| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aBC7E487qDSDTdBH@tiehlicka> Date: Tue, 29 Apr 2025 13:42:11 +0200 From: Michal Hocko <mhocko@...e.com> To: Roman Gushchin <roman.gushchin@...ux.dev> Cc: linux-kernel@...r.kernel.org, Andrew Morton <akpm@...ux-foundation.org>, Alexei Starovoitov <ast@...nel.org>, Johannes Weiner <hannes@...xchg.org>, Shakeel Butt <shakeel.butt@...ux.dev>, Suren Baghdasaryan <surenb@...gle.com>, David Rientjes <rientjes@...gle.com>, Josh Don <joshdon@...gle.com>, Chuyi Zhou <zhouchuyi@...edance.com>, cgroups@...r.kernel.org, linux-mm@...ck.org, bpf@...r.kernel.org Subject: Re: [PATCH rfc 00/12] mm: BPF OOM On Mon 28-04-25 03:36:05, Roman Gushchin wrote: > This patchset adds an ability to customize the out of memory > handling using bpf. > > It focuses on two parts: > 1) OOM handling policy, > 2) PSI-based OOM invocation. > > The idea to use bpf for customizing the OOM handling is not new, but > unlike the previous proposal [1], which augmented the existing task > ranking-based policy, this one tries to be as generic as possible and > leverage the full power of the modern bpf. > > It provides a generic hook which is called before the existing OOM > killer code and allows implementing any policy, e.g. picking a victim > task or memory cgroup or potentially even releasing memory in other > ways, e.g. deleting tmpfs files (the last one might require some > additional but relatively simple changes). Makes sense to me. I still have a slight concern though. We have 3 different oom handlers smashed into a single one with special casing involved. This is manageable (although not great) for the in kernel code but I am wondering whether we should do better for BPF based OOM implementations. Would it make sense to have different callbacks for cpuset, memcg and global oom killer handlers? I can see you have already added some helper functions to deal with memcgs but I do not see anything to iterate processes or find a process to kill etc. Is that functionality generally available (sorry I am not really familiar with BPF all that much so please bear with me)? I like the way how you naturalely hooked into existing OOM primitives like oom_kill_process but I do not see tsk_is_oom_victim exposed. Are you waiting for a first user that needs to implement oom victim synchronization or do you plan to integrate that into tasks iterators? I am mostly asking because it is exactly these kind of details that make the current in kernel oom handler quite complex and it would be great if custom ones do not have to reproduce that complexity and only focus on the high level policy. > The second part is related to the fundamental question on when to > declare the OOM event. It's a trade-off between the risk of > unnecessary OOM kills and associated work losses and the risk of > infinite trashing and effective soft lockups. In the last few years > several PSI-based userspace solutions were developed (e.g. OOMd [3] or > systemd-OOMd [4]). The common idea was to use userspace daemons to > implement custom OOM logic as well as rely on PSI monitoring to avoid > stalls. This makes sense to me as well. I have to admit I am not fully familiar with PSI integration into sched code but from what I can see the evaluation is done on regular bases from the worker context kicked off from the scheduler code. There shouldn't be any locking constrains which is good. Is there any risk if the oom handler took too long though? Also an important question. I can see selftests which are using the infrastructure. But have you tried to implement a real OOM handler with this proposed infrastructure? > [1]: https://lwn.net/ml/linux-kernel/20230810081319.65668-1-zhouchuyi@bytedance.com/ > [2]: https://lore.kernel.org/lkml/20171130152824.1591-1-guro@fb.com/ > [3]: https://github.com/facebookincubator/oomd > [4]: https://www.freedesktop.org/software/systemd/man/latest/systemd-oomd.service.html > > ---- > > This is an RFC version, which is not intended to be merged in the current form. > Open questions/TODOs: > 1) Program type/attachment type for the bpf_handle_out_of_memory() hook. > It has to be able to return a value, to be sleepable (to use cgroup iterators) > and to have trusted arguments to pass oom_control down to bpf_oom_kill_process(). > Current patchset has a workaround (patch "bpf: treat fmodret tracing program's > arguments as trusted"), which is not safe. One option is to fake acquire/release > semantics for the oom_control pointer. Other option is to introduce a completely > new attachment or program type, similar to lsm hooks. > 2) Currently lockdep complaints about a potential circular dependency because > sleepable bpf_handle_out_of_memory() hook calls might_fault() under oom_lock. > One way to fix it is to make it non-sleepable, but then it will require some > additional work to allow it using cgroup iterators. It's intervened with 1). I cannot see this in the code. Could you be more specific please? Where is this might_fault coming from? Is this BPF constrain? > 3) What kind of hierarchical features are required? Do we want to nest oom policies? > Do we want to attach oom policies to cgroups? I think it's too complicated, > but if we want a full hierarchical support, it might be required. > Patch "mm: introduce bpf_get_root_mem_cgroup() bpf kfunc" exposes the true root > memcg, which is potentially outside of the ns of the loading process. Does > it require some additional capabilities checks? Should it be removed? Yes, let's start simple and see where we get from there. > 4) Documentation is lacking and will be added in the next version. +1 Thanks! -- Michal Hocko SUSE Labs
Powered by blists - more mailing lists