Date: Fri, 2 Mar 2018 14:03:40 -0800
From: Matthew Wilcox
To: linux-mm@kvack.org
Cc: kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org, "Kirill A. Shutemov"
Subject: Re: [RFC] Handle mapcount overflows
Message-ID: <20180302220340.GC671@bombadil.infradead.org>
References: <20180208021112.GB14918@bombadil.infradead.org> <20180302212637.GB671@bombadil.infradead.org>
In-Reply-To: <20180302212637.GB671@bombadil.infradead.org>

On Fri, Mar 02, 2018 at 01:26:37PM -0800, Matthew Wilcox wrote:
> Here's my third effort to handle page->_mapcount overflows.

If you like this approach, but wonder if it works, here's a little forkbomb
of a program and a patch to add instrumentation.

In my dmesg, I never see the max mapcount getting above 65539. I see a mix
of unlucky, it him! and it me! messages.

#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

int dummy;

int main(int argc, char **argv)
{
	int fd = open(argv[1], O_RDWR);
	int i;

	if (fd < 0) {
		perror(argv[1]);
		return 1;
	}

	// Spawn 511 children
	for (i = 0; i < 9; i++)
		fork();

	// Each process maps the same file page 5000 times and reads it,
	// so every mapping adds to that page's _mapcount
	for (i = 0; i < 5000; i++)
		dummy = *(int *)mmap(NULL, 4096, PROT_READ, MAP_SHARED, fd, 0);
}

diff --git a/mm/mmap.c b/mm/mmap.c index 575766ec02f8..2b6187156db0 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1325,7 +1325,7 @@ static inline int mlock_future_check(struct mm_struct *mm, * Experimentally determined. gnome-shell currently uses fewer than * 3000 mappings, so should have zero effect on desktop users. */ -#define mm_track_threshold 5000 +#define mm_track_threshold 50 static DEFINE_SPINLOCK(heavy_users_lock); static DEFINE_IDR(heavy_users); 
@@ -1377,9 +1377,11 @@ static void kill_abuser(struct mm_struct *mm) break; if (down_write_trylock(&mm->mmap_sem)) { + printk_ratelimited("it him!\n"); kill_mm(tsk); up_write(&mm->mmap_sem); } else { + printk_ratelimited("unlucky!\n"); do_send_sig_info(SIGKILL, SEND_SIG_FORCED, tsk, true); } } @@ -1396,8 +1398,10 @@ void mm_mapcount_overflow(struct page *page) vma_interval_tree_foreach(vma, &mapping->i_mmap, pgoff, pgoff + 1) { if (vma->vm_mm == entry) count++; - if (count > 1000) + if (count > 1000) { + printk_ratelimited("it me!\n"); kill_mm(current); + } } rcu_read_lock(); @@ -1408,7 +1412,7 @@ void mm_mapcount_overflow(struct page *page) pgoff, pgoff + 1) { if (vma->vm_mm == entry) count++; - if (count > 1000) { + if (count > 10) { kill_abuser(entry); goto out; } diff --git a/mm/rmap.c b/mm/rmap.c index d88acf5c98e9..3f0509f6f011 100644 --- a/mm/rmap.c +++ b/mm/rmap.c @@ -1190,6 +1190,7 @@ void page_add_file_rmap(struct page *page, bool compound) VM_BUG_ON_PAGE(!PageSwapBacked(page), page); __inc_node_page_state(page, NR_SHMEM_PMDMAPPED); } else { + static int max = 0; int v; if (PageTransCompound(page) && page_mapping(page)) { VM_WARN_ON_ONCE(!PageLocked(page)); @@ -1199,12 +1200,14 @@ void page_add_file_rmap(struct page *page, bool compound) clear_page_mlock(compound_head(page)); } v = atomic_inc_return(&page->_mapcount); - if (likely(v > 0)) - goto out; - if (unlikely(v < 0)) { + if (unlikely(v > 65535)) { + if (max < v) max = v; + printk_ratelimited("overflow %d max %d\n", v, max); mm_mapcount_overflow(page); goto out; } + if (likely(v > 0)) + goto out; } __mod_lruvec_page_state(page, NR_FILE_MAPPED, nr); out:
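
Review bot: In the mm/mmap.c hunk at -1325, lowering mm_track_threshold from 5000 to 50 leaves the comment directly above it stale: it says gnome-shell uses fewer than 3000 mappings and so sees zero effect, which no longer holds at 50. If the value is only there to exercise the path, keep it out of the real patch or make the threshold a debug-time tunable, and say so in the comment.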
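
Review bot: The two printk_ratelimited() calls added to kill_abuser() (mm/mmap.c hunk at -1377) carry no log level and do not say which task was picked, so "it him!" and "unlucky!" cannot be tied to a victim in dmesg. Suggest pr_info_ratelimited() or pr_debug_ratelimited() with tsk's pid and comm in the message.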
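
Review bot: In the first loop of mm_mapcount_overflow() (mm/mmap.c hunk at -1396), nothing leaves vma_interval_tree_foreach() after kill_mm(current), so unless kill_mm() does not return, every further iteration once count has passed 1000 calls kill_mm(current) again and emits another "it me!". A break or goto after the kill, as the second loop does with goto out, would give one event per overflow.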
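
Review bot: The mm/mmap.c hunk at -1408 drops the second loop's limit to count > 10 while the first loop in the same function still tests count > 1000, so the two checks now disagree by two orders of magnitude with no comment saying why. A named constant (or two, each documented) would make it clear which values are test settings.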
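
Review bot: The static int max added to page_add_file_rmap() (mm/rmap.c hunk at -1190) is a plain int shared by every caller of this function, so concurrent updates can lose the true maximum. For instrumentation an atomic_t or a READ_ONCE()/WRITE_ONCE() pair would keep the number trustworthy; kernel style also omits the explicit = 0 on statics.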
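
Review bot: With the v < 0 test removed in the mm/rmap.c hunk at -1199, a negative return from atomic_inc_return() is no longer routed to mm_mapcount_overflow(): it fails both v > 65535 and v > 0 and falls through to __mod_lruvec_page_state() as if this were the first mapping. Keeping a v < 0 check (or a VM_WARN_ON) after the new test would preserve the old safety net. 65535 also deserves a named constant, and "if (max < v) max = v;" should be split over two lines.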