse.de>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-06-12 15:21:52 -07:00
int offset )
{
return test_bit ( offset , node - > tags [ tag ] ) ;
}
2016-12-19 17:43:19 -05:00
static inline void root_tag_set ( struct radix_tree_root * root , unsigned tag )
radix-tree: fix small lockless radix-tree bug
We shrink a radix tree when its root node has only one child, in the left
most slot. The child becomes the new root node. To perform this
operation in a manner compatible with concurrent lockless lookups, we
atomically switch the root pointer from the parent to its child.
However a concurrent lockless lookup may now have loaded a pointer to the
parent (and is presently deciding what to do next). For this reason, we
also have to keep the parent node in a valid state after shrinking the
tree, until the next RCU grace period -- otherwise this lookup with the
parent pointer may not do the right thing. Notably, we need to keep the
child in the left most slot there in case that is requested by the lookup.
This is all pretty standard RCU stuff. It is worth repeating because in
my eagerness to obey the radix tree node constructor scheme, I had broken
it by zeroing the radix tree node before the grace period.
What could happen is that a lookup can load the parent pointer, then
decide it wants to follow the left most child slot, only to find the slot
contained NULL due to the concurrent shrinker having zeroed the parent
node before waiting for a grace period. The lookup would return a false
negative as a result.
Fix it by doing that clearing in the RCU callback. I would normally want
to rip out the constructor entirely, but radix tree nodes are one of those
places where they make sense (only few cachelines will be touched soon
after allocation).
This was never actually found in any lockless pagecache testing or by the
test harness, but by seeing the odd problem with my scalable vmap rewrite.
I have not tickled the test harness into reproducing it yet, but I'll
keep working at it.
Fortunately, it is not a problem anywhere lockless pagecache is used in
mainline kernels (pagecache probe is not a guarantee, and brd does not
have concurrent lookups and deletes).
Signed-off-by: Nick Piggin <npiggin@suse.de>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-06-12 15:21:52 -07:00
{
2016-12-20 10:27:56 -05:00
root - > gfp_mask | = ( __force gfp_t ) ( 1 < < ( tag + ROOT_TAG_SHIFT ) ) ;
radix-tree: fix small lockless radix-tree bug
We shrink a radix tree when its root node has only one child, in the left
most slot. The child becomes the new root node. To perform this
operation in a manner compatible with concurrent lockless lookups, we
atomically switch the root pointer from the parent to its child.
However a concurrent lockless lookup may now have loaded a pointer to the
parent (and is presently deciding what to do next). For this reason, we
also have to keep the parent node in a valid state after shrinking the
tree, until the next RCU grace period -- otherwise this lookup with the
parent pointer may not do the right thing. Notably, we need to keep the
child in the left most slot there in case that is requested by the lookup.
This is all pretty standard RCU stuff. It is worth repeating because in
my eagerness to obey the radix tree node constructor scheme, I had broken
it by zeroing the radix tree node before the grace period.
What could happen is that a lookup can load the parent pointer, then
decide it wants to follow the left most child slot, only to find the slot
contained NULL due to the concurrent shrinker having zeroed the parent
node before waiting for a grace period. The lookup would return a false
negative as a result.
Fix it by doing that clearing in the RCU callback. I would normally want
to rip out the constructor entirely, but radix tree nodes are one of those
places where they make sense (only few cachelines will be touched soon
after allocation).
This was never actually found in any lockless pagecache testing or by the
test harness, but by seeing the odd problem with my scalable vmap rewrite.
I have not tickled the test harness into reproducing it yet, but I'll
keep working at it.
Fortunately, it is not a problem anywhere lockless pagecache is used in
mainline kernels (pagecache probe is not a guarantee, and brd does not
have concurrent lookups and deletes).
Signed-off-by: Nick Piggin <npiggin@suse.de>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-06-12 15:21:52 -07:00
}
2016-05-20 17:03:04 -07:00
static inline void root_tag_clear ( struct radix_tree_root * root , unsigned tag )
radix-tree: fix small lockless radix-tree bug
We shrink a radix tree when its root node has only one child, in the left
most slot. The child becomes the new root node. To perform this
operation in a manner compatible with concurrent lockless lookups, we
atomically switch the root pointer from the parent to its child.
However a concurrent lockless lookup may now have loaded a pointer to the
parent (and is presently deciding what to do next). For this reason, we
also have to keep the parent node in a valid state after shrinking the
tree, until the next RCU grace period -- otherwise this lookup with the
parent pointer may not do the right thing. Notably, we need to keep the
child in the left most slot there in case that is requested by the lookup.
This is all pretty standard RCU stuff. It is worth repeating because in
my eagerness to obey the radix tree node constructor scheme, I had broken
it by zeroing the radix tree node before the grace period.
What could happen is that a lookup can load the parent pointer, then
decide it wants to follow the left most child slot, only to find the slot
contained NULL due to the concurrent shrinker having zeroed the parent
node before waiting for a grace period. The lookup would return a false
negative as a result.
Fix it by doing that clearing in the RCU callback. I would normally want
to rip out the constructor entirely, but radix tree nodes are one of those
places where they make sense (only few cachelines will be touched soon
after allocation).
This was never actually found in any lockless pagecache testing or by the
test harness, but by seeing the odd problem with my scalable vmap rewrite.
I have not tickled the test harness into reproducing it yet, but I'll
keep working at it.
Fortunately, it is not a problem anywhere lockless pagecache is used in
mainline kernels (pagecache probe is not a guarantee, and brd does not
have concurrent lookups and deletes).
Signed-off-by: Nick Piggin <npiggin@suse.de>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-06-12 15:21:52 -07:00
{
2016-12-20 10:27:56 -05:00
root - > gfp_mask & = ( __force gfp_t ) ~ ( 1 < < ( tag + ROOT_TAG_SHIFT ) ) ;
radix-tree: fix small lockless radix-tree bug
We shrink a radix tree when its root node has only one child, in the left
most slot. The child becomes the new root node. To perform this
operation in a manner compatible with concurrent lockless lookups, we
atomically switch the root pointer from the parent to its child.
However a concurrent lockless lookup may now have loaded a pointer to the
parent (and is presently deciding what to do next). For this reason, we
also have to keep the parent node in a valid state after shrinking the
tree, until the next RCU grace period -- otherwise this lookup with the
parent pointer may not do the right thing. Notably, we need to keep the
child in the left most slot there in case that is requested by the lookup.
This is all pretty standard RCU stuff. It is worth repeating because in
my eagerness to obey the radix tree node constructor scheme, I had broken
it by zeroing the radix tree node before the grace period.
What could happen is that a lookup can load the parent pointer, then
decide it wants to follow the left most child slot, only to find the slot
contained NULL due to the concurrent shrinker having zeroed the parent
node before waiting for a grace period. The lookup would return a false
negative as a result.
Fix it by doing that clearing in the RCU callback. I would normally want
to rip out the constructor entirely, but radix tree nodes are one of those
places where they make sense (only few cachelines will be touched soon
after allocation).
This was never actually found in any lockless pagecache testing or by the
test harness, but by seeing the odd problem with my scalable vmap rewrite.
I have not tickled the test harness into reproducing it yet, but I'll
keep working at it.
Fortunately, it is not a problem anywhere lockless pagecache is used in
mainline kernels (pagecache probe is not a guarantee, and brd does not
have concurrent lookups and deletes).
Signed-off-by: Nick Piggin <npiggin@suse.de>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-06-12 15:21:52 -07:00
}
static inline void root_tag_clear_all ( struct radix_tree_root * root )
{
2016-12-20 10:27:56 -05:00
root - > gfp_mask & = ( 1 < < ROOT_TAG_SHIFT ) - 1 ;
radix-tree: fix small lockless radix-tree bug
We shrink a radix tree when its root node has only one child, in the left
most slot. The child becomes the new root node. To perform this
operation in a manner compatible with concurrent lockless lookups, we
atomically switch the root pointer from the parent to its child.
However a concurrent lockless lookup may now have loaded a pointer to the
parent (and is presently deciding what to do next). For this reason, we
also have to keep the parent node in a valid state after shrinking the
tree, until the next RCU grace period -- otherwise this lookup with the
parent pointer may not do the right thing. Notably, we need to keep the
child in the left most slot there in case that is requested by the lookup.
This is all pretty standard RCU stuff. It is worth repeating because in
my eagerness to obey the radix tree node constructor scheme, I had broken
it by zeroing the radix tree node before the grace period.
What could happen is that a lookup can load the parent pointer, then
decide it wants to follow the left most child slot, only to find the slot
contained NULL due to the concurrent shrinker having zeroed the parent
node before waiting for a grace period. The lookup would return a false
negative as a result.
Fix it by doing that clearing in the RCU callback. I would normally want
to rip out the constructor entirely, but radix tree nodes are one of those
places where they make sense (only few cachelines will be touched soon
after allocation).
This was never actually found in any lockless pagecache testing or by the
test harness, but by seeing the odd problem with my scalable vmap rewrite.
I have not tickled the test harness into reproducing it yet, but I'll
keep working at it.
Fortunately, it is not a problem anywhere lockless pagecache is used in
mainline kernels (pagecache probe is not a guarantee, and brd does not
have concurrent lookups and deletes).
Signed-off-by: Nick Piggin <npiggin@suse.de>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-06-12 15:21:52 -07:00
}
2016-12-19 17:43:19 -05:00
static inline int root_tag_get ( const struct radix_tree_root * root , unsigned tag )
radix-tree: fix small lockless radix-tree bug
We shrink a radix tree when its root node has only one child, in the left
most slot. The child becomes the new root node. To perform this
operation in a manner compatible with concurrent lockless lookups, we
atomically switch the root pointer from the parent to its child.
However a concurrent lockless lookup may now have loaded a pointer to the
parent (and is presently deciding what to do next). For this reason, we
also have to keep the parent node in a valid state after shrinking the
tree, until the next RCU grace period -- otherwise this lookup with the
parent pointer may not do the right thing. Notably, we need to keep the
child in the left most slot there in case that is requested by the lookup.
This is all pretty standard RCU stuff. It is worth repeating because in
my eagerness to obey the radix tree node constructor scheme, I had broken
it by zeroing the radix tree node before the grace period.
What could happen is that a lookup can load the parent pointer, then
decide it wants to follow the left most child slot, only to find the slot
contained NULL due to the concurrent shrinker having zeroed the parent
node before waiting for a grace period. The lookup would return a false
negative as a result.
Fix it by doing that clearing in the RCU callback. I would normally want
to rip out the constructor entirely, but radix tree nodes are one of those
places where they make sense (only few cachelines will be touched soon
after allocation).
This was never actually found in any lockless pagecache testing or by the
test harness, but by seeing the odd problem with my scalable vmap rewrite.
I have not tickled the test harness into reproducing it yet, but I'll
keep working at it.
Fortunately, it is not a problem anywhere lockless pagecache is used in
mainline kernels (pagecache probe is not a guarantee, and brd does not
have concurrent lookups and deletes).
Signed-off-by: Nick Piggin <npiggin@suse.de>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-06-12 15:21:52 -07:00
{
2016-12-20 10:27:56 -05:00
return ( __force int ) root - > gfp_mask & ( 1 < < ( tag + ROOT_TAG_SHIFT ) ) ;
radix-tree: fix small lockless radix-tree bug
We shrink a radix tree when its root node has only one child, in the left
most slot. The child becomes the new root node. To perform this
operation in a manner compatible with concurrent lockless lookups, we
atomically switch the root pointer from the parent to its child.
However a concurrent lockless lookup may now have loaded a pointer to the
parent (and is presently deciding what to do next). For this reason, we
also have to keep the parent node in a valid state after shrinking the
tree, until the next RCU grace period -- otherwise this lookup with the
parent pointer may not do the right thing. Notably, we need to keep the
child in the left most slot there in case that is requested by the lookup.
This is all pretty standard RCU stuff. It is worth repeating because in
my eagerness to obey the radix tree node constructor scheme, I had broken
it by zeroing the radix tree node before the grace period.
What could happen is that a lookup can load the parent pointer, then
decide it wants to follow the left most child slot, only to find the slot
contained NULL due to the concurrent shrinker having zeroed the parent
node before waiting for a grace period. The lookup would return a false
negative as a result.
Fix it by doing that clearing in the RCU callback. I would normally want
to rip out the constructor entirely, but radix tree nodes are one of those
places where they make sense (only few cachelines will be touched soon
after allocation).
This was never actually found in any lockless pagecache testing or by the
test harness, but by seeing the odd problem with my scalable vmap rewrite.
I have not tickled the test harness into reproducing it yet, but I'll
keep working at it.
Fortunately, it is not a problem anywhere lockless pagecache is used in
mainline kernels (pagecache probe is not a guarantee, and brd does not
have concurrent lookups and deletes).
Signed-off-by: Nick Piggin <npiggin@suse.de>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-06-12 15:21:52 -07:00
}
2016-12-19 17:43:19 -05:00
static inline unsigned root_tags_get ( const struct radix_tree_root * root )
radix-tree: fix small lockless radix-tree bug
We shrink a radix tree when its root node has only one child, in the left
most slot. The child becomes the new root node. To perform this
operation in a manner compatible with concurrent lockless lookups, we
atomically switch the root pointer from the parent to its child.
However a concurrent lockless lookup may now have loaded a pointer to the
parent (and is presently deciding what to do next). For this reason, we
also have to keep the parent node in a valid state after shrinking the
tree, until the next RCU grace period -- otherwise this lookup with the
parent pointer may not do the right thing. Notably, we need to keep the
child in the left most slot there in case that is requested by the lookup.
This is all pretty standard RCU stuff. It is worth repeating because in
my eagerness to obey the radix tree node constructor scheme, I had broken
it by zeroing the radix tree node before the grace period.
What could happen is that a lookup can load the parent pointer, then
decide it wants to follow the left most child slot, only to find the slot
contained NULL due to the concurrent shrinker having zeroed the parent
node before waiting for a grace period. The lookup would return a false
negative as a result.
Fix it by doing that clearing in the RCU callback. I would normally want
to rip out the constructor entirely, but radix tree nodes are one of those
places where they make sense (only few cachelines will be touched soon
after allocation).
This was never actually found in any lockless pagecache testing or by the
test harness, but by seeing the odd problem with my scalable vmap rewrite.
I have not tickled the test harness into reproducing it yet, but I'll
keep working at it.
Fortunately, it is not a problem anywhere lockless pagecache is used in
mainline kernels (pagecache probe is not a guarantee, and brd does not
have concurrent lookups and deletes).
Signed-off-by: Nick Piggin <npiggin@suse.de>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-06-12 15:21:52 -07:00
{
2016-12-20 10:27:56 -05:00
return ( __force unsigned ) root - > gfp_mask > > ROOT_TAG_SHIFT ;
radix-tree: fix small lockless radix-tree bug
We shrink a radix tree when its root node has only one child, in the left
most slot. The child becomes the new root node. To perform this
operation in a manner compatible with concurrent lockless lookups, we
atomically switch the root pointer from the parent to its child.
However a concurrent lockless lookup may now have loaded a pointer to the
parent (and is presently deciding what to do next). For this reason, we
also have to keep the parent node in a valid state after shrinking the
tree, until the next RCU grace period -- otherwise this lookup with the
parent pointer may not do the right thing. Notably, we need to keep the
child in the left most slot there in case that is requested by the lookup.
This is all pretty standard RCU stuff. It is worth repeating because in
my eagerness to obey the radix tree node constructor scheme, I had broken
it by zeroing the radix tree node before the grace period.
What could happen is that a lookup can load the parent pointer, then
decide it wants to follow the left most child slot, only to find the slot
contained NULL due to the concurrent shrinker having zeroed the parent
node before waiting for a grace period. The lookup would return a false
negative as a result.
Fix it by doing that clearing in the RCU callback. I would normally want
to rip out the constructor entirely, but radix tree nodes are one of those
places where they make sense (only few cachelines will be touched soon
after allocation).
This was never actually found in any lockless pagecache testing or by the
test harness, but by seeing the odd problem with my scalable vmap rewrite.
I have not tickled the test harness into reproducing it yet, but I'll
keep working at it.
Fortunately, it is not a problem anywhere lockless pagecache is used in
mainline kernels (pagecache probe is not a guarantee, and brd does not
have concurrent lookups and deletes).
Signed-off-by: Nick Piggin <npiggin@suse.de>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-06-12 15:21:52 -07:00
}
2016-12-20 10:27:56 -05:00
static inline bool is_idr ( const struct radix_tree_root * root )
2016-05-20 17:02:23 -07:00
{
2016-12-20 10:27:56 -05:00
return ! ! ( root - > gfp_mask & ROOT_IS_IDR ) ;
2016-05-20 17:02:23 -07:00
}
radix-tree: fix small lockless radix-tree bug
We shrink a radix tree when its root node has only one child, in the left
most slot. The child becomes the new root node. To perform this
operation in a manner compatible with concurrent lockless lookups, we
atomically switch the root pointer from the parent to its child.
However a concurrent lockless lookup may now have loaded a pointer to the
parent (and is presently deciding what to do next). For this reason, we
also have to keep the parent node in a valid state after shrinking the
tree, until the next RCU grace period -- otherwise this lookup with the
parent pointer may not do the right thing. Notably, we need to keep the
child in the left most slot there in case that is requested by the lookup.
This is all pretty standard RCU stuff. It is worth repeating because in
my eagerness to obey the radix tree node constructor scheme, I had broken
it by zeroing the radix tree node before the grace period.
What could happen is that a lookup can load the parent pointer, then
decide it wants to follow the left most child slot, only to find the slot
contained NULL due to the concurrent shrinker having zeroed the parent
node before waiting for a grace period. The lookup would return a false
negative as a result.
Fix it by doing that clearing in the RCU callback. I would normally want
to rip out the constructor entirely, but radix tree nodes are one of those
places where they make sense (only few cachelines will be touched soon
after allocation).
This was never actually found in any lockless pagecache testing or by the
test harness, but by seeing the odd problem with my scalable vmap rewrite.
I have not tickled the test harness into reproducing it yet, but I'll
keep working at it.
Fortunately, it is not a problem anywhere lockless pagecache is used in
mainline kernels (pagecache probe is not a guarantee, and brd does not
have concurrent lookups and deletes).
Signed-off-by: Nick Piggin <npiggin@suse.de>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-06-12 15:21:52 -07:00
/*
* Returns 1 if any slot in the node has this tag set .
* Otherwise returns 0.
*/
2016-12-19 17:43:19 -05:00
static inline int any_tag_set ( const struct radix_tree_node * node ,
unsigned int tag )
radix-tree: fix small lockless radix-tree bug
We shrink a radix tree when its root node has only one child, in the left
most slot. The child becomes the new root node. To perform this
operation in a manner compatible with concurrent lockless lookups, we
atomically switch the root pointer from the parent to its child.
However a concurrent lockless lookup may now have loaded a pointer to the
parent (and is presently deciding what to do next). For this reason, we
also have to keep the parent node in a valid state after shrinking the
tree, until the next RCU grace period -- otherwise this lookup with the
parent pointer may not do the right thing. Notably, we need to keep the
child in the left most slot there in case that is requested by the lookup.
This is all pretty standard RCU stuff. It is worth repeating because in
my eagerness to obey the radix tree node constructor scheme, I had broken
it by zeroing the radix tree node before the grace period.
What could happen is that a lookup can load the parent pointer, then
decide it wants to follow the left most child slot, only to find the slot
contained NULL due to the concurrent shrinker having zeroed the parent
node before waiting for a grace period. The lookup would return a false
negative as a result.
Fix it by doing that clearing in the RCU callback. I would normally want
to rip out the constructor entirely, but radix tree nodes are one of those
places where they make sense (only few cachelines will be touched soon
after allocation).
This was never actually found in any lockless pagecache testing or by the
test harness, but by seeing the odd problem with my scalable vmap rewrite.
I have not tickled the test harness into reproducing it yet, but I'll
keep working at it.
Fortunately, it is not a problem anywhere lockless pagecache is used in
mainline kernels (pagecache probe is not a guarantee, and brd does not
have concurrent lookups and deletes).
Signed-off-by: Nick Piggin <npiggin@suse.de>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-06-12 15:21:52 -07:00
{
2016-05-20 17:03:04 -07:00
unsigned idx ;
radix-tree: fix small lockless radix-tree bug
We shrink a radix tree when its root node has only one child, in the left
most slot. The child becomes the new root node. To perform this
operation in a manner compatible with concurrent lockless lookups, we
atomically switch the root pointer from the parent to its child.
However a concurrent lockless lookup may now have loaded a pointer to the
parent (and is presently deciding what to do next). For this reason, we
also have to keep the parent node in a valid state after shrinking the
tree, until the next RCU grace period -- otherwise this lookup with the
parent pointer may not do the right thing. Notably, we need to keep the
child in the left most slot there in case that is requested by the lookup.
This is all pretty standard RCU stuff. It is worth repeating because in
my eagerness to obey the radix tree node constructor scheme, I had broken
it by zeroing the radix tree node before the grace period.
What could happen is that a lookup can load the parent pointer, then
decide it wants to follow the left most child slot, only to find the slot
contained NULL due to the concurrent shrinker having zeroed the parent
node before waiting for a grace period. The lookup would return a false
negative as a result.
Fix it by doing that clearing in the RCU callback. I would normally want
to rip out the constructor entirely, but radix tree nodes are one of those
places where they make sense (only few cachelines will be touched soon
after allocation).
This was never actually found in any lockless pagecache testing or by the
test harness, but by seeing the odd problem with my scalable vmap rewrite.
I have not tickled the test harness into reproducing it yet, but I'll
keep working at it.
Fortunately, it is not a problem anywhere lockless pagecache is used in
mainline kernels (pagecache probe is not a guarantee, and brd does not
have concurrent lookups and deletes).
Signed-off-by: Nick Piggin <npiggin@suse.de>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-06-12 15:21:52 -07:00
for ( idx = 0 ; idx < RADIX_TREE_TAG_LONGS ; idx + + ) {
if ( node - > tags [ tag ] [ idx ] )
return 1 ;
}
return 0 ;
}
2012-03-28 14:42:53 -07:00
2016-12-20 10:27:56 -05:00
static inline void all_tag_set ( struct radix_tree_node * node , unsigned int tag )
{
bitmap_fill ( node - > tags [ tag ] , RADIX_TREE_MAP_SIZE ) ;
}
2012-03-28 14:42:53 -07:00
/**
* radix_tree_find_next_bit - find the next set bit in a memory region
*
* @ addr : The address to base the search on
* @ size : The bitmap size in bits
* @ offset : The bitnumber to start searching at
*
* Unrollable variant of find_next_bit ( ) for constant size arrays .
* Tail bits starting from size to roundup ( size , BITS_PER_LONG ) must be zero .
* Returns next bit offset , or size if nothing found .
*/
static __always_inline unsigned long
2016-12-14 15:08:40 -08:00
radix_tree_find_next_bit ( struct radix_tree_node * node , unsigned int tag ,
unsigned long offset )
2012-03-28 14:42:53 -07:00
{
2016-12-14 15:08:40 -08:00
const unsigned long * addr = node - > tags [ tag ] ;
2012-03-28 14:42:53 -07:00
2016-12-14 15:08:40 -08:00
if ( offset < RADIX_TREE_MAP_SIZE ) {
2012-03-28 14:42:53 -07:00
unsigned long tmp ;
addr + = offset / BITS_PER_LONG ;
tmp = * addr > > ( offset % BITS_PER_LONG ) ;
if ( tmp )
return __ffs ( tmp ) + offset ;
offset = ( offset + BITS_PER_LONG ) & ~ ( BITS_PER_LONG - 1 ) ;
2016-12-14 15:08:40 -08:00
while ( offset < RADIX_TREE_MAP_SIZE ) {
2012-03-28 14:42:53 -07:00
tmp = * + + addr ;
if ( tmp )
return __ffs ( tmp ) + offset ;
offset + = BITS_PER_LONG ;
}
}
2016-12-14 15:08:40 -08:00
return RADIX_TREE_MAP_SIZE ;
2012-03-28 14:42:53 -07:00
}
2016-12-14 15:08:55 -08:00
static unsigned int iter_offset ( const struct radix_tree_iter * iter )
{
return ( iter - > index > > iter_shift ( iter ) ) & RADIX_TREE_MAP_MASK ;
}
2016-12-14 15:08:43 -08:00
/*
* The maximum index which can be stored in a radix tree
*/
static inline unsigned long shift_maxindex ( unsigned int shift )
{
return ( RADIX_TREE_MAP_SIZE < < shift ) - 1 ;
}
2016-12-19 17:43:19 -05:00
static inline unsigned long node_maxindex ( const struct radix_tree_node * node )
2016-12-14 15:08:43 -08:00
{
return shift_maxindex ( node - > shift ) ;
}
2016-12-20 10:27:56 -05:00
static unsigned long next_index ( unsigned long index ,
const struct radix_tree_node * node ,
unsigned long offset )
{
return ( index & ~ node_maxindex ( node ) ) + ( offset < < node - > shift ) ;
}
2016-05-20 17:02:55 -07:00
# ifndef __KERNEL__
2016-05-20 17:03:19 -07:00
static void dump_node ( struct radix_tree_node * node , unsigned long index )
2016-03-17 14:21:57 -07:00
{
2016-05-20 17:02:55 -07:00
unsigned long i ;
2016-03-17 14:21:57 -07:00
2016-12-14 15:08:43 -08:00
pr_debug ( " radix node: %p offset %d indices %lu-%lu parent %p tags %lx %lx %lx shift %d count %d exceptional %d \n " ,
node , node - > offset , index , index | node_maxindex ( node ) ,
node - > parent ,
2016-05-20 17:02:55 -07:00
node - > tags [ 0 ] [ 0 ] , node - > tags [ 1 ] [ 0 ] , node - > tags [ 2 ] [ 0 ] ,
2016-12-14 15:08:43 -08:00
node - > shift , node - > count , node - > exceptional ) ;
2016-05-20 17:02:55 -07:00
for ( i = 0 ; i < RADIX_TREE_MAP_SIZE ; i + + ) {
2016-05-20 17:03:19 -07:00
unsigned long first = index | ( i < < node - > shift ) ;
unsigned long last = first | ( ( 1UL < < node - > shift ) - 1 ) ;
2016-05-20 17:02:55 -07:00
void * entry = node - > slots [ i ] ;
if ( ! entry )
continue ;
2016-12-14 15:08:43 -08:00
if ( entry = = RADIX_TREE_RETRY ) {
pr_debug ( " radix retry offset %ld indices %lu-%lu parent %p \n " ,
i , first , last , node ) ;
2016-05-20 17:03:30 -07:00
} else if ( ! radix_tree_is_internal_node ( entry ) ) {
2016-12-14 15:08:43 -08:00
pr_debug ( " radix entry %p offset %ld indices %lu-%lu parent %p \n " ,
entry , i , first , last , node ) ;
} else if ( is_sibling_entry ( node , entry ) ) {
pr_debug ( " radix sblng %p offset %ld indices %lu-%lu parent %p val %p \n " ,
entry , i , first , last , node ,
* ( void * * ) entry_to_node ( entry ) ) ;
2016-05-20 17:02:55 -07:00
} else {
2016-05-20 17:03:27 -07:00
dump_node ( entry_to_node ( entry ) , first ) ;
2016-05-20 17:02:55 -07:00
}
}
2016-03-17 14:21:57 -07:00
}
/* For debug */
static void radix_tree_dump ( struct radix_tree_root * root )
{
2016-05-20 17:03:19 -07:00
pr_debug ( " radix root: %p rnode %p tags %x \n " ,
root , root - > rnode ,
2016-12-20 10:27:56 -05:00
root - > gfp_mask > > ROOT_TAG_SHIFT ) ;
2016-05-20 17:03:30 -07:00
if ( ! radix_tree_is_internal_node ( root - > rnode ) )
2016-03-17 14:21:57 -07:00
return ;
2016-05-20 17:03:27 -07:00
dump_node ( entry_to_node ( root - > rnode ) , 0 ) ;
2016-03-17 14:21:57 -07:00
}
2016-12-20 10:27:56 -05:00
static void dump_ida_node ( void * entry , unsigned long index )
{
unsigned long i ;
if ( ! entry )
return ;
if ( radix_tree_is_internal_node ( entry ) ) {
struct radix_tree_node * node = entry_to_node ( entry ) ;
pr_debug ( " ida node: %p offset %d indices %lu-%lu parent %p free %lx shift %d count %d \n " ,
node , node - > offset , index * IDA_BITMAP_BITS ,
( ( index | node_maxindex ( node ) ) + 1 ) *
IDA_BITMAP_BITS - 1 ,
node - > parent , node - > tags [ 0 ] [ 0 ] , node - > shift ,
node - > count ) ;
for ( i = 0 ; i < RADIX_TREE_MAP_SIZE ; i + + )
dump_ida_node ( node - > slots [ i ] ,
index | ( i < < node - > shift ) ) ;
2016-12-17 08:18:17 -05:00
} else if ( radix_tree_exceptional_entry ( entry ) ) {
pr_debug ( " ida excp: %p offset %d indices %lu-%lu data %lx \n " ,
entry , ( int ) ( index & RADIX_TREE_MAP_MASK ) ,
index * IDA_BITMAP_BITS ,
index * IDA_BITMAP_BITS + BITS_PER_LONG -
RADIX_TREE_EXCEPTIONAL_SHIFT ,
( unsigned long ) entry > >
RADIX_TREE_EXCEPTIONAL_SHIFT ) ;
2016-12-20 10:27:56 -05:00
} else {
struct ida_bitmap * bitmap = entry ;
pr_debug ( " ida btmp: %p offset %d indices %lu-%lu data " , bitmap ,
( int ) ( index & RADIX_TREE_MAP_MASK ) ,
index * IDA_BITMAP_BITS ,
( index + 1 ) * IDA_BITMAP_BITS - 1 ) ;
for ( i = 0 ; i < IDA_BITMAP_LONGS ; i + + )
pr_cont ( " %lx " , bitmap - > bitmap [ i ] ) ;
pr_cont ( " \n " ) ;
}
}
static void ida_dump ( struct ida * ida )
{
struct radix_tree_root * root = & ida - > ida_rt ;
2016-12-16 11:55:56 -05:00
pr_debug ( " ida: %p node %p free %d \n " , ida , root - > rnode ,
root - > gfp_mask > > ROOT_TAG_SHIFT ) ;
2016-12-20 10:27:56 -05:00
dump_ida_node ( root - > rnode , 0 ) ;
}
2016-03-17 14:21:57 -07:00
# endif
2005-04-16 15:20:36 -07:00
/*
* This assumes that the caller has performed appropriate preallocation , and
* that the caller has pinned this thread of control to the current CPU .
*/
static struct radix_tree_node *
2016-12-20 10:27:56 -05:00
radix_tree_node_alloc ( gfp_t gfp_mask , struct radix_tree_node * parent ,
2017-01-16 17:10:21 -05:00
struct radix_tree_root * root ,
2016-12-14 15:09:31 -08:00
unsigned int shift , unsigned int offset ,
unsigned int count , unsigned int exceptional )
2005-04-16 15:20:36 -07:00
{
2008-02-04 22:29:10 -08:00
struct radix_tree_node * ret = NULL ;
2005-04-16 15:20:36 -07:00
2013-09-11 14:26:05 -07:00
/*
2016-05-20 17:03:04 -07:00
* Preload code isn ' t irq safe and it doesn ' t make sense to use
* preloading during an interrupt anyway as all the allocations have
* to be atomic . So just do normal allocation when in interrupt .
2013-09-11 14:26:05 -07:00
*/
2015-11-06 16:28:21 -08:00
if ( ! gfpflags_allow_blocking ( gfp_mask ) & & ! in_interrupt ( ) ) {
2005-04-16 15:20:36 -07:00
struct radix_tree_preload * rtp ;
2016-03-17 14:18:36 -07:00
/*
* Even if the caller has preloaded , try to allocate from the
2016-08-02 14:03:01 -07:00
* cache first for the new node to get accounted to the memory
* cgroup .
2016-03-17 14:18:36 -07:00
*/
ret = kmem_cache_alloc ( radix_tree_node_cachep ,
2016-08-02 14:03:01 -07:00
gfp_mask | __GFP_NOWARN ) ;
2016-03-17 14:18:36 -07:00
if ( ret )
goto out ;
2008-02-04 22:29:10 -08:00
/*
* Provided the caller has preloaded here , we will always
* succeed in getting a node here ( and never reach
* kmem_cache_alloc )
*/
2014-06-04 16:07:56 -07:00
rtp = this_cpu_ptr ( & radix_tree_preloads ) ;
2005-04-16 15:20:36 -07:00
if ( rtp - > nr ) {
2015-06-25 15:02:19 -07:00
ret = rtp - > nodes ;
2017-01-16 16:41:29 -05:00
rtp - > nodes = ret - > parent ;
2005-04-16 15:20:36 -07:00
rtp - > nr - - ;
}
2014-06-06 14:38:18 -07:00
/*
* Update the allocation stack trace as this is more useful
* for debugging .
*/
kmemleak_update_trace ( ret ) ;
2016-03-17 14:18:36 -07:00
goto out ;
2005-04-16 15:20:36 -07:00
}
2016-08-02 14:03:01 -07:00
ret = kmem_cache_alloc ( radix_tree_node_cachep , gfp_mask ) ;
2016-03-17 14:18:36 -07:00
out :
2016-05-20 17:03:30 -07:00
BUG_ON ( radix_tree_is_internal_node ( ret ) ) ;
2016-12-14 15:09:31 -08:00
if ( ret ) {
ret - > shift = shift ;
ret - > offset = offset ;
ret - > count = count ;
ret - > exceptional = exceptional ;
2017-01-16 17:10:21 -05:00
ret - > parent = parent ;
ret - > root = root ;
2016-12-14 15:09:31 -08:00
}
2005-04-16 15:20:36 -07:00
return ret ;
}
2006-12-06 20:33:44 -08:00
static void radix_tree_node_rcu_free ( struct rcu_head * head )
{
struct radix_tree_node * node =
container_of ( head , struct radix_tree_node , rcu_head ) ;
radix-tree: fix small lockless radix-tree bug
We shrink a radix tree when its root node has only one child, in the left
most slot. The child becomes the new root node. To perform this
operation in a manner compatible with concurrent lockless lookups, we
atomically switch the root pointer from the parent to its child.
However a concurrent lockless lookup may now have loaded a pointer to the
parent (and is presently deciding what to do next). For this reason, we
also have to keep the parent node in a valid state after shrinking the
tree, until the next RCU grace period -- otherwise this lookup with the
parent pointer may not do the right thing. Notably, we need to keep the
child in the left most slot there in case that is requested by the lookup.
This is all pretty standard RCU stuff. It is worth repeating because in
my eagerness to obey the radix tree node constructor scheme, I had broken
it by zeroing the radix tree node before the grace period.
What could happen is that a lookup can load the parent pointer, then
decide it wants to follow the left most child slot, only to find the slot
contained NULL due to the concurrent shrinker having zeroed the parent
node before waiting for a grace period. The lookup would return a false
negative as a result.
Fix it by doing that clearing in the RCU callback. I would normally want
to rip out the constructor entirely, but radix tree nodes are one of those
places where they make sense (only few cachelines will be touched soon
after allocation).
This was never actually found in any lockless pagecache testing or by the
test harness, but by seeing the odd problem with my scalable vmap rewrite.
I have not tickled the test harness into reproducing it yet, but I'll
keep working at it.
Fortunately, it is not a problem anywhere lockless pagecache is used in
mainline kernels (pagecache probe is not a guarantee, and brd does not
have concurrent lookups and deletes).
Signed-off-by: Nick Piggin <npiggin@suse.de>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-06-12 15:21:52 -07:00
/*
2016-12-14 15:08:58 -08:00
* Must only free zeroed nodes into the slab . We can be left with
* non - NULL entries by radix_tree_free_nodes , so clear the entries
* and tags here .
radix-tree: fix small lockless radix-tree bug
We shrink a radix tree when its root node has only one child, in the left
most slot. The child becomes the new root node. To perform this
operation in a manner compatible with concurrent lockless lookups, we
atomically switch the root pointer from the parent to its child.
However a concurrent lockless lookup may now have loaded a pointer to the
parent (and is presently deciding what to do next). For this reason, we
also have to keep the parent node in a valid state after shrinking the
tree, until the next RCU grace period -- otherwise this lookup with the
parent pointer may not do the right thing. Notably, we need to keep the
child in the left most slot there in case that is requested by the lookup.
This is all pretty standard RCU stuff. It is worth repeating because in
my eagerness to obey the radix tree node constructor scheme, I had broken
it by zeroing the radix tree node before the grace period.
What could happen is that a lookup can load the parent pointer, then
decide it wants to follow the left most child slot, only to find the slot
contained NULL due to the concurrent shrinker having zeroed the parent
node before waiting for a grace period. The lookup would return a false
negative as a result.
Fix it by doing that clearing in the RCU callback. I would normally want
to rip out the constructor entirely, but radix tree nodes are one of those
places where they make sense (only few cachelines will be touched soon
after allocation).
This was never actually found in any lockless pagecache testing or by the
test harness, but by seeing the odd problem with my scalable vmap rewrite.
I have not tickled the test harness into reproducing it yet, but I'll
keep working at it.
Fortunately, it is not a problem anywhere lockless pagecache is used in
mainline kernels (pagecache probe is not a guarantee, and brd does not
have concurrent lookups and deletes).
Signed-off-by: Nick Piggin <npiggin@suse.de>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-06-12 15:21:52 -07:00
*/
2016-12-14 15:08:58 -08:00
memset ( node - > slots , 0 , sizeof ( node - > slots ) ) ;
memset ( node - > tags , 0 , sizeof ( node - > tags ) ) ;
2016-12-14 15:08:34 -08:00
INIT_LIST_HEAD ( & node - > private_list ) ;
radix-tree: fix small lockless radix-tree bug
We shrink a radix tree when its root node has only one child, in the left
most slot. The child becomes the new root node. To perform this
operation in a manner compatible with concurrent lockless lookups, we
atomically switch the root pointer from the parent to its child.
However a concurrent lockless lookup may now have loaded a pointer to the
parent (and is presently deciding what to do next). For this reason, we
also have to keep the parent node in a valid state after shrinking the
tree, until the next RCU grace period -- otherwise this lookup with the
parent pointer may not do the right thing. Notably, we need to keep the
child in the left most slot there in case that is requested by the lookup.
This is all pretty standard RCU stuff. It is worth repeating because in
my eagerness to obey the radix tree node constructor scheme, I had broken
it by zeroing the radix tree node before the grace period.
What could happen is that a lookup can load the parent pointer, then
decide it wants to follow the left most child slot, only to find the slot
contained NULL due to the concurrent shrinker having zeroed the parent
node before waiting for a grace period. The lookup would return a false
negative as a result.
Fix it by doing that clearing in the RCU callback. I would normally want
to rip out the constructor entirely, but radix tree nodes are one of those
places where they make sense (only few cachelines will be touched soon
after allocation).
This was never actually found in any lockless pagecache testing or by the
test harness, but by seeing the odd problem with my scalable vmap rewrite.
I have not tickled the test harness into reproducing it yet, but I'll
keep working at it.
Fortunately, it is not a problem anywhere lockless pagecache is used in
mainline kernels (pagecache probe is not a guarantee, and brd does not
have concurrent lookups and deletes).
Signed-off-by: Nick Piggin <npiggin@suse.de>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-06-12 15:21:52 -07:00
2006-12-06 20:33:44 -08:00
kmem_cache_free ( radix_tree_node_cachep , node ) ;
}
2005-04-16 15:20:36 -07:00
static inline void
radix_tree_node_free ( struct radix_tree_node * node )
{
2006-12-06 20:33:44 -08:00
call_rcu ( & node - > rcu_head , radix_tree_node_rcu_free ) ;
2005-04-16 15:20:36 -07:00
}
/*
* Load up this CPU ' s radix_tree_node buffer with sufficient objects to
* ensure that the addition of a single element in the tree cannot fail . On
* success , return zero , with preemption disabled . On error , return - ENOMEM
* with preemption not disabled .
FS-Cache: Use radix tree preload correctly in tracking of pages to be stored
__fscache_write_page() attempts to load the radix tree preallocation pool for
the CPU it is on before calling radix_tree_insert(), as the insertion must be
done inside a pair of spinlocks.
Use of the preallocation pool, however, is contingent on the radix tree being
initialised without __GFP_WAIT specified. __fscache_acquire_cookie() was
passing GFP_NOFS to INIT_RADIX_TREE() - but that includes __GFP_WAIT.
The solution is to AND out __GFP_WAIT.
Additionally, the banner comment to radix_tree_preload() is altered to make
note of this prerequisite. Possibly there should be a WARN_ON() too.
Without this fix, I have seen the following recursive deadlock caused by
radix_tree_insert() attempting to allocate memory inside the spinlocked
region, which resulted in FS-Cache being called back into to release memory -
which required the spinlock already held.
=============================================
[ INFO: possible recursive locking detected ]
2.6.32-rc6-cachefs #24
---------------------------------------------
nfsiod/7916 is trying to acquire lock:
(&cookie->lock){+.+.-.}, at: [<ffffffffa0076872>] __fscache_uncache_page+0xdb/0x160 [fscache]
but task is already holding lock:
(&cookie->lock){+.+.-.}, at: [<ffffffffa0076acc>] __fscache_write_page+0x15c/0x3f3 [fscache]
other info that might help us debug this:
5 locks held by nfsiod/7916:
#0: (nfsiod){+.+.+.}, at: [<ffffffff81048290>] worker_thread+0x19a/0x2e2
#1: (&task->u.tk_work#2){+.+.+.}, at: [<ffffffff81048290>] worker_thread+0x19a/0x2e2
#2: (&cookie->lock){+.+.-.}, at: [<ffffffffa0076acc>] __fscache_write_page+0x15c/0x3f3 [fscache]
#3: (&object->lock#2){+.+.-.}, at: [<ffffffffa0076b07>] __fscache_write_page+0x197/0x3f3 [fscache]
#4: (&cookie->stores_lock){+.+...}, at: [<ffffffffa0076b0f>] __fscache_write_page+0x19f/0x3f3 [fscache]
stack backtrace:
Pid: 7916, comm: nfsiod Not tainted 2.6.32-rc6-cachefs #24
Call Trace:
[<ffffffff8105ac7f>] __lock_acquire+0x1649/0x16e3
[<ffffffff81059ded>] ? __lock_acquire+0x7b7/0x16e3
[<ffffffff8100e27d>] ? dump_trace+0x248/0x257
[<ffffffff8105ad70>] lock_acquire+0x57/0x6d
[<ffffffffa0076872>] ? __fscache_uncache_page+0xdb/0x160 [fscache]
[<ffffffff8135467c>] _spin_lock+0x2c/0x3b
[<ffffffffa0076872>] ? __fscache_uncache_page+0xdb/0x160 [fscache]
[<ffffffffa0076872>] __fscache_uncache_page+0xdb/0x160 [fscache]
[<ffffffffa0077eb7>] ? __fscache_check_page_write+0x0/0x71 [fscache]
[<ffffffffa00b4755>] nfs_fscache_release_page+0x86/0xc4 [nfs]
[<ffffffffa00907f0>] nfs_release_page+0x3c/0x41 [nfs]
[<ffffffff81087ffb>] try_to_release_page+0x32/0x3b
[<ffffffff81092c2b>] shrink_page_list+0x316/0x4ac
[<ffffffff81058a9b>] ? mark_held_locks+0x52/0x70
[<ffffffff8135451b>] ? _spin_unlock_irq+0x2b/0x31
[<ffffffff81093153>] shrink_inactive_list+0x392/0x67c
[<ffffffff81058a9b>] ? mark_held_locks+0x52/0x70
[<ffffffff810934ca>] shrink_list+0x8d/0x8f
[<ffffffff81093744>] shrink_zone+0x278/0x33c
[<ffffffff81052c70>] ? ktime_get_ts+0xad/0xba
[<ffffffff8109453b>] try_to_free_pages+0x22e/0x392
[<ffffffff8109184c>] ? isolate_pages_global+0x0/0x212
[<ffffffff8108e16b>] __alloc_pages_nodemask+0x3dc/0x5cf
[<ffffffff810ae24a>] cache_alloc_refill+0x34d/0x6c1
[<ffffffff811bcf74>] ? radix_tree_node_alloc+0x52/0x5c
[<ffffffff810ae929>] kmem_cache_alloc+0xb2/0x118
[<ffffffff811bcf74>] radix_tree_node_alloc+0x52/0x5c
[<ffffffff811bcfd5>] radix_tree_insert+0x57/0x19c
[<ffffffffa0076b53>] __fscache_write_page+0x1e3/0x3f3 [fscache]
[<ffffffffa00b4248>] __nfs_readpage_to_fscache+0x58/0x11e [nfs]
[<ffffffffa009bb77>] nfs_readpage_release+0x34/0x9b [nfs]
[<ffffffffa009c0d9>] nfs_readpage_release_full+0x32/0x4b [nfs]
[<ffffffffa0006cff>] rpc_release_calldata+0x12/0x14 [sunrpc]
[<ffffffffa0006e2d>] rpc_free_task+0x59/0x61 [sunrpc]
[<ffffffffa0006f03>] rpc_async_release+0x10/0x12 [sunrpc]
[<ffffffff810482e5>] worker_thread+0x1ef/0x2e2
[<ffffffff81048290>] ? worker_thread+0x19a/0x2e2
[<ffffffff81352433>] ? thread_return+0x3e/0x101
[<ffffffffa0006ef3>] ? rpc_async_release+0x0/0x12 [sunrpc]
[<ffffffff8104bff5>] ? autoremove_wake_function+0x0/0x34
[<ffffffff81058d25>] ? trace_hardirqs_on+0xd/0xf
[<ffffffff810480f6>] ? worker_thread+0x0/0x2e2
[<ffffffff8104bd21>] kthread+0x7a/0x82
[<ffffffff8100beda>] child_rip+0xa/0x20
[<ffffffff8100b87c>] ? restore_args+0x0/0x30
[<ffffffff8104c2b9>] ? add_wait_queue+0x15/0x44
[<ffffffff8104bca7>] ? kthread+0x0/0x82
[<ffffffff8100bed0>] ? child_rip+0x0/0x20
Signed-off-by: David Howells <dhowells@redhat.com>
2009-11-19 18:11:14 +00:00
*
* To make use of this facility , the radix tree must be initialised without
2015-11-06 16:28:21 -08:00
* __GFP_DIRECT_RECLAIM being passed to INIT_RADIX_TREE ( ) .
2005-04-16 15:20:36 -07:00
*/
2017-09-08 16:15:54 -07:00
static __must_check int __radix_tree_preload ( gfp_t gfp_mask , unsigned nr )
2005-04-16 15:20:36 -07:00
{
struct radix_tree_preload * rtp ;
struct radix_tree_node * node ;
int ret = - ENOMEM ;
2016-08-02 14:03:01 -07:00
/*
* Nodes preloaded by one cgroup can be be used by another cgroup , so
* they should never be accounted to any particular memory cgroup .
*/
gfp_mask & = ~ __GFP_ACCOUNT ;
2005-04-16 15:20:36 -07:00
preempt_disable ( ) ;
2014-06-04 16:07:56 -07:00
rtp = this_cpu_ptr ( & radix_tree_preloads ) ;
2016-07-26 15:26:02 -07:00
while ( rtp - > nr < nr ) {
2005-04-16 15:20:36 -07:00
preempt_enable ( ) ;
2008-04-28 02:12:05 -07:00
node = kmem_cache_alloc ( radix_tree_node_cachep , gfp_mask ) ;
2005-04-16 15:20:36 -07:00
if ( node = = NULL )
goto out ;
preempt_disable ( ) ;
2014-06-04 16:07:56 -07:00
rtp = this_cpu_ptr ( & radix_tree_preloads ) ;
2016-07-26 15:26:02 -07:00
if ( rtp - > nr < nr ) {
2017-01-16 16:41:29 -05:00
node - > parent = rtp - > nodes ;
2015-06-25 15:02:19 -07:00
rtp - > nodes = node ;
rtp - > nr + + ;
} else {
2005-04-16 15:20:36 -07:00
kmem_cache_free ( radix_tree_node_cachep , node ) ;
2015-06-25 15:02:19 -07:00
}
2005-04-16 15:20:36 -07:00
}
ret = 0 ;
out :
return ret ;
}
2013-09-11 14:26:05 -07:00
/*
* Load up this CPU ' s radix_tree_node buffer with sufficient objects to
* ensure that the addition of a single element in the tree cannot fail . On
* success , return zero , with preemption disabled . On error , return - ENOMEM
* with preemption not disabled .
*
* To make use of this facility , the radix tree must be initialised without
2015-11-06 16:28:21 -08:00
* __GFP_DIRECT_RECLAIM being passed to INIT_RADIX_TREE ( ) .
2013-09-11 14:26:05 -07:00
*/
int radix_tree_preload ( gfp_t gfp_mask )
{
/* Warn on non-sensical use... */
2015-11-06 16:28:21 -08:00
WARN_ON_ONCE ( ! gfpflags_allow_blocking ( gfp_mask ) ) ;
2016-07-26 15:26:02 -07:00
return __radix_tree_preload ( gfp_mask , RADIX_TREE_PRELOAD_SIZE ) ;
2013-09-11 14:26:05 -07:00
}
2007-07-14 16:05:04 +10:00
EXPORT_SYMBOL ( radix_tree_preload ) ;
2005-04-16 15:20:36 -07:00
2013-09-11 14:26:05 -07:00
/*
* The same as above function , except we don ' t guarantee preloading happens .
* We do it , if we decide it helps . On success , return zero with preemption
* disabled . On error , return - ENOMEM with preemption not disabled .
*/
int radix_tree_maybe_preload ( gfp_t gfp_mask )
{
2015-11-06 16:28:21 -08:00
if ( gfpflags_allow_blocking ( gfp_mask ) )
2016-07-26 15:26:02 -07:00
return __radix_tree_preload ( gfp_mask , RADIX_TREE_PRELOAD_SIZE ) ;
2013-09-11 14:26:05 -07:00
/* Preloading doesn't help anything with this gfp mask, skip it */
preempt_disable ( ) ;
return 0 ;
}
EXPORT_SYMBOL ( radix_tree_maybe_preload ) ;
2016-12-14 15:09:04 -08:00
# ifdef CONFIG_RADIX_TREE_MULTIORDER
/*
* Preload with enough objects to ensure that we can split a single entry
* of order @ old_order into many entries of size @ new_order
*/
int radix_tree_split_preload ( unsigned int old_order , unsigned int new_order ,
gfp_t gfp_mask )
{
unsigned top = 1 < < ( old_order % RADIX_TREE_MAP_SHIFT ) ;
unsigned layers = ( old_order / RADIX_TREE_MAP_SHIFT ) -
( new_order / RADIX_TREE_MAP_SHIFT ) ;
unsigned nr = 0 ;
WARN_ON_ONCE ( ! gfpflags_allow_blocking ( gfp_mask ) ) ;
BUG_ON ( new_order > = old_order ) ;
while ( layers - - )
nr = nr * RADIX_TREE_MAP_SIZE + 1 ;
return __radix_tree_preload ( gfp_mask , top * nr ) ;
}
# endif
2016-07-26 15:26:02 -07:00
/*
* The same as function above , but preload number of nodes required to insert
* ( 1 < < order ) continuous naturally - aligned elements .
*/
int radix_tree_maybe_preload_order ( gfp_t gfp_mask , int order )
{
unsigned long nr_subtrees ;
int nr_nodes , subtree_height ;
/* Preloading doesn't help anything with this gfp mask, skip it */
if ( ! gfpflags_allow_blocking ( gfp_mask ) ) {
preempt_disable ( ) ;
return 0 ;
}
/*
* Calculate number and height of fully populated subtrees it takes to
* store ( 1 < < order ) elements .
*/
nr_subtrees = 1 < < order ;
for ( subtree_height = 0 ; nr_subtrees > RADIX_TREE_MAP_SIZE ;
subtree_height + + )
nr_subtrees > > = RADIX_TREE_MAP_SHIFT ;
/*
* The worst case is zero height tree with a single item at index 0 and
* then inserting items starting at ULONG_MAX - ( 1 < < order ) .
*
* This requires RADIX_TREE_MAX_PATH nodes to build branch from root to
* 0 - index item .
*/
nr_nodes = RADIX_TREE_MAX_PATH ;
/* Plus branch to fully populated subtrees. */
nr_nodes + = RADIX_TREE_MAX_PATH - subtree_height ;
/* Root node is shared. */
nr_nodes - - ;
/* Plus nodes required to build subtrees. */
nr_nodes + = nr_subtrees * height_to_maxnodes [ subtree_height ] ;
return __radix_tree_preload ( gfp_mask , nr_nodes ) ;
}
2016-12-19 17:43:19 -05:00
static unsigned radix_tree_load_root ( const struct radix_tree_root * root ,
2016-05-20 17:02:08 -07:00
struct radix_tree_node * * nodep , unsigned long * maxindex )
{
struct radix_tree_node * node = rcu_dereference_raw ( root - > rnode ) ;
* nodep = node ;
2016-05-20 17:03:30 -07:00
if ( likely ( radix_tree_is_internal_node ( node ) ) ) {
2016-05-20 17:03:27 -07:00
node = entry_to_node ( node ) ;
2016-05-20 17:02:08 -07:00
* maxindex = node_maxindex ( node ) ;
2016-05-20 17:03:10 -07:00
return node - > shift + RADIX_TREE_MAP_SHIFT ;
2016-05-20 17:02:08 -07:00
}
* maxindex = 0 ;
return 0 ;
}
2005-04-16 15:20:36 -07:00
/*
* Extend a radix tree so it can store key @ index .
*/
2016-12-20 10:27:56 -05:00
static int radix_tree_extend ( struct radix_tree_root * root , gfp_t gfp ,
2016-05-20 17:03:19 -07:00
unsigned long index , unsigned int shift )
2005-04-16 15:20:36 -07:00
{
2017-02-13 15:58:24 -05:00
void * entry ;
2016-05-20 17:03:19 -07:00
unsigned int maxshift ;
2005-04-16 15:20:36 -07:00
int tag ;
2016-05-20 17:03:19 -07:00
/* Figure out what the shift should be. */
maxshift = shift ;
while ( index > shift_maxindex ( maxshift ) )
maxshift + = RADIX_TREE_MAP_SHIFT ;
2005-04-16 15:20:36 -07:00
2017-02-13 15:58:24 -05:00
entry = rcu_dereference_raw ( root - > rnode ) ;
if ( ! entry & & ( ! is_idr ( root ) | | root_tag_get ( root , IDR_FREE ) ) )
2005-04-16 15:20:36 -07:00
goto out ;
do {
2016-12-20 10:27:56 -05:00
struct radix_tree_node * node = radix_tree_node_alloc ( gfp , NULL ,
2017-01-16 17:10:21 -05:00
root , shift , 0 , 1 , 0 ) ;
2016-05-20 17:03:04 -07:00
if ( ! node )
2005-04-16 15:20:36 -07:00
return - ENOMEM ;
2016-12-20 10:27:56 -05:00
if ( is_idr ( root ) ) {
all_tag_set ( node , IDR_FREE ) ;
if ( ! root_tag_get ( root , IDR_FREE ) ) {
tag_clear ( node , IDR_FREE , 0 ) ;
root_tag_set ( root , IDR_FREE ) ;
}
} else {
/* Propagate the aggregated tag info to the new child */
for ( tag = 0 ; tag < RADIX_TREE_MAX_TAGS ; tag + + ) {
if ( root_tag_get ( root , tag ) )
tag_set ( node , tag , 0 ) ;
}
2005-04-16 15:20:36 -07:00
}
2016-05-20 17:03:19 -07:00
BUG_ON ( shift > BITS_PER_LONG ) ;
2017-02-13 15:58:24 -05:00
if ( radix_tree_is_internal_node ( entry ) ) {
entry_to_node ( entry ) - > parent = node ;
} else if ( radix_tree_exceptional_entry ( entry ) ) {
2016-12-12 16:43:41 -08:00
/* Moving an exceptional root->rnode to a node */
2016-12-14 15:09:31 -08:00
node - > exceptional = 1 ;
2016-12-12 16:43:41 -08:00
}
2017-02-13 15:58:24 -05:00
/*
* entry was already in the radix tree , so we do not need
* rcu_assign_pointer here
*/
node - > slots [ 0 ] = ( void __rcu * ) entry ;
entry = node_to_entry ( node ) ;
rcu_assign_pointer ( root - > rnode , entry ) ;
2016-05-20 17:03:19 -07:00
shift + = RADIX_TREE_MAP_SHIFT ;
} while ( shift < = maxshift ) ;
2005-04-16 15:20:36 -07:00
out :
2016-05-20 17:03:19 -07:00
return maxshift + RADIX_TREE_MAP_SHIFT ;
2005-04-16 15:20:36 -07:00
}
2016-12-12 16:43:46 -08:00
/**
* radix_tree_shrink - shrink radix tree to minimum height
* @ root radix tree root
*/
2017-01-28 09:56:22 -05:00
static inline bool radix_tree_shrink ( struct radix_tree_root * root ,
2017-11-15 17:37:41 -08:00
radix_tree_update_node_t update_node )
2016-12-12 16:43:46 -08:00
{
2017-01-28 09:56:22 -05:00
bool shrunk = false ;
2016-12-12 16:43:46 -08:00
for ( ; ; ) {
2017-02-13 15:22:48 -05:00
struct radix_tree_node * node = rcu_dereference_raw ( root - > rnode ) ;
2016-12-12 16:43:46 -08:00
struct radix_tree_node * child ;
if ( ! radix_tree_is_internal_node ( node ) )
break ;
node = entry_to_node ( node ) ;
/*
* The candidate node has more than one child , or its child
* is not at the leftmost slot , or the child is a multiorder
* entry , we cannot shrink .
*/
if ( node - > count ! = 1 )
break ;
2017-02-13 15:22:48 -05:00
child = rcu_dereference_raw ( node - > slots [ 0 ] ) ;
2016-12-12 16:43:46 -08:00
if ( ! child )
break ;
if ( ! radix_tree_is_internal_node ( child ) & & node - > shift )
break ;
if ( radix_tree_is_internal_node ( child ) )
entry_to_node ( child ) - > parent = NULL ;
/*
* We don ' t need rcu_assign_pointer ( ) , since we are simply
* moving the node from one part of the tree to another : if it
* was safe to dereference the old pointer to it
* ( node - > slots [ 0 ] ) , it will be safe to dereference the new
* one ( root - > rnode ) as far as dependent read barriers go .
*/
2017-02-13 15:58:24 -05:00
root - > rnode = ( void __rcu * ) child ;
2016-12-20 10:27:56 -05:00
if ( is_idr ( root ) & & ! tag_get ( node , IDR_FREE , 0 ) )
root_tag_clear ( root , IDR_FREE ) ;
2016-12-12 16:43:46 -08:00
/*
* We have a dilemma here . The node ' s slot [ 0 ] must not be
* NULLed in case there are concurrent lookups expecting to
* find the item . However if this was a bottom - level node ,
* then it may be subject to the slot pointer being visible
* to callers dereferencing it . If item corresponding to
* slot [ 0 ] is subsequently deleted , these callers would expect
* their slot to become empty sooner or later .
*
* For example , lockless pagecache will look up a slot , deref
* the page pointer , and if the page has 0 refcount it means it
* was concurrently deleted from pagecache so try the deref
* again . Fortunately there is already a requirement for logic
* to retry the entire slot lookup - - the indirect pointer
* problem ( replacing direct root node with an indirect pointer
* also results in a stale slot ) . So tag the slot as indirect
* to force callers to retry .
*/
2016-12-12 16:43:49 -08:00
node - > count = 0 ;
if ( ! radix_tree_is_internal_node ( child ) ) {
2017-02-13 15:58:24 -05:00
node - > slots [ 0 ] = ( void __rcu * ) RADIX_TREE_RETRY ;
2016-12-12 16:43:49 -08:00
if ( update_node )
2017-11-15 17:37:41 -08:00
update_node ( node ) ;
2016-12-12 16:43:49 -08:00
}
2016-12-12 16:43:46 -08:00
mm: workingset: fix use-after-free in shadow node shrinker
Several people report seeing warnings about inconsistent radix tree
nodes followed by crashes in the workingset code, which all looked like
use-after-free access from the shadow node shrinker.
Dave Jones managed to reproduce the issue with a debug patch applied,
which confirmed that the radix tree shrinking indeed frees shadow nodes
while they are still linked to the shadow LRU:
WARNING: CPU: 2 PID: 53 at lib/radix-tree.c:643 delete_node+0x1e4/0x200
CPU: 2 PID: 53 Comm: kswapd0 Not tainted 4.10.0-rc2-think+ #3
Call Trace:
delete_node+0x1e4/0x200
__radix_tree_delete_node+0xd/0x10
shadow_lru_isolate+0xe6/0x220
__list_lru_walk_one.isra.4+0x9b/0x190
list_lru_walk_one+0x23/0x30
scan_shadow_nodes+0x2e/0x40
shrink_slab.part.44+0x23d/0x5d0
shrink_node+0x22c/0x330
kswapd+0x392/0x8f0
This is the WARN_ON_ONCE(!list_empty(&node->private_list)) placed in the
inlined radix_tree_shrink().
The problem is with 14b468791fa9 ("mm: workingset: move shadow entry
tracking to radix tree exceptional tracking"), which passes an update
callback into the radix tree to link and unlink shadow leaf nodes when
tree entries change, but forgot to pass the callback when reclaiming a
shadow node.
While the reclaimed shadow node itself is unlinked by the shrinker, its
deletion from the tree can cause the left-most leaf node in the tree to
be shrunk. If that happens to be a shadow node as well, we don't unlink
it from the LRU as we should.
Consider this tree, where the s are shadow entries:
root->rnode
|
[0 n]
| |
[s ] [sssss]
Now the shadow node shrinker reclaims the rightmost leaf node through
the shadow node LRU:
root->rnode
|
[0 ]
|
[s ]
Because the parent of the deleted node is the first level below the
root and has only one child in the left-most slot, the intermediate
level is shrunk and the node containing the single shadow is put in
its place:
root->rnode
|
[s ]
The shrinker again sees a single left-most slot in a first level node
and thus decides to store the shadow in root->rnode directly and free
the node - which is a leaf node on the shadow node LRU.
root->rnode
|
s
Without the update callback, the freed node remains on the shadow LRU,
where it causes later shrinker runs to crash.
Pass the node updater callback into __radix_tree_delete_node() in case
the deletion causes the left-most branch in the tree to collapse too.
Also add warnings when linked nodes are freed right away, rather than
wait for the use-after-free when the list is scanned much later.
Fixes: 14b468791fa9 ("mm: workingset: move shadow entry tracking to radix tree exceptional tracking")
Reported-by: Dave Chinner <david@fromorbit.com>
Reported-by: Hugh Dickins <hughd@google.com>
Reported-by: Andrea Arcangeli <aarcange@redhat.com>
Reported-and-tested-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Chris Leech <cleech@redhat.com>
Cc: Lee Duncan <lduncan@suse.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Matthew Wilcox <mawilcox@linuxonhyperv.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-01-06 19:21:43 -05:00
WARN_ON_ONCE ( ! list_empty ( & node - > private_list ) ) ;
2016-12-12 16:43:46 -08:00
radix_tree_node_free ( node ) ;
2017-01-28 09:56:22 -05:00
shrunk = true ;
2016-12-12 16:43:46 -08:00
}
2017-01-28 09:56:22 -05:00
return shrunk ;
2016-12-12 16:43:46 -08:00
}
2017-01-28 09:56:22 -05:00
static bool delete_node ( struct radix_tree_root * root ,
2016-12-12 16:43:49 -08:00
struct radix_tree_node * node ,
2017-11-15 17:37:41 -08:00
radix_tree_update_node_t update_node )
2016-12-12 16:43:46 -08:00
{
2017-01-28 09:56:22 -05:00
bool deleted = false ;
2016-12-12 16:43:46 -08:00
do {
struct radix_tree_node * parent ;
if ( node - > count ) {
2017-02-13 15:22:48 -05:00
if ( node_to_entry ( node ) = =
rcu_dereference_raw ( root - > rnode ) )
2017-11-15 17:37:41 -08:00
deleted | = radix_tree_shrink ( root ,
update_node ) ;
2017-01-28 09:56:22 -05:00
return deleted ;
2016-12-12 16:43:46 -08:00
}
parent = node - > parent ;
if ( parent ) {
parent - > slots [ node - > offset ] = NULL ;
parent - > count - - ;
} else {
2016-12-20 10:27:56 -05:00
/*
* Shouldn ' t the tags already have all been cleared
* by the caller ?
*/
if ( ! is_idr ( root ) )
root_tag_clear_all ( root ) ;
2016-12-12 16:43:46 -08:00
root - > rnode = NULL ;
}
mm: workingset: fix use-after-free in shadow node shrinker
Several people report seeing warnings about inconsistent radix tree
nodes followed by crashes in the workingset code, which all looked like
use-after-free access from the shadow node shrinker.
Dave Jones managed to reproduce the issue with a debug patch applied,
which confirmed that the radix tree shrinking indeed frees shadow nodes
while they are still linked to the shadow LRU:
WARNING: CPU: 2 PID: 53 at lib/radix-tree.c:643 delete_node+0x1e4/0x200
CPU: 2 PID: 53 Comm: kswapd0 Not tainted 4.10.0-rc2-think+ #3
Call Trace:
delete_node+0x1e4/0x200
__radix_tree_delete_node+0xd/0x10
shadow_lru_isolate+0xe6/0x220
__list_lru_walk_one.isra.4+0x9b/0x190
list_lru_walk_one+0x23/0x30
scan_shadow_nodes+0x2e/0x40
shrink_slab.part.44+0x23d/0x5d0
shrink_node+0x22c/0x330
kswapd+0x392/0x8f0
This is the WARN_ON_ONCE(!list_empty(&node->private_list)) placed in the
inlined radix_tree_shrink().
The problem is with 14b468791fa9 ("mm: workingset: move shadow entry
tracking to radix tree exceptional tracking"), which passes an update
callback into the radix tree to link and unlink shadow leaf nodes when
tree entries change, but forgot to pass the callback when reclaiming a
shadow node.
While the reclaimed shadow node itself is unlinked by the shrinker, its
deletion from the tree can cause the left-most leaf node in the tree to
be shrunk. If that happens to be a shadow node as well, we don't unlink
it from the LRU as we should.
Consider this tree, where the s are shadow entries:
root->rnode
|
[0 n]
| |
[s ] [sssss]
Now the shadow node shrinker reclaims the rightmost leaf node through
the shadow node LRU:
root->rnode
|
[0 ]
|
[s ]
Because the parent of the deleted node is the first level below the
root and has only one child in the left-most slot, the intermediate
level is shrunk and the node containing the single shadow is put in
its place:
root->rnode
|
[s ]
The shrinker again sees a single left-most slot in a first level node
and thus decides to store the shadow in root->rnode directly and free
the node - which is a leaf node on the shadow node LRU.
root->rnode
|
s
Without the update callback, the freed node remains on the shadow LRU,
where it causes later shrinker runs to crash.
Pass the node updater callback into __radix_tree_delete_node() in case
the deletion causes the left-most branch in the tree to collapse too.
Also add warnings when linked nodes are freed right away, rather than
wait for the use-after-free when the list is scanned much later.
Fixes: 14b468791fa9 ("mm: workingset: move shadow entry tracking to radix tree exceptional tracking")
Reported-by: Dave Chinner <david@fromorbit.com>
Reported-by: Hugh Dickins <hughd@google.com>
Reported-by: Andrea Arcangeli <aarcange@redhat.com>
Reported-and-tested-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Chris Leech <cleech@redhat.com>
Cc: Lee Duncan <lduncan@suse.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Matthew Wilcox <mawilcox@linuxonhyperv.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-01-06 19:21:43 -05:00
WARN_ON_ONCE ( ! list_empty ( & node - > private_list ) ) ;
2016-12-12 16:43:46 -08:00
radix_tree_node_free ( node ) ;
2017-01-28 09:56:22 -05:00
deleted = true ;
2016-12-12 16:43:46 -08:00
node = parent ;
} while ( node ) ;
2017-01-28 09:56:22 -05:00
return deleted ;
2016-12-12 16:43:46 -08:00
}
2005-04-16 15:20:36 -07:00
/**
2014-04-03 14:47:54 -07:00
* __radix_tree_create - create a slot in a radix tree
2005-04-16 15:20:36 -07:00
* @ root : radix tree root
* @ index : index key
2016-03-17 14:21:54 -07:00
* @ order : index occupies 2 ^ order aligned slots
2014-04-03 14:47:54 -07:00
* @ nodep : returns node
* @ slotp : returns slot
2005-04-16 15:20:36 -07:00
*
2014-04-03 14:47:54 -07:00
* Create , if necessary , and return the node and slot for an item
* at position @ index in the radix tree @ root .
*
* Until there is more than one item in the tree , no nodes are
* allocated and @ root - > rnode is used as a direct slot instead of
* pointing to a node , in which case * @ nodep will be NULL .
*
* Returns - ENOMEM , or 0 for success .
2005-04-16 15:20:36 -07:00
*/
2014-04-03 14:47:54 -07:00
int __radix_tree_create ( struct radix_tree_root * root , unsigned long index ,
2016-03-17 14:21:54 -07:00
unsigned order , struct radix_tree_node * * nodep ,
2017-02-13 15:58:24 -05:00
void __rcu * * * slotp )
2005-04-16 15:20:36 -07:00
{
2016-05-20 17:03:42 -07:00
struct radix_tree_node * node = NULL , * child ;
2017-02-13 15:58:24 -05:00
void __rcu * * slot = ( void __rcu * * ) & root - > rnode ;
2016-05-20 17:02:11 -07:00
unsigned long maxindex ;
2016-05-20 17:03:42 -07:00
unsigned int shift , offset = 0 ;
2016-05-20 17:02:11 -07:00
unsigned long max = index | ( ( 1UL < < order ) - 1 ) ;
2016-12-20 10:27:56 -05:00
gfp_t gfp = root_gfp_mask ( root ) ;
2016-05-20 17:02:11 -07:00
2016-05-20 17:03:42 -07:00
shift = radix_tree_load_root ( root , & child , & maxindex ) ;
2005-04-16 15:20:36 -07:00
/* Make sure the tree is high enough. */
2016-12-14 15:08:58 -08:00
if ( order > 0 & & max = = ( ( 1UL < < order ) - 1 ) )
max + + ;
2016-05-20 17:02:11 -07:00
if ( max > maxindex ) {
2016-12-20 10:27:56 -05:00
int error = radix_tree_extend ( root , gfp , max , shift ) ;
2016-05-20 17:02:11 -07:00
if ( error < 0 )
2005-04-16 15:20:36 -07:00
return error ;
2016-05-20 17:02:11 -07:00
shift = error ;
2017-02-13 15:22:48 -05:00
child = rcu_dereference_raw ( root - > rnode ) ;
2005-04-16 15:20:36 -07:00
}
2016-03-17 14:21:54 -07:00
while ( shift > order ) {
2016-05-20 17:03:10 -07:00
shift - = RADIX_TREE_MAP_SHIFT ;
2016-05-20 17:03:42 -07:00
if ( child = = NULL ) {
2005-04-16 15:20:36 -07:00
/* Have to add a child node. */
2017-01-16 17:10:21 -05:00
child = radix_tree_node_alloc ( gfp , node , root , shift ,
2016-12-14 15:09:31 -08:00
offset , 0 , 0 ) ;
2016-05-20 17:03:42 -07:00
if ( ! child )
2005-04-16 15:20:36 -07:00
return - ENOMEM ;
2016-05-20 17:03:42 -07:00
rcu_assign_pointer ( * slot , node_to_entry ( child ) ) ;
if ( node )
2005-04-16 15:20:36 -07:00
node - > count + + ;
2016-05-20 17:03:42 -07:00
} else if ( ! radix_tree_is_internal_node ( child ) )
2016-03-17 14:21:54 -07:00
break ;
2005-04-16 15:20:36 -07:00
/* Go a level down */
2016-05-20 17:03:42 -07:00
node = entry_to_node ( child ) ;
2016-05-20 17:03:48 -07:00
offset = radix_tree_descend ( node , & child , index ) ;
2016-05-20 17:03:42 -07:00
slot = & node - > slots [ offset ] ;
2016-03-17 14:21:54 -07:00
}
2016-12-14 15:08:58 -08:00
if ( nodep )
* nodep = node ;
if ( slotp )
* slotp = slot ;
return 0 ;
}
/*
* Free any nodes below this node . The tree is presumed to not need
* shrinking , and any user data in the tree is presumed to not need a
* destructor called on it . If we need to add a destructor , we can
* add that functionality later . Note that we may not clear tags or
* slots from the tree as an RCU walker may still have a pointer into
* this subtree . We could replace the entries with RADIX_TREE_RETRY ,
* but we ' ll still have to clear those in rcu_free .
*/
static void radix_tree_free_nodes ( struct radix_tree_node * node )
{
unsigned offset = 0 ;
struct radix_tree_node * child = entry_to_node ( node ) ;
for ( ; ; ) {
2017-02-13 15:22:48 -05:00
void * entry = rcu_dereference_raw ( child - > slots [ offset ] ) ;
2016-12-14 15:08:58 -08:00
if ( radix_tree_is_internal_node ( entry ) & &
! is_sibling_entry ( child , entry ) ) {
child = entry_to_node ( entry ) ;
offset = 0 ;
continue ;
}
offset + + ;
while ( offset = = RADIX_TREE_MAP_SIZE ) {
struct radix_tree_node * old = child ;
offset = child - > offset + 1 ;
child = child - > parent ;
2017-01-24 15:18:16 -08:00
WARN_ON_ONCE ( ! list_empty ( & old - > private_list ) ) ;
2016-12-14 15:08:58 -08:00
radix_tree_node_free ( old ) ;
if ( old = = entry_to_node ( node ) )
return ;
}
}
}
2016-12-20 10:27:56 -05:00
# ifdef CONFIG_RADIX_TREE_MULTIORDER
2017-02-13 15:58:24 -05:00
static inline int insert_entries ( struct radix_tree_node * node ,
void __rcu * * slot , void * item , unsigned order , bool replace )
2016-12-14 15:08:58 -08:00
{
struct radix_tree_node * child ;
unsigned i , n , tag , offset , tags = 0 ;
if ( node ) {
2016-12-14 15:09:01 -08:00
if ( order > node - > shift )
n = 1 < < ( order - node - > shift ) ;
else
n = 1 ;
2016-12-14 15:08:58 -08:00
offset = get_slot_offset ( node , slot ) ;
} else {
n = 1 ;
offset = 0 ;
}
if ( n > 1 ) {
2016-03-17 14:21:54 -07:00
offset = offset & ~ ( n - 1 ) ;
2016-05-20 17:03:42 -07:00
slot = & node - > slots [ offset ] ;
2016-12-14 15:08:58 -08:00
}
child = node_to_entry ( slot ) ;
for ( i = 0 ; i < n ; i + + ) {
if ( slot [ i ] ) {
if ( replace ) {
node - > count - - ;
for ( tag = 0 ; tag < RADIX_TREE_MAX_TAGS ; tag + + )
if ( tag_get ( node , tag , offset + i ) )
tags | = 1 < < tag ;
} else
2016-03-17 14:21:54 -07:00
return - EEXIST ;
}
2016-12-14 15:08:58 -08:00
}
2016-03-17 14:21:54 -07:00
2016-12-14 15:08:58 -08:00
for ( i = 0 ; i < n ; i + + ) {
2017-02-13 15:22:48 -05:00
struct radix_tree_node * old = rcu_dereference_raw ( slot [ i ] ) ;
2016-12-14 15:08:58 -08:00
if ( i ) {
2016-05-20 17:03:42 -07:00
rcu_assign_pointer ( slot [ i ] , child ) ;
2016-12-14 15:08:58 -08:00
for ( tag = 0 ; tag < RADIX_TREE_MAX_TAGS ; tag + + )
if ( tags & ( 1 < < tag ) )
tag_clear ( node , tag , offset + i ) ;
} else {
rcu_assign_pointer ( slot [ i ] , item ) ;
for ( tag = 0 ; tag < RADIX_TREE_MAX_TAGS ; tag + + )
if ( tags & ( 1 < < tag ) )
tag_set ( node , tag , offset ) ;
2016-03-17 14:21:54 -07:00
}
2016-12-14 15:08:58 -08:00
if ( radix_tree_is_internal_node ( old ) & &
2016-12-14 15:09:01 -08:00
! is_sibling_entry ( node , old ) & &
( old ! = RADIX_TREE_RETRY ) )
2016-12-14 15:08:58 -08:00
radix_tree_free_nodes ( old ) ;
if ( radix_tree_exceptional_entry ( old ) )
node - > exceptional - - ;
2006-06-23 02:03:22 -07:00
}
2016-12-14 15:08:58 -08:00
if ( node ) {
node - > count + = n ;
if ( radix_tree_exceptional_entry ( item ) )
node - > exceptional + = n ;
}
return n ;
2014-04-03 14:47:54 -07:00
}
2016-12-14 15:08:58 -08:00
# else
2017-02-13 15:58:24 -05:00
static inline int insert_entries ( struct radix_tree_node * node ,
void __rcu * * slot , void * item , unsigned order , bool replace )
2016-12-14 15:08:58 -08:00
{
if ( * slot )
return - EEXIST ;
rcu_assign_pointer ( * slot , item ) ;
if ( node ) {
node - > count + + ;
if ( radix_tree_exceptional_entry ( item ) )
node - > exceptional + + ;
}
return 1 ;
}
# endif
2014-04-03 14:47:54 -07:00
/**
2016-03-17 14:21:54 -07:00
* __radix_tree_insert - insert into a radix tree
2014-04-03 14:47:54 -07:00
* @ root : radix tree root
* @ index : index key
2016-03-17 14:21:54 -07:00
* @ order : key covers the 2 ^ order indices around index
2014-04-03 14:47:54 -07:00
* @ item : item to insert
*
* Insert an item into the radix tree at position @ index .
*/
2016-03-17 14:21:54 -07:00
int __radix_tree_insert ( struct radix_tree_root * root , unsigned long index ,
unsigned order , void * item )
2014-04-03 14:47:54 -07:00
{
struct radix_tree_node * node ;
2017-02-13 15:58:24 -05:00
void __rcu * * slot ;
2014-04-03 14:47:54 -07:00
int error ;
2016-05-20 17:03:30 -07:00
BUG_ON ( radix_tree_is_internal_node ( item ) ) ;
2014-04-03 14:47:54 -07:00
2016-03-17 14:21:54 -07:00
error = __radix_tree_create ( root , index , order , & node , & slot ) ;
2014-04-03 14:47:54 -07:00
if ( error )
return error ;
2016-12-14 15:08:58 -08:00
error = insert_entries ( node , slot , item , order , false ) ;
if ( error < 0 )
return error ;
2005-09-06 15:16:46 -07:00
2006-06-23 02:03:22 -07:00
if ( node ) {
2016-05-20 17:02:23 -07:00
unsigned offset = get_slot_offset ( node , slot ) ;
BUG_ON ( tag_get ( node , 0 , offset ) ) ;
BUG_ON ( tag_get ( node , 1 , offset ) ) ;
BUG_ON ( tag_get ( node , 2 , offset ) ) ;
2006-06-23 02:03:22 -07:00
} else {
2016-05-20 17:02:23 -07:00
BUG_ON ( root_tags_get ( root ) ) ;
2006-06-23 02:03:22 -07:00
}
2005-04-16 15:20:36 -07:00
return 0 ;
}
2016-03-17 14:21:54 -07:00
EXPORT_SYMBOL ( __radix_tree_insert ) ;
2005-04-16 15:20:36 -07:00
2014-04-03 14:47:54 -07:00
/**
* __radix_tree_lookup - lookup an item in a radix tree
* @ root : radix tree root
* @ index : index key
* @ nodep : returns node
* @ slotp : returns slot
*
* Lookup and return the item at position @ index in the radix
* tree @ root .
*
* Until there is more than one item in the tree , no nodes are
* allocated and @ root - > rnode is used as a direct slot instead of
* pointing to a node , in which case * @ nodep will be NULL .
2006-12-06 20:33:44 -08:00
*/
2016-12-19 17:43:19 -05:00
void * __radix_tree_lookup ( const struct radix_tree_root * root ,
unsigned long index , struct radix_tree_node * * nodep ,
2017-02-13 15:58:24 -05:00
void __rcu * * * slotp )
2005-04-16 15:20:36 -07:00
{
2014-04-03 14:47:54 -07:00
struct radix_tree_node * node , * parent ;
2016-05-20 17:02:20 -07:00
unsigned long maxindex ;
2017-02-13 15:58:24 -05:00
void __rcu * * slot ;
2006-06-23 02:03:22 -07:00
2016-05-20 17:02:20 -07:00
restart :
parent = NULL ;
2017-02-13 15:58:24 -05:00
slot = ( void __rcu * * ) & root - > rnode ;
2016-05-20 17:03:48 -07:00
radix_tree_load_root ( root , & node , & maxindex ) ;
2016-05-20 17:02:20 -07:00
if ( index > maxindex )
2005-04-16 15:20:36 -07:00
return NULL ;
2016-05-20 17:03:30 -07:00
while ( radix_tree_is_internal_node ( node ) ) {
2016-05-20 17:02:20 -07:00
unsigned offset ;
2005-04-16 15:20:36 -07:00
2016-05-20 17:02:20 -07:00
if ( node = = RADIX_TREE_RETRY )
goto restart ;
2016-05-20 17:03:27 -07:00
parent = entry_to_node ( node ) ;
2016-05-20 17:03:48 -07:00
offset = radix_tree_descend ( parent , & node , index ) ;
2016-05-20 17:02:20 -07:00
slot = parent - > slots + offset ;
}
2005-04-16 15:20:36 -07:00
2014-04-03 14:47:54 -07:00
if ( nodep )
* nodep = parent ;
if ( slotp )
* slotp = slot ;
return node ;
2009-06-16 15:33:42 -07:00
}
/**
* radix_tree_lookup_slot - lookup a slot in a radix tree
* @ root : radix tree root
* @ index : index key
*
* Returns : the slot corresponding to the position @ index in the
* radix tree @ root . This is useful for update - if - exists operations .
*
* This function can be called under rcu_read_lock iff the slot is not
* modified by radix_tree_replace_slot , otherwise it must be called
* exclusive from other writers . Any dereference of the slot must be done
* using radix_tree_deref_slot .
*/
2017-02-13 15:58:24 -05:00
void __rcu * * radix_tree_lookup_slot ( const struct radix_tree_root * root ,
2016-12-19 17:43:19 -05:00
unsigned long index )
2009-06-16 15:33:42 -07:00
{
2017-02-13 15:58:24 -05:00
void __rcu * * slot ;
2014-04-03 14:47:54 -07:00
if ( ! __radix_tree_lookup ( root , index , NULL , & slot ) )
return NULL ;
return slot ;
2005-11-07 00:59:29 -08:00
}
EXPORT_SYMBOL ( radix_tree_lookup_slot ) ;
/**
* radix_tree_lookup - perform lookup operation on a radix tree
* @ root : radix tree root
* @ index : index key
*
* Lookup the item at the position @ index in the radix tree @ root .
2006-12-06 20:33:44 -08:00
*
* This function can be called under rcu_read_lock , however the caller
* must manage lifetimes of leaf nodes ( eg . RCU may also be used to free
* them safely ) . No RCU barriers are required to access or modify the
* returned item , however .
2005-11-07 00:59:29 -08:00
*/
2016-12-19 17:43:19 -05:00
void * radix_tree_lookup ( const struct radix_tree_root * root , unsigned long index )
2005-11-07 00:59:29 -08:00
{
2014-04-03 14:47:54 -07:00
return __radix_tree_lookup ( root , index , NULL , NULL ) ;
2005-04-16 15:20:36 -07:00
}
EXPORT_SYMBOL ( radix_tree_lookup ) ;
2016-12-20 10:27:56 -05:00
static inline void replace_sibling_entries ( struct radix_tree_node * node ,
2017-02-13 15:58:24 -05:00
void __rcu * * slot , int count , int exceptional )
2016-12-14 15:09:07 -08:00
{
# ifdef CONFIG_RADIX_TREE_MULTIORDER
void * ptr = node_to_entry ( slot ) ;
2016-12-20 10:27:56 -05:00
unsigned offset = get_slot_offset ( node , slot ) + 1 ;
2016-12-14 15:09:07 -08:00
2016-12-20 10:27:56 -05:00
while ( offset < RADIX_TREE_MAP_SIZE ) {
2017-02-13 15:22:48 -05:00
if ( rcu_dereference_raw ( node - > slots [ offset ] ) ! = ptr )
2016-12-14 15:09:07 -08:00
break ;
2016-12-20 10:27:56 -05:00
if ( count < 0 ) {
node - > slots [ offset ] = NULL ;
node - > count - - ;
}
node - > exceptional + = exceptional ;
offset + + ;
2016-12-14 15:09:07 -08:00
}
# endif
}
2017-02-13 15:58:24 -05:00
static void replace_slot ( void __rcu * * slot , void * item ,
struct radix_tree_node * node , int count , int exceptional )
2016-12-12 16:43:41 -08:00
{
2016-12-20 10:27:56 -05:00
if ( WARN_ON_ONCE ( radix_tree_is_internal_node ( item ) ) )
return ;
2016-12-12 16:43:41 -08:00
2016-12-20 10:27:56 -05:00
if ( node & & ( count | | exceptional ) ) {
2016-12-12 16:43:46 -08:00
node - > count + = count ;
2016-12-20 10:27:56 -05:00
node - > exceptional + = exceptional ;
replace_sibling_entries ( node , slot , count , exceptional ) ;
2016-12-12 16:43:46 -08:00
}
2016-12-12 16:43:41 -08:00
rcu_assign_pointer ( * slot , item ) ;
}
2016-12-20 10:27:56 -05:00
static bool node_tag_get ( const struct radix_tree_root * root ,
const struct radix_tree_node * node ,
unsigned int tag , unsigned int offset )
2016-12-14 15:09:07 -08:00
{
2016-12-20 10:27:56 -05:00
if ( node )
return tag_get ( node , tag , offset ) ;
return root_tag_get ( root , tag ) ;
}
2016-12-14 15:09:07 -08:00
2016-12-20 10:27:56 -05:00
/*
* IDR users want to be able to store NULL in the tree , so if the slot isn ' t
* free , don ' t adjust the count , even if it ' s transitioning between NULL and
* non - NULL . For the IDA , we mark slots as being IDR_FREE while they still
* have empty bits , but it only stores NULL in slots when they ' re being
* deleted .
*/
static int calculate_count ( struct radix_tree_root * root ,
2017-02-13 15:58:24 -05:00
struct radix_tree_node * node , void __rcu * * slot ,
2016-12-20 10:27:56 -05:00
void * item , void * old )
{
if ( is_idr ( root ) ) {
unsigned offset = get_slot_offset ( node , slot ) ;
bool free = node_tag_get ( root , node , IDR_FREE , offset ) ;
if ( ! free )
return 0 ;
if ( ! old )
return 1 ;
2016-12-14 15:09:07 -08:00
}
2016-12-20 10:27:56 -05:00
return ! ! item - ! ! old ;
2016-12-14 15:09:07 -08:00
}
2016-12-12 16:43:43 -08:00
/**
* __radix_tree_replace - replace item in a slot
2016-12-12 16:43:49 -08:00
* @ root : radix tree root
* @ node : pointer to tree node
* @ slot : pointer to slot in @ node
* @ item : new item to store in the slot .
* @ update_node : callback for changing leaf nodes
2016-12-12 16:43:43 -08:00
*
* For use with __radix_tree_lookup ( ) . Caller must hold tree write locked
* across slot lookup and replacement .
*/
void __radix_tree_replace ( struct radix_tree_root * root ,
struct radix_tree_node * node ,
2017-02-13 15:58:24 -05:00
void __rcu * * slot , void * item ,
2017-11-15 17:37:41 -08:00
radix_tree_update_node_t update_node )
2016-12-12 16:43:43 -08:00
{
2016-12-20 10:27:56 -05:00
void * old = rcu_dereference_raw ( * slot ) ;
int exceptional = ! ! radix_tree_exceptional_entry ( item ) -
! ! radix_tree_exceptional_entry ( old ) ;
int count = calculate_count ( root , node , slot , item , old ) ;
2016-12-12 16:43:43 -08:00
/*
2016-12-12 16:43:46 -08:00
* This function supports replacing exceptional entries and
* deleting entries , but that needs accounting against the
* node unless the slot is root - > rnode .
2016-12-12 16:43:43 -08:00
*/
2017-02-13 15:58:24 -05:00
WARN_ON_ONCE ( ! node & & ( slot ! = ( void __rcu * * ) & root - > rnode ) & &
2016-12-20 10:27:56 -05:00
( count | | exceptional ) ) ;
replace_slot ( slot , item , node , count , exceptional ) ;
2016-12-12 16:43:46 -08:00
2016-12-12 16:43:49 -08:00
if ( ! node )
return ;
if ( update_node )
2017-11-15 17:37:41 -08:00
update_node ( node ) ;
2016-12-12 16:43:49 -08:00
2017-11-15 17:37:41 -08:00
delete_node ( root , node , update_node ) ;
2016-12-12 16:43:43 -08:00
}
/**
* radix_tree_replace_slot - replace item in a slot
* @ root : radix tree root
* @ slot : pointer to slot
* @ item : new item to store in the slot .
*
* For use with radix_tree_lookup_slot ( ) , radix_tree_gang_lookup_slot ( ) ,
* radix_tree_gang_lookup_tag_slot ( ) . Caller must hold tree write locked
* across slot lookup and replacement .
*
* NOTE : This cannot be used to switch between non - entries ( empty slots ) ,
* regular entries , and exceptional entries , as that requires accounting
2016-12-12 16:43:46 -08:00
* inside the radix tree node . When switching from one type of entry or
2016-12-14 15:09:01 -08:00
* deleting , use __radix_tree_lookup ( ) and __radix_tree_replace ( ) or
* radix_tree_iter_replace ( ) .
2016-12-12 16:43:43 -08:00
*/
void radix_tree_replace_slot ( struct radix_tree_root * root ,
2017-02-13 15:58:24 -05:00
void __rcu * * slot , void * item )
2016-12-12 16:43:43 -08:00
{
2017-11-15 17:37:41 -08:00
__radix_tree_replace ( root , NULL , slot , item , NULL ) ;
2016-12-12 16:43:43 -08:00
}
2017-01-11 10:00:51 -08:00
EXPORT_SYMBOL ( radix_tree_replace_slot ) ;
2016-12-12 16:43:43 -08:00
2016-12-14 15:09:01 -08:00
/**
* radix_tree_iter_replace - replace item in a slot
* @ root : radix tree root
* @ slot : pointer to slot
* @ item : new item to store in the slot .
*
* For use with radix_tree_split ( ) and radix_tree_for_each_slot ( ) .
* Caller must hold tree write locked across split and replacement .
*/
void radix_tree_iter_replace ( struct radix_tree_root * root ,
2017-02-13 15:58:24 -05:00
const struct radix_tree_iter * iter ,
void __rcu * * slot , void * item )
2016-12-14 15:09:01 -08:00
{
2017-11-15 17:37:41 -08:00
__radix_tree_replace ( root , iter - > node , slot , item , NULL ) ;
2016-12-14 15:09:01 -08:00
}
2016-12-14 15:08:58 -08:00
# ifdef CONFIG_RADIX_TREE_MULTIORDER
/**
* radix_tree_join - replace multiple entries with one multiorder entry
* @ root : radix tree root
* @ index : an index inside the new entry
* @ order : order of the new entry
* @ item : new entry
*
* Call this function to replace several entries with one larger entry .
* The existing entries are presumed to not need freeing as a result of
* this call .
*
* The replacement entry will have all the tags set on it that were set
* on any of the entries it is replacing .
*/
int radix_tree_join ( struct radix_tree_root * root , unsigned long index ,
unsigned order , void * item )
{
struct radix_tree_node * node ;
2017-02-13 15:58:24 -05:00
void __rcu * * slot ;
2016-12-14 15:08:58 -08:00
int error ;
BUG_ON ( radix_tree_is_internal_node ( item ) ) ;
error = __radix_tree_create ( root , index , order , & node , & slot ) ;
if ( ! error )
error = insert_entries ( node , slot , item , order , true ) ;
if ( error > 0 )
error = 0 ;
return error ;
}
2016-12-14 15:09:01 -08:00
/**
* radix_tree_split - Split an entry into smaller entries
* @ root : radix tree root
* @ index : An index within the large entry
* @ order : Order of new entries
*
* Call this function as the first step in replacing a multiorder entry
* with several entries of lower order . After this function returns ,
* loop over the relevant portion of the tree using radix_tree_for_each_slot ( )
* and call radix_tree_iter_replace ( ) to set up each new entry .
*
* The tags from this entry are replicated to all the new entries .
*
* The radix tree should be locked against modification during the entire
* replacement operation . Lock - free lookups will see RADIX_TREE_RETRY which
* should prompt RCU walkers to restart the lookup from the root .
*/
int radix_tree_split ( struct radix_tree_root * root , unsigned long index ,
unsigned order )
{
struct radix_tree_node * parent , * node , * child ;
2017-02-13 15:58:24 -05:00
void __rcu * * slot ;
2016-12-14 15:09:01 -08:00
unsigned int offset , end ;
unsigned n , tag , tags = 0 ;
2016-12-20 10:27:56 -05:00
gfp_t gfp = root_gfp_mask ( root ) ;
2016-12-14 15:09:01 -08:00
if ( ! __radix_tree_lookup ( root , index , & parent , & slot ) )
return - ENOENT ;
if ( ! parent )
return - ENOENT ;
offset = get_slot_offset ( parent , slot ) ;
for ( tag = 0 ; tag < RADIX_TREE_MAX_TAGS ; tag + + )
if ( tag_get ( parent , tag , offset ) )
tags | = 1 < < tag ;
for ( end = offset + 1 ; end < RADIX_TREE_MAP_SIZE ; end + + ) {
2017-02-13 15:22:48 -05:00
if ( ! is_sibling_entry ( parent ,
rcu_dereference_raw ( parent - > slots [ end ] ) ) )
2016-12-14 15:09:01 -08:00
break ;
for ( tag = 0 ; tag < RADIX_TREE_MAX_TAGS ; tag + + )
if ( tags & ( 1 < < tag ) )
tag_set ( parent , tag , end ) ;
/* rcu_assign_pointer ensures tags are set before RETRY */
rcu_assign_pointer ( parent - > slots [ end ] , RADIX_TREE_RETRY ) ;
}
rcu_assign_pointer ( parent - > slots [ offset ] , RADIX_TREE_RETRY ) ;
parent - > exceptional - = ( end - offset ) ;
if ( order = = parent - > shift )
return 0 ;
if ( order > parent - > shift ) {
while ( offset < end )
offset + = insert_entries ( parent , & parent - > slots [ offset ] ,
RADIX_TREE_RETRY , order , true ) ;
return 0 ;
}
node = parent ;
for ( ; ; ) {
if ( node - > shift > order ) {
2017-01-16 17:10:21 -05:00
child = radix_tree_node_alloc ( gfp , node , root ,
2016-12-14 15:09:31 -08:00
node - > shift - RADIX_TREE_MAP_SHIFT ,
offset , 0 , 0 ) ;
2016-12-14 15:09:01 -08:00
if ( ! child )
goto nomem ;
if ( node ! = parent ) {
node - > count + + ;
2017-02-13 15:22:48 -05:00
rcu_assign_pointer ( node - > slots [ offset ] ,
node_to_entry ( child ) ) ;
2016-12-14 15:09:01 -08:00
for ( tag = 0 ; tag < RADIX_TREE_MAX_TAGS ; tag + + )
if ( tags & ( 1 < < tag ) )
tag_set ( node , tag , offset ) ;
}
node = child ;
offset = 0 ;
continue ;
}
n = insert_entries ( node , & node - > slots [ offset ] ,
RADIX_TREE_RETRY , order , false ) ;
BUG_ON ( n > RADIX_TREE_MAP_SIZE ) ;
for ( tag = 0 ; tag < RADIX_TREE_MAX_TAGS ; tag + + )
if ( tags & ( 1 < < tag ) )
tag_set ( node , tag , offset ) ;
offset + = n ;
while ( offset = = RADIX_TREE_MAP_SIZE ) {
if ( node = = parent )
break ;
offset = node - > offset ;
child = node ;
node = node - > parent ;
rcu_assign_pointer ( node - > slots [ offset ] ,
node_to_entry ( child ) ) ;
offset + + ;
}
if ( ( node = = parent ) & & ( offset = = end ) )
return 0 ;
}
nomem :
/* Shouldn't happen; did user forget to preload? */
/* TODO: free all the allocated nodes */
WARN_ON ( 1 ) ;
return - ENOMEM ;
}
2016-12-14 15:08:58 -08:00
# endif
2017-01-28 09:55:20 -05:00
static void node_tag_set ( struct radix_tree_root * root ,
struct radix_tree_node * node ,
unsigned int tag , unsigned int offset )
{
while ( node ) {
if ( tag_get ( node , tag , offset ) )
return ;
tag_set ( node , tag , offset ) ;
offset = node - > offset ;
node = node - > parent ;
}
if ( ! root_tag_get ( root , tag ) )
root_tag_set ( root , tag ) ;
}
2005-04-16 15:20:36 -07:00
/**
* radix_tree_tag_set - set a tag on a radix tree node
* @ root : radix tree root
* @ index : index key
2016-05-20 17:03:04 -07:00
* @ tag : tag index
2005-04-16 15:20:36 -07:00
*
2006-03-25 03:08:05 -08:00
* Set the search tag ( which must be < RADIX_TREE_MAX_TAGS )
* corresponding to @ index in the radix tree . From
2005-04-16 15:20:36 -07:00
* the root all the way down to the leaf node .
*
2016-05-20 17:03:04 -07:00
* Returns the address of the tagged item . Setting a tag on a not - present
2005-04-16 15:20:36 -07:00
* item is a bug .
*/
void * radix_tree_tag_set ( struct radix_tree_root * root ,
2006-03-25 03:08:05 -08:00
unsigned long index , unsigned int tag )
2005-04-16 15:20:36 -07:00
{
2016-05-20 17:02:32 -07:00
struct radix_tree_node * node , * parent ;
unsigned long maxindex ;
2005-04-16 15:20:36 -07:00
2016-05-20 17:03:48 -07:00
radix_tree_load_root ( root , & node , & maxindex ) ;
2016-05-20 17:02:32 -07:00
BUG_ON ( index > maxindex ) ;
2005-04-16 15:20:36 -07:00
2016-05-20 17:03:30 -07:00
while ( radix_tree_is_internal_node ( node ) ) {
2016-05-20 17:02:32 -07:00
unsigned offset ;
2005-04-16 15:20:36 -07:00
2016-05-20 17:03:27 -07:00
parent = entry_to_node ( node ) ;
2016-05-20 17:03:48 -07:00
offset = radix_tree_descend ( parent , & node , index ) ;
2016-05-20 17:02:32 -07:00
BUG_ON ( ! node ) ;
if ( ! tag_get ( parent , tag , offset ) )
tag_set ( parent , tag , offset ) ;
2005-04-16 15:20:36 -07:00
}
2006-06-23 02:03:22 -07:00
/* set the root's tag bit */
2016-05-20 17:02:32 -07:00
if ( ! root_tag_get ( root , tag ) )
2006-06-23 02:03:22 -07:00
root_tag_set ( root , tag ) ;
2016-05-20 17:02:32 -07:00
return node ;
2005-04-16 15:20:36 -07:00
}
EXPORT_SYMBOL ( radix_tree_tag_set ) ;
2017-01-28 09:55:20 -05:00
/**
* radix_tree_iter_tag_set - set a tag on the current iterator entry
* @ root : radix tree root
* @ iter : iterator state
* @ tag : tag to set
*/
void radix_tree_iter_tag_set ( struct radix_tree_root * root ,
const struct radix_tree_iter * iter , unsigned int tag )
{
node_tag_set ( root , iter - > node , tag , iter_offset ( iter ) ) ;
}
2016-05-20 17:03:45 -07:00
static void node_tag_clear ( struct radix_tree_root * root ,
struct radix_tree_node * node ,
unsigned int tag , unsigned int offset )
{
while ( node ) {
if ( ! tag_get ( node , tag , offset ) )
return ;
tag_clear ( node , tag , offset ) ;
if ( any_tag_set ( node , tag ) )
return ;
offset = node - > offset ;
node = node - > parent ;
}
/* clear the root's tag bit */
if ( root_tag_get ( root , tag ) )
root_tag_clear ( root , tag ) ;
}
2005-04-16 15:20:36 -07:00
/**
* radix_tree_tag_clear - clear a tag on a radix tree node
* @ root : radix tree root
* @ index : index key
2016-05-20 17:03:04 -07:00
* @ tag : tag index
2005-04-16 15:20:36 -07:00
*
2006-03-25 03:08:05 -08:00
* Clear the search tag ( which must be < RADIX_TREE_MAX_TAGS )
2016-05-20 17:03:04 -07:00
* corresponding to @ index in the radix tree . If this causes
* the leaf node to have no tags set then clear the tag in the
2005-04-16 15:20:36 -07:00
* next - to - leaf node , etc .
*
* Returns the address of the tagged item on success , else NULL . ie :
* has the same return value and semantics as radix_tree_lookup ( ) .
*/
void * radix_tree_tag_clear ( struct radix_tree_root * root ,
2006-03-25 03:08:05 -08:00
unsigned long index , unsigned int tag )
2005-04-16 15:20:36 -07:00
{
2016-05-20 17:02:35 -07:00
struct radix_tree_node * node , * parent ;
unsigned long maxindex ;
radix_tree: take radix_tree_path off stack
Down, down in the deepest depths of GFP_NOIO page reclaim, we have
shrink_page_list() calling __remove_mapping() calling __delete_from_
swap_cache() or __delete_from_page_cache().
You would not expect those to need much stack, but in fact they call
radix_tree_delete(): which declares a 192-byte radix_tree_path array on
its stack (to record the node,offsets it visits when descending, in case
it needs to ascend to update them). And if any tag is still set [1],
that calls radix_tree_tag_clear(), which declares a further such
192-byte radix_tree_path array on the stack. (At least we have
interrupts disabled here, so won't then be pushing registers too.)
That was probably a good choice when most users were 32-bit (array of
half the size), and adding fields to radix_tree_node would have bloated
it unnecessarily. But nowadays many are 64-bit, and each
radix_tree_node contains a struct rcu_head, which is only used when
freeing; whereas the radix_tree_path info is only used for updating the
tree (deleting, clearing tags or setting tags if tagged) when a lock
must be held, of no interest when accessing the tree locklessly.
So add a parent pointer to the radix_tree_node, in union with the
rcu_head, and remove all uses of the radix_tree_path. There would be
space in that union to save the offset when descending as before (we can
argue that a lock must already be held to exclude other users), but
recalculating it when ascending is both easy (a constant shift and a
constant mask) and uncommon, so it seems better just to do that.
Two little optimizations: no need to decrement height when descending,
adjusting shift is enough; and once radix_tree_tag_if_tagged() has set
tag on a node and its ancestors, it need not ascend from that node
again.
perf on the radix tree test harness reports radix_tree_insert() as 2%
slower (now having to set parent), but radix_tree_delete() 24% faster.
Surely that's an exaggeration from rtth's artificially low map shift 3,
but forcing it back to 6 still rates radix_tree_delete() 8% faster.
[1] Can a pagecache tag (dirty, writeback or towrite) actually still be
set at the time of radix_tree_delete()? Perhaps not if the filesystem is
well-behaved. But although I've not tracked any stack overflow down to
this cause, I have observed a curious case in which a dirty tag is set
and left set on tmpfs: page migration's migrate_page_copy() happens to
use __set_page_dirty_nobuffers() to set PageDirty on the newpage, and
that sets PAGECACHE_TAG_DIRTY as a side-effect - harmless to a
filesystem which doesn't use tags, except for this stack depth issue.
Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Nai Xia <nai.xia@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-12 17:20:41 -08:00
int uninitialized_var ( offset ) ;
2005-04-16 15:20:36 -07:00
2016-05-20 17:03:48 -07:00
radix_tree_load_root ( root , & node , & maxindex ) ;
2016-05-20 17:02:35 -07:00
if ( index > maxindex )
return NULL ;
2005-04-16 15:20:36 -07:00
2016-05-20 17:02:35 -07:00
parent = NULL ;
2005-04-16 15:20:36 -07:00
2016-05-20 17:03:30 -07:00
while ( radix_tree_is_internal_node ( node ) ) {
2016-05-20 17:03:27 -07:00
parent = entry_to_node ( node ) ;
2016-05-20 17:03:48 -07:00
offset = radix_tree_descend ( parent , & node , index ) ;
2005-04-16 15:20:36 -07:00
}
2016-05-20 17:03:45 -07:00
if ( node )
node_tag_clear ( root , parent , tag , offset ) ;
2005-04-16 15:20:36 -07:00
2016-05-20 17:02:35 -07:00
return node ;
2005-04-16 15:20:36 -07:00
}
EXPORT_SYMBOL ( radix_tree_tag_clear ) ;
2017-01-28 09:55:20 -05:00
/**
* radix_tree_iter_tag_clear - clear a tag on the current iterator entry
* @ root : radix tree root
* @ iter : iterator state
* @ tag : tag to clear
*/
void radix_tree_iter_tag_clear ( struct radix_tree_root * root ,
const struct radix_tree_iter * iter , unsigned int tag )
{
node_tag_clear ( root , iter - > node , tag , iter_offset ( iter ) ) ;
}
2005-04-16 15:20:36 -07:00
/**
2005-09-06 15:16:48 -07:00
* radix_tree_tag_get - get a tag on a radix tree node
* @ root : radix tree root
* @ index : index key
2016-05-20 17:03:04 -07:00
* @ tag : tag index ( < RADIX_TREE_MAX_TAGS )
2005-04-16 15:20:36 -07:00
*
2005-09-06 15:16:48 -07:00
* Return values :
2005-04-16 15:20:36 -07:00
*
2006-06-23 02:03:22 -07:00
* 0 : tag not present or not set
* 1 : tag set
radix_tree_tag_get() is not as safe as the docs make out [ver #2]
radix_tree_tag_get() is not safe to use concurrently with radix_tree_tag_set()
or radix_tree_tag_clear(). The problem is that the double tag_get() in
radix_tree_tag_get():
if (!tag_get(node, tag, offset))
saw_unset_tag = 1;
if (height == 1) {
int ret = tag_get(node, tag, offset);
may see the value change due to the action of set/clear. RCU is no protection
against this as no pointers are being changed, no nodes are being replaced
according to a COW protocol - set/clear alter the node directly.
The documentation in linux/radix-tree.h, however, says that
radix_tree_tag_get() is an exception to the rule that "any function modifying
the tree or tags (...) must exclude other modifications, and exclude any
functions reading the tree".
The problem is that the next statement in radix_tree_tag_get() checks that the
tag doesn't vary over time:
BUG_ON(ret && saw_unset_tag);
This has been seen happening in FS-Cache:
https://www.redhat.com/archives/linux-cachefs/2010-April/msg00013.html
To this end, remove the BUG_ON() from radix_tree_tag_get() and note in various
comments that the value of the tag may change whilst the RCU read lock is held,
and thus that the return value of radix_tree_tag_get() may not be relied upon
unless radix_tree_tag_set/clear() and radix_tree_delete() are excluded from
running concurrently with it.
Reported-by: Romain DEGEZ <romain.degez@smartjog.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Nick Piggin <npiggin@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-04-06 22:36:20 +01:00
*
* Note that the return value of this function may not be relied on , even if
* the RCU lock is held , unless tag modification and node deletion are excluded
* from concurrency .
2005-04-16 15:20:36 -07:00
*/
2016-12-19 17:43:19 -05:00
int radix_tree_tag_get ( const struct radix_tree_root * root ,
2006-03-25 03:08:05 -08:00
unsigned long index , unsigned int tag )
2005-04-16 15:20:36 -07:00
{
2016-05-20 17:02:38 -07:00
struct radix_tree_node * node , * parent ;
unsigned long maxindex ;
2005-04-16 15:20:36 -07:00
2006-06-23 02:03:22 -07:00
if ( ! root_tag_get ( root , tag ) )
return 0 ;
2016-05-20 17:03:48 -07:00
radix_tree_load_root ( root , & node , & maxindex ) ;
2016-05-20 17:02:38 -07:00
if ( index > maxindex )
return 0 ;
2006-12-06 20:33:44 -08:00
2016-05-20 17:03:30 -07:00
while ( radix_tree_is_internal_node ( node ) ) {
2016-05-20 17:03:48 -07:00
unsigned offset ;
2005-04-16 15:20:36 -07:00
2016-05-20 17:03:27 -07:00
parent = entry_to_node ( node ) ;
2016-05-20 17:03:48 -07:00
offset = radix_tree_descend ( parent , & node , index ) ;
2005-04-16 15:20:36 -07:00
2016-05-20 17:02:38 -07:00
if ( ! tag_get ( parent , tag , offset ) )
2011-10-31 17:07:02 -07:00
return 0 ;
2016-05-20 17:02:38 -07:00
if ( node = = RADIX_TREE_RETRY )
break ;
2005-04-16 15:20:36 -07:00
}
2016-05-20 17:02:38 -07:00
return 1 ;
2005-04-16 15:20:36 -07:00
}
EXPORT_SYMBOL ( radix_tree_tag_get ) ;
2016-05-20 17:02:26 -07:00
static inline void __set_iter_shift ( struct radix_tree_iter * iter ,
unsigned int shift )
{
# ifdef CONFIG_RADIX_TREE_MULTIORDER
iter - > shift = shift ;
# endif
}
2016-12-14 15:08:49 -08:00
/* Construct iter->tags bit-mask from node->tags[tag] array */
static void set_iter_tags ( struct radix_tree_iter * iter ,
struct radix_tree_node * node , unsigned offset ,
unsigned tag )
{
unsigned tag_long = offset / BITS_PER_LONG ;
unsigned tag_bit = offset % BITS_PER_LONG ;
2016-12-20 10:27:56 -05:00
if ( ! node ) {
iter - > tags = 1 ;
return ;
}
2016-12-14 15:08:49 -08:00
iter - > tags = node - > tags [ tag ] [ tag_long ] > > tag_bit ;
/* This never happens if RADIX_TREE_TAG_LONGS == 1 */
if ( tag_long < RADIX_TREE_TAG_LONGS - 1 ) {
/* Pick tags from next element */
if ( tag_bit )
iter - > tags | = node - > tags [ tag ] [ tag_long + 1 ] < <
( BITS_PER_LONG - tag_bit ) ;
/* Clip chunk size, here only BITS_PER_LONG tags */
iter - > next_index = __radix_tree_iter_add ( iter , BITS_PER_LONG ) ;
}
}
# ifdef CONFIG_RADIX_TREE_MULTIORDER
2017-02-13 15:58:24 -05:00
static void __rcu * * skip_siblings ( struct radix_tree_node * * nodep ,
void __rcu * * slot , struct radix_tree_iter * iter )
2016-12-14 15:08:49 -08:00
{
while ( iter - > index < iter - > next_index ) {
* nodep = rcu_dereference_raw ( * slot ) ;
radix tree: fix multi-order iteration race
Fix a race in the multi-order iteration code which causes the kernel to
hit a GP fault. This was first seen with a production v4.15 based
kernel (4.15.6-300.fc27.x86_64) utilizing a DAX workload which used
order 9 PMD DAX entries.
The race has to do with how we tear down multi-order sibling entries
when we are removing an item from the tree. Remember for example that
an order 2 entry looks like this:
struct radix_tree_node.slots[] = [entry][sibling][sibling][sibling]
where 'entry' is in some slot in the struct radix_tree_node, and the
three slots following 'entry' contain sibling pointers which point back
to 'entry.'
When we delete 'entry' from the tree, we call :
radix_tree_delete()
radix_tree_delete_item()
__radix_tree_delete()
replace_slot()
replace_slot() first removes the siblings in order from the first to the
last, then at then replaces 'entry' with NULL. This means that for a
brief period of time we end up with one or more of the siblings removed,
so:
struct radix_tree_node.slots[] = [entry][NULL][sibling][sibling]
This causes an issue if you have a reader iterating over the slots in
the tree via radix_tree_for_each_slot() while only under
rcu_read_lock()/rcu_read_unlock() protection. This is a common case in
mm/filemap.c.
The issue is that when __radix_tree_next_slot() => skip_siblings() tries
to skip over the sibling entries in the slots, it currently does so with
an exact match on the slot directly preceding our current slot.
Normally this works:
V preceding slot
struct radix_tree_node.slots[] = [entry][sibling][sibling][sibling]
^ current slot
This lets you find the first sibling, and you skip them all in order.
But in the case where one of the siblings is NULL, that slot is skipped
and then our sibling detection is interrupted:
V preceding slot
struct radix_tree_node.slots[] = [entry][NULL][sibling][sibling]
^ current slot
This means that the sibling pointers aren't recognized since they point
all the way back to 'entry', so we think that they are normal internal
radix tree pointers. This causes us to think we need to walk down to a
struct radix_tree_node starting at the address of 'entry'.
In a real running kernel this will crash the thread with a GP fault when
you try and dereference the slots in your broken node starting at
'entry'.
We fix this race by fixing the way that skip_siblings() detects sibling
nodes. Instead of testing against the preceding slot we instead look
for siblings via is_sibling_entry() which compares against the position
of the struct radix_tree_node.slots[] array. This ensures that sibling
entries are properly identified, even if they are no longer contiguous
with the 'entry' they point to.
Link: http://lkml.kernel.org/r/20180503192430.7582-6-ross.zwisler@linux.intel.com
Fixes: 148deab223b2 ("radix-tree: improve multiorder iterators")
Signed-off-by: Ross Zwisler <ross.zwisler@linux.intel.com>
Reported-by: CR, Sapthagirish <sapthagirish.cr@intel.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Dave Chinner <david@fromorbit.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2018-05-18 16:09:06 -07:00
if ( * nodep & & ! is_sibling_entry ( iter - > node , * nodep ) )
2016-12-14 15:08:49 -08:00
return slot ;
slot + + ;
iter - > index = __radix_tree_iter_add ( iter , 1 ) ;
iter - > tags > > = 1 ;
}
* nodep = NULL ;
return NULL ;
}
2017-02-13 15:58:24 -05:00
void __rcu * * __radix_tree_next_slot ( void __rcu * * slot ,
struct radix_tree_iter * iter , unsigned flags )
2016-12-14 15:08:49 -08:00
{
unsigned tag = flags & RADIX_TREE_ITER_TAG_MASK ;
radix tree: fix multi-order iteration race
Fix a race in the multi-order iteration code which causes the kernel to
hit a GP fault. This was first seen with a production v4.15 based
kernel (4.15.6-300.fc27.x86_64) utilizing a DAX workload which used
order 9 PMD DAX entries.
The race has to do with how we tear down multi-order sibling entries
when we are removing an item from the tree. Remember for example that
an order 2 entry looks like this:
struct radix_tree_node.slots[] = [entry][sibling][sibling][sibling]
where 'entry' is in some slot in the struct radix_tree_node, and the
three slots following 'entry' contain sibling pointers which point back
to 'entry.'
When we delete 'entry' from the tree, we call :
radix_tree_delete()
radix_tree_delete_item()
__radix_tree_delete()
replace_slot()
replace_slot() first removes the siblings in order from the first to the
last, then at then replaces 'entry' with NULL. This means that for a
brief period of time we end up with one or more of the siblings removed,
so:
struct radix_tree_node.slots[] = [entry][NULL][sibling][sibling]
This causes an issue if you have a reader iterating over the slots in
the tree via radix_tree_for_each_slot() while only under
rcu_read_lock()/rcu_read_unlock() protection. This is a common case in
mm/filemap.c.
The issue is that when __radix_tree_next_slot() => skip_siblings() tries
to skip over the sibling entries in the slots, it currently does so with
an exact match on the slot directly preceding our current slot.
Normally this works:
V preceding slot
struct radix_tree_node.slots[] = [entry][sibling][sibling][sibling]
^ current slot
This lets you find the first sibling, and you skip them all in order.
But in the case where one of the siblings is NULL, that slot is skipped
and then our sibling detection is interrupted:
V preceding slot
struct radix_tree_node.slots[] = [entry][NULL][sibling][sibling]
^ current slot
This means that the sibling pointers aren't recognized since they point
all the way back to 'entry', so we think that they are normal internal
radix tree pointers. This causes us to think we need to walk down to a
struct radix_tree_node starting at the address of 'entry'.
In a real running kernel this will crash the thread with a GP fault when
you try and dereference the slots in your broken node starting at
'entry'.
We fix this race by fixing the way that skip_siblings() detects sibling
nodes. Instead of testing against the preceding slot we instead look
for siblings via is_sibling_entry() which compares against the position
of the struct radix_tree_node.slots[] array. This ensures that sibling
entries are properly identified, even if they are no longer contiguous
with the 'entry' they point to.
Link: http://lkml.kernel.org/r/20180503192430.7582-6-ross.zwisler@linux.intel.com
Fixes: 148deab223b2 ("radix-tree: improve multiorder iterators")
Signed-off-by: Ross Zwisler <ross.zwisler@linux.intel.com>
Reported-by: CR, Sapthagirish <sapthagirish.cr@intel.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Dave Chinner <david@fromorbit.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2018-05-18 16:09:06 -07:00
struct radix_tree_node * node ;
2016-12-14 15:08:49 -08:00
slot = skip_siblings ( & node , slot , iter ) ;
while ( radix_tree_is_internal_node ( node ) ) {
unsigned offset ;
unsigned long next_index ;
if ( node = = RADIX_TREE_RETRY )
return slot ;
node = entry_to_node ( node ) ;
2016-12-14 15:08:55 -08:00
iter - > node = node ;
2016-12-14 15:08:49 -08:00
iter - > shift = node - > shift ;
if ( flags & RADIX_TREE_ITER_TAGGED ) {
offset = radix_tree_find_next_bit ( node , tag , 0 ) ;
if ( offset = = RADIX_TREE_MAP_SIZE )
return NULL ;
slot = & node - > slots [ offset ] ;
iter - > index = __radix_tree_iter_add ( iter , offset ) ;
set_iter_tags ( iter , node , offset , tag ) ;
node = rcu_dereference_raw ( * slot ) ;
} else {
offset = 0 ;
slot = & node - > slots [ 0 ] ;
for ( ; ; ) {
node = rcu_dereference_raw ( * slot ) ;
if ( node )
break ;
slot + + ;
offset + + ;
if ( offset = = RADIX_TREE_MAP_SIZE )
return NULL ;
}
iter - > index = __radix_tree_iter_add ( iter , offset ) ;
}
if ( ( flags & RADIX_TREE_ITER_CONTIG ) & & ( offset > 0 ) )
goto none ;
next_index = ( iter - > index | shift_maxindex ( iter - > shift ) ) + 1 ;
if ( next_index < iter - > next_index )
iter - > next_index = next_index ;
}
return slot ;
none :
iter - > next_index = 0 ;
return NULL ;
}
EXPORT_SYMBOL ( __radix_tree_next_slot ) ;
# else
2017-02-13 15:58:24 -05:00
static void __rcu * * skip_siblings ( struct radix_tree_node * * nodep ,
void __rcu * * slot , struct radix_tree_iter * iter )
2016-12-14 15:08:49 -08:00
{
return slot ;
}
# endif
2017-02-13 15:58:24 -05:00
void __rcu * * radix_tree_iter_resume ( void __rcu * * slot ,
struct radix_tree_iter * iter )
2016-12-14 15:08:49 -08:00
{
struct radix_tree_node * node ;
slot + + ;
iter - > index = __radix_tree_iter_add ( iter , 1 ) ;
skip_siblings ( & node , slot , iter ) ;
iter - > next_index = iter - > index ;
iter - > tags = 0 ;
return NULL ;
}
EXPORT_SYMBOL ( radix_tree_iter_resume ) ;
2012-03-28 14:42:53 -07:00
/**
* radix_tree_next_chunk - find next chunk of slots for iteration
*
* @ root : radix tree root
* @ iter : iterator state
* @ flags : RADIX_TREE_ITER_ * flags and tag index
* Returns : pointer to chunk first slot , or NULL if iteration is over
*/
2017-02-13 15:58:24 -05:00
void __rcu * * radix_tree_next_chunk ( const struct radix_tree_root * root ,
2012-03-28 14:42:53 -07:00
struct radix_tree_iter * iter , unsigned flags )
{
2016-05-20 17:03:48 -07:00
unsigned tag = flags & RADIX_TREE_ITER_TAG_MASK ;
2016-05-20 17:03:36 -07:00
struct radix_tree_node * node , * child ;
2016-05-20 17:02:26 -07:00
unsigned long index , offset , maxindex ;
2012-03-28 14:42:53 -07:00
if ( ( flags & RADIX_TREE_ITER_TAGGED ) & & ! root_tag_get ( root , tag ) )
return NULL ;
/*
* Catch next_index overflow after ~ 0UL . iter - > index never overflows
* during iterating ; it can be zero only at the beginning .
* And we cannot overflow iter - > next_index in a single step ,
* because RADIX_TREE_MAP_SHIFT < BITS_PER_LONG .
2012-06-05 21:36:33 +04:00
*
* This condition also used by radix_tree_next_slot ( ) to stop
2016-12-14 15:08:31 -08:00
* contiguous iterating , and forbid switching to the next chunk .
2012-03-28 14:42:53 -07:00
*/
index = iter - > next_index ;
if ( ! index & & iter - > index )
return NULL ;
2016-05-20 17:02:26 -07:00
restart :
2016-05-20 17:03:48 -07:00
radix_tree_load_root ( root , & child , & maxindex ) ;
2016-05-20 17:02:26 -07:00
if ( index > maxindex )
return NULL ;
2016-05-20 17:03:36 -07:00
if ( ! child )
return NULL ;
2016-05-20 17:02:26 -07:00
2016-05-20 17:03:36 -07:00
if ( ! radix_tree_is_internal_node ( child ) ) {
2012-03-28 14:42:53 -07:00
/* Single-slot tree */
2016-05-20 17:02:26 -07:00
iter - > index = index ;
iter - > next_index = maxindex + 1 ;
2012-03-28 14:42:53 -07:00
iter - > tags = 1 ;
2016-12-14 15:08:55 -08:00
iter - > node = NULL ;
2016-05-20 17:03:36 -07:00
__set_iter_shift ( iter , 0 ) ;
2017-02-13 15:58:24 -05:00
return ( void __rcu * * ) & root - > rnode ;
2016-05-20 17:03:36 -07:00
}
2016-05-20 17:02:26 -07:00
2016-05-20 17:03:36 -07:00
do {
node = entry_to_node ( child ) ;
2016-05-20 17:03:48 -07:00
offset = radix_tree_descend ( node , & child , index ) ;
2016-05-20 17:02:26 -07:00
2012-03-28 14:42:53 -07:00
if ( ( flags & RADIX_TREE_ITER_TAGGED ) ?
2016-05-20 17:03:36 -07:00
! tag_get ( node , tag , offset ) : ! child ) {
2012-03-28 14:42:53 -07:00
/* Hole detected */
if ( flags & RADIX_TREE_ITER_CONTIG )
return NULL ;
if ( flags & RADIX_TREE_ITER_TAGGED )
2016-12-14 15:08:40 -08:00
offset = radix_tree_find_next_bit ( node , tag ,
2012-03-28 14:42:53 -07:00
offset + 1 ) ;
else
while ( + + offset < RADIX_TREE_MAP_SIZE ) {
2017-02-13 15:22:48 -05:00
void * slot = rcu_dereference_raw (
node - > slots [ offset ] ) ;
2016-05-20 17:02:26 -07:00
if ( is_sibling_entry ( node , slot ) )
continue ;
if ( slot )
2012-03-28 14:42:53 -07:00
break ;
}
2016-05-20 17:03:36 -07:00
index & = ~ node_maxindex ( node ) ;
2016-05-20 17:03:48 -07:00
index + = offset < < node - > shift ;
2012-03-28 14:42:53 -07:00
/* Overflow after ~0UL */
if ( ! index )
return NULL ;
if ( offset = = RADIX_TREE_MAP_SIZE )
goto restart ;
2016-05-20 17:03:36 -07:00
child = rcu_dereference_raw ( node - > slots [ offset ] ) ;
2012-03-28 14:42:53 -07:00
}
2016-12-14 15:09:01 -08:00
if ( ! child )
2012-03-28 14:42:53 -07:00
goto restart ;
2016-12-14 15:09:01 -08:00
if ( child = = RADIX_TREE_RETRY )
break ;
2016-05-20 17:03:36 -07:00
} while ( radix_tree_is_internal_node ( child ) ) ;
2012-03-28 14:42:53 -07:00
/* Update the iterator state */
2016-05-20 17:03:36 -07:00
iter - > index = ( index & ~ node_maxindex ( node ) ) | ( offset < < node - > shift ) ;
iter - > next_index = ( index | node_maxindex ( node ) ) + 1 ;
2016-12-14 15:08:55 -08:00
iter - > node = node ;
2016-05-20 17:03:48 -07:00
__set_iter_shift ( iter , node - > shift ) ;
2012-03-28 14:42:53 -07:00
2016-12-14 15:08:49 -08:00
if ( flags & RADIX_TREE_ITER_TAGGED )
set_iter_tags ( iter , node , offset , tag ) ;
2012-03-28 14:42:53 -07:00
return node - > slots + offset ;
}
EXPORT_SYMBOL ( radix_tree_next_chunk ) ;
2005-04-16 15:20:36 -07:00
/**
* radix_tree_gang_lookup - perform multiple lookup on a radix tree
* @ root : radix tree root
* @ results : where the results of the lookup are placed
* @ first_index : start the lookup from this key
* @ max_items : place up to this many items at * results
*
* Performs an index - ascending scan of the tree for present items . Places
* them at * @ results and returns the number of items which were placed at
* * @ results .
*
* The implementation is naive .
2006-12-06 20:33:44 -08:00
*
* Like radix_tree_lookup , radix_tree_gang_lookup may be called under
* rcu_read_lock . In this case , rather than the returned results being
2016-05-20 17:03:04 -07:00
* an atomic snapshot of the tree at a single point in time , the
* semantics of an RCU protected gang lookup are as though multiple
* radix_tree_lookups have been issued in individual locks , and results
* stored in ' results ' .
2005-04-16 15:20:36 -07:00
*/
unsigned int
2016-12-19 17:43:19 -05:00
radix_tree_gang_lookup ( const struct radix_tree_root * root , void * * results ,
2005-04-16 15:20:36 -07:00
unsigned long first_index , unsigned int max_items )
{
2012-03-28 14:42:53 -07:00
struct radix_tree_iter iter ;
2017-02-13 15:58:24 -05:00
void __rcu * * slot ;
2012-03-28 14:42:53 -07:00
unsigned int ret = 0 ;
2006-12-06 20:33:44 -08:00
2012-03-28 14:42:53 -07:00
if ( unlikely ( ! max_items ) )
2006-12-06 20:33:44 -08:00
return 0 ;
2005-04-16 15:20:36 -07:00
2012-03-28 14:42:53 -07:00
radix_tree_for_each_slot ( slot , root , & iter , first_index ) {
2016-02-02 16:57:52 -08:00
results [ ret ] = rcu_dereference_raw ( * slot ) ;
2012-03-28 14:42:53 -07:00
if ( ! results [ ret ] )
continue ;
2016-05-20 17:03:30 -07:00
if ( radix_tree_is_internal_node ( results [ ret ] ) ) {
2016-02-02 16:57:52 -08:00
slot = radix_tree_iter_retry ( & iter ) ;
continue ;
}
2012-03-28 14:42:53 -07:00
if ( + + ret = = max_items )
2005-04-16 15:20:36 -07:00
break ;
}
2006-12-06 20:33:44 -08:00
2005-04-16 15:20:36 -07:00
return ret ;
}
EXPORT_SYMBOL ( radix_tree_gang_lookup ) ;
2008-07-25 19:45:29 -07:00
/**
* radix_tree_gang_lookup_slot - perform multiple slot lookup on radix tree
* @ root : radix tree root
* @ results : where the results of the lookup are placed
radix_tree: exceptional entries and indices
A patchset to extend tmpfs to MAX_LFS_FILESIZE by abandoning its
peculiar swap vector, instead keeping a file's swap entries in the same
radix tree as its struct page pointers: thus saving memory, and
simplifying its code and locking.
This patch:
The radix_tree is used by several subsystems for different purposes. A
major use is to store the struct page pointers of a file's pagecache for
memory management. But what if mm wanted to store something other than
page pointers there too?
The low bit of a radix_tree entry is already used to denote an indirect
pointer, for internal use, and the unlikely radix_tree_deref_retry()
case.
Define the next bit as denoting an exceptional entry, and supply inline
functions radix_tree_exception() to return non-0 in either unlikely
case, and radix_tree_exceptional_entry() to return non-0 in the second
case.
If a subsystem already uses radix_tree with that bit set, no problem: it
does not affect internal workings at all, but is defined for the
convenience of those storing well-aligned pointers in the radix_tree.
The radix_tree_gang_lookups have an implicit assumption that the caller
can deduce the offset of each entry returned e.g. by the page->index of
a struct page. But that may not be feasible for some kinds of item to
be stored there.
radix_tree_gang_lookup_slot() allow for an optional indices argument,
output array in which to return those offsets. The same could be added
to other radix_tree_gang_lookups, but for now keep it to the only one
for which we need it.
Signed-off-by: Hugh Dickins <hughd@google.com>
Acked-by: Rik van Riel <riel@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-08-03 16:21:18 -07:00
* @ indices : where their indices should be placed ( but usually NULL )
2008-07-25 19:45:29 -07:00
* @ first_index : start the lookup from this key
* @ max_items : place up to this many items at * results
*
* Performs an index - ascending scan of the tree for present items . Places
* their slots at * @ results and returns the number of items which were
* placed at * @ results .
*
* The implementation is naive .
*
* Like radix_tree_gang_lookup as far as RCU and locking goes . Slots must
* be dereferenced with radix_tree_deref_slot , and if using only RCU
* protection , radix_tree_deref_slot may fail requiring a retry .
*/
unsigned int
2016-12-19 17:43:19 -05:00
radix_tree_gang_lookup_slot ( const struct radix_tree_root * root ,
2017-02-13 15:58:24 -05:00
void __rcu * * * results , unsigned long * indices ,
2008-07-25 19:45:29 -07:00
unsigned long first_index , unsigned int max_items )
{
2012-03-28 14:42:53 -07:00
struct radix_tree_iter iter ;
2017-02-13 15:58:24 -05:00
void __rcu * * slot ;
2012-03-28 14:42:53 -07:00
unsigned int ret = 0 ;
2008-07-25 19:45:29 -07:00
2012-03-28 14:42:53 -07:00
if ( unlikely ( ! max_items ) )
2008-07-25 19:45:29 -07:00
return 0 ;
2012-03-28 14:42:53 -07:00
radix_tree_for_each_slot ( slot , root , & iter , first_index ) {
results [ ret ] = slot ;
radix_tree: exceptional entries and indices
A patchset to extend tmpfs to MAX_LFS_FILESIZE by abandoning its
peculiar swap vector, instead keeping a file's swap entries in the same
radix tree as its struct page pointers: thus saving memory, and
simplifying its code and locking.
This patch:
The radix_tree is used by several subsystems for different purposes. A
major use is to store the struct page pointers of a file's pagecache for
memory management. But what if mm wanted to store something other than
page pointers there too?
The low bit of a radix_tree entry is already used to denote an indirect
pointer, for internal use, and the unlikely radix_tree_deref_retry()
case.
Define the next bit as denoting an exceptional entry, and supply inline
functions radix_tree_exception() to return non-0 in either unlikely
case, and radix_tree_exceptional_entry() to return non-0 in the second
case.
If a subsystem already uses radix_tree with that bit set, no problem: it
does not affect internal workings at all, but is defined for the
convenience of those storing well-aligned pointers in the radix_tree.
The radix_tree_gang_lookups have an implicit assumption that the caller
can deduce the offset of each entry returned e.g. by the page->index of
a struct page. But that may not be feasible for some kinds of item to
be stored there.
radix_tree_gang_lookup_slot() allow for an optional indices argument,
output array in which to return those offsets. The same could be added
to other radix_tree_gang_lookups, but for now keep it to the only one
for which we need it.
Signed-off-by: Hugh Dickins <hughd@google.com>
Acked-by: Rik van Riel <riel@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-08-03 16:21:18 -07:00
if ( indices )
2012-03-28 14:42:53 -07:00
indices [ ret ] = iter . index ;
if ( + + ret = = max_items )
2008-07-25 19:45:29 -07:00
break ;
}
return ret ;
}
EXPORT_SYMBOL ( radix_tree_gang_lookup_slot ) ;
2005-04-16 15:20:36 -07:00
/**
* radix_tree_gang_lookup_tag - perform multiple lookup on a radix tree
* based on a tag
* @ root : radix tree root
* @ results : where the results of the lookup are placed
* @ first_index : start the lookup from this key
* @ max_items : place up to this many items at * results
2006-03-25 03:08:05 -08:00
* @ tag : the tag index ( < RADIX_TREE_MAX_TAGS )
2005-04-16 15:20:36 -07:00
*
* Performs an index - ascending scan of the tree for present items which
* have the tag indexed by @ tag set . Places the items at * @ results and
* returns the number of items which were placed at * @ results .
*/
unsigned int
2016-12-19 17:43:19 -05:00
radix_tree_gang_lookup_tag ( const struct radix_tree_root * root , void * * results ,
2006-03-25 03:08:05 -08:00
unsigned long first_index , unsigned int max_items ,
unsigned int tag )
2005-04-16 15:20:36 -07:00
{
2012-03-28 14:42:53 -07:00
struct radix_tree_iter iter ;
2017-02-13 15:58:24 -05:00
void __rcu * * slot ;
2012-03-28 14:42:53 -07:00
unsigned int ret = 0 ;
2006-06-23 02:03:22 -07:00
2012-03-28 14:42:53 -07:00
if ( unlikely ( ! max_items ) )
2006-12-06 20:33:44 -08:00
return 0 ;
2012-03-28 14:42:53 -07:00
radix_tree_for_each_tagged ( slot , root , & iter , first_index , tag ) {
2016-02-02 16:57:52 -08:00
results [ ret ] = rcu_dereference_raw ( * slot ) ;
2012-03-28 14:42:53 -07:00
if ( ! results [ ret ] )
continue ;
2016-05-20 17:03:30 -07:00
if ( radix_tree_is_internal_node ( results [ ret ] ) ) {
2016-02-02 16:57:52 -08:00
slot = radix_tree_iter_retry ( & iter ) ;
continue ;
}
2012-03-28 14:42:53 -07:00
if ( + + ret = = max_items )
2005-04-16 15:20:36 -07:00
break ;
}
2006-12-06 20:33:44 -08:00
2005-04-16 15:20:36 -07:00
return ret ;
}
EXPORT_SYMBOL ( radix_tree_gang_lookup_tag ) ;
2008-07-25 19:45:29 -07:00
/**
* radix_tree_gang_lookup_tag_slot - perform multiple slot lookup on a
* radix tree based on a tag
* @ root : radix tree root
* @ results : where the results of the lookup are placed
* @ first_index : start the lookup from this key
* @ max_items : place up to this many items at * results
* @ tag : the tag index ( < RADIX_TREE_MAX_TAGS )
*
* Performs an index - ascending scan of the tree for present items which
* have the tag indexed by @ tag set . Places the slots at * @ results and
* returns the number of slots which were placed at * @ results .
*/
unsigned int
2016-12-19 17:43:19 -05:00
radix_tree_gang_lookup_tag_slot ( const struct radix_tree_root * root ,
2017-02-13 15:58:24 -05:00
void __rcu * * * results , unsigned long first_index ,
2016-12-19 17:43:19 -05:00
unsigned int max_items , unsigned int tag )
2008-07-25 19:45:29 -07:00
{
2012-03-28 14:42:53 -07:00
struct radix_tree_iter iter ;
2017-02-13 15:58:24 -05:00
void __rcu * * slot ;
2012-03-28 14:42:53 -07:00
unsigned int ret = 0 ;
2008-07-25 19:45:29 -07:00
2012-03-28 14:42:53 -07:00
if ( unlikely ( ! max_items ) )
2008-07-25 19:45:29 -07:00
return 0 ;
2012-03-28 14:42:53 -07:00
radix_tree_for_each_tagged ( slot , root , & iter , first_index , tag ) {
results [ ret ] = slot ;
if ( + + ret = = max_items )
2008-07-25 19:45:29 -07:00
break ;
}
return ret ;
}
EXPORT_SYMBOL ( radix_tree_gang_lookup_tag_slot ) ;
2014-04-03 14:47:54 -07:00
/**
* __radix_tree_delete_node - try to free node after clearing a slot
* @ root : radix tree root
* @ node : node containing @ index
mm: workingset: fix use-after-free in shadow node shrinker
Several people report seeing warnings about inconsistent radix tree
nodes followed by crashes in the workingset code, which all looked like
use-after-free access from the shadow node shrinker.
Dave Jones managed to reproduce the issue with a debug patch applied,
which confirmed that the radix tree shrinking indeed frees shadow nodes
while they are still linked to the shadow LRU:
WARNING: CPU: 2 PID: 53 at lib/radix-tree.c:643 delete_node+0x1e4/0x200
CPU: 2 PID: 53 Comm: kswapd0 Not tainted 4.10.0-rc2-think+ #3
Call Trace:
delete_node+0x1e4/0x200
__radix_tree_delete_node+0xd/0x10
shadow_lru_isolate+0xe6/0x220
__list_lru_walk_one.isra.4+0x9b/0x190
list_lru_walk_one+0x23/0x30
scan_shadow_nodes+0x2e/0x40
shrink_slab.part.44+0x23d/0x5d0
shrink_node+0x22c/0x330
kswapd+0x392/0x8f0
This is the WARN_ON_ONCE(!list_empty(&node->private_list)) placed in the
inlined radix_tree_shrink().
The problem is with 14b468791fa9 ("mm: workingset: move shadow entry
tracking to radix tree exceptional tracking"), which passes an update
callback into the radix tree to link and unlink shadow leaf nodes when
tree entries change, but forgot to pass the callback when reclaiming a
shadow node.
While the reclaimed shadow node itself is unlinked by the shrinker, its
deletion from the tree can cause the left-most leaf node in the tree to
be shrunk. If that happens to be a shadow node as well, we don't unlink
it from the LRU as we should.
Consider this tree, where the s are shadow entries:
root->rnode
|
[0 n]
| |
[s ] [sssss]
Now the shadow node shrinker reclaims the rightmost leaf node through
the shadow node LRU:
root->rnode
|
[0 ]
|
[s ]
Because the parent of the deleted node is the first level below the
root and has only one child in the left-most slot, the intermediate
level is shrunk and the node containing the single shadow is put in
its place:
root->rnode
|
[s ]
The shrinker again sees a single left-most slot in a first level node
and thus decides to store the shadow in root->rnode directly and free
the node - which is a leaf node on the shadow node LRU.
root->rnode
|
s
Without the update callback, the freed node remains on the shadow LRU,
where it causes later shrinker runs to crash.
Pass the node updater callback into __radix_tree_delete_node() in case
the deletion causes the left-most branch in the tree to collapse too.
Also add warnings when linked nodes are freed right away, rather than
wait for the use-after-free when the list is scanned much later.
Fixes: 14b468791fa9 ("mm: workingset: move shadow entry tracking to radix tree exceptional tracking")
Reported-by: Dave Chinner <david@fromorbit.com>
Reported-by: Hugh Dickins <hughd@google.com>
Reported-by: Andrea Arcangeli <aarcange@redhat.com>
Reported-and-tested-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Chris Leech <cleech@redhat.com>
Cc: Lee Duncan <lduncan@suse.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Matthew Wilcox <mawilcox@linuxonhyperv.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-01-06 19:21:43 -05:00
* @ update_node : callback for changing leaf nodes
2014-04-03 14:47:54 -07:00
*
* After clearing the slot at @ index in @ node from radix tree
* rooted at @ root , call this function to attempt freeing the
* node and shrinking the tree .
*/
2016-12-12 16:43:52 -08:00
void __radix_tree_delete_node ( struct radix_tree_root * root ,
mm: workingset: fix use-after-free in shadow node shrinker
Several people report seeing warnings about inconsistent radix tree
nodes followed by crashes in the workingset code, which all looked like
use-after-free access from the shadow node shrinker.
Dave Jones managed to reproduce the issue with a debug patch applied,
which confirmed that the radix tree shrinking indeed frees shadow nodes
while they are still linked to the shadow LRU:
WARNING: CPU: 2 PID: 53 at lib/radix-tree.c:643 delete_node+0x1e4/0x200
CPU: 2 PID: 53 Comm: kswapd0 Not tainted 4.10.0-rc2-think+ #3
Call Trace:
delete_node+0x1e4/0x200
__radix_tree_delete_node+0xd/0x10
shadow_lru_isolate+0xe6/0x220
__list_lru_walk_one.isra.4+0x9b/0x190
list_lru_walk_one+0x23/0x30
scan_shadow_nodes+0x2e/0x40
shrink_slab.part.44+0x23d/0x5d0
shrink_node+0x22c/0x330
kswapd+0x392/0x8f0
This is the WARN_ON_ONCE(!list_empty(&node->private_list)) placed in the
inlined radix_tree_shrink().
The problem is with 14b468791fa9 ("mm: workingset: move shadow entry
tracking to radix tree exceptional tracking"), which passes an update
callback into the radix tree to link and unlink shadow leaf nodes when
tree entries change, but forgot to pass the callback when reclaiming a
shadow node.
While the reclaimed shadow node itself is unlinked by the shrinker, its
deletion from the tree can cause the left-most leaf node in the tree to
be shrunk. If that happens to be a shadow node as well, we don't unlink
it from the LRU as we should.
Consider this tree, where the s are shadow entries:
root->rnode
|
[0 n]
| |
[s ] [sssss]
Now the shadow node shrinker reclaims the rightmost leaf node through
the shadow node LRU:
root->rnode
|
[0 ]
|
[s ]
Because the parent of the deleted node is the first level below the
root and has only one child in the left-most slot, the intermediate
level is shrunk and the node containing the single shadow is put in
its place:
root->rnode
|
[s ]
The shrinker again sees a single left-most slot in a first level node
and thus decides to store the shadow in root->rnode directly and free
the node - which is a leaf node on the shadow node LRU.
root->rnode
|
s
Without the update callback, the freed node remains on the shadow LRU,
where it causes later shrinker runs to crash.
Pass the node updater callback into __radix_tree_delete_node() in case
the deletion causes the left-most branch in the tree to collapse too.
Also add warnings when linked nodes are freed right away, rather than
wait for the use-after-free when the list is scanned much later.
Fixes: 14b468791fa9 ("mm: workingset: move shadow entry tracking to radix tree exceptional tracking")
Reported-by: Dave Chinner <david@fromorbit.com>
Reported-by: Hugh Dickins <hughd@google.com>
Reported-by: Andrea Arcangeli <aarcange@redhat.com>
Reported-and-tested-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Chris Leech <cleech@redhat.com>
Cc: Lee Duncan <lduncan@suse.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Matthew Wilcox <mawilcox@linuxonhyperv.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-01-06 19:21:43 -05:00
struct radix_tree_node * node ,
2017-11-15 17:37:41 -08:00
radix_tree_update_node_t update_node )
2014-04-03 14:47:54 -07:00
{
2017-11-15 17:37:41 -08:00
delete_node ( root , node , update_node ) ;
2014-04-03 14:47:54 -07:00
}
2017-01-28 09:56:22 -05:00
static bool __radix_tree_delete ( struct radix_tree_root * root ,
2017-02-13 15:58:24 -05:00
struct radix_tree_node * node , void __rcu * * slot )
2017-01-28 09:56:22 -05:00
{
2016-12-20 10:27:56 -05:00
void * old = rcu_dereference_raw ( * slot ) ;
int exceptional = radix_tree_exceptional_entry ( old ) ? - 1 : 0 ;
2017-01-28 09:56:22 -05:00
unsigned offset = get_slot_offset ( node , slot ) ;
int tag ;
2016-12-20 10:27:56 -05:00
if ( is_idr ( root ) )
node_tag_set ( root , node , IDR_FREE , offset ) ;
else
for ( tag = 0 ; tag < RADIX_TREE_MAX_TAGS ; tag + + )
node_tag_clear ( root , node , tag , offset ) ;
2017-01-28 09:56:22 -05:00
2016-12-20 10:27:56 -05:00
replace_slot ( slot , NULL , node , - 1 , exceptional ) ;
2017-11-15 17:37:41 -08:00
return node & & delete_node ( root , node , NULL ) ;
2017-01-28 09:56:22 -05:00
}
2005-04-16 15:20:36 -07:00
/**
2017-01-28 09:56:22 -05:00
* radix_tree_iter_delete - delete the entry at this iterator position
* @ root : radix tree root
* @ iter : iterator state
* @ slot : pointer to slot
2005-04-16 15:20:36 -07:00
*
2017-01-28 09:56:22 -05:00
* Delete the entry at the position currently pointed to by the iterator .
* This may result in the current node being freed ; if it is , the iterator
* is advanced so that it will not reference the freed memory . This
* function may be called without any locking if there are no other threads
* which can access this tree .
*/
void radix_tree_iter_delete ( struct radix_tree_root * root ,
2017-02-13 15:58:24 -05:00
struct radix_tree_iter * iter , void __rcu * * slot )
2017-01-28 09:56:22 -05:00
{
if ( __radix_tree_delete ( root , iter - > node , slot ) )
iter - > index = iter - > next_index ;
}
2017-08-16 09:52:08 +01:00
EXPORT_SYMBOL ( radix_tree_iter_delete ) ;
2017-01-28 09:56:22 -05:00
/**
* radix_tree_delete_item - delete an item from a radix tree
* @ root : radix tree root
* @ index : index key
* @ item : expected item
2005-04-16 15:20:36 -07:00
*
2017-01-28 09:56:22 -05:00
* Remove @ item at @ index from the radix tree rooted at @ root .
2005-04-16 15:20:36 -07:00
*
2017-01-28 09:56:22 -05:00
* Return : the deleted entry , or % NULL if it was not present
* or the entry at the given @ index was not @ item .
2005-04-16 15:20:36 -07:00
*/
2014-04-03 14:47:39 -07:00
void * radix_tree_delete_item ( struct radix_tree_root * root ,
unsigned long index , void * item )
2005-04-16 15:20:36 -07:00
{
2016-12-20 10:27:56 -05:00
struct radix_tree_node * node = NULL ;
2018-05-25 14:47:24 -07:00
void __rcu * * slot = NULL ;
2014-04-03 14:47:54 -07:00
void * entry ;
2005-04-16 15:20:36 -07:00
2014-04-03 14:47:54 -07:00
entry = __radix_tree_lookup ( root , index , & node , & slot ) ;
2018-05-25 14:47:24 -07:00
if ( ! slot )
return NULL ;
2016-12-20 10:27:56 -05:00
if ( ! entry & & ( ! is_idr ( root ) | | node_tag_get ( root , node , IDR_FREE ,
get_slot_offset ( node , slot ) ) ) )
2014-04-03 14:47:54 -07:00
return NULL ;
2005-04-16 15:20:36 -07:00
2014-04-03 14:47:54 -07:00
if ( item & & entry ! = item )
return NULL ;
2017-01-28 09:56:22 -05:00
__radix_tree_delete ( root , node , slot ) ;
2006-06-23 02:03:22 -07:00
2014-04-03 14:47:54 -07:00
return entry ;
2005-04-16 15:20:36 -07:00
}
2014-04-03 14:47:39 -07:00
EXPORT_SYMBOL ( radix_tree_delete_item ) ;
/**
2017-01-28 09:56:22 -05:00
* radix_tree_delete - delete an entry from a radix tree
* @ root : radix tree root
* @ index : index key
2014-04-03 14:47:39 -07:00
*
2017-01-28 09:56:22 -05:00
* Remove the entry at @ index from the radix tree rooted at @ root .
2014-04-03 14:47:39 -07:00
*
2017-01-28 09:56:22 -05:00
* Return : The deleted entry , or % NULL if it was not present .
2014-04-03 14:47:39 -07:00
*/
void * radix_tree_delete ( struct radix_tree_root * root , unsigned long index )
{
return radix_tree_delete_item ( root , index , NULL ) ;
}
2005-04-16 15:20:36 -07:00
EXPORT_SYMBOL ( radix_tree_delete ) ;
mm: filemap: don't plant shadow entries without radix tree node
When the underflow checks were added to workingset_node_shadow_dec(),
they triggered immediately:
kernel BUG at ./include/linux/swap.h:276!
invalid opcode: 0000 [#1] SMP
Modules linked in: isofs usb_storage fuse xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 tun nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_REJECT nf_reject_ipv6
soundcore wmi acpi_als pinctrl_sunrisepoint kfifo_buf tpm_tis industrialio acpi_pad pinctrl_intel tpm_tis_core tpm nfsd auth_rpcgss nfs_acl lockd grace sunrpc dm_crypt
CPU: 0 PID: 20929 Comm: blkid Not tainted 4.8.0-rc8-00087-gbe67d60ba944 #1
Hardware name: System manufacturer System Product Name/Z170-K, BIOS 1803 05/06/2016
task: ffff8faa93ecd940 task.stack: ffff8faa7f478000
RIP: page_cache_tree_insert+0xf1/0x100
Call Trace:
__add_to_page_cache_locked+0x12e/0x270
add_to_page_cache_lru+0x4e/0xe0
mpage_readpages+0x112/0x1d0
blkdev_readpages+0x1d/0x20
__do_page_cache_readahead+0x1ad/0x290
force_page_cache_readahead+0xaa/0x100
page_cache_sync_readahead+0x3f/0x50
generic_file_read_iter+0x5af/0x740
blkdev_read_iter+0x35/0x40
__vfs_read+0xe1/0x130
vfs_read+0x96/0x130
SyS_read+0x55/0xc0
entry_SYSCALL_64_fastpath+0x13/0x8f
Code: 03 00 48 8b 5d d8 65 48 33 1c 25 28 00 00 00 44 89 e8 75 19 48 83 c4 18 5b 41 5c 41 5d 41 5e 5d c3 0f 0b 41 bd ef ff ff ff eb d7 <0f> 0b e8 88 68 ef ff 0f 1f 84 00
RIP page_cache_tree_insert+0xf1/0x100
This is a long-standing bug in the way shadow entries are accounted in
the radix tree nodes. The shrinker needs to know when radix tree nodes
contain only shadow entries, no pages, so node->count is split in half
to count shadows in the upper bits and pages in the lower bits.
Unfortunately, the radix tree implementation doesn't know of this and
assumes all entries are in node->count. When there is a shadow entry
directly in root->rnode and the tree is later extended, the radix tree
implementation will copy that entry into the new node and and bump its
node->count, i.e. increases the page count bits. Once the shadow gets
removed and we subtract from the upper counter, node->count underflows
and triggers the warning. Afterwards, without node->count reaching 0
again, the radix tree node is leaked.
Limit shadow entries to when we have actual radix tree nodes and can
count them properly. That means we lose the ability to detect refaults
from files that had only the first page faulted in at eviction time.
Fixes: 449dd6984d0e ("mm: keep page cache radix tree nodes in check")
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Reported-and-tested-by: Linus Torvalds <torvalds@linux-foundation.org>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-10-04 22:02:08 +02:00
void radix_tree_clear_tags ( struct radix_tree_root * root ,
struct radix_tree_node * node ,
2017-02-13 15:58:24 -05:00
void __rcu * * slot )
2016-05-20 17:03:45 -07:00
{
if ( node ) {
unsigned int tag , offset = get_slot_offset ( node , slot ) ;
for ( tag = 0 ; tag < RADIX_TREE_MAX_TAGS ; tag + + )
node_tag_clear ( root , node , tag , offset ) ;
} else {
2016-12-20 10:27:56 -05:00
root_tag_clear_all ( root ) ;
2016-05-20 17:03:45 -07:00
}
}
2005-04-16 15:20:36 -07:00
/**
* radix_tree_tagged - test whether any items in the tree are tagged
* @ root : radix tree root
* @ tag : tag to test
*/
2016-12-19 17:43:19 -05:00
int radix_tree_tagged ( const struct radix_tree_root * root , unsigned int tag )
2005-04-16 15:20:36 -07:00
{
2006-06-23 02:03:22 -07:00
return root_tag_get ( root , tag ) ;
2005-04-16 15:20:36 -07:00
}
EXPORT_SYMBOL ( radix_tree_tagged ) ;
2016-12-20 10:27:56 -05:00
/**
* idr_preload - preload for idr_alloc ( )
* @ gfp_mask : allocation mask to use for preloading
*
* Preallocate memory to use for the next call to idr_alloc ( ) . This function
* returns with preemption disabled . It will be enabled by idr_preload_end ( ) .
*/
void idr_preload ( gfp_t gfp_mask )
{
2017-09-08 16:15:54 -07:00
if ( __radix_tree_preload ( gfp_mask , IDR_PRELOAD_SIZE ) )
preempt_disable ( ) ;
2016-12-20 10:27:56 -05:00
}
EXPORT_SYMBOL ( idr_preload ) ;
2016-12-16 11:55:56 -05:00
/**
* ida_pre_get - reserve resources for ida allocation
* @ ida : ida handle
* @ gfp : memory allocation flags
*
* This function should be called before calling ida_get_new_above ( ) . If it
* is unable to allocate memory , it will return % 0. On success , it returns % 1.
*/
int ida_pre_get ( struct ida * ida , gfp_t gfp )
{
/*
* The IDA API has no preload_end ( ) equivalent . Instead ,
* ida_get_new ( ) can return - EAGAIN , prompting the caller
* to return to the ida_pre_get ( ) step .
*/
2017-09-08 16:15:54 -07:00
if ( ! __radix_tree_preload ( gfp , IDA_PRELOAD_SIZE ) )
preempt_enable ( ) ;
2016-12-16 11:55:56 -05:00
if ( ! this_cpu_read ( ida_bitmap ) ) {
2018-02-21 14:45:43 -08:00
struct ida_bitmap * bitmap = kzalloc ( sizeof ( * bitmap ) , gfp ) ;
2016-12-16 11:55:56 -05:00
if ( ! bitmap )
return 0 ;
2017-03-03 12:16:10 -05:00
if ( this_cpu_cmpxchg ( ida_bitmap , NULL , bitmap ) )
kfree ( bitmap ) ;
2016-12-16 11:55:56 -05:00
}
return 1 ;
}
EXPORT_SYMBOL ( ida_pre_get ) ;
2017-11-28 15:16:24 -05:00
void __rcu * * idr_get_free ( struct radix_tree_root * root ,
idr: Add new APIs to support unsigned long
The following new APIs are added:
int idr_alloc_ext(struct idr *idr, void *ptr, unsigned long *index,
unsigned long start, unsigned long end, gfp_t gfp);
void *idr_remove_ext(struct idr *idr, unsigned long id);
void *idr_find_ext(const struct idr *idr, unsigned long id);
void *idr_replace_ext(struct idr *idr, void *ptr, unsigned long id);
void *idr_get_next_ext(struct idr *idr, unsigned long *nextid);
Signed-off-by: Chris Mi <chrism@mellanox.com>
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-30 02:31:57 -04:00
struct radix_tree_iter * iter , gfp_t gfp ,
unsigned long max )
2016-12-20 10:27:56 -05:00
{
struct radix_tree_node * node = NULL , * child ;
2017-02-13 15:58:24 -05:00
void __rcu * * slot = ( void __rcu * * ) & root - > rnode ;
2016-12-20 10:27:56 -05:00
unsigned long maxindex , start = iter - > next_index ;
unsigned int shift , offset = 0 ;
grow :
shift = radix_tree_load_root ( root , & child , & maxindex ) ;
if ( ! radix_tree_tagged ( root , IDR_FREE ) )
start = max ( start , maxindex + 1 ) ;
if ( start > max )
return ERR_PTR ( - ENOSPC ) ;
if ( start > maxindex ) {
int error = radix_tree_extend ( root , gfp , start , shift ) ;
if ( error < 0 )
return ERR_PTR ( error ) ;
shift = error ;
child = rcu_dereference_raw ( root - > rnode ) ;
}
while ( shift ) {
shift - = RADIX_TREE_MAP_SHIFT ;
if ( child = = NULL ) {
/* Have to add a child node. */
2017-01-16 17:10:21 -05:00
child = radix_tree_node_alloc ( gfp , node , root , shift ,
offset , 0 , 0 ) ;
2016-12-20 10:27:56 -05:00
if ( ! child )
return ERR_PTR ( - ENOMEM ) ;
all_tag_set ( child , IDR_FREE ) ;
rcu_assign_pointer ( * slot , node_to_entry ( child ) ) ;
if ( node )
node - > count + + ;
} else if ( ! radix_tree_is_internal_node ( child ) )
break ;
node = entry_to_node ( child ) ;
offset = radix_tree_descend ( node , & child , start ) ;
if ( ! tag_get ( node , IDR_FREE , offset ) ) {
offset = radix_tree_find_next_bit ( node , IDR_FREE ,
offset + 1 ) ;
start = next_index ( start , node , offset ) ;
if ( start > max )
return ERR_PTR ( - ENOSPC ) ;
while ( offset = = RADIX_TREE_MAP_SIZE ) {
offset = node - > offset + 1 ;
node = node - > parent ;
if ( ! node )
goto grow ;
shift = node - > shift ;
}
child = rcu_dereference_raw ( node - > slots [ offset ] ) ;
}
slot = & node - > slots [ offset ] ;
}
iter - > index = start ;
if ( node )
iter - > next_index = 1 + min ( max , ( start | node_maxindex ( node ) ) ) ;
else
iter - > next_index = 1 ;
iter - > node = node ;
__set_iter_shift ( iter , shift ) ;
set_iter_tags ( iter , node , offset , IDR_FREE ) ;
return slot ;
}
/**
* idr_destroy - release all internal memory from an IDR
* @ idr : idr handle
*
* After this function is called , the IDR is empty , and may be reused or
* the data structure containing it may be freed .
*
* A typical clean - up sequence for objects stored in an idr tree will use
* idr_for_each ( ) to free all objects , if necessary , then idr_destroy ( ) to
* free the memory used to keep track of those objects .
*/
void idr_destroy ( struct idr * idr )
{
struct radix_tree_node * node = rcu_dereference_raw ( idr - > idr_rt . rnode ) ;
if ( radix_tree_is_internal_node ( node ) )
radix_tree_free_nodes ( node ) ;
idr - > idr_rt . rnode = NULL ;
root_tag_set ( & idr - > idr_rt , IDR_FREE ) ;
}
EXPORT_SYMBOL ( idr_destroy ) ;
2005-04-16 15:20:36 -07:00
static void
mm: keep page cache radix tree nodes in check
Previously, page cache radix tree nodes were freed after reclaim emptied
out their page pointers. But now reclaim stores shadow entries in their
place, which are only reclaimed when the inodes themselves are
reclaimed. This is problematic for bigger files that are still in use
after they have a significant amount of their cache reclaimed, without
any of those pages actually refaulting. The shadow entries will just
sit there and waste memory. In the worst case, the shadow entries will
accumulate until the machine runs out of memory.
To get this under control, the VM will track radix tree nodes
exclusively containing shadow entries on a per-NUMA node list. Per-NUMA
rather than global because we expect the radix tree nodes themselves to
be allocated node-locally and we want to reduce cross-node references of
otherwise independent cache workloads. A simple shrinker will then
reclaim these nodes on memory pressure.
A few things need to be stored in the radix tree node to implement the
shadow node LRU and allow tree deletions coming from the list:
1. There is no index available that would describe the reverse path
from the node up to the tree root, which is needed to perform a
deletion. To solve this, encode in each node its offset inside the
parent. This can be stored in the unused upper bits of the same
member that stores the node's height at no extra space cost.
2. The number of shadow entries needs to be counted in addition to the
regular entries, to quickly detect when the node is ready to go to
the shadow node LRU list. The current entry count is an unsigned
int but the maximum number of entries is 64, so a shadow counter
can easily be stored in the unused upper bits.
3. Tree modification needs tree lock and tree root, which are located
in the address space, so store an address_space backpointer in the
node. The parent pointer of the node is in a union with the 2-word
rcu_head, so the backpointer comes at no extra cost as well.
4. The node needs to be linked to an LRU list, which requires a list
head inside the node. This does increase the size of the node, but
it does not change the number of objects that fit into a slab page.
[akpm@linux-foundation.org: export the right function]
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Reviewed-by: Rik van Riel <riel@redhat.com>
Reviewed-by: Minchan Kim <minchan@kernel.org>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Bob Liu <bob.liu@oracle.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Greg Thelen <gthelen@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Jan Kara <jack@suse.cz>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Luigi Semenzato <semenzato@google.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Metin Doslu <metin@citusdata.com>
Cc: Michel Lespinasse <walken@google.com>
Cc: Ozgun Erdogan <ozgun@citusdata.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Roman Gushchin <klamm@yandex-team.ru>
Cc: Ryan Mallon <rmallon@gmail.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-04-03 14:47:56 -07:00
radix_tree_node_ctor ( void * arg )
2005-04-16 15:20:36 -07:00
{
mm: keep page cache radix tree nodes in check
Previously, page cache radix tree nodes were freed after reclaim emptied
out their page pointers. But now reclaim stores shadow entries in their
place, which are only reclaimed when the inodes themselves are
reclaimed. This is problematic for bigger files that are still in use
after they have a significant amount of their cache reclaimed, without
any of those pages actually refaulting. The shadow entries will just
sit there and waste memory. In the worst case, the shadow entries will
accumulate until the machine runs out of memory.
To get this under control, the VM will track radix tree nodes
exclusively containing shadow entries on a per-NUMA node list. Per-NUMA
rather than global because we expect the radix tree nodes themselves to
be allocated node-locally and we want to reduce cross-node references of
otherwise independent cache workloads. A simple shrinker will then
reclaim these nodes on memory pressure.
A few things need to be stored in the radix tree node to implement the
shadow node LRU and allow tree deletions coming from the list:
1. There is no index available that would describe the reverse path
from the node up to the tree root, which is needed to perform a
deletion. To solve this, encode in each node its offset inside the
parent. This can be stored in the unused upper bits of the same
member that stores the node's height at no extra space cost.
2. The number of shadow entries needs to be counted in addition to the
regular entries, to quickly detect when the node is ready to go to
the shadow node LRU list. The current entry count is an unsigned
int but the maximum number of entries is 64, so a shadow counter
can easily be stored in the unused upper bits.
3. Tree modification needs tree lock and tree root, which are located
in the address space, so store an address_space backpointer in the
node. The parent pointer of the node is in a union with the 2-word
rcu_head, so the backpointer comes at no extra cost as well.
4. The node needs to be linked to an LRU list, which requires a list
head inside the node. This does increase the size of the node, but
it does not change the number of objects that fit into a slab page.
[akpm@linux-foundation.org: export the right function]
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Reviewed-by: Rik van Riel <riel@redhat.com>
Reviewed-by: Minchan Kim <minchan@kernel.org>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Bob Liu <bob.liu@oracle.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Greg Thelen <gthelen@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Jan Kara <jack@suse.cz>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Luigi Semenzato <semenzato@google.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Metin Doslu <metin@citusdata.com>
Cc: Michel Lespinasse <walken@google.com>
Cc: Ozgun Erdogan <ozgun@citusdata.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Roman Gushchin <klamm@yandex-team.ru>
Cc: Ryan Mallon <rmallon@gmail.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-04-03 14:47:56 -07:00
struct radix_tree_node * node = arg ;
memset ( node , 0 , sizeof ( * node ) ) ;
INIT_LIST_HEAD ( & node - > private_list ) ;
2005-04-16 15:20:36 -07:00
}
2016-07-26 15:26:02 -07:00
static __init unsigned long __maxindex ( unsigned int height )
{
unsigned int width = height * RADIX_TREE_MAP_SHIFT ;
int shift = RADIX_TREE_INDEX_BITS - width ;
if ( shift < 0 )
return ~ 0UL ;
if ( shift > = BITS_PER_LONG )
return 0UL ;
return ~ 0UL > > shift ;
}
static __init void radix_tree_init_maxnodes ( void )
{
unsigned long height_to_maxindex [ RADIX_TREE_MAX_PATH + 1 ] ;
unsigned int i , j ;
for ( i = 0 ; i < ARRAY_SIZE ( height_to_maxindex ) ; i + + )
height_to_maxindex [ i ] = __maxindex ( i ) ;
for ( i = 0 ; i < ARRAY_SIZE ( height_to_maxnodes ) ; i + + ) {
for ( j = i ; j > 0 ; j - - )
height_to_maxnodes [ i ] + = height_to_maxindex [ j - 1 ] + 1 ;
}
}
2016-11-03 15:50:01 +01:00
static int radix_tree_cpu_dead ( unsigned int cpu )
2005-04-16 15:20:36 -07:00
{
2016-05-20 17:03:04 -07:00
struct radix_tree_preload * rtp ;
struct radix_tree_node * node ;
/* Free per-cpu pool of preloaded nodes */
2016-11-03 15:50:01 +01:00
rtp = & per_cpu ( radix_tree_preloads , cpu ) ;
while ( rtp - > nr ) {
node = rtp - > nodes ;
2017-01-16 16:41:29 -05:00
rtp - > nodes = node - > parent ;
2016-11-03 15:50:01 +01:00
kmem_cache_free ( radix_tree_node_cachep , node ) ;
rtp - > nr - - ;
2016-05-20 17:03:04 -07:00
}
2016-12-16 11:55:56 -05:00
kfree ( per_cpu ( ida_bitmap , cpu ) ) ;
per_cpu ( ida_bitmap , cpu ) = NULL ;
2016-11-03 15:50:01 +01:00
return 0 ;
2005-04-16 15:20:36 -07:00
}
void __init radix_tree_init ( void )
{
2016-11-03 15:50:01 +01:00
int ret ;
2017-05-03 14:53:09 -07:00
BUILD_BUG_ON ( RADIX_TREE_MAX_TAGS + __GFP_BITS_SHIFT > 32 ) ;
radix tree: use GFP_ZONEMASK bits of gfp_t for flags
Patch series "XArray", v9. (First part thereof).
This patchset is, I believe, appropriate for merging for 4.17. It
contains the XArray implementation, to eventually replace the radix
tree, and converts the page cache to use it.
This conversion keeps the radix tree and XArray data structures in sync
at all times. That allows us to convert the page cache one function at
a time and should allow for easier bisection. Other than renaming some
elements of the structures, the data structures are fundamentally
unchanged; a radix tree walk and an XArray walk will touch the same
number of cachelines. I have changes planned to the XArray data
structure, but those will happen in future patches.
Improvements the XArray has over the radix tree:
- The radix tree provides operations like other trees do; 'insert' and
'delete'. But what most users really want is an automatically
resizing array, and so it makes more sense to give users an API that
is like an array -- 'load' and 'store'. We still have an 'insert'
operation for users that really want that semantic.
- The XArray considers locking as part of its API. This simplifies a
lot of users who formerly had to manage their own locking just for
the radix tree. It also improves code generation as we can now tell
RCU that we're holding a lock and it doesn't need to generate as much
fencing code. The other advantage is that tree nodes can be moved
(not yet implemented).
- GFP flags are now parameters to calls which may need to allocate
memory. The radix tree forced users to decide what the allocation
flags would be at creation time. It's much clearer to specify them at
allocation time.
- Memory is not preloaded; we don't tie up dozens of pages on the off
chance that the slab allocator fails. Instead, we drop the lock,
allocate a new node and retry the operation. We have to convert all
the radix tree, IDA and IDR preload users before we can realise this
benefit, but I have not yet found a user which cannot be converted.
- The XArray provides a cmpxchg operation. The radix tree forces users
to roll their own (and at least four have).
- Iterators take a 'max' parameter. That simplifies many users and will
reduce the amount of iteration done.
- Iteration can proceed backwards. We only have one user for this, but
since it's called as part of the pagefault readahead algorithm, that
seemed worth mentioning.
- RCU-protected pointers are not exposed as part of the API. There are
some fun bugs where the page cache forgets to use rcu_dereference()
in the current codebase.
- Value entries gain an extra bit compared to radix tree exceptional
entries. That gives us the extra bit we need to put huge page swap
entries in the page cache.
- Some iterators now take a 'filter' argument instead of having
separate iterators for tagged/untagged iterations.
The page cache is improved by this:
- Shorter, easier to read code
- More efficient iterations
- Reduction in size of struct address_space
- Fewer walks from the top of the data structure; the XArray API
encourages staying at the leaf node and conducting operations there.
This patch (of 8):
None of these bits may be used for slab allocations, so we can use them
as radix tree flags as long as we mask them off before passing them to
the slab allocator. Move the IDR flag from the high bits to the
GFP_ZONEMASK bits.
Link: http://lkml.kernel.org/r/20180313132639.17387-3-willy@infradead.org
Signed-off-by: Matthew Wilcox <mawilcox@microsoft.com>
Acked-by: Jeff Layton <jlayton@kernel.org>
Cc: Darrick J. Wong <darrick.wong@oracle.com>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2018-04-10 16:36:28 -07:00
BUILD_BUG_ON ( ROOT_IS_IDR & ~ GFP_ZONEMASK ) ;
2005-04-16 15:20:36 -07:00
radix_tree_node_cachep = kmem_cache_create ( " radix_tree_node " ,
sizeof ( struct radix_tree_node ) , 0 ,
2008-04-28 02:12:05 -07:00
SLAB_PANIC | SLAB_RECLAIM_ACCOUNT ,
radix_tree_node_ctor ) ;
2016-07-26 15:26:02 -07:00
radix_tree_init_maxnodes ( ) ;
2016-11-03 15:50:01 +01:00
ret = cpuhp_setup_state_nocalls ( CPUHP_RADIX_DEAD , " lib/radix:dead " ,
NULL , radix_tree_cpu_dead ) ;
WARN_ON ( ret < 0 ) ;
2005-04-16 15:20:36 -07:00
}