release/5.2.35/memcg-account-security-cred-as-well-to-kmemcg.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-5.2 - Git at Google

 From 992ace5c5b5684f4e96beed4adec0e1cbf116666 Mon Sep 17 00:00:00 2001
 From: Shakeel Butt <shakeelb@google.com>
 Date: Sat, 4 Jan 2020 12:59:43 -0800
 Subject: [PATCH] memcg: account security cred as well to kmemcg

 commit 84029fd04c201a4c7e0b07ba262664900f47c6f5 upstream.

 The cred_jar kmem_cache is already memcg accounted in the current kernel
 but cred->security is not.  Account cred->security to kmemcg.

 Recently we saw high root slab usage on our production and on further
 inspection, we found a buggy application leaking processes.  Though that
 buggy application was contained within its memcg but we observe much
 more system memory overhead, couple of GiBs, during that period.  This
 overhead can adversely impact the isolation on the system.

 One source of high overhead we found was cred->security objects, which
 have a lifetime of at least the life of the process which allocated
 them.

 Link: http://lkml.kernel.org/r/20191205223721.40034-1-shakeelb@google.com
 Signed-off-by: Shakeel Butt <shakeelb@google.com>
 Acked-by: Chris Down <chris@chrisdown.name>
 Reviewed-by: Roman Gushchin <guro@fb.com>
 Acked-by: Michal Hocko <mhocko@suse.com>
 Cc: Johannes Weiner <hannes@cmpxchg.org>
 Cc: <stable@vger.kernel.org>
 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/kernel/cred.c b/kernel/cred.c
 index 153ae369e024..7cfd1db529d4 100644
 --- a/kernel/cred.c
 +++ b/kernel/cred.c
 @@ -218,7 +218,7 @@ struct cred *cred_alloc_blank(void)
  	new->magic = CRED_MAGIC;
  #endif

 -	if (security_cred_alloc_blank(new, GFP_KERNEL) < 0)
 +	if (security_cred_alloc_blank(new, GFP_KERNEL_ACCOUNT) < 0)
  		goto error;

  	return new;
 @@ -277,7 +277,7 @@ struct cred *prepare_creds(void)
  	new->security = NULL;
  #endif

 -	if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
 +	if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
  		goto error;
  	validate_creds(new);
  	return new;
 @@ -706,7 +706,7 @@ struct cred *prepare_kernel_cred(struct task_struct *daemon)
  #ifdef CONFIG_SECURITY
  	new->security = NULL;
  #endif
 -	if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
 +	if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
  		goto error;

  	put_cred(old);
 --
 2.7.4
	From 992ace5c5b5684f4e96beed4adec0e1cbf116666 Mon Sep 17 00:00:00 2001
	From: Shakeel Butt <shakeelb@google.com>
	Date: Sat, 4 Jan 2020 12:59:43 -0800
	Subject: [PATCH] memcg: account security cred as well to kmemcg

	commit 84029fd04c201a4c7e0b07ba262664900f47c6f5 upstream.

	The cred_jar kmem_cache is already memcg accounted in the current kernel
	but cred->security is not. Account cred->security to kmemcg.

	Recently we saw high root slab usage on our production and on further
	inspection, we found a buggy application leaking processes. Though that
	buggy application was contained within its memcg but we observe much
	more system memory overhead, couple of GiBs, during that period. This
	overhead can adversely impact the isolation on the system.

	One source of high overhead we found was cred->security objects, which
	have a lifetime of at least the life of the process which allocated
	them.

	Link: http://lkml.kernel.org/r/20191205223721.40034-1-shakeelb@google.com
	Signed-off-by: Shakeel Butt <shakeelb@google.com>
	Acked-by: Chris Down <chris@chrisdown.name>
	Reviewed-by: Roman Gushchin <guro@fb.com>
	Acked-by: Michal Hocko <mhocko@suse.com>
	Cc: Johannes Weiner <hannes@cmpxchg.org>
	Cc: <stable@vger.kernel.org>
	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/kernel/cred.c b/kernel/cred.c
	index 153ae369e024..7cfd1db529d4 100644
	--- a/kernel/cred.c
	+++ b/kernel/cred.c
	@@ -218,7 +218,7 @@ struct cred *cred_alloc_blank(void)
	new->magic = CRED_MAGIC;
	#endif

	- if (security_cred_alloc_blank(new, GFP_KERNEL) < 0)
	+ if (security_cred_alloc_blank(new, GFP_KERNEL_ACCOUNT) < 0)
	goto error;

	return new;
	@@ -277,7 +277,7 @@ struct cred *prepare_creds(void)
	new->security = NULL;
	#endif

	- if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
	+ if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
	goto error;
	validate_creds(new);
	return new;
	@@ -706,7 +706,7 @@ struct cred prepare_kernel_cred(struct task_struct daemon)
	#ifdef CONFIG_SECURITY
	new->security = NULL;
	#endif
	- if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
	+ if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
	goto error;

	put_cred(old);
	--
	2.7.4