From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0E447C433EF for ; Wed, 16 Mar 2022 14:11:44 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 782176B0071; Wed, 16 Mar 2022 10:11:43 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 709918D0002; Wed, 16 Mar 2022 10:11:43 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 55B2E8D0001; Wed, 16 Mar 2022 10:11:43 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (relay.hostedemail.com [64.99.140.25]) by kanga.kvack.org (Postfix) with ESMTP id 40F786B0071 for ; Wed, 16 Mar 2022 10:11:43 -0400 (EDT) Received: from smtpin04.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay08.hostedemail.com (Postfix) with ESMTP id DF04521D3E for ; Wed, 16 Mar 2022 14:11:42 +0000 (UTC) X-FDA: 79250437644.04.361B99F Received: from out02.mta.xmission.com (out02.mta.xmission.com [166.70.13.232]) by imf14.hostedemail.com (Postfix) with ESMTP id 2A99710002F for ; Wed, 16 Mar 2022 14:11:42 +0000 (UTC) Received: from in01.mta.xmission.com ([166.70.13.51]:51018) by out02.mta.xmission.com with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from ) id 1nUUNH-00BZn6-Pd; Wed, 16 Mar 2022 08:11:39 -0600 Received: from ip68-227-174-4.om.om.cox.net ([68.227.174.4]:37940 helo=email.froward.int.ebiederm.org.xmission.com) by in01.mta.xmission.com with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from ) id 1nUUNE-00C5Wr-7U; Wed, 16 Mar 2022 08:11:39 -0600 From: "Eric W. Biederman" To: Miaohe Lin Cc: , , , , Alexey Gladkov References: <20220314064039.62972-1-linmiaohe@huawei.com> <87h78036hl.fsf@email.froward.int.ebiederm.org> <82cf5aa8-a721-3ff3-7b09-54a66da0d506@huawei.com> <87lexbyslf.fsf@email.froward.int.ebiederm.org> <4803adf1-ba98-badc-6820-0948871b0742@huawei.com> Date: Wed, 16 Mar 2022 09:11:29 -0500 In-Reply-To: <4803adf1-ba98-badc-6820-0948871b0742@huawei.com> (Miaohe Lin's message of "Wed, 16 Mar 2022 14:55:15 +0800") Message-ID: <87sfri3s32.fsf@email.froward.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1nUUNE-00C5Wr-7U;;;mid=<87sfri3s32.fsf@email.froward.int.ebiederm.org>;;;hst=in01.mta.xmission.com;;;ip=68.227.174.4;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX18FCjiVvSrQf6u+pfOyJrzh5dO8rfi6lsQ= X-SA-Exim-Connect-IP: 68.227.174.4 X-SA-Exim-Mail-From: ebiederm@xmission.com Subject: Re: [PATCH v2] mm/mlock: fix potential imbalanced rlimit ucounts adjustment X-SA-Exim-Version: 4.2.1 (built Sat, 08 Feb 2020 21:53:50 +0000) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) X-Rspam-User: X-Rspamd-Server: rspam12 X-Rspamd-Queue-Id: 2A99710002F X-Stat-Signature: qkasuijkhww84ipnb89sg1h14d9rjqff Authentication-Results: imf14.hostedemail.com; dkim=none; spf=pass (imf14.hostedemail.com: domain of ebiederm@xmission.com designates 166.70.13.232 as permitted sender) smtp.mailfrom=ebiederm@xmission.com; dmarc=pass (policy=none) header.from=xmission.com X-HE-Tag: 1647439902-883926 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: Miaohe Lin writes: > On 2022/3/16 2:32, Eric W. Biederman wrote: >> Miaohe Lin writes: >> >>> On 2022/3/14 23:21, Eric W. Biederman wrote: >>>> Miaohe Lin writes: >>>> >>>>> user_shm_lock forgets to set allowed to 0 when get_ucounts fails. So >>>>> the later user_shm_unlock might do the extra dec_rlimit_ucounts. Fix >>>>> this by resetting allowed to 0. >>>> >>>> This fix looks correct. But the ability for people to follow and read >>>> the code seems questionable. I saw in v1 of this patch Hugh originally >>>> misread the logic. >>>> >>>> Could we instead change the code to leave lock_limit at ULONG_MAX aka >>>> RLIM_INFINITY, leave initialized to 0, and not even need a special case >>>> of RLIM_INFINITY as nothing can be greater that ULONG_MAX? >>>> >>> >>> Many thanks for your advice. This looks good but it seems this results in different >>> behavior: When (memlock == LONG_MAX) && !capable(CAP_IPC_LOCK), we would fail now >>> while it will always success without this change. We should avoid this difference. >>> Or am I miss something? Maybe the origin patch is more suitable and >>> simple? >> >> Interesting. I think that is an unintended and necessary bug fix. >> >> When memlock == LONG_MAX that means inc_rlimit_ucounts failed. >> >> It either failed because at another level the limit was exceeded or >> because the counter wrapped. In either case it is not appropriate to >> succeed if inc_rlimit_ucounts detects a failure. >> >> Which is a long way of saying I think we really want the simplification >> because it found and fixed another bug as well. >> >> Without the simplification I don't think I will be confident the code is >> correct. > > Agree with you. This is a potential bug and you just catch it with the > code simplification. :) > > Am I supposed to do this altogether or will you do this simplification part? > Many thanks. If you can that would be great, and you can have the credit. Otherwise I will make my proposed changes into a proper patch. At this point we just need to dot the i's and cross the t's and get this fix in. Eric >>>> Something like this? >>>> >>>> diff --git a/mm/mlock.c b/mm/mlock.c >>>> index 8f584eddd305..e7eabf5193ab 100644 >>>> --- a/mm/mlock.c >>>> +++ b/mm/mlock.c >>>> @@ -827,13 +827,12 @@ int user_shm_lock(size_t size, struct ucounts *ucounts) >>>> >>>> locked = (size + PAGE_SIZE - 1) >> PAGE_SHIFT; >>>> lock_limit = rlimit(RLIMIT_MEMLOCK); >>>> - if (lock_limit == RLIM_INFINITY) >>>> - allowed = 1; >>>> - lock_limit >>= PAGE_SHIFT; >>>> + if (lock_limit != RLIM_INFINITY) >>>> + lock_limit >>= PAGE_SHIFT; >>>> spin_lock(&shmlock_user_lock); >>>> memlock = inc_rlimit_ucounts(ucounts, UCOUNT_RLIMIT_MEMLOCK, locked); >>>> >>>> - if (!allowed && (memlock == LONG_MAX || memlock > lock_limit) && !capable(CAP_IPC_LOCK)) { >>>> + if ((memlock == LONG_MAX || memlock > lock_limit) && !capable(CAP_IPC_LOCK)) { >>>> dec_rlimit_ucounts(ucounts, UCOUNT_RLIMIT_MEMLOCK, locked); >>>> goto out; >>>> } >>>> >>>>> >>>>> Fixes: d7c9e99aee48 ("Reimplement RLIMIT_MEMLOCK on top of ucounts") >>>>> Signed-off-by: Miaohe Lin >>>>> Acked-by: Hugh Dickins >>>>> --- >>>>> v1->v2: >>>>> correct Fixes tag and collect Acked-by tag >>>>> Thanks Hugh for review! >>>>> --- >>>>> mm/mlock.c | 1 + >>>>> 1 file changed, 1 insertion(+) >>>>> >>>>> diff --git a/mm/mlock.c b/mm/mlock.c >>>>> index 29372c0eebe5..efd2dd2943de 100644 >>>>> --- a/mm/mlock.c >>>>> +++ b/mm/mlock.c >>>>> @@ -733,6 +733,7 @@ int user_shm_lock(size_t size, struct ucounts *ucounts) >>>>> } >>>>> if (!get_ucounts(ucounts)) { >>>>> dec_rlimit_ucounts(ucounts, UCOUNT_RLIMIT_MEMLOCK, locked); >>>>> + allowed = 0; >>>>> goto out; >>>>> } >>>>> allowed = 1; >>>> >>>> Eric >>>> . >>>> >> . >>