From: Rik van Riel <riel@redhat.com> To: linux-kernel@vger.kernel.org, Hugh Dickins <hughd@google.com>, linux-mm <linux-mm@kvack.org> Subject: Re: Repeated fork() causes SLAB to grow without bound Date: Fri, 17 Aug 2012 23:46:18 -0400 [thread overview] Message-ID: <502F100A.1080401@redhat.com> (raw) In-Reply-To: <20120818000312.GA4262@evergreen.ssec.wisc.edu> On 08/17/2012 08:03 PM, Daniel Forrest wrote: > Based on your comments, I came up with the following patch. It boots > and the anon_vma/anon_vma_chain SLAB usage is stable, but I don't know > if I've overlooked something. I'm not a kernel hacker. The patch looks reasonable to me. There is one spot left for optimization, which I have pointed out below. Of course, that leaves the big question: do we want the overhead of having the atomic addition and decrement for every anonymous memory page, or is it easier to fix this issue in userspace? Given that malicious userspace could potentially run the system out of memory, without needing special privileges, and the OOM killer may not be able to reclaim it due to internal slab fragmentation, I guess this issue could be classified as a low impact denial of service vulnerability. Furthermore, there is already a fair amount of bookkeeping being done in the rmap code, so this patch is not likely to add a whole lot - some testing might be useful, though. > @@ -262,7 +264,10 @@ int anon_vma_clone(struct vm_area_struct > } > anon_vma = pavc->anon_vma; > root = lock_anon_vma_root(root, anon_vma); > - anon_vma_chain_link(dst, avc, anon_vma); > + if (!atomic_read(&anon_vma->pagecount)) > + anon_vma_chain_free(avc); > + else > + anon_vma_chain_link(dst, avc, anon_vma); > } > unlock_anon_vma_root(root); > return 0; In this function, you can do the test before the code block where we try to allocate an anon_vma chain. In other words: list_for_each_entry_reverse(..... struct anon_vma *anon_vma; + if (!atomic_read(&anon_vma->pagecount)) + continue; + avc = anon_vma_chain_alloc(... if (unlikely(!avc)) { The rest looks good. -- All rights reversed
WARNING: multiple messages have this Message-ID (diff)
From: Rik van Riel <riel@redhat.com> To: linux-kernel@vger.kernel.org, Hugh Dickins <hughd@google.com>, linux-mm <linux-mm@kvack.org> Subject: Re: Repeated fork() causes SLAB to grow without bound Date: Fri, 17 Aug 2012 23:46:18 -0400 [thread overview] Message-ID: <502F100A.1080401@redhat.com> (raw) In-Reply-To: <20120818000312.GA4262@evergreen.ssec.wisc.edu> On 08/17/2012 08:03 PM, Daniel Forrest wrote: > Based on your comments, I came up with the following patch. It boots > and the anon_vma/anon_vma_chain SLAB usage is stable, but I don't know > if I've overlooked something. I'm not a kernel hacker. The patch looks reasonable to me. There is one spot left for optimization, which I have pointed out below. Of course, that leaves the big question: do we want the overhead of having the atomic addition and decrement for every anonymous memory page, or is it easier to fix this issue in userspace? Given that malicious userspace could potentially run the system out of memory, without needing special privileges, and the OOM killer may not be able to reclaim it due to internal slab fragmentation, I guess this issue could be classified as a low impact denial of service vulnerability. Furthermore, there is already a fair amount of bookkeeping being done in the rmap code, so this patch is not likely to add a whole lot - some testing might be useful, though. > @@ -262,7 +264,10 @@ int anon_vma_clone(struct vm_area_struct > } > anon_vma = pavc->anon_vma; > root = lock_anon_vma_root(root, anon_vma); > - anon_vma_chain_link(dst, avc, anon_vma); > + if (!atomic_read(&anon_vma->pagecount)) > + anon_vma_chain_free(avc); > + else > + anon_vma_chain_link(dst, avc, anon_vma); > } > unlock_anon_vma_root(root); > return 0; In this function, you can do the test before the code block where we try to allocate an anon_vma chain. In other words: list_for_each_entry_reverse(..... struct anon_vma *anon_vma; + if (!atomic_read(&anon_vma->pagecount)) + continue; + avc = anon_vma_chain_alloc(... if (unlikely(!avc)) { The rest looks good. -- All rights reversed -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2012-08-18 3:46 UTC|newest] Thread overview: 75+ messages / expand[flat|nested] mbox.gz Atom feed top 2012-08-16 2:46 Repeated fork() causes SLAB to grow without bound Daniel Forrest 2012-08-16 18:58 ` Rik van Riel 2012-08-16 18:58 ` Rik van Riel 2012-08-18 0:03 ` Daniel Forrest 2012-08-18 0:03 ` Daniel Forrest 2012-08-18 3:46 ` Rik van Riel [this message] 2012-08-18 3:46 ` Rik van Riel 2012-08-18 4:07 ` Daniel Forrest 2012-08-18 4:07 ` Daniel Forrest 2012-08-18 4:10 ` Rik van Riel 2012-08-18 4:10 ` Rik van Riel 2012-08-20 8:00 ` Hugh Dickins 2012-08-20 8:00 ` Hugh Dickins 2012-08-20 9:39 ` Michel Lespinasse 2012-08-20 9:39 ` Michel Lespinasse 2012-08-20 11:11 ` Andi Kleen 2012-08-20 11:11 ` Andi Kleen 2012-08-20 11:17 ` Rik van Riel 2012-08-20 11:17 ` Rik van Riel 2012-08-20 11:53 ` Michel Lespinasse 2012-08-20 11:53 ` Michel Lespinasse 2012-08-20 19:11 ` Michel Lespinasse 2012-08-20 19:11 ` Michel Lespinasse 2012-08-22 3:20 ` [RFC PATCH] " Michel Lespinasse 2012-08-22 3:20 ` Michel Lespinasse 2012-08-22 3:29 ` Rik van Riel 2012-08-22 3:29 ` Rik van Riel 2013-06-03 19:50 ` Daniel Forrest 2013-06-03 19:50 ` Daniel Forrest 2013-06-04 10:37 ` Rik van Riel 2013-06-04 10:37 ` Rik van Riel 2013-06-05 14:02 ` Andrea Arcangeli 2013-06-05 14:02 ` Andrea Arcangeli 2014-11-14 16:30 ` [PATCH] " Daniel Forrest 2014-11-14 16:30 ` Daniel Forrest 2014-11-18 0:02 ` Andrew Morton 2014-11-18 0:02 ` Andrew Morton 2014-11-18 1:41 ` Daniel Forrest 2014-11-18 1:41 ` Daniel Forrest 2014-11-18 2:41 ` Rik van Riel 2014-11-18 2:41 ` Rik van Riel 2014-11-18 20:19 ` Andrew Morton 2014-11-18 20:19 ` Andrew Morton 2014-11-18 22:15 ` Konstantin Khlebnikov 2014-11-18 22:15 ` Konstantin Khlebnikov 2014-11-18 23:02 ` Konstantin Khlebnikov 2014-11-18 23:50 ` Vlastimil Babka 2014-11-18 23:50 ` Vlastimil Babka 2014-11-19 14:36 ` Konstantin Khlebnikov 2014-11-19 14:36 ` Konstantin Khlebnikov 2014-11-19 16:09 ` Vlastimil Babka 2014-11-19 16:09 ` Vlastimil Babka 2014-11-19 16:58 ` Konstantin Khlebnikov 2014-11-19 16:58 ` Konstantin Khlebnikov 2014-11-19 23:14 ` Michel Lespinasse 2014-11-19 23:14 ` Michel Lespinasse 2014-11-20 14:42 ` Konstantin Khlebnikov 2014-11-20 14:42 ` Konstantin Khlebnikov 2014-11-20 14:50 ` Rik van Riel 2014-11-20 14:50 ` Rik van Riel 2014-11-20 15:03 ` Konstantin Khlebnikov 2014-11-20 15:03 ` Konstantin Khlebnikov 2014-11-24 7:09 ` Konstantin Khlebnikov 2014-11-25 10:59 ` Michal Hocko 2014-11-25 10:59 ` Michal Hocko 2014-11-25 12:13 ` Konstantin Khlebnikov 2014-11-25 15:00 ` Michal Hocko 2014-11-25 15:00 ` Michal Hocko 2014-11-26 17:35 ` Michal Hocko 2014-11-26 17:35 ` Michal Hocko 2014-12-05 15:44 ` Jerome Marchand 2014-11-20 15:27 ` Michel Lespinasse 2014-11-20 15:27 ` Michel Lespinasse 2014-11-19 2:48 ` Rik van Riel 2014-11-19 2:48 ` Rik van Riel
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=502F100A.1080401@redhat.com \ --to=riel@redhat.com \ --cc=hughd@google.com \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-mm@kvack.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.