Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp3596076iog; Tue, 21 Jun 2022 01:54:42 -0700 (PDT) X-Google-Smtp-Source: AGRyM1ujleK8Np0z1bnlA3pqB3jP8fYjzDLzTH7+wOvM3qhYcvdhGci10KeSCsUDEwlg+X+oDDy9 X-Received: by 2002:a17:906:7286:b0:722:d847:1fe4 with SMTP id b6-20020a170906728600b00722d8471fe4mr4754775ejl.586.1655801682575; Tue, 21 Jun 2022 01:54:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1655801682; cv=none; d=google.com; s=arc-20160816; b=JkEwxkAJQLhTBEdXjU6kVl1I1dOAGDc0LBav6CflDB/zM9ctMULDCMjeYZQdCmsZ6i +CyzUoDPLtqThznrAWHlI6f4pmYQ88554eC7BPEm5KCn9Gyt8eBZwveo/ZdSOjs4re+2 WOIdz+lbV1fvLrzL20C3ztfO8S218fGUXpBXVI+chBSEoN84zSU6EC5+YeMGXXWAwlGh aMr5Io+DETktQeVTrHGgyeNVxOgCT5+5YpYj5QAAZ1X2pAyJRQP1J010KwvQ95JuN9Ys TMVU1p0A7vhu/Vs4GZr6sXIX6q1oFdARanzGunJu/RpJ4oeCIiVdk6bC1w6knhlh/not FTVw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=6XMzK7aCM0UELfRs/4KvW4zPouERJ68sOMwvQ09F1bY=; b=OfyLsdaE3doqcI9A1TDJGMlRHHgyYgFPFNjlT408wAP9zTxZN5uufgVKVuealSFe/+ 2K7KJUjIVpPVv1Oz2Tuerjm6GZ9XV7PzLtZSudH9cXE8IHjGeLnquNIL61Qehzigamfd 9I9UPQWPMhBjKOpnHwrtgc8UZ8ptY+RucJ8qdv8KFjKyQeenWiFVDmBGB1b7KXEat4PA DO77wJbVNew3jHUTfJP7a52u7IeQbL1ju8MEJWJX7dh5I8WS89O2ejd6EZMnCQ6FFWT1 56PamzZKQD0vVWtF7rORdjQ3aCsmKHv0gyFtdJIIh3yx0WcCX0WevjKhM38Z5p4WabLj Cgbw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id 3-20020a170906100300b00722e55c8275si949711ejm.746.2022.06.21.01.54.17; Tue, 21 Jun 2022 01:54:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343867AbiFUIVG (ORCPT + 99 others); Tue, 21 Jun 2022 04:21:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39722 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1348745AbiFUIUt (ORCPT ); Tue, 21 Jun 2022 04:20:49 -0400 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 41FC1201A9 for ; Tue, 21 Jun 2022 01:20:48 -0700 (PDT) Received: from canpemm500002.china.huawei.com (unknown [172.30.72.54]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4LRztz0GP0zkWL0; Tue, 21 Jun 2022 16:19:07 +0800 (CST) Received: from [10.174.177.76] (10.174.177.76) by canpemm500002.china.huawei.com (7.192.104.244) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Tue, 21 Jun 2022 16:20:17 +0800 Subject: Re: [PATCH v2 1/3] mm/swapfile: make security_vm_enough_memory_mm() work as expected To: "Huang, Ying" CC: , , , References: <20220608144031.829-1-linmiaohe@huawei.com> <20220608144031.829-2-linmiaohe@huawei.com> <87r13jrdst.fsf@yhuang6-desk2.ccr.corp.intel.com> <87letqpzm1.fsf@yhuang6-desk2.ccr.corp.intel.com> <463fe0cd-504a-f887-0201-691bacd9e69d@huawei.com> <87pmj2ea3g.fsf@yhuang6-desk2.ccr.corp.intel.com> From: Miaohe Lin Message-ID: Date: Tue, 21 Jun 2022 16:20:17 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0 MIME-Version: 1.0 In-Reply-To: <87pmj2ea3g.fsf@yhuang6-desk2.ccr.corp.intel.com> Content-Type: text/plain; charset="windows-1252" Content-Language: en-US Content-Transfer-Encoding: 7bit X-Originating-IP: [10.174.177.76] X-ClientProxiedBy: dggems706-chm.china.huawei.com (10.3.19.183) To canpemm500002.china.huawei.com (7.192.104.244) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2022/6/21 15:42, Huang, Ying wrote: > Miaohe Lin writes: > >> On 2022/6/21 9:35, Huang, Ying wrote: >>> Miaohe Lin writes: >>> >>>> On 2022/6/20 15:31, Huang, Ying wrote: >>>>> Miaohe Lin writes: >>>>> >>>>>> security_vm_enough_memory_mm() checks whether a process has enough memory >>>>>> to allocate a new virtual mapping. And total_swap_pages is considered as >>>>>> available memory while swapoff tries to make sure there's enough memory >>>>>> that can hold the swapped out memory. But total_swap_pages contains the >>>>>> swap space that is being swapoff. So security_vm_enough_memory_mm() will >>>>>> success even if there's no memory to hold the swapped out memory because >>>>>> total_swap_pages always greater than or equal to p->pages. >>>>> >>>>> Per my understanding, swapoff will not allocate virtual mapping by >>>>> itself. But after swapoff, the overcommit limit could be exceeded. >>>>> security_vm_enough_memory_mm() is used to check that. For example, in a >>>>> system with 4GB memory and 8GB swap, and 10GB is in use, >>>>> >>>>> CommitLimit: 4+8 = 12GB >>>>> Committed_AS: 10GB >>>>> >>>>> security_vm_enough_memory_mm() in swapoff() will fail because >>>>> 10+8 = 18 > 12. This is expected because after swapoff, the overcommit >>>>> limit will be exceeded. >>>>> >>>>> If 3GB is in use, >>>>> >>>>> CommitLimit: 4+8 = 12GB >>>>> Committed_AS: 3GB >>>>> >>>>> security_vm_enough_memory_mm() in swapoff() will succeed because >>>>> 3+8 = 11 < 12. This is expected because after swapoff, the overcommit >>>>> limit will not be exceeded. >>>> >>>> In OVERCOMMIT_NEVER scene, I think you're right. >>>> >>>>> >>>>> So, what's the real problem of the original implementation? Can you >>>>> show it with an example as above? >>>> >>>> In OVERCOMMIT_GUESS scene, in a system with 4GB memory and 8GB swap, and 10GB is in use, >>>> pages below is 8GB, totalram_pages() + total_swap_pages is 12GB, so swapoff() will succeed >>>> instead of expected failure because 8 < 12. The overcommit limit is always *ignored* in the >>>> below case. >>>> >>>> if (sysctl_overcommit_memory == OVERCOMMIT_GUESS) { >>>> if (pages > totalram_pages() + total_swap_pages) >>>> goto error; >>>> return 0; >>>> } >>>> >>>> Or am I miss something? >>> >>> Per my understanding, with OVERCOMMIT_GUESS, the number of in-use pages >>> isn't checked at all. The only restriction is that the size of the >>> virtual mapping created should be less than total RAM + total swap >> >> Do you mean the only restriction is that the size of the virtual mapping >> *created every time* should be less than total RAM + total swap pages but >> *total virtual mapping* is not limited in OVERCOMMIT_GUESS scene? If so, >> the current behavior should be sane and I will drop this patch. > > Yes. This is my understanding. I see. Thank you. > > Best Regards, > Huang, Ying > >> Thanks! >> >>> pages. Because swapoff() will not create virtual mapping, so it's >>> expected that security_vm_enough_memory_mm() in swapoff() always >>> succeeds. >>> >>> Best Regards, >>> Huang, Ying >>> >>>> >>>> Thanks! >>>> >>>>> >>>>>> In order to fix it, p->pages should be retracted from total_swap_pages >>>>>> first and then check whether there's enough memory for inuse swap pages. >>>>>> >>>>>> Signed-off-by: Miaohe Lin >>>>> >>>>> [snip] >>>>> >>>>> . >>>>> >>> >>> . >>> > > . >