lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20190523195933.GA6404@cmpxchg.org>
Date:   Thu, 23 May 2019 15:59:33 -0400
From:   Johannes Weiner <hannes@...xchg.org>
To:     Matthew Wilcox <willy@...radead.org>
Cc:     Shakeel Butt <shakeelb@...gle.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Linux MM <linux-mm@...ck.org>,
        linux-fsdevel <linux-fsdevel@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Kernel Team <kernel-team@...com>
Subject: Re: xarray breaks thrashing detection and cgroup isolation

On Thu, May 23, 2019 at 12:41:30PM -0700, Matthew Wilcox wrote:
> On Thu, May 23, 2019 at 03:21:17PM -0400, Johannes Weiner wrote:
> > On Thu, May 23, 2019 at 12:00:32PM -0700, Matthew Wilcox wrote:
> > > On Thu, May 23, 2019 at 11:49:41AM -0700, Shakeel Butt wrote:
> > > > On Thu, May 23, 2019 at 11:37 AM Matthew Wilcox <willy@...radead.org> wrote:
> > > > > On Thu, May 23, 2019 at 01:43:49PM -0400, Johannes Weiner wrote:
> > > > > > I noticed that recent upstream kernels don't account the xarray nodes
> > > > > > of the page cache to the allocating cgroup, like we used to do for the
> > > > > > radix tree nodes.
> > > > > >
> > > > > > This results in broken isolation for cgrouped apps, allowing them to
> > > > > > escape their containment and harm other cgroups and the system with an
> > > > > > excessive build-up of nonresident information.
> > > > > >
> > > > > > It also breaks thrashing/refault detection because the page cache
> > > > > > lives in a different domain than the xarray nodes, and so the shadow
> > > > > > shrinker can reclaim nonresident information way too early when there
> > > > > > isn't much cache in the root cgroup.
> > > > > >
> > > > > > I'm not quite sure how to fix this, since the xarray code doesn't seem
> > > > > > to have per-tree gfp flags anymore like the radix tree did. We cannot
> > > > > > add SLAB_ACCOUNT to the radix_tree_node_cachep slab cache. And the
> > > > > > xarray api doesn't seem to really support gfp flags, either (xas_nomem
> > > > > > does, but the optimistic internal allocations have fixed gfp flags).
> > > > >
> > > > > Would it be a problem to always add __GFP_ACCOUNT to the fixed flags?
> > > > > I don't really understand cgroups.
> > > 
> > > > Also some users of xarray may not want __GFP_ACCOUNT. That's the
> > > > reason we had __GFP_ACCOUNT for page cache instead of hard coding it
> > > > in radix tree.
> > > 
> > > This is what I don't understand -- why would someone not want
> > > __GFP_ACCOUNT?  For a shared resource?  But the page cache is a shared
> > > resource.  So what is a good example of a time when an allocation should
> > > _not_ be accounted to the cgroup?
> > 
> > We used to cgroup-account every slab charge to cgroups per default,
> > until we changed it to a whitelist behavior:
> > 
> > commit b2a209ffa605994cbe3c259c8584ba1576d3310c
> > Author: Vladimir Davydov <vdavydov@...tuozzo.com>
> > Date:   Thu Jan 14 15:18:05 2016 -0800
> > 
> >     Revert "kernfs: do not account ino_ida allocations to memcg"
> >     
> >     Currently, all kmem allocations (namely every kmem_cache_alloc, kmalloc,
> >     alloc_kmem_pages call) are accounted to memory cgroup automatically.
> >     Callers have to explicitly opt out if they don't want/need accounting
> >     for some reason.  Such a design decision leads to several problems:
> >     
> >      - kmalloc users are highly sensitive to failures, many of them
> >        implicitly rely on the fact that kmalloc never fails, while memcg
> >        makes failures quite plausible.
> 
> Doesn't apply here.  The allocation under spinlock is expected to fail,
> and then we'll use xas_nomem() with the caller's specified GFP flags
> which may or may not include __GFP_ACCOUNT.
> 
> >      - A lot of objects are shared among different containers by design.
> >        Accounting such objects to one of containers is just unfair.
> >        Moreover, it might lead to pinning a dead memcg along with its kmem
> >        caches, which aren't tiny, which might result in noticeable increase
> >        in memory consumption for no apparent reason in the long run.
> 
> These objects are in the slab of radix_tree_nodes, and we'll already be
> accounting page cache nodes to the cgroup, so accounting random XArray
> nodes to the cgroups isn't going to make the problem worse.

There is no single radix_tree_nodes cache. When cgroup accounting is
requested, we clone per-cgroup instances of the slab cache each with
their own object slabs. The reclaimable page cache / shadow nodes do
not share slab pages with other radix tree users.

> >      - There are tons of short-lived objects. Accounting them to memcg will
> >        only result in slight noise and won't change the overall picture, but
> >        we still have to pay accounting overhead.
> 
> XArray nodes are generally not short-lived objects.

I'm not exactly sure what you're trying to argue.

My point is that we cannot have random drivers' internal data
structures charge to and pin cgroups indefinitely just because they
happen to do the modprobing or otherwise interact with the driver.

It makes no sense in terms of performance or cgroup semantics.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