Subject: Re: [PATCH] io_uring: avoid page allocation warnings
To: Mark Rutland
Cc: Matthew Wilcox, linux-kernel@vger.kernel.org, Alexander Viro, linux-fsdevel@vger.kernel.org, linux-block@vger.kernel.org
From: Jens Axboe
Date: Wed, 1 May 2019 09:29:25 -0600
Message-ID: <88fee953-ea3e-b9c0-650c-60faea07dd04@kernel.dk>
X-Mailing-List: linux-kernel@vger.kernel.org

On 5/1/19 9:09 AM, Mark Rutland wrote:
> On Wed, May 01, 2019 at 06:41:43AM -0600, Jens Axboe wrote:
>> On 5/1/19 4:30 AM, Mark Rutland wrote:
>>> On Tue, Apr 30, 2019 at 12:11:59PM -0600, Jens Axboe wrote:
>>>> On 4/30/19 11:03 AM, Mark Rutland wrote:
>>>>> I've just had a go at that, but when using kvmalloc() with or without
>>>>> GFP_KERNEL_ACCOUNT I hit OOM and my system hangs within a few seconds with the
>>>>> syzkaller prog below:
>>>>>
>>>>> ----
>>>>> Syzkaller reproducer:
>>>>> # {Threaded:false Collide:false Repeat:false RepeatTimes:0 Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 EnableTun:false EnableNetDev:false EnableNetReset:false EnableCgroups:false EnableBinfmtMisc:false EnableCloseFds:false UseTmpDir:false HandleSegv:false Repro:false Trace:false}
>>>>> r0 = io_uring_setup(0x378, &(0x7f00000000c0))
>>>>> sendmsg$SEG6_CMD_SET_TUNSRC(0xffffffffffffffff, &(0x7f0000000240)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x40000000}, 0xc, 0x0, 0x1, 0x0, 0x0, 0x10}, 0x800)
>>>>> io_uring_register$IORING_REGISTER_BUFFERS(r0, 0x0, &(0x7f0000000000), 0x1)
>>>>> ----
>>>>>
>>>>> ... I'm a bit worried that opens up a trivial DoS.
>>>>>
>>>>> Thoughts?
>>>>
>>>> Can you post the patch you used?
>>>
>>> Diff below.
>>
>> And the reproducer, that was never posted.
>
> It was; the "Syzkaller reproducer" above is the reproducer I used with
> syz-repro.
>
> I've manually minimized that to C below.
> AFAICT, that hits a leak, which
> is what's triggering the OOM after the program is run a number of times
> with the previously posted kvmalloc patch.
>
> Per /proc/meminfo, that memory isn't accounted anywhere.
>
>> Patch looks fine to me. Note
>> that buffer registration is under the protection of RLIMIT_MEMLOCK.
>> That's usually very limited for non-root, as root you can of course
>> consume as much as you want and OOM the system.
>
> Sure.
>
> As above, it looks like there's a leak, regardless.

The leak is that we're not releasing imu->bvec in case of error. I fixed
a missing kfree -> kvfree as well in your patch, with this rolled up
version it works for me.

diff --git a/fs/io_uring.c b/fs/io_uring.c index 18cecb6a0151..3e817d40fb96 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -2443,7 +2443,7 @@ static int io_sqe_buffer_unregister(struct io_ring_ctx *ctx) if (ctx->account_mem) io_unaccount_mem(ctx->user, imu->nr_bvecs); - kfree(imu->bvec); + kvfree(imu->bvec); imu->nr_bvecs = 0; } @@ -2533,11 +2533,11 @@ static int io_sqe_buffer_register(struct io_ring_ctx *ctx, void __user *arg, ret = 0; if (!pages || nr_pages > got_pages) { - kfree(vmas); - kfree(pages); - pages = kmalloc_array(nr_pages, sizeof(struct page *), + kvfree(vmas); + kvfree(pages); + pages = kvmalloc_array(nr_pages, sizeof(struct page *), GFP_KERNEL); - vmas = kmalloc_array(nr_pages, + vmas = kvmalloc_array(nr_pages, sizeof(struct vm_area_struct *), GFP_KERNEL); if (!pages || !vmas) { @@ -2549,7 +2549,7 @@ static int io_sqe_buffer_register(struct io_ring_ctx *ctx, void __user *arg, got_pages = nr_pages; } - imu->bvec = kmalloc_array(nr_pages, sizeof(struct bio_vec), + imu->bvec = kvmalloc_array(nr_pages, sizeof(struct bio_vec), GFP_KERNEL); ret = -ENOMEM; if (!imu->bvec) { @@ -2588,6 +2588,7 @@ static int io_sqe_buffer_register(struct io_ring_ctx *ctx, void __user *arg, } if (ctx->account_mem) io_unaccount_mem(ctx->user, nr_pages); + kvfree(imu->bvec); goto err; }
@@ -2610,12 +2611,12 @@ static int io_sqe_buffer_register(struct io_ring_ctx *ctx, void __user *arg, ctx->nr_user_bufs++; } - kfree(pages); - kfree(vmas); + kvfree(pages); + kvfree(vmas); return 0; err: - kfree(pages); - kfree(vmas); + kvfree(pages); + kvfree(vmas); io_sqe_buffer_unregister(ctx); return ret; } -- Jens Axboe
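
Review bot: in the @@ -2588,6 +2588,7 @@ hunk of io_sqe_buffer_register(), the added kvfree(imu->bvec) before goto err leaves imu->bvec pointing at freed memory, and the err: label then calls io_sqe_buffer_unregister(ctx), which itself does kvfree(imu->bvec) on the buffers it walks. That is safe only if the walk stops at ctx->nr_user_bufs, which the later context shows being incremented past this failure point; setting imu->bvec = NULL right after the new kvfree() would rule out a double free regardless of how the unregister loop is bounded. The leak fix is also independent of the kmalloc to kvmalloc conversion and would be easier to backport as its own patch with its own changelog.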
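
Review bot: in the @@ -2549,7 +2549,7 @@ hunk, imu->bvec moves to kvmalloc_array() but keeps plain GFP_KERNEL, and unlike pages and vmas it stays allocated until io_sqe_buffer_unregister(). With the vmalloc fallback an nr_pages-sized request derived from the user's buffer no longer fails at the contiguous allocation limit, and the memlock accounting visible in this diff is applied only under if (ctx->account_mem). Consider GFP_KERNEL_ACCOUNT for this long-lived allocation so it is charged to the caller's memory cgroup, which bears on the "isn't accounted anywhere" observation quoted in the thread.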