From: Shakeel Butt <shakeelb@google.com>
To: Michal Hocko <mhocko@kernel.org>
Cc: Florian Westphal <fw@strlen.de>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
Roopa Prabhu <roopa@cumulusnetworks.com>,
Nikolay Aleksandrov <nikolay@cumulusnetworks.com>,
Andrew Morton <akpm@linux-foundation.org>,
Linux MM <linux-mm@kvack.org>,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
bridge@lists.linux-foundation.org,
LKML <linux-kernel@vger.kernel.org>,
syzbot+7713f3aa67be76b1552c@syzkaller.appspotmail.com
Subject: Re: [PATCH] netfilter: account ebt_table_info to kmemcg
Date: Thu, 3 Jan 2019 12:52:54 -0800 [thread overview]
Message-ID: <CALvZod4sQ7ZEwfEefoNUeso2Va255x0jNgwOVZSU-b7+CevQuQ@mail.gmail.com> (raw)
In-Reply-To: <20181231101158.GC22445@dhcp22.suse.cz>
On Mon, Dec 31, 2018 at 2:12 AM Michal Hocko <mhocko@kernel.org> wrote:
>
> On Sun 30-12-18 19:59:53, Shakeel Butt wrote:
> > On Sun, Dec 30, 2018 at 12:00 AM Michal Hocko <mhocko@kernel.org> wrote:
> > >
> > > On Sun 30-12-18 08:45:13, Michal Hocko wrote:
> > > > On Sat 29-12-18 11:34:29, Shakeel Butt wrote:
> > > > > On Sat, Dec 29, 2018 at 2:06 AM Michal Hocko <mhocko@kernel.org> wrote:
> > > > > >
> > > > > > On Sat 29-12-18 10:52:15, Florian Westphal wrote:
> > > > > > > Michal Hocko <mhocko@kernel.org> wrote:
> > > > > > > > On Fri 28-12-18 17:55:24, Shakeel Butt wrote:
> > > > > > > > > The [ip,ip6,arp]_tables use x_tables_info internally and the underlying
> > > > > > > > > memory is already accounted to kmemcg. Do the same for ebtables. The
> > > > > > > > > syzbot, by using setsockopt(EBT_SO_SET_ENTRIES), was able to OOM the
> > > > > > > > > whole system from a restricted memcg, a potential DoS.
> > > > > > > >
> > > > > > > > What is the lifetime of these objects? Are they bound to any process?
> > > > > > >
> > > > > > > No, they are not.
> > > > > > > They are free'd only when userspace requests it or the netns is
> > > > > > > destroyed.
> > > > > >
> > > > > > Then this is problematic, because the oom killer is not able to
> > > > > > guarantee the hard limit and so the excessive memory consumption cannot
> > > > > > be really contained. As a result the memcg will be basically useless
> > > > > > until somebody tears down the charged objects by other means. The memcg
> > > > > > oom killer will surely kill all the existing tasks in the cgroup and
> > > > > > this could somehow reduce the problem. Maybe this is sufficient for
> > > > > > some usecases but that should be properly analyzed and described in the
> > > > > > changelog.
> > > > > >
> > > > >
> > > > > Can you explain why you think the memcg hard limit will not be
> > > > > enforced? From what I understand, the memcg oom-killer will kill the
> > > > > allocating processes as you have mentioned. We do force charging for
> > > > > very limited conditions but here the memcg oom-killer will take care
> > > > > of
> > > >
> > > > I was talking about the force charge part. Depending on a specific
> > > > allocation and its life time this can gradually get us over hard limit
> > > > without any bound theoretically.
> > >
> > > Forgot to mention. Since b8c8a338f75e ("Revert "vmalloc: back off when
> > > the current task is killed"") there is no way to bail out from the
> > > vmalloc allocation loop so if the request is really large then the memcg
> > > oom will not help. Is that a problem here?
> > >
> >
> > Yes, I think it will be an issue here.
> >
> > > Maybe it is time to revisit fatal_signal_pending check.
> >
> > Yes, we will need something to handle the memcg OOM. I will think more
> > on that front or if you have any ideas, please do propose.
>
> I can see three options here:
> - do not force charge on memcg oom or introduce a limited charge
> overflow (reserves basically).
> - revert the revert and reintroduce the fatal_signal_pending
> check into vmalloc
> - be more specific and check tsk_is_oom_victim in vmalloc and
> fail
>
I think for the long term solution we might need something similar to
memcg oom reserves (1) but for quick fix I think we can do the
combination of (2) and (3).
Shakeel
WARNING: multiple messages have this Message-ID (diff)
From: Shakeel Butt <shakeelb@google.com>
To: Michal Hocko <mhocko@kernel.org>
Cc: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>,
Roopa Prabhu <roopa@cumulusnetworks.com>,
bridge@lists.linux-foundation.org,
Florian Westphal <fw@strlen.de>,
LKML <linux-kernel@vger.kernel.org>,
Linux MM <linux-mm@kvack.org>,
coreteam@netfilter.org, netfilter-devel@vger.kernel.org,
syzbot+7713f3aa67be76b1552c@syzkaller.appspotmail.com,
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
Andrew Morton <akpm@linux-foundation.org>,
Pablo Neira Ayuso <pablo@netfilter.org>
Subject: Re: [Bridge] [PATCH] netfilter: account ebt_table_info to kmemcg
Date: Thu, 3 Jan 2019 12:52:54 -0800 [thread overview]
Message-ID: <CALvZod4sQ7ZEwfEefoNUeso2Va255x0jNgwOVZSU-b7+CevQuQ@mail.gmail.com> (raw)
In-Reply-To: <20181231101158.GC22445@dhcp22.suse.cz>
On Mon, Dec 31, 2018 at 2:12 AM Michal Hocko <mhocko@kernel.org> wrote:
>
> On Sun 30-12-18 19:59:53, Shakeel Butt wrote:
> > On Sun, Dec 30, 2018 at 12:00 AM Michal Hocko <mhocko@kernel.org> wrote:
> > >
> > > On Sun 30-12-18 08:45:13, Michal Hocko wrote:
> > > > On Sat 29-12-18 11:34:29, Shakeel Butt wrote:
> > > > > On Sat, Dec 29, 2018 at 2:06 AM Michal Hocko <mhocko@kernel.org> wrote:
> > > > > >
> > > > > > On Sat 29-12-18 10:52:15, Florian Westphal wrote:
> > > > > > > Michal Hocko <mhocko@kernel.org> wrote:
> > > > > > > > On Fri 28-12-18 17:55:24, Shakeel Butt wrote:
> > > > > > > > > The [ip,ip6,arp]_tables use x_tables_info internally and the underlying
> > > > > > > > > memory is already accounted to kmemcg. Do the same for ebtables. The
> > > > > > > > > syzbot, by using setsockopt(EBT_SO_SET_ENTRIES), was able to OOM the
> > > > > > > > > whole system from a restricted memcg, a potential DoS.
> > > > > > > >
> > > > > > > > What is the lifetime of these objects? Are they bound to any process?
> > > > > > >
> > > > > > > No, they are not.
> > > > > > > They are free'd only when userspace requests it or the netns is
> > > > > > > destroyed.
> > > > > >
> > > > > > Then this is problematic, because the oom killer is not able to
> > > > > > guarantee the hard limit and so the excessive memory consumption cannot
> > > > > > be really contained. As a result the memcg will be basically useless
> > > > > > until somebody tears down the charged objects by other means. The memcg
> > > > > > oom killer will surely kill all the existing tasks in the cgroup and
> > > > > > this could somehow reduce the problem. Maybe this is sufficient for
> > > > > > some usecases but that should be properly analyzed and described in the
> > > > > > changelog.
> > > > > >
> > > > >
> > > > > Can you explain why you think the memcg hard limit will not be
> > > > > enforced? From what I understand, the memcg oom-killer will kill the
> > > > > allocating processes as you have mentioned. We do force charging for
> > > > > very limited conditions but here the memcg oom-killer will take care
> > > > > of
> > > >
> > > > I was talking about the force charge part. Depending on a specific
> > > > allocation and its life time this can gradually get us over hard limit
> > > > without any bound theoretically.
> > >
> > > Forgot to mention. Since b8c8a338f75e ("Revert "vmalloc: back off when
> > > the current task is killed"") there is no way to bail out from the
> > > vmalloc allocation loop so if the request is really large then the memcg
> > > oom will not help. Is that a problem here?
> > >
> >
> > Yes, I think it will be an issue here.
> >
> > > Maybe it is time to revisit fatal_signal_pending check.
> >
> > Yes, we will need something to handle the memcg OOM. I will think more
> > on that front or if you have any ideas, please do propose.
>
> I can see three options here:
> - do not force charge on memcg oom or introduce a limited charge
> overflow (reserves basically).
> - revert the revert and reintroduce the fatal_signal_pending
> check into vmalloc
> - be more specific and check tsk_is_oom_victim in vmalloc and
> fail
>
I think for the long term solution we might need something similar to
memcg oom reserves (1) but for quick fix I think we can do the
combination of (2) and (3).
Shakeel
next prev parent reply other threads:[~2019-01-03 20:53 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-29 1:55 [PATCH] netfilter: account ebt_table_info to kmemcg Shakeel Butt
2018-12-29 1:55 ` [Bridge] " Shakeel Butt
2018-12-29 1:55 ` Shakeel Butt
2018-12-29 7:33 ` Michal Hocko
2018-12-29 7:33 ` [Bridge] " Michal Hocko
2018-12-29 9:52 ` Florian Westphal
2018-12-29 9:52 ` [Bridge] " Florian Westphal
2018-12-29 10:06 ` Michal Hocko
2018-12-29 10:06 ` [Bridge] " Michal Hocko
2018-12-29 19:34 ` Shakeel Butt
2018-12-29 19:34 ` [Bridge] " Shakeel Butt
2018-12-29 19:34 ` Shakeel Butt
2018-12-30 7:45 ` Michal Hocko
2018-12-30 7:45 ` [Bridge] " Michal Hocko
2018-12-30 8:00 ` Michal Hocko
2018-12-30 8:00 ` [Bridge] " Michal Hocko
2018-12-31 3:59 ` Shakeel Butt
2018-12-31 3:59 ` [Bridge] " Shakeel Butt
2018-12-31 3:59 ` Shakeel Butt
2018-12-31 10:11 ` Michal Hocko
2018-12-31 10:11 ` [Bridge] " Michal Hocko
2019-01-03 20:52 ` Shakeel Butt [this message]
2019-01-03 20:52 ` Shakeel Butt
2019-01-03 20:52 ` Shakeel Butt
2019-01-04 13:21 ` Michal Hocko
2019-01-04 13:21 ` [Bridge] " Michal Hocko
2018-12-31 4:00 ` Shakeel Butt
2018-12-31 4:00 ` [Bridge] " Shakeel Butt
2018-12-31 4:00 ` Shakeel Butt
2018-12-29 9:52 ` Kirill Tkhai
2018-12-29 9:52 ` [Bridge] " Kirill Tkhai
2018-12-29 19:39 ` Shakeel Butt
2018-12-29 19:39 ` [Bridge] " Shakeel Butt
2018-12-29 19:39 ` Shakeel Butt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CALvZod4sQ7ZEwfEefoNUeso2Va255x0jNgwOVZSU-b7+CevQuQ@mail.gmail.com \
--to=shakeelb@google.com \
--cc=akpm@linux-foundation.org \
--cc=bridge@lists.linux-foundation.org \
--cc=coreteam@netfilter.org \
--cc=fw@strlen.de \
--cc=kadlec@blackhole.kfki.hu \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mhocko@kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=nikolay@cumulusnetworks.com \
--cc=pablo@netfilter.org \
--cc=roopa@cumulusnetworks.com \
--cc=syzbot+7713f3aa67be76b1552c@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.