Re: Tmpfs size accounting misses memory allocations

[Topi Miettinen <toiwoton@gmail.com>]

On 1.5.2020 6.14, Hugh Dickins wrote:
> On Tue, 28 Apr 2020, Topi Miettinen wrote:
>> On 28.4.2020 4.34, Hugh Dickins wrote:
>>> On Sat, 25 Apr 2020, Topi Miettinen wrote:
>>>> Hi,
>>>>
>>>> It seems that tmpfs does not count memory which is allocated for short
>>>> symlinks or xattrs towards size= limit.
>>>
>>> Yes, you are right. And that is why tmpfs does not (so far) support
>>> user xattrs, because the unprivileged user could take up too much
>>> memory that way.
>>>
>>>> I guess the fix would be to change
>>>> shmem_sb_info->{used_blocks,max_blocks} to use bytes as units (instead of
>>>> blocks) and then add accounting and checks to shmem_symlink() and
>>>> shmem_initxattrs(). Would a patch for that be acceptable?
>>>
>>> Thank you for offering, but I don't think a patch for exactly that would
>>> be acceptable. Because "size=" has just been another way of expressing
>>> "nr_blocks=" ever since it was added in 2.4.4, and tmpfs has never
>>> counted the kernel metadata towards its data blocks limit.
>>>
>>> You could certainly argue that it should have done from the start; but
>>> in order to keep the accounting suitably simple (pages rather than bytes)
>>> it never did. And I believe there are many users who expect a tmpfs of a
>>> certain size to be able to accommodate data of that size, who would not
>>> care to have to change their scripts or apps to meet a lower limitation.
>>>
>>>>
>>>> Another issue is that inodes aren't counted towards size= limit either,
>>>> but
>>>> perhaps that's intentional because there's nr_inodes= mount option for
>>>> exactly that.
>>>
>>> Yes, tmpfs lets the nr_inodes limit be used to constrain the kernel
>>> metadata (and tmpfs has a peculiarity, that it actually counts hard
>>> links out of nr_inodes, in order to limit the memory spent on dentries).
>>>
>>> I doubt the nr_inodes limit is depended upon so critically as the
>>> nr_blocks, and I think we might extend it (say, consider each 1 of
>>> nr_inodes to grant approximately 1kB of unswappable lowmem metadata)
>>> to enable limited user xattrs: a patch along those lines might well
>>> be acceptable.
>>
>> I'm interested in restricting the amount of memory allocated to tmpfs mounts
>> in the system rather than granting more. I've seen a system lock up because
>> tmpfs mounts consumed the entire memory. Possible contributing factors could
>> be use of LVM and encryption for the swap.
> 
> Yes, it is too easy to get into a terrible state that way.  With OOM
> killer doing no good at all, because it's busy killing processes, which
> does nothing to free the memory held by tmpfs files.  I've never found
> a good answer to that in general, though marking files as suitable for
> truncation on OOM has been useful in special cases.
> 
>>
>> Perhaps there should be a single system limit (sysctl) for total memory
>> consumed by all {dev,}tmpfs mounts? Setting this to for example 75% could be
>> life saving. Then also the compatibility issues would not matter and all
>> memory allocations could be counted.
> 
> It's a good suggestion, though I don't much like it. Why not? Hmm:
> I'm having difficulty expressing why not, let me sit on it for a bit,
> I may come around to your idea there.
> 
> My resistance is partly because we already have several other schemes
> for resource limiting: the nr_blocks+nr_inodes, the __vm_enough_memory()
> checks (/proc/sys/vm/overcommit*), and nowadays memory cgroups.  Adding
> yet another is likely to make some fast paths slower.
> 
> I expect you to say that this is a fundamental problem with tmpfs, which
> should not have to rely on use of MEMCG to save it: I'll agree with you.
> And I'd hoped to sell you /proc/sys/vm/overcommit_memory 2 (never
> overcommit), before realizing that offers no protection at all from an
> explosion of tmpfs inodes, only an explosion of tmpfs data.  Not sure
> why we never realized that back in the day: perhaps that is what should
> be fixed.

Memory cgroups (or something similar) could be a solution if the total 
could be kept for example at 75%, but wouldn't this leave 25% of memory 
totally unused? A new cgroup to limit only tmpfs would not have this 
problem. Either way, setting reasonable limits for each cgroup could be 
a lot of work. The mounts can be global and each mount namespace can 
have additional tmpfs mounts.

/proc/sys/vm/overcommit_memory or overcommit_ratio could also work, if 
there was a way to limit the memory use to less than 100%. Also address 
space usage by itself is not interesting but physical RAM use (perhaps 
via page tables for address spaces).

Man proc(5) also mentions /proc/sys/fs/inode-max to limit in-memory 
inodes but it no longer exists since v2.2.

Another existing candidate could be /proc/sys/kernel/shmall (system-wide 
limit on the total number of pages of System V shared memory), if SysV 
shm here was somehow reinterpreted as any shared memory including tmpfs. 
Is there any connection between SysV shm and tmpfs anymore? If there was 
a global limit (and/or cgroup limits), should shm also be counted 
towards the limits or should they be separate?

Then there's /proc/sys/vm/admin_reserve_kbytes. I suppose 'admin' means 
UID 0 here, so it would not protect the system from accidental filling 
of tmpfs mounts by UID 0 processes. It would still be something.

> I see now that whether metadata (nr_inodes space) is included in size
> or not is just a detail: you had quite reasonably expected it to be
> included, but it happens to be additional. The problem is not that it's
> additional to size, but that few of us are conscious of how high its
> default is: how much memory could be gobbled up in that way (I roughly
> estimate 1kB per inode+dentry). Though I think you need a malicious
> explosion of inodes in several tmpfs instances to get into trouble
> that way, if data sizes are already properly limited.

Half of physical memory pages allows 1/8 (50% * 1kB / 4kB pagesize) of 
the memory to be used for the inodes, so if inodes are not limited, it 
would take eight tmpfs mounts for inodes only attack. Though data block 
limits are never zero and unfortunately there could be unlimited mounts 
in the systems, so the number of mounts needed for causing trouble is 
probably lower.

>>>> If these are not bugs but intentional features, I think the manual page
>>>> tmpfs(5) should be clearer in this respect.
>>>
>>> Nobody has asked for that before, it seems to have met expectations as is.
>>> But a sentence could be added to the manpage: do you have wording in mind?
>>
>> For example addition to the size option:
>>
>> NB: Only the contents (blocks) of regular files are counted towards the size
>> limit. To limit RAM consumption also by the inodes of the directories,
>> symbolic links or device special files, option nr_inodes must be used.
> 
> Better not get into listing directories, symbolic links or device special
> files there: it's equally a weakness for regular files - if so minded,
> I think you could exhaust memory with enough 0-length regular files
> across enough tmpfs instances.
> 
> I'm holding back from sending that on to Michael Kerrisk for the man-page
> for now: if we do decide to add a protective sysctl, we shall want to
> mention that there too.
> 
> But one little change that occurred to me this morning: how about this
> patch, to stop hiding the default size and nr_inodes from /proc/mounts
> (and "mount" command), to help make people more conscious of these limits,
> and encourage them to be scaled down:
> 
> --- 5.7-rc3/mm/shmem.c	2020-04-26 16:05:25.061228461 -0700
> +++ linux/mm/shmem.c	2020-04-30 18:59:59.253865989 -0700
> @@ -3583,11 +3583,8 @@ static int shmem_show_options(struct seq
>   {
>   	struct shmem_sb_info *sbinfo = SHMEM_SB(root->d_sb);
>   
> -	if (sbinfo->max_blocks != shmem_default_max_blocks())
> -		seq_printf(seq, ",size=%luk",
> -			sbinfo->max_blocks << (PAGE_SHIFT - 10));
> -	if (sbinfo->max_inodes != shmem_default_max_inodes())
> -		seq_printf(seq, ",nr_inodes=%lu", sbinfo->max_inodes);
> +	seq_printf(seq, ",size=%luk", sbinfo->max_blocks << (PAGE_SHIFT - 10));
> +	seq_printf(seq, ",nr_inodes=%lu", sbinfo->max_inodes);
>   	if (sbinfo->mode != (0777 | S_ISVTX))
>   		seq_printf(seq, ",mode=%03ho", sbinfo->mode);
>   	if (!uid_eq(sbinfo->uid, GLOBAL_ROOT_UID))
> 

Good idea. There shouldn't be any compatibility issues since the 
applications should have been prepared to read the size and nr_inodes 
options always.

-Topi