[00/19] mm: Introduce a cgroup to limit the amount of locked and pinned memory

Message ID	cover.c238416f0e82377b449846dbb2459ae9d7030c8e.1675669136.git-series.apopple@nvidia.com (mailing list archive)
Headers	show Return-Path: <owner-linux-mm@kvack.org> From: Alistair Popple <apopple@nvidia.com> To: linux-mm@kvack.org, cgroups@vger.kernel.org Cc: linux-kernel@vger.kernel.org, jgg@nvidia.com, jhubbard@nvidia.com, tjmercier@google.com, hannes@cmpxchg.org, surenb@google.com, mkoutny@suse.com, daniel@ffwll.ch, "Daniel P . Berrange" <berrange@redhat.com>, Alex Williamson <alex.williamson@redhat.com>, Alistair Popple <apopple@nvidia.com> Subject: [PATCH 00/19] mm: Introduce a cgroup to limit the amount of locked and pinned memory Date: Mon, 6 Feb 2023 18:47:37 +1100 Message-Id: <cover.c238416f0e82377b449846dbb2459ae9d7030c8e.1675669136.git-series.apopple@nvidia.com> Content-Transfer-Encoding: 8bit Content-Type: text/plain MIME-Version: 1.0 Sender: owner-linux-mm@kvack.org Precedence: bulk
Series	mm: Introduce a cgroup to limit the amount of locked and pinned memory \| expand [00/19] mm: Introduce a cgroup to limit the amount of locked and pinned memory [01/19] mm: Introduce vm_account [02/19] drivers/vhost: Convert to use vm_account [03/19] drivers/vdpa: Convert vdpa to use the new vm_structure [04/19] infiniband/umem: Convert to use vm_account [05/19] RMDA/siw: Convert to use vm_account [06/19] RDMA/usnic: convert to use vm_account [07/19] vfio/type1: Charge pinned pages to pinned_vm instead of locked_vm [08/19] vfio/spapr_tce: Convert accounting to pinned_vm [09/19] io_uring: convert to use vm_account [10/19] net: skb: Switch to using vm_account [11/19] xdp: convert to use vm_account [12/19] kvm/book3s_64_vio: Convert account_locked_vm() to vm_account_pinned() [13/19] fpga: dfl: afu: convert to use vm_account [14/19] mm: Introduce a cgroup for pinned memory [15/19] mm/util: Extend vm_account to charge pages against the pin cgroup [16/19] mm/util: Refactor account_locked_vm [17/19] mm: Convert mmap and mlock to use account_locked_vm [18/19] mm/mmap: Charge locked memory to pins cgroup [19/19] selftests/vm: Add pins-cgroup selftest for mlock/mmap

Message ID

cover.c238416f0e82377b449846dbb2459ae9d7030c8e.1675669136.git-series.apopple@nvidia.com (mailing list archive)

Headers

From: Alistair Popple <apopple@nvidia.com>
To: linux-mm@kvack.org,
	cgroups@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
	jgg@nvidia.com,
	jhubbard@nvidia.com,
	tjmercier@google.com,
	hannes@cmpxchg.org,
	surenb@google.com,
	mkoutny@suse.com,
	daniel@ffwll.ch,
	"Daniel P . Berrange" <berrange@redhat.com>,
	Alex Williamson <alex.williamson@redhat.com>,
	Alistair Popple <apopple@nvidia.com>
Subject: [PATCH 00/19] mm: Introduce a cgroup to limit the amount of locked
 and pinned memory
Date: Mon,  6 Feb 2023 18:47:37 +1100
Message-Id: 
 <cover.c238416f0e82377b449846dbb2459ae9d7030c8e.1675669136.git-series.apopple@nvidia.com>
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
 2JOTz2S9XeuBNr1Ngv1Xezoohsy9vLYgx7iUPzZPxfX2elXEFgzp4YEP7IzZg12sswETfkS1N/hvjXs3S0qPWkLuna6f4N2fkSK3Oxsc3btR1cfNuIiH1K/gCTZBYBWOY+Beq1ff/dYmgIhOhra0xBHDn0h/JZ7me959PW7Y/Bd39bpgtmvS8aBBYu28gzWGIaP5d0ktRPXiki06b8zk7hdOQAShPWQ2yzStVHHV44y5y58thuV//nLnXi0zQLIKcD1zAB8A2htSP3IXWb5RMcpBvDMTnYJGJGoowZWKtaBeOaEst31MHFwX2lL+L9tcs8agGGqJTBxcpOATPChcnxXLKoLb0HEC4+3jwsUDg29NTti2Be+1ZNiMSgY8NTvZju12047GenLw0aIikrkUfHD8mYKTQSr7TrX5lF2HROOsaxgvf1CntJOY1kDgWfKIZd9uBy0a28bV1faMtKl9DWwAZb1eNfKPWShwVHnWTZ3km95iS/YxmKswAzkOwjK/gPuqZRXVr6blE/RTKGYTN9CPa2Xu5/5WYxHozHMHEcp/7WuNTzQak1mdraqeLDeeyEzGm+FL38sxsUm/hKAwTfUwtpb/u9yVtcyLmEC3TvBzov1KFk9VGOiPXYbwMjudNH8XyDGJjF65R9MT03bmfIy923OjOxoyAQtdfajaMvqiG2uKgQ0GIwjNA2MDxJKpQSgloRku7x14ypkijdRNlXypGnSdmoRIn35gg6RP8sxEjUrh/ITvsoIyUW0GHEfLIUxh+rctcBledCJjef9q5gr62R1CtogsYMSV++8pfzDv3hRr7hV3QZr9PsoTfZ2rZW8kRE4/0IcBQDEbNGbx2whnJoWK98XAPHClK7Wm+7Dr7h+7LCygyLFKpEryJNOG5bBakmOuUnORyb6gDX9HpasPGIimV+h9hgUhR9nH1A+uxFUeogNGQY52Fx5DNHFIgu4Ql/Jpq7hZ4HRyjNolZGgqD99+jhi5IE11FsiqjOXMIFp/158wHz8G5hCPmn42I7nqRmPdmj/7uqB5j4KRmo6oAuqiEfUJGvUbzaKVIYBxH+PkpbwY5D1mVpoy1snY+ZgELHaMVgBsuPPZrsyorvyg6oWkaNF7A0qTj94O1HbZraoObZuIz49OGC9wx23s7GXfB0jFVPG/zxEhCwZXuagXJ5o7bP9wv1+V65aq7V9TLDxx2chZ1upp+xLmzgxLKMwq00R/lDNMJpe50IIQXn/VowVtf/pul45oEIY4c0C/UGvPnRpK2Sq30dsN1GlkahkbsCHcXObVxmbkt4XPpR5Spkqio9cHm76dMC4layBgn806x1FX/9cqmZb5qUGQwQKx8Jtymj0IA4SnKmtmO12SmokxwnoCfcJLaQbsmg5GjI7Z/XMdw/VGhC0hFC4ehryNDrDQAs5nu/9DHMBjOPw5EZsxdZ/KJGSMXO98eG1lU5a2pAeSk4LIVmESEmxhVUnrou4FL2KRZ9KWLOlPdbTg8ZyJzdom3BY2JenYnUabNZRj5PpU287TlmzuXXKPs5W8iRHUMlJuE9kl35IcxURQ2K7KD+H8KepteNYOsCbhO/6qhnjIujLys8E/c+nE
X-OriginatorOrg: Nvidia.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 fd2b1542-16b2-4347-c077-08db081680c0
X-MS-Exchange-CrossTenant-AuthSource: BYAPR12MB3176.namprd12.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 Feb 2023 07:48:14.7350
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 4IrBqVVG9cUdx02dLYasiMlsarP8bApYffy2P8M8qHHPyzkj3/s80uOmFfh/49m1Z9RclAAxIwNDRtkL0YXhHw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY8PR12MB7097
X-Rspam-User: 
X-Rspamd-Server: rspam04
X-Rspamd-Queue-Id: D402140006
X-Stat-Signature: 8rybrm8rwrnf4q7b5prnguey5k36iw68
X-HE-Tag: 1675669699-742996
X-HE-Meta: 
 U2FsdGVkX1+dLHmJdWzzwa0E7na2ViWh5USI7Klo0D1vzc7L1yxtp+umiQ8XHtx/dVwCERhxGjlB4A6Hl1yU7+6hFLIpIea7V7aa5rqNkjhETa7MzTkcxtWhE2thlR/kA1ZHtA6EirEC7z6gzDVyx2+pyD7ALTMkdYW8ctBI7uop3wOjWeVPqPyJrzADTOCAhYrqNGwaWDWFYTHZHC0fra7uskku7onnxVGBueZIQ0CrohKg5M9W2ZghXhYIBmFmbAx83VUR9sbffa0vols1HoYugCKA4j0NEbQAVRXwBfOig/CJeVd3erWROFzQm9K2t/MFkM31JXK/oW3u5j3pH7tfJCE3DSu+JXxpQd3kqJVCcKkyIKQ97A5on0moT4MRFUKEva2KMSWE8k+jSeLo1P4mMhvW3xw9hna20HuXYnVtm8FXRU79meI0tPQ+9O1Iztx+ODeDU5XbTasRgvRYMe9qYF4y+v1wFWZny6VdM+M2BJePMALJjkgemwZNXovQZUC7j+RAvlhUwZCnotGZRBf4UvvEAkb3WG1cxRLxR8BZyRdmoW9iJQquOb9ZgQt5vxaXCM/JOJb5N330pirr4+46sMcFz6+2PYpHo4AQjzJKBG280nlkT7v8obmE9vUCzU2DlymaHJi5Akt3ZPGMD8XQzujL2F58OY7czImlCLv8jVlYvMaElh+ihqshf3rq5VFmymuUTaiBt0+NetwoBHFb6HVDvnhqll1zpsJDfSTX1kHU0SACD/KNuJRJOZ+gGPu07P8crieYfwj12/PvsYUvujHnPMKMJvwI6ZUBgL6D6wNURAhYRTNTCbM5jH4xkWdJdvlJdTBhYDaLNuzX12Ql8TpMXR72PmF0SpaXF5ra94CbxxWF0OrNpotQ8LxVInhgngxc6ey1+eCN8GNZeD/DbI3zhZ7FXaDXzo9KLGauPTCTZNDDvopQhnSURnJCqsKg/dZT3aDyZJXRFMV
 LvCADJ1P
 t/ujyCkmlMauaVPU41vA/t/X8CyWOMIw0A/f8g3zThs92pOAfQXcwNdd07pKDfRifQRl/E3k9cR6bf87SdpGJbF1N6B5u5oPgolpn/TdFZot6vj1mzhfM4PyIiefoM8xVVgRf+paK0Oa4GyBiDB8iBT5JLsKi9QFB1tvMgUJ5B4TQ6Ht2n3JxwhCGUgMjFsXi5Ha6WeSNNw5C1aXmqeO50i7NNHq0kJnmniuc4UMQgD/meFR5IHbtkZVRfffiYp7W5HfMF3n3lMxYmZ/Ac14K02MYQjEBwpFPlIn2OKV9y2yAzcIjovUnuu5J1OjwNrKQnOiUnCG/sx37eWgfDJEMnbI+AK1KdKkchBLR2SSURpkSSrnWVLSo4mUB1w==
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

