2009-01-16 05:50:42 +08:00
|
|
|
Documentation for /proc/sys/vm/* kernel version 2.6.29
|
2005-04-17 06:20:36 +08:00
|
|
|
(c) 1998, 1999, Rik van Riel <riel@nl.linux.org>
|
2009-01-16 05:50:42 +08:00
|
|
|
(c) 2008 Peter W. Morreale <pmorreale@novell.com>
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
For general info and legal blurb, please look in README.
|
|
|
|
|
|
|
|
==============================================================
|
|
|
|
|
|
|
|
This file contains the documentation for the sysctl files in
|
2009-01-16 05:50:42 +08:00
|
|
|
/proc/sys/vm and is valid for Linux kernel version 2.6.29.
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
The files in this directory can be used to tune the operation
|
|
|
|
of the virtual memory (VM) subsystem of the Linux kernel and
|
|
|
|
the writeout of dirty data to disk.
|
|
|
|
|
|
|
|
Default values and initialization routines for most of these
|
|
|
|
files can be found in mm/swap.c.
|
|
|
|
|
|
|
|
Currently, these files are in /proc/sys/vm:
|
2009-01-16 05:50:42 +08:00
|
|
|
|
2013-04-30 06:08:11 +08:00
|
|
|
- admin_reserve_kbytes
|
2009-01-16 05:50:42 +08:00
|
|
|
- block_dump
|
2010-05-25 05:32:28 +08:00
|
|
|
- compact_memory
|
2015-04-16 07:13:20 +08:00
|
|
|
- compact_unevictable_allowed
|
2009-01-16 05:50:42 +08:00
|
|
|
- dirty_background_bytes
|
2005-04-17 06:20:36 +08:00
|
|
|
- dirty_background_ratio
|
2009-01-16 05:50:42 +08:00
|
|
|
- dirty_bytes
|
2005-04-17 06:20:36 +08:00
|
|
|
- dirty_expire_centisecs
|
2009-01-16 05:50:42 +08:00
|
|
|
- dirty_ratio
|
2005-04-17 06:20:36 +08:00
|
|
|
- dirty_writeback_centisecs
|
2009-01-16 05:50:42 +08:00
|
|
|
- drop_caches
|
2010-05-25 05:32:31 +08:00
|
|
|
- extfrag_threshold
|
2009-01-16 05:50:42 +08:00
|
|
|
- hugepages_treat_as_movable
|
|
|
|
- hugetlb_shm_group
|
|
|
|
- laptop_mode
|
|
|
|
- legacy_va_layout
|
|
|
|
- lowmem_reserve_ratio
|
2005-04-17 06:20:36 +08:00
|
|
|
- max_map_count
|
2009-09-16 17:50:15 +08:00
|
|
|
- memory_failure_early_kill
|
|
|
|
- memory_failure_recovery
|
2005-04-17 06:20:36 +08:00
|
|
|
- min_free_kbytes
|
2006-09-26 14:31:52 +08:00
|
|
|
- min_slab_ratio
|
2009-01-16 05:50:42 +08:00
|
|
|
- min_unmapped_ratio
|
|
|
|
- mmap_min_addr
|
mm: mmap: add new /proc tunable for mmap_base ASLR
Address Space Layout Randomization (ASLR) provides a barrier to
exploitation of user-space processes in the presence of security
vulnerabilities by making it more difficult to find desired code/data
which could help an attack. This is done by adding a random offset to
the location of regions in the process address space, with a greater
range of potential offset values corresponding to better protection/a
larger search-space for brute force, but also to greater potential for
fragmentation.
The offset added to the mmap_base address, which provides the basis for
the majority of the mappings for a process, is set once on process exec
in arch_pick_mmap_layout() and is done via hard-coded per-arch values,
which reflect, hopefully, the best compromise for all systems. The
trade-off between increased entropy in the offset value generation and
the corresponding increased variability in address space fragmentation
is not absolute, however, and some platforms may tolerate higher amounts
of entropy. This patch introduces both new Kconfig values and a sysctl
interface which may be used to change the amount of entropy used for
offset generation on a system.
The direct motivation for this change was in response to the
libstagefright vulnerabilities that affected Android, specifically to
information provided by Google's project zero at:
http://googleprojectzero.blogspot.com/2015/09/stagefrightened.html
The attack presented therein, by Google's project zero, specifically
targeted the limited randomness used to generate the offset added to the
mmap_base address in order to craft a brute-force-based attack.
Concretely, the attack was against the mediaserver process, which was
limited to respawning every 5 seconds, on an arm device. The hard-coded
8 bits used resulted in an average expected success rate of defeating
the mmap ASLR after just over 10 minutes (128 tries at 5 seconds a
piece). With this patch, and an accompanying increase in the entropy
value to 16 bits, the same attack would take an average expected time of
over 45 hours (32768 tries), which makes it both less feasible and more
likely to be noticed.
The introduced Kconfig and sysctl options are limited by per-arch
minimum and maximum values, the minimum of which was chosen to match the
current hard-coded value and the maximum of which was chosen so as to
give the greatest flexibility without generating an invalid mmap_base
address, generally a 3-4 bits less than the number of bits in the
user-space accessible virtual address space.
When decided whether or not to change the default value, a system
developer should consider that mmap_base address could be placed
anywhere up to 2^(value) bits away from the non-randomized location,
which would introduce variable-sized areas above and below the mmap_base
address such that the maximum vm_area_struct size may be reduced,
preventing very large allocations.
This patch (of 4):
ASLR only uses as few as 8 bits to generate the random offset for the
mmap base address on 32 bit architectures. This value was chosen to
prevent a poorly chosen value from dividing the address space in such a
way as to prevent large allocations. This may not be an issue on all
platforms. Allow the specification of a minimum number of bits so that
platforms desiring greater ASLR protection may determine where to place
the trade-off.
Signed-off-by: Daniel Cashman <dcashman@google.com>
Cc: Russell King <linux@arm.linux.org.uk>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Don Zickus <dzickus@redhat.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: David Rientjes <rientjes@google.com>
Cc: Mark Salyzyn <salyzyn@android.com>
Cc: Jeff Vander Stoep <jeffv@google.com>
Cc: Nick Kralevich <nnk@google.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Hector Marco-Gisbert <hecmargi@upv.es>
Cc: Borislav Petkov <bp@suse.de>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-01-15 07:19:53 +08:00
|
|
|
- mmap_rnd_bits
|
|
|
|
- mmap_rnd_compat_bits
|
2007-12-18 08:20:25 +08:00
|
|
|
- nr_hugepages
|
|
|
|
- nr_overcommit_hugepages
|
2009-01-16 05:50:42 +08:00
|
|
|
- nr_trim_pages (only if CONFIG_MMU=n)
|
|
|
|
- numa_zonelist_order
|
|
|
|
- oom_dump_tasks
|
|
|
|
- oom_kill_allocating_task
|
2014-01-22 07:49:14 +08:00
|
|
|
- overcommit_kbytes
|
2009-01-16 05:50:42 +08:00
|
|
|
- overcommit_memory
|
|
|
|
- overcommit_ratio
|
|
|
|
- page-cluster
|
|
|
|
- panic_on_oom
|
|
|
|
- percpu_pagelist_fraction
|
|
|
|
- stat_interval
|
2016-05-20 08:12:50 +08:00
|
|
|
- stat_refresh
|
2009-01-16 05:50:42 +08:00
|
|
|
- swappiness
|
mm: limit growth of 3% hardcoded other user reserve
Add user_reserve_kbytes knob.
Limit the growth of the memory reserved for other user processes to
min(3% current process size, user_reserve_pages). Only about 8MB is
necessary to enable recovery in the default mode, and only a few hundred
MB are required even when overcommit is disabled.
user_reserve_pages defaults to min(3% free pages, 128MB)
I arrived at 128MB by taking the max VSZ of sshd, login, bash, and top ...
then adding the RSS of each.
This only affects OVERCOMMIT_NEVER mode.
Background
1. user reserve
__vm_enough_memory reserves a hardcoded 3% of the current process size for
other applications when overcommit is disabled. This was done so that a
user could recover if they launched a memory hogging process. Without the
reserve, a user would easily run into a message such as:
bash: fork: Cannot allocate memory
2. admin reserve
Additionally, a hardcoded 3% of free memory is reserved for root in both
overcommit 'guess' and 'never' modes. This was intended to prevent a
scenario where root-cant-log-in and perform recovery operations.
Note that this reserve shrinks, and doesn't guarantee a useful reserve.
Motivation
The two hardcoded memory reserves should be updated to account for current
memory sizes.
Also, the admin reserve would be more useful if it didn't shrink too much.
When the current code was originally written, 1GB was considered
"enterprise". Now the 3% reserve can grow to multiple GB on large memory
systems, and it only needs to be a few hundred MB at most to enable a user
or admin to recover a system with an unwanted memory hogging process.
I've found that reducing these reserves is especially beneficial for a
specific type of application load:
* single application system
* one or few processes (e.g. one per core)
* allocating all available memory
* not initializing every page immediately
* long running
I've run scientific clusters with this sort of load. A long running job
sometimes failed many hours (weeks of CPU time) into a calculation. They
weren't initializing all of their memory immediately, and they weren't
using calloc, so I put systems into overcommit 'never' mode. These
clusters run diskless and have no swap.
However, with the current reserves, a user wishing to allocate as much
memory as possible to one process may be prevented from using, for
example, almost 2GB out of 32GB.
The effect is less, but still significant when a user starts a job with
one process per core. I have repeatedly seen a set of processes
requesting the same amount of memory fail because one of them could not
allocate the amount of memory a user would expect to be able to allocate.
For example, Message Passing Interfce (MPI) processes, one per core. And
it is similar for other parallel programming frameworks.
Changing this reserve code will make the overcommit never mode more useful
by allowing applications to allocate nearly all of the available memory.
Also, the new admin_reserve_kbytes will be safer than the current behavior
since the hardcoded 3% of available memory reserve can shrink to something
useless in the case where applications have grabbed all available memory.
Risks
* "bash: fork: Cannot allocate memory"
The downside of the first patch-- which creates a tunable user reserve
that is only used in overcommit 'never' mode--is that an admin can set
it so low that a user may not be able to kill their process, even if
they already have a shell prompt.
Of course, a user can get in the same predicament with the current 3%
reserve--they just have to launch processes until 3% becomes negligible.
* root-cant-log-in problem
The second patch, adding the tunable rootuser_reserve_pages, allows
the admin to shoot themselves in the foot by setting it too small. They
can easily get the system into a state where root-can't-log-in.
However, the new admin_reserve_kbytes will be safer than the current
behavior since the hardcoded 3% of available memory reserve can shrink
to something useless in the case where applications have grabbed all
available memory.
Alternatives
* Memory cgroups provide a more flexible way to limit application memory.
Not everyone wants to set up cgroups or deal with their overhead.
* We could create a fourth overcommit mode which provides smaller reserves.
The size of useful reserves may be drastically different depending
on the whether the system is embedded or enterprise.
* Force users to initialize all of their memory or use calloc.
Some users don't want/expect the system to overcommit when they malloc.
Overcommit 'never' mode is for this scenario, and it should work well.
The new user and admin reserve tunables are simple to use, with low
overhead compared to cgroups. The patches preserve current behavior where
3% of memory is less than 128MB, except that the admin reserve doesn't
shrink to an unusable size under pressure. The code allows admins to tune
for embedded and enterprise usage.
FAQ
* How is the root-cant-login problem addressed?
What happens if admin_reserve_pages is set to 0?
Root is free to shoot themselves in the foot by setting
admin_reserve_kbytes too low.
On x86_64, the minimum useful reserve is:
8MB for overcommit 'guess'
128MB for overcommit 'never'
admin_reserve_pages defaults to min(3% free memory, 8MB)
So, anyone switching to 'never' mode needs to adjust
admin_reserve_pages.
* How do you calculate a minimum useful reserve?
A user or the admin needs enough memory to login and perform
recovery operations, which includes, at a minimum:
sshd or login + bash (or some other shell) + top (or ps, kill, etc.)
For overcommit 'guess', we can sum resident set sizes (RSS)
because we only need enough memory to handle what the recovery
programs will typically use. On x86_64 this is about 8MB.
For overcommit 'never', we can take the max of their virtual sizes (VSZ)
and add the sum of their RSS. We use VSZ instead of RSS because mode
forces us to ensure we can fulfill all of the requested memory allocations--
even if the programs only use a fraction of what they ask for.
On x86_64 this is about 128MB.
When swap is enabled, reserves are useful even when they are as
small as 10MB, regardless of overcommit mode.
When both swap and overcommit are disabled, then the admin should
tune the reserves higher to be absolutley safe. Over 230MB each
was safest in my testing.
* What happens if user_reserve_pages is set to 0?
Note, this only affects overcomitt 'never' mode.
Then a user will be able to allocate all available memory minus
admin_reserve_kbytes.
However, they will easily see a message such as:
"bash: fork: Cannot allocate memory"
And they won't be able to recover/kill their application.
The admin should be able to recover the system if
admin_reserve_kbytes is set appropriately.
* What's the difference between overcommit 'guess' and 'never'?
"Guess" allows an allocation if there are enough free + reclaimable
pages. It has a hardcoded 3% of free pages reserved for root.
"Never" allows an allocation if there is enough swap + a configurable
percentage (default is 50) of physical RAM. It has a hardcoded 3% of
free pages reserved for root, like "Guess" mode. It also has a
hardcoded 3% of the current process size reserved for additional
applications.
* Why is overcommit 'guess' not suitable even when an app eventually
writes to every page? It takes free pages, file pages, available
swap pages, reclaimable slab pages into consideration. In other words,
these are all pages available, then why isn't overcommit suitable?
Because it only looks at the present state of the system. It
does not take into account the memory that other applications have
malloced, but haven't initialized yet. It overcommits the system.
Test Summary
There was little change in behavior in the default overcommit 'guess'
mode with swap enabled before and after the patch. This was expected.
Systems run most predictably (i.e. no oom kills) in overcommit 'never'
mode with swap enabled. This also allowed the most memory to be allocated
to a user application.
Overcommit 'guess' mode without swap is a bad idea. It is easy to
crash the system. None of the other tested combinations crashed.
This matches my experience on the Roadrunner supercomputer.
Without the tunable user reserve, a system in overcommit 'never' mode
and without swap does not allow the admin to recover, although the
admin can.
With the new tunable reserves, a system in overcommit 'never' mode
and without swap can be configured to:
1. maximize user-allocatable memory, running close to the edge of
recoverability
2. maximize recoverability, sacrificing allocatable memory to
ensure that a user cannot take down a system
Test Description
Fedora 18 VM - 4 x86_64 cores, 5725MB RAM, 4GB Swap
System is booted into multiuser console mode, with unnecessary services
turned off. Caches were dropped before each test.
Hogs are user memtester processes that attempt to allocate all free memory
as reported by /proc/meminfo
In overcommit 'never' mode, memory_ratio=100
Test Results
3.9.0-rc1-mm1
Overcommit | Swap | Hogs | MB Got/Wanted | OOMs | User Recovery | Admin Recovery
---------- ---- ---- ------------- ---- ------------- --------------
guess yes 1 5432/5432 no yes yes
guess yes 4 5444/5444 1 yes yes
guess no 1 5302/5449 no yes yes
guess no 4 - crash no no
never yes 1 5460/5460 1 yes yes
never yes 4 5460/5460 1 yes yes
never no 1 5218/5432 no no yes
never no 4 5203/5448 no no yes
3.9.0-rc1-mm1-tunablereserves
User and Admin Recovery show their respective reserves, if applicable.
Overcommit | Swap | Hogs | MB Got/Wanted | OOMs | User Recovery | Admin Recovery
---------- ---- ---- ------------- ---- ------------- --------------
guess yes 1 5419/5419 no - yes 8MB yes
guess yes 4 5436/5436 1 - yes 8MB yes
guess no 1 5440/5440 * - yes 8MB yes
guess no 4 - crash - no 8MB no
* process would successfully mlock, then the oom killer would pick it
never yes 1 5446/5446 no 10MB yes 20MB yes
never yes 4 5456/5456 no 10MB yes 20MB yes
never no 1 5387/5429 no 128MB no 8MB barely
never no 1 5323/5428 no 226MB barely 8MB barely
never no 1 5323/5428 no 226MB barely 8MB barely
never no 1 5359/5448 no 10MB no 10MB barely
never no 1 5323/5428 no 0MB no 10MB barely
never no 1 5332/5428 no 0MB no 50MB yes
never no 1 5293/5429 no 0MB no 90MB yes
never no 1 5001/5427 no 230MB yes 338MB yes
never no 4* 4998/5424 no 230MB yes 338MB yes
* more memtesters were launched, able to allocate approximately another 100MB
Future Work
- Test larger memory systems.
- Test an embedded image.
- Test other architectures.
- Time malloc microbenchmarks.
- Would it be useful to be able to set overcommit policy for
each memory cgroup?
- Some lines are slightly above 80 chars.
Perhaps define a macro to convert between pages and kb?
Other places in the kernel do this.
[akpm@linux-foundation.org: coding-style fixes]
[akpm@linux-foundation.org: make init_user_reserve() static]
Signed-off-by: Andrew Shewmaker <agshew@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-04-30 06:08:10 +08:00
|
|
|
- user_reserve_kbytes
|
2009-01-16 05:50:42 +08:00
|
|
|
- vfs_cache_pressure
|
2016-07-12 18:05:59 +08:00
|
|
|
- watermark_scale_factor
|
2009-01-16 05:50:42 +08:00
|
|
|
- zone_reclaim_mode
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
==============================================================
|
|
|
|
|
2013-04-30 06:08:11 +08:00
|
|
|
admin_reserve_kbytes
|
|
|
|
|
|
|
|
The amount of free memory in the system that should be reserved for users
|
|
|
|
with the capability cap_sys_admin.
|
|
|
|
|
|
|
|
admin_reserve_kbytes defaults to min(3% of free pages, 8MB)
|
|
|
|
|
|
|
|
That should provide enough for the admin to log in and kill a process,
|
|
|
|
if necessary, under the default overcommit 'guess' mode.
|
|
|
|
|
|
|
|
Systems running under overcommit 'never' should increase this to account
|
|
|
|
for the full Virtual Memory Size of programs used to recover. Otherwise,
|
|
|
|
root may not be able to log in to recover the system.
|
|
|
|
|
|
|
|
How do you calculate a minimum useful reserve?
|
|
|
|
|
|
|
|
sshd or login + bash (or some other shell) + top (or ps, kill, etc.)
|
|
|
|
|
|
|
|
For overcommit 'guess', we can sum resident set sizes (RSS).
|
|
|
|
On x86_64 this is about 8MB.
|
|
|
|
|
|
|
|
For overcommit 'never', we can take the max of their virtual sizes (VSZ)
|
|
|
|
and add the sum of their RSS.
|
|
|
|
On x86_64 this is about 128MB.
|
|
|
|
|
|
|
|
Changing this takes effect whenever an application requests memory.
|
|
|
|
|
|
|
|
==============================================================
|
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
block_dump
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
block_dump enables block I/O debugging when set to a nonzero value. More
|
|
|
|
information on block I/O debugging is in Documentation/laptops/laptop-mode.txt.
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
==============================================================
|
|
|
|
|
2010-05-25 05:32:28 +08:00
|
|
|
compact_memory
|
|
|
|
|
|
|
|
Available only when CONFIG_COMPACTION is set. When 1 is written to the file,
|
|
|
|
all zones are compacted such that free memory is available in contiguous
|
|
|
|
blocks where possible. This can be important for example in the allocation of
|
|
|
|
huge pages although processes will also directly compact memory as required.
|
|
|
|
|
|
|
|
==============================================================
|
|
|
|
|
2015-04-16 07:13:20 +08:00
|
|
|
compact_unevictable_allowed
|
|
|
|
|
|
|
|
Available only when CONFIG_COMPACTION is set. When set to 1, compaction is
|
|
|
|
allowed to examine the unevictable lru (mlocked pages) for pages to compact.
|
|
|
|
This should be used on systems where stalls for minor page faults are an
|
|
|
|
acceptable trade for large contiguous free memory. Set to 0 to prevent
|
|
|
|
compaction from moving pages that are unevictable. Default value is 1.
|
|
|
|
|
|
|
|
==============================================================
|
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
dirty_background_bytes
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2012-07-25 23:12:01 +08:00
|
|
|
Contains the amount of dirty memory at which the background kernel
|
|
|
|
flusher threads will start writeback.
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-10-28 06:33:31 +08:00
|
|
|
Note: dirty_background_bytes is the counterpart of dirty_background_ratio. Only
|
|
|
|
one of them may be specified at a time. When one sysctl is written it is
|
|
|
|
immediately taken into account to evaluate the dirty memory limits and the
|
|
|
|
other appears as 0 when read.
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
==============================================================
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
dirty_background_ratio
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2013-11-13 07:08:30 +08:00
|
|
|
Contains, as a percentage of total available memory that contains free pages
|
|
|
|
and reclaimable pages, the number of pages at which the background kernel
|
|
|
|
flusher threads will start writing out dirty data.
|
|
|
|
|
2015-09-18 14:10:55 +08:00
|
|
|
The total available memory is not equal to total system memory.
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
==============================================================
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
dirty_bytes
|
|
|
|
|
|
|
|
Contains the amount of dirty memory at which a process generating disk writes
|
|
|
|
will itself start writeback.
|
|
|
|
|
2010-10-28 06:33:31 +08:00
|
|
|
Note: dirty_bytes is the counterpart of dirty_ratio. Only one of them may be
|
|
|
|
specified at a time. When one sysctl is written it is immediately taken into
|
|
|
|
account to evaluate the dirty memory limits and the other appears as 0 when
|
|
|
|
read.
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2009-05-01 06:08:57 +08:00
|
|
|
Note: the minimum value allowed for dirty_bytes is two pages (in bytes); any
|
|
|
|
value lower than this limit will be ignored and the old configuration will be
|
|
|
|
retained.
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
==============================================================
|
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
dirty_expire_centisecs
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
This tunable is used to define when dirty data is old enough to be eligible
|
2012-07-25 23:12:01 +08:00
|
|
|
for writeout by the kernel flusher threads. It is expressed in 100'ths
|
|
|
|
of a second. Data which has been dirty in-memory for longer than this
|
|
|
|
interval will be written out next time a flusher thread wakes up.
|
2009-01-16 05:50:42 +08:00
|
|
|
|
|
|
|
==============================================================
|
|
|
|
|
|
|
|
dirty_ratio
|
|
|
|
|
2013-11-13 07:08:30 +08:00
|
|
|
Contains, as a percentage of total available memory that contains free pages
|
|
|
|
and reclaimable pages, the number of pages at which a process which is
|
|
|
|
generating disk writes will itself start writing out dirty data.
|
|
|
|
|
2015-09-18 14:10:55 +08:00
|
|
|
The total available memory is not equal to total system memory.
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
==============================================================
|
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
dirty_writeback_centisecs
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2012-07-25 23:12:01 +08:00
|
|
|
The kernel flusher threads will periodically wake up and write `old' data
|
2009-01-16 05:50:42 +08:00
|
|
|
out to disk. This tunable expresses the interval between those wakeups, in
|
|
|
|
100'ths of a second.
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
Setting this to zero disables periodic writeback altogether.
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
==============================================================
|
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
drop_caches
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2014-04-04 05:48:19 +08:00
|
|
|
Writing to this will cause the kernel to drop clean caches, as well as
|
|
|
|
reclaimable slab objects like dentries and inodes. Once dropped, their
|
|
|
|
memory becomes free.
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
To free pagecache:
|
|
|
|
echo 1 > /proc/sys/vm/drop_caches
|
2014-04-04 05:48:19 +08:00
|
|
|
To free reclaimable slab objects (includes dentries and inodes):
|
2009-01-16 05:50:42 +08:00
|
|
|
echo 2 > /proc/sys/vm/drop_caches
|
2014-04-04 05:48:19 +08:00
|
|
|
To free slab objects and pagecache:
|
2009-01-16 05:50:42 +08:00
|
|
|
echo 3 > /proc/sys/vm/drop_caches
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2014-04-04 05:48:19 +08:00
|
|
|
This is a non-destructive operation and will not free any dirty objects.
|
|
|
|
To increase the number of objects freed by this operation, the user may run
|
|
|
|
`sync' prior to writing to /proc/sys/vm/drop_caches. This will minimize the
|
|
|
|
number of dirty objects on the system and create more candidates to be
|
|
|
|
dropped.
|
|
|
|
|
|
|
|
This file is not a means to control the growth of the various kernel caches
|
|
|
|
(inodes, dentries, pagecache, etc...) These objects are automatically
|
|
|
|
reclaimed by the kernel when memory is needed elsewhere on the system.
|
|
|
|
|
|
|
|
Use of this file can cause performance problems. Since it discards cached
|
|
|
|
objects, it may cost a significant amount of I/O and CPU to recreate the
|
|
|
|
dropped objects, especially if they were under heavy use. Because of this,
|
|
|
|
use outside of a testing or debugging environment is not recommended.
|
|
|
|
|
|
|
|
You may see informational messages in your kernel log when this file is
|
|
|
|
used:
|
|
|
|
|
|
|
|
cat (1234): drop_caches: 3
|
|
|
|
|
|
|
|
These are informational only. They do not mean that anything is wrong
|
|
|
|
with your system. To disable them, echo 4 (bit 3) into drop_caches.
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
==============================================================
|
|
|
|
|
2010-05-25 05:32:31 +08:00
|
|
|
extfrag_threshold
|
|
|
|
|
|
|
|
This parameter affects whether the kernel will compact memory or direct
|
2015-07-14 13:35:11 +08:00
|
|
|
reclaim to satisfy a high-order allocation. The extfrag/extfrag_index file in
|
|
|
|
debugfs shows what the fragmentation index for each order is in each zone in
|
|
|
|
the system. Values tending towards 0 imply allocations would fail due to lack
|
|
|
|
of memory, values towards 1000 imply failures are due to fragmentation and -1
|
|
|
|
implies that the allocation will succeed as long as watermarks are met.
|
2010-05-25 05:32:31 +08:00
|
|
|
|
|
|
|
The kernel will not compact memory in a zone if the
|
|
|
|
fragmentation index is <= extfrag_threshold. The default value is 500.
|
|
|
|
|
|
|
|
==============================================================
|
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
hugepages_treat_as_movable
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2013-09-12 05:22:13 +08:00
|
|
|
This parameter controls whether we can allocate hugepages from ZONE_MOVABLE
|
|
|
|
or not. If set to non-zero, hugepages can be allocated from ZONE_MOVABLE.
|
|
|
|
ZONE_MOVABLE is created when kernel boot parameter kernelcore= is specified,
|
|
|
|
so this parameter has no effect if used without kernelcore=.
|
|
|
|
|
|
|
|
Hugepage migration is now available in some situations which depend on the
|
|
|
|
architecture and/or the hugepage size. If a hugepage supports migration,
|
|
|
|
allocation from ZONE_MOVABLE is always enabled for the hugepage regardless
|
|
|
|
of the value of this parameter.
|
|
|
|
IOW, this parameter affects only non-migratable hugepages.
|
|
|
|
|
|
|
|
Assuming that hugepages are not migratable in your system, one usecase of
|
|
|
|
this parameter is that users can make hugepage pool more extensible by
|
|
|
|
enabling the allocation from ZONE_MOVABLE. This is because on ZONE_MOVABLE
|
|
|
|
page reclaim/migration/compaction work more and you can get contiguous
|
|
|
|
memory more likely. Note that using ZONE_MOVABLE for non-migratable
|
|
|
|
hugepages can do harm to other features like memory hotremove (because
|
|
|
|
memory hotremove expects that memory blocks on ZONE_MOVABLE are always
|
|
|
|
removable,) so it's a trade-off responsible for the users.
|
2007-10-17 14:31:28 +08:00
|
|
|
|
2006-01-08 17:00:40 +08:00
|
|
|
==============================================================
|
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
hugetlb_shm_group
|
2006-01-08 17:00:40 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
hugetlb_shm_group contains group id that is allowed to create SysV
|
|
|
|
shared memory segment using hugetlb page.
|
2006-01-08 17:00:40 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
==============================================================
|
2006-01-08 17:00:40 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
laptop_mode
|
2006-01-19 09:42:32 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
laptop_mode is a knob that controls "laptop mode". All the things that are
|
|
|
|
controlled by this knob are discussed in Documentation/laptops/laptop-mode.txt.
|
2006-01-19 09:42:32 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
==============================================================
|
2006-01-19 09:42:32 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
legacy_va_layout
|
2006-02-01 19:05:34 +08:00
|
|
|
|
2010-06-28 19:59:28 +08:00
|
|
|
If non-zero, this sysctl disables the new 32-bit mmap layout - the kernel
|
2009-01-16 05:50:42 +08:00
|
|
|
will use the legacy (2.4) layout for all processes.
|
2006-02-01 19:05:34 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
==============================================================
|
2006-02-01 19:05:34 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
lowmem_reserve_ratio
|
|
|
|
|
|
|
|
For some specialised workloads on highmem machines it is dangerous for
|
|
|
|
the kernel to allow process memory to be allocated from the "lowmem"
|
|
|
|
zone. This is because that memory could then be pinned via the mlock()
|
|
|
|
system call, or by unavailability of swapspace.
|
|
|
|
|
|
|
|
And on large highmem machines this lack of reclaimable lowmem memory
|
|
|
|
can be fatal.
|
|
|
|
|
|
|
|
So the Linux page allocator has a mechanism which prevents allocations
|
|
|
|
which _could_ use highmem from using too much lowmem. This means that
|
|
|
|
a certain amount of lowmem is defended from the possibility of being
|
|
|
|
captured into pinned user memory.
|
|
|
|
|
|
|
|
(The same argument applies to the old 16 megabyte ISA DMA region. This
|
|
|
|
mechanism will also defend that region from allocations which could use
|
|
|
|
highmem or lowmem).
|
|
|
|
|
|
|
|
The `lowmem_reserve_ratio' tunable determines how aggressive the kernel is
|
|
|
|
in defending these lower zones.
|
|
|
|
|
|
|
|
If you have a machine which uses highmem or ISA DMA and your
|
|
|
|
applications are using mlock(), or if you are running with no swap then
|
|
|
|
you probably should change the lowmem_reserve_ratio setting.
|
|
|
|
|
|
|
|
The lowmem_reserve_ratio is an array. You can see them by reading this file.
|
|
|
|
-
|
|
|
|
% cat /proc/sys/vm/lowmem_reserve_ratio
|
|
|
|
256 256 32
|
|
|
|
-
|
|
|
|
Note: # of this elements is one fewer than number of zones. Because the highest
|
|
|
|
zone's value is not necessary for following calculation.
|
|
|
|
|
|
|
|
But, these values are not used directly. The kernel calculates # of protection
|
|
|
|
pages for each zones from them. These are shown as array of protection pages
|
|
|
|
in /proc/zoneinfo like followings. (This is an example of x86-64 box).
|
|
|
|
Each zone has an array of protection pages like this.
|
|
|
|
|
|
|
|
-
|
|
|
|
Node 0, zone DMA
|
|
|
|
pages free 1355
|
|
|
|
min 3
|
|
|
|
low 3
|
|
|
|
high 4
|
|
|
|
:
|
|
|
|
:
|
|
|
|
numa_other 0
|
|
|
|
protection: (0, 2004, 2004, 2004)
|
|
|
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
|
|
|
pagesets
|
|
|
|
cpu: 0 pcp: 0
|
|
|
|
:
|
|
|
|
-
|
|
|
|
These protections are added to score to judge whether this zone should be used
|
|
|
|
for page allocation or should be reclaimed.
|
|
|
|
|
|
|
|
In this example, if normal pages (index=2) are required to this DMA zone and
|
2009-06-17 06:32:12 +08:00
|
|
|
watermark[WMARK_HIGH] is used for watermark, the kernel judges this zone should
|
|
|
|
not be used because pages_free(1355) is smaller than watermark + protection[2]
|
2009-01-16 05:50:42 +08:00
|
|
|
(4 + 2004 = 2008). If this protection value is 0, this zone would be used for
|
|
|
|
normal page requirement. If requirement is DMA zone(index=0), protection[0]
|
|
|
|
(=0) is used.
|
|
|
|
|
|
|
|
zone[i]'s protection[j] is calculated by following expression.
|
|
|
|
|
|
|
|
(i < j):
|
|
|
|
zone[i]->protection[j]
|
2015-09-09 06:04:10 +08:00
|
|
|
= (total sums of managed_pages from zone[i+1] to zone[j] on the node)
|
2009-01-16 05:50:42 +08:00
|
|
|
/ lowmem_reserve_ratio[i];
|
|
|
|
(i = j):
|
|
|
|
(should not be protected. = 0;
|
|
|
|
(i > j):
|
|
|
|
(not necessary, but looks 0)
|
|
|
|
|
|
|
|
The default values of lowmem_reserve_ratio[i] are
|
|
|
|
256 (if zone[i] means DMA or DMA32 zone)
|
|
|
|
32 (others).
|
|
|
|
As above expression, they are reciprocal number of ratio.
|
2015-09-09 06:04:10 +08:00
|
|
|
256 means 1/256. # of protection pages becomes about "0.39%" of total managed
|
2009-01-16 05:50:42 +08:00
|
|
|
pages of higher zones on the node.
|
|
|
|
|
|
|
|
If you would like to protect more pages, smaller values are effective.
|
|
|
|
The minimum value is 1 (1/1 -> 100%).
|
2006-02-01 19:05:34 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
==============================================================
|
2006-02-01 19:05:34 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
max_map_count:
|
2006-01-19 09:42:32 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
This file contains the maximum number of memory map areas a process
|
|
|
|
may have. Memory map areas are used as a side-effect of calling
|
|
|
|
malloc, directly by mmap and mprotect, and also when loading shared
|
|
|
|
libraries.
|
2006-01-19 09:42:32 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
While most applications need less than a thousand maps, certain
|
|
|
|
programs, particularly malloc debuggers, may consume lots of them,
|
|
|
|
e.g., up to one or two maps per allocation.
|
2006-06-23 17:03:13 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
The default value is 65536.
|
2006-07-03 15:24:13 +08:00
|
|
|
|
2009-09-16 17:50:15 +08:00
|
|
|
=============================================================
|
|
|
|
|
|
|
|
memory_failure_early_kill:
|
|
|
|
|
|
|
|
Control how to kill processes when uncorrected memory error (typically
|
|
|
|
a 2bit error in a memory module) is detected in the background by hardware
|
|
|
|
that cannot be handled by the kernel. In some cases (like the page
|
|
|
|
still having a valid copy on disk) the kernel will handle the failure
|
|
|
|
transparently without affecting any applications. But if there is
|
|
|
|
no other uptodate copy of the data it will kill to prevent any data
|
|
|
|
corruptions from propagating.
|
|
|
|
|
|
|
|
1: Kill all processes that have the corrupted and not reloadable page mapped
|
|
|
|
as soon as the corruption is detected. Note this is not supported
|
|
|
|
for a few types of pages, like kernel internally allocated data or
|
|
|
|
the swap cache, but works for the majority of user pages.
|
|
|
|
|
|
|
|
0: Only unmap the corrupted page from all processes and only kill a process
|
|
|
|
who tries to access it.
|
|
|
|
|
|
|
|
The kill is done using a catchable SIGBUS with BUS_MCEERR_AO, so processes can
|
|
|
|
handle this if they want to.
|
|
|
|
|
|
|
|
This is only active on architectures/platforms with advanced machine
|
|
|
|
check handling and depends on the hardware capabilities.
|
|
|
|
|
|
|
|
Applications can override this setting individually with the PR_MCE_KILL prctl
|
|
|
|
|
|
|
|
==============================================================
|
|
|
|
|
|
|
|
memory_failure_recovery
|
|
|
|
|
|
|
|
Enable memory failure recovery (when supported by the platform)
|
|
|
|
|
|
|
|
1: Attempt recovery.
|
|
|
|
|
|
|
|
0: Always panic on a memory failure.
|
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
==============================================================
|
2006-07-03 15:24:13 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
min_free_kbytes:
|
2006-07-03 15:24:13 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
This is used to force the Linux VM to keep a minimum number
|
2009-06-17 06:32:12 +08:00
|
|
|
of kilobytes free. The VM uses this number to compute a
|
|
|
|
watermark[WMARK_MIN] value for each lowmem zone in the system.
|
|
|
|
Each lowmem zone gets a number of reserved free pages based
|
|
|
|
proportionally on its size.
|
2009-01-16 05:50:42 +08:00
|
|
|
|
|
|
|
Some minimal amount of memory is needed to satisfy PF_MEMALLOC
|
|
|
|
allocations; if you set this to lower than 1024KB, your system will
|
|
|
|
become subtly broken, and prone to deadlock under high loads.
|
|
|
|
|
|
|
|
Setting this too high will OOM your machine instantly.
|
2006-07-03 15:24:13 +08:00
|
|
|
|
|
|
|
=============================================================
|
|
|
|
|
2006-09-26 14:31:52 +08:00
|
|
|
min_slab_ratio:
|
|
|
|
|
|
|
|
This is available only on NUMA kernels.
|
|
|
|
|
|
|
|
A percentage of the total pages in each zone. On Zone reclaim
|
|
|
|
(fallback from the local zone occurs) slabs will be reclaimed if more
|
|
|
|
than this percentage of pages in a zone are reclaimable slab pages.
|
|
|
|
This insures that the slab growth stays under control even in NUMA
|
|
|
|
systems that rarely perform global reclaim.
|
|
|
|
|
|
|
|
The default is 5 percent.
|
|
|
|
|
|
|
|
Note that slab reclaim is triggered in a per zone / node fashion.
|
|
|
|
The process of reclaiming slab memory is currently not node specific
|
|
|
|
and may not be fast.
|
|
|
|
|
|
|
|
=============================================================
|
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
min_unmapped_ratio:
|
2006-06-23 17:03:13 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
This is available only on NUMA kernels.
|
2006-06-23 17:03:13 +08:00
|
|
|
|
vmscan: properly account for the number of page cache pages zone_reclaim() can reclaim
A bug was brought to my attention against a distro kernel but it affects
mainline and I believe problems like this have been reported in various
guises on the mailing lists although I don't have specific examples at the
moment.
The reported problem was that malloc() stalled for a long time (minutes in
some cases) if a large tmpfs mount was occupying a large percentage of
memory overall. The pages did not get cleaned or reclaimed by
zone_reclaim() because the zone_reclaim_mode was unsuitable, but the lists
are uselessly scanned frequencly making the CPU spin at near 100%.
This patchset intends to address that bug and bring the behaviour of
zone_reclaim() more in line with expectations which were noticed during
investigation. It is based on top of mmotm and takes advantage of
Kosaki's work with respect to zone_reclaim().
Patch 1 fixes the heuristics that zone_reclaim() uses to determine if the
scan should go ahead. The broken heuristic is what was causing the
malloc() stall as it uselessly scanned the LRU constantly. Currently,
zone_reclaim is assuming zone_reclaim_mode is 1 and historically it
could not deal with tmpfs pages at all. This fixes up the heuristic so
that an unnecessary scan is more likely to be correctly avoided.
Patch 2 notes that zone_reclaim() returning a failure automatically means
the zone is marked full. This is not always true. It could have
failed because the GFP mask or zone_reclaim_mode were unsuitable.
Patch 3 introduces a counter zreclaim_failed that will increment each
time the zone_reclaim scan-avoidance heuristics fail. If that
counter is rapidly increasing, then zone_reclaim_mode should be
set to 0 as a temporarily resolution and a bug reported because
the scan-avoidance heuristic is still broken.
This patch:
On NUMA machines, the administrator can configure zone_reclaim_mode that
is a more targetted form of direct reclaim. On machines with large NUMA
distances for example, a zone_reclaim_mode defaults to 1 meaning that
clean unmapped pages will be reclaimed if the zone watermarks are not
being met.
There is a heuristic that determines if the scan is worthwhile but the
problem is that the heuristic is not being properly applied and is
basically assuming zone_reclaim_mode is 1 if it is enabled. The lack of
proper detection can manfiest as high CPU usage as the LRU list is scanned
uselessly.
Historically, once enabled it was depending on NR_FILE_PAGES which may
include swapcache pages that the reclaim_mode cannot deal with. Patch
vmscan-change-the-number-of-the-unmapped-files-in-zone-reclaim.patch by
Kosaki Motohiro noted that zone_page_state(zone, NR_FILE_PAGES) included
pages that were not file-backed such as swapcache and made a calculation
based on the inactive, active and mapped files. This is far superior when
zone_reclaim==1 but if RECLAIM_SWAP is set, then NR_FILE_PAGES is a
reasonable starting figure.
This patch alters how zone_reclaim() works out how many pages it might be
able to reclaim given the current reclaim_mode. If RECLAIM_SWAP is set in
the reclaim_mode it will either consider NR_FILE_PAGES as potential
candidates or else use NR_{IN}ACTIVE}_PAGES-NR_FILE_MAPPED to discount
swapcache and other non-file-backed pages. If RECLAIM_WRITE is not set,
then NR_FILE_DIRTY number of pages are not candidates. If RECLAIM_SWAP is
not set, then NR_FILE_MAPPED are not.
[kosaki.motohiro@jp.fujitsu.com: Estimate unmapped pages minus tmpfs pages]
[fengguang.wu@intel.com: Fix underflow problem in Kosaki's estimate]
Signed-off-by: Mel Gorman <mel@csn.ul.ie>
Reviewed-by: Rik van Riel <riel@redhat.com>
Acked-by: Christoph Lameter <cl@linux-foundation.org>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-06-17 06:33:20 +08:00
|
|
|
This is a percentage of the total pages in each zone. Zone reclaim will
|
|
|
|
only occur if more than this percentage of pages are in a state that
|
|
|
|
zone_reclaim_mode allows to be reclaimed.
|
|
|
|
|
|
|
|
If zone_reclaim_mode has the value 4 OR'd, then the percentage is compared
|
|
|
|
against all file-backed unmapped pages including swapcache pages and tmpfs
|
|
|
|
files. Otherwise, only unmapped pages backed by normal files but not tmpfs
|
|
|
|
files and similar are considered.
|
2007-05-07 05:49:59 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
The default is 1 percent.
|
2006-06-23 17:03:13 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
==============================================================
|
2007-05-07 05:49:59 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
mmap_min_addr
|
2007-06-29 03:55:21 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
This file indicates the amount of address space which a user process will
|
tree-wide: fix assorted typos all over the place
That is "success", "unknown", "through", "performance", "[re|un]mapping"
, "access", "default", "reasonable", "[con]currently", "temperature"
, "channel", "[un]used", "application", "example","hierarchy", "therefore"
, "[over|under]flow", "contiguous", "threshold", "enough" and others.
Signed-off-by: André Goddard Rosa <andre.goddard@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2009-11-14 23:09:05 +08:00
|
|
|
be restricted from mmapping. Since kernel null dereference bugs could
|
2009-01-16 05:50:42 +08:00
|
|
|
accidentally operate based on the information in the first couple of pages
|
|
|
|
of memory userspace processes should not be allowed to write to them. By
|
|
|
|
default this value is set to 0 and no protections will be enforced by the
|
|
|
|
security module. Setting this value to something like 64k will allow the
|
|
|
|
vast majority of applications to work correctly and provide defense in depth
|
|
|
|
against future potential kernel bugs.
|
2007-10-17 14:25:56 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
==============================================================
|
oom: add sysctl to enable task memory dump
Adds a new sysctl, 'oom_dump_tasks', that enables the kernel to produce a
dump of all system tasks (excluding kernel threads) when performing an
OOM-killing. Information includes pid, uid, tgid, vm size, rss, cpu,
oom_adj score, and name.
This is helpful for determining why there was an OOM condition and which
rogue task caused it.
It is configurable so that large systems, such as those with several
thousand tasks, do not incur a performance penalty associated with dumping
data they may not desire.
If an OOM was triggered as a result of a memory controller, the tasklist
shall be filtered to exclude tasks that are not a member of the same
cgroup.
Cc: Andrea Arcangeli <andrea@suse.de>
Cc: Christoph Lameter <clameter@sgi.com>
Cc: Balbir Singh <balbir@linux.vnet.ibm.com>
Signed-off-by: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-02-07 16:14:07 +08:00
|
|
|
|
mm: mmap: add new /proc tunable for mmap_base ASLR
Address Space Layout Randomization (ASLR) provides a barrier to
exploitation of user-space processes in the presence of security
vulnerabilities by making it more difficult to find desired code/data
which could help an attack. This is done by adding a random offset to
the location of regions in the process address space, with a greater
range of potential offset values corresponding to better protection/a
larger search-space for brute force, but also to greater potential for
fragmentation.
The offset added to the mmap_base address, which provides the basis for
the majority of the mappings for a process, is set once on process exec
in arch_pick_mmap_layout() and is done via hard-coded per-arch values,
which reflect, hopefully, the best compromise for all systems. The
trade-off between increased entropy in the offset value generation and
the corresponding increased variability in address space fragmentation
is not absolute, however, and some platforms may tolerate higher amounts
of entropy. This patch introduces both new Kconfig values and a sysctl
interface which may be used to change the amount of entropy used for
offset generation on a system.
The direct motivation for this change was in response to the
libstagefright vulnerabilities that affected Android, specifically to
information provided by Google's project zero at:
http://googleprojectzero.blogspot.com/2015/09/stagefrightened.html
The attack presented therein, by Google's project zero, specifically
targeted the limited randomness used to generate the offset added to the
mmap_base address in order to craft a brute-force-based attack.
Concretely, the attack was against the mediaserver process, which was
limited to respawning every 5 seconds, on an arm device. The hard-coded
8 bits used resulted in an average expected success rate of defeating
the mmap ASLR after just over 10 minutes (128 tries at 5 seconds a
piece). With this patch, and an accompanying increase in the entropy
value to 16 bits, the same attack would take an average expected time of
over 45 hours (32768 tries), which makes it both less feasible and more
likely to be noticed.
The introduced Kconfig and sysctl options are limited by per-arch
minimum and maximum values, the minimum of which was chosen to match the
current hard-coded value and the maximum of which was chosen so as to
give the greatest flexibility without generating an invalid mmap_base
address, generally a 3-4 bits less than the number of bits in the
user-space accessible virtual address space.
When decided whether or not to change the default value, a system
developer should consider that mmap_base address could be placed
anywhere up to 2^(value) bits away from the non-randomized location,
which would introduce variable-sized areas above and below the mmap_base
address such that the maximum vm_area_struct size may be reduced,
preventing very large allocations.
This patch (of 4):
ASLR only uses as few as 8 bits to generate the random offset for the
mmap base address on 32 bit architectures. This value was chosen to
prevent a poorly chosen value from dividing the address space in such a
way as to prevent large allocations. This may not be an issue on all
platforms. Allow the specification of a minimum number of bits so that
platforms desiring greater ASLR protection may determine where to place
the trade-off.
Signed-off-by: Daniel Cashman <dcashman@google.com>
Cc: Russell King <linux@arm.linux.org.uk>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Don Zickus <dzickus@redhat.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: David Rientjes <rientjes@google.com>
Cc: Mark Salyzyn <salyzyn@android.com>
Cc: Jeff Vander Stoep <jeffv@google.com>
Cc: Nick Kralevich <nnk@google.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Hector Marco-Gisbert <hecmargi@upv.es>
Cc: Borislav Petkov <bp@suse.de>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-01-15 07:19:53 +08:00
|
|
|
mmap_rnd_bits:
|
|
|
|
|
|
|
|
This value can be used to select the number of bits to use to
|
|
|
|
determine the random offset to the base address of vma regions
|
|
|
|
resulting from mmap allocations on architectures which support
|
|
|
|
tuning address space randomization. This value will be bounded
|
|
|
|
by the architecture's minimum and maximum supported values.
|
|
|
|
|
|
|
|
This value can be changed after boot using the
|
|
|
|
/proc/sys/vm/mmap_rnd_bits tunable
|
|
|
|
|
|
|
|
==============================================================
|
|
|
|
|
|
|
|
mmap_rnd_compat_bits:
|
|
|
|
|
|
|
|
This value can be used to select the number of bits to use to
|
|
|
|
determine the random offset to the base address of vma regions
|
|
|
|
resulting from mmap allocations for applications run in
|
|
|
|
compatibility mode on architectures which support tuning address
|
|
|
|
space randomization. This value will be bounded by the
|
|
|
|
architecture's minimum and maximum supported values.
|
|
|
|
|
|
|
|
This value can be changed after boot using the
|
|
|
|
/proc/sys/vm/mmap_rnd_compat_bits tunable
|
|
|
|
|
|
|
|
==============================================================
|
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
nr_hugepages
|
oom: add sysctl to enable task memory dump
Adds a new sysctl, 'oom_dump_tasks', that enables the kernel to produce a
dump of all system tasks (excluding kernel threads) when performing an
OOM-killing. Information includes pid, uid, tgid, vm size, rss, cpu,
oom_adj score, and name.
This is helpful for determining why there was an OOM condition and which
rogue task caused it.
It is configurable so that large systems, such as those with several
thousand tasks, do not incur a performance penalty associated with dumping
data they may not desire.
If an OOM was triggered as a result of a memory controller, the tasklist
shall be filtered to exclude tasks that are not a member of the same
cgroup.
Cc: Andrea Arcangeli <andrea@suse.de>
Cc: Christoph Lameter <clameter@sgi.com>
Cc: Balbir Singh <balbir@linux.vnet.ibm.com>
Signed-off-by: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-02-07 16:14:07 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
Change the minimum size of the hugepage pool.
|
oom: add sysctl to enable task memory dump
Adds a new sysctl, 'oom_dump_tasks', that enables the kernel to produce a
dump of all system tasks (excluding kernel threads) when performing an
OOM-killing. Information includes pid, uid, tgid, vm size, rss, cpu,
oom_adj score, and name.
This is helpful for determining why there was an OOM condition and which
rogue task caused it.
It is configurable so that large systems, such as those with several
thousand tasks, do not incur a performance penalty associated with dumping
data they may not desire.
If an OOM was triggered as a result of a memory controller, the tasklist
shall be filtered to exclude tasks that are not a member of the same
cgroup.
Cc: Andrea Arcangeli <andrea@suse.de>
Cc: Christoph Lameter <clameter@sgi.com>
Cc: Balbir Singh <balbir@linux.vnet.ibm.com>
Signed-off-by: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-02-07 16:14:07 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
See Documentation/vm/hugetlbpage.txt
|
oom: add sysctl to enable task memory dump
Adds a new sysctl, 'oom_dump_tasks', that enables the kernel to produce a
dump of all system tasks (excluding kernel threads) when performing an
OOM-killing. Information includes pid, uid, tgid, vm size, rss, cpu,
oom_adj score, and name.
This is helpful for determining why there was an OOM condition and which
rogue task caused it.
It is configurable so that large systems, such as those with several
thousand tasks, do not incur a performance penalty associated with dumping
data they may not desire.
If an OOM was triggered as a result of a memory controller, the tasklist
shall be filtered to exclude tasks that are not a member of the same
cgroup.
Cc: Andrea Arcangeli <andrea@suse.de>
Cc: Christoph Lameter <clameter@sgi.com>
Cc: Balbir Singh <balbir@linux.vnet.ibm.com>
Signed-off-by: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-02-07 16:14:07 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
==============================================================
|
oom: add sysctl to enable task memory dump
Adds a new sysctl, 'oom_dump_tasks', that enables the kernel to produce a
dump of all system tasks (excluding kernel threads) when performing an
OOM-killing. Information includes pid, uid, tgid, vm size, rss, cpu,
oom_adj score, and name.
This is helpful for determining why there was an OOM condition and which
rogue task caused it.
It is configurable so that large systems, such as those with several
thousand tasks, do not incur a performance penalty associated with dumping
data they may not desire.
If an OOM was triggered as a result of a memory controller, the tasklist
shall be filtered to exclude tasks that are not a member of the same
cgroup.
Cc: Andrea Arcangeli <andrea@suse.de>
Cc: Christoph Lameter <clameter@sgi.com>
Cc: Balbir Singh <balbir@linux.vnet.ibm.com>
Signed-off-by: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-02-07 16:14:07 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
nr_overcommit_hugepages
|
oom: add sysctl to enable task memory dump
Adds a new sysctl, 'oom_dump_tasks', that enables the kernel to produce a
dump of all system tasks (excluding kernel threads) when performing an
OOM-killing. Information includes pid, uid, tgid, vm size, rss, cpu,
oom_adj score, and name.
This is helpful for determining why there was an OOM condition and which
rogue task caused it.
It is configurable so that large systems, such as those with several
thousand tasks, do not incur a performance penalty associated with dumping
data they may not desire.
If an OOM was triggered as a result of a memory controller, the tasklist
shall be filtered to exclude tasks that are not a member of the same
cgroup.
Cc: Andrea Arcangeli <andrea@suse.de>
Cc: Christoph Lameter <clameter@sgi.com>
Cc: Balbir Singh <balbir@linux.vnet.ibm.com>
Signed-off-by: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-02-07 16:14:07 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
Change the maximum size of the hugepage pool. The maximum is
|
|
|
|
nr_hugepages + nr_overcommit_hugepages.
|
2007-10-17 14:25:56 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
See Documentation/vm/hugetlbpage.txt
|
2007-10-17 14:25:56 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
==============================================================
|
2007-10-17 14:25:56 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
nr_trim_pages
|
2007-06-29 03:55:21 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
This is available only on NOMMU kernels.
|
|
|
|
|
|
|
|
This value adjusts the excess page trimming behaviour of power-of-2 aligned
|
|
|
|
NOMMU mmap allocations.
|
|
|
|
|
|
|
|
A value of 0 disables trimming of allocations entirely, while a value of 1
|
|
|
|
trims excess pages aggressively. Any value >= 1 acts as the watermark where
|
|
|
|
trimming of allocations is initiated.
|
|
|
|
|
|
|
|
The default value is 1.
|
|
|
|
|
|
|
|
See Documentation/nommu-mmap.txt for more information.
|
2007-06-29 03:55:21 +08:00
|
|
|
|
2007-07-16 14:38:01 +08:00
|
|
|
==============================================================
|
|
|
|
|
|
|
|
numa_zonelist_order
|
|
|
|
|
|
|
|
This sysctl is only for NUMA.
|
|
|
|
'where the memory is allocated from' is controlled by zonelists.
|
|
|
|
(This documentation ignores ZONE_HIGHMEM/ZONE_DMA32 for simple explanation.
|
|
|
|
you may be able to read ZONE_DMA as ZONE_DMA32...)
|
|
|
|
|
|
|
|
In non-NUMA case, a zonelist for GFP_KERNEL is ordered as following.
|
|
|
|
ZONE_NORMAL -> ZONE_DMA
|
|
|
|
This means that a memory allocation request for GFP_KERNEL will
|
|
|
|
get memory from ZONE_DMA only when ZONE_NORMAL is not available.
|
|
|
|
|
|
|
|
In NUMA case, you can think of following 2 types of order.
|
|
|
|
Assume 2 node NUMA and below is zonelist of Node(0)'s GFP_KERNEL
|
|
|
|
|
|
|
|
(A) Node(0) ZONE_NORMAL -> Node(0) ZONE_DMA -> Node(1) ZONE_NORMAL
|
|
|
|
(B) Node(0) ZONE_NORMAL -> Node(1) ZONE_NORMAL -> Node(0) ZONE_DMA.
|
|
|
|
|
|
|
|
Type(A) offers the best locality for processes on Node(0), but ZONE_DMA
|
|
|
|
will be used before ZONE_NORMAL exhaustion. This increases possibility of
|
|
|
|
out-of-memory(OOM) of ZONE_DMA because ZONE_DMA is tend to be small.
|
|
|
|
|
|
|
|
Type(B) cannot offer the best locality but is more robust against OOM of
|
|
|
|
the DMA zone.
|
|
|
|
|
|
|
|
Type(A) is called as "Node" order. Type (B) is "Zone" order.
|
|
|
|
|
|
|
|
"Node order" orders the zonelists by node, then by zone within each node.
|
2011-04-06 17:09:55 +08:00
|
|
|
Specify "[Nn]ode" for node order
|
2007-07-16 14:38:01 +08:00
|
|
|
|
|
|
|
"Zone Order" orders the zonelists by zone type, then by node within each
|
2011-04-06 17:09:55 +08:00
|
|
|
zone. Specify "[Zz]one" for zone order.
|
2007-07-16 14:38:01 +08:00
|
|
|
|
2016-04-29 07:19:11 +08:00
|
|
|
Specify "[Dd]efault" to request automatic configuration.
|
|
|
|
|
|
|
|
On 32-bit, the Normal zone needs to be preserved for allocations accessible
|
|
|
|
by the kernel, so "zone" order will be selected.
|
|
|
|
|
|
|
|
On 64-bit, devices that require DMA32/DMA are relatively rare, so "node"
|
|
|
|
order will be selected.
|
|
|
|
|
|
|
|
Default order is recommended unless this is causing problems for your
|
|
|
|
system/application.
|
2007-12-18 08:20:25 +08:00
|
|
|
|
|
|
|
==============================================================
|
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
oom_dump_tasks
|
2007-12-18 08:20:25 +08:00
|
|
|
|
mm: account pmd page tables to the process
Dave noticed that unprivileged process can allocate significant amount of
memory -- >500 MiB on x86_64 -- and stay unnoticed by oom-killer and
memory cgroup. The trick is to allocate a lot of PMD page tables. Linux
kernel doesn't account PMD tables to the process, only PTE.
The use-cases below use few tricks to allocate a lot of PMD page tables
while keeping VmRSS and VmPTE low. oom_score for the process will be 0.
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#define PUD_SIZE (1UL << 30)
#define PMD_SIZE (1UL << 21)
#define NR_PUD 130000
int main(void)
{
char *addr = NULL;
unsigned long i;
prctl(PR_SET_THP_DISABLE);
for (i = 0; i < NR_PUD ; i++) {
addr = mmap(addr + PUD_SIZE, PUD_SIZE, PROT_WRITE|PROT_READ,
MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
if (addr == MAP_FAILED) {
perror("mmap");
break;
}
*addr = 'x';
munmap(addr, PMD_SIZE);
mmap(addr, PMD_SIZE, PROT_WRITE|PROT_READ,
MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED, -1, 0);
if (addr == MAP_FAILED)
perror("re-mmap"), exit(1);
}
printf("PID %d consumed %lu KiB in PMD page tables\n",
getpid(), i * 4096 >> 10);
return pause();
}
The patch addresses the issue by account PMD tables to the process the
same way we account PTE.
The main place where PMD tables is accounted is __pmd_alloc() and
free_pmd_range(). But there're few corner cases:
- HugeTLB can share PMD page tables. The patch handles by accounting
the table to all processes who share it.
- x86 PAE pre-allocates few PMD tables on fork.
- Architectures with FIRST_USER_ADDRESS > 0. We need to adjust sanity
check on exit(2).
Accounting only happens on configuration where PMD page table's level is
present (PMD is not folded). As with nr_ptes we use per-mm counter. The
counter value is used to calculate baseline for badness score by
oom-killer.
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reported-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Hugh Dickins <hughd@google.com>
Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>
Cc: Pavel Emelyanov <xemul@openvz.org>
Cc: David Rientjes <rientjes@google.com>
Tested-by: Sedat Dilek <sedat.dilek@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-02-12 07:26:50 +08:00
|
|
|
Enables a system-wide task dump (excluding kernel threads) to be produced
|
|
|
|
when the kernel performs an OOM-killing and includes such information as
|
|
|
|
pid, uid, tgid, vm size, rss, nr_ptes, nr_pmds, swapents, oom_score_adj
|
|
|
|
score, and name. This is helpful to determine why the OOM killer was
|
|
|
|
invoked, to identify the rogue task that caused it, and to determine why
|
|
|
|
the OOM killer chose the task it did to kill.
|
2007-12-18 08:20:25 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
If this is set to zero, this information is suppressed. On very
|
|
|
|
large systems with thousands of tasks it may not be feasible to dump
|
|
|
|
the memory state information for each one. Such systems should not
|
|
|
|
be forced to incur a performance penalty in OOM conditions when the
|
|
|
|
information may not be desired.
|
|
|
|
|
|
|
|
If this is set to non-zero, this information is shown whenever the
|
|
|
|
OOM killer actually kills a memory-hogging task.
|
|
|
|
|
2010-08-10 08:18:53 +08:00
|
|
|
The default value is 1 (enabled).
|
2007-12-18 08:20:25 +08:00
|
|
|
|
|
|
|
==============================================================
|
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
oom_kill_allocating_task
|
2007-12-18 08:20:25 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
This enables or disables killing the OOM-triggering task in
|
|
|
|
out-of-memory situations.
|
2007-12-18 08:20:25 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
If this is set to zero, the OOM killer will scan through the entire
|
|
|
|
tasklist and select a task based on heuristics to kill. This normally
|
|
|
|
selects a rogue memory-hogging task that frees up a large amount of
|
|
|
|
memory when killed.
|
|
|
|
|
|
|
|
If this is set to non-zero, the OOM killer simply kills the task that
|
|
|
|
triggered the out-of-memory condition. This avoids the expensive
|
|
|
|
tasklist scan.
|
|
|
|
|
|
|
|
If panic_on_oom is selected, it takes precedence over whatever value
|
|
|
|
is used in oom_kill_allocating_task.
|
|
|
|
|
|
|
|
The default value is 0.
|
2009-01-08 20:04:47 +08:00
|
|
|
|
|
|
|
==============================================================
|
|
|
|
|
2014-01-22 07:49:14 +08:00
|
|
|
overcommit_kbytes:
|
|
|
|
|
|
|
|
When overcommit_memory is set to 2, the committed address space is not
|
|
|
|
permitted to exceed swap plus this amount of physical RAM. See below.
|
|
|
|
|
|
|
|
Note: overcommit_kbytes is the counterpart of overcommit_ratio. Only one
|
|
|
|
of them may be specified at a time. Setting one disables the other (which
|
|
|
|
then appears as 0 when read).
|
|
|
|
|
|
|
|
==============================================================
|
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
overcommit_memory:
|
2009-01-08 20:04:47 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
This value contains a flag that enables memory overcommitment.
|
2009-01-08 20:04:47 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
When this flag is 0, the kernel attempts to estimate the amount
|
|
|
|
of free memory left when userspace requests more memory.
|
2009-01-08 20:04:47 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
When this flag is 1, the kernel pretends there is always enough
|
|
|
|
memory until it actually runs out.
|
2009-01-08 20:04:47 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
When this flag is 2, the kernel uses a "never overcommit"
|
|
|
|
policy that attempts to prevent any overcommit of memory.
|
mm: limit growth of 3% hardcoded other user reserve
Add user_reserve_kbytes knob.
Limit the growth of the memory reserved for other user processes to
min(3% current process size, user_reserve_pages). Only about 8MB is
necessary to enable recovery in the default mode, and only a few hundred
MB are required even when overcommit is disabled.
user_reserve_pages defaults to min(3% free pages, 128MB)
I arrived at 128MB by taking the max VSZ of sshd, login, bash, and top ...
then adding the RSS of each.
This only affects OVERCOMMIT_NEVER mode.
Background
1. user reserve
__vm_enough_memory reserves a hardcoded 3% of the current process size for
other applications when overcommit is disabled. This was done so that a
user could recover if they launched a memory hogging process. Without the
reserve, a user would easily run into a message such as:
bash: fork: Cannot allocate memory
2. admin reserve
Additionally, a hardcoded 3% of free memory is reserved for root in both
overcommit 'guess' and 'never' modes. This was intended to prevent a
scenario where root-cant-log-in and perform recovery operations.
Note that this reserve shrinks, and doesn't guarantee a useful reserve.
Motivation
The two hardcoded memory reserves should be updated to account for current
memory sizes.
Also, the admin reserve would be more useful if it didn't shrink too much.
When the current code was originally written, 1GB was considered
"enterprise". Now the 3% reserve can grow to multiple GB on large memory
systems, and it only needs to be a few hundred MB at most to enable a user
or admin to recover a system with an unwanted memory hogging process.
I've found that reducing these reserves is especially beneficial for a
specific type of application load:
* single application system
* one or few processes (e.g. one per core)
* allocating all available memory
* not initializing every page immediately
* long running
I've run scientific clusters with this sort of load. A long running job
sometimes failed many hours (weeks of CPU time) into a calculation. They
weren't initializing all of their memory immediately, and they weren't
using calloc, so I put systems into overcommit 'never' mode. These
clusters run diskless and have no swap.
However, with the current reserves, a user wishing to allocate as much
memory as possible to one process may be prevented from using, for
example, almost 2GB out of 32GB.
The effect is less, but still significant when a user starts a job with
one process per core. I have repeatedly seen a set of processes
requesting the same amount of memory fail because one of them could not
allocate the amount of memory a user would expect to be able to allocate.
For example, Message Passing Interfce (MPI) processes, one per core. And
it is similar for other parallel programming frameworks.
Changing this reserve code will make the overcommit never mode more useful
by allowing applications to allocate nearly all of the available memory.
Also, the new admin_reserve_kbytes will be safer than the current behavior
since the hardcoded 3% of available memory reserve can shrink to something
useless in the case where applications have grabbed all available memory.
Risks
* "bash: fork: Cannot allocate memory"
The downside of the first patch-- which creates a tunable user reserve
that is only used in overcommit 'never' mode--is that an admin can set
it so low that a user may not be able to kill their process, even if
they already have a shell prompt.
Of course, a user can get in the same predicament with the current 3%
reserve--they just have to launch processes until 3% becomes negligible.
* root-cant-log-in problem
The second patch, adding the tunable rootuser_reserve_pages, allows
the admin to shoot themselves in the foot by setting it too small. They
can easily get the system into a state where root-can't-log-in.
However, the new admin_reserve_kbytes will be safer than the current
behavior since the hardcoded 3% of available memory reserve can shrink
to something useless in the case where applications have grabbed all
available memory.
Alternatives
* Memory cgroups provide a more flexible way to limit application memory.
Not everyone wants to set up cgroups or deal with their overhead.
* We could create a fourth overcommit mode which provides smaller reserves.
The size of useful reserves may be drastically different depending
on the whether the system is embedded or enterprise.
* Force users to initialize all of their memory or use calloc.
Some users don't want/expect the system to overcommit when they malloc.
Overcommit 'never' mode is for this scenario, and it should work well.
The new user and admin reserve tunables are simple to use, with low
overhead compared to cgroups. The patches preserve current behavior where
3% of memory is less than 128MB, except that the admin reserve doesn't
shrink to an unusable size under pressure. The code allows admins to tune
for embedded and enterprise usage.
FAQ
* How is the root-cant-login problem addressed?
What happens if admin_reserve_pages is set to 0?
Root is free to shoot themselves in the foot by setting
admin_reserve_kbytes too low.
On x86_64, the minimum useful reserve is:
8MB for overcommit 'guess'
128MB for overcommit 'never'
admin_reserve_pages defaults to min(3% free memory, 8MB)
So, anyone switching to 'never' mode needs to adjust
admin_reserve_pages.
* How do you calculate a minimum useful reserve?
A user or the admin needs enough memory to login and perform
recovery operations, which includes, at a minimum:
sshd or login + bash (or some other shell) + top (or ps, kill, etc.)
For overcommit 'guess', we can sum resident set sizes (RSS)
because we only need enough memory to handle what the recovery
programs will typically use. On x86_64 this is about 8MB.
For overcommit 'never', we can take the max of their virtual sizes (VSZ)
and add the sum of their RSS. We use VSZ instead of RSS because mode
forces us to ensure we can fulfill all of the requested memory allocations--
even if the programs only use a fraction of what they ask for.
On x86_64 this is about 128MB.
When swap is enabled, reserves are useful even when they are as
small as 10MB, regardless of overcommit mode.
When both swap and overcommit are disabled, then the admin should
tune the reserves higher to be absolutley safe. Over 230MB each
was safest in my testing.
* What happens if user_reserve_pages is set to 0?
Note, this only affects overcomitt 'never' mode.
Then a user will be able to allocate all available memory minus
admin_reserve_kbytes.
However, they will easily see a message such as:
"bash: fork: Cannot allocate memory"
And they won't be able to recover/kill their application.
The admin should be able to recover the system if
admin_reserve_kbytes is set appropriately.
* What's the difference between overcommit 'guess' and 'never'?
"Guess" allows an allocation if there are enough free + reclaimable
pages. It has a hardcoded 3% of free pages reserved for root.
"Never" allows an allocation if there is enough swap + a configurable
percentage (default is 50) of physical RAM. It has a hardcoded 3% of
free pages reserved for root, like "Guess" mode. It also has a
hardcoded 3% of the current process size reserved for additional
applications.
* Why is overcommit 'guess' not suitable even when an app eventually
writes to every page? It takes free pages, file pages, available
swap pages, reclaimable slab pages into consideration. In other words,
these are all pages available, then why isn't overcommit suitable?
Because it only looks at the present state of the system. It
does not take into account the memory that other applications have
malloced, but haven't initialized yet. It overcommits the system.
Test Summary
There was little change in behavior in the default overcommit 'guess'
mode with swap enabled before and after the patch. This was expected.
Systems run most predictably (i.e. no oom kills) in overcommit 'never'
mode with swap enabled. This also allowed the most memory to be allocated
to a user application.
Overcommit 'guess' mode without swap is a bad idea. It is easy to
crash the system. None of the other tested combinations crashed.
This matches my experience on the Roadrunner supercomputer.
Without the tunable user reserve, a system in overcommit 'never' mode
and without swap does not allow the admin to recover, although the
admin can.
With the new tunable reserves, a system in overcommit 'never' mode
and without swap can be configured to:
1. maximize user-allocatable memory, running close to the edge of
recoverability
2. maximize recoverability, sacrificing allocatable memory to
ensure that a user cannot take down a system
Test Description
Fedora 18 VM - 4 x86_64 cores, 5725MB RAM, 4GB Swap
System is booted into multiuser console mode, with unnecessary services
turned off. Caches were dropped before each test.
Hogs are user memtester processes that attempt to allocate all free memory
as reported by /proc/meminfo
In overcommit 'never' mode, memory_ratio=100
Test Results
3.9.0-rc1-mm1
Overcommit | Swap | Hogs | MB Got/Wanted | OOMs | User Recovery | Admin Recovery
---------- ---- ---- ------------- ---- ------------- --------------
guess yes 1 5432/5432 no yes yes
guess yes 4 5444/5444 1 yes yes
guess no 1 5302/5449 no yes yes
guess no 4 - crash no no
never yes 1 5460/5460 1 yes yes
never yes 4 5460/5460 1 yes yes
never no 1 5218/5432 no no yes
never no 4 5203/5448 no no yes
3.9.0-rc1-mm1-tunablereserves
User and Admin Recovery show their respective reserves, if applicable.
Overcommit | Swap | Hogs | MB Got/Wanted | OOMs | User Recovery | Admin Recovery
---------- ---- ---- ------------- ---- ------------- --------------
guess yes 1 5419/5419 no - yes 8MB yes
guess yes 4 5436/5436 1 - yes 8MB yes
guess no 1 5440/5440 * - yes 8MB yes
guess no 4 - crash - no 8MB no
* process would successfully mlock, then the oom killer would pick it
never yes 1 5446/5446 no 10MB yes 20MB yes
never yes 4 5456/5456 no 10MB yes 20MB yes
never no 1 5387/5429 no 128MB no 8MB barely
never no 1 5323/5428 no 226MB barely 8MB barely
never no 1 5323/5428 no 226MB barely 8MB barely
never no 1 5359/5448 no 10MB no 10MB barely
never no 1 5323/5428 no 0MB no 10MB barely
never no 1 5332/5428 no 0MB no 50MB yes
never no 1 5293/5429 no 0MB no 90MB yes
never no 1 5001/5427 no 230MB yes 338MB yes
never no 4* 4998/5424 no 230MB yes 338MB yes
* more memtesters were launched, able to allocate approximately another 100MB
Future Work
- Test larger memory systems.
- Test an embedded image.
- Test other architectures.
- Time malloc microbenchmarks.
- Would it be useful to be able to set overcommit policy for
each memory cgroup?
- Some lines are slightly above 80 chars.
Perhaps define a macro to convert between pages and kb?
Other places in the kernel do this.
[akpm@linux-foundation.org: coding-style fixes]
[akpm@linux-foundation.org: make init_user_reserve() static]
Signed-off-by: Andrew Shewmaker <agshew@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-04-30 06:08:10 +08:00
|
|
|
Note that user_reserve_kbytes affects this policy.
|
2009-01-08 20:04:47 +08:00
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
This feature can be very useful because there are a lot of
|
|
|
|
programs that malloc() huge amounts of memory "just-in-case"
|
|
|
|
and don't use much of it.
|
|
|
|
|
|
|
|
The default value is 0.
|
|
|
|
|
|
|
|
See Documentation/vm/overcommit-accounting and
|
2015-11-10 06:58:15 +08:00
|
|
|
mm/mmap.c::__vm_enough_memory() for more information.
|
2009-01-16 05:50:42 +08:00
|
|
|
|
|
|
|
==============================================================
|
|
|
|
|
|
|
|
overcommit_ratio:
|
|
|
|
|
|
|
|
When overcommit_memory is set to 2, the committed address
|
|
|
|
space is not permitted to exceed swap plus this percentage
|
|
|
|
of physical RAM. See above.
|
|
|
|
|
|
|
|
==============================================================
|
|
|
|
|
|
|
|
page-cluster
|
|
|
|
|
2012-08-01 07:41:46 +08:00
|
|
|
page-cluster controls the number of pages up to which consecutive pages
|
|
|
|
are read in from swap in a single attempt. This is the swap counterpart
|
|
|
|
to page cache readahead.
|
|
|
|
The mentioned consecutivity is not in terms of virtual/physical addresses,
|
|
|
|
but consecutive on swap space - that means they were swapped out together.
|
2009-01-16 05:50:42 +08:00
|
|
|
|
|
|
|
It is a logarithmic value - setting it to zero means "1 page", setting
|
|
|
|
it to 1 means "2 pages", setting it to 2 means "4 pages", etc.
|
2012-08-01 07:41:46 +08:00
|
|
|
Zero disables swap readahead completely.
|
2009-01-16 05:50:42 +08:00
|
|
|
|
|
|
|
The default value is three (eight pages at a time). There may be some
|
|
|
|
small benefits in tuning this to a different value if your workload is
|
|
|
|
swap-intensive.
|
|
|
|
|
2012-08-01 07:41:46 +08:00
|
|
|
Lower values mean lower latencies for initial faults, but at the same time
|
|
|
|
extra faults and I/O delays for following faults if they would have been part of
|
|
|
|
that consecutive pages readahead would have brought in.
|
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
=============================================================
|
|
|
|
|
|
|
|
panic_on_oom
|
|
|
|
|
|
|
|
This enables or disables panic on out-of-memory feature.
|
|
|
|
|
|
|
|
If this is set to 0, the kernel will kill some rogue process,
|
|
|
|
called oom_killer. Usually, oom_killer can kill rogue processes and
|
|
|
|
system will survive.
|
|
|
|
|
|
|
|
If this is set to 1, the kernel panics when out-of-memory happens.
|
|
|
|
However, if a process limits using nodes by mempolicy/cpusets,
|
|
|
|
and those nodes become memory exhaustion status, one process
|
|
|
|
may be killed by oom-killer. No panic occurs in this case.
|
|
|
|
Because other nodes' memory may be free. This means system total status
|
|
|
|
may be not fatal yet.
|
|
|
|
|
|
|
|
If this is set to 2, the kernel panics compulsorily even on the
|
memcg: handle panic_on_oom=always case
Presently, if panic_on_oom=2, the whole system panics even if the oom
happend in some special situation (as cpuset, mempolicy....). Then,
panic_on_oom=2 means painc_on_oom_always.
Now, memcg doesn't check panic_on_oom flag. This patch adds a check.
BTW, how it's useful ?
kdump+panic_on_oom=2 is the last tool to investigate what happens in
oom-ed system. When a task is killed, the sysytem recovers and there will
be few hint to know what happnes. In mission critical system, oom should
never happen. Then, panic_on_oom=2+kdump is useful to avoid next OOM by
knowing precise information via snapshot.
TODO:
- For memcg, it's for isolate system's memory usage, oom-notiifer and
freeze_at_oom (or rest_at_oom) should be implemented. Then, management
daemon can do similar jobs (as kdump) or taking snapshot per cgroup.
Signed-off-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Balbir Singh <balbir@linux.vnet.ibm.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Nick Piggin <npiggin@suse.de>
Reviewed-by: Daisuke Nishimura <nishimura@mxp.nes.nec.co.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-03-11 07:22:32 +08:00
|
|
|
above-mentioned. Even oom happens under memory cgroup, the whole
|
|
|
|
system panics.
|
2009-01-16 05:50:42 +08:00
|
|
|
|
|
|
|
The default value is 0.
|
|
|
|
1 and 2 are for failover of clustering. Please select either
|
|
|
|
according to your policy of failover.
|
memcg: handle panic_on_oom=always case
Presently, if panic_on_oom=2, the whole system panics even if the oom
happend in some special situation (as cpuset, mempolicy....). Then,
panic_on_oom=2 means painc_on_oom_always.
Now, memcg doesn't check panic_on_oom flag. This patch adds a check.
BTW, how it's useful ?
kdump+panic_on_oom=2 is the last tool to investigate what happens in
oom-ed system. When a task is killed, the sysytem recovers and there will
be few hint to know what happnes. In mission critical system, oom should
never happen. Then, panic_on_oom=2+kdump is useful to avoid next OOM by
knowing precise information via snapshot.
TODO:
- For memcg, it's for isolate system's memory usage, oom-notiifer and
freeze_at_oom (or rest_at_oom) should be implemented. Then, management
daemon can do similar jobs (as kdump) or taking snapshot per cgroup.
Signed-off-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Balbir Singh <balbir@linux.vnet.ibm.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Nick Piggin <npiggin@suse.de>
Reviewed-by: Daisuke Nishimura <nishimura@mxp.nes.nec.co.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-03-11 07:22:32 +08:00
|
|
|
panic_on_oom=2+kdump gives you very strong tool to investigate
|
|
|
|
why oom happens. You can get snapshot.
|
2009-01-16 05:50:42 +08:00
|
|
|
|
|
|
|
=============================================================
|
|
|
|
|
|
|
|
percpu_pagelist_fraction
|
|
|
|
|
|
|
|
This is the fraction of pages at most (high mark pcp->high) in each zone that
|
|
|
|
are allocated for each per cpu page list. The min value for this is 8. It
|
|
|
|
means that we don't allow more than 1/8th of pages in each zone to be
|
|
|
|
allocated in any single per_cpu_pagelist. This entry only changes the value
|
|
|
|
of hot per cpu pagelists. User can specify a number like 100 to allocate
|
|
|
|
1/100th of each zone to each per cpu page list.
|
|
|
|
|
|
|
|
The batch value of each per cpu pagelist is also updated as a result. It is
|
|
|
|
set to pcp->high/4. The upper limit of batch is (PAGE_SHIFT * 8)
|
|
|
|
|
|
|
|
The initial value is zero. Kernel does not use this value at boot time to set
|
2014-06-24 04:22:04 +08:00
|
|
|
the high water marks for each per cpu page list. If the user writes '0' to this
|
|
|
|
sysctl, it will revert to this default behavior.
|
2009-01-16 05:50:42 +08:00
|
|
|
|
|
|
|
==============================================================
|
|
|
|
|
|
|
|
stat_interval
|
|
|
|
|
|
|
|
The time interval between which vm statistics are updated. The default
|
|
|
|
is 1 second.
|
|
|
|
|
|
|
|
==============================================================
|
|
|
|
|
2016-05-20 08:12:50 +08:00
|
|
|
stat_refresh
|
|
|
|
|
|
|
|
Any read or write (by root only) flushes all the per-cpu vm statistics
|
|
|
|
into their global totals, for more accurate reports when testing
|
|
|
|
e.g. cat /proc/sys/vm/stat_refresh /proc/meminfo
|
|
|
|
|
|
|
|
As a side-effect, it also checks for negative totals (elsewhere reported
|
|
|
|
as 0) and "fails" with EINVAL if any are found, with a warning in dmesg.
|
|
|
|
(At time of writing, a few stats are known sometimes to be found negative,
|
|
|
|
with no ill effects: errors and warnings on these stats are suppressed.)
|
|
|
|
|
|
|
|
==============================================================
|
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
swappiness
|
|
|
|
|
|
|
|
This control is used to define how aggressive the kernel will swap
|
|
|
|
memory pages. Higher values will increase agressiveness, lower values
|
2014-01-30 06:05:38 +08:00
|
|
|
decrease the amount of swap. A value of 0 instructs the kernel not to
|
|
|
|
initiate swap until the amount of free and file-backed pages is less
|
|
|
|
than the high water mark in a zone.
|
2009-01-16 05:50:42 +08:00
|
|
|
|
|
|
|
The default value is 60.
|
|
|
|
|
|
|
|
==============================================================
|
|
|
|
|
mm: limit growth of 3% hardcoded other user reserve
Add user_reserve_kbytes knob.
Limit the growth of the memory reserved for other user processes to
min(3% current process size, user_reserve_pages). Only about 8MB is
necessary to enable recovery in the default mode, and only a few hundred
MB are required even when overcommit is disabled.
user_reserve_pages defaults to min(3% free pages, 128MB)
I arrived at 128MB by taking the max VSZ of sshd, login, bash, and top ...
then adding the RSS of each.
This only affects OVERCOMMIT_NEVER mode.
Background
1. user reserve
__vm_enough_memory reserves a hardcoded 3% of the current process size for
other applications when overcommit is disabled. This was done so that a
user could recover if they launched a memory hogging process. Without the
reserve, a user would easily run into a message such as:
bash: fork: Cannot allocate memory
2. admin reserve
Additionally, a hardcoded 3% of free memory is reserved for root in both
overcommit 'guess' and 'never' modes. This was intended to prevent a
scenario where root-cant-log-in and perform recovery operations.
Note that this reserve shrinks, and doesn't guarantee a useful reserve.
Motivation
The two hardcoded memory reserves should be updated to account for current
memory sizes.
Also, the admin reserve would be more useful if it didn't shrink too much.
When the current code was originally written, 1GB was considered
"enterprise". Now the 3% reserve can grow to multiple GB on large memory
systems, and it only needs to be a few hundred MB at most to enable a user
or admin to recover a system with an unwanted memory hogging process.
I've found that reducing these reserves is especially beneficial for a
specific type of application load:
* single application system
* one or few processes (e.g. one per core)
* allocating all available memory
* not initializing every page immediately
* long running
I've run scientific clusters with this sort of load. A long running job
sometimes failed many hours (weeks of CPU time) into a calculation. They
weren't initializing all of their memory immediately, and they weren't
using calloc, so I put systems into overcommit 'never' mode. These
clusters run diskless and have no swap.
However, with the current reserves, a user wishing to allocate as much
memory as possible to one process may be prevented from using, for
example, almost 2GB out of 32GB.
The effect is less, but still significant when a user starts a job with
one process per core. I have repeatedly seen a set of processes
requesting the same amount of memory fail because one of them could not
allocate the amount of memory a user would expect to be able to allocate.
For example, Message Passing Interfce (MPI) processes, one per core. And
it is similar for other parallel programming frameworks.
Changing this reserve code will make the overcommit never mode more useful
by allowing applications to allocate nearly all of the available memory.
Also, the new admin_reserve_kbytes will be safer than the current behavior
since the hardcoded 3% of available memory reserve can shrink to something
useless in the case where applications have grabbed all available memory.
Risks
* "bash: fork: Cannot allocate memory"
The downside of the first patch-- which creates a tunable user reserve
that is only used in overcommit 'never' mode--is that an admin can set
it so low that a user may not be able to kill their process, even if
they already have a shell prompt.
Of course, a user can get in the same predicament with the current 3%
reserve--they just have to launch processes until 3% becomes negligible.
* root-cant-log-in problem
The second patch, adding the tunable rootuser_reserve_pages, allows
the admin to shoot themselves in the foot by setting it too small. They
can easily get the system into a state where root-can't-log-in.
However, the new admin_reserve_kbytes will be safer than the current
behavior since the hardcoded 3% of available memory reserve can shrink
to something useless in the case where applications have grabbed all
available memory.
Alternatives
* Memory cgroups provide a more flexible way to limit application memory.
Not everyone wants to set up cgroups or deal with their overhead.
* We could create a fourth overcommit mode which provides smaller reserves.
The size of useful reserves may be drastically different depending
on the whether the system is embedded or enterprise.
* Force users to initialize all of their memory or use calloc.
Some users don't want/expect the system to overcommit when they malloc.
Overcommit 'never' mode is for this scenario, and it should work well.
The new user and admin reserve tunables are simple to use, with low
overhead compared to cgroups. The patches preserve current behavior where
3% of memory is less than 128MB, except that the admin reserve doesn't
shrink to an unusable size under pressure. The code allows admins to tune
for embedded and enterprise usage.
FAQ
* How is the root-cant-login problem addressed?
What happens if admin_reserve_pages is set to 0?
Root is free to shoot themselves in the foot by setting
admin_reserve_kbytes too low.
On x86_64, the minimum useful reserve is:
8MB for overcommit 'guess'
128MB for overcommit 'never'
admin_reserve_pages defaults to min(3% free memory, 8MB)
So, anyone switching to 'never' mode needs to adjust
admin_reserve_pages.
* How do you calculate a minimum useful reserve?
A user or the admin needs enough memory to login and perform
recovery operations, which includes, at a minimum:
sshd or login + bash (or some other shell) + top (or ps, kill, etc.)
For overcommit 'guess', we can sum resident set sizes (RSS)
because we only need enough memory to handle what the recovery
programs will typically use. On x86_64 this is about 8MB.
For overcommit 'never', we can take the max of their virtual sizes (VSZ)
and add the sum of their RSS. We use VSZ instead of RSS because mode
forces us to ensure we can fulfill all of the requested memory allocations--
even if the programs only use a fraction of what they ask for.
On x86_64 this is about 128MB.
When swap is enabled, reserves are useful even when they are as
small as 10MB, regardless of overcommit mode.
When both swap and overcommit are disabled, then the admin should
tune the reserves higher to be absolutley safe. Over 230MB each
was safest in my testing.
* What happens if user_reserve_pages is set to 0?
Note, this only affects overcomitt 'never' mode.
Then a user will be able to allocate all available memory minus
admin_reserve_kbytes.
However, they will easily see a message such as:
"bash: fork: Cannot allocate memory"
And they won't be able to recover/kill their application.
The admin should be able to recover the system if
admin_reserve_kbytes is set appropriately.
* What's the difference between overcommit 'guess' and 'never'?
"Guess" allows an allocation if there are enough free + reclaimable
pages. It has a hardcoded 3% of free pages reserved for root.
"Never" allows an allocation if there is enough swap + a configurable
percentage (default is 50) of physical RAM. It has a hardcoded 3% of
free pages reserved for root, like "Guess" mode. It also has a
hardcoded 3% of the current process size reserved for additional
applications.
* Why is overcommit 'guess' not suitable even when an app eventually
writes to every page? It takes free pages, file pages, available
swap pages, reclaimable slab pages into consideration. In other words,
these are all pages available, then why isn't overcommit suitable?
Because it only looks at the present state of the system. It
does not take into account the memory that other applications have
malloced, but haven't initialized yet. It overcommits the system.
Test Summary
There was little change in behavior in the default overcommit 'guess'
mode with swap enabled before and after the patch. This was expected.
Systems run most predictably (i.e. no oom kills) in overcommit 'never'
mode with swap enabled. This also allowed the most memory to be allocated
to a user application.
Overcommit 'guess' mode without swap is a bad idea. It is easy to
crash the system. None of the other tested combinations crashed.
This matches my experience on the Roadrunner supercomputer.
Without the tunable user reserve, a system in overcommit 'never' mode
and without swap does not allow the admin to recover, although the
admin can.
With the new tunable reserves, a system in overcommit 'never' mode
and without swap can be configured to:
1. maximize user-allocatable memory, running close to the edge of
recoverability
2. maximize recoverability, sacrificing allocatable memory to
ensure that a user cannot take down a system
Test Description
Fedora 18 VM - 4 x86_64 cores, 5725MB RAM, 4GB Swap
System is booted into multiuser console mode, with unnecessary services
turned off. Caches were dropped before each test.
Hogs are user memtester processes that attempt to allocate all free memory
as reported by /proc/meminfo
In overcommit 'never' mode, memory_ratio=100
Test Results
3.9.0-rc1-mm1
Overcommit | Swap | Hogs | MB Got/Wanted | OOMs | User Recovery | Admin Recovery
---------- ---- ---- ------------- ---- ------------- --------------
guess yes 1 5432/5432 no yes yes
guess yes 4 5444/5444 1 yes yes
guess no 1 5302/5449 no yes yes
guess no 4 - crash no no
never yes 1 5460/5460 1 yes yes
never yes 4 5460/5460 1 yes yes
never no 1 5218/5432 no no yes
never no 4 5203/5448 no no yes
3.9.0-rc1-mm1-tunablereserves
User and Admin Recovery show their respective reserves, if applicable.
Overcommit | Swap | Hogs | MB Got/Wanted | OOMs | User Recovery | Admin Recovery
---------- ---- ---- ------------- ---- ------------- --------------
guess yes 1 5419/5419 no - yes 8MB yes
guess yes 4 5436/5436 1 - yes 8MB yes
guess no 1 5440/5440 * - yes 8MB yes
guess no 4 - crash - no 8MB no
* process would successfully mlock, then the oom killer would pick it
never yes 1 5446/5446 no 10MB yes 20MB yes
never yes 4 5456/5456 no 10MB yes 20MB yes
never no 1 5387/5429 no 128MB no 8MB barely
never no 1 5323/5428 no 226MB barely 8MB barely
never no 1 5323/5428 no 226MB barely 8MB barely
never no 1 5359/5448 no 10MB no 10MB barely
never no 1 5323/5428 no 0MB no 10MB barely
never no 1 5332/5428 no 0MB no 50MB yes
never no 1 5293/5429 no 0MB no 90MB yes
never no 1 5001/5427 no 230MB yes 338MB yes
never no 4* 4998/5424 no 230MB yes 338MB yes
* more memtesters were launched, able to allocate approximately another 100MB
Future Work
- Test larger memory systems.
- Test an embedded image.
- Test other architectures.
- Time malloc microbenchmarks.
- Would it be useful to be able to set overcommit policy for
each memory cgroup?
- Some lines are slightly above 80 chars.
Perhaps define a macro to convert between pages and kb?
Other places in the kernel do this.
[akpm@linux-foundation.org: coding-style fixes]
[akpm@linux-foundation.org: make init_user_reserve() static]
Signed-off-by: Andrew Shewmaker <agshew@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-04-30 06:08:10 +08:00
|
|
|
- user_reserve_kbytes
|
|
|
|
|
2015-01-02 11:03:19 +08:00
|
|
|
When overcommit_memory is set to 2, "never overcommit" mode, reserve
|
mm: limit growth of 3% hardcoded other user reserve
Add user_reserve_kbytes knob.
Limit the growth of the memory reserved for other user processes to
min(3% current process size, user_reserve_pages). Only about 8MB is
necessary to enable recovery in the default mode, and only a few hundred
MB are required even when overcommit is disabled.
user_reserve_pages defaults to min(3% free pages, 128MB)
I arrived at 128MB by taking the max VSZ of sshd, login, bash, and top ...
then adding the RSS of each.
This only affects OVERCOMMIT_NEVER mode.
Background
1. user reserve
__vm_enough_memory reserves a hardcoded 3% of the current process size for
other applications when overcommit is disabled. This was done so that a
user could recover if they launched a memory hogging process. Without the
reserve, a user would easily run into a message such as:
bash: fork: Cannot allocate memory
2. admin reserve
Additionally, a hardcoded 3% of free memory is reserved for root in both
overcommit 'guess' and 'never' modes. This was intended to prevent a
scenario where root-cant-log-in and perform recovery operations.
Note that this reserve shrinks, and doesn't guarantee a useful reserve.
Motivation
The two hardcoded memory reserves should be updated to account for current
memory sizes.
Also, the admin reserve would be more useful if it didn't shrink too much.
When the current code was originally written, 1GB was considered
"enterprise". Now the 3% reserve can grow to multiple GB on large memory
systems, and it only needs to be a few hundred MB at most to enable a user
or admin to recover a system with an unwanted memory hogging process.
I've found that reducing these reserves is especially beneficial for a
specific type of application load:
* single application system
* one or few processes (e.g. one per core)
* allocating all available memory
* not initializing every page immediately
* long running
I've run scientific clusters with this sort of load. A long running job
sometimes failed many hours (weeks of CPU time) into a calculation. They
weren't initializing all of their memory immediately, and they weren't
using calloc, so I put systems into overcommit 'never' mode. These
clusters run diskless and have no swap.
However, with the current reserves, a user wishing to allocate as much
memory as possible to one process may be prevented from using, for
example, almost 2GB out of 32GB.
The effect is less, but still significant when a user starts a job with
one process per core. I have repeatedly seen a set of processes
requesting the same amount of memory fail because one of them could not
allocate the amount of memory a user would expect to be able to allocate.
For example, Message Passing Interfce (MPI) processes, one per core. And
it is similar for other parallel programming frameworks.
Changing this reserve code will make the overcommit never mode more useful
by allowing applications to allocate nearly all of the available memory.
Also, the new admin_reserve_kbytes will be safer than the current behavior
since the hardcoded 3% of available memory reserve can shrink to something
useless in the case where applications have grabbed all available memory.
Risks
* "bash: fork: Cannot allocate memory"
The downside of the first patch-- which creates a tunable user reserve
that is only used in overcommit 'never' mode--is that an admin can set
it so low that a user may not be able to kill their process, even if
they already have a shell prompt.
Of course, a user can get in the same predicament with the current 3%
reserve--they just have to launch processes until 3% becomes negligible.
* root-cant-log-in problem
The second patch, adding the tunable rootuser_reserve_pages, allows
the admin to shoot themselves in the foot by setting it too small. They
can easily get the system into a state where root-can't-log-in.
However, the new admin_reserve_kbytes will be safer than the current
behavior since the hardcoded 3% of available memory reserve can shrink
to something useless in the case where applications have grabbed all
available memory.
Alternatives
* Memory cgroups provide a more flexible way to limit application memory.
Not everyone wants to set up cgroups or deal with their overhead.
* We could create a fourth overcommit mode which provides smaller reserves.
The size of useful reserves may be drastically different depending
on the whether the system is embedded or enterprise.
* Force users to initialize all of their memory or use calloc.
Some users don't want/expect the system to overcommit when they malloc.
Overcommit 'never' mode is for this scenario, and it should work well.
The new user and admin reserve tunables are simple to use, with low
overhead compared to cgroups. The patches preserve current behavior where
3% of memory is less than 128MB, except that the admin reserve doesn't
shrink to an unusable size under pressure. The code allows admins to tune
for embedded and enterprise usage.
FAQ
* How is the root-cant-login problem addressed?
What happens if admin_reserve_pages is set to 0?
Root is free to shoot themselves in the foot by setting
admin_reserve_kbytes too low.
On x86_64, the minimum useful reserve is:
8MB for overcommit 'guess'
128MB for overcommit 'never'
admin_reserve_pages defaults to min(3% free memory, 8MB)
So, anyone switching to 'never' mode needs to adjust
admin_reserve_pages.
* How do you calculate a minimum useful reserve?
A user or the admin needs enough memory to login and perform
recovery operations, which includes, at a minimum:
sshd or login + bash (or some other shell) + top (or ps, kill, etc.)
For overcommit 'guess', we can sum resident set sizes (RSS)
because we only need enough memory to handle what the recovery
programs will typically use. On x86_64 this is about 8MB.
For overcommit 'never', we can take the max of their virtual sizes (VSZ)
and add the sum of their RSS. We use VSZ instead of RSS because mode
forces us to ensure we can fulfill all of the requested memory allocations--
even if the programs only use a fraction of what they ask for.
On x86_64 this is about 128MB.
When swap is enabled, reserves are useful even when they are as
small as 10MB, regardless of overcommit mode.
When both swap and overcommit are disabled, then the admin should
tune the reserves higher to be absolutley safe. Over 230MB each
was safest in my testing.
* What happens if user_reserve_pages is set to 0?
Note, this only affects overcomitt 'never' mode.
Then a user will be able to allocate all available memory minus
admin_reserve_kbytes.
However, they will easily see a message such as:
"bash: fork: Cannot allocate memory"
And they won't be able to recover/kill their application.
The admin should be able to recover the system if
admin_reserve_kbytes is set appropriately.
* What's the difference between overcommit 'guess' and 'never'?
"Guess" allows an allocation if there are enough free + reclaimable
pages. It has a hardcoded 3% of free pages reserved for root.
"Never" allows an allocation if there is enough swap + a configurable
percentage (default is 50) of physical RAM. It has a hardcoded 3% of
free pages reserved for root, like "Guess" mode. It also has a
hardcoded 3% of the current process size reserved for additional
applications.
* Why is overcommit 'guess' not suitable even when an app eventually
writes to every page? It takes free pages, file pages, available
swap pages, reclaimable slab pages into consideration. In other words,
these are all pages available, then why isn't overcommit suitable?
Because it only looks at the present state of the system. It
does not take into account the memory that other applications have
malloced, but haven't initialized yet. It overcommits the system.
Test Summary
There was little change in behavior in the default overcommit 'guess'
mode with swap enabled before and after the patch. This was expected.
Systems run most predictably (i.e. no oom kills) in overcommit 'never'
mode with swap enabled. This also allowed the most memory to be allocated
to a user application.
Overcommit 'guess' mode without swap is a bad idea. It is easy to
crash the system. None of the other tested combinations crashed.
This matches my experience on the Roadrunner supercomputer.
Without the tunable user reserve, a system in overcommit 'never' mode
and without swap does not allow the admin to recover, although the
admin can.
With the new tunable reserves, a system in overcommit 'never' mode
and without swap can be configured to:
1. maximize user-allocatable memory, running close to the edge of
recoverability
2. maximize recoverability, sacrificing allocatable memory to
ensure that a user cannot take down a system
Test Description
Fedora 18 VM - 4 x86_64 cores, 5725MB RAM, 4GB Swap
System is booted into multiuser console mode, with unnecessary services
turned off. Caches were dropped before each test.
Hogs are user memtester processes that attempt to allocate all free memory
as reported by /proc/meminfo
In overcommit 'never' mode, memory_ratio=100
Test Results
3.9.0-rc1-mm1
Overcommit | Swap | Hogs | MB Got/Wanted | OOMs | User Recovery | Admin Recovery
---------- ---- ---- ------------- ---- ------------- --------------
guess yes 1 5432/5432 no yes yes
guess yes 4 5444/5444 1 yes yes
guess no 1 5302/5449 no yes yes
guess no 4 - crash no no
never yes 1 5460/5460 1 yes yes
never yes 4 5460/5460 1 yes yes
never no 1 5218/5432 no no yes
never no 4 5203/5448 no no yes
3.9.0-rc1-mm1-tunablereserves
User and Admin Recovery show their respective reserves, if applicable.
Overcommit | Swap | Hogs | MB Got/Wanted | OOMs | User Recovery | Admin Recovery
---------- ---- ---- ------------- ---- ------------- --------------
guess yes 1 5419/5419 no - yes 8MB yes
guess yes 4 5436/5436 1 - yes 8MB yes
guess no 1 5440/5440 * - yes 8MB yes
guess no 4 - crash - no 8MB no
* process would successfully mlock, then the oom killer would pick it
never yes 1 5446/5446 no 10MB yes 20MB yes
never yes 4 5456/5456 no 10MB yes 20MB yes
never no 1 5387/5429 no 128MB no 8MB barely
never no 1 5323/5428 no 226MB barely 8MB barely
never no 1 5323/5428 no 226MB barely 8MB barely
never no 1 5359/5448 no 10MB no 10MB barely
never no 1 5323/5428 no 0MB no 10MB barely
never no 1 5332/5428 no 0MB no 50MB yes
never no 1 5293/5429 no 0MB no 90MB yes
never no 1 5001/5427 no 230MB yes 338MB yes
never no 4* 4998/5424 no 230MB yes 338MB yes
* more memtesters were launched, able to allocate approximately another 100MB
Future Work
- Test larger memory systems.
- Test an embedded image.
- Test other architectures.
- Time malloc microbenchmarks.
- Would it be useful to be able to set overcommit policy for
each memory cgroup?
- Some lines are slightly above 80 chars.
Perhaps define a macro to convert between pages and kb?
Other places in the kernel do this.
[akpm@linux-foundation.org: coding-style fixes]
[akpm@linux-foundation.org: make init_user_reserve() static]
Signed-off-by: Andrew Shewmaker <agshew@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-04-30 06:08:10 +08:00
|
|
|
min(3% of current process size, user_reserve_kbytes) of free memory.
|
|
|
|
This is intended to prevent a user from starting a single memory hogging
|
|
|
|
process, such that they cannot recover (kill the hog).
|
|
|
|
|
|
|
|
user_reserve_kbytes defaults to min(3% of the current process size, 128MB).
|
|
|
|
|
|
|
|
If this is reduced to zero, then the user will be allowed to allocate
|
|
|
|
all free memory with a single process, minus admin_reserve_kbytes.
|
|
|
|
Any subsequent attempts to execute a command will result in
|
|
|
|
"fork: Cannot allocate memory".
|
|
|
|
|
|
|
|
Changing this takes effect whenever an application requests memory.
|
|
|
|
|
|
|
|
==============================================================
|
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
vfs_cache_pressure
|
|
|
|
------------------
|
|
|
|
|
2014-06-05 07:11:03 +08:00
|
|
|
This percentage value controls the tendency of the kernel to reclaim
|
|
|
|
the memory which is used for caching of directory and inode objects.
|
2009-01-16 05:50:42 +08:00
|
|
|
|
|
|
|
At the default value of vfs_cache_pressure=100 the kernel will attempt to
|
|
|
|
reclaim dentries and inodes at a "fair" rate with respect to pagecache and
|
|
|
|
swapcache reclaim. Decreasing vfs_cache_pressure causes the kernel to prefer
|
2009-09-22 08:01:40 +08:00
|
|
|
to retain dentry and inode caches. When vfs_cache_pressure=0, the kernel will
|
|
|
|
never reclaim dentries and inodes due to memory pressure and this can easily
|
|
|
|
lead to out-of-memory conditions. Increasing vfs_cache_pressure beyond 100
|
2009-01-16 05:50:42 +08:00
|
|
|
causes the kernel to prefer to reclaim dentries and inodes.
|
|
|
|
|
2014-06-05 07:11:03 +08:00
|
|
|
Increasing vfs_cache_pressure significantly beyond 100 may have negative
|
|
|
|
performance impact. Reclaim code needs to take various locks to find freeable
|
|
|
|
directory and inode objects. With vfs_cache_pressure=1000, it will look for
|
|
|
|
ten times more freeable objects than there are.
|
|
|
|
|
2016-03-18 05:19:14 +08:00
|
|
|
=============================================================
|
|
|
|
|
|
|
|
watermark_scale_factor:
|
|
|
|
|
|
|
|
This factor controls the aggressiveness of kswapd. It defines the
|
|
|
|
amount of memory left in a node/system before kswapd is woken up and
|
|
|
|
how much memory needs to be free before kswapd goes back to sleep.
|
|
|
|
|
|
|
|
The unit is in fractions of 10,000. The default value of 10 means the
|
|
|
|
distances between watermarks are 0.1% of the available memory in the
|
|
|
|
node/system. The maximum value is 1000, or 10% of memory.
|
|
|
|
|
|
|
|
A high rate of threads entering direct reclaim (allocstall) or kswapd
|
|
|
|
going to sleep prematurely (kswapd_low_wmark_hit_quickly) can indicate
|
|
|
|
that the number of free pages kswapd maintains for latency reasons is
|
|
|
|
too small for the allocation bursts occurring in the system. This knob
|
|
|
|
can then be used to tune kswapd aggressiveness accordingly.
|
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
==============================================================
|
|
|
|
|
|
|
|
zone_reclaim_mode:
|
|
|
|
|
|
|
|
Zone_reclaim_mode allows someone to set more or less aggressive approaches to
|
|
|
|
reclaim memory when a zone runs out of memory. If it is set to zero then no
|
|
|
|
zone reclaim occurs. Allocations will be satisfied from other zones / nodes
|
|
|
|
in the system.
|
|
|
|
|
|
|
|
This is value ORed together of
|
|
|
|
|
|
|
|
1 = Zone reclaim on
|
|
|
|
2 = Zone reclaim writes dirty pages out
|
|
|
|
4 = Zone reclaim swaps pages
|
|
|
|
|
2014-06-05 07:07:14 +08:00
|
|
|
zone_reclaim_mode is disabled by default. For file servers or workloads
|
|
|
|
that benefit from having their data cached, zone_reclaim_mode should be
|
|
|
|
left disabled as the caching effect is likely to be more important than
|
2009-01-16 05:50:42 +08:00
|
|
|
data locality.
|
|
|
|
|
2014-06-05 07:07:14 +08:00
|
|
|
zone_reclaim may be enabled if it's known that the workload is partitioned
|
|
|
|
such that each partition fits within a NUMA node and that accessing remote
|
|
|
|
memory would cause a measurable performance reduction. The page allocator
|
|
|
|
will then reclaim easily reusable pages (those page cache pages that are
|
|
|
|
currently not used) before allocating off node pages.
|
|
|
|
|
2009-01-16 05:50:42 +08:00
|
|
|
Allowing zone reclaim to write out pages stops processes that are
|
|
|
|
writing large amounts of data from dirtying pages on other nodes. Zone
|
|
|
|
reclaim will write out dirty pages if a zone fills up and so effectively
|
|
|
|
throttle the process. This may decrease the performance of a single process
|
|
|
|
since it cannot use all of system memory to buffer the outgoing writes
|
|
|
|
anymore but it preserve the memory on other nodes so that the performance
|
|
|
|
of other processes running on other nodes will not be affected.
|
|
|
|
|
|
|
|
Allowing regular swap effectively restricts allocations to the local
|
|
|
|
node unless explicitly overridden by memory policies or cpuset
|
|
|
|
configurations.
|
|
|
|
|
|
|
|
============ End of Document =================================
|