References: <3b922aa4-c6d4-e4a4-766d-f324ff77f7b5@linux.com> <40f8b7d8-fafa-ad99-34fb-9c63e34917e2@redhat.com>
In-Reply-To: <40f8b7d8-fafa-ad99-34fb-9c63e34917e2@redhat.com>
From: John Stultz
Date: Wed, 24 Jul 2019 13:18:47 -0700
Subject: Re: Limits for ION Memory Allocator
To: Laura Abbott
Cc: alex.popov@linux.com, Sumit Semwal, Greg Kroah-Hartman,
    Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes,
    Christian Brauner, Riley Andrews, driverdevel,
    "moderated list:DMA BUFFER SHARING FRAMEWORK", linux-arm-kernel,
    dri-devel, LKML, Brian Starkey, Daniel Vetter, Mark Brown,
    Benjamin Gaignard, Linux-MM, Dmitry Vyukov, Andrey Konovalov,
    syzkaller, Hridya Valsaraju, Alistair Delva
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jul 24, 2019 at 12:36 PM Laura Abbott wrote:
>
> On 7/17/19 12:31 PM, Alexander Popov wrote:
> > Hello!
> >
> > The syzkaller [1] has a trouble with fuzzing the Linux kernel with ION Memory
> > Allocator.
> >
> > Syzkaller uses several methods [2] to limit memory consumption of the userspace
> > processes calling the syscalls for testing the kernel:
> >  - setrlimit(),
> >  - cgroups,
> >  - various sysctl.
> > But these methods don't work for ION Memory Allocator, so any userspace process
> > that has access to /dev/ion can bring the system to the out-of-memory state.
> >
> > An example of a program doing that:
> >
> >
> > #include <stdio.h>
> > #include <sys/types.h>
> > #include <sys/stat.h>
> > #include <fcntl.h>
> > #include <sys/ioctl.h>
> > #include <linux/types.h>
> >
> > #define ION_IOC_MAGIC		'I'
> > #define ION_IOC_ALLOC		_IOWR(ION_IOC_MAGIC, 0, \
> > 				      struct ion_allocation_data)
> >
> > struct ion_allocation_data {
> > 	__u64 len;
> > 	__u32 heap_id_mask;
> > 	__u32 flags;
> > 	__u32 fd;
> > 	__u32 unused;
> > };
> >
> > int main(void)
> > {
> > 	unsigned long i = 0;
> > 	int fd = -1;
> > 	struct ion_allocation_data data = {
> > 		.len = 0x13f65d8c,
> > 		.heap_id_mask = 1,
> > 		.flags = 0,
> > 		.fd = -1,
> > 		.unused = 0
> > 	};
> >
> > 	fd = open("/dev/ion", 0);
> > 	if (fd == -1) {
> > 		perror("[-] open /dev/ion");
> > 		return 1;
> > 	}
> >
> > 	while (1) {
> > 		printf("iter %lu\n", i);
> > 		ioctl(fd, ION_IOC_ALLOC, &data);
> > 		i++;
> > 	}
> >
> > 	return 0;
> > }
> >
> >
> > I looked through the code of ion_alloc() and didn't find any limit checks.
> > Is it currently possible to limit ION kernel allocations for some process?
> >
> > If not, is it a right idea to do that?
> > Thanks!
> >
>
> Yes, I do think that's the right approach. We're working on moving Ion
> out of staging and this is something I mentioned to John Stultz. I don't
> think we've thought too hard about how to do the actual limiting so
> suggestions are welcome.

In part the dmabuf heaps allow for separate heap devices, so we can
have finer grained permissions to the specific heaps. But that
doesn't provide any controls on how much memory one process could
allocate using the device if it has permission.

I suspect the same issue is present with any of the dmabuf exporters
(gpu/display drivers, etc), so this is less of an ION/dmabuf heap issue
and more of a dmabuf core accounting issue.

Another practical complication is that with Android these days, I
believe the gralloc code lives in the HIDL-ized
android.hardware.graphics.allocator@2.0-service HAL, which does the
buffer allocations on behalf of requests sent over the binder IPC
interface.

So with all dma-buf allocations effectively going through that single
process, I'm not sure we would want to put per-process limits on the
allocator. Instead, I suspect we'd want the memory covered by the
dmabuf to be accounted against processes that have the dmabuf fd still
open?

I know Android has some logic with their memtrack HAL to I believe try
to do accounting of gpu memory against various processes, but I've not
looked at that in detail recently.

Todd/Joel: Any input here?

thanks
-john
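
The accounting question raised in the reply above, as a small user-space model in C (an added example, not part of the original message and not kernel or Android code): it compares charging dma-buf memory to the allocating process with charging it to every process that still holds an fd to the buffer. The pids, inode numbers and sizes are constructed sample data, and the struct and function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model types; every value below is constructed sample data. */
struct dmabuf { unsigned long ino; size_t size; int allocator_pid; };
struct open_fd { int pid; unsigned long ino; }; /* one row per open dma-buf fd */
#define MiB ((size_t)1 << 20)
#define N(a) (sizeof(a) / sizeof((a)[0]))

/* pid 100 models the allocator service; it has closed its own fds already. */
static const struct dmabuf bufs[] = {
    { 11, 8 * MiB, 100 }, { 12, 4 * MiB, 100 }, { 13, 16 * MiB, 100 },
};
/* pids 200 and 300 are clients; 300 holds two fds to buffer 13. */
static const struct open_fd fds[] = {
    { 200, 11 }, { 200, 12 }, { 300, 12 }, { 300, 13 }, { 300, 13 },
};

/* Policy A: charge the process that asked the allocator for the buffer. */
size_t charge_by_allocator(int pid)
{
    size_t total = 0;
    for (size_t i = 0; i < N(bufs); i++)
        if (bufs[i].allocator_pid == pid)
            total += bufs[i].size;
    return total;
}

static int holds(int pid, unsigned long ino)
{
    for (size_t i = 0; i < N(fds); i++)
        if (fds[i].pid == pid && fds[i].ino == ino)
            return 1;
    return 0;
}

/* Policy B: charge every process that still has the buffer open. Duplicate
 * fds in one process count once; shared buffers are charged to each holder. */
size_t charge_by_open_fd(int pid)
{
    size_t total = 0;
    for (size_t i = 0; i < N(bufs); i++)
        if (holds(pid, bufs[i].ino))
            total += bufs[i].size;
    return total;
}

int main(void)
{
    for (int pid = 100; pid <= 300; pid += 100)
        printf("pid %d: by-allocator %zu MiB, by-open-fd %zu MiB\n", pid,
               charge_by_allocator(pid) / MiB, charge_by_open_fd(pid) / MiB);
    return 0;
}
```

Under policy A the whole 28 MiB lands on the allocator service and the clients show nothing, which is why a per-process cap on the allocator would not bound any individual client.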