Received: by 2002:a05:6358:e9c4:b0:b2:91dc:71ab with SMTP id hc4csp801823rwb; Thu, 4 Aug 2022 11:07:55 -0700 (PDT) X-Google-Smtp-Source: AA6agR4q6eDP1zQeI784w2z0qXnTlPT+8Vt8/0w102s24xN+g9a2SAmePh0CJ7JZsp4Pb2fWnzIa X-Received: by 2002:a17:903:40c9:b0:16f:68b:fff7 with SMTP id t9-20020a17090340c900b0016f068bfff7mr3022530pld.29.1659636475464; Thu, 04 Aug 2022 11:07:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1659636475; cv=none; d=google.com; s=arc-20160816; b=b+qFu/t3Mlx2BprDYH0NZJh/BkaZFnq7H5qbBkrtT/Aghk2Y+pEFHuIMQxGvzBM0uz Ng9TNrHGNwsG8kN97GfjGbOsoKt0/b6U6iiu3YMQ8D5bs0yUDPqYl6lPakOjVO908jar 9BApZHmyHequ2ha/ITmj8dfWUi9xpd8cQF7BCmD9I8CQmwAdWEzlFS/OKYChW0z7uzZy C9QhEmMnO2IdTKLwzGqgsnXWNHql2prrfT/fFr1tx9KK0d+f2LDdqWf4Hp6L0wRPd7x4 gBX7atakPv2HAuksnaOU/kNQfH5vlTfgvy3nYIZb8ZRsx81npDXf8U6QUrJbcVZeo8dC U8ug== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=5PGSzs/RHLl4IHT0dS6eKTXoAtufKMWNCxKjyskNDOc=; b=co8uRzcxVjwoeUdN6tlQ7/rtT4ChKtzcZ2L9rMTeTE5j1bcrjQQKVEDUgNXH6wJ45V yT4QmqXKyNIj5FbYlItfftdm7N1PAA/cNu0P05Tjfys4pxD0qAkYRWLgJHj5z0a2vE0m u9HnQjGTgIO34/TfkoMs00k3Mmhx84uuLRV5CWaiNZKeSpCJI32ZMDaYvN8HzTKEytjO Zhv5QzbRN6XSUmdGNToe/h9oUUE3QlnwS7EI3YDuwUnj0mSWv7MdjyXeaCSIrsdl/gM5 1WIPrRFNDv0Yvc4fj/JxJDnu4n7gYmXlV/x8qdLhUCfzoDWMgZZCHsVte9fqCAeRASzE 33rA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=OPwaMWyy; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id k3-20020a654643000000b0041aee1cc298si476446pgr.805.2022.08.04.11.07.41; Thu, 04 Aug 2022 11:07:55 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=OPwaMWyy; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231248AbiHDRq1 (ORCPT + 99 others); Thu, 4 Aug 2022 13:46:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59298 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239321AbiHDRqW (ORCPT ); Thu, 4 Aug 2022 13:46:22 -0400 Received: from mail-pg1-x532.google.com (mail-pg1-x532.google.com [IPv6:2607:f8b0:4864:20::532]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DA74113FAD; Thu, 4 Aug 2022 10:46:19 -0700 (PDT) Received: by mail-pg1-x532.google.com with SMTP id 73so501664pgb.9; Thu, 04 Aug 2022 10:46:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=5PGSzs/RHLl4IHT0dS6eKTXoAtufKMWNCxKjyskNDOc=; b=OPwaMWyyNWcKS4pX4rm7X/nACsfm6WSTCGj0Nql2nxvhJjSAENVYUJSVSx/ZWKcWDC fPzlypiDbpIfbx2aOR0Kpkk91qu7Zs0gie84iH7ewzB4wbYOFhq4uvxD8p3Xi+pL4J9/ 3HHMOTdNMEW9oK/nCFvD3RYuldtMyO/2BLrMuy4dcSMLOu3bCN9zupX0n9yFrJpwdh0f 6SeX1ncImbKJdqC6DXEcAGqLIdRoxxoIRbfaP6dtBCzy2z7VDFs5JMzymnC2Y/30WWZW 87saak1BeKIT5T17tlgCae/cJy6HD2RCEgYY6lrd3k9OSJGMVeL8p56lqYA+6DmqoLlu R/uA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=5PGSzs/RHLl4IHT0dS6eKTXoAtufKMWNCxKjyskNDOc=; b=7skpDbsggmcoqdUEgqGnWVOkew6TGZJ4sOtNZEeKOHs2IvM+VtiBN/Hx047MR9OFXJ xO/+e00skCQ4PweOCJIGXu8iUsx8ttwRQTLPCV9hF3agDReTz5S1C/oeTvEklzs0wcIo Yz1wUJB3rzdMAuxVMBveQcegKfG0QhSqFE6zFdz1FKPAQuuiZrNSh3SoyIHzbBn0gKyy YH0rQ5vmAEg7KZSsvDlq1fkPrevcDoW+TxPgmse201lcAfLjDZNIGcEZWam7Ip7zZFYH iiAHoCSb1LkpWGCBIToH3KQ7iQf/+0m9MYM/kiWqq9qgCaM/VbGD4N+c0ZkZIhHl3wiD x5+w== X-Gm-Message-State: ACgBeo17+J1jUbGFCPl7Ci5EK1de4Ar3bDYWGkhlZh45lswqQn73X9Ab XMVO0nC/o+quHthmHyYGk4akkRgWOv2tqby5Jdg= X-Received: by 2002:a65:5503:0:b0:41b:bbdc:9a5d with SMTP id f3-20020a655503000000b0041bbbdc9a5dmr2418981pgr.587.1659635179149; Thu, 04 Aug 2022 10:46:19 -0700 (PDT) MIME-Version: 1.0 References: <20220801210946.3069083-1-zokeefe@google.com> In-Reply-To: From: Yang Shi Date: Thu, 4 Aug 2022 10:46:06 -0700 Message-ID: Subject: Re: [PATCH mm-unstable] mm/madvise: remove CAP_SYS_ADMIN requirement for process_madvise(MADV_COLLAPSE) To: "Zach O'Keefe" Cc: Michal Hocko , linux-mm@kvack.org, Andrew Morton , linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, Axel Rasmussen , James Houghton , Hugh Dickins , Miaohe Lin , David Hildenbrand , David Rientjes , Matthew Wilcox , Pasha Tatashin , Peter Xu , Rongwei Wang , SeongJae Park , Song Liu , Vlastimil Babka , Zi Yan , Andrea Arcangeli , Arnd Bergmann , Chris Kennelly , Chris Zankel , Helge Deller , Ivan Kokshaysky , "James E.J. Bottomley" , Jens Axboe , "Kirill A. Shutemov" , Matt Turner , Max Filippov , Minchan Kim , Patrick Xia , Pavel Begunkov , Thomas Bogendoerfer Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-1.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT, FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Aug 2, 2022 at 12:43 PM Zach O'Keefe wrote: > > On Tue, Aug 2, 2022 at 5:04 AM Michal Hocko wrote: > > > > On Tue 02-08-22 02:48:33, Zach O'Keefe wrote: > > [...] > > > "mm/madvise: add MADV_COLLAPSE to process_madvise()" in the v7 series > > > ended with me mentioning a couple options, but ultimately I didn't > > > present a solution, and no consensus was reached[1]. After taking a > > > closer look, this is my proposal for what I believe to be the best > > > path forward. It should be squashed into the original patch. What do you think? > > > > If it is agreed that the CAP_SYS_ADMIN is too strict of a requirement > > then yes, this should be squashed into the original patch. There is no > > real reason to create a potential bisection headache by changing the > > permission model in a later patch. > > Sorry about the confusion here. Assumed (incorrectly) that Andrew > would kindly squash this in mm-unstable since I added the Fixes: tag. > Next time I'll add some explicit verbiage saying it should be > squashed. > > > From my POV, I would agree that CAP_SYS_ADMIN is just too strict of a > > requirement. > > > > I didn't really have time to follow recent discussions but I would argue > > that the operation is not really destructive or seriously harmful. All > > applications can already have their memory (almost) equally THP > > collapsed by khupaged with the proposed process_madvise semantic. > > > > NOHUGEMEM and prctl opt out from THP are both honored AFAIU and the only > > difference is the global THP killswitch behavior which I do not think > > warrants the strongest CAP_SYS_ADMIN capability (especially because it > > doesn't really control all kinds of THPs). > > Ya. In fact, I don't think the ignoring the THP sysfs controls > warrants any additional capability (set alone CAPS_SYS_ADMIN), since a > malicious program can't really inflict any more damage than they would > with CAP_SYS_NICE and PTRACE_MODE_READ. > > > If there is a userspace agent collapsing memory and causing problems > > then it can be easily fixed in the userspace. And I find that easier > > to do than putting the bar so high that userspace agents would be > > unfeasible because of CAP_SYS_ADMIN (which is nono in many cases as it > > would allow essentially full control of other stuff). So from practical > > POV, risking an extended RSS is really a negligible risk to lose a > > potentially useful feature for all others. > > > > Agreed. +1 > > Thanks for taking the time, Michal! > Zach > > > > Just my 2c > > > > > Thanks again, > > > Zach > > > > > > [1] https://lore.kernel.org/linux-mm/Ys4aTRqWIbjNs1mI@google.com/ > > > > -- > > Michal Hocko > > SUSE Labs