Re: [PATCH v2] mm: mglru: fix stale batch updates after memcg reparenting

[Qi Zheng]

Hi Harry,

On 6/23/26 2:17 PM, Harry Yoo wrote:
> On 6/23/26 11:42 AM, Qi Zheng wrote:
> > From: Qi Zheng <zhengqi.arch@xxxxxxxxxxxxx>
> >
> > The mglru page table walker batches per-generation size deltas in
> > walk->nr_pages while walking page tables without holding the lruvec lock.
> > The reset_batch_size() later folds those deltas into walk->lruvec under
> > the lruvec lock.
>
> Ouch.
>
> IIRC the user-visible impact of underestimated nr_pages in MGLRU
> was premature OOMs because MGLRU does not try to reclaim memory when
> nr_pages reaches zero, but there are still more pages.
>
> Perhaps worth mentioning in the changelog?

Maybe this should be placed before "To fix it...".

> > The page table walker can run concurrently with the memcg reparenting path
> > as follows:
> >
> > CPU0                           CPU1
> > ====                           ====
> >
> > walk_mm
> > --> walk_page_range
> >      --> update_batch_size
> >          --> walk->nr_pages += delta
> >
> >                                mem_cgroup_css_offline
> >                                --> memcg_reparent_objcgs
> >                                    --> lock lruvec
> >                                        lru_gen_reparent_memcg
> >                                        --> reparent child folios to parent
> >                                        unlock lruvec
> >
> >      lock lruvec
> >      reset_batch_size
> >      --> child lrugen->nr_pages += delta
>
> The problem here is that, while grabbing a reference to memcg
> (via mem_cgroup_iter(), for example) makes sure that the memcg is not
> freed, it does not prevent offlining happening, and reset_batch_size()
> doesn't check whether the lruvec has been reparented, or the lruvec
> is going to be reparented.
>
> > This will trigger the following warning in lru_gen_exit_memcg():
> >
> > 	VM_WARN_ON_ONCE(memchr_inv(lruvec->lrugen.nr_pages, 0,
> > 				   sizeof(lruvec->lrugen.nr_pages)));
> >
> > To fix it, add lrugen->reparented to remember the new owner of a
> > reparented lruvec, and make reset_batch_size() charge pending deltas to
> > that owner.
>
> Could you please explain why it is unavoidable to introduce the new
> field and why checking whether the cgroup is dying (and charging deltas
> to non-dying parent) doesn't work?

Peiyang tried doing this [1], but it doesn't work because
ss->css_offline() is called before clearing the CSS_ONLINE flag. I
also considered using mem_cgroup_tryget_online(), but that only prevent
the memcg from being freed. It's doesn't prevent the offlining.

So in the end, I chose the approach used in this patch. Simply adding
a new field to mglru to track its reparenting status seems to be the
most straightforward and effective approach.

Thanks,
Qi

[1]. 
https://lore.kernel.org/all/5A9E929D82717101+12fcf643-efb8-4b9a-a53a-1e28cc894f0b@xxxxxxxxxxxxxxxx

> > Reported-by: Peiyang He <peiyang_he@xxxxxxxxxxxxxxxx>
> > Closes: https://lore.kernel.org/all/5A9E929D82717101+12fcf643-efb8-4b9a-a53a-1e28cc894f0b@xxxxxxxxxxxxxxxx
> > Fixes: f304652609ea ("mm: vmscan: prepare for reparenting MGLRU folios")
> > Cc: <stable@xxxxxxxxxxxxxxx>
> > Signed-off-by: Qi Zheng <zhengqi.arch@xxxxxxxxxxxxx>
> > Reviewed-by: Barry Song <baohua@xxxxxxxxxx>
> > ---