On Thu, Feb 23, 2023 at 9:28 AM Jason Gunthorpe <jgg@xxxxxxxxxx> wrote: > > On Thu, Feb 23, 2023 at 09:18:23AM -0800, T.J. Mercier wrote: > > > > Solving that problem means figuring out when every cgroup stops using > > > the memory - pinning or not. That seems to be very costly. > > > > > This is the current behavior of accounting for memfds, and I suspect > > any kind of shared memory. > > > > If cgroup A creates a memfd, maps and faults in pages, shares the > > memfd with cgroup B and then A unmaps and closes the memfd, then > > cgroup A is still charged for the pages it faulted in. > > As we discussed, as long as the memory is swappable then eventually > memory pressure on cgroup A will evict the memfd pages and then cgroup > B will swap it in and be charged for it. I am not familiar with memfd, but based on mem_cgroup_swapin_charge_folio() it seems like if cgroup B swapped in the pages they will remain charged to cgroup A, unless cgroup A is removed/offlined. Am I missing something? > > > FWIW this is also the behavior I was trying to use to attribute > > dma-buffers to their original allocators. Whoever touches it first > > gets charged as long as the memory is alive somewhere. > > > > Can't we do the same thing for pins? > > If pins are tracked independently from memcg then definately not, > a process in cgroup A should never be able to make a charge on cgroup > B as a matter of security. > > If pins are part of the memcg then we can't always turn the pin > request in to a NOP - the current cgroup always has to be charged for > the memory. Otherwise what is the point from a security perspective? > > Jason
