All of lore.kernel.org
 help / color / mirror / Atom feed
* get_user_pages pinning: 2^22 page refs max?
@ 2019-05-01 22:19 Jann Horn
  2019-05-02  1:44 ` Matthew Wilcox
  0 siblings, 1 reply; 4+ messages in thread
From: Jann Horn @ 2019-05-01 22:19 UTC (permalink / raw)
  To: Jan Kara; +Cc: Linux-MM

Regarding the LSFMM talk today:
So with the page ref bias, the maximum number of page references will
be something like 2^22, right? Is the bias only applied to writable
references or also readonly ones?


^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: get_user_pages pinning: 2^22 page refs max?
  2019-05-01 22:19 get_user_pages pinning: 2^22 page refs max? Jann Horn
@ 2019-05-02  1:44 ` Matthew Wilcox
  2019-05-02 15:24   ` Jan Kara
  0 siblings, 1 reply; 4+ messages in thread
From: Matthew Wilcox @ 2019-05-02  1:44 UTC (permalink / raw)
  To: Jann Horn; +Cc: Jan Kara, Linux-MM

On Wed, May 01, 2019 at 06:19:00PM -0400, Jann Horn wrote:
> Regarding the LSFMM talk today:
> So with the page ref bias, the maximum number of page references will
> be something like 2^22, right? Is the bias only applied to writable
> references or also readonly ones?

2^21, because it's going to get caught by the < 0 check.

I think that's fine, though.  Anyone trying to map that page so many times
is clearly doing something either malicious or inadvertently very wrong.
After the 2 millionth time, attempting to pin the page will fail, and
the application will have to deal with that failure.


^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: get_user_pages pinning: 2^22 page refs max?
  2019-05-02  1:44 ` Matthew Wilcox
@ 2019-05-02 15:24   ` Jan Kara
  2019-05-02 15:34     ` Matthew Wilcox
  0 siblings, 1 reply; 4+ messages in thread
From: Jan Kara @ 2019-05-02 15:24 UTC (permalink / raw)
  To: Matthew Wilcox; +Cc: Jann Horn, Jan Kara, Linux-MM

On Wed 01-05-19 18:44:22, Matthew Wilcox wrote:
> On Wed, May 01, 2019 at 06:19:00PM -0400, Jann Horn wrote:
> > Regarding the LSFMM talk today:
> > So with the page ref bias, the maximum number of page references will
> > be something like 2^22, right? Is the bias only applied to writable
> > references or also readonly ones?
> 
> 2^21, because it's going to get caught by the < 0 check.
> 
> I think that's fine, though.  Anyone trying to map that page so many times
> is clearly doing something either malicious or inadvertently very wrong.
> After the 2 millionth time, attempting to pin the page will fail, and
> the application will have to deal with that failure.

So actually, you can still have ~2^31 *normal* page references (e.g. from
page tables). You would be limited to ~2^21 GUP references but I don't
think that would be a problem for any real workload.

If we are concerned about malicous application causing DOS by pinning page
too many times and then normal reference could not be acquired without
causing issues like leaking the page, I think we could even let get_pin()
fail whenever say page->_refcount >= 1<<29 to still leave *plenty* of space
for normal page references (effectively user could consume only 1/4 of
refcount range for GUP pins).

								Honza

-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR


^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: get_user_pages pinning: 2^22 page refs max?
  2019-05-02 15:24   ` Jan Kara
@ 2019-05-02 15:34     ` Matthew Wilcox
  0 siblings, 0 replies; 4+ messages in thread
From: Matthew Wilcox @ 2019-05-02 15:34 UTC (permalink / raw)
  To: Jan Kara; +Cc: Jann Horn, Linux-MM

On Thu, May 02, 2019 at 05:24:39PM +0200, Jan Kara wrote:
> On Wed 01-05-19 18:44:22, Matthew Wilcox wrote:
> > On Wed, May 01, 2019 at 06:19:00PM -0400, Jann Horn wrote:
> > > Regarding the LSFMM talk today:
> > > So with the page ref bias, the maximum number of page references will
> > > be something like 2^22, right? Is the bias only applied to writable
> > > references or also readonly ones?
> > 
> > 2^21, because it's going to get caught by the < 0 check.
> > 
> > I think that's fine, though.  Anyone trying to map that page so many times
> > is clearly doing something either malicious or inadvertently very wrong.
> > After the 2 millionth time, attempting to pin the page will fail, and
> > the application will have to deal with that failure.
> 
> So actually, you can still have ~2^31 *normal* page references (e.g. from
> page tables). You would be limited to ~2^21 GUP references but I don't
> think that would be a problem for any real workload.
> 
> If we are concerned about malicous application causing DOS by pinning page
> too many times and then normal reference could not be acquired without
> causing issues like leaking the page, I think we could even let get_pin()
> fail whenever say page->_refcount >= 1<<29 to still leave *plenty* of space
> for normal page references (effectively user could consume only 1/4 of
> refcount range for GUP pins).

Oh, I haven't explained the page refcount solution properly :-(

After the page refcount gets to 2^31, no more get_user_pages() calls
will succeed.  But normal get_page() calls will succeed, so you can
still fork() or do normal IO, just not O_DIRECT or RDMA.

I wanted to find a solution that didn't permit a local DoS by, eg,
doing O_DIRECT writes from a page of libc.  I mean, you can stop other
I/O from occurring, but you can't prevent fork().


^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-05-02 15:34 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-05-01 22:19 get_user_pages pinning: 2^22 page refs max? Jann Horn
2019-05-02  1:44 ` Matthew Wilcox
2019-05-02 15:24   ` Jan Kara
2019-05-02 15:34     ` Matthew Wilcox

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.