From: Vasily Averin <vasily.averin@linux.dev>
To: Florian Westphal <fw@strlen.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
kernel@openvz.org, Jozsef Kadlecsik <kadlec@netfilter.org>,
netfilter-devel@vger.kernel.org, linux-kernel@vger.kernel.org,
Roman Gushchin <roman.gushchin@linux.dev>
Subject: Re: [PATCH nft] nft: memcg accounting for dynamically allocated objects
Date: Fri, 1 Apr 2022 21:56:26 +0300 [thread overview]
Message-ID: <7bfa2e2e-b22d-7561-661b-41ef7714caf5@linux.dev> (raw)
In-Reply-To: <20220401120342.GC9545@breakpoint.cc>
On 4/1/22 15:03, Florian Westphal wrote:
> Vasily Averin <vasily.averin@linux.dev> wrote:
>> nft_*.c files whose NFT_EXPR_STATEFUL flag is set on need to
>> use __GFP_ACCOUNT flag for objects that are dynamically
>> allocated from the packet path.
>>
>> Such objects are allocated inside .init() or .clone() callbacks
>> of struct nft_expr_ops executed in task context while processing
>> netlink messages.
>
> They can also be called from packet path.
>> @@ -214,7 +214,7 @@ static int nft_connlimit_clone(struct nft_expr *dst, const struct nft_expr *src)
>> struct nft_connlimit *priv_dst = nft_expr_priv(dst);
>> struct nft_connlimit *priv_src = nft_expr_priv(src);
>>
>> - priv_dst->list = kmalloc(sizeof(*priv_dst->list), GFP_ATOMIC);
>> + priv_dst->list = kmalloc(sizeof(*priv_dst->list), GFP_ATOMIC | __GFP_ACCOUNT);
>
> This can be called from packet path, via nft_dynset.c.
>
> nft_do_chain -> nft_dynset_eval -> nft_dynset_new ->
> nft_dynset_expr_setup -> nft_expr_clone -> src->ops->clone()
>
Thank you, I noticed this case but did not understand that it is related to packet path.
>> @@ -235,7 +235,7 @@ static int nft_counter_clone(struct nft_expr *dst, const struct nft_expr *src)
>>
>> nft_counter_fetch(priv, &total);
>>
>> - cpu_stats = alloc_percpu_gfp(struct nft_counter, GFP_ATOMIC);
>> + cpu_stats = alloc_percpu_gfp(struct nft_counter, GFP_ATOMIC | __GFP_ACCOUNT);
>> if (cpu_stats == NULL)
>> return -ENOMEM;
>
> Same problem as connlimit, can be called from packet path.
> Basically all GFP_ATOMIC are suspicious.
>
> Not sure how to resolve this, similar mechanics in iptables world (e.g.
> connlimit or SET target) don't use memcg accounting.
>
> Perhaps for now resend with only the GFP_KERNEL parts converted?
> Those are safe.
It is safe for packet path too, _ACCOUNT allocation will not be able to find memcg
in case of "!in_task()" context.
On the other hand any additional checks on such path will affect performance.
Could you please estimate how often is this code used in the case of nft vs packet path?
If packet path is rare case I think we can keep current code as is.
If the opposite is the case, then I can add __GFP_ACCOUNT flag depending on in_task() check.
Thank you,
Vasily Averin
next prev parent reply other threads:[~2022-04-01 18:56 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-28 6:39 [PATCH RFC] memcg: Enable accounting for nft objects Vasily Averin
2022-02-28 12:24 ` Florian Westphal
2022-03-21 5:02 ` [PATCH v2] memcg: enable " Vasily Averin
2022-03-22 10:25 ` Florian Westphal
2022-03-24 14:19 ` Pablo Neira Ayuso
2022-03-24 17:23 ` Vasily Averin
2022-03-21 5:12 ` [PATCH RFC] memcg: Enable " Vasily Averin
2022-03-24 18:05 ` [PATCH v2 RESEND] memcg: enable " Vasily Averin
2022-03-28 8:15 ` Pablo Neira Ayuso
2022-03-28 9:23 ` Vasily Averin
2022-03-31 8:40 ` [PATCH nft] nft: memcg accounting for dynamically allocated objects Vasily Averin
2022-03-31 18:45 ` Roman Gushchin
2022-04-01 12:03 ` Florian Westphal
2022-04-01 18:56 ` Vasily Averin [this message]
2022-04-01 19:31 ` Florian Westphal
2022-04-01 21:14 ` Roman Gushchin
2022-04-01 23:01 ` Florian Westphal
2022-04-02 8:55 ` Vasily Averin
2022-04-02 9:50 ` [PATCH v2] " Vasily Averin
2022-04-05 9:58 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7bfa2e2e-b22d-7561-661b-41ef7714caf5@linux.dev \
--to=vasily.averin@linux.dev \
--cc=fw@strlen.de \
--cc=kadlec@netfilter.org \
--cc=kernel@openvz.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=roman.gushchin@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.