From: Suren Baghdasaryan
Date: Tue, 22 Feb 2022 07:56:53 -0800
Subject: Re: [PATCH 2/3] mm: prevent vm_area_struct::anon_name refcount saturation
To: Michal Hocko
Cc: akpm@linux-foundation.org, ccross@google.com, sumit.semwal@linaro.org,
 dave.hansen@intel.com, keescook@chromium.org, willy@infradead.org,
 kirill.shutemov@linux.intel.com, vbabka@suse.cz, hannes@cmpxchg.org,
 ebiederm@xmission.com, brauner@kernel.org, legion@kernel.org,
 ran.xiaokai@zte.com.cn, sashal@kernel.org, chris.hyser@oracle.com,
 dave@stgolabs.net, pcc@google.com, caoxiaofeng@yulong.com, david@redhat.com,
 gorcunov@gmail.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org,
 kernel-team@android.com

On Tue, Feb 22, 2022 at 1:17 AM Michal Hocko wrote:
>
> On Mon 21-02-22 21:40:24, Suren Baghdasaryan wrote:
> > A deep process chain with many vmas could grow really high.
>
> This would really benefit from some numbers. With default
> sysctl_max_map_count (64k) and default pid_max (32k) the INT_MAX could
> be theoretically reached but I find it impractical because not all vmas
> can be anonymous same as all available pids can be consumed for a
> theoretical attack (if my counting is proper).
> On the other hand any non-default configuration with any of the values
> increased could hit this theoretically.

re: This would really benefit from some numbers
Should I just add the details you provided above into the description?
Would that suffice?

> > > kref > > refcounting interface used in anon_vma_name structure will detect > > a counter overflow when it reaches REFCOUNT_SATURATED value but will > > only generate a warning about broken refcounting. > > To ensure anon_vma_name refcount does not overflow, stop anon_vma_name > > sharing when the refcount reaches INT_MAX, which still leaves INT_MAX/2 > > values before the counter reaches REFCOUNT_SATURATED. This should provide > > enough headroom for raising the refcounts temporarily. > > > > Suggested-by: Michal Hocko > > Signed-off-by: Suren Baghdasaryan > > --- > > include/linux/mm_inline.h | 18 ++++++++++++++---- > > mm/madvise.c | 3 +-- > > 2 files changed, 15 insertions(+), 6 deletions(-) > > > > diff --git a/include/linux/mm_inline.h b/include/linux/mm_inline.h > > index 70b619442d56..b189e2638843 100644 > > --- a/include/linux/mm_inline.h > > +++ b/include/linux/mm_inline.h 
> > @@ -156,15 +156,25 @@ static inline void anon_vma_name_get(struct anon_vma_name *anon_name) > > > > extern void anon_vma_name_put(struct anon_vma_name *anon_name); > > > > +static inline > > +struct anon_vma_name *anon_vma_name_reuse(struct anon_vma_name *anon_name) > > +{ > > + /* Prevent anon_name refcount saturation early on */ > > + if (kref_read(&anon_name->kref) < INT_MAX) { > > REFCOUNT_MAX seems to be defined by the kref framework. Ah, indeed. I missed that. Will change to use it. > > Other than that looks good to me. Thanks for the review! > > > + anon_vma_name_get(anon_name); > > + return anon_name; > > + > > + } > > + return anon_vma_name_alloc(anon_name->name); > > +} > > + > > static inline void dup_vma_anon_name(struct vm_area_struct *orig_vma, > > struct vm_area_struct *new_vma) > > { > > struct anon_vma_name *anon_name = vma_anon_name(orig_vma); > > > > - if (anon_name) { > > - anon_vma_name_get(anon_name); > > - new_vma->anon_name = anon_name; > > - } > > + if (anon_name) > > + new_vma->anon_name = anon_vma_name_reuse(anon_name); > > } > > > > static inline void free_vma_anon_name(struct vm_area_struct *vma) > > diff --git a/mm/madvise.c b/mm/madvise.c > > index f81d62d8ce9b..a395884aeecb 100644 > > --- a/mm/madvise.c > > +++ b/mm/madvise.c > > @@ -122,8 +122,7 @@ static int replace_vma_anon_name(struct vm_area_struct *vma, > > if (anon_vma_name_eq(orig_name, anon_name)) > > return 0; > > > > - anon_vma_name_get(anon_name); > > - vma->anon_name = anon_name; > > + vma->anon_name = anon_vma_name_reuse(anon_name); > > anon_vma_name_put(orig_name); > > > > return 0; > > -- > > 2.35.1.473.g83b2b277ed-goog > > -- > Michal Hocko > SUSE Labs
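
Review bot: in the include/linux/mm_inline.h hunk, the fallback `return anon_vma_name_alloc(anon_name->name);` in anon_vma_name_reuse() can yield NULL when the allocation fails, and dup_vma_anon_name() stores that result straight into new_vma->anon_name, so under memory pressure a copied VMA silently loses its name. Either document that dropping the name is acceptable on this path or give the caller a way to see the failure. The `kref_read()` check followed by `anon_vma_name_get()` is also not atomic; a comment saying that the headroom below REFCOUNT_SATURATED described in the commit message is what makes that window tolerable would help the next reader. There is a stray empty `+` line before the closing brace of the if block.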
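
Review bot: in the mm/madvise.c hunk, `vma->anon_name = anon_vma_name_reuse(anon_name);` is followed by `anon_vma_name_put(orig_name);` and `return 0;` with no check of the result. When the refcount limit is hit and the fallback allocation fails, the VMA ends up with a NULL name, the reference to the old name is dropped, and replace_vma_anon_name() still reports success. Check the return value before dropping orig_name and return -ENOMEM on failure so the existing name is preserved.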