[I am not suggesting to redo the patch, only discussing the possible approaches].

I somewhat dislike per-page USER_WIRE flag which require so much hand-holding. By definition, user wire count is exactly equal to the count of pages in wired user map entries. Can we simply account there, in vm_map_wire(), vm_map_entry_wire_failure(), and vm_map_unwire(), without even doing anything with the page wire attribute ?

It would somewhat over-count for private read-only mappings, like libc text mapped into more than one vmspace, and cannot distinguish between managed (that you count now) and unmanaged pages. But isn't it much simpler so that the difference does not matter ?

In D19390#416489, @kib wrote:

[I am not suggesting to redo the patch, only discussing the possible approaches].

I'm happy to rewrite the patch if the result may be cleaner.

I somewhat dislike per-page USER_WIRE flag which require so much hand-holding. By definition, user wire count is exactly equal to the count of pages in wired user map entries. Can we simply account there, in vm_map_wire(), vm_map_entry_wire_failure(), and vm_map_unwire(), without even doing anything with the page wire attribute ?

I don't disagree that it is somewhat ugly, but is it really that much hand-holding? The only places that require modification are the fault handler and code paths which (un)wire pages according to a user's request. Most of the complexity is in CoW paths where the user-wiring state must be propagated, and even there is it not too bad.

It would somewhat over-count for private read-only mappings, like libc text mapped into more than one vmspace, and cannot distinguish between managed (that you count now) and unmanaged pages. But isn't it much simpler so that the difference does not matter ?

That would be fine for the immediate goal from D19247, but I don't really like it - I believe there is value in providing accurate system-wide accounting for mlock().

Looking further ahead, I would like us to stop counting wired pages (i.e., v_wire_count) directly. The reason is that I want struct vm_page's wire_count to become a reference counter, and it makes no sense to touch the per-CPU v_wire_count cacheline every time a transient reference is obtained or released. For accounting purposes, kernel memory usage can be defined to be v_page_count - sum(pagequeue sizes) - v_user_wire_count. Moreover, the notion of wiring for kernel pages is ambiguous: a page allocated with vm_page_alloc() is non-pageable regardless of whether VM_ALLOC_WIRED is specified. (For example, the amd64 pmap allocates some pages without VM_ALLOC_WIRED.) So what exactly does it mean for a page to be wired? IMO the concept should be defined at the mapping level, not at the level of the physical page; to effect wiring, the VM can use the reference counter to ensure that the page is not reclaimable, and the PG_USER_WIRED flag caches the information that at least one non-kernel mapping of the page is wired. This is similar in principle to, e.g., PGA_WRITEABLE.

If you still prefer the simpler route, I will implement it, but I am also trying to influence the long-term direction here.

In D19390#416570, @markj wrote:

IMO the concept should be defined at the mapping level, not at the level of the physical page; to effect wiring, the VM can use the reference counter to ensure that the page is not reclaimable, and the PG_USER_WIRED flag caches the information that at least one non-kernel mapping of the page is wired. This is similar in principle to, e.g., PGA_WRITEABLE.

This could be interpreted as an argument for maintaining PG_USER_WIRE in the pmap layer rather than MI code. That would probably be cleaner, though the diff would be larger.

1. To get accurate user wiring accounting at the pmap layer, you need both the page flag (PG_USER_WIRED ?) and the mapping flag (PG_W), or yet another counter on the page. This seems to be too intrusive for such small feature.
2. Your formula for 'kernel-used pages' (v_page_count - sum(pagequeue sizes) - v_user_wire_count) does not account for the pageable kernel mappings, i.e. pipe buffers and exec strings. Also it not behaves with the pages wired by the buffer cache.
3. Since I mentioned buffer cache, suppose userspace wired a file mapping which has buffers instantiated for the pages. If the file is unmapped (or the mapping is munlocked) while buffers are still not reclaimed, then it seems that the current patch could leak the user wiring.

About your notion that it is undesirable to touch v_wire_count on each transition reference, you can only do that on 0->1 and 1->0 edges, and I do not see how could you avoid that.

My impression, after listing all the items above, is that all approaches except accounting at pmap are error-prone, either by leak or by overcounting, or by both. Then I really do not see much sense in doing much more complicated patch instead of almost trivial accounting of wired map entries total size.

In D19390#416928, @kib wrote:

1. To get accurate user wiring accounting at the pmap layer, you need both the page flag (PG_USER_WIRED ?) and the mapping flag (PG_W), or yet another counter on the page. This seems to be too intrusive for such small feature.

The only entity in the kernel which creates system-wired mappings in a pmap != kernel_pmap is vslock(). I think we can either ignore this special case or change it to not be special (e.g., count vslock() wirings as user wirings).

We don't strictly need even PG_USER_WIRED. All it does is cache information available at the pmap layer.

2. Your formula for 'kernel-used pages' (v_page_count - sum(pagequeue sizes) - v_user_wire_count) does not account for the pageable kernel mappings, i.e. pipe buffers and exec strings. Also it not behaves with the pages wired by the buffer cache.

Ok, let's say "non-pageable kernel memory" instead of "kernel-used pages." Pipe buffers have their own accounting and exec strings account for only a small fraction of memory anyway.

3. Since I mentioned buffer cache, suppose userspace wired a file mapping which has buffers instantiated for the pages. If the file is unmapped (or the mapping is munlocked) while buffers are still not reclaimed, then it seems that the current patch could leak the user wiring.

How? Buffer cache mappings are not managed, and vm_object_unwire() always updates user-wiring state based on the number of wired mappings of the page. Indeed, a similar leak exists with vslock(), mentioned in the description, but because it is transient I do not think it is a major problem. Arguably pages wired by sysctl_wire_old_buffer() should be included in v_user_wire_count even if vslock() is not subject to that limit.

About your notion that it is undesirable to touch v_wire_count on each transition reference, you can only do that on 0->1 and 1->0 edges, and I do not see how could you avoid that.

I think that v_wire_count should not be updated directly. It can be computed indirectly on demand.

My impression, after listing all the items above, is that all approaches except accounting at pmap are error-prone, either by leak or by overcounting, or by both. Then I really do not see much sense in doing much more complicated patch instead of almost trivial accounting of wired map entries total size.

In D19390#416973, @markj wrote:

In D19390#416928, @kib wrote:

1. To get accurate user wiring accounting at the pmap layer, you need both the page flag (PG_USER_WIRED ?) and the mapping flag (PG_W), or yet another counter on the page. This seems to be too intrusive for such small feature.

The only entity in the kernel which creates system-wired mappings in a pmap != kernel_pmap is vslock(). I think we can either ignore this special case or change it to not be special (e.g., count vslock() wirings as user wirings).

We don't strictly need even PG_USER_WIRED. All it does is cache information available at the pmap layer.

2. Your formula for 'kernel-used pages' (v_page_count - sum(pagequeue sizes) - v_user_wire_count) does not account for the pageable kernel mappings, i.e. pipe buffers and exec strings. Also it not behaves with the pages wired by the buffer cache.

Ok, let's say "non-pageable kernel memory" instead of "kernel-used pages." Pipe buffers have their own accounting and exec strings account for only a small fraction of memory anyway.

3. Since I mentioned buffer cache, suppose userspace wired a file mapping which has buffers instantiated for the pages. If the file is unmapped (or the mapping is munlocked) while buffers are still not reclaimed, then it seems that the current patch could leak the user wiring.

How? Buffer cache mappings are not managed, and vm_object_unwire() always updates user-wiring state based on the number of wired mappings of the page. Indeed, a similar leak exists with vslock(), mentioned in the description, but because it is transient I do not think it is a major problem. Arguably pages wired by sysctl_wire_old_buffer() should be included in v_user_wire_count even if vslock() is not subject to that limit.

I see, I mis-remembered the patch as predicating vm_page_unwire_user() on m->wire_count, which it does not.

About your notion that it is undesirable to touch v_wire_count on each transition reference, you can only do that on 0->1 and 1->0 edges, and I do not see how could you avoid that.

I think that v_wire_count should not be updated directly. It can be computed indirectly on demand.

My impression, after listing all the items above, is that all approaches except accounting at pmap are error-prone, either by leak or by overcounting, or by both. Then I really do not see much sense in doing much more complicated patch instead of almost trivial accounting of wired map entries total size.

In light of r345382, I don't think this approach can work as-is: vm_page_unwire_user() uses the number of wired mappings to determine whether a page is user wired, but apparently it is possible to remove mappings of wired pages from a user pmap without unwiring.

To make progress I might have to follow the accounting approach that you suggested earlier. But, what exactly is the purpose of max_wired? Is it a seatbelt to ensure that a programming error doesn't lock all of RAM? RLIMIT_MEMLOCK serves that purpose. Is it to protect against a DoS from a malicious application? It is quite broken for that case since mlockall() does not apply the limit, and there are trivial ways for a user application to consume large amounts of kernel memory, bypassing max_wired.

max_wired is a frequent source of complains when using the ZFS ARC, since that wires a large fraction of the system's RAM. Many tutorials and scripts just set it to -1, effectively disabling it.

In D19390#421392, @markj wrote:

In light of r345382, I don't think this approach can work as-is: vm_page_unwire_user() uses the number of wired mappings to determine whether a page is user wired, but apparently it is possible to remove mappings of wired pages from a user pmap without unwiring.

To make progress I might have to follow the accounting approach that you suggested earlier. But, what exactly is the purpose of max_wired? Is it a seatbelt to ensure that a programming error doesn't lock all of RAM? RLIMIT_MEMLOCK serves that purpose. Is it to protect against a DoS from a malicious application? It is quite broken for that case since mlockall() does not apply the limit, and there are trivial ways for a user application to consume large amounts of kernel memory, bypassing max_wired.

Yes, I believe max_wired is a safety belt. RLIMIT_MEMLOCK cannot substitute max_wired, becaue RLIMIT_MEMLOCK is per-process limit. For a user, the total limit is nprocs(per user) * RLMIT_MEMLOCK, which is both too large in total, and too low for individual process.

max_wired is a frequent source of complains when using the ZFS ARC, since that wires a large fraction of the system's RAM. Many tutorials and scripts just set it to -1, effectively disabling it.