From patchwork Thu Dec 5 22:37:21 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Shakeel Butt X-Patchwork-Id: 11275475 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id BB8C7112B for ; Thu, 5 Dec 2019 22:39:30 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 880422464E for ; Thu, 5 Dec 2019 22:39:30 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="slwC1m8p" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 880422464E Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id A9E4C6B128A; Thu, 5 Dec 2019 17:39:29 -0500 (EST) Delivered-To: linux-mm-outgoing@kvack.org Received: by kanga.kvack.org (Postfix, from userid 40) id A4F606B128B; Thu, 5 Dec 2019 17:39:29 -0500 (EST) X-Original-To: int-list-linux-mm@kvack.org X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 9655E6B128C; Thu, 5 Dec 2019 17:39:29 -0500 (EST) X-Original-To: linux-mm@kvack.org X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0254.hostedemail.com [216.40.44.254]) by kanga.kvack.org (Postfix) with ESMTP id 8080D6B128A for ; Thu, 5 Dec 2019 17:39:29 -0500 (EST) Received: from smtpin20.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay04.hostedemail.com (Postfix) with SMTP id 30251513 for ; Thu, 5 Dec 2019 22:39:29 +0000 (UTC) X-FDA: 76232555658.20.moon03_52c867f275425 X-Spam-Summary: 2,0,0,587588e0d3a7ee0b,d41d8cd98f00b204,3h4fpxqgkcmg6voysszpu22uzs.q20zw18b-00y9oqy.25u@flex--shakeelb.bounces.google.com,:akpm@linux-foundation.org:guro@fb.com::hannes@cmpxchg.org:mhocko@suse.com:linux-kernel@vger.kernel.org:shakeelb@google.com,RULES_HIT:41:152:355:379:541:800:960:973:988:989:1260:1277:1313:1314:1345:1437:1516:1518:1534:1541:1593:1594:1711:1730:1747:1777:1792:2393:2559:2562:2890:2894:3138:3139:3140:3141:3142:3152:3352:3865:3866:3867:3868:3870:3871:3874:4042:4321:5007:6261:6653:8957:9969:10004:10400:11026:11473:11658:11914:12043:12296:12297:12438:12555:12895:13069:13161:13229:13311:13357:14096:14097:14181:14394:14659:14721:21080:21444:21450:21451:21627:30001:30054,0,RBL:209.85.214.201:@flex--shakeelb.bounces.google.com:.lbl8.mailshell.net-62.18.0.100 66.100.201.100,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:none,DomainCache:0,MSF:not bulk,SPF:fp,MSBL:0,DNSBL:neutral,Custom_rules:0:0:0,LFtime:25,LUA_SUMMARY:none X-HE-Tag: moon03_52c867f275425 X-Filterd-Recvd-Size: 4191 Received: from mail-pl1-f201.google.com (mail-pl1-f201.google.com [209.85.214.201]) by imf37.hostedemail.com (Postfix) with ESMTP for ; Thu, 5 Dec 2019 22:39:28 +0000 (UTC) Received: by mail-pl1-f201.google.com with SMTP id z9so2400645plo.8 for ; Thu, 05 Dec 2019 14:39:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:message-id:mime-version:subject:from:to:cc; bh=kGHV6wWHuR85r8JUVhZxWZLnGRhOsKtFOqh8044dUiY=; b=slwC1m8pMy3CmZ2Rmyejy/2oozQ0iVHpXII02F/rtTyqOBzv3xgogwpPqHDQtMdtmR NpRHBcfjGdSKwuQ9FR5ybbmGuPZ010y+jjBQWWgvpMwt5JRr6YX3C3L0Pz1N3fJfB6rT 3u8tDZAcToNIzsyinGyh22g18lwiMnbk/QS+6xwzvl5vlBHfNX3qYsSC0R/5v7Ez9ZKv x1dtRLFrYHDk7vCGBYEb0yK6nIJGyZ9L8FbEwzcEtDuEqHE2Sz492L1sTgODQFy+V5cc ejenTr1sN//W7JtpSZ6aF4FZ6/ErbCKlbY0UV9cfW5WChHmAH9bCSKrkOGulQ8MLVae9 G6cA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc; bh=kGHV6wWHuR85r8JUVhZxWZLnGRhOsKtFOqh8044dUiY=; b=XEsqbaBeky+Ut11whIcvkxecIsgQa70cBhHYMcEoA175lwBvA7Eh7oavuZV8NU0tmQ X/Ugh4a89SA1DSS/HnNibgtzTKBk5m4UYAshlUZj1qtXDba2vppsTWI01rSfYfy1/d8I 0i58NrpSMdOCC9Rxi+O9jExwSMCWX466IQiF3pffNf2eMVASx2UPpdLoGqlnhtADA0rx t0p3ZCGPW75KX1G2XY+nozfifLhvtCok11ByWmxAz7VBYTT3yB3fyl7Q2CqEwSHOknt+ yRCiswdVGFT2xGAcwMvSSAMApsL6sak/08ryf30WPm+Nq/33juUMu3Oer5BJCeNB06j3 XzIg== X-Gm-Message-State: APjAAAXBb0YELnNnGFRSYTlNIu2Jd25s5wuwbHR5nCbAH43T2xaTr71D 1kM2M2KzANY/kqRgRE8soS/N5/smJHgJAg== X-Google-Smtp-Source: APXvYqwe4CwGsiUN2fTj1I/3OuD/q3NkVnY6avpKVZED0zX+q/YWlF8hdegcNwN7w8/e+OsExNr2SJOakyob1g== X-Received: by 2002:a63:8eca:: with SMTP id k193mr11745136pge.293.1575585567543; Thu, 05 Dec 2019 14:39:27 -0800 (PST) Date: Thu, 5 Dec 2019 14:37:21 -0800 Message-Id: <20191205223721.40034-1-shakeelb@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.24.0.393.g34dc348eaf-goog Subject: [PATCH] memcg: account security cred as well to kmemcg From: Shakeel Butt To: Andrew Morton Cc: Roman Gushchin , linux-mm@kvack.org, Johannes Weiner , Michal Hocko , linux-kernel@vger.kernel.org, Shakeel Butt X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: The cred_jar kmem_cache is already memcg accounted in the current kernel but cred->security is not. Account cred->security to kmemcg. Recently we saw high root slab usage on our production and on further inspection, we found a buggy application leaking processes. Though that buggy application was contained within its memcg but we observe much more system memory overhead, couple of GiBs, during that period. This overhead can adversely impact the isolation on the system. One of source of high overhead, we found was cred->secuity objects. Signed-off-by: Shakeel Butt Acked-by: Chris Down Reviewed-by: Roman Gushchin Acked-by: Michal Hocko --- kernel/cred.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kernel/cred.c b/kernel/cred.c index c0a4c12d38b2..9ed51b70ed80 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -223,7 +223,7 @@ struct cred *cred_alloc_blank(void) new->magic = CRED_MAGIC; #endif - if (security_cred_alloc_blank(new, GFP_KERNEL) < 0) + if (security_cred_alloc_blank(new, GFP_KERNEL_ACCOUNT) < 0) goto error; return new; @@ -282,7 +282,7 @@ struct cred *prepare_creds(void) new->security = NULL; #endif - if (security_prepare_creds(new, old, GFP_KERNEL) < 0) + if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0) goto error; validate_creds(new); return new; @@ -715,7 +715,7 @@ struct cred *prepare_kernel_cred(struct task_struct *daemon) #ifdef CONFIG_SECURITY new->security = NULL; #endif - if (security_prepare_creds(new, old, GFP_KERNEL) < 0) + if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0) goto error; put_cred(old);