On Mon, Mar 15, 2021 at 12:24:31PM -0700, Shakeel Butt wrote: > On Mon, Mar 15, 2021 at 10:09 AM Jakub Kicinski <kuba@xxxxxxxxxx> wrote: > > > > On Mon, 15 Mar 2021 15:23:00 +0300 Vasily Averin wrote: > > > An untrusted netadmin inside a memcg-limited container can create a > > > huge number of routing entries. Currently, allocated kernel objects > > > are not accounted to proper memcg, so this can lead to global memory > > > shortage on the host and cause lot of OOM kiils. > > > > > > One such object is the 'struct fib6_node' mostly allocated in > > > net/ipv6/route.c::__ip6_ins_rt() inside the lock_bh()/unlock_bh() section: > > > > > > write_lock_bh(&table->tb6_lock); > > > err = fib6_add(&table->tb6_root, rt, info, mxc); > > > write_unlock_bh(&table->tb6_lock); > > > > > > It this case is not enough to simply add SLAB_ACCOUNT to corresponding > > > kmem cache. The proper memory cgroup still cannot be found due to the > > > incorrect 'in_interrupt()' check used in memcg_kmem_bypass(). > > > To be sure that caller is not executed in process contxt > > > '!in_task()' check should be used instead > > > > Sorry for a random question, I didn't get the cover letter. > > > > What's the overhead of adding SLAB_ACCOUNT? > > > > The potential overhead is for MEMCG users where we need to > charge/account each allocation from SLAB_ACCOUNT kmem caches. However > charging is done in batches, so the cost is amortized. If there is a > concern about a specific workload then it would be good to see the > impact of this patch for that workload. > > > Please make sure you CC netdev on series which may impact networking. In general the overhead is not that big, so I don't think we should argue too much about every new case where we want to enable the accounting and rather focus on those few examples (if any?) where it actually hurts the performance in a meaningful way. Thanks!