From: Daniel Micay <danielmicay@gmail.com>
To: Jann Horn <jannh@google.com>
Cc: Matthew Wilcox <willy@infradead.org>,
linux-mm@kvack.org,
Kernel Hardening <kernel-hardening@lists.openwall.com>,
kernel list <linux-kernel@vger.kernel.org>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Subject: Re: [RFC] Warn the user when they could overflow mapcount
Date: Thu, 8 Feb 2018 13:05:33 -0500 [thread overview]
Message-ID: <CA+DvKQLHDR0s=6r4uiHL8kw2_PnfJcwYfPxgQOmuLbc=5k39+g@mail.gmail.com> (raw)
In-Reply-To: <CAG48ez2-MTJ2YrS5fPZi19RY6P_6NWuK1U5CcQpJ25=xrGSy_A@mail.gmail.com>
>> That seems pretty bad. So here's a patch which adds documentation to the
>> two sysctls that a sysadmin could use to shoot themselves in the foot,
>> and adds a warning if they change either of them to a dangerous value.
>
> I have negative feelings about this patch, mostly because AFAICS:
>
> - It documents an issue instead of fixing it.
> - It likely only addresses a small part of the actual problem.
The standard map_max_count / pid_max are very low and there are many
situations where either or both need to be raised.
VM fragmentation in long-lived processes is a major issue. There are
allocators like jemalloc designed to minimize VM fragmentation by
never unmapping memory but they're relying on not having anything else
using mmap regularly so they can have all their ranges merged
together, unless they decide to do something like making a 1TB
PROT_NONE mapping up front to slowly consume. If you Google this
sysctl name, you'll find lots of people running into the limit. If
you're using a debugging / hardened allocator designed to use a lot of
guard pages, the standard map_max_count is close to unusable...
I think the same thing applies to pid_max. There are too many
reasonable reasons to increase it. Process-per-request is quite
reasonable if you care about robustness / security and want to sandbox
each request handler. Look at Chrome / Chromium: it's currently
process-per-site-instance, but they're moving to having more processes
with site isolation to isolate iframes into their own processes to
work towards enforcing the boundaries between sites at a process
level. It's way worse for fine-grained server-side sandboxing. Using a
lot of processes like this does counter VM fragmentation especially if
long-lived processes doing a lot of work are mostly avoided... but if
your allocators like using guard pages you're still going to hit the
limit.
I do think the default value in the documentation should be fixed but
if there's a clear problem with raising these it really needs to be
fixed. Google either of the sysctl names and look at all the people
running into issues and needing to raise them. It's only going to
become more common to raise these with people trying to use lots of
fine-grained sandboxing. Process-per-request is back in style.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2018-02-08 18:05 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-08 2:11 Matthew Wilcox
2018-02-08 2:56 ` Jann Horn
2018-02-08 4:04 ` Matthew Wilcox
2018-02-08 17:58 ` valdis.kletnieks
2018-02-08 18:05 ` Daniel Micay [this message]
2018-02-08 18:56 ` Matthew Wilcox
2018-02-08 19:33 ` Daniel Micay
2018-02-08 19:42 ` Matthew Wilcox
2018-02-08 19:48 ` Daniel Micay
2018-02-08 20:21 ` Matthew Wilcox
2018-02-08 21:37 ` [RFC] Limit mappings to ten per page per process Matthew Wilcox
2018-02-09 4:26 ` Kirill A. Shutemov
2018-02-14 13:51 ` Matthew Wilcox
2018-02-14 14:05 ` Kirill A. Shutemov
2018-02-09 1:47 ` [RFC] Warn the user when they could overflow mapcount Daniel Micay
2018-02-08 3:18 ` Tobin C. Harding
2018-02-08 4:06 ` Matthew Wilcox
2018-03-02 21:26 ` [RFC] Handle mapcount overflows Matthew Wilcox
2018-03-02 22:03 ` Matthew Wilcox
2019-05-01 14:41 ` Jann Horn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CA+DvKQLHDR0s=6r4uiHL8kw2_PnfJcwYfPxgQOmuLbc=5k39+g@mail.gmail.com' \
--to=danielmicay@gmail.com \
--cc=jannh@google.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox