| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALOAHbAZ8rkeuJ_0Litax4FeyZjNbviURr6njuvuA93W66ZGcg@mail.gmail.com> Date: Tue, 13 May 2025 19:43:46 +0800 From: Yafang Shao <laoar.shao@...il.com> To: Usama Arif <usamaarif642@...il.com> Cc: David Hildenbrand <david@...hat.com>, Zi Yan <ziy@...dia.com>, Johannes Weiner <hannes@...xchg.org>, Andrew Morton <akpm@...ux-foundation.org>, linux-mm@...ck.org, shakeel.butt@...ux.dev, riel@...riel.com, baolin.wang@...ux.alibaba.com, lorenzo.stoakes@...cle.com, Liam.Howlett@...cle.com, npache@...hat.com, ryan.roberts@....com, linux-kernel@...r.kernel.org, kernel-team@...a.com Subject: Re: [PATCH 0/1] prctl: allow overriding system THP policy to always On Sun, May 11, 2025 at 10:08 PM Usama Arif <usamaarif642@...il.com> wrote: > > > > On 11/05/2025 09:15, David Hildenbrand wrote: > > On 10.05.25 01:34, Zi Yan wrote: > >> On 9 May 2025, at 18:42, David Hildenbrand wrote: > >> > >>>>>>> - madvise > >>>>>>> The sysadmin gently encourages the use of THP, but it is only > >>>>>>> enabled when explicitly requested by the application. > >>>> > >>>> And this "user mode" or "manual mode", where applications self-manage > >>>> which parts of userspace they want to enroll. > >>>> > >>>> Both madvise() and unprivileged prctl() should work here as well, > >>>> IMO. There is no policy or security difference between them, it's just > >>>> about granularity and usability. > >>>> > >>>>>>> - never > >>>>>>> The sysadmin discourages the use of THP, and "its use is only permitted > >>>>>>> with explicit approval" . > >>>> > >>>> This one I don't quite agree with, and IMO conflicts with what David > >>>> is saying as well. > >>> > >>> Yeah ... "never" does not mean "sometimes" in my reality :) > >>> > >>>> > >>>>>> "never" so far means "no thps, no exceptions". We've had serious THP > >>>>>> issues in the past, where our workaround until we sorted out the issue > >>>>>> for affected customers was to force-disable THPs on that system during boot. > >>>>> > >>>>> Right, that reflects the current behavior. What we aim to enhance is > >>>>> by adding the requirement that "its use is only permitted with > >>>>> explicit approval." > >>>> > >>>> I think you're conflating a safety issue with a security issue. > >>>> > >>>> David is saying there can be cases where the kernel is broken, and > >>>> "never" is a production escape hatch to disable the feature until a > >>>> kernel upgrade for the fix is possible. In such a case, it doesn't > >>>> make sense to override this decision based on any sort of workload > >>>> policy, privileged or not. > >>>> > >>>> The way I understand you is that you want enrollment (and/or > >>>> self-management) only for blessed applications. Because you don't > >>>> generally trust workloads in the wild enough to switch the global > >>>> default away from "never", given the semantics of always/madvise. > >>> > >>> Assuming "never" means "never" and "always" means "always" ( crazy, right? :) ), could be make use of "madvise" mode, which essentially means "VM_HUGEPAGE" takes control? > >>> > >>> We'd need > >>> > >>> a) A way to enable THP for a process. Changing the default/vma settings to VM_HUGEPAGE as discussed using a prctl could work. > >>> > >>> b) A way to ignore VM_HUGEPAGE for processes. Maybe the existing prctl to force-disable THPs could work? > >> > >> This means process level control overrides VMA level control, which > >> overrides global control, right? > >> > >> Intuitively, it should be that VMA level control overrides process level > >> control, which overrides global control, namely finer granularly control > >> precedes coarse one. But some apps might not use VMA level control > >> (e.g., madvise) carefully, we want to override that. Maybe ignoring VMA > >> level control is what we want? > > > > Let's take a step back: > > > > Current behavior is > > > > 1) If anybody (global / process / VM) says "never" (never/PR_SET_THP_DISABLE/VM_NOHUGEPAGE), the behavior is "never". > > Just to add here to the current behavior for completeness, if we have the global system setting set to never, > but the global hugepage level setting set to madvise, we do still get a THP, i.e. if I have: > > [root@vm4 vmuser]# cat /sys/kernel/mm/transparent_hugepage/enabled > always madvise [never] > [root@vm4 vmuser]# cat /sys/kernel/mm/transparent_hugepage/hugepages-2048kB/enabled > always inherit [madvise] never > > And then MADV_HUGEPAGE some region, it still gives me a THP. > > > > > 2) In "madvise" mode, only "VM_HUGEPAGE" gets THP unless PR_SET_THP_DISABLE is set. So per-process overrides per-VMA. > > > > 3) In "always" mode, everything gets THP unless per-VMA (VM_NOHUGEPAGE) or per-process (PR_SET_THP_DISABLE) disables it. > > > > > > Interestingly, PR_SET_THP_DISABLE used to mimic exactly what I proposed for the other direction (change default of VM_HUGEPAGE), except that it wouldn't modify already existing mappings. Worth looking at 1860033237d4. Not sure if that commit was the right call, but it's the semantics we have today. > > > > That commit notes: > > > > "It should be noted, that the new implementation makes PR_SET_THP_DISABLE master override to any per-VMA setting, which was not the case previously." > > > > > > Whatever we do, we have to be careful to not create more mess or inconsistency. > > > > Especially, if anybody sets VM_NOHUGEPAGE or PR_SET_THP_DISABLE, we must not use THPs, ever. > > > > > I thought I will also summarize what the real world usecases are that we want to solve: > > 1) global system policy=madvise, process wants "always" policy for itself: We can have different types of workloads stacked on the same host, some of them benefit from always having THPs, > others will incur a regression (either its a performance regression or they are completely memory bound and even a very slight increase in memory will cause them to OOM). > So we want to selectively have "always" set for just those workloads (processes). (This is how workloads are deployed in our (Metas) fleet at this moment.) > > 2) global system policy=always, process wants "madvise" policy for itself: Same reasoning as 1, just that the host has a different default policy and we don't want the workloads (processes) that regress with always getting THPs to do so. > (We hope this is us (meta) in the future, if a majority of workloads show that they benefit from always, we flip the default host setting to "always" and workloads that regress can opt-out and be "madvise". > New services developed will then be tested with always by default. Always is also the default defconfig option upstream, so I would imagine this is faced by others as well.) > > 3) global system policy=never, process wants "madvise" policy for itself: This is what Yafang mentioned in [1]. sysadmins dont want to switch the global policy to madvise, but are willing to accept certain processes to madvise. > But David mentioned in [2] that never means no thps, no exceptions and the only way to solve some issues in the past has been to disable THPs completely. The interpretation of never as "disable THPs completely" makes sense to me, as sysadmins need a guaranteed way to disable THP. If applications could still allocate THPs in never mode, it would frustrate sysadmins. For case 3), I agree with Johannes that introducing a new mode (e.g., "blessed" or "bpf") would be ideal. This mode would allow per-task THP policy adjustments via BPF programs, defaulting to never when no BPF program is attached. [0]. https://lore.kernel.org/linux-mm/20250509164654.GA608090@cmpxchg.org/ -- Regards Yafang
Powered by blists - more mailing lists