Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp2640250imm; Thu, 11 Oct 2018 13:40:40 -0700 (PDT) X-Google-Smtp-Source: ACcGV63AF5++uI906ykqg5K4SrPqgHLskWwE/tmK3GbnQ4GSyA5vTSrfWLbIUPZWpO/KpZhxyEnE X-Received: by 2002:a62:adc:: with SMTP id 89-v6mr3088313pfk.56.1539290440721; Thu, 11 Oct 2018 13:40:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539290440; cv=none; d=google.com; s=arc-20160816; b=BJ9j5cl4NYW9Kn+o4k+uGWeqoSUn1j1ytAb3kg4NBIyXuOR6aVQR6XC9ZtYx724e0w PP9VIVmTr7OfAb6hLq1Bn2i8JAyL7xIWu3Y/or/VDd7ZMDpAMzhmndYylzfPH8a2eFel OQFBip1cKs75TgIEz9ug3rP6I2Hi5WzF03HhE/8mpP3mdQ3L09EtRZa5x+ajR/IqBziX U2kCAEBc1MuV0W9o485vq/RnkQNMj6E1Rm/7CzFwqYgZXClW2XzY2hnpm5lwlAX9Fr3X OzA2/RJxwL6C0TFbfdlVw9EfO+3MX55KrWtiSTGWy0YzkMpNE4k/IJcY8iblDi7vXbtV IapA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=+NaERK3t9jZbwruYt+KRN4CMKJa5ImYF22IDwr1nznw=; b=AMUvOHY8cOe3xQNaTLp2fj4Loa3e+P5X8+IGfVspXQWOYfmiA2d3aR6eMpy7EvPQ0B OuI845WOoTHaCHvJY8OeFMt5xaZzjCribGduj/v7vPNV88fusYl3oGZtOLqMQUH4wLU5 jO3xfhkl+Ri8TgcheofdFxtmC6OrpgXgqvpDLu+h3/4WQxUCD++Cx7U8Q9GFfQf8NshY Qj7YZRUNI7tvRR7ZagYQY8PbKf2IdDJsLmQ/CdjsCOol6cHwcr3+B15jSA8kJgZBjKau E6foiQdnDU8lvTdi/q8g/VZxFe1PIrcrIXRw9xTw7KbV9t3BSDseYuIHQq7IigOis03p nroQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=i3BZB1Rt; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 145-v6si29774974pgd.509.2018.10.11.13.40.24; Thu, 11 Oct 2018 13:40:40 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=i3BZB1Rt; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726336AbeJLEIq (ORCPT + 99 others); Fri, 12 Oct 2018 00:08:46 -0400 Received: from mail-oi1-f195.google.com ([209.85.167.195]:44395 "EHLO mail-oi1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725903AbeJLEIq (ORCPT ); Fri, 12 Oct 2018 00:08:46 -0400 Received: by mail-oi1-f195.google.com with SMTP id u74-v6so8159266oia.11 for ; Thu, 11 Oct 2018 13:39:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+NaERK3t9jZbwruYt+KRN4CMKJa5ImYF22IDwr1nznw=; b=i3BZB1RtGZo5hdf7PWvA4dOZk/fhJBBk32vLvTd5+GzbqHSBaSQAIL+mQ4unxVniio 16PRaK0Jxyo3KiJJle9dBIvIE1GXUvoBhxFFSU58vppUWrpWLrsC1TqXUqFkZNholw9E mdUXiN4Yk6zBxCx/bRZzkwyLMNJwAdTtJDhrWCeATYq9srbvZ/OhF32CGu8wtopdl1lY jLZBqm/5hMInID+rqzyxyMOK5gLHRnMiAIzoXHlGZZOipLDxvoZng4fStVa4mQNj5j/W 4x4hIPDKOOX5pkz33N2ftql/o+0Kq3/F8g4R48YXCWNeZ3nnKXR4A2yRLjBwOMeSODEC j8bw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+NaERK3t9jZbwruYt+KRN4CMKJa5ImYF22IDwr1nznw=; b=ow3yyH5i6k8A89rVUG+dqQjAd/9WJmOB+NHgGbvxjd+2Vj3L3tuJhNQpwDD2Xvv2QZ EGqne6IXwVtnjcHtmepQ1sykrk+irZczRGMGNzxEnHimdQXEC57jOrDKinbd4zZthef2 wDOBuLkm0DXQXop9aOfjRpIC4LGVlFqdE0oVnidAmGcYmM0Qv9Kf+Zpgng8rXzFYYHNJ RaIYb+7nAioYWU+a+eoBnqYMZcfGXtPmaQqD0WyaI+oKEm1m5Bi29HHnlH86tfFA/+St gOZAeyuyVv0K1x9b4pw6jgA+NFMa3rhC8FUik6k9SLy+d5eIxI6yg8laYSnuJdCyNLvO 7mFQ== X-Gm-Message-State: ABuFfojrfqTGbP+cVuSXHVY+bGxUaTycKGM+MUR1IEKjWUZZKLPirJT0 eg+lMik+0kQkoM+v2vEvukmKHUE6YkK8zNwvEiBbFA== X-Received: by 2002:aca:bf55:: with SMTP id p82-v6mr1857876oif.39.1539290390243; Thu, 11 Oct 2018 13:39:50 -0700 (PDT) MIME-Version: 1.0 References: <20181011151523.27101-1-yu-cheng.yu@intel.com> <20181011151523.27101-8-yu-cheng.yu@intel.com> In-Reply-To: <20181011151523.27101-8-yu-cheng.yu@intel.com> From: Jann Horn Date: Thu, 11 Oct 2018 22:39:24 +0200 Message-ID: Subject: Re: [PATCH v5 07/27] mm/mmap: Create a guard area between VMAs To: yu-cheng.yu@intel.com, Andy Lutomirski Cc: "the arch/x86 maintainers" , "H . Peter Anvin" , Thomas Gleixner , Ingo Molnar , kernel list , linux-doc@vger.kernel.org, Linux-MM , linux-arch , Linux API , Arnd Bergmann , Balbir Singh , Cyrill Gorcunov , Dave Hansen , Eugene Syromiatnikov , Florian Weimer , hjl.tools@gmail.com, Jonathan Corbet , Kees Cook , Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra , rdunlap@infradead.org, ravi.v.shankar@intel.com, vedvyas.shanbhogue@intel.com, Daniel Micay Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Oct 11, 2018 at 5:20 PM Yu-cheng Yu wrote: > Create a guard area between VMAs to detect memory corruption. [...] > +config VM_AREA_GUARD > + bool "VM area guard" > + default n > + help > + Create a guard area between VM areas so that access beyond > + limit can be detected. > + > endmenu Sorry to bring this up so late, but Daniel Micay pointed out to me that, given that VMA guards will raise the number of VMAs by inhibiting vma_merge(), people are more likely to run into /proc/sys/vm/max_map_count (which limits the number of VMAs to ~65k by default, and can't easily be raised without risking an overflow of page->_mapcount on systems with over ~800GiB of RAM, see https://lore.kernel.org/lkml/20180208021112.GB14918@bombadil.infradead.org/ and replies) with this change. Playing with glibc's memory allocator, it looks like glibc will use mmap() for 128KB allocations; so at 65530*128KB=8GB of memory usage in 128KB chunks, an application could run out of VMAs. People already run into that limit sometimes when mapping files, and recommend raising it: https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html http://docs.actian.com/vector/4.2/User/Increase_max_map_count_Kernel_Parameter_(Linux).htm https://www.suse.com/de-de/support/kb/doc/?id=7000830 (they actually ran into ENOMEM on **munmap**, because you can't split VMAs once the limit is reached): "A custom application was failing on a SLES server with ENOMEM errors when attempting to release memory using an munmap call. This resulted in memory failing to be released, and the system load and swap use increasing until the SLES machine ultimately crashed or hung." https://access.redhat.com/solutions/99913 https://forum.manjaro.org/t/resolved-how-to-set-vm-max-map-count-during-boot/43360 Arguably the proper solution to this would be to raise the default max_map_count to be much higher; but then that requires fixing the mapcount overflow.