Keir Fraser
2010-Jun-10 09:46 UTC
[Xen-devel] Bug in tmem: refcount leak leaves zombie saved domains
Dan,

Just doing some save/restore testing on xen-unstable tip, I noticed that:

# xm create ./pv_config
# xm save PV1

would leave the saved guest as a zombie in the DOMDYING_dead state with no pages, yet with refcnt=1. This happens absolutely consistently. Just as consistently, it does not happen when I boot Xen with no-tmem. My conclusion is that tmem is leaking a domain reference count during domain save. This doesn't happen if I merely "xm create ...; xm destroy ...".

My pv_config file contains nothing exciting:

kernel = "/nfs/keir/xen/xen64.hg/dist/install/boot/vmlinuz-2.6.18.8-xenU"
memory = 750
name = "PV1"
vcpus = 2
vif = [ 'mac=00:1a:00:00:01:01' ]
disk = [ 'phy:/dev/VG/Suse10.1_64_1,sda1,w' ]
root = "/dev/sda1 ro xencons=tty"
extra = ""
tsc_native = 1
on_poweroff = 'destroy'
on_reboot = 'restart'
on_crash = 'preserve'

The dom{0,U} kernels are tip of linux-2.6.18-xen, default -xen{0,U} configs.

-- Keir

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
Dan Magenheimer
2010-Jun-10 13:08 UTC
[Xen-devel] RE: Bug in tmem: refcount leak leaves zombie saved domains
OK, will take a look.

IIRC, Jan's work to fix the domain reference stuff just before 4.0 shipped was a heavy hammer, but since it seemed to work I didn't want to mess with it so close to release... really there's only a need to take a reference once on first use and release it at shutdown, rather than take/release frequently. IIRC, I had used a macro that took references when they weren't really needed, and Jan placed the matching macros that did the release.

Dan
Dan Magenheimer
2010-Jun-10 15:38 UTC
RE: [Xen-devel] RE: Bug in tmem: refcount leak leaves zombie saved domains
Keir --

I'd like to do a get_domain_by_id() without doing a get_domain(), as the tmem code need only get_domain() once on first use and put_domain() once when destroying, but frequently needs to look up a domain by id. It looks like rcu_lock_domain_by_id() does what I need, but I don't need any rcu critical sections (outside of the domain lookup itself) and am fearful that if rcu locking is ever fully implemented, my use of rcu_lock_domain_by_id() would become incorrect and I may have a problem. Should I create an equivalent get_domain_by_id_no_ref()? Or am I misunderstanding something?

Semi-related, rcu_lock_domain_by_id() has a "return d" inside the for loop without an rcu_read_unlock(). I see that this is irrelevant now because rcu_read_unlock() is a no-op anyway, but maybe this should be cleaned up for the same reason -- in case rcu locking is ever fully implemented.

Thanks,
Dan
Keir Fraser
2010-Jun-10 16:12 UTC
Re: [Xen-devel] RE: Bug in tmem: refcount leak leaves zombie saved domains
On 10/06/2010 16:38, "Dan Magenheimer" <dan.magenheimer@oracle.com> wrote:

> I'd like to do a get_domain_by_id() without doing a get_domain()
> as the tmem code need only get_domain() once on first use
> and put_domain() once when destroying, but frequently needs
> to lookup a domain by id.

If you have a handle on a domain already I wonder why you need to continually look up by domid...

> It looks like rcu_lock_domain_by_id() does what I need, but
> I don't need any rcu critical sections (outside of the domain
> lookup itself) and am fearful that if rcu locking ever is fully
> implemented, my use of rcu_lock_domain_by_id() would become
> incorrect and I may have a problem. Should I create an equivalent
> get_domain_by_id_no_ref()? Or am I misunderstanding something?

If you really know what you're doing, I suggest you just have your own tmh_lookup_domain() macro mapping onto rcu_lock_domain_by_id(). RCU locking is fully implemented already. It's highly unlikely to change in future, and we can work out something else for your case if that happens.

I'm not keen on providing an explicitly synchronisation-free version in common code. It just encourages people not to think about synchronisation at all.

-- Keir
Keir Fraser
2010-Jun-10 16:34 UTC
Re: [Xen-devel] RE: Bug in tmem: refcount leak leaves zombie saved domains
On 10/06/2010 16:38, "Dan Magenheimer" <dan.magenheimer@oracle.com> wrote:

> Semi-related, rcu_lock_domain_by_id() has a "return d" inside
> the for loop without an rcu_read_unlock(). I see that this
> is irrelevant now because rcu_read_unlock() is a no-op anyway,
> but maybe this should be cleaned up for the same reason --
> in case rcu locking is ever fully implemented.

The implementation is correct. The matching rcu_read_unlock() is in rcu_unlock_domain().

-- Keir
Dan Magenheimer
2010-Jun-10 17:54 UTC
RE: [Xen-devel] RE: Bug in tmem: refcount leak leaves zombie saved domains
Could you give the attached a try on your test case? If it passes and Jan thinks it is OK (as I backed out most of his patch at cs 20918), then:

Tmem: fix domain refcount leak by returning to simpler model which claims a ref once when the tmem client is first associated with the domain, and puts it once when the tmem client is destroyed.

Signed-off-by: Dan Magenheimer <dan.magenheimer@oracle.com>

> If you have a handle on a domain already I wonder why you need to
> continually look up by domid...

Nearly all tmem uses are via current->domain. The remaining (such as from the tools) are via a specified domid. I don't keep a domid->domain lookup table around as the frequency is very low and the existing mechanism works fine (or it does if I use it correctly anyway ;-)

> RCU locking is fully implemented already. It's highly unlikely to change
> in future and we can work out something else for your case if that happens.

I guess I was confused by the fact that the rcu_lock/unlock macros are no-ops.

In any case, I think I understand the semantics well enough now after your second reply pointing me to rcu_unlock_domain, so I think the attached patch should avoid special cases in the future.
Keir Fraser
2010-Jun-10 20:06 UTC
Re: [Xen-devel] RE: Bug in tmem: refcount leak leaves zombie saved domains
This patch looks good, I'll test it tomorrow.

I think you don't need to mess with reference counts *at all* however, since domain_kill() -> tmem_destroy() -> client_flush() -> client_free() -> tmh_client_destroy() -> put_domain(). But domain_kill() itself holds a domain reference, hence tmem_destroy's put_domain() is never the last domain reference. IOW, since you have a hook on the domain destruction path, you basically get a callback before a domain's reference count falls to zero, and that's all you need.

What you *do* need to do when setting up a new tmem client is check that the associated domain is not dying. Without that check the code is in fact currently buggy: you can end up with a zombie domain that is a client of tmem and will never stop being a client because it became a client after tmem_destroy() was called on it.

Does that make sense?

-- Keir
Keir Fraser
2010-Jun-10 21:43 UTC
Re: [Xen-devel] RE: Bug in tmem: refcount leak leaves zombie saved domains
On 10/06/2010 21:06, "Keir Fraser" <keir.fraser@eu.citrix.com> wrote:

> This patch looks good, I'll test it tomorrow.

It tests okay so I applied it as xen-unstable:21595.

> What you *do* need to do when setting up a new tmem client is check that
> the associated domain is not dying. Without that check the code is in fact
> currently buggy: you can end up with a zombie domain that is a client of
> tmem and will never stop being a client because it became a client after
> tmem_destroy() was called on it.

I implemented this as xen-unstable:21596. Take a look. It's pretty straightforward.

I think both of these should be backported for Xen 4.0.1?

-- Keir
Dan Magenheimer
2010-Jun-10 22:34 UTC
RE: [Xen-devel] RE: Bug in tmem: refcount leak leaves zombie saved domains
> I think both of these should be backported for Xen 4.0.1?Thanks for handling it. I agree it should go into Xen 4.0.1, but I won''t be able to give it much testing before that releases (unless it takes a few more RC''s) so if you are confident and Jan doesn''t see any problems, go for it.> -----Original Message----- > From: Keir Fraser [mailto:keir.fraser@eu.citrix.com] > Sent: Thursday, June 10, 2010 3:43 PM > To: Dan Magenheimer; xen-devel@lists.xensource.com > Cc: JBeulich@novell.com > Subject: Re: [Xen-devel] RE: Bug in tmem: refcount leak leaves zombie > saved domains > > On 10/06/2010 21:06, "Keir Fraser" <keir.fraser@eu.citrix.com> wrote: > > > This patch looks good, I''ll test it tomorrow. > > It tests okay so I applied it as xen-unstable:21595. > > > What you *do* need to do when setting up a new tmem client is check > that the > > associated domain is not dying. Without that check the code is in > fact > > currently buggy: you can end up with a zombie domain that is a client > of > > tmem and will never stop being a client because it became a client > after > > tmem_destroy() was called on it. > > I implemented this as xen-unstable:21596. Take a look. It''s pretty > straightforward. > > I think both of these should be backported for Xen 4.0.1? > > -- Keir > > > Does that make sense? > > > > -- Keir > > > > On 10/06/2010 18:54, "Dan Magenheimer" <dan.magenheimer@oracle.com> > wrote: > > > >> Could you give the attached a try on your test case? If > >> it passes and Jan thinks it is OK (as I backed out most of > >> his patch at cs 20918), then: > >> > >> Tmem: fix domain refcount leak by returning to simpler model > >> which claims a ref once when the tmem client is first associated > >> with the domain, and puts it once when the tmem client is > >> destroyed. > >> > >> Signed-off-by: Dan Magenheimer <dan.magenheimer@oracle.com> > >> > >>> If you have a handle on a domain already I wonder why you need to > >>> continually look up by domid... 
> >> > >> Nearly all tmem uses are via current->domain. The remaining > >> (such as from the tools) are via a specified domid. I don''t > >> keep a domid->domain lookup table around as the frequency is > >> very low and the existing mechanism works fine (or it does > >> if I use it correctly anyway ;-) > >> > >>> RCU locking > >>> is fully implemented already. It''s highly unlikely to change in > future > >>> and we can work out something else for your case if that happens. > >> > >> I guess I was confused by the fact that the rcu_lock/unlock macros > >> are no-ops. > >> > >> In any case, I think I understand the semantics well enough now > >> after your second reply pointing me to rcu_unlock_domain, so > >> I think the attached patch should avoid special cases in the > >> future. > >> > >>>> I''d like to do a get_domain_by_id() without doing a get_domain() > >>>> as the tmem code need only get_domain() once on first use > >>>> and put_domain() once when destroying, but frequently needs > >>>> to lookup a domain by id. > >>> > >>> If you have a handle on a domain already I wonder why you need to > >>> continually look up by domid... > >>> > >>>> It looks like rcu_lock_domain_by_id() does what I need, but > >>>> I don''t need any rcu critical sections (outside of the domain > >>>> lookup itself) and am fearful that if rcu locking ever is fully > >>>> implemented, my use of rcu_lock_domain_by_id() would become > >>>> incorrect and I may have a problem. Should I create an equivalent > >>>> get_domain_by_id_no_ref()? Or am I misunderstanding something? > >>> > >>> If you really know what you''re doing, I suggest just have your own > >>> tmh_lookup_domain() macro mapping onto rcu_lock_domain_by_id(). RCU > >>> locking > >>> is fully implemented already. It''s highly unlikely to change in > future > >>> and > >>> we can work out something else for your case if that happens. 
> >>>
> >>> I'm not keen on providing an explicitly synchronisation-free
> >>> version in common code. It just encourages people not to think
> >>> about synchronisation at all.
> >>>
> >>> -- Keir
> >>>
> >>>> Semi-related, rcu_lock_domain_by_id() has a "return d" inside
> >>>> the for loop without an rcu_read_unlock(). I see that this
> >>>> is irrelevant now because rcu_read_unlock() is a no-op anyway,
> >>>> but maybe this should be cleaned up for the same reason --
> >>>> in case rcu locking is ever fully implemented.
> >>>>
> >>>> Thanks,
> >>>> Dan
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: Dan Magenheimer
> >>>>> Sent: Thursday, June 10, 2010 7:08 AM
> >>>>> To: Keir Fraser; xen-devel@lists.xensource.com
> >>>>> Subject: [Xen-devel] RE: Bug in tmem: refcount leak leaves
> >>>>> zombie saved domains
> >>>>>
> >>>>> OK, will take a look.
> >>>>>
> >>>>> IIRC, Jan's work to fix the domain reference stuff just
> >>>>> before 4.0 shipped was a heavy hammer but since it seemed
> >>>>> to work, I didn't want to mess with it so close to release...
> >>>>> really there's only a need to take a reference once on
> >>>>> first use and release it at shutdown, rather than
> >>>>> take/release frequently. IIRC, I had used a macro that
> >>>>> took references when they weren't really needed and
> >>>>> Jan placed the matching macros that did the release.
> >>>>>
> >>>>> Dan
> >>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: Keir Fraser [mailto:keir.fraser@eu.citrix.com]
> >>>>>> Sent: Thursday, June 10, 2010 3:47 AM
> >>>>>> To: xen-devel@lists.xensource.com
> >>>>>> Cc: Dan Magenheimer
> >>>>>> Subject: Bug in tmem: refcount leak leaves zombie saved domains
> >>>>>>
> >>>>>> Dan,
> >>>>>>
> >>>>>> Just doing some save/restore testing on xen-unstable tip, I
> >>>>>> noticed that:
> >>>>>> # xm create ./pv_config
> >>>>>> # xm save PV1
> >>>>>>
> >>>>>> Would leave the saved guest as a zombie in the DOMDYING_dead
> >>>>>> state with no pages, yet with refcnt=1. This happens absolutely
> >>>>>> consistently. Just as consistently, it does not happen when I
> >>>>>> boot Xen with no-tmem. My conclusion is that tmem is leaking a
> >>>>>> domain reference count during domain save. This doesn't happen
> >>>>>> if I merely "xm create ...; xm destroy ...".
> >>>>>>
> >>>>>> My pv_config file contains nothing exciting:
> >>>>>> kernel = "/nfs/keir/xen/xen64.hg/dist/install/boot/vmlinuz-2.6.18.8-xenU"
> >>>>>> memory = 750
> >>>>>> name = "PV1"
> >>>>>> vcpus = 2
> >>>>>> vif = [ 'mac=00:1a:00:00:01:01' ]
> >>>>>> disk = [ 'phy:/dev/VG/Suse10.1_64_1,sda1,w' ]
> >>>>>> root = "/dev/sda1 ro xencons=tty"
> >>>>>> extra = ""
> >>>>>> tsc_native = 1
> >>>>>> on_poweroff = 'destroy'
> >>>>>> on_reboot = 'restart'
> >>>>>> on_crash = 'preserve'
> >>>>>>
> >>>>>> The dom{0,U} kernels are tip of linux-2.6.18-xen, default
> >>>>>> -xen{0,U} configs.
> >>>>>>
> >>>>>> -- Keir

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
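[Editorial sketch] The "simpler model" Dan's patch returns to -- claim a
domain reference exactly once when the tmem client is first associated
with the domain, release it once when the client is destroyed -- together
with Keir's xen-unstable:21596 check that a dying domain is refused as a
new client, can be illustrated with a toy model. This is not Xen source:
struct domain here is a two-field stand-in, and tmem_client_init/
tmem_client_destroy are hypothetical names chosen for illustration.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

/* Toy stand-in for Xen's struct domain (the real one lives in
 * xen/include/xen/sched.h); refcnt models get_domain()/put_domain(). */
struct domain {
    int refcnt;
    bool is_dying;
    void *tmem_client;   /* NULL until tmem is first used by the domain */
};

static int toy_client;   /* placeholder for a real per-domain tmem client */

/* Take the one and only tmem reference on first use.  Refuse a dying
 * domain: without this check a domain that becomes a client after
 * tmem_destroy() has run would hold its reference forever (the zombie
 * Keir observed). */
int tmem_client_init(struct domain *d)
{
    if (d->is_dying)
        return -1;
    if (d->tmem_client == NULL) {
        d->refcnt++;                 /* claimed once, on first association */
        d->tmem_client = &toy_client;
    }
    return 0;                        /* later calls take no extra refs */
}

/* Drop that single reference when the tmem client is destroyed. */
void tmem_client_destroy(struct domain *d)
{
    if (d->tmem_client != NULL) {
        d->tmem_client = NULL;
        d->refcnt--;
    }
}
```

The point of the once-per-client model is that save/restore paths can no
longer unbalance the count: however many tmem operations run, the domain
holds exactly one tmem reference between first use and destruction.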
Jan Beulich
2010-Jun-11 07:39 UTC
RE: [Xen-devel] RE: Bug in tmem: refcount leak leaves zombie saved domains
>>> On 10.06.10 at 19:54, Dan Magenheimer <dan.magenheimer@oracle.com> wrote:
> Could you give the attached a try on your test case? If
> it passes and Jan thinks it is OK (as I backed out most of
> his patch at cs 20918), then:

The combination of the two patches looks okay to me in any case; I
didn't bother checking whether 21595 alone would have been okay too.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
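[Editorial sketch] The rcu_lock_domain_by_id() semantics that puzzled Dan
earlier in the thread -- the "return d" inside the loop with no matching
rcu_read_unlock() -- are intentional: on success the function returns with
the read-side lock still held, and the caller drops it via
rcu_unlock_domain(). The toy model below shows only that calling pattern;
it is not Xen code (the real functions live in xen/common/domain.c, and
rcu_readers here merely counts what rcu_read_lock()/rcu_read_unlock()
would do).

```c
#include <assert.h>
#include <stddef.h>

typedef unsigned short domid_t;

struct domain {
    domid_t domain_id;
    struct domain *next;
};

/* domain_list stands in for Xen's RCU-protected domain list;
 * rcu_readers models the read-lock depth (the real lock/unlock macros
 * can compile to no-ops, hence Dan's confusion above). */
static struct domain *domain_list;
static int rcu_readers;

/* On success, return with the read-side lock deliberately still held so
 * the caller can safely use the domain; unlock only on lookup failure. */
struct domain *rcu_lock_domain_by_id(domid_t dom)
{
    struct domain *d;

    rcu_readers++;                   /* models rcu_read_lock() */
    for (d = domain_list; d != NULL; d = d->next)
        if (d->domain_id == dom)
            return d;                /* lock intentionally held for caller */
    rcu_readers--;                   /* not found: drop the lock here */
    return NULL;
}

/* The caller's matching release -- what Keir's second reply pointed
 * Dan at. */
void rcu_unlock_domain(struct domain *d)
{
    (void)d;
    rcu_readers--;                   /* models rcu_read_unlock() */
}
```

Every successful lookup must therefore be paired with an
rcu_unlock_domain() by the caller, which is why a wrapper such as the
tmh_lookup_domain() macro Keir suggests can simply map onto
rcu_lock_domain_by_id() without any special no-ref variant.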