| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 04 May 2012 10:34:50 +0200 From: Mike Galbraith <efault@....de> To: "Eric W. Biederman" <ebiederm@...ssion.com> Cc: Andrew Morton <akpm@...ux-foundation.org>, Oleg Nesterov <oleg@...hat.com>, LKML <linux-kernel@...r.kernel.org>, Pavel Emelyanov <xemul@...allels.com>, Cyrill Gorcunov <gorcunov@...nvz.org>, Louis Rilling <louis.rilling@...labs.com> Subject: Re: [PATCH] Re: [RFC PATCH] namespaces: fix leak on fork() failure On Fri, 2012-05-04 at 00:55 -0700, Eric W. Biederman wrote: > Mike Galbraith <efault@....de> writes: > > > Namespaces have something in common with cgroups. synchronize_rcu() > > makes them somewhat less than wonderful for dynamic use. > > Well unlike cgroups namespaces were not designed for heavy dynamic use. > Although it appears that vsftp puts them to that kind of use so some > of the design decisions are with revisiting. Yeah, the testcase was distilled from vsftp, so it must be beating on namespaces pretty hard to induce a bug report. > > default flags = SIGCHLD > > > > -namespace: flag |= CLONE_NEWPID > > -all: flags |= CLONE_NEWIPC | CLONE_NEWNET | CLONE_NEWUSER > > > > marge:/usr/local/tmp/starvation # ./hackbench > > Running with 10*40 (== 400) tasks. > > Time: 2.636 > > marge:/usr/local/tmp/starvation # ./hackbench -namespace > > Running with 10*40 (== 400) tasks. > > Time: 11.624 > > marge:/usr/local/tmp/starvation # ./hackbench -namespace -all > > Running with 10*40 (== 400) tasks. > > Time: 51.474 > > CLONE_NEWUSER? I presume you have applied my latest user namespace > patches? Otherwise you are running completely half baked code. I was testing in mainline. While fiddling with the testcase and leakage monitor script, I decided to see what happens with all namespace flags. The others didn't cause any leakage, but did make things slow down. > hackbench? Which kernel are you running. Hackbench in some kernels is > really good at triggering cache ping-pong effects with pids, and creds. > So I'm not certain what to say there. In the latest kernels things > should be better with unix domain sockets as long as you don't actually > ask to pass your creds but hackbench is still a pretty ridiculous > benchmark. Oversharing is always going to be bad for performance. Hackbench was just to show the price of hefty namespace usage. > > You can create trash quickly, but you have to haul it away. > > Well synchronize_rcu is much better in that respect than call_rcu, which > let's the trash build up but is never carried away. > > The core design assumption with namespaces is that they will be used > much more than they will be created/destroyed, and as long as there are > progress guarantees in place I don't have a problem with that. At the > same time if there are easy things we can do to make things go faster > I am in favor of that notion. > > Still especially in the case of hackbench I think it is worth asking the > question how much of the slow down is due to cache ping-pong due to > oversharing. Dunno, and doubt I'll have time to tinker with it more. Darn bugzilla thing keeps knocking on my mailbox with interesting bugs in places I know _diddly spit_ about.. like namespaces. -Mike -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists