|
|
Subscribe / Log in / New account

Revisiting "too small to fail"

Revisiting "too small to fail"

Posted May 20, 2017 14:38 UTC (Sat) by vbabka (subscriber, #91706)
In reply to: Revisiting "too small to fail" by corbet
Parent article: Revisiting "too small to fail"

It's possible we'll have to introduce __GFP_MAYFAIL after all, just so we can move forward. As much as I'll hate the churn this will cause - if we ever realize that everything is marked MAYFAIL or NOFAIL, we can change the default to MAYFAIL and drop the flag again. Is it the unavoidable price for the safest course?

to post comments

Revisiting "too small to fail"

Posted May 20, 2017 18:02 UTC (Sat) by jhoblitt (subscriber, #77733) [Link] (16 responses)

I'm not sure I'm following, isn't "may fail" the default? Are you proposing the __GFP_NOFAIL become the default behavior?

Revisiting "too small to fail"

Posted May 21, 2017 5:13 UTC (Sun) by ncm (guest, #165) [Link] (4 responses)

Are you shocked? Yes, it's shocking, as it was to many in 2014. But people can get used to anything.

Version 7 UNIX would ungracefully panic (i.e. crash) on out-of-memory, on the assumption that rebooting would get you back to working again sooner than muddling along. The code to handle failures wouldn't have fit anyway.

Nowadays the kernel is likely to be running on a hypervisor, meaning it's really just a user-space program itself, but with pretensions. Killing it and starting ("spinning up") another is a reasonable alternative to muddling along.

Note that your phone OS is almost certainly running under a hypervisor, and has no direct physical access to the radio transmitter. I don't think any phone runs multiple VMs yet, but it is only a matter of time. Then, probably each app will run in its own VM, with its own toy OS.

It will be interesting when the spooks' exploits to suborn your phone hypervisor leak out.

Revisiting "too small to fail"

Posted May 21, 2017 14:50 UTC (Sun) by excors (subscriber, #95769) [Link] (1 responses)

> Note that your phone OS is almost certainly running under a hypervisor, and has no direct physical access to the radio transmitter.

As far as I'm aware (which might not be far enough), in most cases the closest thing to a hypervisor is TrustZone running exactly two OSes - the 'non-secure' Android one with unimportant stuff like the user's highly private data, and the 'secure' one that does a few vital things like protected DRM video playback. Almost all the hardware is accessed directly by the non-secure OS and is not abstracted enough to let multiple VMs share it. The main thing separating the OS from the radio transmitter is that they're on separate chips (or separate blocks of the same chip) and the only physical connection between them is RAM and interrupts used to implement some message-passing protocol, and if you're very lucky there might be a correctly-configured IOMMU blocking the CPU from accessing the modem OS's region of RAM and vice versa; there's no hypervisor involved in their communication.

> probably each app will run in its own VM, with its own toy OS.

How would that help with out-of-memory problems? If you run out of physical memory, killing an app VM doesn't sound much easier than killing an app process. Maybe you could reduce the risk of multi-page allocation failures caused by fragmentation if you overcommit and give each VM very large amounts of guest-physical address space, so it can easily find guest-physically-contiguous pages, but that'd only really work if the guests can return unused pages to the host with single-page granularity, which I assume isn't easy. (It also seems quite hacky to use a VM just so the kernel can pretend it's doing physical allocations when really they're virtual allocations; surely it'd be better to make the kernel know it's doing virtual allocations and not need the VM at all). What real benefits would come from using per-app VMs?

Revisiting "too small to fail"

Posted May 26, 2017 7:29 UTC (Fri) by Kamilion (guest, #42576) [Link]

> The main thing separating the OS from the radio transmitter is that they're on separate chips (or separate blocks of the same chip) and the only physical connection between them is RAM and interrupts used to implement some message-passing protocol,

"Would you believe two UARTs and a pack of playing cards missing the aces and the kings?" --Agent 86

Revisiting "too small to fail"

Posted May 21, 2017 15:47 UTC (Sun) by jejb (subscriber, #6654) [Link]

> Nowadays the kernel is likely to be running on a hypervisor, meaning it's really just a user-space program itself, but with pretensions. Killing it and starting ("spinning up") another is a reasonable alternative to muddling along.

That's a cop out: while the vast majority of cloud instances (and this ignores all the phones, tablets and laptops) may be running on a hypervisor; in most cloud cases Linux *is* the hypervisor as well. Crashing the kernel on memory failure would take down the whole physical node and thus all the instances. This is seen as undesirable even in the cloud.

Revisiting "too small to fail"

Posted May 22, 2017 6:50 UTC (Mon) by JdGordy (subscriber, #70103) [Link]

> I don't think any phone runs multiple VMs yet, but it is only a matter of time. Then, probably each app will run in its own VM, with its own toy OS.

In a previous life we (ok-labs.com) were running multiple full linux VM's on a single phone, one or 2 with the full android userland and half a dozen or more doing various safety/virtualisation things (network virtualisation, virtualising and sharing the various bits of hardware).

worked pretty well until GD bought the place.

Revisiting "too small to fail"

Posted May 21, 2017 13:47 UTC (Sun) by vbabka (subscriber, #91706) [Link] (10 responses)

Yes, the default is strictly speaking "may fail", but only under very specific conditions - as Michal Hocko mentioned in the thread, e.g. when the task itself is selected as OOM victim. This makes any error handling even more rarely executed, so even less likely to trust. So statistically speaking, the default is NOFAIL. I'm not proposing NOFAIL to become the real default. I'd rather see "may fail" the real default, but just flipping the switch and making the existing error handling more likely to be executed, would be too dangerous IMHO.

Revisiting "too small to fail"

Posted May 21, 2017 22:30 UTC (Sun) by neilbrown (subscriber, #359) [Link] (9 responses)

> I'm not proposing NOFAIL to become the real default.

Sad. I think NOFAIL really should be the default (at least for PAGE_SIZE or less). Almost always kmalloc doesn't fail, so it wouldn't really be a big change in behaviour.
I don't see that an OOM victim needs special treatment. The memory that is freed when a victim is killed is mostly the user-space mappings, and those are freed independently of what the kernel code is doing (aren't they?).

I think we need clearly defined waiting behaviour, and I think the options should be:
1/ don't wait - usable in interrupts and spinlocks
2/ wait for kswapd (or whatever) to make one pass trying to free memory - used when memory would be convenient an easy fall-back is available
3/ wait indefinitely - thread eventually goes onto a (per-cpu?) queue and as memory is made available (possibly by killing mem hogs), it is given to threads on the queue. This must never be used on the write-out path or in shrinkers etc.

> would be too dangerous

ahh for the good old days of even=stable, odd=devel. Then we could break everything in the devel series and clean up the pieces as they were found. Kernel development is just too safe these days!!

Revisiting "too small to fail"

Posted May 23, 2017 8:19 UTC (Tue) by vbabka (subscriber, #91706) [Link] (8 responses)

OK, Michal has reminded me that the idea of making the default to allow fail was already shot down by Linus once, because it would propagate more -ENOMEM to existing userspace, which might be unprepared to handle it. And it's hard to make sure that all allocations that can lead to the userspace ENOMEM are properly covered, before switching the default.
On the other hand here is no issue with TIF_MEMDIE tasks failing an allocation, as that cannot propagate to userspace (the task is killed before returning). So there's no way to change the default to the full "may fail", and little incentive to change the default to the full "can't fail".

Revisiting "too small to fail"

Posted May 23, 2017 10:02 UTC (Tue) by nix (subscriber, #2304) [Link] (6 responses)

Userspace has to be able to handle -ENO-anything-for-any-reason in any case. All sorts of things can already throw errors, and userspace is usually unprepared for all of them and just dies. -ENOMEM would be just the same, only more so: if it wasn't checking, it would immediately try to use whatever it was, dereference a null pointer, and die. And it has to be able to handle -ENOMEM in any case because userspace has no idea if the kernel-side allocation is 'too big' or not, and that can of course change at any time.

Revisiting "too small to fail"

Posted May 23, 2017 12:13 UTC (Tue) by epa (subscriber, #39769) [Link] (5 responses)

It's accepted that userspace code is useless and doesn't check for or handle failure conditions, even for something as basic as reading a file from disk. The only errors handled by userspace are those which tend to occur frequently in practice, and if you add a new error which didn't often happen before, almost all existing programs will fail to deal with it. That's why we have 'hard' mounts for NFS. Even after 30 years or so userspace has not progressed to the point where it's safe to return failure if a remote file server is down. Better to hang indefinitely and hope the problem goes away. (This applies almost as much for reading as for writing.) So it is too for kernel memory allocation failures.

Revisiting "too small to fail"

Posted May 26, 2017 23:39 UTC (Fri) by nix (subscriber, #2304) [Link] (4 responses)

For disk I/O I've been told by a lot of grizzled Unix people that "no, disk I/O can never fail except -ENOSPC or -EIO if the disk is damaged", and that NFS failing is just a sign that NFS is broken.

I asked them what exactly it's meant to do if the server goes down, and they look at me, puzzled, as if this is impossible to conceive of.

(These are grizzled-enough veterans that they probably consider Unix to be what BSD did -- POSIX? Who reads that?)

Revisiting "too small to fail"

Posted May 30, 2017 1:37 UTC (Tue) by neilbrown (subscriber, #359) [Link] (3 responses)

> no, disk I/O can never fail except -ENOSPC or -EIO if the disk is damaged

This must be pre-4.3BSD (or there abouts). They clearly don't know about EDQUOT.

> I asked them what exactly it's meant to do if the server goes down

We are talking about "disk I/O" here. There is no server. NFS just pretends, fakes a lot of stuff, glosses over the differences, mostly works but sometimes doesn't do quite what you want.

If you want a new contract between the application and the storage backend, you need to write one. You cannot just assume that an old contract can magically work in a new market place.

We could invent O_REMOTE which the application uses to acknowledge that the data might be stored in a remote location, and that it is prepare to handle the errors that might be associated with that - e.g. ETIMEDOUT ???
What would it mean to memory-map a file opened with O_REMOTE? That you are happy to receive SIGBUS?
What does it mean to execveat() a file, passing AT_REMOTE?? Should it download the whole file (and libraries?) and cache them locally before succeeding?

It really doesn't help to just whine because something doesn't magically match your perceived use-case. The only sensible way forward is to provide a clear design of a set of semantics that you would like to be available. Then we can have a meaningful discussion.

Revisiting "too small to fail"

Posted May 31, 2017 13:45 UTC (Wed) by nix (subscriber, #2304) [Link] (2 responses)

> This must be pre-4.3BSD (or there abouts). They clearly don't know about EDQUOT.

I suspect they were just shocked to get -EINTR from an NFS disk and were trying to argue that you should never need to check for short reads ever. Running out of quota, rather than disk space, is a sufficiently obscure edge case that even I'd forgotten about it. (They were doubly sure that you shouldn't need to check for -ENOSPC when writing inside files, and were surprised when I mentioned sparse files... sigh.)

Note: I said these people were grizzled, not that they were skilled. This was just a common belief among at least some of the "grunts on the ground" in the Unix parts of the City of London in the late 90s, is all... if they were skilled they would not have been working where they were, but somewhere else in the City that paid a lot more!

> We are talking about "disk I/O" here. There is no server. NFS just pretends, fakes a lot of stuff, glosses over the differences, mostly works but sometimes doesn't do quite what you want.

Given the ubiquity of NFS and Samba, this seems unfortunate, but it is true that the vast majority of applications are not remotely ready to deal with simple network failures, let alone a split-brain situation in a distributed filesystem! (Given the number of errors that even distributed consensus stores make in this area, I'm not sure *anyone* is truly competent to write code that runs atop something like that.)

> It really doesn't help to just whine because something doesn't magically match your perceived use-case. The only sensible way forward is to provide a clear design of a set of semantics that you would like to be available. Then we can have a meaningful discussion.

Agreed, but I'd also like to find one that doesn't break every application out there, nor suddenly stop them working over NFS: that's harder! (My $HOME has been on NFSv3, remote from my desktop, for my entire Unix-using life, so I have a very large and angry dog in this race: without NFS I can't do anything at all. Last week I flipped to NFSv4, and unlike last time, a couple of years back, it worked perfectly.)

Something like your proposed *_REMOTE option would seem like a good idea, but even that has problems: one that springs instantly to mind is libraries that open an fd on behalf of others. That library might be ready to handle errors, but what about the other things that fd gets passed off to? (The converse also exists: maybe the library doesn't use that flag because almost all it does with it is hands the fd back, so it never gets updated, even though the whole of the rest of the application is ready to handle -ESPLITBRAIN or whatever.)

Frankly I'm wondering if we need something better than errno and the ferociously annoying short reads thing in this area: a new set of rules that allows you to guarantee no short reads / writes but comes with extras wrapped around that, perhaps that the writes might later fail and throw an error back at you over netlink or something.

That all seems very asynchronous, but frankly we need that for normal writes too: if a writeback fails it's almost impossible for an application to tell *what* failed without fsync()ing everywhere and spending ages waiting... but this probably requires proper AIO so you can submit IOs, get an fd or other handle to them, then query for the state of that handle later. And we know how good Linux is in *that* area :( just because network I/Os are even more asynchronous by nature than other I/Os, and more likely to have bus faults and the like affecting them, doesn't mean that the same isn't true of disk I/O too. Disks are on little networks, after all, and always have been, and with SANs they're on not-so-little networks too.

(This is not even getting into how much more horrible this all gets when RAID or other 1:N or N:1 stuff gets into the picture. At least RAID split across disks on different machines is relatively rare, though it has saved my bacon in the past to be able to run md partially across NBD for a while during disaster recovery!)

Revisiting "too small to fail"

Posted Jun 2, 2017 18:11 UTC (Fri) by Wol (subscriber, #4433) [Link] (1 responses)

I think a lot of people run raid-1 split over machines.

My moan at the moment is people who think that just because raid CAN detect integrity errors, then it SHOULDN'T. Never mind. I ought to use it as an exercise to learn kernel programming.

But it does appear that a lot of what the kernel does is still stuck in the POSIX mindset. It would be nice if people could sit down and say "POSIX is so last century, what should linux do today?". I think the problem is, though, as Linus said, it's like herding cats ...

Cheers,
Wol

Revisiting "too small to fail"

Posted Jun 3, 2017 21:55 UTC (Sat) by nix (subscriber, #2304) [Link]

That's not as much of a problem as I thought it was. raid6check does what's necessary (it's just, uh, not installed by default). Frankly, I'm happy to wait for the immensely rare occasion when mismatch_cnt rises above 0 on a RAID-6 array and then run raid6check on it: complete automation of events as rare as that isn't terribly important to me. (But maybe it is for others...)

Revisiting "too small to fail"

Posted May 24, 2017 1:17 UTC (Wed) by neilbrown (subscriber, #359) [Link]

> So there's no way to change the default ....

Maybe you mean "there's no easy way", but there is a way.

1/ Introduce "GFP_DEFAULT" which does the right thing, and GFP_NOFAIL which really don't fail.
2/ Mark "GFP_KERNEL" as deprecated
3/ Start changing GFP_KERNEL to something else, and nagging others to do the same.

It worked for BKL .... eventually.
We can do this. We should do this! At least we can start doing this!!


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds