From: Shakeel Butt <shakeelb@google.com>
To: Michal Hocko <mhocko@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Roman Gushchin <guro@fb.com>, Linux MM <linux-mm@kvack.org>,
Johannes Weiner <hannes@cmpxchg.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] memcg: account security cred as well to kmemcg
Date: Fri, 6 Dec 2019 08:51:21 -0800 [thread overview]
Message-ID: <CALvZod4VgNJOXy+bMLvzDhpYUu8tBe-63aDA842LH4-O5f5zKw@mail.gmail.com> (raw)
In-Reply-To: <20191206081710.GK28317@dhcp22.suse.cz>
On Fri, Dec 6, 2019 at 12:17 AM Michal Hocko <mhocko@kernel.org> wrote:
>
> On Thu 05-12-19 14:37:21, Shakeel Butt wrote:
> > The cred_jar kmem_cache is already memcg accounted in the current
> > kernel but cred->security is not. Account cred->security to kmemcg.
> >
> > Recently we saw high root slab usage on our production and on further
> > inspection, we found a buggy application leaking processes. Though that
> > buggy application was contained within its memcg but we observe much
> > more system memory overhead, couple of GiBs, during that period. This
> > overhead can adversely impact the isolation on the system. One of source
> > of high overhead, we found was cred->secuity objects.
>
> I am not familiar with this area much. What is the timelife of these
> objects? Do they go away with a task allocating them?
>
Lifetime is at least the life of the process allocating them.
> > Signed-off-by: Shakeel Butt <shakeelb@google.com>
> >
> > ---
> > kernel/cred.c | 6 +++---
> > 1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/kernel/cred.c b/kernel/cred.c
> > index c0a4c12d38b2..9ed51b70ed80 100644
> > --- a/kernel/cred.c
> > +++ b/kernel/cred.c
> > @@ -223,7 +223,7 @@ struct cred *cred_alloc_blank(void)
> > new->magic = CRED_MAGIC;
> > #endif
> >
> > - if (security_cred_alloc_blank(new, GFP_KERNEL) < 0)
> > + if (security_cred_alloc_blank(new, GFP_KERNEL_ACCOUNT) < 0)
> > goto error;
> >
> > return new;
> > @@ -282,7 +282,7 @@ struct cred *prepare_creds(void)
> > new->security = NULL;
> > #endif
> >
> > - if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
> > + if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
> > goto error;
> > validate_creds(new);
> > return new;
> > @@ -715,7 +715,7 @@ struct cred *prepare_kernel_cred(struct task_struct *daemon)
> > #ifdef CONFIG_SECURITY
> > new->security = NULL;
> > #endif
> > - if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
> > + if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
> > goto error;
> >
> > put_cred(old);
> > --
> > 2.24.0.393.g34dc348eaf-goog
> >
>
> --
> Michal Hocko
> SUSE Labs
next prev parent reply other threads:[~2019-12-06 16:51 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-05 22:37 Shakeel Butt
2019-12-05 23:16 ` Chris Down
2019-12-05 23:23 ` Roman Gushchin
2019-12-06 8:17 ` Michal Hocko
2019-12-06 16:51 ` Shakeel Butt [this message]
2019-12-09 14:43 ` Michal Hocko
2019-12-07 0:13 ` Andrew Morton
2019-12-07 5:06 ` Shakeel Butt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CALvZod4VgNJOXy+bMLvzDhpYUu8tBe-63aDA842LH4-O5f5zKw@mail.gmail.com \
--to=shakeelb@google.com \
--cc=akpm@linux-foundation.org \
--cc=guro@fb.com \
--cc=hannes@cmpxchg.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mhocko@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox