Subject: Re: [PATCH 1/2] staging: android: ion: Add __GFP_NOWARN for system
 contig heap
To: Chris Wilson <chris@chris-wilson.co.uk>,
        Greg KH <gregkh@linuxfoundation.org>,
        Sumit Semwal <sumit.semwal@linaro.org>
Cc: devel@driverdev.osuosl.org, LKML <linux-kernel@vger.kernel.org>,
        Dan Carpenter <dan.carpenter@oracle.com>
References: <20180105191409.17807-1-labbott@redhat.com>
 <151518101521.6838.4541956658403978617@mail.alporthouse.com>
From: Laura Abbott <labbott@redhat.com>
Message-ID: <73c2957c-0775-3829-e9e6-eb865b3ef47a@redhat.com>
Date: Fri, 5 Jan 2018 13:46:07 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.5.0
MIME-Version: 1.0
In-Reply-To: <151518101521.6838.4541956658403978617@mail.alporthouse.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org

On 01/05/2018 11:36 AM, Chris Wilson wrote:
> Quoting Laura Abbott (2018-01-05 19:14:08)
>> syzbot reported a warning from Ion:
>>
>>    WARNING: CPU: 1 PID: 3485 at mm/page_alloc.c:3926
>>
>>    ...
>>     __alloc_pages_nodemask+0x9fb/0xd80 mm/page_alloc.c:4252
>>    alloc_pages_current+0xb6/0x1e0 mm/mempolicy.c:2036
>>    alloc_pages include/linux/gfp.h:492 [inline]
>>    ion_system_contig_heap_allocate+0x40/0x2c0
>>    drivers/staging/android/ion/ion_system_heap.c:374
>>    ion_buffer_create drivers/staging/android/ion/ion.c:93 [inline]
>>    ion_alloc+0x2c1/0x9e0 drivers/staging/android/ion/ion.c:420
>>    ion_ioctl+0x26d/0x380 drivers/staging/android/ion/ion-ioctl.c:84
>>    vfs_ioctl fs/ioctl.c:46 [inline]
>>    do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
>>    SYSC_ioctl fs/ioctl.c:701 [inline]
>>    SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
>>
>> This is a warning about attempting to allocate order > MAX_ORDER. This
>> is coming from a userspace Ion allocation request. Since userspace is
>> free to request however much memory it wants (and the kernel is free to
>> deny its allocation), silence the allocation attempt with __GFP_NOWARN
>> in case it fails.
>>
>> Reported-by: syzbot+76e7efc4748495855a4d@syzkaller.appspotmail.com
>> Reported-by: syzbot <syzkaller@googlegroups.com>
>> Signed-off-by: Laura Abbott <labbott@redhat.com>
>> ---
>>   drivers/staging/android/ion/ion_system_heap.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/staging/android/ion/ion_system_heap.c b/drivers/staging/android/ion/ion_system_heap.c
>> index 71c4228f8238..bc19cdd30637 100644
>> --- a/drivers/staging/android/ion/ion_system_heap.c
>> +++ b/drivers/staging/android/ion/ion_system_heap.c
>> @@ -362,7 +362,7 @@ static int ion_system_contig_heap_allocate(struct ion_heap *heap,
>>          unsigned long i;
>>          int ret;
>>   
>> -       page = alloc_pages(low_order_gfp_flags, order);
>> +       page = alloc_pages(low_order_gfp_flags | __GFP_NOWARN, order);
> 
> There's both high_order_gfp and low_order_gfp. The former includes
> NOWARN and NORETRY.
> 
> Interesting, ion_system_heap_create_pools() tries to mix low_order and
> high_order, but it only ever uses high_order flags. (orders[0] == 8
> forcing a permanent switch from low_order_gfp to high_order_gfp).
> 

Good find, that got lost in a refactor back in 4.9.

> There's no good reason for low_order_gfp, high_order_gfp to be static
> rewritable variables.
> 
> For this instance, I would go farther and suggest you may want
> __GFP_RETRY_MAYFAIL | __GFP_NOWARN to prevent userspace from triggering
> the lowmemkiller/oomkiller here.
>   
> (I would kill low_order_gfp_flags / high_order_gfp_flags and avoid the
> obfuscation.)
> -Chris
> 

Yeah, I think this all needs some refactoring. The high_order/low_order
flags were originally for the system heap to allocate pages for the
page pool and I don't think they should be reused for the contig heap.
I'll see about doing a refactor.

Thanks for the review!

Laura