From: Michal Hocko <mhocko@kernel.org>
To: Shakeel Butt <shakeelb@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Roman Gushchin <guro@fb.com>,
linux-mm@kvack.org, Johannes Weiner <hannes@cmpxchg.org>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] memcg: account security cred as well to kmemcg
Date: Fri, 6 Dec 2019 09:17:10 +0100 [thread overview]
Message-ID: <20191206081710.GK28317@dhcp22.suse.cz> (raw)
In-Reply-To: <20191205223721.40034-1-shakeelb@google.com>
On Thu 05-12-19 14:37:21, Shakeel Butt wrote:
> The cred_jar kmem_cache is already memcg accounted in the current
> kernel but cred->security is not. Account cred->security to kmemcg.
>
> Recently we saw high root slab usage on our production and on further
> inspection, we found a buggy application leaking processes. Though that
> buggy application was contained within its memcg but we observe much
> more system memory overhead, couple of GiBs, during that period. This
> overhead can adversely impact the isolation on the system. One of source
> of high overhead, we found was cred->secuity objects.
I am not familiar with this area much. What is the timelife of these
objects? Do they go away with a task allocating them?
> Signed-off-by: Shakeel Butt <shakeelb@google.com>
>
> ---
> kernel/cred.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/kernel/cred.c b/kernel/cred.c
> index c0a4c12d38b2..9ed51b70ed80 100644
> --- a/kernel/cred.c
> +++ b/kernel/cred.c
> @@ -223,7 +223,7 @@ struct cred *cred_alloc_blank(void)
> new->magic = CRED_MAGIC;
> #endif
>
> - if (security_cred_alloc_blank(new, GFP_KERNEL) < 0)
> + if (security_cred_alloc_blank(new, GFP_KERNEL_ACCOUNT) < 0)
> goto error;
>
> return new;
> @@ -282,7 +282,7 @@ struct cred *prepare_creds(void)
> new->security = NULL;
> #endif
>
> - if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
> + if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
> goto error;
> validate_creds(new);
> return new;
> @@ -715,7 +715,7 @@ struct cred *prepare_kernel_cred(struct task_struct *daemon)
> #ifdef CONFIG_SECURITY
> new->security = NULL;
> #endif
> - if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
> + if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
> goto error;
>
> put_cred(old);
> --
> 2.24.0.393.g34dc348eaf-goog
>
--
Michal Hocko
SUSE Labs
next prev parent reply other threads:[~2019-12-06 8:17 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-05 22:37 Shakeel Butt
2019-12-05 23:16 ` Chris Down
2019-12-05 23:23 ` Roman Gushchin
2019-12-06 8:17 ` Michal Hocko [this message]
2019-12-06 16:51 ` Shakeel Butt
2019-12-09 14:43 ` Michal Hocko
2019-12-07 0:13 ` Andrew Morton
2019-12-07 5:06 ` Shakeel Butt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191206081710.GK28317@dhcp22.suse.cz \
--to=mhocko@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=guro@fb.com \
--cc=hannes@cmpxchg.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=shakeelb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox