Date: Mon, 24 Jun 2024 05:57:51 -0700
From: Yosry Ahmed <yosryahmed@...gle.com>
To: Shakeel Butt <shakeel.butt@...ux.dev>
Cc: Andrew Morton <akpm@...ux-foundation.org>, Johannes Weiner <hannes@...xchg.org>, 
	Michal Hocko <mhocko@...e.com>, Roman Gushchin <roman.gushchin@...ux.dev>, 
	Jesper Dangaard Brouer <hawk@...nel.org>, Yu Zhao <yuzhao@...gle.com>, 
	Muchun Song <songmuchun@...edance.com>, Facebook Kernel Team <kernel-team@...a.com>, linux-mm@...ck.org, 
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] memcg: use ratelimited stats flush in the reclaim

> > and I will explain why below. I know it may be a necessary
> > evil, but I would like us to make sure there is no other option before
> > going forward with this.
>
> Instead of necessary evil, I would call it a pragmatic approach i.e.
> resolve the ongoing pain with good enough solution and work on long term
> solution later.

It seems like there are a few ideas for solutions that may address
longer-term concerns, let's make sure we try those out first before we
fall back to the short-term mitigation.

[..]
> >
> > - Reclaim code is an iterative process, so not updating the stats on
> > every retry is very counterintuitive. We are retrying reclaim using
> > the same stats and heuristics used by a previous iteration,
> > essentially dismissing the effects of those previous iterations.
> >
>
> I think I explained in the commit message why we don't need the precise
> metrics for this specific case but let me reiterate.
>
> The stats are needed for two specific heuristics in this case:
>
> 1. Deactivate LRUs
> 2. Cache trim mode
>
> The deactivate LRUs heuristic is to maintain a desirable inactive:active
> ratio of the LRUs. The specific stats needed are WORKINGSET_ACTIVATE*
> and the hierarchical LRU size. The WORKINGSET_ACTIVATE* is needed to
> check if there is a refault since last snapshot and the LRU size is
> needed for the desirable ratio between inactive and active LRUs. See the
> table below on how the desirable ratio is calculated.
>
> /* total     target    max
>  * memory    ratio     inactive
>  * -------------------------------------
>  *   10MB       1         5MB
>  *  100MB       1        50MB
>  *    1GB       3       250MB
>  *   10GB      10       0.9GB
>  *  100GB      31         3GB
>  *    1TB     101        10GB
>  *   10TB     320        32GB
>  */
>
> The desirable ratio only changes at the boundary of 1 GiB, 10 GiB,
> 100 GiB, 1 TiB and 10 TiB. There is no need for the precise and accurate
> LRU size information to calculate this ratio. In addition, if
> deactivation is skipped for some LRU, the kernel will force deactivate on
> the severe memory pressure situation.

Thanks for explaining this in such detail. It does make me feel
better, but keep in mind that the above heuristics may change in the
future and become more sensitive to stale stats, and very likely no
one will remember that we decided that stale stats are fine
previously.

>
> For the cache trim mode, inactive file LRU size is read and the kernel
> scales it down based on the reclaim iteration (file >> sc->priority) and
> only checks if it is zero or not. Again precise information is not
> needed.

It sounds like it is possible that we enter the cache trim mode when
we shouldn't if the stats are stale. Couldn't this lead to
over-reclaiming file memory?

>
> > - Indeterministic behavior like this one is very difficult to debug if
> > it causes problems. The missing updates in the last 2s (or whatever
> > period) could be of any magnitude. We may be ignoring GBs of
> > free/allocated memory. What's worse is, if it causes any problems,
> > tracing it back to this flush will be extremely difficult.
>
> This is indeed an issue but that is common with the heuristics in
> general. They work most of the time and fail for a small set of cases.
>
> Anyways, I am not arguing to remove sync flush for all cases. Rather I
> am arguing for this specific case, we don't need to be precise as I have
> explained above.
>
> >
> > What can we do?
> >
> > - Try to make more fundamental improvements to the flushing code (for
> > memcgs or cgroups in general). The per-memcg flushing thresholding is
> > an example of this. For example, if flushing is taking too long
> > because we are flushing all subsystems, it may make sense to have
> > separate rstat trees for separate subsystems.
>
> Yes, separate flushing for each subsystem makes sense and can be done
> orthogonally.
>
> >
> > One other thing we can try is add a mutex in the memcg flushing path.
> > I had initially had this in my subtree flushing series [1], but I
> > dropped it as we thought it's not very useful. Currently in
> > mem_cgroup_flush_stats(), we check if there are enough pending updates
> > to flush, then we call cgroup_flush_stats() and spin on the lock. It
> > is possible that while we spin, those pending updates we observed have
> > been flushed. If we add back the mutex like in [1], then once we
> > acquire the mutex we check again to make sure there are still enough
> > stats to flush.
> >
> > [1] https://lore.kernel.org/all/20231010032117.1577496-6-yosryahmed@google.com/
>
> My main beef with the global mutex is the possible priority inversion.
> Unless you agree to add try_lock() and skip flushing i.e. no one sleeps
> on the mutex, this is a no go.

Jesper is working on ways to mitigate the possible priority inversion
AFAICT. Let's see what comes out of this (I commented on Jesper's
patch).

>
> >
> > - Try to avoid the need for flushing in this path. I am not sure what
> > approach MGLRU uses to avoid the flush, but if we can do something
> > similar for classic LRUs that would be preferable. I am guessing MGLRU
> > may be maintaining its own stats outside of the rstat framework.
>
> MGLRU simply doesn't use these heuristics (Yu Zhao please correct me if I
> am wrong).
>
> >
> > - Try to figure out if one (or a few) update paths are regressing all
> > flushers. If one specific stat or stats update path is causing most of
> > the updates, we can try to fix that instead. Especially if it's a
> > counter that is continuously being increased and decreased (so the net
> > change is not as high as we think).
>
> This is actually a good point. I remember Jesper telling that MEMCG_KMEM
> might be the one with most updates. I can try to collect from Meta fleet
> what is the cause of most updates.

Let's also wait and see what comes out of this. It would be
interesting if we can fix this on the update side instead.

>
> >
> > At the end of the day, all of the above may not work, and we may have
> > to live with just using the ratelimited approach. But I *really* hope
> > we could actually go the other way. Fix things on a more fundamental
> > level and eventually drop the ratelimited variants completely.
> >
> > Just my 2c. Sorry for the long email :)
>
> Please note that this is not some user API which can not be changed
> later. We can change and dissect however we want. My only point is not to
> wait for the perfect solution and have some intermediate and good enough
> solution.

I agree that we shouldn't wait for a perfect solution, but it also
seems like there are a few easy-ish solutions that we can discover
first (Jesper's patch, investigating update paths, etc). If none of
those pan out, we can fall back to the ratelimited flush, ideally with
a plan on next steps for a longer-term solution.
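
An added illustration, not part of the original e-mail or the kernel source: a user-space C model of the two heuristics discussed above, showing where a stale LRU size changes the outcome and where it does not. It assumes 4 KiB pages and that the quoted table's ratio is the integer square root of ten times the LRU size in GiB (which reproduces the table's values); all function names and the sample page counts are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12   /* assumption: 4 KiB pages */

/* Floor integer square root, standing in for a kernel-style int_sqrt(). */
static uint64_t isqrt(uint64_t x)
{
    uint64_t r = 0;
    while ((r + 1) * (r + 1) <= x)
        r++;
    return r;
}

/* Target ratio for an LRU of total_pages pages (matches the quoted table). */
uint64_t inactive_ratio(uint64_t total_pages)
{
    uint64_t gb = total_pages >> (30 - PAGE_SHIFT);
    return gb ? isqrt(10 * gb) : 1;
}

/* Deactivate heuristic: is the inactive list too small for the target ratio? */
int inactive_is_low(uint64_t inactive, uint64_t active)
{
    return inactive * inactive_ratio(inactive + active) < active;
}

/* Cache trim precondition from the thread: file >> sc->priority is non-zero. */
int cache_trim_candidate(uint64_t inactive_file, int priority)
{
    return (inactive_file >> priority) != 0;
}

int main(void)
{
    uint64_t gib = 1ULL << (30 - PAGE_SHIFT);  /* pages per GiB */
    /* Constructed sample: stale snapshot vs. value after a flush. */
    uint64_t stale = 5000, fresh = 3000;       /* inactive file pages */

    /* Ratio is insensitive to drift within the same GiB bucket. */
    printf("ratio 100GiB=%llu, 100.5GiB=%llu\n",
           (unsigned long long)inactive_ratio(100 * gib),
           (unsigned long long)inactive_ratio(100 * gib + gib / 2));
    /* Near the shift threshold, stale and fresh counts disagree. */
    printf("trim prio 12: stale=%d fresh=%d\n",
           cache_trim_candidate(stale, 12), cache_trim_candidate(fresh, 12));
    printf("trim prio 10: stale=%d fresh=%d\n",
           cache_trim_candidate(stale, 10), cache_trim_candidate(fresh, 10));
    return 0;
}
```

With these constructed values the ratio is unchanged by half a GiB of drift, while the cache trim precondition differs between the stale and fresh counts only at priority 12, where the shifted value sits next to zero.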
