Received: by 2002:a05:6a10:a841:0:0:0:0 with SMTP id d1csp255533pxy; Tue, 20 Apr 2021 18:20:42 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyonOgjXEX/QzAqwfZrsyRafZKLm6XMg2dji+ILc9AcBUrztODGErzj+tVpSsEQUTuzgDWc X-Received: by 2002:a17:906:314f:: with SMTP id e15mr30201517eje.30.1618968042600; Tue, 20 Apr 2021 18:20:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1618968042; cv=none; d=google.com; s=arc-20160816; b=EFPZri3Xg0tF3CiPHN3MIaJlh48CljKzlEKH/gpyELIkC9yUdlds64bTOjG2C2Ag0z CzltPNTuldtLUAzPW51bK+9s6d2d0sOQOPIIrwBjuON8tXZTvpZSm4U6ET5MRYPM4A/G Tafe27TjO32g2OKu/s3syGtzGaLqSKDMB2m+3a1tSX9C8e8V9Ksy1PWj1PxOa/bsDNAm 143XcBOVAi1MosJnaEWS8fh4d427DsHXwIQfHaJH3/J7bObTFT9pl04eUxmKgrwRJws1 9ucR81twoy8NfOPz6yjqK/Dffi5rE0XHpO2Uxir/XI3bx6a/CLvpNovwf/MoXNZHzEtO YEeA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=iuYkrU1zcW7Z65oSaWVLBz+0IZ221pOBrSimYNtby7s=; b=td8u1HU76E8RPkqwS/t7OUJJyBE+2rlTPr6Lx8EV7jWxXspPDS4W9ZivvMZcwKdB6y 4rvBlRx3I4QdcwpE7CSf7RpkrN9NpCtX/5vmYYinppUOIMkXg1I3KlsRIVjQHNKun/pP 4xhBW/QogWTNozGEApyhRUZtHsYHF5hrgY2VtzYk9R0ZGjV6VzUeEzeUTBYyRuzKKRoO okB9SX/UdAfEVLIVUaP2BzkKrAZVXRYw3UEMd9jJ3tmKkZRpkTKjM7/jo3WCzXeLF42Y HbHviX0z1K0WF6tDmIcGRzTCxaymDKcLlgvUpPRXRBSHlvS0A9uan+c2ZwCyenLfB97A VbzA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=ndkdt3mj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id m20si364486eja.616.2021.04.20.18.19.54; Tue, 20 Apr 2021 18:20:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=ndkdt3mj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233897AbhDUBTP (ORCPT + 99 others); Tue, 20 Apr 2021 21:19:15 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53404 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233824AbhDUBTP (ORCPT ); Tue, 20 Apr 2021 21:19:15 -0400 Received: from mail-lf1-x12f.google.com (mail-lf1-x12f.google.com [IPv6:2a00:1450:4864:20::12f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0767BC061763 for ; Tue, 20 Apr 2021 18:18:43 -0700 (PDT) Received: by mail-lf1-x12f.google.com with SMTP id g8so64393043lfv.12 for ; Tue, 20 Apr 2021 18:18:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=iuYkrU1zcW7Z65oSaWVLBz+0IZ221pOBrSimYNtby7s=; b=ndkdt3mjYlW+H/QWZc671xlRMDK4yybhmgXbvu53LBPocwBLlpjTZ783Rd2QVNzrGj IkSdWhxhBQo0UbqFvs6XPv6hCdPKkg3b7FMjuPdJLz2w54a+Wyfrp6CFYDZyPmDZ3IkE W0vUtwV0T3yekrghgmLcCS164X9lDUDwgvhq916QgiJMH6wfzNW5C5/XrLnNN1ph/GiG K9J+ZM292B32Iy7S2ga4b5yxthPArwSwjdGo+ryLUmzGMwC6X6Vm5f3VEnJDlzd6Fanr 5Tu901R+Odid1zCgNaLUEr0kwh4Mm7azowTlPf+njENOsLhgr4i1ixuDJo8Jn+I4+guT /+4w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=iuYkrU1zcW7Z65oSaWVLBz+0IZ221pOBrSimYNtby7s=; b=QZ4Xs6cuy90s87K7eSJQo+JnWnuyVK6yXbZldrlfXxrD9XgGuRd/eCm8f+4VhQlZOV Z3/eUax/kKeRaa6cyshUMHZuxOb7qfzeJwW68+5DpYPkog95mZ3Fa6l9UrZeJDy9njYq RX5Mvq5ceytUXZq/vLlq3LUQWRhyLt8QdYzJlOl3ekgtdCJTY9yCLkkJLvCqx83EUpIa D9TjCUnBbDPPHOgMNCiytXwVFnQvLiMbp4MSbjCVV1OQvNRwR8PFMEAam3hWC0+ozpYE 6zLvc9oTvZ1nQaHfA0F4QEICgL3i/sk7r/XIRD7/Cceeu6ir4BsqwPY+7PvNqjgw7oBT RFYQ== X-Gm-Message-State: AOAM533QejDjZqJAyHymndjag5H7zl3UQG/UEcSC27+Ez4N6IhAg0cb8 mZWPRRbKzu3D/x293QVvCbuB0xopugifP3RGnj9JRA== X-Received: by 2002:a05:6512:2037:: with SMTP id s23mr17393868lfs.358.1618967921088; Tue, 20 Apr 2021 18:18:41 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Shakeel Butt Date: Tue, 20 Apr 2021 18:18:29 -0700 Message-ID: Subject: Re: [RFC] memory reserve for userspace oom-killer To: Roman Gushchin Cc: Johannes Weiner , Michal Hocko , Linux MM , Andrew Morton , Cgroups , David Rientjes , LKML , Suren Baghdasaryan , Greg Thelen , Dragos Sbirlea , Priya Duraisamy Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 20, 2021 at 12:18 PM Roman Gushchin wrote: > > On Mon, Apr 19, 2021 at 06:44:02PM -0700, Shakeel Butt wrote: [...] > > 1. prctl(PF_MEMALLOC) > > > > The idea is to give userspace oom-killer (just one thread which is > > finding the appropriate victims and will be sending SIGKILLs) access > > to MEMALLOC reserves. Most of the time the preallocation, mlock and > > memory.min will be good enough but for rare occasions, when the > > userspace oom-killer needs to allocate, the PF_MEMALLOC flag will > > protect it from reclaim and let the allocation dip into the memory > > reserves. > > > > The misuse of this feature would be risky but it can be limited to > > privileged applications. Userspace oom-killer is the only appropriate > > user of this feature. This option is simple to implement. > > Hello Shakeel! > > If ordinary PAGE_SIZE and smaller kernel allocations start to fail, > the system is already in a relatively bad shape. Arguably the userspace > OOM killer should kick in earlier, it's already a bit too late. Please note that these are not allocation failures but rather reclaim on allocations (which is very normal). Our observation is that this reclaim is very unpredictable and depends on the type of memory present on the system which depends on the workload. If there is a good amount of easily reclaimable memory (e.g. clean file pages), the reclaim would be really fast. However for other types of reclaimable memory the reclaim time varies a lot. The unreclaimable memory, pinned memory, too many direct reclaimers, too many isolated memory and many other things/heuristics/assumptions make the reclaim further non-deterministic. In our observation the global reclaim is very non-deterministic at the tail and dramatically impacts the reliability of the system. We are looking for a solution which is independent of the global reclaim. > Allowing to use reserves just pushes this even further, so we're risking > the kernel stability for no good reason. Michal has suggested ALLOC_OOM which is less risky. > > But I agree that throttling the oom daemon in direct reclaim makes no sense. > I wonder if we can introduce a per-task flag which will exclude the task from > throttling, but instead all (large) allocations will just fail under a > significant memory pressure more easily. In this case if there is a significant > memory shortage the oom daemon will not be fully functional (will get -ENOMEM > for an attempt to read some stats, for example), but still will be able to kill > some processes and make the forward progress. So, the suggestion is to have a per-task flag to (1) indicate to not throttle and (2) fail allocations easily on significant memory pressure. For (1), the challenge I see is that there are a lot of places in the reclaim code paths where a task can get throttled. There are filesystems that block/throttle in slab shrinking. Any process can get blocked on an unrelated page or inode writeback within reclaim. For (2), I am not sure how to deterministically define "significant memory pressure". One idea is to follow the __GFP_NORETRY semantics and along with (1) the userspace oom-killer will see ENOMEM more reliably than stucking in the reclaim. So, the oom-killer maintains a list of processes to kill in extreme conditions, have their pidfds open and keep that list fresh. Whenever any syscalls returns ENOMEM, it starts doing pidfd_send_signal(SIGKILL) to that list of processes, right? The idea has merit but I don't see how this is any simpler. The (1) is challenging on its own and my main concern is that it will be very hard to maintain as reclaim code (particularly shrinkers) callbacks into many diverse subsystems. > But maybe it can be done in userspace too: by splitting the daemon into > a core- and extended part and avoid doing anything behind bare minimum > in the core part. > > > > > 2. Mempool > > > > The idea is to preallocate mempool with a given amount of memory for > > userspace oom-killer. Preferably this will be per-thread and > > oom-killer can preallocate mempool for its specific threads. The core > > page allocator can check before going to the reclaim path if the task > > has private access to the mempool and return page from it if yes. > > > > This option would be more complicated than the previous option as the > > lifecycle of the page from the mempool would be more sophisticated. > > Additionally the current mempool does not handle higher order pages > > and we might need to extend it to allow such allocations. Though this > > feature might have more use-cases and it would be less risky than the > > previous option. > > It looks like an over-kill for the oom daemon protection, but if there > are other good use cases, maybe it's a good feature to have. > IMHO it is not an over-kill and easier to do then to remove all instances of potential blocking/throttling sites in memory reclaim. > > > > Another idea I had was to use kthread based oom-killer and provide the > > policies through eBPF program. Though I am not sure how to make it > > monitor arbitrary metrics and if that can be done without any > > allocations. > > To start this effort it would be nice to understand what metrics various > oom daemons use and how easy is to gather them from the bpf side. I like > this idea long-term, but not sure if it has been settled down enough. > I imagine it will require a fair amount of work on the bpf side, so we > need a good understanding of features we need. > Are there any examples of gathering existing metrics from bpf? Suren has given a list of metrics useful for Android. Is it possible to gather those metrics? BTW thanks a lot for taking a look and I really appreciate your time. thanks, Shakeel