Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp1497328rwl; Wed, 5 Apr 2023 18:58:49 -0700 (PDT) X-Google-Smtp-Source: AKy350bI6Jwdp4BZyWmvh/pg8q61qTme0WfSaAp/N3629Jex9AVrjRBiUK90OCfjwxu6h4/P/Jdq X-Received: by 2002:aa7:d74f:0:b0:4fb:999:e04c with SMTP id a15-20020aa7d74f000000b004fb0999e04cmr3308318eds.38.1680746329456; Wed, 05 Apr 2023 18:58:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1680746329; cv=none; d=google.com; s=arc-20160816; b=XaiwAAScfVkV7K/x30t7vJIYtWiHwdr7DPEf/VIV6z2W6q5rhvWg+Kv8twJ3+h7PeJ zb7+Pfs0YYj+3tyP9U1bs5XRp+uKqV3W/Hzl37T5ZNGHWlU02Jvu0CEoP/JTf0sganQz SJyGSNbQmxVXPiqVkXZu+YTjH/p9HZcKYixONAO+yVhr6ofEIzg8g/yckDsyi8E4tHfD vul/Np5PIddUz79xRvrMRtI8wi40xE88tH6I0aEfE2KPug2PNstDdXAsumTIAbshvyax ZHiC8Kjc9n1PfGln1jRI9ZoilHKaMnKnouiqOPTtID9gBeB9COa0rOTK40MKmjNYQfyh G1Bg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date :dkim-signature; bh=645s639VWaW0gE0UgAXUV1IewGhosCVfrsLD8Zy8VWQ=; b=0cbcwAv1iX23z9aVTScmuRFe8LrpL3j6RU2klQZba/Z49/rzrp9DcQ9TTOgEepnyDI u4Yq7Cpk2WV3crx76weetHGLuC3r0rXkDA0Y+TbiOqoubsRHctkwZ8SOGIF4D5H+dEz4 7aSrjf4C6LSgzO+Q8H/mHD0u3Z4w5kESg4vr912h5ebfdA2Uo9L9U6CWCR2ikp3KQy5M x4UOIyDKXJeiF/HCri73w3D3wpzs60OC0XGbnZNX7pyoPYjStgGFh4DYj51hyCudFJ1X d+/nM49M8i5GJebTNcrrrcxRp0HJcFiI+QzWLZC5as9+YpSe/G5sNzQ97fkvTKZ95SEb XSBw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=korg header.b=kuo7uiXV; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id d16-20020a056402079000b00501e22f86cbsi172221edy.245.2023.04.05.18.58.24; Wed, 05 Apr 2023 18:58:49 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=korg header.b=kuo7uiXV; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231444AbjDFB4y (ORCPT + 99 others); Wed, 5 Apr 2023 21:56:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57806 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229608AbjDFB4x (ORCPT ); Wed, 5 Apr 2023 21:56:53 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8F8BEA9 for ; Wed, 5 Apr 2023 18:56:52 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 29CF7618D1 for ; Thu, 6 Apr 2023 01:56:52 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3B921C433EF; Thu, 6 Apr 2023 01:56:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linux-foundation.org; s=korg; t=1680746211; bh=NfVX/6hHzwCtO9HI9+XPZetTVkhGP+gQgPt3MPubcPk=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=kuo7uiXVaEjL4NGKpZ/ikc8NnyHxIM22q0eFCcPGmhranX/JO3hTSRGZf2Y8eEAQL VeKbZ2PDbfGbh0icOYaML7+71C3fqLRioDIOS7pritKeZtSAR8+wIwuQf3gvJITAvP mqDuEA+9mr/JJYl9mwWQGzkpkpbTYxsZ9929/Hw8= Date: Wed, 5 Apr 2023 18:56:50 -0700 From: Andrew Morton To: jaewon31.kim@samsung.com Cc: "jstultz@google.com" , "tjmercier@google.com" , "sumit.semwal@linaro.org" , "daniel.vetter@ffwll.ch" , "hannes@cmpxchg.org" , "mhocko@kernel.org" , "linux-mm@kvack.org" , "linux-kernel@vger.kernel.org" , "jaewon31.kim@gmail.com" Subject: Re: [PATCH v2] dma-buf/heaps: system_heap: Avoid DoS by limiting single allocations to half of all memory Message-Id: <20230405185650.239f9721f066aa480e83d543@linux-foundation.org> In-Reply-To: <20230406014419epcms1p3f285b6e3fdbb1457db1bcbaab9e863be@epcms1p3> References: <20230405172524.e25b62e1c548a95564b1d324@linux-foundation.org> <20230406000854.25764-1-jaewon31.kim@samsung.com> <20230406014419epcms1p3f285b6e3fdbb1457db1bcbaab9e863be@epcms1p3> X-Mailer: Sylpheed 3.7.0 (GTK+ 2.24.33; x86_64-pc-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-6.6 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 06 Apr 2023 10:44:19 +0900 Jaewon Kim wrote: > >> ... > >> > >> --- a/drivers/dma-buf/heaps/system_heap.c > >> +++ b/drivers/dma-buf/heaps/system_heap.c > >> @@ -351,6 +351,9 @@ static struct dma_buf *system_heap_allocate(struct dma_heap *heap, > >> struct page *page, *tmp_page; > >> int i, ret = -ENOMEM; > >> > >> + if (len / PAGE_SIZE > totalram_pages() / 2) > >> + return ERR_PTR(-ENOMEM); > >> + > > > >This seems so random. Why ram/2 rather than ram/3 or 17*ram/35? > > Hello > > Thank you for your comment. > > I just took the change from the old ion driver code, and actually I thought the > half of all memory is unrealistic. It could be unwanted size like negative, > or too big size which incurs slowness or OoM panic. > > > > >Better behavior would be to try to allocate what the caller asked > >for and if that doesn't work out, fail gracefully after freeing the > >partial allocations which have been performed thus far. If dma_buf > >is changed to do this then that change is useful in many scenarios other > >than this crazy corner case. > > I think you would like __GFP_RETRY_MAYFAIL. Actually T.J. Mercier recommended > earlier, here's what we discussed. > https://lore.kernel.org/linux-mm/20230331005140epcms1p1ac5241f02f645e9dbc29626309a53b24@epcms1p1/ > > I just worried about a case in which we need oom kill to get more memory but > let me change my mind. That case seems to be rare. I think now it's time when > we need to make a decision and not to allow oom kill for dma-buf system heap > allocations. > > But I still want to block that huge size over ram. For an unavailabe size, > I think, we don't have to do memory reclaim or killing processes, and we can > avoid freezing screen in user perspecitve. > > This is eventually what I want. Can we check totalram_pages and and apply > __GFP_RETRY_MAYFAIL? > > --- a/drivers/dma-buf/heaps/system_heap.c > +++ b/drivers/dma-buf/heaps/system_heap.c > @@ -41,7 +41,7 @@ struct dma_heap_attachment { > bool mapped; > }; > > -#define LOW_ORDER_GFP (GFP_HIGHUSER | __GFP_ZERO | __GFP_COMP) > +#define LOW_ORDER_GFP (GFP_HIGHUSER | __GFP_ZERO | __GFP_COMP | __GFP_RETRY_MAYFAIL) > #define MID_ORDER_GFP (LOW_ORDER_GFP | __GFP_NOWARN) > #define HIGH_ORDER_GFP (((GFP_HIGHUSER | __GFP_ZERO | __GFP_NOWARN \ > | __GFP_NORETRY) & ~__GFP_RECLAIM) \ > @@ -351,6 +351,9 @@ static struct dma_buf *system_heap_allocate(struct dma_heap *heap, > struct page *page, *tmp_page; > int i, ret = -ENOMEM; > > + if (len / PAGE_SIZE > totalram_pages()) > + return ERR_PTR(-ENOMEM); We're catering for a buggy caller here, aren't we? Are such large requests ever reasonable? How about we decide what's the largest reasonable size and do a WARN_ON(larger-than-that), so the buggy caller gets fixed?