Date: Fri, 1 Apr 2022 14:14:44 -0700
From: Roman Gushchin
To: Florian Westphal
Cc: Vasily Averin, Pablo Neira Ayuso, kernel@openvz.org, Jozsef Kadlecsik, netfilter-devel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH nft] nft: memcg accounting for dynamically allocated objects

On Fri, Apr 01, 2022 at 09:31:59PM +0200, Florian Westphal wrote:
> Vasily Averin wrote:
> > > Same problem as connlimit, can be called from packet path.
> > > Basically all GFP_ATOMIC are suspicious.
> > >
> > > Not sure how to resolve this, similar mechanics in iptables world (e.g.
> > > connlimit or SET target) don't use memcg accounting.
> > >
> > > Perhaps for now resend with only the GFP_KERNEL parts converted?
> > > Those are safe.
> >
> > It is safe for packet path too, _ACCOUNT allocation will not be able to find memcg
> > in case of "!in_task()" context.
> > On the other hand any additional checks on such path will affect performance.
>
> I'm not sure this works with ksoftirqd serving network stack?
>
> > Could you please estimate how often is this code used in the case of nft vs packet path?
>
> It depends on user configuration.
> Update from packet path is used for things like port knocking or other
> dynamic filter lists, or something like limiting connections to x-per-address/subnet and so on.
>
> > If the opposite is the case, then I can add __GFP_ACCOUNT flag depending on in_task() check.
>
> But what task/memcg is used for the accounting in that case?

Root memcg/no accounting, which is the same.

There is a way to account for a specific memcg in such cases, it's used for bpf maps,
for example. We save a pointer to the memcg which created the map and charge it
for all allocations from a !in_task context.

But the performance can be affected, so let's not do it without regression tests
and a serious need.

Thanks!
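
Added example, not part of the original message and not kernel code: a userspace C model of the charging rule discussed above. An accounted allocation made outside task context lands on the root memcg unless the object saved its creator's memcg and charges that instead, as the reply describes for bpf maps. All struct and function names are hypothetical, and modelling the saved memcg as a temporary override is an assumption of this sketch.

```c
/* Userspace model, not kernel code; every name here is hypothetical. */
#include <stddef.h>
#include <stdio.h>
struct memcg { const char *name; size_t charged; };
struct exec_ctx {
    int in_task;                /* 0 models the softirq / packet path */
    struct memcg *task_memcg;   /* memcg of whatever task is "current" */
    struct memcg *active_memcg; /* explicit charge target, NULL if unset */
};
static struct memcg root_memcg = { "root", 0 };
/* Explicit target, else current task (task context only), else root. */
static struct memcg *charge_target(const struct exec_ctx *c)
{
    if (c->active_memcg)
        return c->active_memcg;
    return (c->in_task && c->task_memcg) ? c->task_memcg : &root_memcg;
}

/* Models an allocation with __GFP_ACCOUNT; returns the memcg charged. */
static struct memcg *alloc_accounted(struct exec_ctx *c, size_t size)
{
    struct memcg *m = charge_target(c);
    m->charged += size;
    return m;
}

/* Object that saves its creator's memcg once, at creation time. */
struct tracked_obj { struct memcg *owner; };
static void obj_create(struct tracked_obj *o, const struct exec_ctx *c) { o->owner = charge_target(c); }

/* Charge the saved owner from any context, then restore the old target. */
static struct memcg *obj_alloc(struct tracked_obj *o, struct exec_ctx *c, size_t n)
{
    struct memcg *old = c->active_memcg, *m;
    c->active_memcg = o->owner;
    m = alloc_accounted(c, n);
    c->active_memcg = old;
    return m;
}

int main(void)
{
    /* Constructed scenario: "other" is the unrelated task a softirq interrupted. */
    struct memcg ct = { "container", 0 }, other = { "bystander", 0 };
    struct exec_ctx task = { 1, &ct, NULL }, softirq = { 0, &other, NULL };
    struct tracked_obj set;
    obj_create(&set, &task);
    printf("plain softirq alloc -> %s\n", alloc_accounted(&softirq, 64)->name);
    printf("owner-tracked alloc -> %s\n", obj_alloc(&set, &softirq, 128)->name);
    return 0;
}
```

In the model, the interrupted task's memcg ("bystander") is never charged from the packet path; the bytes go either to root or to the saved owner.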