Date: Thu, 4 Feb 2021 18:12:56 +0100
From: Michal Hocko
To: Christian König
Cc: LKML
Subject: Re: Possible deny of service with memfd_create()
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu 04-02-21 17:32:20, Christian König wrote:
> Hi Michal,
>
> as requested in the other mail thread the following sample code gets my test
> system down within seconds.
>
> The issue is that the memory allocated for the file descriptor is not
> accounted to the process allocating it, so the OOM killer picks whatever
> process it thinks is good but never my small test program.
>
> Since memfd_create() doesn't need any special permission this is a rather
> nice deny of service and as far as I can see also works with a standard
> Ubuntu 5.4.0-65-generic kernel.

Thanks for following up. This is really nasty but now that I am looking
at it more closely, this is not really different from tmpfs in general.
You are free to create files and eat the memory without being accounted
for that memory because that is not seen as your memory from the system
POV. You would have to map that memory to be part of your rss.

The only existing protection right now is to use the memory cgroup
controller because the tmpfs memory is accounted to the process which
faults the memory in (or writes to the file).

I am not sure there is a good way to handle this in general
unfortunately. Shmem is just tricky (e.g. how do you deal with left
overs after the fd is closed?). Maybe memfd_create can be more clever
and account memory to all owners of the fd but even that sounds far from
trivial from the accounting POV. It is true that tmpfs can at least
control who can write to it which is not the case for memfd but then we
hit the backward compatibility wall.

--
Michal Hocko
SUSE Labs
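
Because memfd pages do not show up in the RSS of the process that holds them, an administrator triaging memory pressure has to look at open file descriptors instead. The following is an added example, not code from this thread: it walks /proc/<pid>/fd, picks out memfd links and ranks processes by the memfd memory they keep alive. The function names and the `prefix` parameter are assumptions of this example, and reading other users' fd directories requires root.

```python
import os
from collections import defaultdict

def scan_memfds(proc_root="/proc", prefix="/memfd:"):
    """Map pid -> [(name, size, allocated, inode_key)] for each open memfd.

    prefix is what readlink() on /proc/<pid>/fd/<n> returns for a memfd;
    it is a parameter only so the scan can run against a constructed tree.
    """
    holders = defaultdict(list)
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:              # process exited, or not ours to read
            continue
        for fd in fds:
            link = os.path.join(fd_dir, fd)
            try:
                target = os.readlink(link)
                if not target.startswith(prefix):
                    continue
                st = os.stat(link)   # follows the link to the shmem inode
            except OSError:
                continue
            # st_blocks counts 512-byte units actually backed by pages;
            # st_size alone overstates a sparse (ftruncate-only) file.
            holders[int(entry)].append(
                (target[len(prefix):], st.st_size, st.st_blocks * 512,
                 (st.st_dev, st.st_ino)))
    return dict(holders)

def rank_holders(holders):
    """Allocated memfd bytes per pid, largest first.

    An inode is counted once per pid (dup'ed fds), but in full for every
    pid that holds it: each holder keeps the pages alive.
    """
    totals = {}
    for pid, files in holders.items():
        per_inode = {key: alloc for _, _, alloc, key in files}
        totals[pid] = sum(per_inode.values())
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for pid, total in rank_holders(scan_memfds())[:10]:
        print(f"{pid:>8}  {total / 2**20:10.1f} MiB held in memfds")
```

Comparing the top entries against each process's RSS shows the gap the thread describes: a small-RSS process holding a large memfd total is one the OOM killer's scoring will not pick.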