From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 40C4AC433FE for ; Thu, 17 Mar 2022 01:50:17 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id BBB676B0071; Wed, 16 Mar 2022 21:50:16 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id B6B256B0072; Wed, 16 Mar 2022 21:50:16 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id A33758D0001; Wed, 16 Mar 2022 21:50:16 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0157.hostedemail.com [216.40.44.157]) by kanga.kvack.org (Postfix) with ESMTP id 96E1C6B0071 for ; Wed, 16 Mar 2022 21:50:16 -0400 (EDT) Received: from smtpin21.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay04.hostedemail.com (Postfix) with ESMTP id 424C6A3271 for ; Thu, 17 Mar 2022 01:50:16 +0000 (UTC) X-FDA: 79252198032.21.7A74F66 Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187]) by imf22.hostedemail.com (Postfix) with ESMTP id E9C1FC001A for ; Thu, 17 Mar 2022 01:50:14 +0000 (UTC) Received: from canpemm500002.china.huawei.com (unknown [172.30.72.55]) by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4KJqmq1CjZzfYqR; Thu, 17 Mar 2022 09:48:43 +0800 (CST) Received: from [10.174.177.76] (10.174.177.76) by canpemm500002.china.huawei.com (7.192.104.244) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.21; Thu, 17 Mar 2022 09:50:11 +0800 Subject: Re: [PATCH v2] mm/mlock: fix potential imbalanced rlimit ucounts adjustment To: "Eric W. Biederman" CC: , , , , Alexey Gladkov References: <20220314064039.62972-1-linmiaohe@huawei.com> <87h78036hl.fsf@email.froward.int.ebiederm.org> <82cf5aa8-a721-3ff3-7b09-54a66da0d506@huawei.com> <87lexbyslf.fsf@email.froward.int.ebiederm.org> <4803adf1-ba98-badc-6820-0948871b0742@huawei.com> <87sfri3s32.fsf@email.froward.int.ebiederm.org> From: Miaohe Lin Message-ID: Date: Thu, 17 Mar 2022 09:50:10 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0 MIME-Version: 1.0 In-Reply-To: <87sfri3s32.fsf@email.froward.int.ebiederm.org> Content-Type: text/plain; charset="utf-8" Content-Language: en-US Content-Transfer-Encoding: 7bit X-Originating-IP: [10.174.177.76] X-ClientProxiedBy: dggems704-chm.china.huawei.com (10.3.19.181) To canpemm500002.china.huawei.com (7.192.104.244) X-CFilter-Loop: Reflected X-Rspamd-Server: rspam06 X-Rspamd-Queue-Id: E9C1FC001A X-Stat-Signature: m3wnfny4zeu15b1djn7b4maamepyp4jk Authentication-Results: imf22.hostedemail.com; dkim=none; spf=pass (imf22.hostedemail.com: domain of linmiaohe@huawei.com designates 45.249.212.187 as permitted sender) smtp.mailfrom=linmiaohe@huawei.com; dmarc=pass (policy=quarantine) header.from=huawei.com X-Rspam-User: X-HE-Tag: 1647481814-72125 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 2022/3/16 22:11, Eric W. Biederman wrote: > Miaohe Lin writes: > >> On 2022/3/16 2:32, Eric W. Biederman wrote: >>> Miaohe Lin writes: >>> >>>> On 2022/3/14 23:21, Eric W. Biederman wrote: >>>>> Miaohe Lin writes: >>>>> >>>>>> user_shm_lock forgets to set allowed to 0 when get_ucounts fails. So >>>>>> the later user_shm_unlock might do the extra dec_rlimit_ucounts. Fix >>>>>> this by resetting allowed to 0. >>>>> >>>>> This fix looks correct. But the ability for people to follow and read >>>>> the code seems questionable. I saw in v1 of this patch Hugh originally >>>>> misread the logic. >>>>> >>>>> Could we instead change the code to leave lock_limit at ULONG_MAX aka >>>>> RLIM_INFINITY, leave initialized to 0, and not even need a special case >>>>> of RLIM_INFINITY as nothing can be greater that ULONG_MAX? >>>>> >>>> >>>> Many thanks for your advice. This looks good but it seems this results in different >>>> behavior: When (memlock == LONG_MAX) && !capable(CAP_IPC_LOCK), we would fail now >>>> while it will always success without this change. We should avoid this difference. >>>> Or am I miss something? Maybe the origin patch is more suitable and >>>> simple? >>> >>> Interesting. I think that is an unintended and necessary bug fix. >>> >>> When memlock == LONG_MAX that means inc_rlimit_ucounts failed. >>> >>> It either failed because at another level the limit was exceeded or >>> because the counter wrapped. In either case it is not appropriate to >>> succeed if inc_rlimit_ucounts detects a failure. >>> >>> Which is a long way of saying I think we really want the simplification >>> because it found and fixed another bug as well. >>> >>> Without the simplification I don't think I will be confident the code is >>> correct. >> >> Agree with you. This is a potential bug and you just catch it with the >> code simplification. :) >> >> Am I supposed to do this altogether or will you do this simplification part? >> Many thanks. > > If you can that would be great, and you can have the credit. > > Otherwise I will make my proposed changes into a proper patch. At this > point we just need to dot the i's and cross the t's and get this fix in. I will try to do this. Many thanks! > > Eric > >>>>> Something like this? >>>>> >>>>> diff --git a/mm/mlock.c b/mm/mlock.c >>>>> index 8f584eddd305..e7eabf5193ab 100644 >>>>> --- a/mm/mlock.c >>>>> +++ b/mm/mlock.c >>>>> @@ -827,13 +827,12 @@ int user_shm_lock(size_t size, struct ucounts *ucounts) >>>>> >>>>> locked = (size + PAGE_SIZE - 1) >> PAGE_SHIFT; >>>>> lock_limit = rlimit(RLIMIT_MEMLOCK); >>>>> - if (lock_limit == RLIM_INFINITY) >>>>> - allowed = 1; >>>>> - lock_limit >>= PAGE_SHIFT; >>>>> + if (lock_limit != RLIM_INFINITY) >>>>> + lock_limit >>= PAGE_SHIFT; >>>>> spin_lock(&shmlock_user_lock); >>>>> memlock = inc_rlimit_ucounts(ucounts, UCOUNT_RLIMIT_MEMLOCK, locked); >>>>> >>>>> - if (!allowed && (memlock == LONG_MAX || memlock > lock_limit) && !capable(CAP_IPC_LOCK)) { >>>>> + if ((memlock == LONG_MAX || memlock > lock_limit) && !capable(CAP_IPC_LOCK)) { >>>>> dec_rlimit_ucounts(ucounts, UCOUNT_RLIMIT_MEMLOCK, locked); >>>>> goto out; >>>>> } >>>>> >>>>>> >>>>>> Fixes: d7c9e99aee48 ("Reimplement RLIMIT_MEMLOCK on top of ucounts") >>>>>> Signed-off-by: Miaohe Lin >>>>>> Acked-by: Hugh Dickins >>>>>> --- >>>>>> v1->v2: >>>>>> correct Fixes tag and collect Acked-by tag >>>>>> Thanks Hugh for review! >>>>>> --- >>>>>> mm/mlock.c | 1 + >>>>>> 1 file changed, 1 insertion(+) >>>>>> >>>>>> diff --git a/mm/mlock.c b/mm/mlock.c >>>>>> index 29372c0eebe5..efd2dd2943de 100644 >>>>>> --- a/mm/mlock.c >>>>>> +++ b/mm/mlock.c >>>>>> @@ -733,6 +733,7 @@ int user_shm_lock(size_t size, struct ucounts *ucounts) >>>>>> } >>>>>> if (!get_ucounts(ucounts)) { >>>>>> dec_rlimit_ucounts(ucounts, UCOUNT_RLIMIT_MEMLOCK, locked); >>>>>> + allowed = 0; >>>>>> goto out; >>>>>> } >>>>>> allowed = 1; >>>>> >>>>> Eric >>>>> . >>>>> >>> . >>> > . >