Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp304404rwl; Thu, 6 Apr 2023 19:46:37 -0700 (PDT) X-Google-Smtp-Source: AKy350YQLLyMDIcYBQ8v9n4BB8XzQLDNzXxSQNY+hCC/h2diYaaktGtIcbSYNIbR/b3D/rcIUjY+ X-Received: by 2002:a17:90b:1e0a:b0:234:bf0:86b9 with SMTP id pg10-20020a17090b1e0a00b002340bf086b9mr715025pjb.25.1680835597186; Thu, 06 Apr 2023 19:46:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1680835597; cv=none; d=google.com; s=arc-20160816; b=BriQWm5apNkGzMJzgi0tGpFEDLCc+DwDozy1RUxcJfFY9WRVw79ntfhHIaA6THzHKa RSU3iujY8K2IOJMbHSGRaHZNilFBbkK0GW6Blli2F4yJaq+XsTNScxi5Q+/gcTJXmO50 Ug0cnQ/Du/5v86SPH8LdR6w7sM3ldMCP0c5tUmd5oZkckjTvYWNuPjedL+KkoXOtB58h R1OvrudpBaTA8/hvU6Fk1GKNf1cZEoBRlTP59XXkgUGMGZTo0cq4fRTjMBUiBW19Xkoh xJ/pkOGKxWGEC6ZXMbqfK8M/ptj/z0Q3j9K4Vy+hANiTG3pkuWXzbkD4zSq9SKR5jVNz 1hCg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:references:dlp-filter:cms-type :content-transfer-encoding:date:message-id:in-reply-to:cc:to:from :sender:reply-to:subject:mime-version:dkim-signature:dkim-filter; bh=Yw6Lk1+TBtc4UyWyZCEUZwXQrCDTyX75toVgvvbCtW8=; b=a+FfgpMlFSZwoJibwMJHc2vi2z0FT78BctWJzPeVpn+L4kdC7cues5XoHgVJTefTE/ bl/j9A7MHRGw5K5svio1fY0iuO+ahwYeRUeMgsIzFSwq783L7DjpK+paM+kHJGa6oCyo 8E4oToa7h/d5xHWP2wJYSZVoJFclSCYhqQXg7yBhY6YD+R8sK+Wu17klU/rHw4uODwX0 iMtsvKvOqF8t2Fxg5YSKYJAQM8zAHcRThEdwHAyJGF92tcEk2MsTmvHqFl92cSkhzuS3 PZNzXBZ7d3lHGEcJCUKy2ZJ2HVMSYyWsn6fjFSvhPNHm1cGsdsjp1xopJ/eyxidfG6KJ zCHA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@samsung.com header.s=mail20170921 header.b=gbNnpOCC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=samsung.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id p1-20020a17090ad30100b00233efa8d3e5si5207429pju.20.2023.04.06.19.46.25; Thu, 06 Apr 2023 19:46:37 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@samsung.com header.s=mail20170921 header.b=gbNnpOCC; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=samsung.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232527AbjDGCYa (ORCPT + 99 others); Thu, 6 Apr 2023 22:24:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59640 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229658AbjDGCY3 (ORCPT ); Thu, 6 Apr 2023 22:24:29 -0400 Received: from mailout2.samsung.com (mailout2.samsung.com [203.254.224.25]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 526D04480 for ; Thu, 6 Apr 2023 19:24:26 -0700 (PDT) Received: from epcas1p2.samsung.com (unknown [182.195.41.46]) by mailout2.samsung.com (KnoxPortal) with ESMTP id 20230407022421epoutp02dcbbdcc6320e7e70bc821b84fe5ab224~ThdrwdGG10769207692epoutp02J for ; Fri, 7 Apr 2023 02:24:21 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 mailout2.samsung.com 20230407022421epoutp02dcbbdcc6320e7e70bc821b84fe5ab224~ThdrwdGG10769207692epoutp02J DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=samsung.com; s=mail20170921; t=1680834261; bh=Yw6Lk1+TBtc4UyWyZCEUZwXQrCDTyX75toVgvvbCtW8=; h=Subject:Reply-To:From:To:CC:In-Reply-To:Date:References:From; b=gbNnpOCC3p7dpslWMfoXxFRiFH66lJloS6UqybuxStG/L1xYcXJsAhX+L/TWsSBXE xRwdPXNX8xaUrehr3onweaALpcAurc/OqCDZeG3Znu9cTb4sL3pSucWFHPg7T1IZq/ dw03s5A5yoJAtaFtYT0lY0z0pOQzRY1kdRNjcBw8= Received: from epsnrtp2.localdomain (unknown [182.195.42.163]) by epcas1p3.samsung.com (KnoxPortal) with ESMTP id 