Re: [PATCH] memcg: account security cred as well to kmemcg

linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed

From: Michal Hocko <mhocko@kernel.org>
To: Shakeel Butt <shakeelb@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	Roman Gushchin <guro@fb.com>, Linux MM <linux-mm@kvack.org>,
	Johannes Weiner <hannes@cmpxchg.org>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] memcg: account security cred as well to kmemcg
Date: Mon, 9 Dec 2019 15:43:32 +0100	[thread overview]
Message-ID: <20191209144332.GA24368@dhcp22.suse.cz> (raw)
In-Reply-To: <CALvZod4VgNJOXy+bMLvzDhpYUu8tBe-63aDA842LH4-O5f5zKw@mail.gmail.com>

On Fri 06-12-19 08:51:21, Shakeel Butt wrote:
> On Fri, Dec 6, 2019 at 12:17 AM Michal Hocko <mhocko@kernel.org> wrote:
> >
> > On Thu 05-12-19 14:37:21, Shakeel Butt wrote:
> > > The cred_jar kmem_cache is already memcg accounted in the current
> > > kernel but cred->security is not. Account cred->security to kmemcg.
> > >
> > > Recently we saw high root slab usage on our production and on further
> > > inspection, we found a buggy application leaking processes. Though that
> > > buggy application was contained within its memcg but we observe much
> > > more system memory overhead, couple of GiBs, during that period. This
> > > overhead can adversely impact the isolation on the system. One of source
> > > of high overhead, we found was cred->secuity objects.
> >
> > I am not familiar with this area much. What is the timelife of these
> > objects? Do they go away with a task allocating them?
> >
> 
> Lifetime is at least the life of the process allocating them.

Thanks for the clarification! It is better to be explicit about this in
the changelog I believe because it would make a review much easier.
Accounting for objects which are not bound to a user process context is
more complex and requires much more considerations.

> > > Signed-off-by: Shakeel Butt <shakeelb@google.com>

With that clarification
Acked-by: Michal Hocko <mhocko@suse.com>

> > >
> > > ---
> > >  kernel/cred.c | 6 +++---
> > >  1 file changed, 3 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/kernel/cred.c b/kernel/cred.c
> > > index c0a4c12d38b2..9ed51b70ed80 100644
> > > --- a/kernel/cred.c
> > > +++ b/kernel/cred.c
> > > @@ -223,7 +223,7 @@ struct cred *cred_alloc_blank(void)
> > >       new->magic = CRED_MAGIC;
> > >  #endif
> > >
> > > -     if (security_cred_alloc_blank(new, GFP_KERNEL) < 0)
> > > +     if (security_cred_alloc_blank(new, GFP_KERNEL_ACCOUNT) < 0)
> > >               goto error;
> > >
> > >       return new;
> > > @@ -282,7 +282,7 @@ struct cred *prepare_creds(void)
> > >       new->security = NULL;
> > >  #endif
> > >
> > > -     if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
> > > +     if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
> > >               goto error;
> > >       validate_creds(new);
> > >       return new;
> > > @@ -715,7 +715,7 @@ struct cred *prepare_kernel_cred(struct task_struct *daemon)
> > >  #ifdef CONFIG_SECURITY
> > >       new->security = NULL;
> > >  #endif
> > > -     if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
> > > +     if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
> > >               goto error;
> > >
> > >       put_cred(old);
> > > --
> > > 2.24.0.393.g34dc348eaf-goog
> > >
> >
> > --
> > Michal Hocko
> > SUSE Labs

-- 
Michal Hocko
SUSE Labs

next prev parent reply	other threads:[~2019-12-09 14:43 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-12-05 22:37 Shakeel Butt
2019-12-05 23:16 ` Chris Down
2019-12-05 23:23 ` Roman Gushchin
2019-12-06  8:17 ` Michal Hocko
2019-12-06 16:51   ` Shakeel Butt
2019-12-09 14:43     ` Michal Hocko [this message]
2019-12-07  0:13 ` Andrew Morton
2019-12-07  5:06   ` Shakeel Butt

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191209144332.GA24368@dhcp22.suse.cz \
    --to=mhocko@kernel.org \
    --cc=akpm@linux-foundation.org \
    --cc=guro@fb.com \
    --cc=hannes@cmpxchg.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=shakeelb@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox