From: "Yang Shi" <yang.s@alibaba-inc.com>
To: Jan Kara <jack@suse.cz>
Cc: amir73il@gmail.com, linux-fsdevel@vger.kernel.org,
linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] fs: fsnotify: account fsnotify metadata to kmemcg
Date: Tue, 31 Oct 2017 00:39:58 +0800 [thread overview]
Message-ID: <76a4d544-833a-5f42-a898-115640b6783b@alibaba-inc.com> (raw)
In-Reply-To: <20171030124358.GF23278@quack2.suse.cz>
On 10/30/17 5:43 AM, Jan Kara wrote:
> On Sat 28-10-17 02:22:18, Yang Shi wrote:
>> If some process generates events into a huge or unlimit event queue, but no
>> listener read them, they may consume significant amount of memory silently
>> until oom happens or some memory pressure issue is raised.
>> It'd better to account those slab caches in memcg so that we can get heads
>> up before the problematic process consume too much memory silently.
>>
>> But, the accounting might be heuristic if the producer is in the different
>> memcg from listener if the listener doesn't read the events. Due to the
>> current design of kmemcg, who does the allocation, who gets the accounting.
>>
>> Signed-off-by: Yang Shi <yang.s@alibaba-inc.com>
>> ---
>> v1 --> v2:
>> * Updated commit log per Amir's suggestion
>
> I'm sorry but I don't think this solution is acceptable. I understand that
> in some cases (and you likely run one of these) the result may *happen* to
> be the desired one but in other cases, you might be charging wrong memcg
> and so misbehaving process in memcg A can effectively cause a DoS attack on
> a process in memcg B.
Yes, as what I discussed with Amir in earlier review, current memcg
design just accounts memory to the allocation process, but has no idea
who is consumer process.
Although it is not desirable to DoS a memcg, it still sounds better than
DoS the whole machine due to potential oom. This patch is aimed to avoid
such case.
>
> If you have a setup in which notification events can consume considerable
> amount of resources, you are doing something wrong I think. Standard event
> queue length is limited, overall events are bounded to consume less than 1
> MB. If you have unbounded queue, the process has to be CAP_SYS_ADMIN and
> presumably it has good reasons for requesting unbounded queue and it should
> know what it is doing.
Yes, I agree it does mean something is going wrong. So, it'd better to
be accounted in order to get some heads up early before something is
going really bad. The limit will not be set too high since fsnotify
metadata will not consume too much memory in *normal* case.
I agree we should trust admin user, but kernel should be responsible for
the last defense when something is really going wrong. And, we can't
guarantee admin process will not do something wrong, the code might be
not reviewed thoroughly, the test might not cover some extreme cases.
>
> So maybe we could come up with some better way to control amount of
> resources consumed by notification events but for that we lack more
> information about your use case. And I maintain that the solution should
> account events to the consumer, not the producer...
I do agree it is not fair and not neat to account to producer rather
than misbehaving consumer, but current memcg design looks not support
such use case. And, the other question is do we know who is the listener
if it doesn't read the events?
Thanks,
Yang
>
> Honza
>
next prev parent reply other threads:[~2017-10-30 16:40 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-27 18:22 [PATCH v2] fs: fsnotify: account fsnotify metadata to kmemcg Yang Shi
2017-10-28 14:19 ` Amir Goldstein
2017-10-29 2:39 ` Matthew Wilcox
2017-10-30 12:43 ` Jan Kara
2017-10-30 16:39 ` Yang Shi [this message]
2017-10-31 10:12 ` Jan Kara
2017-10-31 16:44 ` Yang Shi
2017-11-01 15:15 ` Jan Kara
2017-11-09 13:54 ` Michal Hocko
2017-11-13 19:10 ` Yang Shi
2017-11-14 9:39 ` Michal Hocko
2017-11-14 17:32 ` Yang Shi
2017-11-15 9:31 ` Jan Kara
2018-01-19 15:02 ` Shakeel Butt
2018-01-22 20:31 ` Amir Goldstein
2018-01-24 10:34 ` Jan Kara
2018-01-24 11:12 ` Amir Goldstein
2018-01-25 1:08 ` Shakeel Butt
2018-01-25 1:54 ` Al Viro
2018-01-25 2:15 ` Shakeel Butt
2018-01-25 7:51 ` Amir Goldstein
2018-01-25 20:20 ` Shakeel Butt
2018-01-25 20:36 ` Amir Goldstein
2018-02-13 6:30 ` Amir Goldstein
2018-02-13 21:10 ` Shakeel Butt
2018-02-13 21:54 ` Amir Goldstein
2018-02-13 22:20 ` Shakeel Butt
2018-02-14 1:59 ` Shakeel Butt
2018-02-14 8:38 ` Amir Goldstein
2018-02-19 13:50 ` Jan Kara
2018-02-19 19:07 ` Amir Goldstein
2018-02-20 12:43 ` Jan Kara
2018-02-20 19:20 ` Shakeel Butt
2018-02-20 20:30 ` Amir Goldstein
2018-02-14 9:00 ` Amir Goldstein
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=76a4d544-833a-5f42-a898-115640b6783b@alibaba-inc.com \
--to=yang.s@alibaba-inc.com \
--cc=amir73il@gmail.com \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).