From: Rik van Riel <riel@redhat.com>
To: linux-kernel@vger.kernel.org, Hugh Dickins <hughd@google.com>,
linux-mm <linux-mm@kvack.org>
Subject: Re: Repeated fork() causes SLAB to grow without bound
Date: Fri, 17 Aug 2012 23:46:18 -0400 [thread overview]
Message-ID: <502F100A.1080401@redhat.com> (raw)
In-Reply-To: <20120818000312.GA4262@evergreen.ssec.wisc.edu>
On 08/17/2012 08:03 PM, Daniel Forrest wrote:
> Based on your comments, I came up with the following patch. It boots
> and the anon_vma/anon_vma_chain SLAB usage is stable, but I don't know
> if I've overlooked something. I'm not a kernel hacker.
The patch looks reasonable to me. There is one spot left
for optimization, which I have pointed out below.
Of course, that leaves the big question: do we want the
overhead of having the atomic addition and decrement for
every anonymous memory page, or is it easier to fix this
issue in userspace?
Given that malicious userspace could potentially run the
system out of memory, without needing special privileges,
and the OOM killer may not be able to reclaim it due to
internal slab fragmentation, I guess this issue could be
classified as a low impact denial of service vulnerability.
Furthermore, there is already a fair amount of bookkeeping
being done in the rmap code, so this patch is not likely
to add a whole lot - some testing might be useful, though.
> @@ -262,7 +264,10 @@ int anon_vma_clone(struct vm_area_struct
> }
> anon_vma = pavc->anon_vma;
> root = lock_anon_vma_root(root, anon_vma);
> - anon_vma_chain_link(dst, avc, anon_vma);
> + if (!atomic_read(&anon_vma->pagecount))
> + anon_vma_chain_free(avc);
> + else
> + anon_vma_chain_link(dst, avc, anon_vma);
> }
> unlock_anon_vma_root(root);
> return 0;
In this function, you can do the test before the code block
where we try to allocate an anon_vma chain.
In other words:
list_for_each_entry_reverse(.....
struct anon_vma *anon_vma;
+ if (!atomic_read(&anon_vma->pagecount))
+ continue;
+
avc = anon_vma_chain_alloc(...
if (unlikely(!avc)) {
The rest looks good.
--
All rights reversed
WARNING: multiple messages have this Message-ID (diff)
From: Rik van Riel <riel@redhat.com>
To: linux-kernel@vger.kernel.org, Hugh Dickins <hughd@google.com>,
linux-mm <linux-mm@kvack.org>
Subject: Re: Repeated fork() causes SLAB to grow without bound
Date: Fri, 17 Aug 2012 23:46:18 -0400 [thread overview]
Message-ID: <502F100A.1080401@redhat.com> (raw)
In-Reply-To: <20120818000312.GA4262@evergreen.ssec.wisc.edu>
On 08/17/2012 08:03 PM, Daniel Forrest wrote:
> Based on your comments, I came up with the following patch. It boots
> and the anon_vma/anon_vma_chain SLAB usage is stable, but I don't know
> if I've overlooked something. I'm not a kernel hacker.
The patch looks reasonable to me. There is one spot left
for optimization, which I have pointed out below.
Of course, that leaves the big question: do we want the
overhead of having the atomic addition and decrement for
every anonymous memory page, or is it easier to fix this
issue in userspace?
Given that malicious userspace could potentially run the
system out of memory, without needing special privileges,
and the OOM killer may not be able to reclaim it due to
internal slab fragmentation, I guess this issue could be
classified as a low impact denial of service vulnerability.
Furthermore, there is already a fair amount of bookkeeping
being done in the rmap code, so this patch is not likely
to add a whole lot - some testing might be useful, though.
> @@ -262,7 +264,10 @@ int anon_vma_clone(struct vm_area_struct
> }
> anon_vma = pavc->anon_vma;
> root = lock_anon_vma_root(root, anon_vma);
> - anon_vma_chain_link(dst, avc, anon_vma);
> + if (!atomic_read(&anon_vma->pagecount))
> + anon_vma_chain_free(avc);
> + else
> + anon_vma_chain_link(dst, avc, anon_vma);
> }
> unlock_anon_vma_root(root);
> return 0;
In this function, you can do the test before the code block
where we try to allocate an anon_vma chain.
In other words:
list_for_each_entry_reverse(.....
struct anon_vma *anon_vma;
+ if (!atomic_read(&anon_vma->pagecount))
+ continue;
+
avc = anon_vma_chain_alloc(...
if (unlikely(!avc)) {
The rest looks good.
