2005-04-17 02:20:36 +04:00
/*
* Copyright ( C ) 2001 Momchil Velikov
* Portions Copyright ( C ) 2001 Christoph Hellwig
2008-07-04 20:59:22 +04:00
* Copyright ( C ) 2005 SGI , Christoph Lameter
2006-12-07 07:33:44 +03:00
* Copyright ( C ) 2006 Nick Piggin
2012-03-29 01:42:53 +04:00
* Copyright ( C ) 2012 Konstantin Khlebnikov
2016-05-21 03:02:58 +03:00
* Copyright ( C ) 2016 Intel , Matthew Wilcox
* Copyright ( C ) 2016 Intel , Ross Zwisler
2005-04-17 02:20:36 +04:00
*
* This program is free software ; you can redistribute it and / or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation ; either version 2 , or ( at
* your option ) any later version .
*
* This program is distributed in the hope that it will be useful , but
* WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the GNU
* General Public License for more details .
*
* You should have received a copy of the GNU General Public License
* along with this program ; if not , write to the Free Software
* Foundation , Inc . , 675 Mass Ave , Cambridge , MA 0213 9 , USA .
*/
2016-12-15 02:09:01 +03:00
# include <linux/cpu.h>
2005-04-17 02:20:36 +04:00
# include <linux/errno.h>
# include <linux/init.h>
# include <linux/kernel.h>
2011-11-17 06:29:17 +04:00
# include <linux/export.h>
2005-04-17 02:20:36 +04:00
# include <linux/radix-tree.h>
# include <linux/percpu.h>
# include <linux/slab.h>
2014-06-07 01:38:18 +04:00
# include <linux/kmemleak.h>
2005-04-17 02:20:36 +04:00
# include <linux/cpu.h>
# include <linux/string.h>
# include <linux/bitops.h>
2006-12-07 07:33:44 +03:00
# include <linux/rcupdate.h>
sched/preempt: Merge preempt_mask.h into preempt.h
preempt_mask.h defines all the preempt_count semantics and related
symbols: preempt, softirq, hardirq, nmi, preempt active, need resched,
etc...
preempt.h defines the accessors and mutators of preempt_count.
But there is a messy dependency game around those two header files:
* preempt_mask.h includes preempt.h in order to access preempt_count()
* preempt_mask.h defines all preempt_count semantic and symbols
except PREEMPT_NEED_RESCHED that is needed by asm/preempt.h
Thus we need to define it from preempt.h, right before including
asm/preempt.h, instead of defining it to preempt_mask.h with the
other preempt_count symbols. Therefore the preempt_count semantics
happen to be spread out.
* We plan to introduce preempt_active_[enter,exit]() to consolidate
preempt_schedule*() code. But we'll need to access both preempt_count
mutators (preempt_count_add()) and preempt_count symbols
(PREEMPT_ACTIVE, PREEMPT_OFFSET). The usual place to define preempt
operations is in preempt.h but then we'll need symbols in
preempt_mask.h which already includes preempt.h. So we end up with
a ressource circle dependency.
Lets merge preempt_mask.h into preempt.h to solve these dependency issues.
This way we gather semantic symbols and operation definition of
preempt_count in a single file.
This is a dumb copy-paste merge. Further merge re-arrangments are
performed in a subsequent patch to ease review.
Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/1431441711-29753-2-git-send-email-fweisbec@gmail.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2015-05-12 17:41:46 +03:00
# include <linux/preempt.h> /* in_interrupt() */
2005-04-17 02:20:36 +04:00
2016-07-27 01:26:02 +03:00
/* Number of nodes in fully populated tree of given height */
static unsigned long height_to_maxnodes [ RADIX_TREE_MAX_PATH + 1 ] __read_mostly ;
2005-04-17 02:20:36 +04:00
/*
* Radix tree node cache .
*/
2006-12-07 07:33:20 +03:00
static struct kmem_cache * radix_tree_node_cachep ;
2005-04-17 02:20:36 +04:00
2012-05-30 02:07:34 +04:00
/*
* The radix tree is variable - height , so an insert operation not only has
* to build the branch to its corresponding item , it also has to build the
* branch to existing items if the size has to be increased ( by
* radix_tree_extend ) .
*
* The worst case is a zero height tree with just a single item at index 0 ,
* and then inserting an item at index ULONG_MAX . This requires 2 new branches
* of RADIX_TREE_MAX_PATH size to be created , with only the root node shared .
* Hence :
*/
# define RADIX_TREE_PRELOAD_SIZE (RADIX_TREE_MAX_PATH * 2 - 1)
2005-04-17 02:20:36 +04:00
/*
* Per - cpu pool of preloaded nodes
*/
struct radix_tree_preload {
2016-05-21 03:03:04 +03:00
unsigned nr ;
2015-06-26 01:02:19 +03:00
/* nodes->private_data points to next preallocated node */
struct radix_tree_node * nodes ;
2005-04-17 02:20:36 +04:00
} ;
2009-01-07 01:40:50 +03:00
static DEFINE_PER_CPU ( struct radix_tree_preload , radix_tree_preloads ) = { 0 , } ;
2005-04-17 02:20:36 +04:00
2016-12-15 02:08:49 +03:00
static inline struct radix_tree_node * entry_to_node ( void * ptr )
{
return ( void * ) ( ( unsigned long ) ptr & ~ RADIX_TREE_INTERNAL_NODE ) ;
}
2016-05-21 03:03:24 +03:00
static inline void * node_to_entry ( void * ptr )
2010-11-12 01:05:19 +03:00
{
2016-05-21 03:03:22 +03:00
return ( void * ) ( ( unsigned long ) ptr | RADIX_TREE_INTERNAL_NODE ) ;
2010-11-12 01:05:19 +03:00
}
2016-05-21 03:03:24 +03:00
# define RADIX_TREE_RETRY node_to_entry(NULL)
2016-05-21 03:02:17 +03:00
2016-05-21 03:01:57 +03:00
# ifdef CONFIG_RADIX_TREE_MULTIORDER
/* Sibling slots point directly to another slot in the same node */
static inline bool is_sibling_entry ( struct radix_tree_node * parent , void * node )
{
void * * ptr = node ;
return ( parent - > slots < = ptr ) & &
( ptr < parent - > slots + RADIX_TREE_MAP_SIZE ) ;
}
# else
static inline bool is_sibling_entry ( struct radix_tree_node * parent , void * node )
{
return false ;
}
# endif
static inline unsigned long get_slot_offset ( struct radix_tree_node * parent ,
void * * slot )
{
return slot - parent - > slots ;
}
2016-05-21 03:03:48 +03:00
static unsigned int radix_tree_descend ( struct radix_tree_node * parent ,
struct radix_tree_node * * nodep , unsigned long index )
2016-05-21 03:01:57 +03:00
{
2016-05-21 03:03:48 +03:00
unsigned int offset = ( index > > parent - > shift ) & RADIX_TREE_MAP_MASK ;
2016-05-21 03:01:57 +03:00
void * * entry = rcu_dereference_raw ( parent - > slots [ offset ] ) ;
# ifdef CONFIG_RADIX_TREE_MULTIORDER
2016-05-21 03:03:30 +03:00
if ( radix_tree_is_internal_node ( entry ) ) {
2016-09-25 23:32:46 +03:00
if ( is_sibling_entry ( parent , entry ) ) {
void * * sibentry = ( void * * ) entry_to_node ( entry ) ;
offset = get_slot_offset ( parent , sibentry ) ;
entry = rcu_dereference_raw ( * sibentry ) ;
2016-05-21 03:01:57 +03:00
}
}
# endif
* nodep = ( void * ) entry ;
return offset ;
}
2006-06-23 13:03:22 +04:00
static inline gfp_t root_gfp_mask ( struct radix_tree_root * root )
{
return root - > gfp_mask & __GFP_BITS_MASK ;
}
radix-tree: fix small lockless radix-tree bug
We shrink a radix tree when its root node has only one child, in the left
most slot. The child becomes the new root node. To perform this
operation in a manner compatible with concurrent lockless lookups, we
atomically switch the root pointer from the parent to its child.
However a concurrent lockless lookup may now have loaded a pointer to the
parent (and is presently deciding what to do next). For this reason, we
also have to keep the parent node in a valid state after shrinking the
tree, until the next RCU grace period -- otherwise this lookup with the
parent pointer may not do the right thing. Notably, we need to keep the
child in the left most slot there in case that is requested by the lookup.
This is all pretty standard RCU stuff. It is worth repeating because in
my eagerness to obey the radix tree node constructor scheme, I had broken
it by zeroing the radix tree node before the grace period.
What could happen is that a lookup can load the parent pointer, then
decide it wants to follow the left most child slot, only to find the slot
contained NULL due to the concurrent shrinker having zeroed the parent
node before waiting for a grace period. The lookup would return a false
negative as a result.
Fix it by doing that clearing in the RCU callback. I would normally want
to rip out the constructor entirely, but radix tree nodes are one of those
places where they make sense (only few cachelines will be touched soon
after allocation).
This was never actually found in any lockless pagecache testing or by the
test harness, but by seeing the odd problem with my scalable vmap rewrite.
I have not tickled the test harness into reproducing it yet, but I'll
keep working at it.
Fortunately, it is not a problem anywhere lockless pagecache is used in
mainline kernels (pagecache probe is not a guarantee, and brd does not
have concurrent lookups and deletes).
Signed-off-by: Nick Piggin <npiggin@suse.de>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-06-13 02:21:52 +04:00
static inline void tag_set ( struct radix_tree_node * node , unsigned int tag ,
int offset )
{
__set_bit ( offset , node - > tags [ tag ] ) ;
}
static inline void tag_clear ( struct radix_tree_node * node , unsigned int tag ,
int offset )
{
__clear_bit ( offset , node - > tags [ tag ] ) ;
}
static inline int tag_get ( struct radix_tree_node * node , unsigned int tag ,
int offset )
{
return test_bit ( offset , node - > tags [ tag ] ) ;
}
static inline void root_tag_set ( struct radix_tree_root * root , unsigned int tag )
{
root - > gfp_mask | = ( __force gfp_t ) ( 1 < < ( tag + __GFP_BITS_SHIFT ) ) ;
}
2016-05-21 03:03:04 +03:00
static inline void root_tag_clear ( struct radix_tree_root * root , unsigned tag )
radix-tree: fix small lockless radix-tree bug
We shrink a radix tree when its root node has only one child, in the left
most slot. The child becomes the new root node. To perform this
operation in a manner compatible with concurrent lockless lookups, we
atomically switch the root pointer from the parent to its child.
However a concurrent lockless lookup may now have loaded a pointer to the
parent (and is presently deciding what to do next). For this reason, we
also have to keep the parent node in a valid state after shrinking the
tree, until the next RCU grace period -- otherwise this lookup with the
parent pointer may not do the right thing. Notably, we need to keep the
child in the left most slot there in case that is requested by the lookup.
This is all pretty standard RCU stuff. It is worth repeating because in
my eagerness to obey the radix tree node constructor scheme, I had broken
it by zeroing the radix tree node before the grace period.
What could happen is that a lookup can load the parent pointer, then
decide it wants to follow the left most child slot, only to find the slot
contained NULL due to the concurrent shrinker having zeroed the parent
node before waiting for a grace period. The lookup would return a false
negative as a result.
Fix it by doing that clearing in the RCU callback. I would normally want
to rip out the constructor entirely, but radix tree nodes are one of those
places where they make sense (only few cachelines will be touched soon
after allocation).
This was never actually found in any lockless pagecache testing or by the
test harness, but by seeing the odd problem with my scalable vmap rewrite.
I have not tickled the test harness into reproducing it yet, but I'll
keep working at it.
Fortunately, it is not a problem anywhere lockless pagecache is used in
mainline kernels (pagecache probe is not a guarantee, and brd does not
have concurrent lookups and deletes).
Signed-off-by: Nick Piggin <npiggin@suse.de>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-06-13 02:21:52 +04:00
{
root - > gfp_mask & = ( __force gfp_t ) ~ ( 1 < < ( tag + __GFP_BITS_SHIFT ) ) ;
}
static inline void root_tag_clear_all ( struct radix_tree_root * root )
{
root - > gfp_mask & = __GFP_BITS_MASK ;
}
static inline int root_tag_get ( struct radix_tree_root * root , unsigned int tag )
{
2016-05-21 03:03:04 +03:00
return ( __force int ) root - > gfp_mask & ( 1 < < ( tag + __GFP_BITS_SHIFT ) ) ;
radix-tree: fix small lockless radix-tree bug
We shrink a radix tree when its root node has only one child, in the left
most slot. The child becomes the new root node. To perform this
operation in a manner compatible with concurrent lockless lookups, we
atomically switch the root pointer from the parent to its child.
However a concurrent lockless lookup may now have loaded a pointer to the
parent (and is presently deciding what to do next). For this reason, we
also have to keep the parent node in a valid state after shrinking the
tree, until the next RCU grace period -- otherwise this lookup with the
parent pointer may not do the right thing. Notably, we need to keep the
child in the left most slot there in case that is requested by the lookup.
This is all pretty standard RCU stuff. It is worth repeating because in
my eagerness to obey the radix tree node constructor scheme, I had broken
it by zeroing the radix tree node before the grace period.
What could happen is that a lookup can load the parent pointer, then
decide it wants to follow the left most child slot, only to find the slot
contained NULL due to the concurrent shrinker having zeroed the parent
node before waiting for a grace period. The lookup would return a false
negative as a result.
Fix it by doing that clearing in the RCU callback. I would normally want
to rip out the constructor entirely, but radix tree nodes are one of those
places where they make sense (only few cachelines will be touched soon
after allocation).
This was never actually found in any lockless pagecache testing or by the
test harness, but by seeing the odd problem with my scalable vmap rewrite.
I have not tickled the test harness into reproducing it yet, but I'll
keep working at it.
Fortunately, it is not a problem anywhere lockless pagecache is used in
mainline kernels (pagecache probe is not a guarantee, and brd does not
have concurrent lookups and deletes).
Signed-off-by: Nick Piggin <npiggin@suse.de>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-06-13 02:21:52 +04:00
}
2016-05-21 03:02:23 +03:00
static inline unsigned root_tags_get ( struct radix_tree_root * root )
{
return ( __force unsigned ) root - > gfp_mask > > __GFP_BITS_SHIFT ;
}
radix-tree: fix small lockless radix-tree bug
We shrink a radix tree when its root node has only one child, in the left
most slot. The child becomes the new root node. To perform this
operation in a manner compatible with concurrent lockless lookups, we
atomically switch the root pointer from the parent to its child.
However a concurrent lockless lookup may now have loaded a pointer to the
parent (and is presently deciding what to do next). For this reason, we
also have to keep the parent node in a valid state after shrinking the
tree, until the next RCU grace period -- otherwise this lookup with the
parent pointer may not do the right thing. Notably, we need to keep the
child in the left most slot there in case that is requested by the lookup.
This is all pretty standard RCU stuff. It is worth repeating because in
my eagerness to obey the radix tree node constructor scheme, I had broken
it by zeroing the radix tree node before the grace period.
What could happen is that a lookup can load the parent pointer, then
decide it wants to follow the left most child slot, only to find the slot
contained NULL due to the concurrent shrinker having zeroed the parent
node before waiting for a grace period. The lookup would return a false
negative as a result.
Fix it by doing that clearing in the RCU callback. I would normally want
to rip out the constructor entirely, but radix tree nodes are one of those
places where they make sense (only few cachelines will be touched soon
after allocation).
This was never actually found in any lockless pagecache testing or by the
test harness, but by seeing the odd problem with my scalable vmap rewrite.
I have not tickled the test harness into reproducing it yet, but I'll
keep working at it.
Fortunately, it is not a problem anywhere lockless pagecache is used in
mainline kernels (pagecache probe is not a guarantee, and brd does not
have concurrent lookups and deletes).
Signed-off-by: Nick Piggin <npiggin@suse.de>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-06-13 02:21:52 +04:00
/*
* Returns 1 if any slot in the node has this tag set .
* Otherwise returns 0.
*/
static inline int any_tag_set ( struct radix_tree_node * node , unsigned int tag )
{
2016-05-21 03:03:04 +03:00
unsigned idx ;
radix-tree: fix small lockless radix-tree bug
We shrink a radix tree when its root node has only one child, in the left
most slot. The child becomes the new root node. To perform this
operation in a manner compatible with concurrent lockless lookups, we
atomically switch the root pointer from the parent to its child.
However a concurrent lockless lookup may now have loaded a pointer to the
parent (and is presently deciding what to do next). For this reason, we
also have to keep the parent node in a valid state after shrinking the
tree, until the next RCU grace period -- otherwise this lookup with the
parent pointer may not do the right thing. Notably, we need to keep the
child in the left most slot there in case that is requested by the lookup.
This is all pretty standard RCU stuff. It is worth repeating because in
my eagerness to obey the radix tree node constructor scheme, I had broken
it by zeroing the radix tree node before the grace period.
What could happen is that a lookup can load the parent pointer, then
decide it wants to follow the left most child slot, only to find the slot
contained NULL due to the concurrent shrinker having zeroed the parent
node before waiting for a grace period. The lookup would return a false
negative as a result.
Fix it by doing that clearing in the RCU callback. I would normally want
to rip out the constructor entirely, but radix tree nodes are one of those
places where they make sense (only few cachelines will be touched soon
after allocation).
This was never actually found in any lockless pagecache testing or by the
test harness, but by seeing the odd problem with my scalable vmap rewrite.
I have not tickled the test harness into reproducing it yet, but I'll
keep working at it.
Fortunately, it is not a problem anywhere lockless pagecache is used in
mainline kernels (pagecache probe is not a guarantee, and brd does not
have concurrent lookups and deletes).
Signed-off-by: Nick Piggin <npiggin@suse.de>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-06-13 02:21:52 +04:00
for ( idx = 0 ; idx < RADIX_TREE_TAG_LONGS ; idx + + ) {
if ( node - > tags [ tag ] [ idx ] )
return 1 ;
}
return 0 ;
}
2012-03-29 01:42:53 +04:00
/**
* radix_tree_find_next_bit - find the next set bit in a memory region
*
* @ addr : The address to base the search on
* @ size : The bitmap size in bits
* @ offset : The bitnumber to start searching at
*
* Unrollable variant of find_next_bit ( ) for constant size arrays .
* Tail bits starting from size to roundup ( size , BITS_PER_LONG ) must be zero .
* Returns next bit offset , or size if nothing found .
*/
static __always_inline unsigned long
2016-12-15 02:08:40 +03:00
radix_tree_find_next_bit ( struct radix_tree_node * node , unsigned int tag ,
unsigned long offset )
2012-03-29 01:42:53 +04:00
{
2016-12-15 02:08:40 +03:00
const unsigned long * addr = node - > tags [ tag ] ;
2012-03-29 01:42:53 +04:00
2016-12-15 02:08:40 +03:00
if ( offset < RADIX_TREE_MAP_SIZE ) {
2012-03-29 01:42:53 +04:00
unsigned long tmp ;
addr + = offset / BITS_PER_LONG ;
tmp = * addr > > ( offset % BITS_PER_LONG ) ;
if ( tmp )
return __ffs ( tmp ) + offset ;
offset = ( offset + BITS_PER_LONG ) & ~ ( BITS_PER_LONG - 1 ) ;
2016-12-15 02:08:40 +03:00
while ( offset < RADIX_TREE_MAP_SIZE ) {
2012-03-29 01:42:53 +04:00
tmp = * + + addr ;
if ( tmp )
return __ffs ( tmp ) + offset ;
offset + = BITS_PER_LONG ;
}
}
2016-12-15 02:08:40 +03:00
return RADIX_TREE_MAP_SIZE ;
2012-03-29 01:42:53 +04:00
}
2016-12-15 02:08:55 +03:00
static unsigned int iter_offset ( const struct radix_tree_iter * iter )
{
return ( iter - > index > > iter_shift ( iter ) ) & RADIX_TREE_MAP_MASK ;
}
2016-12-15 02:08:43 +03:00
/*
* The maximum index which can be stored in a radix tree
*/
static inline unsigned long shift_maxindex ( unsigned int shift )
{
return ( RADIX_TREE_MAP_SIZE < < shift ) - 1 ;
}
static inline unsigned long node_maxindex ( struct radix_tree_node * node )
{
return shift_maxindex ( node - > shift ) ;
}
2016-05-21 03:02:55 +03:00
# ifndef __KERNEL__
2016-05-21 03:03:19 +03:00
static void dump_node ( struct radix_tree_node * node , unsigned long index )
2016-03-18 00:21:57 +03:00
{
2016-05-21 03:02:55 +03:00
unsigned long i ;
2016-03-18 00:21:57 +03:00
2016-12-15 02:08:43 +03:00
pr_debug ( " radix node: %p offset %d indices %lu-%lu parent %p tags %lx %lx %lx shift %d count %d exceptional %d \n " ,
node , node - > offset , index , index | node_maxindex ( node ) ,
node - > parent ,
2016-05-21 03:02:55 +03:00
node - > tags [ 0 ] [ 0 ] , node - > tags [ 1 ] [ 0 ] , node - > tags [ 2 ] [ 0 ] ,
2016-12-15 02:08:43 +03:00
node - > shift , node - > count , node - > exceptional ) ;
2016-05-21 03:02:55 +03:00
for ( i = 0 ; i < RADIX_TREE_MAP_SIZE ; i + + ) {
2016-05-21 03:03:19 +03:00
unsigned long first = index | ( i < < node - > shift ) ;
unsigned long last = first | ( ( 1UL < < node - > shift ) - 1 ) ;
2016-05-21 03:02:55 +03:00
void * entry = node - > slots [ i ] ;
if ( ! entry )
continue ;
2016-12-15 02:08:43 +03:00
if ( entry = = RADIX_TREE_RETRY ) {
pr_debug ( " radix retry offset %ld indices %lu-%lu parent %p \n " ,
i , first , last , node ) ;
2016-05-21 03:03:30 +03:00
} else if ( ! radix_tree_is_internal_node ( entry ) ) {
2016-12-15 02:08:43 +03:00
pr_debug ( " radix entry %p offset %ld indices %lu-%lu parent %p \n " ,
entry , i , first , last , node ) ;
} else if ( is_sibling_entry ( node , entry ) ) {
pr_debug ( " radix sblng %p offset %ld indices %lu-%lu parent %p val %p \n " ,
entry , i , first , last , node ,
* ( void * * ) entry_to_node ( entry ) ) ;
2016-05-21 03:02:55 +03:00
} else {
2016-05-21 03:03:27 +03:00
dump_node ( entry_to_node ( entry ) , first ) ;
2016-05-21 03:02:55 +03:00
}
}
2016-03-18 00:21:57 +03:00
}
/* For debug */
static void radix_tree_dump ( struct radix_tree_root * root )
{
2016-05-21 03:03:19 +03:00
pr_debug ( " radix root: %p rnode %p tags %x \n " ,
root , root - > rnode ,
2016-03-18 00:21:57 +03:00
root - > gfp_mask > > __GFP_BITS_SHIFT ) ;
2016-05-21 03:03:30 +03:00
if ( ! radix_tree_is_internal_node ( root - > rnode ) )
2016-03-18 00:21:57 +03:00
return ;
2016-05-21 03:03:27 +03:00
dump_node ( entry_to_node ( root - > rnode ) , 0 ) ;
2016-03-18 00:21:57 +03:00
}
# endif
2005-04-17 02:20:36 +04:00
/*
* This assumes that the caller has performed appropriate preallocation , and
* that the caller has pinned this thread of control to the current CPU .
*/
static struct radix_tree_node *
2016-12-15 02:09:31 +03:00
radix_tree_node_alloc ( struct radix_tree_root * root ,
struct radix_tree_node * parent ,
unsigned int shift , unsigned int offset ,
unsigned int count , unsigned int exceptional )
2005-04-17 02:20:36 +04:00
{
2008-02-05 09:29:10 +03:00
struct radix_tree_node * ret = NULL ;
2006-06-23 13:03:22 +04:00
gfp_t gfp_mask = root_gfp_mask ( root ) ;
2005-04-17 02:20:36 +04:00
2013-09-12 01:26:05 +04:00
/*
2016-05-21 03:03:04 +03:00
* Preload code isn ' t irq safe and it doesn ' t make sense to use
* preloading during an interrupt anyway as all the allocations have
* to be atomic . So just do normal allocation when in interrupt .
2013-09-12 01:26:05 +04:00
*/
2015-11-07 03:28:21 +03:00
if ( ! gfpflags_allow_blocking ( gfp_mask ) & & ! in_interrupt ( ) ) {
2005-04-17 02:20:36 +04:00
struct radix_tree_preload * rtp ;
2016-03-18 00:18:36 +03:00
/*
* Even if the caller has preloaded , try to allocate from the
2016-08-03 00:03:01 +03:00
* cache first for the new node to get accounted to the memory
* cgroup .
2016-03-18 00:18:36 +03:00
*/
ret = kmem_cache_alloc ( radix_tree_node_cachep ,
2016-08-03 00:03:01 +03:00
gfp_mask | __GFP_NOWARN ) ;
2016-03-18 00:18:36 +03:00
if ( ret )
goto out ;
2008-02-05 09:29:10 +03:00
/*
* Provided the caller has preloaded here , we will always
* succeed in getting a node here ( and never reach
* kmem_cache_alloc )
*/
2014-06-05 03:07:56 +04:00
rtp = this_cpu_ptr ( & radix_tree_preloads ) ;
2005-04-17 02:20:36 +04:00
if ( rtp - > nr ) {
2015-06-26 01:02:19 +03:00
ret = rtp - > nodes ;
rtp - > nodes = ret - > private_data ;
ret - > private_data = NULL ;
2005-04-17 02:20:36 +04:00
rtp - > nr - - ;
}
2014-06-07 01:38:18 +04:00
/*
* Update the allocation stack trace as this is more useful
* for debugging .
*/
kmemleak_update_trace ( ret ) ;
2016-03-18 00:18:36 +03:00
goto out ;
2005-04-17 02:20:36 +04:00
}
2016-08-03 00:03:01 +03:00
ret = kmem_cache_alloc ( radix_tree_node_cachep , gfp_mask ) ;
2016-03-18 00:18:36 +03:00
out :
2016-05-21 03:03:30 +03:00
BUG_ON ( radix_tree_is_internal_node ( ret ) ) ;
2016-12-15 02:09:31 +03:00
if ( ret ) {
ret - > parent = parent ;
ret - > shift = shift ;
ret - > offset = offset ;
ret - > count = count ;
ret - > exceptional = exceptional ;
}
2005-04-17 02:20:36 +04:00
return ret ;
}
2006-12-07 07:33:44 +03:00
static void radix_tree_node_rcu_free ( struct rcu_head * head )
{
struct radix_tree_node * node =
container_of ( head , struct radix_tree_node , rcu_head ) ;
radix-tree: fix small lockless radix-tree bug
We shrink a radix tree when its root node has only one child, in the left
most slot. The child becomes the new root node. To perform this
operation in a manner compatible with concurrent lockless lookups, we
atomically switch the root pointer from the parent to its child.
However a concurrent lockless lookup may now have loaded a pointer to the
parent (and is presently deciding what to do next). For this reason, we
also have to keep the parent node in a valid state after shrinking the
tree, until the next RCU grace period -- otherwise this lookup with the
parent pointer may not do the right thing. Notably, we need to keep the
child in the left most slot there in case that is requested by the lookup.
This is all pretty standard RCU stuff. It is worth repeating because in
my eagerness to obey the radix tree node constructor scheme, I had broken
it by zeroing the radix tree node before the grace period.
What could happen is that a lookup can load the parent pointer, then
decide it wants to follow the left most child slot, only to find the slot
contained NULL due to the concurrent shrinker having zeroed the parent
node before waiting for a grace period. The lookup would return a false
negative as a result.
Fix it by doing that clearing in the RCU callback. I would normally want
to rip out the constructor entirely, but radix tree nodes are one of those
places where they make sense (only few cachelines will be touched soon
after allocation).
This was never actually found in any lockless pagecache testing or by the
test harness, but by seeing the odd problem with my scalable vmap rewrite.
I have not tickled the test harness into reproducing it yet, but I'll
keep working at it.
Fortunately, it is not a problem anywhere lockless pagecache is used in
mainline kernels (pagecache probe is not a guarantee, and brd does not
have concurrent lookups and deletes).
Signed-off-by: Nick Piggin <npiggin@suse.de>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-06-13 02:21:52 +04:00
/*
2016-12-15 02:08:58 +03:00
* Must only free zeroed nodes into the slab . We can be left with
* non - NULL entries by radix_tree_free_nodes , so clear the entries
* and tags here .
radix-tree: fix small lockless radix-tree bug
We shrink a radix tree when its root node has only one child, in the left
most slot. The child becomes the new root node. To perform this
operation in a manner compatible with concurrent lockless lookups, we
atomically switch the root pointer from the parent to its child.
However a concurrent lockless lookup may now have loaded a pointer to the
parent (and is presently deciding what to do next). For this reason, we
also have to keep the parent node in a valid state after shrinking the
tree, until the next RCU grace period -- otherwise this lookup with the
parent pointer may not do the right thing. Notably, we need to keep the
child in the left most slot there in case that is requested by the lookup.
This is all pretty standard RCU stuff. It is worth repeating because in
my eagerness to obey the radix tree node constructor scheme, I had broken
it by zeroing the radix tree node before the grace period.
What could happen is that a lookup can load the parent pointer, then
decide it wants to follow the left most child slot, only to find the slot
contained NULL due to the concurrent shrinker having zeroed the parent
node before waiting for a grace period. The lookup would return a false
negative as a result.
Fix it by doing that clearing in the RCU callback. I would normally want
to rip out the constructor entirely, but radix tree nodes are one of those
places where they make sense (only few cachelines will be touched soon
after allocation).
This was never actually found in any lockless pagecache testing or by the
test harness, but by seeing the odd problem with my scalable vmap rewrite.
I have not tickled the test harness into reproducing it yet, but I'll
keep working at it.
Fortunately, it is not a problem anywhere lockless pagecache is used in
mainline kernels (pagecache probe is not a guarantee, and brd does not
have concurrent lookups and deletes).
Signed-off-by: Nick Piggin <npiggin@suse.de>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-06-13 02:21:52 +04:00
*/
2016-12-15 02:08:58 +03:00
memset ( node - > slots , 0 , sizeof ( node - > slots ) ) ;
memset ( node - > tags , 0 , sizeof ( node - > tags ) ) ;
2016-12-15 02:08:34 +03:00
INIT_LIST_HEAD ( & node - > private_list ) ;
radix-tree: fix small lockless radix-tree bug
We shrink a radix tree when its root node has only one child, in the left
most slot. The child becomes the new root node. To perform this
operation in a manner compatible with concurrent lockless lookups, we
atomically switch the root pointer from the parent to its child.
However a concurrent lockless lookup may now have loaded a pointer to the
parent (and is presently deciding what to do next). For this reason, we
also have to keep the parent node in a valid state after shrinking the
tree, until the next RCU grace period -- otherwise this lookup with the
parent pointer may not do the right thing. Notably, we need to keep the
child in the left most slot there in case that is requested by the lookup.
This is all pretty standard RCU stuff. It is worth repeating because in
my eagerness to obey the radix tree node constructor scheme, I had broken
it by zeroing the radix tree node before the grace period.
What could happen is that a lookup can load the parent pointer, then
decide it wants to follow the left most child slot, only to find the slot
contained NULL due to the concurrent shrinker having zeroed the parent
node before waiting for a grace period. The lookup would return a false
negative as a result.
Fix it by doing that clearing in the RCU callback. I would normally want
to rip out the constructor entirely, but radix tree nodes are one of those
places where they make sense (only few cachelines will be touched soon
after allocation).
This was never actually found in any lockless pagecache testing or by the
test harness, but by seeing the odd problem with my scalable vmap rewrite.
I have not tickled the test harness into reproducing it yet, but I'll
keep working at it.
Fortunately, it is not a problem anywhere lockless pagecache is used in
mainline kernels (pagecache probe is not a guarantee, and brd does not
have concurrent lookups and deletes).
Signed-off-by: Nick Piggin <npiggin@suse.de>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: "Paul E. McKenney" <paulmck@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-06-13 02:21:52 +04:00
2006-12-07 07:33:44 +03:00
kmem_cache_free ( radix_tree_node_cachep , node ) ;
}
2005-04-17 02:20:36 +04:00
static inline void
radix_tree_node_free ( struct radix_tree_node * node )
{
2006-12-07 07:33:44 +03:00
call_rcu ( & node - > rcu_head , radix_tree_node_rcu_free ) ;
2005-04-17 02:20:36 +04:00
}
/*
* Load up this CPU ' s radix_tree_node buffer with sufficient objects to
* ensure that the addition of a single element in the tree cannot fail . On
* success , return zero , with preemption disabled . On error , return - ENOMEM
* with preemption not disabled .
FS-Cache: Use radix tree preload correctly in tracking of pages to be stored
__fscache_write_page() attempts to load the radix tree preallocation pool for
the CPU it is on before calling radix_tree_insert(), as the insertion must be
done inside a pair of spinlocks.
Use of the preallocation pool, however, is contingent on the radix tree being
initialised without __GFP_WAIT specified. __fscache_acquire_cookie() was
passing GFP_NOFS to INIT_RADIX_TREE() - but that includes __GFP_WAIT.
The solution is to AND out __GFP_WAIT.
Additionally, the banner comment to radix_tree_preload() is altered to make
note of this prerequisite. Possibly there should be a WARN_ON() too.
Without this fix, I have seen the following recursive deadlock caused by
radix_tree_insert() attempting to allocate memory inside the spinlocked
region, which resulted in FS-Cache being called back into to release memory -
which required the spinlock already held.
=============================================
[ INFO: possible recursive locking detected ]
2.6.32-rc6-cachefs #24
---------------------------------------------
nfsiod/7916 is trying to acquire lock:
(&cookie->lock){+.+.-.}, at: [<ffffffffa0076872>] __fscache_uncache_page+0xdb/0x160 [fscache]
but task is already holding lock:
(&cookie->lock){+.+.-.}, at: [<ffffffffa0076acc>] __fscache_write_page+0x15c/0x3f3 [fscache]
other info that might help us debug this:
5 locks held by nfsiod/7916:
#0: (nfsiod){+.+.+.}, at: [<ffffffff81048290>] worker_thread+0x19a/0x2e2
#1: (&task->u.tk_work#2){+.+.+.}, at: [<ffffffff81048290>] worker_thread+0x19a/0x2e2
#2: (&cookie->lock){+.+.-.}, at: [<ffffffffa0076acc>] __fscache_write_page+0x15c/0x3f3 [fscache]
#3: (&object->lock#2){+.+.-.}, at: [<ffffffffa0076b07>] __fscache_write_page+0x197/0x3f3 [fscache]
#4: (&cookie->stores_lock){+.+...}, at: [<ffffffffa0076b0f>] __fscache_write_page+0x19f/0x3f3 [fscache]
stack backtrace:
Pid: 7916, comm: nfsiod Not tainted 2.6.32-rc6-cachefs #24
Call Trace:
[<ffffffff8105ac7f>] __lock_acquire+0x1649/0x16e3
[<ffffffff81059ded>] ? __lock_acquire+0x7b7/0x16e3
[<ffffffff8100e27d>] ? dump_trace+0x248/0x257
[<ffffffff8105ad70>] lock_acquire+0x57/0x6d
[<ffffffffa0076872>] ? __fscache_uncache_page+0xdb/0x160 [fscache]
[<ffffffff8135467c>] _spin_lock+0x2c/0x3b
[<ffffffffa0076872>] ? __fscache_uncache_page+0xdb/0x160 [fscache]
[<ffffffffa0076872>] __fscache_uncache_page+0xdb/0x160 [fscache]
[<ffffffffa0077eb7>] ? __fscache_check_page_write+0x0/0x71 [fscache]
[<ffffffffa00b4755>] nfs_fscache_release_page+0x86/0xc4 [nfs]
[<ffffffffa00907f0>] nfs_release_page+0x3c/0x41 [nfs]
[<ffffffff81087ffb>] try_to_release_page+0x32/0x3b
[<ffffffff81092c2b>] shrink_page_list+0x316/0x4ac
[<ffffffff81058a9b>] ? mark_held_locks+0x52/0x70
[<ffffffff8135451b>] ? _spin_unlock_irq+0x2b/0x31
[<ffffffff81093153>] shrink_inactive_list+0x392/0x67c
[<ffffffff81058a9b>] ? mark_held_locks+0x52/0x70
[<ffffffff810934ca>] shrink_list+0x8d/0x8f
[<ffffffff81093744>] shrink_zone+0x278/0x33c
[<ffffffff81052c70>] ? ktime_get_ts+0xad/0xba
[<ffffffff8109453b>] try_to_free_pages+0x22e/0x392
[<ffffffff8109184c>] ? isolate_pages_global+0x0/0x212
[<ffffffff8108e16b>] __alloc_pages_nodemask+0x3dc/0x5cf
[<ffffffff810ae24a>] cache_alloc_refill+0x34d/0x6c1
[<ffffffff811bcf74>] ? radix_tree_node_alloc+0x52/0x5c
[<ffffffff810ae929>] kmem_cache_alloc+0xb2/0x118
[<ffffffff811bcf74>] radix_tree_node_alloc+0x52/0x5c
[<ffffffff811bcfd5>] radix_tree_insert+0x57/0x19c
[<ffffffffa0076b53>] __fscache_write_page+0x1e3/0x3f3 [fscache]
[<ffffffffa00b4248>] __nfs_readpage_to_fscache+0x58/0x11e [nfs]
[<ffffffffa009bb77>] nfs_readpage_release+0x34/0x9b [nfs]
[<ffffffffa009c0d9>] nfs_readpage_release_full+0x32/0x4b [nfs]
[<ffffffffa0006cff>] rpc_release_calldata+0x12/0x14 [sunrpc]
[<ffffffffa0006e2d>] rpc_free_task+0x59/0x61 [sunrpc]
[<ffffffffa0006f03>] rpc_async_release+0x10/0x12 [sunrpc]
[<ffffffff810482e5>] worker_thread+0x1ef/0x2e2
[<ffffffff81048290>] ? worker_thread+0x19a/0x2e2
[<ffffffff81352433>] ? thread_return+0x3e/0x101
[<ffffffffa0006ef3>] ? rpc_async_release+0x0/0x12 [sunrpc]
[<ffffffff8104bff5>] ? autoremove_wake_function+0x0/0x34
[<ffffffff81058d25>] ? trace_hardirqs_on+0xd/0xf
[<ffffffff810480f6>] ? worker_thread+0x0/0x2e2
[<ffffffff8104bd21>] kthread+0x7a/0x82
[<ffffffff8100beda>] child_rip+0xa/0x20
[<ffffffff8100b87c>] ? restore_args+0x0/0x30
[<ffffffff8104c2b9>] ? add_wait_queue+0x15/0x44
[<ffffffff8104bca7>] ? kthread+0x0/0x82
[<ffffffff8100bed0>] ? child_rip+0x0/0x20
Signed-off-by: David Howells <dhowells@redhat.com>
2009-11-19 21:11:14 +03:00
*
* To make use of this facility , the radix tree must be initialised without
2015-11-07 03:28:21 +03:00
* __GFP_DIRECT_RECLAIM being passed to INIT_RADIX_TREE ( ) .
2005-04-17 02:20:36 +04:00
*/
2016-12-15 02:09:04 +03:00
static int __radix_tree_preload ( gfp_t gfp_mask , unsigned nr )
2005-04-17 02:20:36 +04:00
{
struct radix_tree_preload * rtp ;
struct radix_tree_node * node ;
int ret = - ENOMEM ;
2016-08-03 00:03:01 +03:00
/*
* Nodes preloaded by one cgroup can be be used by another cgroup , so
* they should never be accounted to any particular memory cgroup .
*/
gfp_mask & = ~ __GFP_ACCOUNT ;
2005-04-17 02:20:36 +04:00
preempt_disable ( ) ;
2014-06-05 03:07:56 +04:00
rtp = this_cpu_ptr ( & radix_tree_preloads ) ;
2016-07-27 01:26:02 +03:00
while ( rtp - > nr < nr ) {
2005-04-17 02:20:36 +04:00
preempt_enable ( ) ;
2008-04-28 13:12:05 +04:00
node = kmem_cache_alloc ( radix_tree_node_cachep , gfp_mask ) ;
2005-04-17 02:20:36 +04:00
if ( node = = NULL )
goto out ;
preempt_disable ( ) ;
2014-06-05 03:07:56 +04:00
rtp = this_cpu_ptr ( & radix_tree_preloads ) ;
2016-07-27 01:26:02 +03:00
if ( rtp - > nr < nr ) {
2015-06-26 01:02:19 +03:00
node - > private_data = rtp - > nodes ;
rtp - > nodes = node ;
rtp - > nr + + ;
} else {
2005-04-17 02:20:36 +04:00
kmem_cache_free ( radix_tree_node_cachep , node ) ;
2015-06-26 01:02:19 +03:00
}
2005-04-17 02:20:36 +04:00
}
ret = 0 ;
out :
return ret ;
}
2013-09-12 01:26:05 +04:00
/*
* Load up this CPU ' s radix_tree_node buffer with sufficient objects to
* ensure that the addition of a single element in the tree cannot fail . On
* success , return zero , with preemption disabled . On error , return - ENOMEM
* with preemption not disabled .
*
* To make use of this facility , the radix tree must be initialised without
2015-11-07 03:28:21 +03:00
* __GFP_DIRECT_RECLAIM being passed to INIT_RADIX_TREE ( ) .
2013-09-12 01:26:05 +04:00
*/
int radix_tree_preload ( gfp_t gfp_mask )
{
/* Warn on non-sensical use... */
2015-11-07 03:28:21 +03:00
WARN_ON_ONCE ( ! gfpflags_allow_blocking ( gfp_mask ) ) ;
2016-07-27 01:26:02 +03:00
return __radix_tree_preload ( gfp_mask , RADIX_TREE_PRELOAD_SIZE ) ;
2013-09-12 01:26:05 +04:00
}
2007-07-14 10:05:04 +04:00
EXPORT_SYMBOL ( radix_tree_preload ) ;
2005-04-17 02:20:36 +04:00
2013-09-12 01:26:05 +04:00
/*
* The same as above function , except we don ' t guarantee preloading happens .
* We do it , if we decide it helps . On success , return zero with preemption
* disabled . On error , return - ENOMEM with preemption not disabled .
*/
int radix_tree_maybe_preload ( gfp_t gfp_mask )
{
2015-11-07 03:28:21 +03:00
if ( gfpflags_allow_blocking ( gfp_mask ) )
2016-07-27 01:26:02 +03:00
return __radix_tree_preload ( gfp_mask , RADIX_TREE_PRELOAD_SIZE ) ;
2013-09-12 01:26:05 +04:00
/* Preloading doesn't help anything with this gfp mask, skip it */
preempt_disable ( ) ;
return 0 ;
}
EXPORT_SYMBOL ( radix_tree_maybe_preload ) ;
2016-12-15 02:09:04 +03:00
# ifdef CONFIG_RADIX_TREE_MULTIORDER
/*
* Preload with enough objects to ensure that we can split a single entry
* of order @ old_order into many entries of size @ new_order
*/
int radix_tree_split_preload ( unsigned int old_order , unsigned int new_order ,
gfp_t gfp_mask )
{
unsigned top = 1 < < ( old_order % RADIX_TREE_MAP_SHIFT ) ;
unsigned layers = ( old_order / RADIX_TREE_MAP_SHIFT ) -
( new_order / RADIX_TREE_MAP_SHIFT ) ;
unsigned nr = 0 ;
WARN_ON_ONCE ( ! gfpflags_allow_blocking ( gfp_mask ) ) ;
BUG_ON ( new_order > = old_order ) ;
while ( layers - - )
nr = nr * RADIX_TREE_MAP_SIZE + 1 ;
return __radix_tree_preload ( gfp_mask , top * nr ) ;
}
# endif
2016-07-27 01:26:02 +03:00
/*
* The same as function above , but preload number of nodes required to insert
* ( 1 < < order ) continuous naturally - aligned elements .
*/
int radix_tree_maybe_preload_order ( gfp_t gfp_mask , int order )
{
unsigned long nr_subtrees ;
int nr_nodes , subtree_height ;
/* Preloading doesn't help anything with this gfp mask, skip it */
if ( ! gfpflags_allow_blocking ( gfp_mask ) ) {
preempt_disable ( ) ;
return 0 ;
}
/*
* Calculate number and height of fully populated subtrees it takes to
* store ( 1 < < order ) elements .
*/
nr_subtrees = 1 < < order ;
for ( subtree_height = 0 ; nr_subtrees > RADIX_TREE_MAP_SIZE ;
subtree_height + + )
nr_subtrees > > = RADIX_TREE_MAP_SHIFT ;
/*
* The worst case is zero height tree with a single item at index 0 and
* then inserting items starting at ULONG_MAX - ( 1 < < order ) .
*
* This requires RADIX_TREE_MAX_PATH nodes to build branch from root to
* 0 - index item .
*/
nr_nodes = RADIX_TREE_MAX_PATH ;
/* Plus branch to fully populated subtrees. */
nr_nodes + = RADIX_TREE_MAX_PATH - subtree_height ;
/* Root node is shared. */
nr_nodes - - ;
/* Plus nodes required to build subtrees. */
nr_nodes + = nr_subtrees * height_to_maxnodes [ subtree_height ] ;
return __radix_tree_preload ( gfp_mask , nr_nodes ) ;
}
2016-05-21 03:02:08 +03:00
static unsigned radix_tree_load_root ( struct radix_tree_root * root ,
struct radix_tree_node * * nodep , unsigned long * maxindex )
{
struct radix_tree_node * node = rcu_dereference_raw ( root - > rnode ) ;
* nodep = node ;
2016-05-21 03:03:30 +03:00
if ( likely ( radix_tree_is_internal_node ( node ) ) ) {
2016-05-21 03:03:27 +03:00
node = entry_to_node ( node ) ;
2016-05-21 03:02:08 +03:00
* maxindex = node_maxindex ( node ) ;
2016-05-21 03:03:10 +03:00
return node - > shift + RADIX_TREE_MAP_SHIFT ;
2016-05-21 03:02:08 +03:00
}
* maxindex = 0 ;
return 0 ;
}
2005-04-17 02:20:36 +04:00
/*
* Extend a radix tree so it can store key @ index .
*/
2016-03-18 00:21:54 +03:00
static int radix_tree_extend ( struct radix_tree_root * root ,
2016-05-21 03:03:19 +03:00
unsigned long index , unsigned int shift )
2005-04-17 02:20:36 +04:00
{
radix_tree: take radix_tree_path off stack
Down, down in the deepest depths of GFP_NOIO page reclaim, we have
shrink_page_list() calling __remove_mapping() calling __delete_from_
swap_cache() or __delete_from_page_cache().
You would not expect those to need much stack, but in fact they call
radix_tree_delete(): which declares a 192-byte radix_tree_path array on
its stack (to record the node,offsets it visits when descending, in case
it needs to ascend to update them). And if any tag is still set [1],
that calls radix_tree_tag_clear(), which declares a further such
192-byte radix_tree_path array on the stack. (At least we have
interrupts disabled here, so won't then be pushing registers too.)
That was probably a good choice when most users were 32-bit (array of
half the size), and adding fields to radix_tree_node would have bloated
it unnecessarily. But nowadays many are 64-bit, and each
radix_tree_node contains a struct rcu_head, which is only used when
freeing; whereas the radix_tree_path info is only used for updating the
tree (deleting, clearing tags or setting tags if tagged) when a lock
must be held, of no interest when accessing the tree locklessly.
So add a parent pointer to the radix_tree_node, in union with the
rcu_head, and remove all uses of the radix_tree_path. There would be
space in that union to save the offset when descending as before (we can
argue that a lock must already be held to exclude other users), but
recalculating it when ascending is both easy (a constant shift and a
constant mask) and uncommon, so it seems better just to do that.
Two little optimizations: no need to decrement height when descending,
adjusting shift is enough; and once radix_tree_tag_if_tagged() has set
tag on a node and its ancestors, it need not ascend from that node
again.
perf on the radix tree test harness reports radix_tree_insert() as 2%
slower (now having to set parent), but radix_tree_delete() 24% faster.
Surely that's an exaggeration from rtth's artificially low map shift 3,
but forcing it back to 6 still rates radix_tree_delete() 8% faster.
[1] Can a pagecache tag (dirty, writeback or towrite) actually still be
set at the time of radix_tree_delete()? Perhaps not if the filesystem is
well-behaved. But although I've not tracked any stack overflow down to
this cause, I have observed a curious case in which a dirty tag is set
and left set on tmpfs: page migration's migrate_page_copy() happens to
use __set_page_dirty_nobuffers() to set PageDirty on the newpage, and
that sets PAGECACHE_TAG_DIRTY as a side-effect - harmless to a
filesystem which doesn't use tags, except for this stack depth issue.
Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Nai Xia <nai.xia@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-13 05:20:41 +04:00
struct radix_tree_node * slot ;
2016-05-21 03:03:19 +03:00
unsigned int maxshift ;
2005-04-17 02:20:36 +04:00
int tag ;
2016-05-21 03:03:19 +03:00
/* Figure out what the shift should be. */
maxshift = shift ;
while ( index > shift_maxindex ( maxshift ) )
maxshift + = RADIX_TREE_MAP_SHIFT ;
2005-04-17 02:20:36 +04:00
2016-05-21 03:03:19 +03:00
slot = root - > rnode ;
if ( ! slot )
2005-04-17 02:20:36 +04:00
goto out ;
do {
2016-12-15 02:09:31 +03:00
struct radix_tree_node * node = radix_tree_node_alloc ( root ,
NULL , shift , 0 , 1 , 0 ) ;
2016-05-21 03:03:04 +03:00
if ( ! node )
2005-04-17 02:20:36 +04:00
return - ENOMEM ;
/* Propagate the aggregated tag info into the new root */
2006-03-25 14:08:05 +03:00
for ( tag = 0 ; tag < RADIX_TREE_MAX_TAGS ; tag + + ) {
2006-06-23 13:03:22 +04:00
if ( root_tag_get ( root , tag ) )
2005-04-17 02:20:36 +04:00
tag_set ( node , tag , 0 ) ;
}
2016-05-21 03:03:19 +03:00
BUG_ON ( shift > BITS_PER_LONG ) ;
2016-12-13 03:43:41 +03:00
if ( radix_tree_is_internal_node ( slot ) ) {
2016-05-21 03:03:27 +03:00
entry_to_node ( slot ) - > parent = node ;
2016-12-15 02:09:31 +03:00
} else if ( radix_tree_exceptional_entry ( slot ) ) {
2016-12-13 03:43:41 +03:00
/* Moving an exceptional root->rnode to a node */
2016-12-15 02:09:31 +03:00
node - > exceptional = 1 ;
2016-12-13 03:43:41 +03:00
}
radix_tree: take radix_tree_path off stack
Down, down in the deepest depths of GFP_NOIO page reclaim, we have
shrink_page_list() calling __remove_mapping() calling __delete_from_
swap_cache() or __delete_from_page_cache().
You would not expect those to need much stack, but in fact they call
radix_tree_delete(): which declares a 192-byte radix_tree_path array on
its stack (to record the node,offsets it visits when descending, in case
it needs to ascend to update them). And if any tag is still set [1],
that calls radix_tree_tag_clear(), which declares a further such
192-byte radix_tree_path array on the stack. (At least we have
interrupts disabled here, so won't then be pushing registers too.)
That was probably a good choice when most users were 32-bit (array of
half the size), and adding fields to radix_tree_node would have bloated
it unnecessarily. But nowadays many are 64-bit, and each
radix_tree_node contains a struct rcu_head, which is only used when
freeing; whereas the radix_tree_path info is only used for updating the
tree (deleting, clearing tags or setting tags if tagged) when a lock
must be held, of no interest when accessing the tree locklessly.
So add a parent pointer to the radix_tree_node, in union with the
rcu_head, and remove all uses of the radix_tree_path. There would be
space in that union to save the offset when descending as before (we can
argue that a lock must already be held to exclude other users), but
recalculating it when ascending is both easy (a constant shift and a
constant mask) and uncommon, so it seems better just to do that.
Two little optimizations: no need to decrement height when descending,
adjusting shift is enough; and once radix_tree_tag_if_tagged() has set
tag on a node and its ancestors, it need not ascend from that node
again.
perf on the radix tree test harness reports radix_tree_insert() as 2%
slower (now having to set parent), but radix_tree_delete() 24% faster.
Surely that's an exaggeration from rtth's artificially low map shift 3,
but forcing it back to 6 still rates radix_tree_delete() 8% faster.
[1] Can a pagecache tag (dirty, writeback or towrite) actually still be
set at the time of radix_tree_delete()? Perhaps not if the filesystem is
well-behaved. But although I've not tracked any stack overflow down to
this cause, I have observed a curious case in which a dirty tag is set
and left set on tmpfs: page migration's migrate_page_copy() happens to
use __set_page_dirty_nobuffers() to set PageDirty on the newpage, and
that sets PAGECACHE_TAG_DIRTY as a side-effect - harmless to a
filesystem which doesn't use tags, except for this stack depth issue.
Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Nai Xia <nai.xia@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-13 05:20:41 +04:00
node - > slots [ 0 ] = slot ;
2016-05-21 03:03:24 +03:00
slot = node_to_entry ( node ) ;
rcu_assign_pointer ( root - > rnode , slot ) ;
2016-05-21 03:03:19 +03:00
shift + = RADIX_TREE_MAP_SHIFT ;
} while ( shift < = maxshift ) ;
2005-04-17 02:20:36 +04:00
out :
2016-05-21 03:03:19 +03:00
return maxshift + RADIX_TREE_MAP_SHIFT ;
2005-04-17 02:20:36 +04:00
}
2016-12-13 03:43:46 +03:00
/**
* radix_tree_shrink - shrink radix tree to minimum height
* @ root radix tree root
*/
2016-12-13 03:43:52 +03:00
static inline void radix_tree_shrink ( struct radix_tree_root * root ,
2016-12-13 03:43:49 +03:00
radix_tree_update_node_t update_node ,
void * private )
2016-12-13 03:43:46 +03:00
{
for ( ; ; ) {
struct radix_tree_node * node = root - > rnode ;
struct radix_tree_node * child ;
if ( ! radix_tree_is_internal_node ( node ) )
break ;
node = entry_to_node ( node ) ;
/*
* The candidate node has more than one child , or its child
* is not at the leftmost slot , or the child is a multiorder
* entry , we cannot shrink .
*/
if ( node - > count ! = 1 )
break ;
child = node - > slots [ 0 ] ;
if ( ! child )
break ;
if ( ! radix_tree_is_internal_node ( child ) & & node - > shift )
break ;
if ( radix_tree_is_internal_node ( child ) )
entry_to_node ( child ) - > parent = NULL ;
/*
* We don ' t need rcu_assign_pointer ( ) , since we are simply
* moving the node from one part of the tree to another : if it
* was safe to dereference the old pointer to it
* ( node - > slots [ 0 ] ) , it will be safe to dereference the new
* one ( root - > rnode ) as far as dependent read barriers go .
*/
root - > rnode = child ;
/*
* We have a dilemma here . The node ' s slot [ 0 ] must not be
* NULLed in case there are concurrent lookups expecting to
* find the item . However if this was a bottom - level node ,
* then it may be subject to the slot pointer being visible
* to callers dereferencing it . If item corresponding to
* slot [ 0 ] is subsequently deleted , these callers would expect
* their slot to become empty sooner or later .
*
* For example , lockless pagecache will look up a slot , deref
* the page pointer , and if the page has 0 refcount it means it
* was concurrently deleted from pagecache so try the deref
* again . Fortunately there is already a requirement for logic
* to retry the entire slot lookup - - the indirect pointer
* problem ( replacing direct root node with an indirect pointer
* also results in a stale slot ) . So tag the slot as indirect
* to force callers to retry .
*/
2016-12-13 03:43:49 +03:00
node - > count = 0 ;
if ( ! radix_tree_is_internal_node ( child ) ) {
2016-12-13 03:43:46 +03:00
node - > slots [ 0 ] = RADIX_TREE_RETRY ;
2016-12-13 03:43:49 +03:00
if ( update_node )
update_node ( node , private ) ;
}
2016-12-13 03:43:46 +03:00
mm: workingset: fix use-after-free in shadow node shrinker
Several people report seeing warnings about inconsistent radix tree
nodes followed by crashes in the workingset code, which all looked like
use-after-free access from the shadow node shrinker.
Dave Jones managed to reproduce the issue with a debug patch applied,
which confirmed that the radix tree shrinking indeed frees shadow nodes
while they are still linked to the shadow LRU:
WARNING: CPU: 2 PID: 53 at lib/radix-tree.c:643 delete_node+0x1e4/0x200
CPU: 2 PID: 53 Comm: kswapd0 Not tainted 4.10.0-rc2-think+ #3
Call Trace:
delete_node+0x1e4/0x200
__radix_tree_delete_node+0xd/0x10
shadow_lru_isolate+0xe6/0x220
__list_lru_walk_one.isra.4+0x9b/0x190
list_lru_walk_one+0x23/0x30
scan_shadow_nodes+0x2e/0x40
shrink_slab.part.44+0x23d/0x5d0
shrink_node+0x22c/0x330
kswapd+0x392/0x8f0
This is the WARN_ON_ONCE(!list_empty(&node->private_list)) placed in the
inlined radix_tree_shrink().
The problem is with 14b468791fa9 ("mm: workingset: move shadow entry
tracking to radix tree exceptional tracking"), which passes an update
callback into the radix tree to link and unlink shadow leaf nodes when
tree entries change, but forgot to pass the callback when reclaiming a
shadow node.
While the reclaimed shadow node itself is unlinked by the shrinker, its
deletion from the tree can cause the left-most leaf node in the tree to
be shrunk. If that happens to be a shadow node as well, we don't unlink
it from the LRU as we should.
Consider this tree, where the s are shadow entries:
root->rnode
|
[0 n]
| |
[s ] [sssss]
Now the shadow node shrinker reclaims the rightmost leaf node through
the shadow node LRU:
root->rnode
|
[0 ]
|
[s ]
Because the parent of the deleted node is the first level below the
root and has only one child in the left-most slot, the intermediate
level is shrunk and the node containing the single shadow is put in
its place:
root->rnode
|
[s ]
The shrinker again sees a single left-most slot in a first level node
and thus decides to store the shadow in root->rnode directly and free
the node - which is a leaf node on the shadow node LRU.
root->rnode
|
s
Without the update callback, the freed node remains on the shadow LRU,
where it causes later shrinker runs to crash.
Pass the node updater callback into __radix_tree_delete_node() in case
the deletion causes the left-most branch in the tree to collapse too.
Also add warnings when linked nodes are freed right away, rather than
wait for the use-after-free when the list is scanned much later.
Fixes: 14b468791fa9 ("mm: workingset: move shadow entry tracking to radix tree exceptional tracking")
Reported-by: Dave Chinner <david@fromorbit.com>
Reported-by: Hugh Dickins <hughd@google.com>
Reported-by: Andrea Arcangeli <aarcange@redhat.com>
Reported-and-tested-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Chris Leech <cleech@redhat.com>
Cc: Lee Duncan <lduncan@suse.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Matthew Wilcox <mawilcox@linuxonhyperv.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-01-07 03:21:43 +03:00
WARN_ON_ONCE ( ! list_empty ( & node - > private_list ) ) ;
2016-12-13 03:43:46 +03:00
radix_tree_node_free ( node ) ;
}
}
2016-12-13 03:43:52 +03:00
static void delete_node ( struct radix_tree_root * root ,
2016-12-13 03:43:49 +03:00
struct radix_tree_node * node ,
radix_tree_update_node_t update_node , void * private )
2016-12-13 03:43:46 +03:00
{
do {
struct radix_tree_node * parent ;
if ( node - > count ) {
if ( node = = entry_to_node ( root - > rnode ) )
2016-12-13 03:43:52 +03:00
radix_tree_shrink ( root , update_node , private ) ;
return ;
2016-12-13 03:43:46 +03:00
}
parent = node - > parent ;
if ( parent ) {
parent - > slots [ node - > offset ] = NULL ;
parent - > count - - ;
} else {
root_tag_clear_all ( root ) ;
root - > rnode = NULL ;
}
mm: workingset: fix use-after-free in shadow node shrinker
Several people report seeing warnings about inconsistent radix tree
nodes followed by crashes in the workingset code, which all looked like
use-after-free access from the shadow node shrinker.
Dave Jones managed to reproduce the issue with a debug patch applied,
which confirmed that the radix tree shrinking indeed frees shadow nodes
while they are still linked to the shadow LRU:
WARNING: CPU: 2 PID: 53 at lib/radix-tree.c:643 delete_node+0x1e4/0x200
CPU: 2 PID: 53 Comm: kswapd0 Not tainted 4.10.0-rc2-think+ #3
Call Trace:
delete_node+0x1e4/0x200
__radix_tree_delete_node+0xd/0x10
shadow_lru_isolate+0xe6/0x220
__list_lru_walk_one.isra.4+0x9b/0x190
list_lru_walk_one+0x23/0x30
scan_shadow_nodes+0x2e/0x40
shrink_slab.part.44+0x23d/0x5d0
shrink_node+0x22c/0x330
kswapd+0x392/0x8f0
This is the WARN_ON_ONCE(!list_empty(&node->private_list)) placed in the
inlined radix_tree_shrink().
The problem is with 14b468791fa9 ("mm: workingset: move shadow entry
tracking to radix tree exceptional tracking"), which passes an update
callback into the radix tree to link and unlink shadow leaf nodes when
tree entries change, but forgot to pass the callback when reclaiming a
shadow node.
While the reclaimed shadow node itself is unlinked by the shrinker, its
deletion from the tree can cause the left-most leaf node in the tree to
be shrunk. If that happens to be a shadow node as well, we don't unlink
it from the LRU as we should.
Consider this tree, where the s are shadow entries:
root->rnode
|
[0 n]
| |
[s ] [sssss]
Now the shadow node shrinker reclaims the rightmost leaf node through
the shadow node LRU:
root->rnode
|
[0 ]
|
[s ]
Because the parent of the deleted node is the first level below the
root and has only one child in the left-most slot, the intermediate
level is shrunk and the node containing the single shadow is put in
its place:
root->rnode
|
[s ]
The shrinker again sees a single left-most slot in a first level node
and thus decides to store the shadow in root->rnode directly and free
the node - which is a leaf node on the shadow node LRU.
root->rnode
|
s
Without the update callback, the freed node remains on the shadow LRU,
where it causes later shrinker runs to crash.
Pass the node updater callback into __radix_tree_delete_node() in case
the deletion causes the left-most branch in the tree to collapse too.
Also add warnings when linked nodes are freed right away, rather than
wait for the use-after-free when the list is scanned much later.
Fixes: 14b468791fa9 ("mm: workingset: move shadow entry tracking to radix tree exceptional tracking")
Reported-by: Dave Chinner <david@fromorbit.com>
Reported-by: Hugh Dickins <hughd@google.com>
Reported-by: Andrea Arcangeli <aarcange@redhat.com>
Reported-and-tested-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Chris Leech <cleech@redhat.com>
Cc: Lee Duncan <lduncan@suse.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Matthew Wilcox <mawilcox@linuxonhyperv.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-01-07 03:21:43 +03:00
WARN_ON_ONCE ( ! list_empty ( & node - > private_list ) ) ;
2016-12-13 03:43:46 +03:00
radix_tree_node_free ( node ) ;
node = parent ;
} while ( node ) ;
}
2005-04-17 02:20:36 +04:00
/**
2014-04-04 01:47:54 +04:00
* __radix_tree_create - create a slot in a radix tree
2005-04-17 02:20:36 +04:00
* @ root : radix tree root
* @ index : index key
2016-03-18 00:21:54 +03:00
* @ order : index occupies 2 ^ order aligned slots
2014-04-04 01:47:54 +04:00
* @ nodep : returns node
* @ slotp : returns slot
2005-04-17 02:20:36 +04:00
*
2014-04-04 01:47:54 +04:00
* Create , if necessary , and return the node and slot for an item
* at position @ index in the radix tree @ root .
*
* Until there is more than one item in the tree , no nodes are
* allocated and @ root - > rnode is used as a direct slot instead of
* pointing to a node , in which case * @ nodep will be NULL .
*
* Returns - ENOMEM , or 0 for success .
2005-04-17 02:20:36 +04:00
*/
2014-04-04 01:47:54 +04:00
int __radix_tree_create ( struct radix_tree_root * root , unsigned long index ,
2016-03-18 00:21:54 +03:00
unsigned order , struct radix_tree_node * * nodep ,
void * * * slotp )
2005-04-17 02:20:36 +04:00
{
2016-05-21 03:03:42 +03:00
struct radix_tree_node * node = NULL , * child ;
void * * slot = ( void * * ) & root - > rnode ;
2016-05-21 03:02:11 +03:00
unsigned long maxindex ;
2016-05-21 03:03:42 +03:00
unsigned int shift , offset = 0 ;
2016-05-21 03:02:11 +03:00
unsigned long max = index | ( ( 1UL < < order ) - 1 ) ;
2016-05-21 03:03:42 +03:00
shift = radix_tree_load_root ( root , & child , & maxindex ) ;
2005-04-17 02:20:36 +04:00
/* Make sure the tree is high enough. */
2016-12-15 02:08:58 +03:00
if ( order > 0 & & max = = ( ( 1UL < < order ) - 1 ) )
max + + ;
2016-05-21 03:02:11 +03:00
if ( max > maxindex ) {
2016-05-21 03:03:19 +03:00
int error = radix_tree_extend ( root , max , shift ) ;
2016-05-21 03:02:11 +03:00
if ( error < 0 )
2005-04-17 02:20:36 +04:00
return error ;
2016-05-21 03:02:11 +03:00
shift = error ;
2016-05-21 03:03:42 +03:00
child = root - > rnode ;
2005-04-17 02:20:36 +04:00
}
2016-03-18 00:21:54 +03:00
while ( shift > order ) {
2016-05-21 03:03:10 +03:00
shift - = RADIX_TREE_MAP_SHIFT ;
2016-05-21 03:03:42 +03:00
if ( child = = NULL ) {
2005-04-17 02:20:36 +04:00
/* Have to add a child node. */
2016-12-15 02:09:31 +03:00
child = radix_tree_node_alloc ( root , node , shift ,
offset , 0 , 0 ) ;
2016-05-21 03:03:42 +03:00
if ( ! child )
2005-04-17 02:20:36 +04:00
return - ENOMEM ;
2016-05-21 03:03:42 +03:00
rcu_assign_pointer ( * slot , node_to_entry ( child ) ) ;
if ( node )
2005-04-17 02:20:36 +04:00
node - > count + + ;
2016-05-21 03:03:42 +03:00
} else if ( ! radix_tree_is_internal_node ( child ) )
2016-03-18 00:21:54 +03:00
break ;
2005-04-17 02:20:36 +04:00
/* Go a level down */
2016-05-21 03:03:42 +03:00
node = entry_to_node ( child ) ;
2016-05-21 03:03:48 +03:00
offset = radix_tree_descend ( node , & child , index ) ;
2016-05-21 03:03:42 +03:00
slot = & node - > slots [ offset ] ;
2016-03-18 00:21:54 +03:00
}
2016-12-15 02:08:58 +03:00
if ( nodep )
* nodep = node ;
if ( slotp )
* slotp = slot ;
return 0 ;
}
2016-05-21 03:01:54 +03:00
# ifdef CONFIG_RADIX_TREE_MULTIORDER
2016-12-15 02:08:58 +03:00
/*
* Free any nodes below this node . The tree is presumed to not need
* shrinking , and any user data in the tree is presumed to not need a
* destructor called on it . If we need to add a destructor , we can
* add that functionality later . Note that we may not clear tags or
* slots from the tree as an RCU walker may still have a pointer into
* this subtree . We could replace the entries with RADIX_TREE_RETRY ,
* but we ' ll still have to clear those in rcu_free .
*/
static void radix_tree_free_nodes ( struct radix_tree_node * node )
{
unsigned offset = 0 ;
struct radix_tree_node * child = entry_to_node ( node ) ;
for ( ; ; ) {
void * entry = child - > slots [ offset ] ;
if ( radix_tree_is_internal_node ( entry ) & &
! is_sibling_entry ( child , entry ) ) {
child = entry_to_node ( entry ) ;
offset = 0 ;
continue ;
}
offset + + ;
while ( offset = = RADIX_TREE_MAP_SIZE ) {
struct radix_tree_node * old = child ;
offset = child - > offset + 1 ;
child = child - > parent ;
mm: workingset: fix use-after-free in shadow node shrinker
Several people report seeing warnings about inconsistent radix tree
nodes followed by crashes in the workingset code, which all looked like
use-after-free access from the shadow node shrinker.
Dave Jones managed to reproduce the issue with a debug patch applied,
which confirmed that the radix tree shrinking indeed frees shadow nodes
while they are still linked to the shadow LRU:
WARNING: CPU: 2 PID: 53 at lib/radix-tree.c:643 delete_node+0x1e4/0x200
CPU: 2 PID: 53 Comm: kswapd0 Not tainted 4.10.0-rc2-think+ #3
Call Trace:
delete_node+0x1e4/0x200
__radix_tree_delete_node+0xd/0x10
shadow_lru_isolate+0xe6/0x220
__list_lru_walk_one.isra.4+0x9b/0x190
list_lru_walk_one+0x23/0x30
scan_shadow_nodes+0x2e/0x40
shrink_slab.part.44+0x23d/0x5d0
shrink_node+0x22c/0x330
kswapd+0x392/0x8f0
This is the WARN_ON_ONCE(!list_empty(&node->private_list)) placed in the
inlined radix_tree_shrink().
The problem is with 14b468791fa9 ("mm: workingset: move shadow entry
tracking to radix tree exceptional tracking"), which passes an update
callback into the radix tree to link and unlink shadow leaf nodes when
tree entries change, but forgot to pass the callback when reclaiming a
shadow node.
While the reclaimed shadow node itself is unlinked by the shrinker, its
deletion from the tree can cause the left-most leaf node in the tree to
be shrunk. If that happens to be a shadow node as well, we don't unlink
it from the LRU as we should.
Consider this tree, where the s are shadow entries:
root->rnode
|
[0 n]
| |
[s ] [sssss]
Now the shadow node shrinker reclaims the rightmost leaf node through
the shadow node LRU:
root->rnode
|
[0 ]
|
[s ]
Because the parent of the deleted node is the first level below the
root and has only one child in the left-most slot, the intermediate
level is shrunk and the node containing the single shadow is put in
its place:
root->rnode
|
[s ]
The shrinker again sees a single left-most slot in a first level node
and thus decides to store the shadow in root->rnode directly and free
the node - which is a leaf node on the shadow node LRU.
root->rnode
|
s
Without the update callback, the freed node remains on the shadow LRU,
where it causes later shrinker runs to crash.
Pass the node updater callback into __radix_tree_delete_node() in case
the deletion causes the left-most branch in the tree to collapse too.
Also add warnings when linked nodes are freed right away, rather than
wait for the use-after-free when the list is scanned much later.
Fixes: 14b468791fa9 ("mm: workingset: move shadow entry tracking to radix tree exceptional tracking")
Reported-by: Dave Chinner <david@fromorbit.com>
Reported-by: Hugh Dickins <hughd@google.com>
Reported-by: Andrea Arcangeli <aarcange@redhat.com>
Reported-and-tested-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Chris Leech <cleech@redhat.com>
Cc: Lee Duncan <lduncan@suse.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Matthew Wilcox <mawilcox@linuxonhyperv.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-01-07 03:21:43 +03:00
WARN_ON_ONCE ( ! list_empty ( & node - > private_list ) ) ;
2016-12-15 02:08:58 +03:00
radix_tree_node_free ( old ) ;
if ( old = = entry_to_node ( node ) )
return ;
}
}
}
static inline int insert_entries ( struct radix_tree_node * node , void * * slot ,
void * item , unsigned order , bool replace )
{
struct radix_tree_node * child ;
unsigned i , n , tag , offset , tags = 0 ;
if ( node ) {
2016-12-15 02:09:01 +03:00
if ( order > node - > shift )
n = 1 < < ( order - node - > shift ) ;
else
n = 1 ;
2016-12-15 02:08:58 +03:00
offset = get_slot_offset ( node , slot ) ;
} else {
n = 1 ;
offset = 0 ;
}
if ( n > 1 ) {
2016-03-18 00:21:54 +03:00
offset = offset & ~ ( n - 1 ) ;
2016-05-21 03:03:42 +03:00
slot = & node - > slots [ offset ] ;
2016-12-15 02:08:58 +03:00
}
child = node_to_entry ( slot ) ;
for ( i = 0 ; i < n ; i + + ) {
if ( slot [ i ] ) {
if ( replace ) {
node - > count - - ;
for ( tag = 0 ; tag < RADIX_TREE_MAX_TAGS ; tag + + )
if ( tag_get ( node , tag , offset + i ) )
tags | = 1 < < tag ;
} else
2016-03-18 00:21:54 +03:00
return - EEXIST ;
}
2016-12-15 02:08:58 +03:00
}
2016-03-18 00:21:54 +03:00
2016-12-15 02:08:58 +03:00
for ( i = 0 ; i < n ; i + + ) {
struct radix_tree_node * old = slot [ i ] ;
if ( i ) {
2016-05-21 03:03:42 +03:00
rcu_assign_pointer ( slot [ i ] , child ) ;
2016-12-15 02:08:58 +03:00
for ( tag = 0 ; tag < RADIX_TREE_MAX_TAGS ; tag + + )
if ( tags & ( 1 < < tag ) )
tag_clear ( node , tag , offset + i ) ;
} else {
rcu_assign_pointer ( slot [ i ] , item ) ;
for ( tag = 0 ; tag < RADIX_TREE_MAX_TAGS ; tag + + )
if ( tags & ( 1 < < tag ) )
tag_set ( node , tag , offset ) ;
2016-03-18 00:21:54 +03:00
}
2016-12-15 02:08:58 +03:00
if ( radix_tree_is_internal_node ( old ) & &
2016-12-15 02:09:01 +03:00
! is_sibling_entry ( node , old ) & &
( old ! = RADIX_TREE_RETRY ) )
2016-12-15 02:08:58 +03:00
radix_tree_free_nodes ( old ) ;
if ( radix_tree_exceptional_entry ( old ) )
node - > exceptional - - ;
2006-06-23 13:03:22 +04:00
}
2016-12-15 02:08:58 +03:00
if ( node ) {
node - > count + = n ;
if ( radix_tree_exceptional_entry ( item ) )
node - > exceptional + = n ;
}
return n ;
2014-04-04 01:47:54 +04:00
}
2016-12-15 02:08:58 +03:00
# else
static inline int insert_entries ( struct radix_tree_node * node , void * * slot ,
void * item , unsigned order , bool replace )
{
if ( * slot )
return - EEXIST ;
rcu_assign_pointer ( * slot , item ) ;
if ( node ) {
node - > count + + ;
if ( radix_tree_exceptional_entry ( item ) )
node - > exceptional + + ;
}
return 1 ;
}
# endif
2014-04-04 01:47:54 +04:00
/**
2016-03-18 00:21:54 +03:00
* __radix_tree_insert - insert into a radix tree
2014-04-04 01:47:54 +04:00
* @ root : radix tree root
* @ index : index key
2016-03-18 00:21:54 +03:00
* @ order : key covers the 2 ^ order indices around index
2014-04-04 01:47:54 +04:00
* @ item : item to insert
*
* Insert an item into the radix tree at position @ index .
*/
2016-03-18 00:21:54 +03:00
int __radix_tree_insert ( struct radix_tree_root * root , unsigned long index ,
unsigned order , void * item )
2014-04-04 01:47:54 +04:00
{
struct radix_tree_node * node ;
void * * slot ;
int error ;
2016-05-21 03:03:30 +03:00
BUG_ON ( radix_tree_is_internal_node ( item ) ) ;
2014-04-04 01:47:54 +04:00
2016-03-18 00:21:54 +03:00
error = __radix_tree_create ( root , index , order , & node , & slot ) ;
2014-04-04 01:47:54 +04:00
if ( error )
return error ;
2016-12-15 02:08:58 +03:00
error = insert_entries ( node , slot , item , order , false ) ;
if ( error < 0 )
return error ;
2005-09-07 02:16:46 +04:00
2006-06-23 13:03:22 +04:00
if ( node ) {
2016-05-21 03:02:23 +03:00
unsigned offset = get_slot_offset ( node , slot ) ;
BUG_ON ( tag_get ( node , 0 , offset ) ) ;
BUG_ON ( tag_get ( node , 1 , offset ) ) ;
BUG_ON ( tag_get ( node , 2 , offset ) ) ;
2006-06-23 13:03:22 +04:00
} else {
2016-05-21 03:02:23 +03:00
BUG_ON ( root_tags_get ( root ) ) ;
2006-06-23 13:03:22 +04:00
}
2005-04-17 02:20:36 +04:00
return 0 ;
}
2016-03-18 00:21:54 +03:00
EXPORT_SYMBOL ( __radix_tree_insert ) ;
2005-04-17 02:20:36 +04:00
2014-04-04 01:47:54 +04:00
/**
* __radix_tree_lookup - lookup an item in a radix tree
* @ root : radix tree root
* @ index : index key
* @ nodep : returns node
* @ slotp : returns slot
*
* Lookup and return the item at position @ index in the radix
* tree @ root .
*
* Until there is more than one item in the tree , no nodes are
* allocated and @ root - > rnode is used as a direct slot instead of
* pointing to a node , in which case * @ nodep will be NULL .
2006-12-07 07:33:44 +03:00
*/
2014-04-04 01:47:54 +04:00
void * __radix_tree_lookup ( struct radix_tree_root * root , unsigned long index ,
struct radix_tree_node * * nodep , void * * * slotp )
2005-04-17 02:20:36 +04:00
{
2014-04-04 01:47:54 +04:00
struct radix_tree_node * node , * parent ;
2016-05-21 03:02:20 +03:00
unsigned long maxindex ;
2014-04-04 01:47:54 +04:00
void * * slot ;
2006-06-23 13:03:22 +04:00
2016-05-21 03:02:20 +03:00
restart :
parent = NULL ;
slot = ( void * * ) & root - > rnode ;
2016-05-21 03:03:48 +03:00
radix_tree_load_root ( root , & node , & maxindex ) ;
2016-05-21 03:02:20 +03:00
if ( index > maxindex )
2005-04-17 02:20:36 +04:00
return NULL ;
2016-05-21 03:03:30 +03:00
while ( radix_tree_is_internal_node ( node ) ) {
2016-05-21 03:02:20 +03:00
unsigned offset ;
2005-04-17 02:20:36 +04:00
2016-05-21 03:02:20 +03:00
if ( node = = RADIX_TREE_RETRY )
goto restart ;
2016-05-21 03:03:27 +03:00
parent = entry_to_node ( node ) ;
2016-05-21 03:03:48 +03:00
offset = radix_tree_descend ( parent , & node , index ) ;
2016-05-21 03:02:20 +03:00
slot = parent - > slots + offset ;
}
2005-04-17 02:20:36 +04:00
2014-04-04 01:47:54 +04:00
if ( nodep )
* nodep = parent ;
if ( slotp )
* slotp = slot ;
return node ;
2009-06-17 02:33:42 +04:00
}
/**
* radix_tree_lookup_slot - lookup a slot in a radix tree
* @ root : radix tree root
* @ index : index key
*
* Returns : the slot corresponding to the position @ index in the
* radix tree @ root . This is useful for update - if - exists operations .
*
* This function can be called under rcu_read_lock iff the slot is not
* modified by radix_tree_replace_slot , otherwise it must be called
* exclusive from other writers . Any dereference of the slot must be done
* using radix_tree_deref_slot .
*/
void * * radix_tree_lookup_slot ( struct radix_tree_root * root , unsigned long index )
{
2014-04-04 01:47:54 +04:00
void * * slot ;
if ( ! __radix_tree_lookup ( root , index , NULL , & slot ) )
return NULL ;
return slot ;
2005-11-07 11:59:29 +03:00
}
EXPORT_SYMBOL ( radix_tree_lookup_slot ) ;
/**
* radix_tree_lookup - perform lookup operation on a radix tree
* @ root : radix tree root
* @ index : index key
*
* Lookup the item at the position @ index in the radix tree @ root .
2006-12-07 07:33:44 +03:00
*
* This function can be called under rcu_read_lock , however the caller
* must manage lifetimes of leaf nodes ( eg . RCU may also be used to free
* them safely ) . No RCU barriers are required to access or modify the
* returned item , however .
2005-11-07 11:59:29 +03:00
*/
void * radix_tree_lookup ( struct radix_tree_root * root , unsigned long index )
{
2014-04-04 01:47:54 +04:00
return __radix_tree_lookup ( root , index , NULL , NULL ) ;
2005-04-17 02:20:36 +04:00
}
EXPORT_SYMBOL ( radix_tree_lookup ) ;
2016-12-15 02:09:07 +03:00
static inline int slot_count ( struct radix_tree_node * node ,
void * * slot )
{
int n = 1 ;
# ifdef CONFIG_RADIX_TREE_MULTIORDER
void * ptr = node_to_entry ( slot ) ;
unsigned offset = get_slot_offset ( node , slot ) ;
int i ;
for ( i = 1 ; offset + i < RADIX_TREE_MAP_SIZE ; i + + ) {
if ( node - > slots [ offset + i ] ! = ptr )
break ;
n + + ;
}
# endif
return n ;
}
2016-12-13 03:43:43 +03:00
static void replace_slot ( struct radix_tree_root * root ,
struct radix_tree_node * node ,
void * * slot , void * item ,
bool warn_typeswitch )
2016-12-13 03:43:41 +03:00
{
void * old = rcu_dereference_raw ( * slot ) ;
2016-12-13 03:43:46 +03:00
int count , exceptional ;
2016-12-13 03:43:41 +03:00
WARN_ON_ONCE ( radix_tree_is_internal_node ( item ) ) ;
2016-12-13 03:43:46 +03:00
count = ! ! item - ! ! old ;
2016-12-13 03:43:41 +03:00
exceptional = ! ! radix_tree_exceptional_entry ( item ) -
! ! radix_tree_exceptional_entry ( old ) ;
2016-12-13 03:43:46 +03:00
WARN_ON_ONCE ( warn_typeswitch & & ( count | | exceptional ) ) ;
2016-12-13 03:43:41 +03:00
2016-12-13 03:43:46 +03:00
if ( node ) {
node - > count + = count ;
2016-12-15 02:09:07 +03:00
if ( exceptional ) {
exceptional * = slot_count ( node , slot ) ;
node - > exceptional + = exceptional ;
}
2016-12-13 03:43:46 +03:00
}
2016-12-13 03:43:41 +03:00
rcu_assign_pointer ( * slot , item ) ;
}
2016-12-15 02:09:07 +03:00
static inline void delete_sibling_entries ( struct radix_tree_node * node ,
void * * slot )
{
# ifdef CONFIG_RADIX_TREE_MULTIORDER
bool exceptional = radix_tree_exceptional_entry ( * slot ) ;
void * ptr = node_to_entry ( slot ) ;
unsigned offset = get_slot_offset ( node , slot ) ;
int i ;
for ( i = 1 ; offset + i < RADIX_TREE_MAP_SIZE ; i + + ) {
if ( node - > slots [ offset + i ] ! = ptr )
break ;
node - > slots [ offset + i ] = NULL ;
node - > count - - ;
if ( exceptional )
node - > exceptional - - ;
}
# endif
}
2016-12-13 03:43:43 +03:00
/**
* __radix_tree_replace - replace item in a slot
2016-12-13 03:43:49 +03:00
* @ root : radix tree root
* @ node : pointer to tree node
* @ slot : pointer to slot in @ node
* @ item : new item to store in the slot .
* @ update_node : callback for changing leaf nodes
* @ private : private data to pass to @ update_node
2016-12-13 03:43:43 +03:00
*
* For use with __radix_tree_lookup ( ) . Caller must hold tree write locked
* across slot lookup and replacement .
*/
void __radix_tree_replace ( struct radix_tree_root * root ,
struct radix_tree_node * node ,
2016-12-13 03:43:49 +03:00
void * * slot , void * item ,
radix_tree_update_node_t update_node , void * private )
2016-12-13 03:43:43 +03:00
{
2016-12-15 02:09:07 +03:00
if ( ! item )
delete_sibling_entries ( node , slot ) ;
2016-12-13 03:43:43 +03:00
/*
2016-12-13 03:43:46 +03:00
* This function supports replacing exceptional entries and
* deleting entries , but that needs accounting against the
* node unless the slot is root - > rnode .
2016-12-13 03:43:43 +03:00
*/
replace_slot ( root , node , slot , item ,
! node & & slot ! = ( void * * ) & root - > rnode ) ;
2016-12-13 03:43:46 +03:00
2016-12-13 03:43:49 +03:00
if ( ! node )
return ;
if ( update_node )
update_node ( node , private ) ;
delete_node ( root , node , update_node , private ) ;
2016-12-13 03:43:43 +03:00
}
/**
* radix_tree_replace_slot - replace item in a slot
* @ root : radix tree root
* @ slot : pointer to slot
* @ item : new item to store in the slot .
*
* For use with radix_tree_lookup_slot ( ) , radix_tree_gang_lookup_slot ( ) ,
* radix_tree_gang_lookup_tag_slot ( ) . Caller must hold tree write locked
* across slot lookup and replacement .
*
* NOTE : This cannot be used to switch between non - entries ( empty slots ) ,
* regular entries , and exceptional entries , as that requires accounting
2016-12-13 03:43:46 +03:00
* inside the radix tree node . When switching from one type of entry or
2016-12-15 02:09:01 +03:00
* deleting , use __radix_tree_lookup ( ) and __radix_tree_replace ( ) or
* radix_tree_iter_replace ( ) .
2016-12-13 03:43:43 +03:00
*/
void radix_tree_replace_slot ( struct radix_tree_root * root ,
void * * slot , void * item )
{
replace_slot ( root , NULL , slot , item , true ) ;
}
2016-12-15 02:09:01 +03:00
/**
* radix_tree_iter_replace - replace item in a slot
* @ root : radix tree root
* @ slot : pointer to slot
* @ item : new item to store in the slot .
*
* For use with radix_tree_split ( ) and radix_tree_for_each_slot ( ) .
* Caller must hold tree write locked across split and replacement .
*/
void radix_tree_iter_replace ( struct radix_tree_root * root ,
const struct radix_tree_iter * iter , void * * slot , void * item )
{
__radix_tree_replace ( root , iter - > node , slot , item , NULL , NULL ) ;
}
2016-12-15 02:08:58 +03:00
# ifdef CONFIG_RADIX_TREE_MULTIORDER
/**
* radix_tree_join - replace multiple entries with one multiorder entry
* @ root : radix tree root
* @ index : an index inside the new entry
* @ order : order of the new entry
* @ item : new entry
*
* Call this function to replace several entries with one larger entry .
* The existing entries are presumed to not need freeing as a result of
* this call .
*
* The replacement entry will have all the tags set on it that were set
* on any of the entries it is replacing .
*/
int radix_tree_join ( struct radix_tree_root * root , unsigned long index ,
unsigned order , void * item )
{
struct radix_tree_node * node ;
void * * slot ;
int error ;
BUG_ON ( radix_tree_is_internal_node ( item ) ) ;
error = __radix_tree_create ( root , index , order , & node , & slot ) ;
if ( ! error )
error = insert_entries ( node , slot , item , order , true ) ;
if ( error > 0 )
error = 0 ;
return error ;
}
2016-12-15 02:09:01 +03:00
/**
* radix_tree_split - Split an entry into smaller entries
* @ root : radix tree root
* @ index : An index within the large entry
* @ order : Order of new entries
*
* Call this function as the first step in replacing a multiorder entry
* with several entries of lower order . After this function returns ,
* loop over the relevant portion of the tree using radix_tree_for_each_slot ( )
* and call radix_tree_iter_replace ( ) to set up each new entry .
*
* The tags from this entry are replicated to all the new entries .
*
* The radix tree should be locked against modification during the entire
* replacement operation . Lock - free lookups will see RADIX_TREE_RETRY which
* should prompt RCU walkers to restart the lookup from the root .
*/
int radix_tree_split ( struct radix_tree_root * root , unsigned long index ,
unsigned order )
{
struct radix_tree_node * parent , * node , * child ;
void * * slot ;
unsigned int offset , end ;
unsigned n , tag , tags = 0 ;
if ( ! __radix_tree_lookup ( root , index , & parent , & slot ) )
return - ENOENT ;
if ( ! parent )
return - ENOENT ;
offset = get_slot_offset ( parent , slot ) ;
for ( tag = 0 ; tag < RADIX_TREE_MAX_TAGS ; tag + + )
if ( tag_get ( parent , tag , offset ) )
tags | = 1 < < tag ;
for ( end = offset + 1 ; end < RADIX_TREE_MAP_SIZE ; end + + ) {
if ( ! is_sibling_entry ( parent , parent - > slots [ end ] ) )
break ;
for ( tag = 0 ; tag < RADIX_TREE_MAX_TAGS ; tag + + )
if ( tags & ( 1 < < tag ) )
tag_set ( parent , tag , end ) ;
/* rcu_assign_pointer ensures tags are set before RETRY */
rcu_assign_pointer ( parent - > slots [ end ] , RADIX_TREE_RETRY ) ;
}
rcu_assign_pointer ( parent - > slots [ offset ] , RADIX_TREE_RETRY ) ;
parent - > exceptional - = ( end - offset ) ;
if ( order = = parent - > shift )
return 0 ;
if ( order > parent - > shift ) {
while ( offset < end )
offset + = insert_entries ( parent , & parent - > slots [ offset ] ,
RADIX_TREE_RETRY , order , true ) ;
return 0 ;
}
node = parent ;
for ( ; ; ) {
if ( node - > shift > order ) {
2016-12-15 02:09:31 +03:00
child = radix_tree_node_alloc ( root , node ,
node - > shift - RADIX_TREE_MAP_SHIFT ,
offset , 0 , 0 ) ;
2016-12-15 02:09:01 +03:00
if ( ! child )
goto nomem ;
if ( node ! = parent ) {
node - > count + + ;
node - > slots [ offset ] = node_to_entry ( child ) ;
for ( tag = 0 ; tag < RADIX_TREE_MAX_TAGS ; tag + + )
if ( tags & ( 1 < < tag ) )
tag_set ( node , tag , offset ) ;
}
node = child ;
offset = 0 ;
continue ;
}
n = insert_entries ( node , & node - > slots [ offset ] ,
RADIX_TREE_RETRY , order , false ) ;
BUG_ON ( n > RADIX_TREE_MAP_SIZE ) ;
for ( tag = 0 ; tag < RADIX_TREE_MAX_TAGS ; tag + + )
if ( tags & ( 1 < < tag ) )
tag_set ( node , tag , offset ) ;
offset + = n ;
while ( offset = = RADIX_TREE_MAP_SIZE ) {
if ( node = = parent )
break ;
offset = node - > offset ;
child = node ;
node = node - > parent ;
rcu_assign_pointer ( node - > slots [ offset ] ,
node_to_entry ( child ) ) ;
offset + + ;
}
if ( ( node = = parent ) & & ( offset = = end ) )
return 0 ;
}
nomem :
/* Shouldn't happen; did user forget to preload? */
/* TODO: free all the allocated nodes */
WARN_ON ( 1 ) ;
return - ENOMEM ;
}
2016-12-15 02:08:58 +03:00
# endif
2005-04-17 02:20:36 +04:00
/**
* radix_tree_tag_set - set a tag on a radix tree node
* @ root : radix tree root
* @ index : index key
2016-05-21 03:03:04 +03:00
* @ tag : tag index
2005-04-17 02:20:36 +04:00
*
2006-03-25 14:08:05 +03:00
* Set the search tag ( which must be < RADIX_TREE_MAX_TAGS )
* corresponding to @ index in the radix tree . From
2005-04-17 02:20:36 +04:00
* the root all the way down to the leaf node .
*
2016-05-21 03:03:04 +03:00
* Returns the address of the tagged item . Setting a tag on a not - present
2005-04-17 02:20:36 +04:00
* item is a bug .
*/
void * radix_tree_tag_set ( struct radix_tree_root * root ,
2006-03-25 14:08:05 +03:00
unsigned long index , unsigned int tag )
2005-04-17 02:20:36 +04:00
{
2016-05-21 03:02:32 +03:00
struct radix_tree_node * node , * parent ;
unsigned long maxindex ;
2005-04-17 02:20:36 +04:00
2016-05-21 03:03:48 +03:00
radix_tree_load_root ( root , & node , & maxindex ) ;
2016-05-21 03:02:32 +03:00
BUG_ON ( index > maxindex ) ;
2005-04-17 02:20:36 +04:00
2016-05-21 03:03:30 +03:00
while ( radix_tree_is_internal_node ( node ) ) {
2016-05-21 03:02:32 +03:00
unsigned offset ;
2005-04-17 02:20:36 +04:00
2016-05-21 03:03:27 +03:00
parent = entry_to_node ( node ) ;
2016-05-21 03:03:48 +03:00
offset = radix_tree_descend ( parent , & node , index ) ;
2016-05-21 03:02:32 +03:00
BUG_ON ( ! node ) ;
if ( ! tag_get ( parent , tag , offset ) )
tag_set ( parent , tag , offset ) ;
2005-04-17 02:20:36 +04:00
}
2006-06-23 13:03:22 +04:00
/* set the root's tag bit */
2016-05-21 03:02:32 +03:00
if ( ! root_tag_get ( root , tag ) )
2006-06-23 13:03:22 +04:00
root_tag_set ( root , tag ) ;
2016-05-21 03:02:32 +03:00
return node ;
2005-04-17 02:20:36 +04:00
}
EXPORT_SYMBOL ( radix_tree_tag_set ) ;
2016-05-21 03:03:45 +03:00
static void node_tag_clear ( struct radix_tree_root * root ,
struct radix_tree_node * node ,
unsigned int tag , unsigned int offset )
{
while ( node ) {
if ( ! tag_get ( node , tag , offset ) )
return ;
tag_clear ( node , tag , offset ) ;
if ( any_tag_set ( node , tag ) )
return ;
offset = node - > offset ;
node = node - > parent ;
}
/* clear the root's tag bit */
if ( root_tag_get ( root , tag ) )
root_tag_clear ( root , tag ) ;
}
2016-12-15 02:08:37 +03:00
static void node_tag_set ( struct radix_tree_root * root ,
struct radix_tree_node * node ,
unsigned int tag , unsigned int offset )
{
while ( node ) {
if ( tag_get ( node , tag , offset ) )
return ;
tag_set ( node , tag , offset ) ;
offset = node - > offset ;
node = node - > parent ;
}
if ( ! root_tag_get ( root , tag ) )
root_tag_set ( root , tag ) ;
}
2016-12-15 02:08:55 +03:00
/**
* radix_tree_iter_tag_set - set a tag on the current iterator entry
* @ root : radix tree root
* @ iter : iterator state
* @ tag : tag to set
*/
void radix_tree_iter_tag_set ( struct radix_tree_root * root ,
const struct radix_tree_iter * iter , unsigned int tag )
{
node_tag_set ( root , iter - > node , tag , iter_offset ( iter ) ) ;
}
2005-04-17 02:20:36 +04:00
/**
* radix_tree_tag_clear - clear a tag on a radix tree node
* @ root : radix tree root
* @ index : index key
2016-05-21 03:03:04 +03:00
* @ tag : tag index
2005-04-17 02:20:36 +04:00
*
2006-03-25 14:08:05 +03:00
* Clear the search tag ( which must be < RADIX_TREE_MAX_TAGS )
2016-05-21 03:03:04 +03:00
* corresponding to @ index in the radix tree . If this causes
* the leaf node to have no tags set then clear the tag in the
2005-04-17 02:20:36 +04:00
* next - to - leaf node , etc .
*
* Returns the address of the tagged item on success , else NULL . ie :
* has the same return value and semantics as radix_tree_lookup ( ) .
*/
void * radix_tree_tag_clear ( struct radix_tree_root * root ,
2006-03-25 14:08:05 +03:00
unsigned long index , unsigned int tag )
2005-04-17 02:20:36 +04:00
{
2016-05-21 03:02:35 +03:00
struct radix_tree_node * node , * parent ;
unsigned long maxindex ;
radix_tree: take radix_tree_path off stack
Down, down in the deepest depths of GFP_NOIO page reclaim, we have
shrink_page_list() calling __remove_mapping() calling __delete_from_
swap_cache() or __delete_from_page_cache().
You would not expect those to need much stack, but in fact they call
radix_tree_delete(): which declares a 192-byte radix_tree_path array on
its stack (to record the node,offsets it visits when descending, in case
it needs to ascend to update them). And if any tag is still set [1],
that calls radix_tree_tag_clear(), which declares a further such
192-byte radix_tree_path array on the stack. (At least we have
interrupts disabled here, so won't then be pushing registers too.)
That was probably a good choice when most users were 32-bit (array of
half the size), and adding fields to radix_tree_node would have bloated
it unnecessarily. But nowadays many are 64-bit, and each
radix_tree_node contains a struct rcu_head, which is only used when
freeing; whereas the radix_tree_path info is only used for updating the
tree (deleting, clearing tags or setting tags if tagged) when a lock
must be held, of no interest when accessing the tree locklessly.
So add a parent pointer to the radix_tree_node, in union with the
rcu_head, and remove all uses of the radix_tree_path. There would be
space in that union to save the offset when descending as before (we can
argue that a lock must already be held to exclude other users), but
recalculating it when ascending is both easy (a constant shift and a
constant mask) and uncommon, so it seems better just to do that.
Two little optimizations: no need to decrement height when descending,
adjusting shift is enough; and once radix_tree_tag_if_tagged() has set
tag on a node and its ancestors, it need not ascend from that node
again.
perf on the radix tree test harness reports radix_tree_insert() as 2%
slower (now having to set parent), but radix_tree_delete() 24% faster.
Surely that's an exaggeration from rtth's artificially low map shift 3,
but forcing it back to 6 still rates radix_tree_delete() 8% faster.
[1] Can a pagecache tag (dirty, writeback or towrite) actually still be
set at the time of radix_tree_delete()? Perhaps not if the filesystem is
well-behaved. But although I've not tracked any stack overflow down to
this cause, I have observed a curious case in which a dirty tag is set
and left set on tmpfs: page migration's migrate_page_copy() happens to
use __set_page_dirty_nobuffers() to set PageDirty on the newpage, and
that sets PAGECACHE_TAG_DIRTY as a side-effect - harmless to a
filesystem which doesn't use tags, except for this stack depth issue.
Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Nai Xia <nai.xia@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-13 05:20:41 +04:00
int uninitialized_var ( offset ) ;
2005-04-17 02:20:36 +04:00
2016-05-21 03:03:48 +03:00
radix_tree_load_root ( root , & node , & maxindex ) ;
2016-05-21 03:02:35 +03:00
if ( index > maxindex )
return NULL ;
2005-04-17 02:20:36 +04:00
2016-05-21 03:02:35 +03:00
parent = NULL ;
2005-04-17 02:20:36 +04:00
2016-05-21 03:03:30 +03:00
while ( radix_tree_is_internal_node ( node ) ) {
2016-05-21 03:03:27 +03:00
parent = entry_to_node ( node ) ;
2016-05-21 03:03:48 +03:00
offset = radix_tree_descend ( parent , & node , index ) ;
2005-04-17 02:20:36 +04:00
}
2016-05-21 03:03:45 +03:00
if ( node )
node_tag_clear ( root , parent , tag , offset ) ;
2005-04-17 02:20:36 +04:00
2016-05-21 03:02:35 +03:00
return node ;
2005-04-17 02:20:36 +04:00
}
EXPORT_SYMBOL ( radix_tree_tag_clear ) ;
/**
2005-09-07 02:16:48 +04:00
* radix_tree_tag_get - get a tag on a radix tree node
* @ root : radix tree root
* @ index : index key
2016-05-21 03:03:04 +03:00
* @ tag : tag index ( < RADIX_TREE_MAX_TAGS )
2005-04-17 02:20:36 +04:00
*
2005-09-07 02:16:48 +04:00
* Return values :
2005-04-17 02:20:36 +04:00
*
2006-06-23 13:03:22 +04:00
* 0 : tag not present or not set
* 1 : tag set
radix_tree_tag_get() is not as safe as the docs make out [ver #2]
radix_tree_tag_get() is not safe to use concurrently with radix_tree_tag_set()
or radix_tree_tag_clear(). The problem is that the double tag_get() in
radix_tree_tag_get():
if (!tag_get(node, tag, offset))
saw_unset_tag = 1;
if (height == 1) {
int ret = tag_get(node, tag, offset);
may see the value change due to the action of set/clear. RCU is no protection
against this as no pointers are being changed, no nodes are being replaced
according to a COW protocol - set/clear alter the node directly.
The documentation in linux/radix-tree.h, however, says that
radix_tree_tag_get() is an exception to the rule that "any function modifying
the tree or tags (...) must exclude other modifications, and exclude any
functions reading the tree".
The problem is that the next statement in radix_tree_tag_get() checks that the
tag doesn't vary over time:
BUG_ON(ret && saw_unset_tag);
This has been seen happening in FS-Cache:
https://www.redhat.com/archives/linux-cachefs/2010-April/msg00013.html
To this end, remove the BUG_ON() from radix_tree_tag_get() and note in various
comments that the value of the tag may change whilst the RCU read lock is held,
and thus that the return value of radix_tree_tag_get() may not be relied upon
unless radix_tree_tag_set/clear() and radix_tree_delete() are excluded from
running concurrently with it.
Reported-by: Romain DEGEZ <romain.degez@smartjog.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Nick Piggin <npiggin@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-04-07 01:36:20 +04:00
*
* Note that the return value of this function may not be relied on , even if
* the RCU lock is held , unless tag modification and node deletion are excluded
* from concurrency .
2005-04-17 02:20:36 +04:00
*/
int radix_tree_tag_get ( struct radix_tree_root * root ,
2006-03-25 14:08:05 +03:00
unsigned long index , unsigned int tag )
2005-04-17 02:20:36 +04:00
{
2016-05-21 03:02:38 +03:00
struct radix_tree_node * node , * parent ;
unsigned long maxindex ;
2005-04-17 02:20:36 +04:00
2006-06-23 13:03:22 +04:00
if ( ! root_tag_get ( root , tag ) )
return 0 ;
2016-05-21 03:03:48 +03:00
radix_tree_load_root ( root , & node , & maxindex ) ;
2016-05-21 03:02:38 +03:00
if ( index > maxindex )
return 0 ;
2006-12-07 07:33:44 +03:00
if ( node = = NULL )
return 0 ;
2016-05-21 03:03:30 +03:00
while ( radix_tree_is_internal_node ( node ) ) {
2016-05-21 03:03:48 +03:00
unsigned offset ;
2005-04-17 02:20:36 +04:00
2016-05-21 03:03:27 +03:00
parent = entry_to_node ( node ) ;
2016-05-21 03:03:48 +03:00
offset = radix_tree_descend ( parent , & node , index ) ;
2005-04-17 02:20:36 +04:00
2016-05-21 03:02:38 +03:00
if ( ! node )
2005-04-17 02:20:36 +04:00
return 0 ;
2016-05-21 03:02:38 +03:00
if ( ! tag_get ( parent , tag , offset ) )
2011-11-01 04:07:02 +04:00
return 0 ;
2016-05-21 03:02:38 +03:00
if ( node = = RADIX_TREE_RETRY )
break ;
2005-04-17 02:20:36 +04:00
}
2016-05-21 03:02:38 +03:00
return 1 ;
2005-04-17 02:20:36 +04:00
}
EXPORT_SYMBOL ( radix_tree_tag_get ) ;
2016-05-21 03:02:26 +03:00
static inline void __set_iter_shift ( struct radix_tree_iter * iter ,
unsigned int shift )
{
# ifdef CONFIG_RADIX_TREE_MULTIORDER
iter - > shift = shift ;
# endif
}
2016-12-15 02:08:49 +03:00
/* Construct iter->tags bit-mask from node->tags[tag] array */
static void set_iter_tags ( struct radix_tree_iter * iter ,
struct radix_tree_node * node , unsigned offset ,
unsigned tag )
{
unsigned tag_long = offset / BITS_PER_LONG ;
unsigned tag_bit = offset % BITS_PER_LONG ;
iter - > tags = node - > tags [ tag ] [ tag_long ] > > tag_bit ;
/* This never happens if RADIX_TREE_TAG_LONGS == 1 */
if ( tag_long < RADIX_TREE_TAG_LONGS - 1 ) {
/* Pick tags from next element */
if ( tag_bit )
iter - > tags | = node - > tags [ tag ] [ tag_long + 1 ] < <
( BITS_PER_LONG - tag_bit ) ;
/* Clip chunk size, here only BITS_PER_LONG tags */
iter - > next_index = __radix_tree_iter_add ( iter , BITS_PER_LONG ) ;
}
}
# ifdef CONFIG_RADIX_TREE_MULTIORDER
static void * * skip_siblings ( struct radix_tree_node * * nodep ,
void * * slot , struct radix_tree_iter * iter )
{
void * sib = node_to_entry ( slot - 1 ) ;
while ( iter - > index < iter - > next_index ) {
* nodep = rcu_dereference_raw ( * slot ) ;
if ( * nodep & & * nodep ! = sib )
return slot ;
slot + + ;
iter - > index = __radix_tree_iter_add ( iter , 1 ) ;
iter - > tags > > = 1 ;
}
* nodep = NULL ;
return NULL ;
}
void * * __radix_tree_next_slot ( void * * slot , struct radix_tree_iter * iter ,
unsigned flags )
{
unsigned tag = flags & RADIX_TREE_ITER_TAG_MASK ;
struct radix_tree_node * node = rcu_dereference_raw ( * slot ) ;
slot = skip_siblings ( & node , slot , iter ) ;
while ( radix_tree_is_internal_node ( node ) ) {
unsigned offset ;
unsigned long next_index ;
if ( node = = RADIX_TREE_RETRY )
return slot ;
node = entry_to_node ( node ) ;
2016-12-15 02:08:55 +03:00
iter - > node = node ;
2016-12-15 02:08:49 +03:00
iter - > shift = node - > shift ;
if ( flags & RADIX_TREE_ITER_TAGGED ) {
offset = radix_tree_find_next_bit ( node , tag , 0 ) ;
if ( offset = = RADIX_TREE_MAP_SIZE )
return NULL ;
slot = & node - > slots [ offset ] ;
iter - > index = __radix_tree_iter_add ( iter , offset ) ;
set_iter_tags ( iter , node , offset , tag ) ;
node = rcu_dereference_raw ( * slot ) ;
} else {
offset = 0 ;
slot = & node - > slots [ 0 ] ;
for ( ; ; ) {
node = rcu_dereference_raw ( * slot ) ;
if ( node )
break ;
slot + + ;
offset + + ;
if ( offset = = RADIX_TREE_MAP_SIZE )
return NULL ;
}
iter - > index = __radix_tree_iter_add ( iter , offset ) ;
}
if ( ( flags & RADIX_TREE_ITER_CONTIG ) & & ( offset > 0 ) )
goto none ;
next_index = ( iter - > index | shift_maxindex ( iter - > shift ) ) + 1 ;
if ( next_index < iter - > next_index )
iter - > next_index = next_index ;
}
return slot ;
none :
iter - > next_index = 0 ;
return NULL ;
}
EXPORT_SYMBOL ( __radix_tree_next_slot ) ;
# else
static void * * skip_siblings ( struct radix_tree_node * * nodep ,
void * * slot , struct radix_tree_iter * iter )
{
return slot ;
}
# endif
void * * radix_tree_iter_resume ( void * * slot , struct radix_tree_iter * iter )
{
struct radix_tree_node * node ;
slot + + ;
iter - > index = __radix_tree_iter_add ( iter , 1 ) ;
node = rcu_dereference_raw ( * slot ) ;
skip_siblings ( & node , slot , iter ) ;
iter - > next_index = iter - > index ;
iter - > tags = 0 ;
return NULL ;
}
EXPORT_SYMBOL ( radix_tree_iter_resume ) ;
2012-03-29 01:42:53 +04:00
/**
* radix_tree_next_chunk - find next chunk of slots for iteration
*
* @ root : radix tree root
* @ iter : iterator state
* @ flags : RADIX_TREE_ITER_ * flags and tag index
* Returns : pointer to chunk first slot , or NULL if iteration is over
*/
void * * radix_tree_next_chunk ( struct radix_tree_root * root ,
struct radix_tree_iter * iter , unsigned flags )
{
2016-05-21 03:03:48 +03:00
unsigned tag = flags & RADIX_TREE_ITER_TAG_MASK ;
2016-05-21 03:03:36 +03:00
struct radix_tree_node * node , * child ;
2016-05-21 03:02:26 +03:00
unsigned long index , offset , maxindex ;
2012-03-29 01:42:53 +04:00
if ( ( flags & RADIX_TREE_ITER_TAGGED ) & & ! root_tag_get ( root , tag ) )
return NULL ;
/*
* Catch next_index overflow after ~ 0UL . iter - > index never overflows
* during iterating ; it can be zero only at the beginning .
* And we cannot overflow iter - > next_index in a single step ,
* because RADIX_TREE_MAP_SHIFT < BITS_PER_LONG .
2012-06-05 21:36:33 +04:00
*
* This condition also used by radix_tree_next_slot ( ) to stop
2016-12-15 02:08:31 +03:00
* contiguous iterating , and forbid switching to the next chunk .
2012-03-29 01:42:53 +04:00
*/
index = iter - > next_index ;
if ( ! index & & iter - > index )
return NULL ;
2016-05-21 03:02:26 +03:00
restart :
2016-05-21 03:03:48 +03:00
radix_tree_load_root ( root , & child , & maxindex ) ;
2016-05-21 03:02:26 +03:00
if ( index > maxindex )
return NULL ;
2016-05-21 03:03:36 +03:00
if ( ! child )
return NULL ;
2016-05-21 03:02:26 +03:00
2016-05-21 03:03:36 +03:00
if ( ! radix_tree_is_internal_node ( child ) ) {
2012-03-29 01:42:53 +04:00
/* Single-slot tree */
2016-05-21 03:02:26 +03:00
iter - > index = index ;
iter - > next_index = maxindex + 1 ;
2012-03-29 01:42:53 +04:00
iter - > tags = 1 ;
2016-12-15 02:08:55 +03:00
iter - > node = NULL ;
2016-05-21 03:03:36 +03:00
__set_iter_shift ( iter , 0 ) ;
2012-03-29 01:42:53 +04:00
return ( void * * ) & root - > rnode ;
2016-05-21 03:03:36 +03:00
}
2016-05-21 03:02:26 +03:00
2016-05-21 03:03:36 +03:00
do {
node = entry_to_node ( child ) ;
2016-05-21 03:03:48 +03:00
offset = radix_tree_descend ( node , & child , index ) ;
2016-05-21 03:02:26 +03:00
2012-03-29 01:42:53 +04:00
if ( ( flags & RADIX_TREE_ITER_TAGGED ) ?
2016-05-21 03:03:36 +03:00
! tag_get ( node , tag , offset ) : ! child ) {
2012-03-29 01:42:53 +04:00
/* Hole detected */
if ( flags & RADIX_TREE_ITER_CONTIG )
return NULL ;
if ( flags & RADIX_TREE_ITER_TAGGED )
2016-12-15 02:08:40 +03:00
offset = radix_tree_find_next_bit ( node , tag ,
2012-03-29 01:42:53 +04:00
offset + 1 ) ;
else
while ( + + offset < RADIX_TREE_MAP_SIZE ) {
2016-05-21 03:02:26 +03:00
void * slot = node - > slots [ offset ] ;
if ( is_sibling_entry ( node , slot ) )
continue ;
if ( slot )
2012-03-29 01:42:53 +04:00
break ;
}
2016-05-21 03:03:36 +03:00
index & = ~ node_maxindex ( node ) ;
2016-05-21 03:03:48 +03:00
index + = offset < < node - > shift ;
2012-03-29 01:42:53 +04:00
/* Overflow after ~0UL */
if ( ! index )
return NULL ;
if ( offset = = RADIX_TREE_MAP_SIZE )
goto restart ;
2016-05-21 03:03:36 +03:00
child = rcu_dereference_raw ( node - > slots [ offset ] ) ;
2012-03-29 01:42:53 +04:00
}
2016-12-15 02:09:01 +03:00
if ( ! child )
2012-03-29 01:42:53 +04:00
goto restart ;
2016-12-15 02:09:01 +03:00
if ( child = = RADIX_TREE_RETRY )
break ;
2016-05-21 03:03:36 +03:00
} while ( radix_tree_is_internal_node ( child ) ) ;
2012-03-29 01:42:53 +04:00
/* Update the iterator state */
2016-05-21 03:03:36 +03:00
iter - > index = ( index & ~ node_maxindex ( node ) ) | ( offset < < node - > shift ) ;
iter - > next_index = ( index | node_maxindex ( node ) ) + 1 ;
2016-12-15 02:08:55 +03:00
iter - > node = node ;
2016-05-21 03:03:48 +03:00
__set_iter_shift ( iter , node - > shift ) ;
2012-03-29 01:42:53 +04:00
2016-12-15 02:08:49 +03:00
if ( flags & RADIX_TREE_ITER_TAGGED )
set_iter_tags ( iter , node , offset , tag ) ;
2012-03-29 01:42:53 +04:00
return node - > slots + offset ;
}
EXPORT_SYMBOL ( radix_tree_next_chunk ) ;
2005-04-17 02:20:36 +04:00
/**
* radix_tree_gang_lookup - perform multiple lookup on a radix tree
* @ root : radix tree root
* @ results : where the results of the lookup are placed
* @ first_index : start the lookup from this key
* @ max_items : place up to this many items at * results
*
* Performs an index - ascending scan of the tree for present items . Places
* them at * @ results and returns the number of items which were placed at
* * @ results .
*
* The implementation is naive .
2006-12-07 07:33:44 +03:00
*
* Like radix_tree_lookup , radix_tree_gang_lookup may be called under
* rcu_read_lock . In this case , rather than the returned results being
2016-05-21 03:03:04 +03:00
* an atomic snapshot of the tree at a single point in time , the
* semantics of an RCU protected gang lookup are as though multiple
* radix_tree_lookups have been issued in individual locks , and results
* stored in ' results ' .
2005-04-17 02:20:36 +04:00
*/
unsigned int
radix_tree_gang_lookup ( struct radix_tree_root * root , void * * results ,
unsigned long first_index , unsigned int max_items )
{
2012-03-29 01:42:53 +04:00
struct radix_tree_iter iter ;
void * * slot ;
unsigned int ret = 0 ;
2006-12-07 07:33:44 +03:00
2012-03-29 01:42:53 +04:00
if ( unlikely ( ! max_items ) )
2006-12-07 07:33:44 +03:00
return 0 ;
2005-04-17 02:20:36 +04:00
2012-03-29 01:42:53 +04:00
radix_tree_for_each_slot ( slot , root , & iter , first_index ) {
2016-02-03 03:57:52 +03:00
results [ ret ] = rcu_dereference_raw ( * slot ) ;
2012-03-29 01:42:53 +04:00
if ( ! results [ ret ] )
continue ;
2016-05-21 03:03:30 +03:00
if ( radix_tree_is_internal_node ( results [ ret ] ) ) {
2016-02-03 03:57:52 +03:00
slot = radix_tree_iter_retry ( & iter ) ;
continue ;
}
2012-03-29 01:42:53 +04:00
if ( + + ret = = max_items )
2005-04-17 02:20:36 +04:00
break ;
}
2006-12-07 07:33:44 +03:00
2005-04-17 02:20:36 +04:00
return ret ;
}
EXPORT_SYMBOL ( radix_tree_gang_lookup ) ;
2008-07-26 06:45:29 +04:00
/**
* radix_tree_gang_lookup_slot - perform multiple slot lookup on radix tree
* @ root : radix tree root
* @ results : where the results of the lookup are placed
radix_tree: exceptional entries and indices
A patchset to extend tmpfs to MAX_LFS_FILESIZE by abandoning its
peculiar swap vector, instead keeping a file's swap entries in the same
radix tree as its struct page pointers: thus saving memory, and
simplifying its code and locking.
This patch:
The radix_tree is used by several subsystems for different purposes. A
major use is to store the struct page pointers of a file's pagecache for
memory management. But what if mm wanted to store something other than
page pointers there too?
The low bit of a radix_tree entry is already used to denote an indirect
pointer, for internal use, and the unlikely radix_tree_deref_retry()
case.
Define the next bit as denoting an exceptional entry, and supply inline
functions radix_tree_exception() to return non-0 in either unlikely
case, and radix_tree_exceptional_entry() to return non-0 in the second
case.
If a subsystem already uses radix_tree with that bit set, no problem: it
does not affect internal workings at all, but is defined for the
convenience of those storing well-aligned pointers in the radix_tree.
The radix_tree_gang_lookups have an implicit assumption that the caller
can deduce the offset of each entry returned e.g. by the page->index of
a struct page. But that may not be feasible for some kinds of item to
be stored there.
radix_tree_gang_lookup_slot() allow for an optional indices argument,
output array in which to return those offsets. The same could be added
to other radix_tree_gang_lookups, but for now keep it to the only one
for which we need it.
Signed-off-by: Hugh Dickins <hughd@google.com>
Acked-by: Rik van Riel <riel@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-08-04 03:21:18 +04:00
* @ indices : where their indices should be placed ( but usually NULL )
2008-07-26 06:45:29 +04:00
* @ first_index : start the lookup from this key
* @ max_items : place up to this many items at * results
*
* Performs an index - ascending scan of the tree for present items . Places
* their slots at * @ results and returns the number of items which were
* placed at * @ results .
*
* The implementation is naive .
*
* Like radix_tree_gang_lookup as far as RCU and locking goes . Slots must
* be dereferenced with radix_tree_deref_slot , and if using only RCU
* protection , radix_tree_deref_slot may fail requiring a retry .
*/
unsigned int
radix_tree: exceptional entries and indices
A patchset to extend tmpfs to MAX_LFS_FILESIZE by abandoning its
peculiar swap vector, instead keeping a file's swap entries in the same
radix tree as its struct page pointers: thus saving memory, and
simplifying its code and locking.
This patch:
The radix_tree is used by several subsystems for different purposes. A
major use is to store the struct page pointers of a file's pagecache for
memory management. But what if mm wanted to store something other than
page pointers there too?
The low bit of a radix_tree entry is already used to denote an indirect
pointer, for internal use, and the unlikely radix_tree_deref_retry()
case.
Define the next bit as denoting an exceptional entry, and supply inline
functions radix_tree_exception() to return non-0 in either unlikely
case, and radix_tree_exceptional_entry() to return non-0 in the second
case.
If a subsystem already uses radix_tree with that bit set, no problem: it
does not affect internal workings at all, but is defined for the
convenience of those storing well-aligned pointers in the radix_tree.
The radix_tree_gang_lookups have an implicit assumption that the caller
can deduce the offset of each entry returned e.g. by the page->index of
a struct page. But that may not be feasible for some kinds of item to
be stored there.
radix_tree_gang_lookup_slot() allow for an optional indices argument,
output array in which to return those offsets. The same could be added
to other radix_tree_gang_lookups, but for now keep it to the only one
for which we need it.
Signed-off-by: Hugh Dickins <hughd@google.com>
Acked-by: Rik van Riel <riel@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-08-04 03:21:18 +04:00
radix_tree_gang_lookup_slot ( struct radix_tree_root * root ,
void * * * results , unsigned long * indices ,
2008-07-26 06:45:29 +04:00
unsigned long first_index , unsigned int max_items )
{
2012-03-29 01:42:53 +04:00
struct radix_tree_iter iter ;
void * * slot ;
unsigned int ret = 0 ;
2008-07-26 06:45:29 +04:00
2012-03-29 01:42:53 +04:00
if ( unlikely ( ! max_items ) )
2008-07-26 06:45:29 +04:00
return 0 ;
2012-03-29 01:42:53 +04:00
radix_tree_for_each_slot ( slot , root , & iter , first_index ) {
results [ ret ] = slot ;
radix_tree: exceptional entries and indices
A patchset to extend tmpfs to MAX_LFS_FILESIZE by abandoning its
peculiar swap vector, instead keeping a file's swap entries in the same
radix tree as its struct page pointers: thus saving memory, and
simplifying its code and locking.
This patch:
The radix_tree is used by several subsystems for different purposes. A
major use is to store the struct page pointers of a file's pagecache for
memory management. But what if mm wanted to store something other than
page pointers there too?
The low bit of a radix_tree entry is already used to denote an indirect
pointer, for internal use, and the unlikely radix_tree_deref_retry()
case.
Define the next bit as denoting an exceptional entry, and supply inline
functions radix_tree_exception() to return non-0 in either unlikely
case, and radix_tree_exceptional_entry() to return non-0 in the second
case.
If a subsystem already uses radix_tree with that bit set, no problem: it
does not affect internal workings at all, but is defined for the
convenience of those storing well-aligned pointers in the radix_tree.
The radix_tree_gang_lookups have an implicit assumption that the caller
can deduce the offset of each entry returned e.g. by the page->index of
a struct page. But that may not be feasible for some kinds of item to
be stored there.
radix_tree_gang_lookup_slot() allow for an optional indices argument,
output array in which to return those offsets. The same could be added
to other radix_tree_gang_lookups, but for now keep it to the only one
for which we need it.
Signed-off-by: Hugh Dickins <hughd@google.com>
Acked-by: Rik van Riel <riel@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-08-04 03:21:18 +04:00
if ( indices )
2012-03-29 01:42:53 +04:00
indices [ ret ] = iter . index ;
if ( + + ret = = max_items )
2008-07-26 06:45:29 +04:00
break ;
}
return ret ;
}
EXPORT_SYMBOL ( radix_tree_gang_lookup_slot ) ;
2005-04-17 02:20:36 +04:00
/**
* radix_tree_gang_lookup_tag - perform multiple lookup on a radix tree
* based on a tag
* @ root : radix tree root
* @ results : where the results of the lookup are placed
* @ first_index : start the lookup from this key
* @ max_items : place up to this many items at * results
2006-03-25 14:08:05 +03:00
* @ tag : the tag index ( < RADIX_TREE_MAX_TAGS )
2005-04-17 02:20:36 +04:00
*
* Performs an index - ascending scan of the tree for present items which
* have the tag indexed by @ tag set . Places the items at * @ results and
* returns the number of items which were placed at * @ results .
*/
unsigned int
radix_tree_gang_lookup_tag ( struct radix_tree_root * root , void * * results ,
2006-03-25 14:08:05 +03:00
unsigned long first_index , unsigned int max_items ,
unsigned int tag )
2005-04-17 02:20:36 +04:00
{
2012-03-29 01:42:53 +04:00
struct radix_tree_iter iter ;
void * * slot ;
unsigned int ret = 0 ;
2006-06-23 13:03:22 +04:00
2012-03-29 01:42:53 +04:00
if ( unlikely ( ! max_items ) )
2006-12-07 07:33:44 +03:00
return 0 ;
2012-03-29 01:42:53 +04:00
radix_tree_for_each_tagged ( slot , root , & iter , first_index , tag ) {
2016-02-03 03:57:52 +03:00
results [ ret ] = rcu_dereference_raw ( * slot ) ;
2012-03-29 01:42:53 +04:00
if ( ! results [ ret ] )
continue ;
2016-05-21 03:03:30 +03:00
if ( radix_tree_is_internal_node ( results [ ret ] ) ) {
2016-02-03 03:57:52 +03:00
slot = radix_tree_iter_retry ( & iter ) ;
continue ;
}
2012-03-29 01:42:53 +04:00
if ( + + ret = = max_items )
2005-04-17 02:20:36 +04:00
break ;
}
2006-12-07 07:33:44 +03:00
2005-04-17 02:20:36 +04:00
return ret ;
}
EXPORT_SYMBOL ( radix_tree_gang_lookup_tag ) ;
2008-07-26 06:45:29 +04:00
/**
* radix_tree_gang_lookup_tag_slot - perform multiple slot lookup on a
* radix tree based on a tag
* @ root : radix tree root
* @ results : where the results of the lookup are placed
* @ first_index : start the lookup from this key
* @ max_items : place up to this many items at * results
* @ tag : the tag index ( < RADIX_TREE_MAX_TAGS )
*
* Performs an index - ascending scan of the tree for present items which
* have the tag indexed by @ tag set . Places the slots at * @ results and
* returns the number of slots which were placed at * @ results .
*/
unsigned int
radix_tree_gang_lookup_tag_slot ( struct radix_tree_root * root , void * * * results ,
unsigned long first_index , unsigned int max_items ,
unsigned int tag )
{
2012-03-29 01:42:53 +04:00
struct radix_tree_iter iter ;
void * * slot ;
unsigned int ret = 0 ;
2008-07-26 06:45:29 +04:00
2012-03-29 01:42:53 +04:00
if ( unlikely ( ! max_items ) )
2008-07-26 06:45:29 +04:00
return 0 ;
2012-03-29 01:42:53 +04:00
radix_tree_for_each_tagged ( slot , root , & iter , first_index , tag ) {
results [ ret ] = slot ;
if ( + + ret = = max_items )
2008-07-26 06:45:29 +04:00
break ;
}
return ret ;
}
EXPORT_SYMBOL ( radix_tree_gang_lookup_tag_slot ) ;
2014-04-04 01:47:54 +04:00
/**
* __radix_tree_delete_node - try to free node after clearing a slot
* @ root : radix tree root
* @ node : node containing @ index
mm: workingset: fix use-after-free in shadow node shrinker
Several people report seeing warnings about inconsistent radix tree
nodes followed by crashes in the workingset code, which all looked like
use-after-free access from the shadow node shrinker.
Dave Jones managed to reproduce the issue with a debug patch applied,
which confirmed that the radix tree shrinking indeed frees shadow nodes
while they are still linked to the shadow LRU:
WARNING: CPU: 2 PID: 53 at lib/radix-tree.c:643 delete_node+0x1e4/0x200
CPU: 2 PID: 53 Comm: kswapd0 Not tainted 4.10.0-rc2-think+ #3
Call Trace:
delete_node+0x1e4/0x200
__radix_tree_delete_node+0xd/0x10
shadow_lru_isolate+0xe6/0x220
__list_lru_walk_one.isra.4+0x9b/0x190
list_lru_walk_one+0x23/0x30
scan_shadow_nodes+0x2e/0x40
shrink_slab.part.44+0x23d/0x5d0
shrink_node+0x22c/0x330
kswapd+0x392/0x8f0
This is the WARN_ON_ONCE(!list_empty(&node->private_list)) placed in the
inlined radix_tree_shrink().
The problem is with 14b468791fa9 ("mm: workingset: move shadow entry
tracking to radix tree exceptional tracking"), which passes an update
callback into the radix tree to link and unlink shadow leaf nodes when
tree entries change, but forgot to pass the callback when reclaiming a
shadow node.
While the reclaimed shadow node itself is unlinked by the shrinker, its
deletion from the tree can cause the left-most leaf node in the tree to
be shrunk. If that happens to be a shadow node as well, we don't unlink
it from the LRU as we should.
Consider this tree, where the s are shadow entries:
root->rnode
|
[0 n]
| |
[s ] [sssss]
Now the shadow node shrinker reclaims the rightmost leaf node through
the shadow node LRU:
root->rnode
|
[0 ]
|
[s ]
Because the parent of the deleted node is the first level below the
root and has only one child in the left-most slot, the intermediate
level is shrunk and the node containing the single shadow is put in
its place:
root->rnode
|
[s ]
The shrinker again sees a single left-most slot in a first level node
and thus decides to store the shadow in root->rnode directly and free
the node - which is a leaf node on the shadow node LRU.
root->rnode
|
s
Without the update callback, the freed node remains on the shadow LRU,
where it causes later shrinker runs to crash.
Pass the node updater callback into __radix_tree_delete_node() in case
the deletion causes the left-most branch in the tree to collapse too.
Also add warnings when linked nodes are freed right away, rather than
wait for the use-after-free when the list is scanned much later.
Fixes: 14b468791fa9 ("mm: workingset: move shadow entry tracking to radix tree exceptional tracking")
Reported-by: Dave Chinner <david@fromorbit.com>
Reported-by: Hugh Dickins <hughd@google.com>
Reported-by: Andrea Arcangeli <aarcange@redhat.com>
Reported-and-tested-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Chris Leech <cleech@redhat.com>
Cc: Lee Duncan <lduncan@suse.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Matthew Wilcox <mawilcox@linuxonhyperv.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-01-07 03:21:43 +03:00
* @ update_node : callback for changing leaf nodes
* @ private : private data to pass to @ update_node
2014-04-04 01:47:54 +04:00
*
* After clearing the slot at @ index in @ node from radix tree
* rooted at @ root , call this function to attempt freeing the
* node and shrinking the tree .
*/
2016-12-13 03:43:52 +03:00
void __radix_tree_delete_node ( struct radix_tree_root * root ,
mm: workingset: fix use-after-free in shadow node shrinker
Several people report seeing warnings about inconsistent radix tree
nodes followed by crashes in the workingset code, which all looked like
use-after-free access from the shadow node shrinker.
Dave Jones managed to reproduce the issue with a debug patch applied,
which confirmed that the radix tree shrinking indeed frees shadow nodes
while they are still linked to the shadow LRU:
WARNING: CPU: 2 PID: 53 at lib/radix-tree.c:643 delete_node+0x1e4/0x200
CPU: 2 PID: 53 Comm: kswapd0 Not tainted 4.10.0-rc2-think+ #3
Call Trace:
delete_node+0x1e4/0x200
__radix_tree_delete_node+0xd/0x10
shadow_lru_isolate+0xe6/0x220
__list_lru_walk_one.isra.4+0x9b/0x190
list_lru_walk_one+0x23/0x30
scan_shadow_nodes+0x2e/0x40
shrink_slab.part.44+0x23d/0x5d0
shrink_node+0x22c/0x330
kswapd+0x392/0x8f0
This is the WARN_ON_ONCE(!list_empty(&node->private_list)) placed in the
inlined radix_tree_shrink().
The problem is with 14b468791fa9 ("mm: workingset: move shadow entry
tracking to radix tree exceptional tracking"), which passes an update
callback into the radix tree to link and unlink shadow leaf nodes when
tree entries change, but forgot to pass the callback when reclaiming a
shadow node.
While the reclaimed shadow node itself is unlinked by the shrinker, its
deletion from the tree can cause the left-most leaf node in the tree to
be shrunk. If that happens to be a shadow node as well, we don't unlink
it from the LRU as we should.
Consider this tree, where the s are shadow entries:
root->rnode
|
[0 n]
| |
[s ] [sssss]
Now the shadow node shrinker reclaims the rightmost leaf node through
the shadow node LRU:
root->rnode
|
[0 ]
|
[s ]
Because the parent of the deleted node is the first level below the
root and has only one child in the left-most slot, the intermediate
level is shrunk and the node containing the single shadow is put in
its place:
root->rnode
|
[s ]
The shrinker again sees a single left-most slot in a first level node
and thus decides to store the shadow in root->rnode directly and free
the node - which is a leaf node on the shadow node LRU.
root->rnode
|
s
Without the update callback, the freed node remains on the shadow LRU,
where it causes later shrinker runs to crash.
Pass the node updater callback into __radix_tree_delete_node() in case
the deletion causes the left-most branch in the tree to collapse too.
Also add warnings when linked nodes are freed right away, rather than
wait for the use-after-free when the list is scanned much later.
Fixes: 14b468791fa9 ("mm: workingset: move shadow entry tracking to radix tree exceptional tracking")
Reported-by: Dave Chinner <david@fromorbit.com>
Reported-by: Hugh Dickins <hughd@google.com>
Reported-by: Andrea Arcangeli <aarcange@redhat.com>
Reported-and-tested-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Chris Leech <cleech@redhat.com>
Cc: Lee Duncan <lduncan@suse.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Matthew Wilcox <mawilcox@linuxonhyperv.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-01-07 03:21:43 +03:00
struct radix_tree_node * node ,
radix_tree_update_node_t update_node ,
void * private )
2014-04-04 01:47:54 +04:00
{
mm: workingset: fix use-after-free in shadow node shrinker
Several people report seeing warnings about inconsistent radix tree
nodes followed by crashes in the workingset code, which all looked like
use-after-free access from the shadow node shrinker.
Dave Jones managed to reproduce the issue with a debug patch applied,
which confirmed that the radix tree shrinking indeed frees shadow nodes
while they are still linked to the shadow LRU:
WARNING: CPU: 2 PID: 53 at lib/radix-tree.c:643 delete_node+0x1e4/0x200
CPU: 2 PID: 53 Comm: kswapd0 Not tainted 4.10.0-rc2-think+ #3
Call Trace:
delete_node+0x1e4/0x200
__radix_tree_delete_node+0xd/0x10
shadow_lru_isolate+0xe6/0x220
__list_lru_walk_one.isra.4+0x9b/0x190
list_lru_walk_one+0x23/0x30
scan_shadow_nodes+0x2e/0x40
shrink_slab.part.44+0x23d/0x5d0
shrink_node+0x22c/0x330
kswapd+0x392/0x8f0
This is the WARN_ON_ONCE(!list_empty(&node->private_list)) placed in the
inlined radix_tree_shrink().
The problem is with 14b468791fa9 ("mm: workingset: move shadow entry
tracking to radix tree exceptional tracking"), which passes an update
callback into the radix tree to link and unlink shadow leaf nodes when
tree entries change, but forgot to pass the callback when reclaiming a
shadow node.
While the reclaimed shadow node itself is unlinked by the shrinker, its
deletion from the tree can cause the left-most leaf node in the tree to
be shrunk. If that happens to be a shadow node as well, we don't unlink
it from the LRU as we should.
Consider this tree, where the s are shadow entries:
root->rnode
|
[0 n]
| |
[s ] [sssss]
Now the shadow node shrinker reclaims the rightmost leaf node through
the shadow node LRU:
root->rnode
|
[0 ]
|
[s ]
Because the parent of the deleted node is the first level below the
root and has only one child in the left-most slot, the intermediate
level is shrunk and the node containing the single shadow is put in
its place:
root->rnode
|
[s ]
The shrinker again sees a single left-most slot in a first level node
and thus decides to store the shadow in root->rnode directly and free
the node - which is a leaf node on the shadow node LRU.
root->rnode
|
s
Without the update callback, the freed node remains on the shadow LRU,
where it causes later shrinker runs to crash.
Pass the node updater callback into __radix_tree_delete_node() in case
the deletion causes the left-most branch in the tree to collapse too.
Also add warnings when linked nodes are freed right away, rather than
wait for the use-after-free when the list is scanned much later.
Fixes: 14b468791fa9 ("mm: workingset: move shadow entry tracking to radix tree exceptional tracking")
Reported-by: Dave Chinner <david@fromorbit.com>
Reported-by: Hugh Dickins <hughd@google.com>
Reported-by: Andrea Arcangeli <aarcange@redhat.com>
Reported-and-tested-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Chris Leech <cleech@redhat.com>
Cc: Lee Duncan <lduncan@suse.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Matthew Wilcox <mawilcox@linuxonhyperv.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-01-07 03:21:43 +03:00
delete_node ( root , node , update_node , private ) ;
2014-04-04 01:47:54 +04:00
}
2005-04-17 02:20:36 +04:00
/**
2014-04-04 01:47:39 +04:00
* radix_tree_delete_item - delete an item from a radix tree
2005-04-17 02:20:36 +04:00
* @ root : radix tree root
* @ index : index key
2014-04-04 01:47:39 +04:00
* @ item : expected item
2005-04-17 02:20:36 +04:00
*
2014-04-04 01:47:39 +04:00
* Remove @ item at @ index from the radix tree rooted at @ root .
2005-04-17 02:20:36 +04:00
*
2014-04-04 01:47:39 +04:00
* Returns the address of the deleted item , or NULL if it was not present
* or the entry at the given @ index was not @ item .
2005-04-17 02:20:36 +04:00
*/
2014-04-04 01:47:39 +04:00
void * radix_tree_delete_item ( struct radix_tree_root * root ,
unsigned long index , void * item )
2005-04-17 02:20:36 +04:00
{
2014-04-04 01:47:54 +04:00
struct radix_tree_node * node ;
2016-05-21 03:01:54 +03:00
unsigned int offset ;
2014-04-04 01:47:54 +04:00
void * * slot ;
void * entry ;
2006-01-08 12:01:41 +03:00
int tag ;
2005-04-17 02:20:36 +04:00
2014-04-04 01:47:54 +04:00
entry = __radix_tree_lookup ( root , index , & node , & slot ) ;
if ( ! entry )
return NULL ;
2005-04-17 02:20:36 +04:00
2014-04-04 01:47:54 +04:00
if ( item & & entry ! = item )
return NULL ;
if ( ! node ) {
2006-06-23 13:03:22 +04:00
root_tag_clear_all ( root ) ;
root - > rnode = NULL ;
2014-04-04 01:47:54 +04:00
return entry ;
2006-06-23 13:03:22 +04:00
}
2005-04-17 02:20:36 +04:00
2016-05-21 03:02:02 +03:00
offset = get_slot_offset ( node , slot ) ;
2014-04-04 01:47:39 +04:00
2016-05-21 03:03:45 +03:00
/* Clear all tags associated with the item to be deleted. */
for ( tag = 0 ; tag < RADIX_TREE_MAX_TAGS ; tag + + )
node_tag_clear ( root , node , tag , offset ) ;
2005-04-17 02:20:36 +04:00
2016-12-13 03:43:49 +03:00
__radix_tree_replace ( root , node , slot , NULL , NULL , NULL ) ;
2006-06-23 13:03:22 +04:00
2014-04-04 01:47:54 +04:00
return entry ;
2005-04-17 02:20:36 +04:00
}
2014-04-04 01:47:39 +04:00
EXPORT_SYMBOL ( radix_tree_delete_item ) ;
/**
* radix_tree_delete - delete an item from a radix tree
* @ root : radix tree root
* @ index : index key
*
* Remove the item at @ index from the radix tree rooted at @ root .
*
* Returns the address of the deleted item , or NULL if it was not present .
*/
void * radix_tree_delete ( struct radix_tree_root * root , unsigned long index )
{
return radix_tree_delete_item ( root , index , NULL ) ;
}
2005-04-17 02:20:36 +04:00
EXPORT_SYMBOL ( radix_tree_delete ) ;
mm: filemap: don't plant shadow entries without radix tree node
When the underflow checks were added to workingset_node_shadow_dec(),
they triggered immediately:
kernel BUG at ./include/linux/swap.h:276!
invalid opcode: 0000 [#1] SMP
Modules linked in: isofs usb_storage fuse xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 tun nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_REJECT nf_reject_ipv6
soundcore wmi acpi_als pinctrl_sunrisepoint kfifo_buf tpm_tis industrialio acpi_pad pinctrl_intel tpm_tis_core tpm nfsd auth_rpcgss nfs_acl lockd grace sunrpc dm_crypt
CPU: 0 PID: 20929 Comm: blkid Not tainted 4.8.0-rc8-00087-gbe67d60ba944 #1
Hardware name: System manufacturer System Product Name/Z170-K, BIOS 1803 05/06/2016
task: ffff8faa93ecd940 task.stack: ffff8faa7f478000
RIP: page_cache_tree_insert+0xf1/0x100
Call Trace:
__add_to_page_cache_locked+0x12e/0x270
add_to_page_cache_lru+0x4e/0xe0
mpage_readpages+0x112/0x1d0
blkdev_readpages+0x1d/0x20
__do_page_cache_readahead+0x1ad/0x290
force_page_cache_readahead+0xaa/0x100
page_cache_sync_readahead+0x3f/0x50
generic_file_read_iter+0x5af/0x740
blkdev_read_iter+0x35/0x40
__vfs_read+0xe1/0x130
vfs_read+0x96/0x130
SyS_read+0x55/0xc0
entry_SYSCALL_64_fastpath+0x13/0x8f
Code: 03 00 48 8b 5d d8 65 48 33 1c 25 28 00 00 00 44 89 e8 75 19 48 83 c4 18 5b 41 5c 41 5d 41 5e 5d c3 0f 0b 41 bd ef ff ff ff eb d7 <0f> 0b e8 88 68 ef ff 0f 1f 84 00
RIP page_cache_tree_insert+0xf1/0x100
This is a long-standing bug in the way shadow entries are accounted in
the radix tree nodes. The shrinker needs to know when radix tree nodes
contain only shadow entries, no pages, so node->count is split in half
to count shadows in the upper bits and pages in the lower bits.
Unfortunately, the radix tree implementation doesn't know of this and
assumes all entries are in node->count. When there is a shadow entry
directly in root->rnode and the tree is later extended, the radix tree
implementation will copy that entry into the new node and and bump its
node->count, i.e. increases the page count bits. Once the shadow gets
removed and we subtract from the upper counter, node->count underflows
and triggers the warning. Afterwards, without node->count reaching 0
again, the radix tree node is leaked.
Limit shadow entries to when we have actual radix tree nodes and can
count them properly. That means we lose the ability to detect refaults
from files that had only the first page faulted in at eviction time.
Fixes: 449dd6984d0e ("mm: keep page cache radix tree nodes in check")
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Reported-and-tested-by: Linus Torvalds <torvalds@linux-foundation.org>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-10-04 23:02:08 +03:00
void radix_tree_clear_tags ( struct radix_tree_root * root ,
struct radix_tree_node * node ,
void * * slot )
2016-05-21 03:03:45 +03:00
{
if ( node ) {
unsigned int tag , offset = get_slot_offset ( node , slot ) ;
for ( tag = 0 ; tag < RADIX_TREE_MAX_TAGS ; tag + + )
node_tag_clear ( root , node , tag , offset ) ;
} else {
/* Clear root node tags */
root - > gfp_mask & = __GFP_BITS_MASK ;
}
}
2005-04-17 02:20:36 +04:00
/**
* radix_tree_tagged - test whether any items in the tree are tagged
* @ root : radix tree root
* @ tag : tag to test
*/
2006-03-25 14:08:05 +03:00
int radix_tree_tagged ( struct radix_tree_root * root , unsigned int tag )
2005-04-17 02:20:36 +04:00
{
2006-06-23 13:03:22 +04:00
return root_tag_get ( root , tag ) ;
2005-04-17 02:20:36 +04:00
}
EXPORT_SYMBOL ( radix_tree_tagged ) ;
static void
mm: keep page cache radix tree nodes in check
Previously, page cache radix tree nodes were freed after reclaim emptied
out their page pointers. But now reclaim stores shadow entries in their
place, which are only reclaimed when the inodes themselves are
reclaimed. This is problematic for bigger files that are still in use
after they have a significant amount of their cache reclaimed, without
any of those pages actually refaulting. The shadow entries will just
sit there and waste memory. In the worst case, the shadow entries will
accumulate until the machine runs out of memory.
To get this under control, the VM will track radix tree nodes
exclusively containing shadow entries on a per-NUMA node list. Per-NUMA
rather than global because we expect the radix tree nodes themselves to
be allocated node-locally and we want to reduce cross-node references of
otherwise independent cache workloads. A simple shrinker will then
reclaim these nodes on memory pressure.
A few things need to be stored in the radix tree node to implement the
shadow node LRU and allow tree deletions coming from the list:
1. There is no index available that would describe the reverse path
from the node up to the tree root, which is needed to perform a
deletion. To solve this, encode in each node its offset inside the
parent. This can be stored in the unused upper bits of the same
member that stores the node's height at no extra space cost.
2. The number of shadow entries needs to be counted in addition to the
regular entries, to quickly detect when the node is ready to go to
the shadow node LRU list. The current entry count is an unsigned
int but the maximum number of entries is 64, so a shadow counter
can easily be stored in the unused upper bits.
3. Tree modification needs tree lock and tree root, which are located
in the address space, so store an address_space backpointer in the
node. The parent pointer of the node is in a union with the 2-word
rcu_head, so the backpointer comes at no extra cost as well.
4. The node needs to be linked to an LRU list, which requires a list
head inside the node. This does increase the size of the node, but
it does not change the number of objects that fit into a slab page.
[akpm@linux-foundation.org: export the right function]
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Reviewed-by: Rik van Riel <riel@redhat.com>
Reviewed-by: Minchan Kim <minchan@kernel.org>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Bob Liu <bob.liu@oracle.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Greg Thelen <gthelen@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Jan Kara <jack@suse.cz>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Luigi Semenzato <semenzato@google.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Metin Doslu <metin@citusdata.com>
Cc: Michel Lespinasse <walken@google.com>
Cc: Ozgun Erdogan <ozgun@citusdata.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Roman Gushchin <klamm@yandex-team.ru>
Cc: Ryan Mallon <rmallon@gmail.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-04-04 01:47:56 +04:00
radix_tree_node_ctor ( void * arg )
2005-04-17 02:20:36 +04:00
{
mm: keep page cache radix tree nodes in check
Previously, page cache radix tree nodes were freed after reclaim emptied
out their page pointers. But now reclaim stores shadow entries in their
place, which are only reclaimed when the inodes themselves are
reclaimed. This is problematic for bigger files that are still in use
after they have a significant amount of their cache reclaimed, without
any of those pages actually refaulting. The shadow entries will just
sit there and waste memory. In the worst case, the shadow entries will
accumulate until the machine runs out of memory.
To get this under control, the VM will track radix tree nodes
exclusively containing shadow entries on a per-NUMA node list. Per-NUMA
rather than global because we expect the radix tree nodes themselves to
be allocated node-locally and we want to reduce cross-node references of
otherwise independent cache workloads. A simple shrinker will then
reclaim these nodes on memory pressure.
A few things need to be stored in the radix tree node to implement the
shadow node LRU and allow tree deletions coming from the list:
1. There is no index available that would describe the reverse path
from the node up to the tree root, which is needed to perform a
deletion. To solve this, encode in each node its offset inside the
parent. This can be stored in the unused upper bits of the same
member that stores the node's height at no extra space cost.
2. The number of shadow entries needs to be counted in addition to the
regular entries, to quickly detect when the node is ready to go to
the shadow node LRU list. The current entry count is an unsigned
int but the maximum number of entries is 64, so a shadow counter
can easily be stored in the unused upper bits.
3. Tree modification needs tree lock and tree root, which are located
in the address space, so store an address_space backpointer in the
node. The parent pointer of the node is in a union with the 2-word
rcu_head, so the backpointer comes at no extra cost as well.
4. The node needs to be linked to an LRU list, which requires a list
head inside the node. This does increase the size of the node, but
it does not change the number of objects that fit into a slab page.
[akpm@linux-foundation.org: export the right function]
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Reviewed-by: Rik van Riel <riel@redhat.com>
Reviewed-by: Minchan Kim <minchan@kernel.org>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Bob Liu <bob.liu@oracle.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Greg Thelen <gthelen@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Jan Kara <jack@suse.cz>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Luigi Semenzato <semenzato@google.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Metin Doslu <metin@citusdata.com>
Cc: Michel Lespinasse <walken@google.com>
Cc: Ozgun Erdogan <ozgun@citusdata.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Roman Gushchin <klamm@yandex-team.ru>
Cc: Ryan Mallon <rmallon@gmail.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-04-04 01:47:56 +04:00
struct radix_tree_node * node = arg ;
memset ( node , 0 , sizeof ( * node ) ) ;
INIT_LIST_HEAD ( & node - > private_list ) ;
2005-04-17 02:20:36 +04:00
}
2016-07-27 01:26:02 +03:00
static __init unsigned long __maxindex ( unsigned int height )
{
unsigned int width = height * RADIX_TREE_MAP_SHIFT ;
int shift = RADIX_TREE_INDEX_BITS - width ;
if ( shift < 0 )
return ~ 0UL ;
if ( shift > = BITS_PER_LONG )
return 0UL ;
return ~ 0UL > > shift ;
}
static __init void radix_tree_init_maxnodes ( void )
{
unsigned long height_to_maxindex [ RADIX_TREE_MAX_PATH + 1 ] ;
unsigned int i , j ;
for ( i = 0 ; i < ARRAY_SIZE ( height_to_maxindex ) ; i + + )
height_to_maxindex [ i ] = __maxindex ( i ) ;
for ( i = 0 ; i < ARRAY_SIZE ( height_to_maxnodes ) ; i + + ) {
for ( j = i ; j > 0 ; j - - )
height_to_maxnodes [ i ] + = height_to_maxindex [ j - 1 ] + 1 ;
}
}
2016-11-03 17:50:01 +03:00
static int radix_tree_cpu_dead ( unsigned int cpu )
2005-04-17 02:20:36 +04:00
{
2016-05-21 03:03:04 +03:00
struct radix_tree_preload * rtp ;
struct radix_tree_node * node ;
/* Free per-cpu pool of preloaded nodes */
2016-11-03 17:50:01 +03:00
rtp = & per_cpu ( radix_tree_preloads , cpu ) ;
while ( rtp - > nr ) {
node = rtp - > nodes ;
rtp - > nodes = node - > private_data ;
kmem_cache_free ( radix_tree_node_cachep , node ) ;
rtp - > nr - - ;
2016-05-21 03:03:04 +03:00
}
2016-11-03 17:50:01 +03:00
return 0 ;
2005-04-17 02:20:36 +04:00
}
void __init radix_tree_init ( void )
{
2016-11-03 17:50:01 +03:00
int ret ;
2005-04-17 02:20:36 +04:00
radix_tree_node_cachep = kmem_cache_create ( " radix_tree_node " ,
sizeof ( struct radix_tree_node ) , 0 ,
2008-04-28 13:12:05 +04:00
SLAB_PANIC | SLAB_RECLAIM_ACCOUNT ,
radix_tree_node_ctor ) ;
2016-07-27 01:26:02 +03:00
radix_tree_init_maxnodes ( ) ;
2016-11-03 17:50:01 +03:00
ret = cpuhp_setup_state_nocalls ( CPUHP_RADIX_DEAD , " lib/radix:dead " ,
NULL , radix_tree_cpu_dead ) ;
WARN_ON ( ret < 0 ) ;
2005-04-17 02:20:36 +04:00
}