On Thu, Feb 17, 2022 at 03:36:20PM -0500, Rik van Riel wrote:
> The patch works, but a cleanup question for Al Viro:
>
> How do we get rid of #include "../fs/mount.h" and the raw ->mnt_ns = NULL thing
> in the cleanest way?
Maybe add a tiny helper to include/linux/mount.h or ipc_namespace.h, slap two underscores in front of it, mention in the comment that this is i) not for general use, ii) requires - as Al said - clean rcu handling, iii) should never ever be exported? To prevent it from being reusable you could make it take struct ipc_namespace as arg instead of struct (vfs)mnt? That might mean you'd have to include it in ipc_namespace.h, I guess. Not sure what's best there.
>
> ---8<---
> Currently freeing ipc_namespace structures is done through a
> workqueue, with every single item on the queue waiting in
> synchronize_rcu before it is freed, limiting the rate at which
> ipc_namespace structures can be freed to something on the order
> of 100 a second.
>
> Getting rid of that workqueue and just using rcu_work instead
> allows a whole batch of ipc_namespace frees to wait one single
> RCU grace period, after which they can all get freed quickly.
>
> Without this patch, a test program that simply calls
> unshare(CLONE_NEWIPC) a million times in a loop eventually
> gets -ENOSPC as the total number of ipc_namespace structures
> exceeds the limit, due to slow freeing.
>
> With this patch, the test program runs successfully every time.
>
> Reported-by: Chris Mason <clm@xxxxxx>
> Signed-off-by: Rik van Riel <riel@xxxxxxxxxxx>
> ---
> include/linux/ipc_namespace.h | 2 +-
> ipc/namespace.c | 30 ++++++++----------------------
> 2 files changed, 9 insertions(+), 23 deletions(-)
>
> diff --git a/include/linux/ipc_namespace.h b/include/linux/ipc_namespace.h
> index b75395ec8d52..ee26fdbb2ce4 100644
> --- a/include/linux/ipc_namespace.h
> +++ b/include/linux/ipc_namespace.h
> @@ -67,7 +67,7 @@ struct ipc_namespace {
> struct user_namespace *user_ns;
> struct ucounts *ucounts;
>
> - struct llist_node mnt_llist;
> + struct rcu_work free_rwork;
>
> struct ns_common ns;
> } __randomize_layout;
> diff --git a/ipc/namespace.c b/ipc/namespace.c
> index ae83f0f2651b..3d151bc5f723 100644
> --- a/ipc/namespace.c
> +++ b/ipc/namespace.c
> @@ -17,6 +17,7 @@
> #include <linux/proc_ns.h>
> #include <linux/sched/task.h>
>
> +#include "../fs/mount.h"
> #include "util.h"
>
> static struct ucounts *inc_ipc_namespaces(struct user_namespace *ns)
> @@ -115,12 +116,11 @@ void free_ipcs(struct ipc_namespace *ns, struct ipc_ids *ids,
> up_write(&ids->rwsem);
> }
>
> -static void free_ipc_ns(struct ipc_namespace *ns)
> +static void free_ipc_ns(struct work_struct *work)
> {
> - /* mq_put_mnt() waits for a grace period as kern_unmount()
> - * uses synchronize_rcu().
> - */
> - mq_put_mnt(ns);
> + struct ipc_namespace *ns = container_of(to_rcu_work(work),
> + struct ipc_namespace, free_rwork);
> + mntput(ns->mq_mnt);
> sem_exit_ns(ns);
> msg_exit_ns(ns);
> shm_exit_ns(ns);
> @@ -131,21 +131,6 @@ static void free_ipc_ns(struct ipc_namespace *ns)
> kfree(ns);
> }
>
> -static LLIST_HEAD(free_ipc_list);
> -static void free_ipc(struct work_struct *unused)
> -{
> - struct llist_node *node = llist_del_all(&free_ipc_list);
> - struct ipc_namespace *n, *t;
> -
> - llist_for_each_entry_safe(n, t, node, mnt_llist)
> - free_ipc_ns(n);
> -}
> -
> -/*
> - * The work queue is used to avoid the cost of synchronize_rcu in kern_unmount.
> - */
> -static DECLARE_WORK(free_ipc_work, free_ipc);
> -
> /*
> * put_ipc_ns - drop a reference to an ipc namespace.
> * @ns: the namespace to put
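Review bot: The rewritten free_ipc_ns() in ipc/namespace.c deletes the only comment that explained the grace-period requirement and puts nothing in its place. The `mntput(ns->mq_mnt)` appears to rely on `queue_rcu_work()` in put_ipc_ns() having waited out an RCU grace period after `->mnt_ns` was cleared, which is the ordering the deleted comment attributed to kern_unmount(). I would add above the mntput: `/* Runs from rcu_work: a grace period has passed since put_ipc_ns() cleared ->mnt_ns, standing in for the synchronize_rcu() in kern_unmount(). */`. The function body continues past the end of this hunk.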
> @@ -166,10 +151,11 @@ void put_ipc_ns(struct ipc_namespace *ns)
> {
> if (refcount_dec_and_lock(&ns->ns.count, &mq_lock)) {
> mq_clear_sbinfo(ns);
> + real_mount(ns->mq_mnt)->mnt_ns = NULL;
> spin_unlock(&mq_lock);
>
> - if (llist_add(&ns->mnt_llist, &free_ipc_list))
> - schedule_work(&free_ipc_work);
> + INIT_RCU_WORK(&ns->free_rwork, free_ipc_ns);
> + queue_rcu_work(system_wq, &ns->free_rwork);
> }
> }
>
> --
> 2.34.1
>
>
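Review bot: The added `real_mount(ns->mq_mnt)->mnt_ns = NULL;` in put_ipc_ns() dereferences `ns->mq_mnt` unconditionally, whereas the replaced path went through mq_put_mnt() and, per the deleted comment, kern_unmount(). If kern_unmount() in this tree skips NULL or error pointers, as it does in the versions I know, and `mq_mnt` can be unset (for example with POSIX message queues compiled out, which this patch does not show), the store would write through an invalid pointer on namespace teardown. A guard such as `if (!IS_ERR_OR_NULL(ns->mq_mnt)) real_mount(ns->mq_mnt)->mnt_ns = NULL;` keeps the earlier tolerance. The `mntput(ns->mq_mnt)` in free_ipc_ns() would need the same check if an error pointer can be stored there.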