Skip to content

Commit ea9bae1

Browse files
jrjohansenjrjohansen
committed
apparmor: cache buffers on percpu list if there is lock contention
commit df32333 ("apparmor: Use a memory pool instead per-CPU caches") changed buffer allocation to use a memory pool, however on a heavily loaded machine there can be lock contention on the global buffers lock. Add a percpu list to cache buffers on when lock contention is encountered. When allocating buffers attempt to use cached buffers first, before taking the global buffers lock. When freeing buffers try to put them back to the global list but if contention is encountered, put the buffer on the percpu list. The length of time a buffer is held on the percpu list is dynamically adjusted based on lock contention. The amount of hold time is increased and decreased linearly. v5: - simplify base patch by removing: improvements can be added later - MAX_LOCAL and must lock - contention scaling. v4: - fix percpu ->count buffer count which had been spliced across a debug patch. - introduce define for MAX_LOCAL_COUNT - rework count check and locking around it. - update commit message to reference commit that introduced the memory. v3: - limit number of buffers that can be pushed onto the percpu list. This avoids a problem on some kernels where one percpu list can inherit buffers from another cpu after a reschedule, causing more kernel memory to used than is necessary. Under normal conditions this should eventually return to normal but under pathelogical conditions the extra memory consumption may have been unbouanded v2: - dynamically adjust buffer hold time on percpu list based on lock contention. v1: - cache buffers on percpu list on lock contention Reported-by: Sergey Senozhatsky <senozhatsky@chromium.org> Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
1 parent c4371d9 commit ea9bae1

File tree

1 file changed

+62
-5
lines changed

1 file changed

+62
-5
lines changed

security/apparmor/lsm.c

Lines changed: 62 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -49,12 +49,19 @@ union aa_buffer {
4949
DECLARE_FLEX_ARRAY(char, buffer);
5050
};
5151

52+
struct aa_local_cache {
53+
unsigned int hold;
54+
unsigned int count;
55+
struct list_head head;
56+
};
57+
5258
#define RESERVE_COUNT 2
5359
static int reserve_count = RESERVE_COUNT;
5460
static int buffer_count;
5561

5662
static LIST_HEAD(aa_global_buffers);
5763
static DEFINE_SPINLOCK(aa_buffers_lock);
64+
static DEFINE_PER_CPU(struct aa_local_cache, aa_local_buffers);
5865

5966
/*
6067
* LSM hook functions
@@ -1789,11 +1796,32 @@ static int param_set_mode(const char *val, const struct kernel_param *kp)
17891796
char *aa_get_buffer(bool in_atomic)
17901797
{
17911798
union aa_buffer *aa_buf;
1799+
struct aa_local_cache *cache;
17921800
bool try_again = true;
17931801
gfp_t flags = (GFP_KERNEL | __GFP_RETRY_MAYFAIL | __GFP_NOWARN);
17941802

1803+
/* use per cpu cached buffers first */
1804+
cache = get_cpu_ptr(&aa_local_buffers);
1805+
if (!list_empty(&cache->head)) {
1806+
aa_buf = list_first_entry(&cache->head, union aa_buffer, list);
1807+
list_del(&aa_buf->list);
1808+
cache->hold--;
1809+
cache->count--;
1810+
put_cpu_ptr(&aa_local_buffers);
1811+
return &aa_buf->buffer[0];
1812+
}
1813+
put_cpu_ptr(&aa_local_buffers);
1814+
1815+
if (!spin_trylock(&aa_buffers_lock)) {
1816+
cache = get_cpu_ptr(&aa_local_buffers);
1817+
cache->hold += 1;
1818+
put_cpu_ptr(&aa_local_buffers);
1819+
spin_lock(&aa_buffers_lock);
1820+
} else {
1821+
cache = get_cpu_ptr(&aa_local_buffers);
1822+
put_cpu_ptr(&aa_local_buffers);
1823+
}
17951824
retry:
1796-
spin_lock(&aa_buffers_lock);
17971825
if (buffer_count > reserve_count ||
17981826
(in_atomic && !list_empty(&aa_global_buffers))) {
17991827
aa_buf = list_first_entry(&aa_global_buffers, union aa_buffer,
@@ -1819,6 +1847,7 @@ char *aa_get_buffer(bool in_atomic)
18191847
if (!aa_buf) {
18201848
if (try_again) {
18211849
try_again = false;
1850+
spin_lock(&aa_buffers_lock);
18221851
goto retry;
18231852
}
18241853
pr_warn_once("AppArmor: Failed to allocate a memory buffer.\n");
@@ -1830,15 +1859,34 @@ char *aa_get_buffer(bool in_atomic)
18301859
void aa_put_buffer(char *buf)
18311860
{
18321861
union aa_buffer *aa_buf;
1862+
struct aa_local_cache *cache;
18331863

18341864
if (!buf)
18351865
return;
18361866
aa_buf = container_of(buf, union aa_buffer, buffer[0]);
18371867

1838-
spin_lock(&aa_buffers_lock);
1839-
list_add(&aa_buf->list, &aa_global_buffers);
1840-
buffer_count++;
1841-
spin_unlock(&aa_buffers_lock);
1868+
cache = get_cpu_ptr(&aa_local_buffers);
1869+
if (!cache->hold) {
1870+
put_cpu_ptr(&aa_local_buffers);
1871+
1872+
if (spin_trylock(&aa_buffers_lock)) {
1873+
/* put back on global list */
1874+
list_add(&aa_buf->list, &aa_global_buffers);
1875+
buffer_count++;
1876+
spin_unlock(&aa_buffers_lock);
1877+
cache = get_cpu_ptr(&aa_local_buffers);
1878+
put_cpu_ptr(&aa_local_buffers);
1879+
return;
1880+
}
1881+
/* contention on global list, fallback to percpu */
1882+
cache = get_cpu_ptr(&aa_local_buffers);
1883+
cache->hold += 1;
1884+
}
1885+
1886+
/* cache in percpu list */
1887+
list_add(&aa_buf->list, &cache->head);
1888+
cache->count++;
1889+
put_cpu_ptr(&aa_local_buffers);
18421890
}
18431891

18441892
/*
@@ -1880,6 +1928,15 @@ static int __init alloc_buffers(void)
18801928
union aa_buffer *aa_buf;
18811929
int i, num;
18821930

1931+
/*
1932+
* per cpu set of cached allocated buffers used to help reduce
1933+
* lock contention
1934+
*/
1935+
for_each_possible_cpu(i) {
1936+
per_cpu(aa_local_buffers, i).hold = 0;
1937+
per_cpu(aa_local_buffers, i).count = 0;
1938+
INIT_LIST_HEAD(&per_cpu(aa_local_buffers, i).head);
1939+
}
18831940
/*
18841941
* A function may require two buffers at once. Usually the buffers are
18851942
* used for a short period of time and are shared. On UP kernel buffers

0 commit comments

Comments
 (0)