| blob | b249d15af9dd80f8a7ba8ff8521e745e1e949b70 |
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Lockless hierarchical page accounting & limiting
4 *
5 * Copyright (C) 2014 Red Hat, Inc., Johannes Weiner
6 */
8 #include <linux/page_counter.h>
9 #include <linux/atomic.h>
10 #include <linux/kernel.h>
11 #include <linux/string.h>
12 #include <linux/sched.h>
13 #include <linux/bug.h>
14 #include <asm/page.h>
17 {
19 }
23 {
37 }
46 }
47 }
49 /**
50 * page_counter_cancel - take pages out of the local counter
51 * @counter: counter
52 * @nr_pages: number of pages to cancel
53 */
55 {
59 /* More uncharges than charges? */
64 }
67 }
69 /**
70 * page_counter_charge - hierarchically charge pages
71 * @counter: counter
72 * @nr_pages: number of pages to charge
73 *
74 * NOTE: This does not consider any configured counter limits.
75 */
77 {
87 /*
88 * This is indeed racy, but we can live with some
89 * inaccuracy in the watermark.
90 *
91 * Notably, we have two watermarks to allow for both a globally
92 * visible peak and one that can be reset at a smaller scope.
93 *
94 * Since we reset both watermarks when the global reset occurs,
95 * we can guarantee that watermark >= local_watermark, so we
96 * don't need to do both comparisons every time.
97 *
98 * On systems with branch predictors, the inner condition should
99 * be almost free.
100 */
105 }
106 }
107 }
109 /**
110 * page_counter_try_charge - try to hierarchically charge pages
111 * @counter: counter
112 * @nr_pages: number of pages to charge
113 * @fail: points first counter to hit its limit, if any
114 *
115 * Returns %true on success, or %false and @fail if the counter or one
116 * of its ancestors has hit its configured limit.
117 */
121 {
127 /*
128 * Charge speculatively to avoid an expensive CAS. If
129 * a bigger charge fails, it might falsely lock out a
130 * racing smaller charge and send it into reclaim
131 * early, but the error is limited to the difference
132 * between the two sizes, which is less than 2M/4M in
133 * case of a THP locking out a regular page charge.
134 *
135 * The atomic_long_add_return() implies a full memory
136 * barrier between incrementing the count and reading
137 * the limit. When racing with page_counter_set_max(),
138 * we either see the new limit or the setter sees the
139 * counter has changed and retries.
140 */
144 /*
145 * This is racy, but we can live with some
146 * inaccuracy in the failcnt which is only used
147 * to report stats.
148 */
152 }
156 /* see comment on page_counter_charge */
161 }
162 }
165 failed:
170 }
172 /**
173 * page_counter_uncharge - hierarchically uncharge pages
174 * @counter: counter
175 * @nr_pages: number of pages to uncharge
176 */
178 {
183 }
185 /**
186 * page_counter_set_max - set the maximum number of pages allowed
187 * @counter: counter
188 * @nr_pages: limit to set
189 *
190 * Returns 0 on success, -EBUSY if the current number of pages on the
191 * counter already exceeds the specified limit.
192 *
193 * The caller must serialize invocations on the same counter.
194 */
196 {
201 /*
202 * Update the limit while making sure that it's not
203 * below the concurrently-changing counter value.
204 *
205 * The xchg implies two full memory barriers before
206 * and after, so the read-swap-read is ordered and
207 * ensures coherency with page_counter_try_charge():
208 * that function modifies the count before checking
209 * the limit, so if it sees the old limit, we see the
210 * modified counter and retry.
211 */
224 }
225 }
227 /**
228 * page_counter_set_min - set the amount of protected memory
229 * @counter: counter
230 * @nr_pages: value to set
231 *
232 * The caller must serialize invocations on the same counter.
233 */
235 {
242 }
244 /**
245 * page_counter_set_low - set the amount of protected memory
246 * @counter: counter
247 * @nr_pages: value to set
248 *
249 * The caller must serialize invocations on the same counter.
250 */
252 {
259 }
261 /**
262 * page_counter_memparse - memparse() for page counter limits
263 * @buf: string to parse
264 * @max: string meaning maximum possible value
265 * @nr_pages: returns the result in number of pages
266 *
267 * Returns -EINVAL, or 0 and @nr_pages on success. @nr_pages will be
268 * limited to %PAGE_COUNTER_MAX.
269 */
272 {
274 u64 bytes;
279 }
288 }
291 #ifdef CONFIG_MEMCG
292 /*
293 * This function calculates an individual page counter's effective
294 * protection which is derived from its own memory.min/low, its
295 * parent's and siblings' settings, as well as the actual memory
296 * distribution in the tree.
297 *
298 * The following rules apply to the effective protection values:
299 *
300 * 1. At the first level of reclaim, effective protection is equal to
301 * the declared protection in memory.min and memory.low.
302 *
303 * 2. To enable safe delegation of the protection configuration, at
304 * subsequent levels the effective protection is capped to the
305 * parent's effective protection.
306 *
307 * 3. To make complex and dynamic subtrees easier to configure, the
308 * user is allowed to overcommit the declared protection at a given
309 * level. If that is the case, the parent's effective protection is
310 * distributed to the children in proportion to how much protection
311 * they have declared and how much of it they are utilizing.
312 *
313 * This makes distribution proportional, but also work-conserving:
314 * if one counter claims much more protection than it uses memory,
315 * the unused remainder is available to its siblings.
316 *
317 * 4. Conversely, when the declared protection is undercommitted at a
318 * given level, the distribution of the larger parental protection
319 * budget is NOT proportional. A counter's protection from a sibling
320 * is capped to its own memory.min/low setting.
321 *
322 * 5. However, to allow protecting recursive subtrees from each other
323 * without having to declare each individual counter's fixed share
324 * of the ancestor's claim to protection, any unutilized -
325 * "floating" - protection from up the tree is distributed in
326 * proportion to each counter's *usage*. This makes the protection
327 * neutral wrt sibling cgroups and lets them compete freely over
328 * the shared parental protection budget, but it protects the
329 * subtree as a whole from neighboring subtrees.
330 *
331 * Note that 4. and 5. are not in conflict: 4. is about protecting
332 * against immediate siblings whereas 5. is about protecting against
333 * neighboring subtrees.
334 */
341 {
346 /*
347 * If all cgroups at this level combined claim and use more
348 * protection than what the parent affords them, distribute
349 * shares in proportion to utilization.
350 *
351 * We are using actual utilization rather than the statically
352 * claimed protection in order to be work-conserving: claimed
353 * but unused protection is available to siblings that would
354 * otherwise get a smaller chunk than what they claimed.
355 */
359 /*
360 * Ok, utilized protection of all children is within what the
361 * parent affords them, so we know whatever this child claims
362 * and utilizes is effectively protected.
363 *
364 * If there is unprotected usage beyond this value, reclaim
365 * will apply pressure in proportion to that amount.
366 *
367 * If there is unutilized protection, the cgroup will be fully
368 * shielded from reclaim, but we do return a smaller value for
369 * protection than what the group could enjoy in theory. This
370 * is okay. With the overcommit distribution above, effective
371 * protection is always dependent on how memory is actually
372 * consumed among the siblings anyway.
373 */
376 /*
377 * If the children aren't claiming (all of) the protection
378 * afforded to them by the parent, distribute the remainder in
379 * proportion to the (unprotected) memory of each cgroup. That
380 * way, cgroups that aren't explicitly prioritized wrt each
381 * other compete freely over the allowance, but they are
382 * collectively protected from neighboring trees.
383 *
384 * We're using unprotected memory for the weight so that if
385 * some cgroups DO claim explicit protection, we don't protect
386 * the same bytes twice.
387 *
388 * Check both usage and parent_usage against the respective
389 * protected values. One should imply the other, but they
390 * aren't read atomically - make sure the division is sane.
391 */
405 }
408 }
411 /**
412 * page_counter_calculate_protection - check if memory consumption is in the normal range
413 * @root: the top ancestor of the sub-tree being checked
414 * @counter: the page_counter the counter to update
415 * @recursive_protection: Whether to use memory_recursiveprot behavior.
416 *
417 * Calculates elow/emin thresholds for given page_counter.
418 *
419 * WARNING: This function is not stateless! It can only be used as part
420 * of a top-down tree iteration, not for isolated queries.
421 */
425 {
429 /*
430 * Effective values of the reclaim targets are ignored so they
431 * can be stale. Have a look at mem_cgroup_protection for more
432 * details.
433 * TODO: calculation should be more robust so that we do not need
434 * that special casing.
435 */
447 }
455 recursive_protection));
461 recursive_protection));
462 }