| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2d5ee2b9-e348-4d4e-a514-6c698f19f7e5@huawei.com>
Date: Mon, 27 Oct 2025 10:57:15 +0800
From: Baokun Li <libaokun1@...wei.com>
To: Matthew Wilcox <willy@...radead.org>
CC: "Darrick J. Wong" <djwong@...nel.org>, <linux-ext4@...r.kernel.org>,
<tytso@....edu>, <adilger.kernel@...ger.ca>, <jack@...e.cz>,
<linux-kernel@...r.kernel.org>, <kernel@...kajraghav.com>,
<mcgrof@...nel.org>, <linux-fsdevel@...r.kernel.org>, <linux-mm@...ck.org>,
<yi.zhang@...wei.com>, <yangerkun@...wei.com>, <chengzhihao1@...wei.com>,
<catherine.hoang@...cle.com>, Baokun Li <libaokun@...weicloud.com>, Linus
Torvalds <torvalds@...ux-foundation.org>
Subject: Re: [PATCH 22/25] fs/buffer: prevent WARN_ON in
__alloc_pages_slowpath() when BS > PS
On 2025-10-26 01:56, Matthew Wilcox wrote:
> On Sat, Oct 25, 2025 at 02:32:45PM +0800, Baokun Li wrote:
>> On 2025-10-25 12:45, Matthew Wilcox wrote:
>>> On Sat, Oct 25, 2025 at 11:22:18AM +0800, libaokun@...weicloud.com wrote:
>>>> + while (1) {
>>>> + folio = __filemap_get_folio(mapping, index, fgp_flags,
>>>> + gfp & ~__GFP_NOFAIL);
>>>> + if (!IS_ERR(folio) || !(gfp & __GFP_NOFAIL))
>>>> + return folio;
>>>> +
>>>> + if (PTR_ERR(folio) != -ENOMEM && PTR_ERR(folio) != -EAGAIN)
>>>> + return folio;
>>>> +
>>>> + memalloc_retry_wait(gfp);
>>>> + }
>>> No, absolutely not. We're not having open-coded GFP_NOFAIL semantics.
>>> The right way forward is for ext4 to use iomap, not for buffer heads
>>> to support large block sizes.
>> ext4 only calls getblk_unmovable or __getblk when reading critical
>> metadata. Both of these functions set __GFP_NOFAIL to ensure that
>> metadata reads do not fail due to memory pressure.
> If filesystems actually require __GFP_NOFAIL for high-order allocations,
> then this is a new requirement that needs to be communicated to the MM
> developers, not hacked around in filesystems (or the VFS). And that
> communication needs to be a separate thread with a clear subject line
> to attract the right attention, not buried in patch 26/28.
EXT4 is not the first filesystem to support LBS. I believe other
filesystems that already support LBS, even if they manage their own
metadata, have similar requirements. A filesystem cannot afford to become
read-only, shut down, or enter an inconsistent state due to memory
allocation failures in critical paths. Large folios have been around for
some time, and the fact that this warning still exists shows that the
problem is not trivial to solve.
Therefore, following the approach of filesystems that already support LBS,
such as XFS and the soon-to-be-removed bcachefs, I avoid adding
__GFP_NOFAIL for large allocations and instead retry internally to prevent
failures.
I do not intend to hide this issue in Patch 22/25. I cc’d linux-mm@...ck.org
precisely to invite memory management experts to share their thoughts on
the current situation.
Here is my limited understanding of the history of __GFP_NOFAIL:
Originally, in commit 4923abf9f1a4 ("Don't warn about order-1 allocations
with __GFP_NOFAIL"), Linus Torvalds raised the warning order from 0 to 1,
and commented,
"Maybe we should remove this warning entirely."
We had considered removing this warning, but then saw the discussion below.
Previously we used WARN_ON_ONCE_GFP, which meant the warning could be
suppressed with __GFP_NOWARN. But with the introduction of large folios,
memory allocation and reclaim have become much more challenging.
__GFP_NOFAIL can still fail, and many callers do not check the return
value, leading to potential NULL pointer dereferences.
Linus also noted that __GFP_NOFAIL is heavily abused, and even said in [1]:
“Honestly, I'm perfectly fine with just removing that stupid useless flag
entirely.”
"Because the blame should go *there*, and it should not even remotely look
like "oh, the MM code failed". No. The caller was garbage."
[1]:
https://lore.kernel.org/linux-mm/CAHk-=wgv2-=Bm16Gtn5XHWj9J6xiqriV56yamU+iG07YrN28SQ@mail.gmail.com/
>From this, my understanding is that handling or retrying large allocation
failures in the caller is the direction going forward.
As for why retries are done in the VFS, there are two reasons: first, both
ext4 and jbd2 read metadata through blkdev, so a unified change is simpler.
Second, retrying here allows other buffer-head-based filesystems to support
LBS more easily.
For now, until large memory allocation and reclaim are properly handled,
this approach serves as a practical workaround.
> For what it's worth, I think you have a good case. This really is
> a new requirement (bs>PS) and in this scenario, we should be able to
> reclaim page cache memory of the appropriate order to satisfy the NOFAIL
> requirement. There will be concerns that other users will now be able to
> use it without warning, but I think eventually this use case will prevail.
Yeah, it would be best if the memory subsystem could add a flag like
__GFP_LBS to suppress these warnings and guide allocation and reclaim to
perform optimizations suited for this scenario.
>> Both functions eventually call grow_dev_folio(), which is why we
>> handle the __GFP_NOFAIL logic there. xfs_buf_alloc_backing_mem()
>> has similar logic, but XFS manages its own metadata, allowing it
>> to use vmalloc for memory allocation.
> The other possibility is that we switch ext4 away from the buffer cache
> entirely. This is a big job! I know Catherine has been working on
> a generic replacement for the buffer cache, but I'm not sure if it's
> ready yet.
>
The key issue is not whether ext4 uses buffer heads; even using vmalloc
with __GFP_NOFAIL for large allocations faces the same problem.
As Linus also mentioned in the link[1] above:
"It has then expanded and is now a problem. The cases using GFP_NOFAIL
for things like vmalloc() - which is by definition not a small
allocation - should be just removed as outright bugs."
Thanks,
Baokun
Powered by blists - more mailing lists