| From 992ace5c5b5684f4e96beed4adec0e1cbf116666 Mon Sep 17 00:00:00 2001 |
| From: Shakeel Butt <shakeelb@google.com> |
| Date: Sat, 4 Jan 2020 12:59:43 -0800 |
| Subject: [PATCH] memcg: account security cred as well to kmemcg |
| |
| commit 84029fd04c201a4c7e0b07ba262664900f47c6f5 upstream. |
| |
| The cred_jar kmem_cache is already memcg accounted in the current kernel |
| but cred->security is not. Account cred->security to kmemcg. |
| |
| Recently we saw high root slab usage on our production and on further |
| inspection, we found a buggy application leaking processes. Though that |
| buggy application was contained within its memcg, we observed much |
| more system memory overhead, a couple of GiBs, during that period. This |
| overhead can adversely impact the isolation on the system. |
| |
| One source of high overhead we found was cred->security objects, which |
| have a lifetime of at least the life of the process which allocated |
| them. |
| |
| Link: http://lkml.kernel.org/r/20191205223721.40034-1-shakeelb@google.com |
| Signed-off-by: Shakeel Butt <shakeelb@google.com> |
| Acked-by: Chris Down <chris@chrisdown.name> |
| Reviewed-by: Roman Gushchin <guro@fb.com> |
| Acked-by: Michal Hocko <mhocko@suse.com> |
| Cc: Johannes Weiner <hannes@cmpxchg.org> |
| Cc: <stable@vger.kernel.org> |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/kernel/cred.c b/kernel/cred.c |
| index 153ae369e024..7cfd1db529d4 100644 |
| --- a/kernel/cred.c |
| +++ b/kernel/cred.c |
| @@ -218,7 +218,7 @@ struct cred *cred_alloc_blank(void) |
| new->magic = CRED_MAGIC; |
| #endif |
| |
| - if (security_cred_alloc_blank(new, GFP_KERNEL) < 0) |
| + if (security_cred_alloc_blank(new, GFP_KERNEL_ACCOUNT) < 0) |
| goto error; |
| |
| return new; |
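Review bot: The `GFP_KERNEL_ACCOUNT` flag passed to `security_cred_alloc_blank()` only gets cred->security charged if every LSM hook behind that call forwards the gfp argument to its allocator. The hook implementations are outside this patch, so this is worth confirming, because a hook that allocates with its own flags would leave the blob unaccounted and the isolation gap described in the commit message would remain. The same applies to the `security_prepare_creds()` calls in the prepare_creds() and prepare_kernel_cred() hunks. A short comment at each call would record the intent, e.g. `/* charge cred->security to the allocating task's memcg, like cred_jar */`. The body of cred_alloc_blank() starts outside the hunk.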
| @@ -277,7 +277,7 @@ struct cred *prepare_creds(void) |
| new->security = NULL; |
| #endif |
| |
| - if (security_prepare_creds(new, old, GFP_KERNEL) < 0) |
| + if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0) |
| goto error; |
| validate_creds(new); |
| return new; |
| @@ -706,7 +706,7 @@ struct cred *prepare_kernel_cred(struct task_struct *daemon) |
| #ifdef CONFIG_SECURITY |
| new->security = NULL; |
| #endif |
| - if (security_prepare_creds(new, old, GFP_KERNEL) < 0) |
| + if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0) |
| goto error; |
| |
| put_cred(old); |
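Review bot: In prepare_kernel_cred() the accounted allocation is presumably charged to the memcg of whichever task calls the function, not to `daemon` or to the kernel service the creds are built for. A caller running inside a tightly limited cgroup may therefore see `security_prepare_creds()` fail where it would have succeeded with `GFP_KERNEL`. The `goto error` path covers that here, but the callers are outside the hunk and should be checked for handling a NULL return. If charging the caller is intended, a comment such as `/* charged to current's memcg, not to daemon */` would make that explicit. The function body starts and ends outside the hunk.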
| -- |
| 2.7.4 |
| |