From: Michal Hocko
To: Suren Baghdasaryan
Cc: akpm@linux-foundation.org, ccross@google.com, sumit.semwal@linaro.org, dave.hansen@intel.com, keescook@chromium.org, willy@infradead.org, kirill.shutemov@linux.intel.com, vbabka@suse.cz, hannes@cmpxchg.org, ebiederm@xmission.com, brauner@kernel.org, legion@kernel.org, ran.xiaokai@zte.com.cn, sashal@kernel.org, chris.hyser@oracle.com, dave@stgolabs.net, pcc@google.com, caoxiaofeng@yulong.com, david@redhat.com, gorcunov@gmail.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-team@android.com
Subject: Re: [PATCH 2/3] mm: prevent vm_area_struct::anon_name refcount saturation
Date: Tue, 22 Feb 2022 10:17:02 +0100
References: <20220222054025.3412898-1-surenb@google.com> <20220222054025.3412898-2-surenb@google.com>
In-Reply-To: <20220222054025.3412898-2-surenb@google.com>

On Mon 21-02-22 21:40:24, Suren Baghdasaryan wrote:
> A deep process chain with many vmas could grow really high.

This would really benefit from some numbers. With default sysctl_max_map_count (64k) and default pid_max (32k) the INT_MAX could be theoretically reached but I find it impractical because not all vmas can be anonymous same as all available pids can be consumed for a theoretical attack (if my counting is proper).
On the other hand any non-default configuration with any of the values increased could hit this theoretically. > kref > refcounting interface used in anon_vma_name structure will detect > a counter overflow when it reaches REFCOUNT_SATURATED value but will > only generate a warning about broken refcounting. > To ensure anon_vma_name refcount does not overflow, stop anon_vma_name > sharing when the refcount reaches INT_MAX, which still leaves INT_MAX/2 > values before the counter reaches REFCOUNT_SATURATED. This should provide > enough headroom for raising the refcounts temporarily. > > Suggested-by: Michal Hocko > Signed-off-by: Suren Baghdasaryan > --- > include/linux/mm_inline.h | 18 ++++++++++++++---- > mm/madvise.c | 3 +-- > 2 files changed, 15 insertions(+), 6 deletions(-) > > diff --git a/include/linux/mm_inline.h b/include/linux/mm_inline.h > index 70b619442d56..b189e2638843 100644 > --- a/include/linux/mm_inline.h > +++ b/include/linux/mm_inline.h > @@ -156,15 +156,25 @@ static inline void anon_vma_name_get(struct anon_vma_name *anon_name) > > extern void anon_vma_name_put(struct anon_vma_name *anon_name); > > +static inline > +struct anon_vma_name *anon_vma_name_reuse(struct anon_vma_name *anon_name) > +{ > + /* Prevent anon_name refcount saturation early on */ > + if (kref_read(&anon_name->kref) < INT_MAX) { REFCOUNT_MAX seems to be defined by the kref framework. Other than that looks good to me. > + anon_vma_name_get(anon_name); > + return anon_name; > + > + } > + return anon_vma_name_alloc(anon_name->name); > +} > + > static inline void dup_vma_anon_name(struct vm_area_struct *orig_vma, > struct vm_area_struct *new_vma) > { > struct anon_vma_name *anon_name = vma_anon_name(orig_vma); > > - if (anon_name) { > - anon_vma_name_get(anon_name); > - new_vma->anon_name = anon_name; > - } > + if (anon_name) > + new_vma->anon_name = anon_vma_name_reuse(anon_name); > } > > static inline void free_vma_anon_name(struct vm_area_struct *vma) 
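Review bot: The cut-off in anon_vma_name_reuse() is only approximate, because `kref_read(&anon_name->kref) < INT_MAX` and the anon_vma_name_get() that follows it are two separate steps: concurrent callers that all observe INT_MAX - 1 each take the shared path, so the count can land somewhat above INT_MAX. That is acceptable given the INT_MAX/2 of headroom to REFCOUNT_SATURATED the commit message relies on, but the comment above the check ("Prevent anon_name refcount saturation early on") should say the bound is deliberately loose, and writing it as REFCOUNT_MAX, which refcount.h defines as INT_MAX next to REFCOUNT_SATURATED, would tie the check to that reasoning instead of a bare literal. Also drop the stray empty line between `+ return anon_name;` and `+ }`.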
> diff --git a/mm/madvise.c b/mm/madvise.c > index f81d62d8ce9b..a395884aeecb 100644 > --- a/mm/madvise.c > +++ b/mm/madvise.c > @@ -122,8 +122,7 @@ static int replace_vma_anon_name(struct vm_area_struct *vma, > if (anon_vma_name_eq(orig_name, anon_name)) > return 0; > > - anon_vma_name_get(anon_name); > - vma->anon_name = anon_name; > + vma->anon_name = anon_vma_name_reuse(anon_name); > anon_vma_name_put(orig_name); > > return 0; > -- > 2.35.1.473.g83b2b277ed-goog -- Michal Hocko SUSE Labs
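Review bot: replace_vma_anon_name() can now end up with a NULL name without reporting it: anon_vma_name_reuse() falls back to anon_vma_name_alloc(), so when that allocation fails `vma->anon_name = anon_vma_name_reuse(anon_name);` stores NULL, the following `anon_vma_name_put(orig_name);` releases the previous name, and the function still returns 0, leaving the vma silently unnamed where the old get/assign pair could not fail. Assign the result to a local first, return -ENOMEM when it is NULL before putting orig_name, and consider whether dup_vma_anon_name() in the previous hunk, which now has the same failure mode during a copy, should handle it as well.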
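To make the reuse-or-allocate policy discussed in this thread concrete, here is an added userspace model in C; it is not kernel code and not part of the patch. It copies the two constants REFCOUNT_MAX and REFCOUNT_SATURATED with the values include/linux/refcount.h gives them, models refcount_t's overflow handling in a simplified way (an increment that would carry the counter past REFCOUNT_MAX pins it at REFCOUNT_SATURATED and records a warning), and mirrors the patch's anon_vma_name_reuse() as name_reuse(). Every name in it (anon_name, name_alloc, name_reuse, model_refcount_inc, saturation_headroom, the demo_* functions) and the sample name string are assumptions made for this example.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Values as defined in include/linux/refcount.h; the counter below is a
 * plain unsigned int standing in for kref/refcount_t (userspace model). */
#define REFCOUNT_MAX        INT_MAX        /* 0x7fffffff */
#define REFCOUNT_SATURATED  (INT_MIN / 2)  /* 0xc0000000 read as unsigned */

struct anon_name {                 /* hypothetical stand-in for anon_vma_name */
    unsigned int refcount;
    char name[64];
};

/* Counts how often the model counter was pinned at REFCOUNT_SATURATED. */
static unsigned int saturation_warnings;

/* Simplified model of refcount_inc(): an increment that would leave the
 * sane range [1, REFCOUNT_MAX] pins the counter at REFCOUNT_SATURATED and
 * records a warning instead of wrapping, which is what refcount_t does. */
static void model_refcount_inc(unsigned int *rc)
{
    unsigned int old = *rc;
    unsigned int next = old + 1u;             /* unsigned: no UB on wrap */

    if (old > (unsigned int)REFCOUNT_MAX || next > (unsigned int)REFCOUNT_MAX) {
        *rc = (unsigned int)REFCOUNT_SATURATED;
        saturation_warnings++;
        return;
    }
    *rc = next;
}

static struct anon_name *name_alloc(const char *s)
{
    struct anon_name *n = calloc(1, sizeof(*n));

    if (!n)
        return NULL;
    n->refcount = 1;
    snprintf(n->name, sizeof(n->name), "%s", s);
    return n;
}

/* The patch's policy: share the existing object while its count is below
 * REFCOUNT_MAX, otherwise hand out a fresh copy carrying the same string. */
static struct anon_name *name_reuse(struct anon_name *n)
{
    if (n->refcount < (unsigned int)REFCOUNT_MAX) {
        model_refcount_inc(&n->refcount);
        return n;
    }
    return name_alloc(n->name);
}

/* Number of counter values between the sharing cut-off and the saturation
 * constant, i.e. the "INT_MAX/2" the commit message talks about. */
static unsigned int saturation_headroom(void)
{
    return (unsigned int)REFCOUNT_SATURATED - (unsigned int)REFCOUNT_MAX;
}

/* Drive a shared name up to the cut-off (by setting the counter directly
 * rather than looping 2^31 times) and check the policy: the holder that
 * reaches REFCOUNT_MAX still shares, the next one gets a separate object
 * with the same string, and the model never saturates. Returns 1 on success. */
static int demo_cutoff(void)
{
    struct anon_name *shared = name_alloc("[anon:example]");  /* constructed */
    struct anon_name *a, *b;
    int ok;

    if (!shared)
        return 0;
    saturation_warnings = 0;
    shared->refcount = (unsigned int)REFCOUNT_MAX - 1u;
    a = name_reuse(shared);        /* shared: count becomes REFCOUNT_MAX */
    b = name_reuse(shared);        /* at the cut-off: fresh copy, count 1 */
    ok = a == shared && shared->refcount == (unsigned int)REFCOUNT_MAX &&
         b && b != shared && b->refcount == 1 &&
         strcmp(b->name, shared->name) == 0 && saturation_warnings == 0;
    free(b);
    free(shared);
    return ok;
}

/* What an unconditional get does at the same point: one more increment on
 * a counter already at REFCOUNT_MAX saturates it. Returns 1 when it does. */
static int demo_unchecked_get(void)
{
    unsigned int rc = (unsigned int)REFCOUNT_MAX;

    saturation_warnings = 0;
    model_refcount_inc(&rc);
    return rc == (unsigned int)REFCOUNT_SATURATED && saturation_warnings == 1;
}

int main(void)
{
    printf("cut-off policy ok: %d\n", demo_cutoff());
    printf("unchecked get saturates: %d\n", demo_unchecked_get());
    printf("headroom: %u (INT_MAX/2 = %d)\n", saturation_headroom(), INT_MAX / 2);
    return 0;
}
```

The model deliberately jumps the counter to the boundary instead of incrementing it 2^31 times; the point it makes is the same one the patch makes, namely that a shared name stops being shared one step before the counter would trip refcount_t's overflow handling, so the kernel warning is never reached by ordinary sharing.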