From: Jaewon Kim <jaewon31.kim@samsung.com>
To: "T.J. Mercier" <tjmercier@google.com>,
Andrew Morton <akpm@linux-foundation.org>
Cc: John Stultz <jstultz@google.com>,
Jaewon Kim <jaewon31.kim@samsung.com>,
"sumit.semwal@linaro.org" <sumit.semwal@linaro.org>,
"daniel.vetter@ffwll.ch" <daniel.vetter@ffwll.ch>,
"hannes@cmpxchg.org" <hannes@cmpxchg.org>,
"mhocko@kernel.org" <mhocko@kernel.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"jaewon31.kim@gmail.com" <jaewon31.kim@gmail.com>
Subject: RE: [PATCH v2] dma-buf/heaps: system_heap: Avoid DoS by limiting single allocations to half of all memory
Date: Fri, 07 Apr 2023 11:24:19 +0900 [thread overview]
Message-ID: <20230407022419epcms1p424f1f8a7100aeccac62651ce25cd6140@epcms1p4> (raw)
In-Reply-To: <CABdmKX3NzTWHa3K_rna1iY+UERUrYK1Rq9WqUt9VQRaAKZsWwg@mail.gmail.com>
>On Thu, Apr 6, 2023 at 4:38?PM Andrew Morton <akpm@linux-foundation.org> wrote:
>>
>> On Thu, 6 Apr 2023 16:27:28 -0700 "T.J. Mercier" <tjmercier@google.com> wrote:
>>
>> > > When you say "decide what's the largest reasonable size", I think it
>> > > is difficult as with the variety of RAM sizes and buffer sizes I don't
>> > > think there's a fixed limit. Systems with more ram will use larger
>> > > buffers for image/video capture buffers. And yes, you're right that
>> > > ram/2-1 in a single allocation is just as broken, but I'm not sure how
>> > > to establish a better guard rail.
>> > >
>> > > thanks
>> > > -john
>> >
>> > I like ENOMEM with the len / PAGE_SIZE > totalram_pages() check and
>> > WARN_ON. We know for sure that's an invalid request, and it's pretty
>> > cheap to check as opposed to trying a bunch of reclaim before failing.
>>
>> Well, if some buggy caller has gone and requested eleventy bigabytes of
>:)
>> memory, doing a lot of reclaiming before failing isn't really a problem
>> - we don't want to optimize for this case!
>>
>The issue I see is that it could delay other non-buggy callers, or
>cause reclaim that wouldn't have happened if we just outright rejected
>a known-bad allocation request from the beginning.
>
>> > For buffers smaller than that I agree with John in that I'm not sure
>> > there's a definitive threshold.
>>
>> Well... why do we want to do _anything_ here? Why cater for buggy
>> callers? I think it's because "dma-buf behaves really badly with very
>> large allocation requests". Again, can we fix that instead?
>>
>There are a variety of different allocation strategies used by
>different exporters so I don't think there's one dma-buf thing we
>could fix for slow, large allocations in general. For the system_heap
>in this patch it's really just alloc_pages. I'm saying I don't think
>the kernel should ever ask alloc_pages for more memory than exists on
>the system, which seems like a pretty reasonable sanity check to me.
>Given that, I don't think we should do anything for buffers smaller
>than totalram_pages() (except maybe to prevent OOM panics via
>__GFP_RETRY_MAYFAIL when we attempt to exhaust system memory on any
>request - valid or otherwise).
I think T. J. also agree with me on what I shared.
if (len / PAGE_SIZE > totalram_pages()) return ERR_PTR(-ENOMEM);
#define LOW_ORDER_GFP (GFP_HIGHUSER | __GFP_ZERO | __GFP_COMP | __GFP_RETRY_MAYFAIL)
Regarding the dma-buf behavior, I also would like to say that the dma-buf
system heap seems to be designed to allocate that large memory. In mobile
devices, we need that large memory for camera buffers or grahpics
rendendering buffers. So that large memory should be allowed but the invalid
huge size over ram should be avoided.
I agree on that mm should reclaim even for the large size. But that reclaim
process may affect system performance or user convenience. In that perspective
I thought ram / 2 was reasonable, but yes not a golden value. I hope to use
just ram size as sanity check.
Additionally if all agree, we may be able to apply __GFP_RETRY_MAYFAIL too.
BR
next prev parent reply other threads:[~2023-04-07 2:24 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20230406000841epcas1p3630010a770682be0f1d540a448f3e00e@epcas1p3.samsung.com>
2023-04-06 0:08 ` Jaewon Kim
2023-04-06 0:25 ` Andrew Morton
[not found] ` <CGME20230406000841epcas1p3630010a770682be0f1d540a448f3e00e@epcms1p3>
2023-04-06 1:44 ` Jaewon Kim
2023-04-06 1:56 ` Andrew Morton
[not found] ` <CGME20230406000841epcas1p3630010a770682be0f1d540a448f3e00e@epcms1p2>
2023-04-06 2:17 ` Jaewon Kim
2023-04-06 3:09 ` Andrew Morton
2023-04-06 4:24 ` John Stultz
2023-04-06 23:27 ` T.J. Mercier
2023-04-06 23:38 ` Andrew Morton
2023-04-07 0:00 ` T.J. Mercier
[not found] ` <CGME20230406000841epcas1p3630010a770682be0f1d540a448f3e00e@epcms1p4>
2023-04-07 2:24 ` Jaewon Kim [this message]
2023-04-07 5:12 ` T.J. Mercier
2023-04-07 13:03 ` Jaewon Kim
2023-04-06 3:46 ` 김재원
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230407022419epcms1p424f1f8a7100aeccac62651ce25cd6140@epcms1p4 \
--to=jaewon31.kim@samsung.com \
--cc=akpm@linux-foundation.org \
--cc=daniel.vetter@ffwll.ch \
--cc=hannes@cmpxchg.org \
--cc=jaewon31.kim@gmail.com \
--cc=jstultz@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mhocko@kernel.org \
--cc=sumit.semwal@linaro.org \
--cc=tjmercier@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox