| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAJuCfpFUBkNQS_851=L3PKH231VPKpAL7CRNEKj0_3Nhpxsysg@mail.gmail.com> Date: Tue, 29 Apr 2025 16:01:52 -0700 From: Suren Baghdasaryan <surenb@...gle.com> To: Roman Gushchin <roman.gushchin@...ux.dev> Cc: Michal Hocko <mhocko@...e.com>, linux-kernel@...r.kernel.org, Andrew Morton <akpm@...ux-foundation.org>, Alexei Starovoitov <ast@...nel.org>, Johannes Weiner <hannes@...xchg.org>, Shakeel Butt <shakeel.butt@...ux.dev>, David Rientjes <rientjes@...gle.com>, Josh Don <joshdon@...gle.com>, Chuyi Zhou <zhouchuyi@...edance.com>, cgroups@...r.kernel.org, linux-mm@...ck.org, bpf@...r.kernel.org Subject: Re: [PATCH rfc 00/12] mm: BPF OOM On Tue, Apr 29, 2025 at 7:45 AM Roman Gushchin <roman.gushchin@...ux.dev> wrote: > > Michal Hocko <mhocko@...e.com> writes: > > > On Mon 28-04-25 03:36:05, Roman Gushchin wrote: > >> This patchset adds an ability to customize the out of memory > >> handling using bpf. > >> > >> It focuses on two parts: > >> 1) OOM handling policy, > >> 2) PSI-based OOM invocation. > >> > >> The idea to use bpf for customizing the OOM handling is not new, but > >> unlike the previous proposal [1], which augmented the existing task > >> ranking-based policy, this one tries to be as generic as possible and > >> leverage the full power of the modern bpf. > >> > >> It provides a generic hook which is called before the existing OOM > >> killer code and allows implementing any policy, e.g. picking a victim > >> task or memory cgroup or potentially even releasing memory in other > >> ways, e.g. deleting tmpfs files (the last one might require some > >> additional but relatively simple changes). > > > > Makes sense to me. I still have a slight concern though. We have 3 > > different oom handlers smashed into a single one with special casing > > involved. This is manageable (although not great) for the in kernel > > code but I am wondering whether we should do better for BPF based OOM > > implementations. Would it make sense to have different callbacks for > > cpuset, memcg and global oom killer handlers? > > Yes, it's certainly possible. If we go struct_ops path, we can even > have both the common hook which handles all types of OOM's and separate > hooks for each type. The user then can choose what's more convenient. > Good point. > > > > > I can see you have already added some helper functions to deal with > > memcgs but I do not see anything to iterate processes or find a process to > > kill etc. Is that functionality generally available (sorry I am not > > really familiar with BPF all that much so please bear with me)? > > Yes, task iterator is available since v6.7: > https://docs.ebpf.io/linux/kfuncs/bpf_iter_task_new/ > > > > > I like the way how you naturalely hooked into existing OOM primitives > > like oom_kill_process but I do not see tsk_is_oom_victim exposed. Are > > you waiting for a first user that needs to implement oom victim > > synchronization or do you plan to integrate that into tasks iterators? > > It can be implemented in bpf directly, but I agree that it probably > deserves at least an example in the test or a separate in-kernel helper. > In-kernel helper is probably a better idea. > > > I am mostly asking because it is exactly these kind of details that > > make the current in kernel oom handler quite complex and it would be > > great if custom ones do not have to reproduce that complexity and only > > focus on the high level policy. > > Totally agree. > > > > >> The second part is related to the fundamental question on when to > >> declare the OOM event. It's a trade-off between the risk of > >> unnecessary OOM kills and associated work losses and the risk of > >> infinite trashing and effective soft lockups. In the last few years > >> several PSI-based userspace solutions were developed (e.g. OOMd [3] or > >> systemd-OOMd [4]). The common idea was to use userspace daemons to > >> implement custom OOM logic as well as rely on PSI monitoring to avoid > >> stalls. > > > > This makes sense to me as well. I have to admit I am not fully familiar > > with PSI integration into sched code but from what I can see the > > evaluation is done on regular bases from the worker context kicked off > > from the scheduler code. There shouldn't be any locking constrains which > > is good. Is there any risk if the oom handler took too long though? > > It's a good question. In theory yes, it can affect the timing of other > PSI events. An option here is to move it into a separate work, however > I'm not sure if it worth the added complexity. I actually tried this > approach in an earlier version of this patchset, but the problem was > that the code for scheduling this work should be dynamically turned > on/off when a bpf program is attached/detached, otherwise it's an > obvious cpu overhead. > It's doable, but Idk if it's justified. I think this is a legitimate concern. bpf_handle_psi_event() can block update_triggers() and delay other PSI triggers. > > > > > Also an important question. I can see selftests which are using the > > infrastructure. But have you tried to implement a real OOM handler with > > this proposed infrastructure? > > Not yet. Given the size and complexity of the infrastructure of my > current employer, it's not a short process. But we're working on it. > > > > >> [1]: https://lwn.net/ml/linux-kernel/20230810081319.65668-1-zhouchuyi@bytedance.com/ > >> [2]: https://lore.kernel.org/lkml/20171130152824.1591-1-guro@fb.com/ > >> [3]: https://github.com/facebookincubator/oomd > >> [4]: https://www.freedesktop.org/software/systemd/man/latest/systemd-oomd.service.html > >> > >> ---- > >> > >> This is an RFC version, which is not intended to be merged in the current form. > >> Open questions/TODOs: > >> 1) Program type/attachment type for the bpf_handle_out_of_memory() hook. > >> It has to be able to return a value, to be sleepable (to use cgroup iterators) > >> and to have trusted arguments to pass oom_control down to bpf_oom_kill_process(). > >> Current patchset has a workaround (patch "bpf: treat fmodret tracing program's > >> arguments as trusted"), which is not safe. One option is to fake acquire/release > >> semantics for the oom_control pointer. Other option is to introduce a completely > >> new attachment or program type, similar to lsm hooks. > >> 2) Currently lockdep complaints about a potential circular dependency because > >> sleepable bpf_handle_out_of_memory() hook calls might_fault() under oom_lock. > >> One way to fix it is to make it non-sleepable, but then it will require some > >> additional work to allow it using cgroup iterators. It's intervened with 1). > > > > I cannot see this in the code. Could you be more specific please? Where > > is this might_fault coming from? Is this BPF constrain? > > It's in __bpf_prog_enter_sleepable(). But I hope I can make this hook > non-sleepable (by going struct_ops path) and the problem will go away. > > > > >> 3) What kind of hierarchical features are required? Do we want to nest oom policies? > >> Do we want to attach oom policies to cgroups? I think it's too complicated, > >> but if we want a full hierarchical support, it might be required. > >> Patch "mm: introduce bpf_get_root_mem_cgroup() bpf kfunc" exposes the true root > >> memcg, which is potentially outside of the ns of the loading process. Does > >> it require some additional capabilities checks? Should it be removed? > > > > Yes, let's start simple and see where we get from there. > > Agree. > > Thank you for taking a look and your comments/ideas! >
Powered by blists - more mailing lists