Series

mm: Introduce a cgroup to limit the amount of locked and pinned memory | expand

Message

Alistair Popple Feb. 6, 2023, 7:47 a.m. UTC

Having large amounts of unmovable or unreclaimable memory in a system
can lead to system instability due to increasing the likelihood of
encountering out-of-memory conditions. Therefore it is desirable to
limit the amount of memory users can lock or pin.

From userspace such limits can be enforced by setting
RLIMIT_MEMLOCK. However there is no standard method that drivers and
other in-kernel users can use to check and enforce this limit.

This has lead to a large number of inconsistencies in how limits are
enforced. For example some drivers will use mm->locked_mm while others
will use mm->pinned_mm or user->locked_mm. It is therefore possible to
have up to three times RLIMIT_MEMLOCKED pinned.

Having pinned memory limited per-task also makes it easy for users to
exceed the limit. For example drivers that pin memory with
pin_user_pages() it tends to remain pinned after fork. To deal with
this and other issues this series introduces a cgroup for tracking and
limiting the number of pages pinned or locked by tasks in the group.

However the existing behaviour with regards to the rlimit needs to be
maintained. Therefore the lesser of the two limits is
enforced. Furthermore having CAP_IPC_LOCK usually bypasses the rlimit,
but this bypass is not allowed for the cgroup.

The first part of this series converts existing drivers which
open-code the use of locked_mm/pinned_mm over to a common interface
which manages the refcounts of the associated task/mm/user
structs. This ensures accounting of pages is consistent and makes it
easier to add charging of the cgroup.

The second part of the series adds the cgroup controller and converts
core mm code such as mlock over to charging the cgroup before finally
introducing some selftests.

Rather than adding onto an exisiting cgroup controller such as memcg
we introduce a new controller. This is primarily because we wish to
limit the total number of pages tasks within a cgroup may pin/lock.

As I don't have access to systems with all the various devices I
haven't been able to test all driver changes. Any help there would be
appreciated.

Note that this series is based on v6.2-rc5 and
https://lore.kernel.org/linux-rdma/20230201115540.360353-1-bmt@zurich.ibm.com/
which makes updating the siw driver easier (thanks Bernard).

Changes from initial RFC:

 - Fixes to some driver error handling.

 - Pages charged with vm_account will always increment mm->pinned_vm
   and enforce the limit against user->locked_vm or mm->pinned_vm
   depending on initialisation flags.

 - Moved vm_account prototypes and struct definitions into a separate header.

 - Minor updates to commit messages and kernel docs (thanks to Jason,
   Christoph, Yosry and T.J.).

Outstanding issues:

 - David H pointed out that the vm_account naming is potentially
   confusing and I agree. However I have yet to come up with something
   better so will rename this in a subsequent version of this series
   (suggestions welcome).

 - Jason G raised some issues with adding the accounting struct to
   struct sock which are unresolved.

Alistair Popple (19):
  mm: Introduce vm_account
  drivers/vhost: Convert to use vm_account
  drivers/vdpa: Convert vdpa to use the new vm_structure
  infiniband/umem: Convert to use vm_account
  RMDA/siw: Convert to use vm_account
  RDMA/usnic: convert to use vm_account
  vfio/type1: Charge pinned pages to pinned_vm instead of locked_vm
  vfio/spapr_tce: Convert accounting to pinned_vm
  io_uring: convert to use vm_account
  net: skb: Switch to using vm_account
  xdp: convert to use vm_account
  kvm/book3s_64_vio: Convert account_locked_vm() to vm_account_pinned()
  fpga: dfl: afu: convert to use vm_account
  mm: Introduce a cgroup for pinned memory
  mm/util: Extend vm_account to charge pages against the pin cgroup
  mm/util: Refactor account_locked_vm
  mm: Convert mmap and mlock to use account_locked_vm
  mm/mmap: Charge locked memory to pins cgroup
  selftests/vm: Add pins-cgroup selftest for mlock/mmap

 MAINTAINERS                              |   8 +-
 arch/powerpc/kvm/book3s_64_vio.c         |  10 +-
 arch/powerpc/mm/book3s64/iommu_api.c     |  30 +--
 drivers/fpga/dfl-afu-dma-region.c        |  11 +-
 drivers/fpga/dfl-afu.h                   |   2 +-
 drivers/infiniband/core/umem.c           |  16 +-
 drivers/infiniband/core/umem_odp.c       |   6 +-
 drivers/infiniband/hw/usnic/usnic_uiom.c |  14 +-
 drivers/infiniband/hw/usnic/usnic_uiom.h |   2 +-
 drivers/infiniband/sw/siw/siw.h          |   3 +-
 drivers/infiniband/sw/siw/siw_mem.c      |  21 +--
 drivers/infiniband/sw/siw/siw_verbs.c    |  15 +-
 drivers/vdpa/vdpa_user/vduse_dev.c       |  21 +--
 drivers/vfio/vfio_iommu_spapr_tce.c      |  16 +-
 drivers/vfio/vfio_iommu_type1.c          |  60 +----
 drivers/vhost/vdpa.c                     |  17 +-
 drivers/vhost/vhost.c                    |   2 +-
 drivers/vhost/vhost.h                    |   2 +-
 include/linux/cgroup.h                   |  20 ++-
 include/linux/cgroup_subsys.h            |   4 +-
 include/linux/io_uring_types.h           |   4 +-
 include/linux/kvm_host.h                 |   2 +-
 include/linux/mm.h                       |   5 +-
 include/linux/skbuff.h                   |   7 +-
 include/linux/vm_account.h               |  57 +++++-
 include/net/sock.h                       |   3 +-
 include/net/xdp_sock.h                   |   3 +-
 include/rdma/ib_umem.h                   |   2 +-
 io_uring/io_uring.c                      |  20 +--
 io_uring/notif.c                         |   4 +-
 io_uring/notif.h                         |  10 +-
 io_uring/rsrc.c                          |  38 +---
 io_uring/rsrc.h                          |   9 +-
 mm/Kconfig                               |  11 +-
 mm/Makefile                              |   1 +-
 mm/internal.h                            |   2 +-
 mm/mlock.c                               |  76 +------
 mm/mmap.c                                |  76 +++----
 mm/mremap.c                              |  54 +++--
 mm/pins_cgroup.c                         | 273 ++++++++++++++++++++++++-
 mm/secretmem.c                           |   6 +-
 mm/util.c                                | 234 +++++++++++++++++++--
 net/core/skbuff.c                        |  47 +---
 net/rds/message.c                        |  10 +-
 net/xdp/xdp_umem.c                       |  38 +--
 tools/testing/selftests/vm/Makefile      |   1 +-
 tools/testing/selftests/vm/pins-cgroup.c | 271 ++++++++++++++++++++++++-
 virt/kvm/kvm_main.c                      |   3 +-
 48 files changed, 1143 insertions(+), 404 deletions(-)
 create mode 100644 include/linux/vm_account.h
 create mode 100644 mm/pins_cgroup.c
 create mode 100644 tools/testing/selftests/vm/pins-cgroup.c

base-commit: f0076df3552b965d8107318bd9d9e678530f1687

Comments

David Hildenbrand Feb. 16, 2023, 11:01 a.m. UTC | #1

On 06.02.23 08:47, Alistair Popple wrote:
> Having large amounts of unmovable or unreclaimable memory in a system
> can lead to system instability due to increasing the likelihood of
> encountering out-of-memory conditions. Therefore it is desirable to
> limit the amount of memory users can lock or pin.
> 
>  From userspace such limits can be enforced by setting
> RLIMIT_MEMLOCK. However there is no standard method that drivers and
> other in-kernel users can use to check and enforce this limit.
> 
> This has lead to a large number of inconsistencies in how limits are
> enforced. For example some drivers will use mm->locked_mm while others
> will use mm->pinned_mm or user->locked_mm. It is therefore possible to
> have up to three times RLIMIT_MEMLOCKED pinned.
> 
> Having pinned memory limited per-task also makes it easy for users to
> exceed the limit. For example drivers that pin memory with
> pin_user_pages() it tends to remain pinned after fork. To deal with
> this and other issues this series introduces a cgroup for tracking and
> limiting the number of pages pinned or locked by tasks in the group.
> 
> However the existing behaviour with regards to the rlimit needs to be
> maintained. Therefore the lesser of the two limits is
> enforced. Furthermore having CAP_IPC_LOCK usually bypasses the rlimit,
> but this bypass is not allowed for the cgroup.
> 
> The first part of this series converts existing drivers which
> open-code the use of locked_mm/pinned_mm over to a common interface
> which manages the refcounts of the associated task/mm/user
> structs. This ensures accounting of pages is consistent and makes it
> easier to add charging of the cgroup.
> 
> The second part of the series adds the cgroup controller and converts
> core mm code such as mlock over to charging the cgroup before finally
> introducing some selftests.
> 
> Rather than adding onto an exisiting cgroup controller such as memcg
> we introduce a new controller. This is primarily because we wish to
> limit the total number of pages tasks within a cgroup may pin/lock.
> 
> As I don't have access to systems with all the various devices I
> haven't been able to test all driver changes. Any help there would be
> appreciated.
> 
> Note that this series is based on v6.2-rc5 and
> https://lore.kernel.org/linux-rdma/20230201115540.360353-1-bmt@zurich.ibm.com/
> which makes updating the siw driver easier (thanks Bernard).
> 
> Changes from initial RFC:
> 
>   - Fixes to some driver error handling.
> 
>   - Pages charged with vm_account will always increment mm->pinned_vm
>     and enforce the limit against user->locked_vm or mm->pinned_vm
>     depending on initialisation flags.
> 
>   - Moved vm_account prototypes and struct definitions into a separate header.
> 
>   - Minor updates to commit messages and kernel docs (thanks to Jason,
>     Christoph, Yosry and T.J.).
> 
> Outstanding issues:
> 
>   - David H pointed out that the vm_account naming is potentially
>     confusing and I agree. However I have yet to come up with something
>     better so will rename this in a subsequent version of this series
>     (suggestions welcome).


vm_lockaccount ? vm_pinaccount ?

Less confusing than reusing VM_ACCOUNT which translates to "commit 
accounting".

Might also make sense to rename VM_ACCOUNT to VM_COMMIT or sth like that.