lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Wed, 29 Jul 2015 22:20:03 +0900
From:	Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
To:	mhocko@...nel.org
Cc:	linux-mm@...ck.org, rientjes@...gle.com, hannes@...xchg.org,
	tj@...nel.org, akpm@...ux-foundation.org,
	linux-kernel@...r.kernel.org
Subject: Re: [RFC -v2] panic_on_oom_timeout

Michal Hocko wrote:
> On Wed 17-06-15 15:24:27, Michal Hocko wrote:
> > On Wed 17-06-15 14:51:27, Michal Hocko wrote:
> > [...]
> > > The important thing is to decide what is the reasonable way forward. We
> > > have two two implementations of panic based timeout. So we should decide
> > 
> > And the most obvious question, of course.
> > - Should we add a panic timeout at all?
> > 
> > > - Should be the timeout bound to panic_on_oom?
> > > - Should we care about constrained OOM contexts?
> > > - If yes should they use the same timeout?
> > > - If yes should each memcg be able to define its own timeout?
> >        ^ no
> >  
> > > My thinking is that it should be bound to panic_on_oom=1 only until we
> > > hear from somebody actually asking for a constrained oom and even then
> > > do not allow for too large configuration space (e.g. no per-memcg
> > > timeout) or have separate mempolicy vs. memcg timeouts.
> > > 
> > > Let's start simple and make things more complicated later!
> 
> Any more ideas/thoughts on this?

No ideas/thoughts from my side.



By the way, the "set TIF_MEMDIE upon calling out_of_memory() when TIF_MEMDIE
was not set by previous out_of_memory() because oom_kill_process() chose a
different thread" logic

    if (current->mm &&
        (fatal_signal_pending(current) || task_will_free_mem(current))) {
            mark_oom_victim(current);
            goto out;
    }

sounds broken for me, for GFP_NOFS allocations do not call
out_of_memory() from the beginning.

Say, Process1 has two threads called Thread1 and Thread2. Thread1 was blocked
at unkillable lock and Thread2 was doing GFP_NOFS allocation from syscall
context (e.g. codes under security/ directory) when TIF_MEMDIE was set on
Thread1.

While failing GFP_NOFS allocation for ext4 filesystem's operations damages
the filesystem, failing GFP_NOFS allocation from syscall context will not
damage the filesystem. Therefore, Thread2 should be able to fail GFP_NOFS
allocations than wait for TIF_MEMDIE forever (which will never be set
because the logic above does not apply to GFP_NOFS allocation).

I didn't imagine kmalloc_killable() when I wrote "(3) Replace kmalloc()
with kmalloc_nofail() and kmalloc_noretry()." at
http://marc.info/?l=linux-mm&m=142408937117294 . But I came to feel that
introducing GFP_KILLABLE (retry unless fatal_signal_pending()) which is
between GFP_NORETRY (don't retry) and GFP_NOFAIL (retry forever) might help
reducing the possibility of stalling multi-threaded OOM victim process.



Other than that, my ideas/thoughts are staying at
http://marc.info/?l=linux-mm&m=143239200805478 .

Please continue CC'ing me because I'm not subscribed to linux-mm ML.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