On Tue, Mar 17, 2020 at 08:52:12AM +0100, Michal Hocko wrote: > On Mon 16-03-20 15:35:10, Roman Gushchin wrote: > > If a task is getting moved out of the OOMing cgroup, it might > > result in unexpected OOM killings if memory.oom.group is used > > anywhere in the cgroup tree. > > > > Imagine the following example: > > > > A (oom.group = 1) > > / \ > > (OOM) B C > > > > Let's say B's memory.max is exceeded and it's OOMing. The OOM killer > > selects a task in B as a victim, but someone asynchronously moves > > the task into C. > > I can see Reported-by here, does that mean that the race really happened > in real workloads? If yes, I would be really curious. Mostly because > moving tasks outside of the oom domain is quite questionable without > charge migration. Yes, I've got a number of OOM messages where oom_cgroup != task_cgroup. The only reasonable explanation is that the task has been moved out after being selected as a victim. In my case it resulted in killing all tasks in A, and it what hurt the workload. > > > mem_cgroup_get_oom_group() will iterate over all > > ancestors of C up to the root cgroup. In theory it had to stop > > at the oom_domain level - the memory cgroup which is OOMing. > > But because B is not an ancestor of C, it's not happening. > > Instead it chooses A (because it's oom.group is set), and kills > > all tasks in A. This behavior is wrong because the OOM happened in B, > > so there is no reason to kill anything outside. > > > > Fix this by checking it the memory cgroup to which the task belongs > > is a descendant of the oom_domain. If not, memory.oom.group should > > be ignored, and the OOM killer should kill only the victim task. > > I was about to suggest storing the memcg in oom_evaluate_task but then I > have realized that this would be both more complex and I am not yet > sure it would be better so much better after all. > > The thing is that killing the selected task makes a lot of sense > because it was the largest consumer. No matter it has run away. On the > other hand if your B was oom.group = 1 then one could expect that any > OOM killer event in that group will result in the whole group tear > down. This is however a gray zone because we do emit MEMCG_OOM event but > MEMCG_OOM_KILL event will go to the victim's at-the-time memcg. So the > observer B could think that the oom was resolved without killing while > observer C would see a kill event without oom. I agree. Killing the task outside of the OOMing cgroup is already strange. Should we somehow lock the OOMing cgroup? So that tasks can not escape and enter it until the finish of the OOM killing? It seems to be a better idea, because it will also make the oom.group killing less racy: currently a forking app can potentially escape from it. And the we can put something like if (WARN_ON_ONCE(!mem_cgroup_is_descendant(memcg, oom_domain))) goto out; to mem_cgroup_get_oom_group? What do you think? Thanks!