| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAAVpQUB-xnx_29Hw-_Z4EbtJKkJT1_BCfXcQM7OpCO09goF+ew@mail.gmail.com> Date: Wed, 13 Aug 2025 11:43:15 -0700 From: Kuniyuki Iwashima <kuniyu@...gle.com> To: Johannes Weiner <hannes@...xchg.org> Cc: "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Neal Cardwell <ncardwell@...gle.com>, Paolo Abeni <pabeni@...hat.com>, Willem de Bruijn <willemb@...gle.com>, Matthieu Baerts <matttbe@...nel.org>, Mat Martineau <martineau@...nel.org>, Michal Hocko <mhocko@...nel.org>, Roman Gushchin <roman.gushchin@...ux.dev>, Shakeel Butt <shakeel.butt@...ux.dev>, Andrew Morton <akpm@...ux-foundation.org>, Michal Koutný <mkoutny@...e.com>, Tejun Heo <tj@...nel.org>, Simon Horman <horms@...nel.org>, Geliang Tang <geliang@...nel.org>, Muchun Song <muchun.song@...ux.dev>, Mina Almasry <almasrymina@...gle.com>, Kuniyuki Iwashima <kuni1840@...il.com>, netdev@...r.kernel.org, mptcp@...ts.linux.dev, cgroups@...r.kernel.org, linux-mm@...ck.org Subject: Re: [PATCH v3 net-next 12/12] net-memcg: Decouple controlled memcg from global protocol memory accounting. On Wed, Aug 13, 2025 at 6:00 AM Johannes Weiner <hannes@...xchg.org> wrote: > > On Tue, Aug 12, 2025 at 05:58:30PM +0000, Kuniyuki Iwashima wrote: > > If all workloads were guaranteed to be controlled under memcg, the issue > > could be worked around by setting tcp_mem[0~2] to UINT_MAX. > > > > In reality, this assumption does not always hold, and processes that > > belong to the root cgroup or opt out of memcg can consume memory up to > > the global limit, becoming a noisy neighbour. > > As per the last thread, this is not a supported usecase. Opting out of > memcg coverage for individual cgroups is a self-inflicted problem and > misconfiguration. There is *no* memory isolation *at all* on such > containers. I think the commit message needs to be improved, but could you read throughout the patch again ? I think you have the same misunderstanding that Shakeel had and corrected here. https://lore.kernel.org/netdev/jmbszz4m7xkw7fzolpusjesbreaczmr4i64kynbs3zcoehrkpj@lwso5soc4dh3/ ---8<--- Initially, I thought the series introduced multiple modes, including an option to exclude network memory from memcg accounting. However, if I understand correctly, that is not the case—the opt-out applies only to the global TCP/UDP accounting. That’s a relief, and I apologize for the misunderstanding. ---8<--- This patch does NOT change how memcg is applied to sockets but changes how _another_ memory accounting in the networking layer is applied to sockets. Currently, memcg AND the other mem accounting are applied to socket buffers. With/without this patch, memcg is _always_ applied to socket buffers. Also, there is _no_ behavioural change for _uncontrolled containers_ that have been subject to the two memory accounting. This behaviour hasn't been changed since you added memcg support for the networking stack in e805605c72102, and we want to _preserve_ this behaviour. This change stop double-charging by opting out of _the networking layer one_ because it interferes with memcg and complicates configuration of memory.max and the global networking limit. > Maybe their socket buffers is the only thing that happens > to matter to *you*, but this is in no way a generic, universal, > upstreamable solution. Knob or auto-detection is not the issue. > > Nacked-by: Johannes Weiner <hannes@...xchg.org> Please let me know if this nack still applies with the explanation above.
Powered by blists - more mailing lists