From: Konstantin Khlebnikov <koct9i@gmail.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Rik van Riel <riel@redhat.com>,
	Michel Lespinasse <walken@google.com>,
	Hugh Dickins <hughd@google.com>,
	Andrea Arcangeli <aarcange@redhat.com>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	"linux-mm@kvack.org" <linux-mm@kvack.org>,
	Tim Hartrick <tim@edgecast.com>, Michal Hocko <mhocko@suse.cz>
Subject: Re: [PATCH] Repeated fork() causes SLAB to grow without bound
Date: Wed, 19 Nov 2014 02:15:46 +0400
Message-ID: <CALYGNiMxnxmy-LyJ4OT9OoFeKwTPPkZMF-bJ-eJDBFXgZQ6AEA@mail.gmail.com>
In-Reply-To: <20141118121936.07b02545a0684b2cc839a10c@linux-foundation.org>

On Tue, Nov 18, 2014 at 11:19 PM, Andrew Morton
<akpm@linux-foundation.org> wrote:
> On Mon, 17 Nov 2014 21:41:57 -0500 Rik van Riel <riel@redhat.com> wrote:
>
>> > Because of the serial forking there does indeed end up being an
>> > infinite number of vmas.  The initial vma can never be deleted
>> > (even though the initial parent process has long since terminated)
>> > because the initial vma is referenced by the children.
>>
>> There is a finite number of VMAs, but an infinite number of
>> anon_vmas.
>>
>> Subtle, yet deadly...
>
> Well, we clearly have the data structures screwed up.  I've forgotten
> enough about this code for me to be unable to work out what the fixed
> up data structures would look like :( But surely there is some proper
> solution here.  Help?

Not sure if it's right, but probably we could reuse on fork an old anon_vma
from the chain if it has already lost all the vmas which point to it.
For an endlessly forking exploit this should work mostly like the proposed
patch, which stops branching after some depth, but without a magic constant.

>
>> > I can't say, but it only affects users who fork more than five
>> > levels deep without doing an exec.  On the other hand, there are at
>> > least three users (Tim Hartrick, Michal Hocko, and myself) who have
>> > real world applications where the consequence of no patch is a
>> > crashed system.
>> >
>> > I would suggest reading the thread starting with my initial bug
>> > report for what others have had to say about this.
>>
>> I suspect what Andrew is hinting at is that the
>> changelog for the patch should contain a detailed
>> description of exactly what the bug is, how it is
>> triggered, what the symptoms are, and how the
>> patch avoids it.
>>
>> That way people can understand what the code does
>> simply by looking at the changelog - no need to go
>> find old linux-kernel mailing list threads.
>
> Yes please, there's a ton of stuff here which we should attempt to
> capture.
>
> https://lkml.org/lkml/2012/8/15/765 is useful.
>
> I'm assuming that with the "foo < 5" hack, an application which forked
> 5 times then did a lot of work would still trigger the "catastrophic
> issue at page reclaim time" issue which Rik identified at
> https://lkml.org/lkml/2012/8/20/265?
>
> There are real-world workloads which are triggering this slab growth
> problem, yes?  (Detail them in the changelog, please).
>
> This bug snuck under my radar last time - we're permitting unprivileged
> userspace to exhaust memory and that's bad.  I'm OK with the foo<5
> thing for -stable kernels, as it is simple.  But I'm reluctant to merge
> (or at least to retain) it in mainline because then everyone will run
> away and think about other stuff and this bug will never get fixed
> properly.
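
A simplified user-space model of the reuse idea in the reply above, as an added example (not code from this thread or from the kernel). The structures, the `links`/`attached` counters and every function name are assumptions of the model; it only counts how many anon_vmas stay alive when each child forks once and its parent then exits.

```c
/* Toy model, not kernel code: anon_vma growth under serial fork(). */
#include <stdio.h>
#include <string.h>

#define MAX_AV 4096
/* links: vmas chained to this anon_vma; attached: vmas using it as their own */
struct anon_vma { int live, links, attached; };
struct vma { int chain[MAX_AV], n, own; };
static struct anon_vma av[MAX_AV];
static int nav;

static int av_alloc(void) { av[nav].live = 1; return nav++; }
static void av_link(struct vma *v, int a) { v->chain[v->n++] = a; av[a].links++; }

/* fork: the child chains to every anon_vma of the parent, then needs its own */
static void vma_fork(const struct vma *p, struct vma *c, int reuse)
{
    int i, own = -1;
    for (c->n = 0, i = 0; i < p->n; i++) {
        av_link(c, p->chain[i]);
        /* the proposal: reuse an old anon_vma that has lost all its vmas */
        if (reuse && own < 0 && p->chain[i] != p->own && !av[p->chain[i]].attached)
            own = p->chain[i];
    }
    if (own < 0)
        av_link(c, own = av_alloc());   /* nothing reusable: allocate */
    c->own = own;
    av[own].attached++;
}

/* exit: unlink the vma; an anon_vma that no vma chains to any more is freed */
static void vma_exit(struct vma *v)
{
    int i;
    for (av[v->own].attached--, i = 0; i < v->n; i++)
        if (--av[v->chain[i]].links == 0) av[v->chain[i]].live = 0;
}

/* Each generation forks once, then the parent exits. Returns live anon_vmas. */
int live_after_serial_forks(int generations, int reuse)
{
    static struct vma a, b;
    struct vma *parent = &a, *child = &b, *t;
    int g, i, live = 0;
    memset(av, 0, sizeof(av)); nav = 0; parent->n = 0;
    av_link(parent, parent->own = av_alloc()); av[parent->own].attached = 1;
    for (g = 0; g < generations; g++) {
        vma_fork(parent, child, reuse); vma_exit(parent);
        t = parent; parent = child; child = t;
    }
    for (i = 0; i < nav; i++) live += av[i].live;
    return live;
}

int main(void) { printf("%d %d\n", live_after_serial_forks(1000, 0), live_after_serial_forks(1000, 1)); return 0; }
```

In this model the count without reuse grows by one per generation, while with reuse it stays constant however deep the fork chain gets, with no depth limit involved.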