20230407022420epcas1p3b77a3576c3962cd705bb5f686a37b6e5~ThdrP0r_m0936609366epcas1p3l; Fri, 7 Apr 2023 02:24:20 +0000 (GMT) Received: from epsmges1p2.samsung.com (unknown [182.195.38.241]) by epsnrtp2.localdomain (Postfix) with ESMTP id 4Pt2Hm29f6z4x9Pv; Fri, 7 Apr 2023 02:24:20 +0000 (GMT) X-AuditID: b6c32a36-bfdff70000023112-68-642f7ed4303e Received: from epcas1p4.samsung.com ( [182.195.41.48]) by epsmges1p2.samsung.com (Symantec Messaging Gateway) with SMTP id 91.E3.12562.4DE7F246; Fri, 7 Apr 2023 11:24:20 +0900 (KST) Mime-Version: 1.0 Subject: RE: [PATCH v2] dma-buf/heaps: system_heap: Avoid DoS by limiting single allocations to half of all memory Reply-To: jaewon31.kim@samsung.com Sender: Jaewon Kim From: Jaewon Kim To: "T.J. Mercier" , Andrew Morton CC: John Stultz , Jaewon Kim , "sumit.semwal@linaro.org" , "daniel.vetter@ffwll.ch" , "hannes@cmpxchg.org" , "mhocko@kernel.org" , "linux-mm@kvack.org" , "linux-kernel@vger.kernel.org" , "jaewon31.kim@gmail.com" X-Priority: 3 X-Content-Kind-Code: NORMAL In-Reply-To: X-Drm-Type: N,general X-Msg-Generator: Mail X-Msg-Type: PERSONAL X-Reply-Demand: N Message-ID: <20230407022419epcms1p424f1f8a7100aeccac62651ce25cd6140@epcms1p4> Date: Fri, 07 Apr 2023 11:24:19 +0900 X-CMS-MailID: 20230407022419epcms1p424f1f8a7100aeccac62651ce25cd6140 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="utf-8" X-Sendblock-Type: SVC_REQ_APPROVE X-CPGSPASS: Y X-CPGSPASS: Y CMS-TYPE: 101P X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrCJsWRmVeSWpSXmKPExsWy7bCmge6VOv0Ug4ePeSzmrF/DZvHykKbF wod3mS1Wb/K16N48k9Gi9/0rJos/JzayWVzeNYfN4t6a/6wWr78tY7Y4dfczu8W79V/YHHg8 Dr95z+yx99sCFo+ds+6yeyzYVOqxaVUnm8emT5PYPe5c28PmcWLGbxaPvi2rGD0+b5IL4IrK tslITUxJLVJIzUvOT8nMS7dV8g6Od443NTMw1DW0tDBXUshLzE21VXLxCdB1y8wBulpJoSwx pxQoFJBYXKykb2dTlF9akqqQkV9cYquUWpCSU2BWoFecmFtcmpeul5daYmVoYGBkClSYkJ1x sHEva8FDiYoZ+z+zNzC+F+5i5OSQEDCRaD86nw3EFhLYwSixbHZMFyMHB6+AoMTfHcIgprBA icTk3QoQFUoSZ39cYQexhQV0JZq6V7OA2GwC2hLvF0xiBbFFBMIk1vZ8BZrIxcEssIFZYs/B CWwQq3glZrQ/ZYGwpSW2L9/KCGJzCgRKrH22EqpGVOLm6rfsMPb7Y/MZIWwRidZ7Z5khbEGJ Bz93M8LM+XP8OVRvscSyzgdMEHaNxIpzq6Di5hINbyHm8wr4Stzdcxysl0VAVaJn/wuoXS4S LdNugNnMAvIS29/OYQb5nVlAU2L9Ln2IEkWJnb/nMsK80rDxNzs6m1mAT+Ld1x5WmPiOeU+g zlGTaHn2FSouI/H33zPWCYxKsxABPQvJ4lkIixcwMq9iFEstKM5NTy02LDCCR21yfu4mRnDy 1TLbwTjp7Qe9Q4xMHIyHGCU4mJVEeC/X6aUI8aYkVlalFuXHF5XmpBYfYjQFenkis5Rocj4w /eeVxBuaWBqYmBmZWBhbGpspifN+eaqdIiSQnliSmp2aWpBaBNPHxMEp1cA00eT0uo+eGmuq hOSsZjsXFqycEWJoFDrHerWyi5dYaL26w7oObYnFN8QLjD0nnudzN/CJdamesCf9wjo9Feni Bcb9SaX3e97Os5i7p7MnJZ7vrElVyt2Kz80XZOTlPt2Y/njm1kT+w82ejD5lpRqOIo1HbnR7 zbj6KGKD4sTi6G+PlSNbn34+lrLlSL7J0T0KT7Pui5jYVG6+kBOt9+v2/s9bPBMDjW5xyT+J yr9RlbidcYfW882/Mk7f6fcRPfWF6eZmlnP3l95rfnluy5GdkYrJma+Wh749GebPOHPjMxMx u8h/b+5eDw7XqLjZlh48SzYjWrJ3Y3DuIa+D5uYeEzpY/0rpCdlPiToWmaHEUpyRaKjFXFSc CAAMOeu9RwQAAA== DLP-Filter: Pass X-CFilter-Loop: Reflected X-CMS-RootMailID: 20230406000841epcas1p3630010a770682be0f1d540a448f3e00e References: <20230405185650.239f9721f066aa480e83d543@linux-foundation.org> <20230405172524.e25b62e1c548a95564b1d324@linux-foundation.org> <20230406000854.25764-1-jaewon31.kim@samsung.com> <20230406014419epcms1p3f285b6e3fdbb1457db1bcbaab9e863be@epcms1p3> <20230406021712epcms1p216f274040d25d18380668ffbfa809c48@epcms1p2> <20230405200923.9b0dca2165ef3335a0f6b112@linux-foundation.org> <20230406163822.faae6a90b3aa4942df6e7442@linux-foundation.org> X-Spam-Status: No, score=-2.5 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_PASS, SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org >On Thu, Apr 6, 2023 at 4:38?PM Andrew Morton wrote: >> >> On Thu, 6 Apr 2023 16:27:28 -0700 "T.J. Mercier" wrote: >> >> > > When you say "decide what's the largest reasonable size", I think it >> > > is difficult as with the variety of RAM sizes and buffer sizes I don't >> > > think there's a fixed limit. Systems with more ram will use larger >> > > buffers for image/video capture buffers. And yes, you're right that >> > > ram/2-1 in a single allocation is just as broken, but I'm not sure how >> > > to establish a better guard rail. >> > > >> > > thanks >> > > -john >> > >> > I like ENOMEM with the len / PAGE_SIZE > totalram_pages() check and >> > WARN_ON. We know for sure that's an invalid request, and it's pretty >> > cheap to check as opposed to trying a bunch of reclaim before failing. >> >> Well, if some buggy caller has gone and requested eleventy bigabytes of >:) >> memory, doing a lot of reclaiming before failing isn't really a problem >> - we don't want to optimize for this case! >> >The issue I see is that it could delay other non-buggy callers, or >cause reclaim that wouldn't have happened if we just outright rejected >a known-bad allocation request from the beginning. > >> > For buffers smaller than that I agree with John in that I'm not sure >> > there's a definitive threshold. >> >> Well... why do we want to do _anything_ here? Why cater for buggy >> callers? I think it's because "dma-buf behaves really badly with very >> large allocation requests". Again, can we fix that instead? >> >There are a variety of different allocation strategies used by >different exporters so I don't think there's one dma-buf thing we >could fix for slow, large allocations in general. For the system_heap >in this patch it's really just alloc_pages. I'm saying I don't think >the kernel should ever ask alloc_pages for more memory than exists on >the system, which seems like a pretty reasonable sanity check to me. >Given that, I don't think we should do anything for buffers smaller >than totalram_pages() (except maybe to prevent OOM panics via >__GFP_RETRY_MAYFAIL when we attempt to exhaust system memory on any >request - valid or otherwise). I think T. J. also agree with me on what I shared. if (len / PAGE_SIZE > totalram_pages()) return ERR_PTR(-ENOMEM); #define LOW_ORDER_GFP (GFP_HIGHUSER | __GFP_ZERO | __GFP_COMP | __GFP_RETRY_MAYFAIL) Regarding the dma-buf behavior, I also would like to say that the dma-buf system heap seems to be designed to allocate that large memory. In mobile devices, we need that large memory for camera buffers or grahpics rendendering buffers. So that large memory should be allowed but the invalid huge size over ram should be avoided. I agree on that mm should reclaim even for the large size. But that reclaim process may affect system performance or user convenience. In that perspective I thought ram / 2 was reasonable, but yes not a golden value. I hope to use just ram size as sanity check. Additionally if all agree, we may be able to apply __GFP_RETRY_MAYFAIL too. BR