On 3/6/24 17:04, Mina Almasry wrote:
On Wed, Mar 6, 2024 at 6:30 AM Pavel Begunkov asml.silence@gmail.com wrote:
On 3/5/24 22:36, Mina Almasry wrote:
On Tue, Mar 5, 2024 at 1:55 PM David Wei dw@davidwei.uk wrote:
On 2024-03-04 18:01, Mina Almasry wrote:
+struct memory_provider_ops {
int (*init)(struct page_pool *pool);
void (*destroy)(struct page_pool *pool);
struct page *(*alloc_pages)(struct page_pool *pool, gfp_t gfp);
bool (*release_page)(struct page_pool *pool, struct page *page);
For ZC Rx we added a scrub() function to memory_provider_ops that is called from page_pool_scrub(). Does TCP devmem not custom behaviour waiting for all netmem_refs to return before destroying the page pool? What happens if e.g. application crashes?
(sorry for the long reply, but he refcounting is pretty complicated to explain and I feel like we need to agree on how things currently work)
Yeah, the addition of the page_pool_scrub() function is a bit of a head scratcher for me. Here is how the (complicated) refcounting works for devmem TCP (assuming the driver is not doing its own recycling logic which complicates things further):
- When a netmem_ref is allocated by the page_pool (from dmabuf or
page), the netmem_get_pp_ref_count_ref()==1 and belongs to the page pool as long as the netmem is waiting in the pool for driver allocation.
- When a netmem is allocated by the driver, no refcounting is
changed, but the ownership of the netmem_get_pp_ref_count_ref() is implicitly transferred from the page pool to the driver. i.e. the ref now belongs to the driver until an skb is formed.
- When the driver forms an skb using skb_rx_add_frag_netmem(), no
refcounting is changed, but the ownership of the netmem_get_pp_ref_count_ref() is transferred from the driver to the TCP stack.
- When the TCP stack hands the skb to the application, the TCP stack
obtains an additional refcount, so netmem_get_pp_ref_count_ref()==2, and frees the skb using skb_frag_unref(), which drops the netmem_get_pp_ref_count_ref()==1.
- When the user is done with the skb, the user calls the
DEVMEM_DONTNEED setsockopt which calls napi_pp_put_netmem() which recycles the netmem back to the page pool. This doesn't modify any refcounting, but the refcount ownership transfers from the userspace back to the page pool, and we're back at step 1.
So all in all netmem can belong either to (a) the page pool, or (b) the driver, or (c) the TCP stack, or (d) the application depending on where exactly it is in the RX path.
When an application running devmem TCP crashes, the netmem that belong to the page pool or driver are not touched, because the page pool is not tied to the application in our case really. However, the TCP stack notices the devmem socket of the application close, and when it does, the TCP stack will:
- Free all the skbs in the sockets receive queue. This is not custom
behavior for devmem TCP, it's just standard for TCP to free all skbs waiting to be received by the application. 2. The TCP stack will free references that belong to the application. Since the application crashed, it will not call the DEVMEM_DONTNEED setsockopt, so we need to free those on behalf of the application. This is done in this diff:
@@ -2498,6 +2498,15 @@ static void tcp_md5sig_info_free_rcu(struct rcu_head *head) void tcp_v4_destroy_sock(struct sock *sk) { struct tcp_sock *tp = tcp_sk(sk);
- __maybe_unused unsigned long index;
- __maybe_unused void *netmem;
+#ifdef CONFIG_PAGE_POOL
- xa_for_each(&sk->sk_user_frags, index, netmem)
- WARN_ON_ONCE(!napi_pp_put_page((__force netmem_ref)netmem, false));
+#endif
xa_destroy(&sk->sk_user_frags);
trace_tcp_destroy_sock(sk);
To be honest, I think it makes sense for the TCP stack to be responsible for putting the references that belong to it and the application. To me, it does not make much sense for the page pool to be responsible for putting the reference that belongs to the TCP stack or driver via a page_pool_scrub() function, as those references do not belong to the page pool really. I'm not sure why there is a diff between our use cases here because I'm not an io_uring expert. Why do you need to scrub all the references on page pool destruction? Don't these belong to non-page pool components like io_uring stack or TCP stack ol otherwise?
That one is about cleaning buffers that are in b/w 4 and 5, i.e. owned by the user, which devmem does at sock destruction. io_uring could get by without scrub, dropping user refs while unregistering ifq, but then it'd need to wait for all requests to finish so there is no step 4 in the meantime. Might change, can be useful, but it was much easier to hook into the pp release loop.
Another concern is who and when can reset ifq / kill pp outside of io_uring/devmem. I assume it can happen on a whim, which is hard to handle gracefully.
If this is about dropping application refs in step 4 & step 5, then from devmem TCP perspective it must be done on socket close & skb freeing AFAIU, and not delayed until page_pool destruction.
Right, something in the kernel should take care of it. You temporarily attach it to the socket, which is fine. And you could've also stored it in the netlink socket or some other object. In case of zcrx io_uring impl, it's bound to io_uring, io_uring is responsible for cleaning them up. And we do it before __page_pool_destroy, otherwise there would be a ref dependency.
A side note, attaching to netlink or some other global object sounds conceptually better, as once you return a buffer to the user, the socket should not have any further business with the buffer. FWIW, that better resembles io_uring approach. For example allows to:
recv(sock); close(sock); process_rx_buffers();
or to return (i.e. DEVMEM_DONTNEED) buffers from different sockets in one call. However, I don't think it's important for devmem and perhaps more implementation dictated.
Think about a stupid or malicious user that does something like:
- Set up dmabuf binding using netlink api.
- While (100000):
- create devmem TCP socket.
- receive some devmem data on TCP socket.
- close TCP socket without calling DEVMEM_DONTNEED.
- clean up dmabuf binding using netlink api.
In this case, we need to drop the references in step 5 when the socket is destroyed, so the memory is freed to the page pool and available for the next socket in step 3. We cannot delay the freeing until step 6 when the rx queue is recreated and the page pool is destroyed, otherwise the net_iovs would leak in the loop and eventually the NIC would fail to find available memory. The same bug would be
By "would leak" you probably mean until step 6, right? There are always many ways to shoot yourself in the leg. Even if you clean up in 5, the user can just leak the socket and get the same result with pp starvation. I see it not as a requirement but rather a uapi choice, that's assuming netlink would be cleaned as a normal socket when the task exits.
reproducible with io_uring unless you're creating a new page pool for each new io_uring socket equivalent.
Surely we don't, but it's still the user's responsibility to return buffers back. And in case of io_uring buffers returned to the user are not attached to a socket, so even the scope / lifetime is a bit different.
But even outside of this, I think it's a bit semantically off to ask the page_pool to drop references that belong to the application IMO, because those references are not the page_pool's.
Completely agree with you, which is why it was in a callback, totally controlled by io_uring.