| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250822221846.744252-1-kuniyu@google.com>
Date: Fri, 22 Aug 2025 22:17:55 +0000
From: Kuniyuki Iwashima <kuniyu@...gle.com>
To: Alexei Starovoitov <ast@...nel.org>, Andrii Nakryiko <andrii@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>, Martin KaFai Lau <martin.lau@...ux.dev>
Cc: John Fastabend <john.fastabend@...il.com>, Stanislav Fomichev <sdf@...ichev.me>,
Johannes Weiner <hannes@...xchg.org>, Michal Hocko <mhocko@...nel.org>,
Roman Gushchin <roman.gushchin@...ux.dev>, Shakeel Butt <shakeel.butt@...ux.dev>,
"David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
Neal Cardwell <ncardwell@...gle.com>, Willem de Bruijn <willemb@...gle.com>,
Mina Almasry <almasrymina@...gle.com>, Kuniyuki Iwashima <kuniyu@...gle.com>,
Kuniyuki Iwashima <kuni1840@...il.com>, bpf@...r.kernel.org, netdev@...r.kernel.org
Subject: [PATCH v1 bpf-next/net 0/8] bpf: Allow decoupling memcg from sk->sk_prot->memory_allocated.
Some protocols (e.g., TCP, UDP) have their own memory accounting for
socket buffers and charge memory to global per-protocol counters such
as /proc/net/ipv4/tcp_mem.
When running under a non-root cgroup, this memory is also charged to
the memcg as sock in memory.stat.
Sockets of such protocols are still subject to the global limits,
thus affected by a noisy neighbour outside cgroup.
This makes it difficult to accurately estimate and configure appropriate
global limits.
This series allows decoupling memcg from the global memory accounting
if socket is configured as such by BPF prog.
This simplifies the memcg configuration while keeping the global limits
within a reasonable range, which is only 10% of the physical memory by
default.
Overview of the series:
patch 1 is a prep
patch 2 ~ 4 add a new bpf hook for accept()
patch 5 & 6 intorduce SK_BPF_MEMCG_SOCK_ISOLATED for bpf_setsockopt()
patch 7 decouples memcg from sk_prot->memory_allocated based on the flag
patch 8 is selftest
Kuniyuki Iwashima (8):
tcp: Save lock_sock() for memcg in inet_csk_accept().
bpf: Add a bpf hook in __inet_accept().
libbpf: Support BPF_CGROUP_INET_SOCK_ACCEPT.
bpftool: Support BPF_CGROUP_INET_SOCK_ACCEPT.
bpf: Support bpf_setsockopt() for
BPF_CGROUP_INET_SOCK_(CREATE|ACCEPT).
bpf: Introduce SK_BPF_MEMCG_FLAGS and SK_BPF_MEMCG_SOCK_ISOLATED.
net-memcg: Allow decoupling memcg from global protocol memory
accounting.
selftest: bpf: Add test for SK_BPF_MEMCG_SOCK_ISOLATED.
include/linux/bpf-cgroup-defs.h | 1 +
include/linux/bpf-cgroup.h | 4 +
include/net/proto_memory.h | 15 +-
include/net/sock.h | 48 ++++
include/net/tcp.h | 10 +-
include/uapi/linux/bpf.h | 7 +
kernel/bpf/cgroup.c | 2 +
kernel/bpf/syscall.c | 3 +
net/core/filter.c | 75 +++++-
net/core/sock.c | 64 ++++--
net/ipv4/af_inet.c | 34 +++
net/ipv4/inet_connection_sock.c | 26 +--
net/ipv4/tcp.c | 3 +-
net/ipv4/tcp_output.c | 10 +-
net/mptcp/protocol.c | 3 +-
net/tls/tls_device.c | 4 +-
tools/bpf/bpftool/cgroup.c | 6 +-
tools/include/uapi/linux/bpf.h | 7 +
tools/lib/bpf/libbpf.c | 2 +
.../selftests/bpf/prog_tests/sk_memcg.c | 214 ++++++++++++++++++
tools/testing/selftests/bpf/progs/sk_memcg.c | 29 +++
21 files changed, 508 insertions(+), 59 deletions(-)
create mode 100644 tools/testing/selftests/bpf/prog_tests/sk_memcg.c
create mode 100644 tools/testing/selftests/bpf/progs/sk_memcg.c
--
2.51.0.rc2.233.g662b1ed5c5-goog
Powered by blists - more mailing lists