On Wed, May 27, 2020 at 12:58:46PM -0700, Jakub Kicinski wrote: > Add a memory.swap.high knob, which can be used to protect the system > from SWAP exhaustion. The mechanism used for penalizing is similar > to memory.high penalty (sleep on return to user space). > > That is not to say that the knob itself is equivalent to memory.high. > The objective is more to protect the system from potentially buggy > tasks consuming a lot of swap and impacting other tasks, or even > bringing the whole system to stand still with complete SWAP > exhaustion. Hopefully without the need to find per-task hard > limits. > > Slowing misbehaving tasks down gradually allows user space oom > killers or other protection mechanisms to react. oomd and earlyoom > already do killing based on swap exhaustion, and memory.swap.high > protection will help implement such userspace oom policies more > reliably. > > We can use one counter for number of pages allocated under > pressure to save struct task space and avoid two separate > hierarchy walks on the hot path. The exact overage is > calculated on return to user space, anyway. > > Take the new high limit into account when determining if swap > is "full". Borrowing the explanation from Johannes: > > The idea behind "swap full" is that as long as the workload has plenty > of swap space available and it's not changing its memory contents, it > makes sense to generously hold on to copies of data in the swap > device, even after the swapin. A later reclaim cycle can drop the page > without any IO. Trading disk space for IO. > > But the only two ways to reclaim a swap slot is when they're faulted > in and the references go away, or by scanning the virtual address space > like swapoff does - which is very expensive (one could argue it's too > expensive even for swapoff, it's often more practical to just reboot). > > So at some point in the fill level, we have to start freeing up swap > slots on fault/swapin. Otherwise we could eventually run out of swap > slots while they're filled with copies of data that is also in RAM. > > We don't want to OOM a workload because its available swap space is > filled with redundant cache. > > Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx> This looks great to me now, thanks Jakub! Acked-by: Johannes Weiner <hannes@xxxxxxxxxxx>