--
All rights reversed
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2012-08-18 3:46 UTC|newest]
Thread overview: 75+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-16 2:46 Repeated fork() causes SLAB to grow without bound Daniel Forrest
2012-08-16 18:58 ` Rik van Riel
2012-08-16 18:58 ` Rik van Riel
2012-08-18 0:03 ` Daniel Forrest
2012-08-18 0:03 ` Daniel Forrest
2012-08-18 3:46 ` Rik van Riel [this message]
2012-08-18 3:46 ` Rik van Riel
2012-08-18 4:07 ` Daniel Forrest
2012-08-18 4:07 ` Daniel Forrest
2012-08-18 4:10 ` Rik van Riel
2012-08-18 4:10 ` Rik van Riel
2012-08-20 8:00 ` Hugh Dickins
2012-08-20 8:00 ` Hugh Dickins
2012-08-20 9:39 ` Michel Lespinasse
2012-08-20 9:39 ` Michel Lespinasse
2012-08-20 11:11 ` Andi Kleen
2012-08-20 11:11 ` Andi Kleen
2012-08-20 11:17 ` Rik van Riel
2012-08-20 11:17 ` Rik van Riel
2012-08-20 11:53 ` Michel Lespinasse
2012-08-20 11:53 ` Michel Lespinasse
2012-08-20 19:11 ` Michel Lespinasse
2012-08-20 19:11 ` Michel Lespinasse
2012-08-22 3:20 ` [RFC PATCH] " Michel Lespinasse
2012-08-22 3:20 ` Michel Lespinasse
2012-08-22 3:29 ` Rik van Riel
2012-08-22 3:29 ` Rik van Riel
2013-06-03 19:50 ` Daniel Forrest
2013-06-03 19:50 ` Daniel Forrest
2013-06-04 10:37 ` Rik van Riel
2013-06-04 10:37 ` Rik van Riel
2013-06-05 14:02 ` Andrea Arcangeli
2013-06-05 14:02 ` Andrea Arcangeli
2014-11-14 16:30 ` [PATCH] " Daniel Forrest
2014-11-14 16:30 ` Daniel Forrest
2014-11-18 0:02 ` Andrew Morton
2014-11-18 0:02 ` Andrew Morton
2014-11-18 1:41 ` Daniel Forrest
2014-11-18 1:41 ` Daniel Forrest
2014-11-18 2:41 ` Rik van Riel
2014-11-18 2:41 ` Rik van Riel
2014-11-18 20:19 ` Andrew Morton
2014-11-18 20:19 ` Andrew Morton
2014-11-18 22:15 ` Konstantin Khlebnikov
2014-11-18 22:15 ` Konstantin Khlebnikov
2014-11-18 23:02 ` Konstantin Khlebnikov
2014-11-18 23:50 ` Vlastimil Babka
2014-11-18 23:50 ` Vlastimil Babka
2014-11-19 14:36 ` Konstantin Khlebnikov
2014-11-19 14:36 ` Konstantin Khlebnikov
2014-11-19 16:09 ` Vlastimil Babka
2014-11-19 16:09 ` Vlastimil Babka
2014-11-19 16:58 ` Konstantin Khlebnikov
2014-11-19 16:58 ` Konstantin Khlebnikov
2014-11-19 23:14 ` Michel Lespinasse
2014-11-19 23:14 ` Michel Lespinasse
2014-11-20 14:42 ` Konstantin Khlebnikov
2014-11-20 14:42 ` Konstantin Khlebnikov
2014-11-20 14:50 ` Rik van Riel
2014-11-20 14:50 ` Rik van Riel
2014-11-20 15:03 ` Konstantin Khlebnikov
2014-11-20 15:03 ` Konstantin Khlebnikov
2014-11-24 7:09 ` Konstantin Khlebnikov
2014-11-25 10:59 ` Michal Hocko
2014-11-25 10:59 ` Michal Hocko
2014-11-25 12:13 ` Konstantin Khlebnikov
2014-11-25 15:00 ` Michal Hocko
2014-11-25 15:00 ` Michal Hocko
2014-11-26 17:35 ` Michal Hocko
2014-11-26 17:35 ` Michal Hocko
2014-12-05 15:44 ` Jerome Marchand
2014-11-20 15:27 ` Michel Lespinasse
2014-11-20 15:27 ` Michel Lespinasse
2014-11-19 2:48 ` Rik van Riel
2014-11-19 2:48 ` Rik van Riel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=502F100A.1080401@redhat.com \
--to=riel@redhat.com \
--cc=hughd@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.