From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.1 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4495AC47254 for ; Fri, 1 May 2020 07:29:47 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id D86252071C for ; Fri, 1 May 2020 07:29:46 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Mi5ERmmK" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org D86252071C Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 7315F8E0008; Fri, 1 May 2020 03:29:46 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 6E26C8E0001; Fri, 1 May 2020 03:29:46 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 5F7DB8E0008; Fri, 1 May 2020 03:29:46 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0036.hostedemail.com [216.40.44.36]) by kanga.kvack.org (Postfix) with ESMTP id 4729C8E0001 for ; Fri, 1 May 2020 03:29:46 -0400 (EDT) Received: from smtpin02.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay01.hostedemail.com (Postfix) with ESMTP id F05E5180AD80F for ; Fri, 1 May 2020 07:29:45 +0000 (UTC) X-FDA: 76767325530.02.place59_1b03205eafa51 X-HE-Tag: place59_1b03205eafa51 X-Filterd-Recvd-Size: 11957 Received: from mail-lf1-f66.google.com (mail-lf1-f66.google.com [209.85.167.66]) by imf08.hostedemail.com (Postfix) with ESMTP for ; Fri, 1 May 2020 07:29:45 +0000 (UTC) Received: by mail-lf1-f66.google.com with SMTP id y3so3301499lfy.1 for ; Fri, 01 May 2020 00:29:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=WdYky6/+3S/nXofVeDdZMYzS4hpwd1fjyk0hvTc8SyE=; b=Mi5ERmmKKx3HshCCcH6cYEkNFy/NMwHedqlgIstMrMN2XKRt3sfxC2+Qet8qWB+zBf pBeerqNYutmY2TOweylMZu8bBhrfkCqblJyVv/QCZnFS+AV3atkSUkmD+PC2BTYuW1S7 koCVhKxXfDBF4br6islz1cdj6BZmQ4MahyqIs8G/ig0vZxDj7ljPeV0ZDaKVOuj5revM QqCcC9gdZ8ruBOS70wH2u8a5t8xxSY1LpYViwqq6ggZgKfHTiDDqE7i96Zpgta9Sgu6x 9Nie4IYROzARBh9HGnHbGV2pZ9DGNHqOiKDeQnDlKz/miqas33BEiSVPzTV3jA/4soL2 1jzQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=WdYky6/+3S/nXofVeDdZMYzS4hpwd1fjyk0hvTc8SyE=; b=ekWLGrUS2BjSRDXlRDQwgsV75YDcMrgPP/8FOhUM+24peuhnXDOPnH11MzHkXGmXh2 +04EswHFCVDrjgqYQw6bJQC/aD5ugwdu+09T2jwLdU6MmqMdu0cqyGc2S+XDgFbtiIHe X7jBXU4aTVMKPkGFD9ExuE9O/tq8M7H4lvjhbsPAHACIhiEt83XUEG1CpiDgFthbj4gs w5a9Inp1/FQLrHW1zG14QvMKzMPPUytfx1b334MSaRLD/3Leut4V1W/9z96ueBNHRktN tUbbkPGavvkTclcgzrbToQV4xV14cEd2PZadA+hFHGNDJpVUztwp4NEeJtcrER1ampZY GXgw== X-Gm-Message-State: AGi0PubbZuEIIwAGgQJ1VkY7ximLDZS8QxWibk2oH0s8GfKy7NK+0L6i D2uEdWVQj8Jn8Ds1KLwwjHuAziKO X-Google-Smtp-Source: APiQypJC5oww79lM3H08w61Uc7si7FSeHT6IpNd/EWqmEEotOn108MtFfdADC8FiGHhBJS8EojvGHA== X-Received: by 2002:a05:6512:514:: with SMTP id o20mr1145495lfb.44.1588318183605; Fri, 01 May 2020 00:29:43 -0700 (PDT) Received: from [192.168.1.38] (88-114-211-119.elisa-laajakaista.fi. [88.114.211.119]) by smtp.gmail.com with ESMTPSA id w29sm1647125lfq.35.2020.05.01.00.29.42 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 01 May 2020 00:29:42 -0700 (PDT) Subject: Re: Tmpfs size accounting misses memory allocations To: Hugh Dickins Cc: Helge Deller , Pete Zaitcev , linux-mm@kvack.org References: <63ab63bd-d6c6-a96a-9667-bbe8edb7cedb@gmail.com> <38759fbe-77a1-f105-ccde-9529170bd9a0@gmail.com> From: Topi Miettinen Message-ID: Date: Fri, 1 May 2020 10:29:41 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 1.5.2020 6.14, Hugh Dickins wrote: > On Tue, 28 Apr 2020, Topi Miettinen wrote: >> On 28.4.2020 4.34, Hugh Dickins wrote: >>> On Sat, 25 Apr 2020, Topi Miettinen wrote: >>>> Hi, >>>> >>>> It seems that tmpfs does not count memory which is allocated for short >>>> symlinks or xattrs towards size= limit. >>> >>> Yes, you are right. And that is why tmpfs does not (so far) support >>> user xattrs, because the unprivileged user could take up too much >>> memory that way. >>> >>>> I guess the fix would be to change >>>> shmem_sb_info->{used_blocks,max_blocks} to use bytes as units (instead of >>>> blocks) and then add accounting and checks to shmem_symlink() and >>>> shmem_initxattrs(). Would a patch for that be acceptable? >>> >>> Thank you for offering, but I don't think a patch for exactly that would >>> be acceptable. Because "size=" has just been another way of expressing >>> "nr_blocks=" ever since it was added in 2.4.4, and tmpfs has never >>> counted the kernel metadata towards its data blocks limit. >>> >>> You could certainly argue that it should have done from the start; but >>> in order to keep the accounting suitably simple (pages rather than bytes) >>> it never did. And I believe there are many users who expect a tmpfs of a >>> certain size to be able to accommodate data of that size, who would not >>> care to have to change their scripts or apps to meet a lower limitation. >>> >>>> >>>> Another issue is that inodes aren't counted towards size= limit either, >>>> but >>>> perhaps that's intentional because there's nr_inodes= mount option for >>>> exactly that. >>> >>> Yes, tmpfs lets the nr_inodes limit be used to constrain the kernel >>> metadata (and tmpfs has a peculiarity, that it actually counts hard >>> links out of nr_inodes, in order to limit the memory spent on dentries). >>> >>> I doubt the nr_inodes limit is depended upon so critically as the >>> nr_blocks, and I think we might extend it (say, consider each 1 of >>> nr_inodes to grant approximately 1kB of unswappable lowmem metadata) >>> to enable limited user xattrs: a patch along those lines might well >>> be acceptable. >> >> I'm interested in restricting the amount of memory allocated to tmpfs mounts >> in the system rather than granting more. I've seen a system lock up because >> tmpfs mounts consumed the entire memory. Possible contributing factors could >> be use of LVM and encryption for the swap. > > Yes, it is too easy to get into a terrible state that way. With OOM > killer doing no good at all, because it's busy killing processes, which > does nothing to free the memory held by tmpfs files. I've never found > a good answer to that in general, though marking files as suitable for > truncation on OOM has been useful in special cases. > >> >> Perhaps there should be a single system limit (sysctl) for total memory >> consumed by all {dev,}tmpfs mounts? Setting this to for example 75% could be >> life saving. Then also the compatibility issues would not matter and all >> memory allocations could be counted. > > It's a good suggestion, though I don't much like it. Why not? Hmm: > I'm having difficulty expressing why not, let me sit on it for a bit, > I may come around to your idea there. > > My resistance is partly because we already have several other schemes > for resource limiting: the nr_blocks+nr_inodes, the __vm_enough_memory() > checks (/proc/sys/vm/overcommit*), and nowadays memory cgroups. Adding > yet another is likely to make some fast paths slower. > > I expect you to say that this is a fundamental problem with tmpfs, which > should not have to rely on use of MEMCG to save it: I'll agree with you. > And I'd hoped to sell you /proc/sys/vm/overcommit_memory 2 (never > overcommit), before realizing that offers no protection at all from an > explosion of tmpfs inodes, only an explosion of tmpfs data. Not sure > why we never realized that back in the day: perhaps that is what should > be fixed. Memory cgroups (or something similar) could be a solution if the total could be kept for example at 75%, but wouldn't this leave 25% of memory totally unused? A new cgroup to limit only tmpfs would not have this problem. Either way, setting reasonable limits for each cgroup could be a lot of work. The mounts can be global and each mount namespace can have additional tmpfs mounts. /proc/sys/vm/overcommit_memory or overcommit_ratio could also work, if there was a way to limit the memory use to less than 100%. Also address space usage by itself is not interesting but physical RAM use (perhaps via page tables for address spaces). Man proc(5) also mentions /proc/sys/fs/inode-max to limit in-memory inodes but it no longer exists since v2.2. Another existing candidate could be /proc/sys/kernel/shmall (system-wide limit on the total number of pages of System V shared memory), if SysV shm here was somehow reinterpreted as any shared memory including tmpfs. Is there any connection between SysV shm and tmpfs anymore? If there was a global limit (and/or cgroup limits), should shm also be counted towards the limits or should they be separate? Then there's /proc/sys/vm/admin_reserve_kbytes. I suppose 'admin' means UID 0 here, so it would not protect the system from accidental filling of tmpfs mounts by UID 0 processes. It would still be something. > I see now that whether metadata (nr_inodes space) is included in size > or not is just a detail: you had quite reasonably expected it to be > included, but it happens to be additional. The problem is not that it's > additional to size, but that few of us are conscious of how high its > default is: how much memory could be gobbled up in that way (I roughly > estimate 1kB per inode+dentry). Though I think you need a malicious > explosion of inodes in several tmpfs instances to get into trouble > that way, if data sizes are already properly limited. Half of physical memory pages allows 1/8 (50% * 1kB / 4kB pagesize) of the memory to be used for the inodes, so if inodes are not limited, it would take eight tmpfs mounts for inodes only attack. Though data block limits are never zero and unfortunately there could be unlimited mounts in the systems, so the number of mounts needed for causing trouble is probably lower. >>>> If these are not bugs but intentional features, I think the manual page >>>> tmpfs(5) should be clearer in this respect. >>> >>> Nobody has asked for that before, it seems to have met expectations as is. >>> But a sentence could be added to the manpage: do you have wording in mind? >> >> For example addition to the size option: >> >> NB: Only the contents (blocks) of regular files are counted towards the size >> limit. To limit RAM consumption also by the inodes of the directories, >> symbolic links or device special files, option nr_inodes must be used. > > Better not get into listing directories, symbolic links or device special > files there: it's equally a weakness for regular files - if so minded, > I think you could exhaust memory with enough 0-length regular files > across enough tmpfs instances. > > I'm holding back from sending that on to Michael Kerrisk for the man-page > for now: if we do decide to add a protective sysctl, we shall want to > mention that there too. > > But one little change that occurred to me this morning: how about this > patch, to stop hiding the default size and nr_inodes from /proc/mounts > (and "mount" command), to help make people more conscious of these limits, > and encourage them to be scaled down: > > --- 5.7-rc3/mm/shmem.c 2020-04-26 16:05:25.061228461 -0700 > +++ linux/mm/shmem.c 2020-04-30 18:59:59.253865989 -0700 > @@ -3583,11 +3583,8 @@ static int shmem_show_options(struct seq > { > struct shmem_sb_info *sbinfo = SHMEM_SB(root->d_sb); > > - if (sbinfo->max_blocks != shmem_default_max_blocks()) > - seq_printf(seq, ",size=%luk", > - sbinfo->max_blocks << (PAGE_SHIFT - 10)); > - if (sbinfo->max_inodes != shmem_default_max_inodes()) > - seq_printf(seq, ",nr_inodes=%lu", sbinfo->max_inodes); > + seq_printf(seq, ",size=%luk", sbinfo->max_blocks << (PAGE_SHIFT - 10)); > + seq_printf(seq, ",nr_inodes=%lu", sbinfo->max_inodes); > if (sbinfo->mode != (0777 | S_ISVTX)) > seq_printf(seq, ",mode=%03ho", sbinfo->mode); > if (!uid_eq(sbinfo->uid, GLOBAL_ROOT_UID)) > Good idea. There shouldn't be any compatibility issues since the applications should have been prepared to read the size and nr_inodes options always. -Topi