From: Suren Baghdasaryan
Date: Tue, 22 Feb 2022 07:56:53 -0800
Subject: Re: [PATCH 2/3] mm: prevent vm_area_struct::anon_name refcount saturation
To: Michal Hocko
Cc: akpm@linux-foundation.org, ccross@google.com, sumit.semwal@linaro.org, dave.hansen@intel.com, keescook@chromium.org, willy@infradead.org, kirill.shutemov@linux.intel.com, vbabka@suse.cz, hannes@cmpxchg.org, ebiederm@xmission.com, brauner@kernel.org, legion@kernel.org, ran.xiaokai@zte.com.cn, sashal@kernel.org, chris.hyser@oracle.com, dave@stgolabs.net, pcc@google.com, caoxiaofeng@yulong.com, david@redhat.com, gorcunov@gmail.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-team@android.com

On Tue, Feb 22, 2022 at 1:17 AM Michal Hocko wrote:
>
> On Mon 21-02-22 21:40:24, Suren Baghdasaryan wrote:
> > A deep process chain with many vmas could grow really high.
>
> This would really benefit from some numbers. With default
> sysctl_max_map_count (64k) and default pid_max (32k) the INT_MAX could
> be theoretically reached but I find it impractical because not all vmas
> can be anonymous same as all available pids can be consumed for a
> theoretical attack (if my counting is proper).
> On the other hand any non-default configuration with any of the values
> increased could hit this theoretically.

re: This would really benefit from some numbers
Should I just add the details you provided above into the description?
Would that suffice?

>
> > kref
> > refcounting interface used in anon_vma_name structure will detect
> > a counter overflow when it reaches REFCOUNT_SATURATED value but will
> > only generate a warning about broken refcounting.
> > To ensure anon_vma_name refcount does not overflow, stop anon_vma_name
> > sharing when the refcount reaches INT_MAX, which still leaves INT_MAX/2
> > values before the counter reaches REFCOUNT_SATURATED. This should provide
> > enough headroom for raising the refcounts temporarily.
> >
> > Suggested-by: Michal Hocko
> > Signed-off-by: Suren Baghdasaryan
> > --- > > include/linux/mm_inline.h | 18 ++++++++++++++---- > > mm/madvise.c | 3 +-- > > 2 files changed, 15 insertions(+), 6 deletions(-) > > > > diff --git a/include/linux/mm_inline.h b/include/linux/mm_inline.h > > index 70b619442d56..b189e2638843 100644 > > --- a/include/linux/mm_inline.h > > +++ b/include/linux/mm_inline.h
> > @@ -156,15 +156,25 @@ static inline void anon_vma_name_get(struct anon_vma_name *anon_name) > > > > extern void anon_vma_name_put(struct anon_vma_name *anon_name); > > > > +static inline > > +struct anon_vma_name *anon_vma_name_reuse(struct anon_vma_name *anon_name) > > +{ > > + /* Prevent anon_name refcount saturation early on */ > > + if (kref_read(&anon_name->kref) < INT_MAX) { > > REFCOUNT_MAX seems to be defined by the kref framework. Ah, indeed. I missed that. Will change to use it. > > Other than that looks good to me. Thanks for the review! > > > + anon_vma_name_get(anon_name); > > + return anon_name; > > + > > + } > > + return anon_vma_name_alloc(anon_name->name); > > +} > > + > > static inline void dup_vma_anon_name(struct vm_area_struct *orig_vma, > > struct vm_area_struct *new_vma) > > { > > struct anon_vma_name *anon_name = vma_anon_name(orig_vma); > > > > - if (anon_name) { > > - anon_vma_name_get(anon_name); > > - new_vma->anon_name = anon_name; > > - } > > + if (anon_name) > > + new_vma->anon_name = anon_vma_name_reuse(anon_name); > > } > > > > static inline void free_vma_anon_name(struct vm_area_struct *vma) > > diff --git a/mm/madvise.c b/mm/madvise.c > > index f81d62d8ce9b..a395884aeecb 100644 > > --- a/mm/madvise.c > > +++ b/mm/madvise.c > > @@ -122,8 +122,7 @@ static int replace_vma_anon_name(struct vm_area_struct *vma, > > if (anon_vma_name_eq(orig_name, anon_name)) > > return 0; > > > > - anon_vma_name_get(anon_name); > > - vma->anon_name = anon_name; > > + vma->anon_name = anon_vma_name_reuse(anon_name); > > anon_vma_name_put(orig_name); > > > > return 0; > > -- > > 2.35.1.473.g83b2b277ed-goog > > -- > Michal Hocko > SUSE Labs
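
Review bot: in the include/linux/mm_inline.h hunk, dup_vma_anon_name() now stores the result of anon_vma_name_reuse() straight into new_vma->anon_name, and on the fallback path that result comes from anon_vma_name_alloc(anon_name->name) with no check. If that allocation can fail, the new vma silently ends up without a name, and because dup_vma_anon_name() returns void the caller has no way to notice; either document that losing the name here is acceptable or let the function report the failure. Two smaller points in the same hunk: the kref_read() test and the following anon_vma_name_get() are separate steps, so several callers can pass the check before any of them increments, and the "Prevent anon_name refcount saturation early on" comment should state that the gap between the threshold and REFCOUNT_SATURATED is what absorbs that; and there is a stray empty line between "return anon_name;" and the closing brace of the if block.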
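
Review bot: in the mm/madvise.c hunk, replace_vma_anon_name() assigns vma->anon_name = anon_vma_name_reuse(anon_name), then drops orig_name with anon_vma_name_put() and returns 0 without looking at what was assigned. If the allocation fallback inside anon_vma_name_reuse() yields NULL, the vma loses both its old and its new name while the caller is told the call succeeded. Suggest taking the result into a local first, returning an error when it is NULL, and only then assigning it and putting orig_name, so a failed replacement leaves the existing name in place.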