From: John Stultz <jstultz@google.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: jaewon31.kim@samsung.com,
"tjmercier@google.com" <tjmercier@google.com>,
"sumit.semwal@linaro.org" <sumit.semwal@linaro.org>,
"daniel.vetter@ffwll.ch" <daniel.vetter@ffwll.ch>,
"hannes@cmpxchg.org" <hannes@cmpxchg.org>,
"mhocko@kernel.org" <mhocko@kernel.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"jaewon31.kim@gmail.com" <jaewon31.kim@gmail.com>
Subject: Re: [PATCH v2] dma-buf/heaps: system_heap: Avoid DoS by limiting single allocations to half of all memory
Date: Wed, 5 Apr 2023 21:24:17 -0700 [thread overview]
Message-ID: <CANDhNCq+mhhXjW7huYoQwUq18sRCcn6HjbPqh7mU9KrGyKeLfA@mail.gmail.com> (raw)
In-Reply-To: <20230405200923.9b0dca2165ef3335a0f6b112@linux-foundation.org>
On Wed, Apr 5, 2023 at 8:09 PM Andrew Morton <akpm@linux-foundation.org> wrote:
> On Thu, 06 Apr 2023 11:17:12 +0900 Jaewon Kim <jaewon31.kim@samsung.com> wrote:
>
> > >> + if (len / PAGE_SIZE > totalram_pages())
> > >> + return ERR_PTR(-ENOMEM);
> > >
> > >We're catering for a buggy caller here, aren't we? Are such large
> > >requests ever reasonable?
> > >
> > >How about we decide what's the largest reasonable size and do a
> > >WARN_ON(larger-than-that), so the buggy caller gets fixed?
> >
> > Yes we're considering a buggy caller. I thought even totalram_pages() / 2 in
> > the old ion system is also unreasonable. To avoid the /2, I changed it to
> > totalram_pages() though.
> >
> > Because userspace can request that size repeately, I think WARN_ON() may be
> > called to too often, so that it would fill the kernel log buffer.
>
> Oh geeze. I trust that userspace needs elevated privileges of some form?
>
> If so, then spamming dmesg isn't an issue - root can do much worse than
> that.
>
> > Even we think WARN_ON_ONCE rather than WARN_ON, the buggy point is not kernel
> > layer. Unlike page fault mechanism, this dma-buf system heap gets the size from
> > userspace, and it is allowing unlimited size. I think we can't fix the buggy
> > user space with the kernel warning log. So I think warning is not enough,
> > and we need a safeguard in kernel layer.
>
> I really dislike that ram/2 thing - it's so arbitrary, hence is surely
> wrong for all cases. Is there something more thoughtful we can do?
Just for context, here's the old commit that added this to ION:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c9e8440eca61298ecccbb27f53036124a7a3c6c8
I think the consideration was that allocations larger than half of
memory are likely due to erroneously "negative" size values.
My memory is foggy on any discussions from that time, but I imagine
the thinking was treating the value as if it were signed and error out
immediately on negative values, but rather than just capping at 2gb on
32bit systems, one could scale it to half of the system memory size,
as that seemed an appropriate border of "obviously wrong".
And the reason why I think folks wanted to avoid just warning and
continuing with the allocation, is that these large allocations would
bog the system down badly before it failed, so failing quickly was a
benefit as the system was still responsive and able to be used to
collect logs and debug the issue.
When you say "decide what's the largest reasonable size", I think it
is difficult as with the variety of RAM sizes and buffer sizes I don't
think there's a fixed limit. Systems with more ram will use larger
buffers for image/video capture buffers. And yes, you're right that
ram/2-1 in a single allocation is just as broken, but I'm not sure how
to establish a better guard rail.
thanks
-john
next prev parent reply other threads:[~2023-04-06 4:24 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20230406000841epcas1p3630010a770682be0f1d540a448f3e00e@epcas1p3.samsung.com>
2023-04-06 0:08 ` Jaewon Kim
2023-04-06 0:25 ` Andrew Morton
[not found] ` <CGME20230406000841epcas1p3630010a770682be0f1d540a448f3e00e@epcms1p3>
2023-04-06 1:44 ` Jaewon Kim
2023-04-06 1:56 ` Andrew Morton
[not found] ` <CGME20230406000841epcas1p3630010a770682be0f1d540a448f3e00e@epcms1p2>
2023-04-06 2:17 ` Jaewon Kim
2023-04-06 3:09 ` Andrew Morton
2023-04-06 4:24 ` John Stultz [this message]
2023-04-06 23:27 ` T.J. Mercier
2023-04-06 23:38 ` Andrew Morton
2023-04-07 0:00 ` T.J. Mercier
[not found] ` <CGME20230406000841epcas1p3630010a770682be0f1d540a448f3e00e@epcms1p4>
2023-04-07 2:24 ` Jaewon Kim
2023-04-07 5:12 ` T.J. Mercier
2023-04-07 13:03 ` Jaewon Kim
2023-04-06 3:46 ` 김재원
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CANDhNCq+mhhXjW7huYoQwUq18sRCcn6HjbPqh7mU9KrGyKeLfA@mail.gmail.com \
--to=jstultz@google.com \
--cc=akpm@linux-foundation.org \
--cc=daniel.vetter@ffwll.ch \
--cc=hannes@cmpxchg.org \
--cc=jaewon31.kim@gmail.com \
--cc=jaewon31.kim@samsung.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mhocko@kernel.org \
--cc=sumit.semwal@linaro.org \
--cc=tjmercier@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox