From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.3 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,NICE_REPLY_A,SPF_HELO_NONE, SPF_PASS,URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7541CC433B4 for ; Wed, 21 Apr 2021 17:06:00 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id D1E8E61450 for ; Wed, 21 Apr 2021 17:05:59 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org D1E8E61450 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=sony.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id E3C1C6B0036; Wed, 21 Apr 2021 13:05:58 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id E11A76B006E; Wed, 21 Apr 2021 13:05:58 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id CFFDF6B0070; Wed, 21 Apr 2021 13:05:58 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0221.hostedemail.com [216.40.44.221]) by kanga.kvack.org (Postfix) with ESMTP id B20D06B0036 for ; Wed, 21 Apr 2021 13:05:58 -0400 (EDT) Received: from smtpin15.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay05.hostedemail.com (Postfix) with ESMTP id 71D7B180F9859 for ; Wed, 21 Apr 2021 17:05:58 +0000 (UTC) X-FDA: 78057001596.15.81653AA Received: from JPTOSEGREL01.sonyericsson.com (jptosegrel01.sonyericsson.com [124.215.201.71]) by imf28.hostedemail.com (Postfix) with ESMTP id 9D5FF2000266 for ; Wed, 21 Apr 2021 17:05:59 +0000 (UTC) Subject: Re: [RFC] memory reserve for userspace oom-killer To: Shakeel Butt , Johannes Weiner , Roman Gushchin , Michal Hocko , Linux MM , Andrew Morton , Cgroups , David Rientjes , LKML , Suren Baghdasaryan CC: Greg Thelen , Dragos Sbirlea , Priya Duraisamy References: From: peter enderborg Message-ID: <699e51ba-825d-b243-8205-4d8cff478a66@sony.com> Date: Wed, 21 Apr 2021 19:05:49 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Content-Language: en-GB X-SEG-SpamProfiler-Analysis: v=2.3 cv=DLnxHBFb c=1 sm=1 tr=0 a=9drRLWArJOlETflmpfiyCA==:117 a=IkcTkHD0fZMA:10 a=3YhXtTcJ-WEA:10 a=DDOyTI_5AAAA:8 a=upAolG9lt1D93ADSiFAA:9 a=7Zwj6sZBwVKJAoWSPKxL6X1jA+E=:19 a=QEXdDO2ut3YA:10 a=i4HhKqK894AA:10 a=_BcfOz0m4U4ohdxiHPKc:22 X-SEG-SpamProfiler-Score: 0 X-Rspamd-Queue-Id: 9D5FF2000266 X-Stat-Signature: rupnspafax9qmk4cg4c11qoocatknukb X-Rspamd-Server: rspam02 Received-SPF: none (sony.com>: No applicable sender policy available) receiver=imf28; identity=mailfrom; envelope-from=""; helo=JPTOSEGREL01.sonyericsson.com; client-ip=124.215.201.71 X-HE-DKIM-Result: none/none X-HE-Tag: 1619024759-736910 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 4/20/21 3:44 AM, Shakeel Butt wrote: > Proposal: Provide memory guarantees to userspace oom-killer. > > Background: > > Issues with kernel oom-killer: > 1. Very conservative and prefer to reclaim. Applications can suffer > for a long time. > 2. Borrows the context of the allocator which can be resource limited > (low sched priority or limited CPU quota). > 3. Serialized by global lock. > 4. Very simplistic oom victim selection policy. > > These issues are resolved through userspace oom-killer by: > 1. Ability to monitor arbitrary metrics (PSI, vmstat, memcg stats) to > early detect suffering. > 2. Independent process context which can be given dedicated CPU quota > and high scheduling priority. > 3. Can be more aggressive as required. > 4. Can implement sophisticated business logic/policies. > > Android's LMKD and Facebook's oomd are the prime examples of userspace > oom-killers. One of the biggest challenges for userspace oom-killers > is to potentially function under intense memory pressure and are prone > to getting stuck in memory reclaim themselves. Current userspace > oom-killers aim to avoid this situation by preallocating user memory > and protecting themselves from global reclaim by either mlocking or > memory.min. However a new allocation from userspace oom-killer can > still get stuck in the reclaim and policy rich oom-killer do trigger > new allocations through syscalls or even heap. > > Our attempt of userspace oom-killer faces similar challenges. > Particularly at the tail on the very highly utilized machines we have > observed userspace oom-killer spectacularly failing in many possible > ways in the direct reclaim. We have seen oom-killer stuck in direct > reclaim throttling, stuck in reclaim and allocations from interrupts > keep stealing reclaimed memory. We have even observed systems where > all the processes were stuck in throttle_direct_reclaim() and only > kswapd was running and the interrupts kept stealing the memory > reclaimed by kswapd. > > To reliably solve this problem, we need to give guaranteed memory to > the userspace oom-killer. At the moment we are contemplating between > the following options and I would like to get some feedback. > > 1. prctl(PF_MEMALLOC) > > The idea is to give userspace oom-killer (just one thread which is > finding the appropriate victims and will be sending SIGKILLs) access > to MEMALLOC reserves. Most of the time the preallocation, mlock and > memory.min will be good enough but for rare occasions, when the > userspace oom-killer needs to allocate, the PF_MEMALLOC flag will > protect it from reclaim and let the allocation dip into the memory > reserves. > > The misuse of this feature would be risky but it can be limited to > privileged applications. Userspace oom-killer is the only appropriate > user of this feature. This option is simple to implement. > > 2. Mempool > > The idea is to preallocate mempool with a given amount of memory for > userspace oom-killer. Preferably this will be per-thread and > oom-killer can preallocate mempool for its specific threads. The core > page allocator can check before going to the reclaim path if the task > has private access to the mempool and return page from it if yes. > > This option would be more complicated than the previous option as the > lifecycle of the page from the mempool would be more sophisticated. > Additionally the current mempool does not handle higher order pages > and we might need to extend it to allow such allocations. Though this > feature might have more use-cases and it would be less risky than the > previous option. > > Another idea I had was to use kthread based oom-killer and provide the > policies through eBPF program. Though I am not sure how to make it > monitor arbitrary metrics and if that can be done without any > allocations. > > Please do provide feedback on these approaches. > > thanks, > Shakeel I think this is the wrong way to go. I sent a patch for android lowmemorykiller some years ago. http://driverdev.linuxdriverproject.org/pipermail/driverdev-devel/2017-Febr= uary/100319.html It has been improved since than, so it can act handle oom callbacks, it can= act on vmpressure and psi and as a shrinker. The patches has not been ported to resent kernels though= . I don't think vmpressure and psi is that relevant now. (They are what users= pace act on)=C2=A0 But the basic idea is to have a priority queue within the kernel. It need pick up new processes and dying process.=C2=A0 A= nd then it has a order, and that is set with oom adj values by activity manager in android.=C2=A0 I see this= model can be reused for something that is between a standard oom and userspace.=C2=A0 Instead of vm= pressure and psi a watchdog might be a better way.=C2=A0 If userspace (in android the activi= ty manager or lmkd) does not kick the watchdog, the watchdog bite the task according to the priority and kills it.=C2=A0 Th= is priority list does not have to be a list generated=C2=A0 within kernel. But it has the advantage that you inherent parents propertie= s.=C2=A0 We use a rb-tree for that. All that is missing is the watchdog.