From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=xZq1=Z7=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-8.5 required=3.0 tests=INCLUDES_PATCH,
	MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1
	autolearn=ham autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 73527C43603
	for <linux-mm@archiver.kernel.org>; Mon,  9 Dec 2019 14:43:37 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 3D0A22068E
	for <linux-mm@archiver.kernel.org>; Mon,  9 Dec 2019 14:43:37 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 3D0A22068E
Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id CB0976B272E; Mon,  9 Dec 2019 09:43:36 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id C61CD6B272F; Mon,  9 Dec 2019 09:43:36 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id B031A6B2730; Mon,  9 Dec 2019 09:43:36 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0241.hostedemail.com [216.40.44.241])
	by kanga.kvack.org (Postfix) with ESMTP id 89D7E6B272E
	for <linux-mm@kvack.org>; Mon,  9 Dec 2019 09:43:36 -0500 (EST)
Received: from smtpin20.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay05.hostedemail.com (Postfix) with SMTP id 21D36181AEF15
	for <linux-mm@kvack.org>; Mon,  9 Dec 2019 14:43:36 +0000 (UTC)
X-FDA: 76245871632.20.jewel64_599158a6ef350
X-HE-Tag: jewel64_599158a6ef350
X-Filterd-Recvd-Size: 5345
Received: from mail-wm1-f65.google.com (mail-wm1-f65.google.com [209.85.128.65])
	by imf22.hostedemail.com (Postfix) with ESMTP
	for <linux-mm@kvack.org>; Mon,  9 Dec 2019 14:43:35 +0000 (UTC)
Received: by mail-wm1-f65.google.com with SMTP id s14so15206853wmh.4
        for <linux-mm@kvack.org>; Mon, 09 Dec 2019 06:43:35 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to:user-agent;
        bh=5GMrlDTJZgtlmwpkaFtSDadNDfv99seyl6nQwayimsA=;
        b=ezyB1QV6tFuHZLEsBVQPt4ysG1QNheH5u72BsOswKADCVb2dv4QHQ1H5UXsrNecSux
         pLQmiLQdf/FnYDuW7dNSz7qZWe78RT7Y+XziwY7ydh/uqzZfW3/ZuKkHDz7YjmeXePam
         9Xra4eknzhYH8SHRvdH1bvqWSJwVMYicIZ/eThzLoPhtiKD/9ML08lKtT5BkFOuNYAVb
         cY9OtPfrTsB17NSVGuDxMmfvga5WkEP5ui/oGV6oN4yNzbBt1QxZKklM5aHuWoWk9w3f
         0RQTvIlPgNy7Dqw+IIylOc5DsVOc3M7zsKP/Xa7P0NEEJxlv8zYDkUeu4WgehhQsEuSP
         8HnA==
X-Gm-Message-State: APjAAAW8cV1zHb2v8dUZ6ZeWCcws/PjA8wOwpQzpa5DB73PtsMndPcLT
	RrC2Eotz93qr5JAmOX/TM6E=
X-Google-Smtp-Source: APXvYqzn0eMk4JDUlv6X+P0C1L5Eb29E1giMVkZCuArPNDbgN+9AVUrkvAFe+KXAfBGHr05FLEINhw==
X-Received: by 2002:a1c:5448:: with SMTP id p8mr25624781wmi.70.1575902614236;
        Mon, 09 Dec 2019 06:43:34 -0800 (PST)
Received: from localhost (prg-ext-pat.suse.com. [213.151.95.130])
        by smtp.gmail.com with ESMTPSA id t78sm13737425wmt.24.2019.12.09.06.43.32
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 09 Dec 2019 06:43:33 -0800 (PST)
Date: Mon, 9 Dec 2019 15:43:32 +0100
From: Michal Hocko <mhocko@kernel.org>
To: Shakeel Butt <shakeelb@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>, Roman Gushchin <guro@fb.com>,
	Linux MM <linux-mm@kvack.org>, Johannes Weiner <hannes@cmpxchg.org>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] memcg: account security cred as well to kmemcg
Message-ID: <20191209144332.GA24368@dhcp22.suse.cz>
References: <20191205223721.40034-1-shakeelb@google.com>
 <20191206081710.GK28317@dhcp22.suse.cz>
 <CALvZod4VgNJOXy+bMLvzDhpYUu8tBe-63aDA842LH4-O5f5zKw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CALvZod4VgNJOXy+bMLvzDhpYUu8tBe-63aDA842LH4-O5f5zKw@mail.gmail.com>
User-Agent: Mutt/1.12.2 (2019-09-21)
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Fri 06-12-19 08:51:21, Shakeel Butt wrote:
> On Fri, Dec 6, 2019 at 12:17 AM Michal Hocko <mhocko@kernel.org> wrote:
> >
> > On Thu 05-12-19 14:37:21, Shakeel Butt wrote:
> > > The cred_jar kmem_cache is already memcg accounted in the current
> > > kernel but cred->security is not. Account cred->security to kmemcg.
> > >
> > > Recently we saw high root slab usage on our production and on further
> > > inspection, we found a buggy application leaking processes. Though that
> > > buggy application was contained within its memcg but we observe much
> > > more system memory overhead, couple of GiBs, during that period. This
> > > overhead can adversely impact the isolation on the system. One of source
> > > of high overhead, we found was cred->secuity objects.
> >
> > I am not familiar with this area much. What is the timelife of these
> > objects? Do they go away with a task allocating them?
> >
> 
> Lifetime is at least the life of the process allocating them.

Thanks for the clarification! It is better to be explicit about this in
the changelog I believe because it would make a review much easier.
Accounting for objects which are not bound to a user process context is
more complex and requires much more considerations.

> > > Signed-off-by: Shakeel Butt <shakeelb@google.com>

With that clarification
Acked-by: Michal Hocko <mhocko@suse.com>

> > >
> > > ---
> > >  kernel/cred.c | 6 +++---
> > >  1 file changed, 3 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/kernel/cred.c b/kernel/cred.c
> > > index c0a4c12d38b2..9ed51b70ed80 100644
> > > --- a/kernel/cred.c
> > > +++ b/kernel/cred.c
> > > @@ -223,7 +223,7 @@ struct cred *cred_alloc_blank(void)
> > >       new->magic = CRED_MAGIC;
> > >  #endif
> > >
> > > -     if (security_cred_alloc_blank(new, GFP_KERNEL) < 0)
> > > +     if (security_cred_alloc_blank(new, GFP_KERNEL_ACCOUNT) < 0)
> > >               goto error;
> > >
> > >       return new;
> > > @@ -282,7 +282,7 @@ struct cred *prepare_creds(void)
> > >       new->security = NULL;
> > >  #endif
> > >
> > > -     if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
> > > +     if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
> > >               goto error;
> > >       validate_creds(new);
> > >       return new;
> > > @@ -715,7 +715,7 @@ struct cred *prepare_kernel_cred(struct task_struct *daemon)
> > >  #ifdef CONFIG_SECURITY
> > >       new->security = NULL;
> > >  #endif
> > > -     if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
> > > +     if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
> > >               goto error;
> > >
> > >       put_cred(old);
> > > --
> > > 2.24.0.393.g34dc348eaf-goog
> > >
> >
> > --
> > Michal Hocko
> > SUSE Labs

-- 
Michal Hocko
SUSE Labs