Re: [PATCH v2 1/3] mm/swapfile: make security_vm_enough_memory_mm() work as expected

From: Miaohe Lin <linmiaohe@huawei.com>
To: David Hildenbrand <david@redhat.com>, <akpm@linux-foundation.org>
Cc: <linux-mm@kvack.org>, <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2 1/3] mm/swapfile: make security_vm_enough_memory_mm() work as expected
Date: Sat, 18 Jun 2022 15:31:16 +0800	[thread overview]
Message-ID: <ca8dac22-197f-c824-6806-132fc077722c@huawei.com> (raw)
In-Reply-To: <24fd3f78-f7e5-a1dc-cad0-15ff826744a9@redhat.com>

On 2022/6/18 15:10, David Hildenbrand wrote:
> On 18.06.22 04:43, Miaohe Lin wrote:
>> On 2022/6/17 15:33, David Hildenbrand wrote:
>>> On 08.06.22 16:40, Miaohe Lin wrote:
>>>> security_vm_enough_memory_mm() checks whether a process has enough memory
>>>> to allocate a new virtual mapping. And total_swap_pages is considered as
>>>> available memory while swapoff tries to make sure there's enough memory
>>>> that can hold the swapped out memory. But total_swap_pages contains the
>>>> swap space that is being swapoff. So security_vm_enough_memory_mm() will
>>>> success even if there's no memory to hold the swapped out memory because
>>>
>>> s/success/succeed/
>>
>> OK. Thanks.
>>
>>>
>>>> total_swap_pages always greater than or equal to p->pages.
>>>>
>>>> In order to fix it, p->pages should be retracted from total_swap_pages
>>>
>>> s/retracted/subtracted/
>>
>> OK. Thanks.
>>
>>>
>>>> first and then check whether there's enough memory for inuse swap pages.
>>>>
>>>> Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
>>>> ---
>>>>  mm/swapfile.c | 10 +++++++---
>>>>  1 file changed, 7 insertions(+), 3 deletions(-)
>>>>
>>>> diff --git a/mm/swapfile.c b/mm/swapfile.c
>>>> index ec4c1b276691..d2bead7b8b70 100644
>>>> --- a/mm/swapfile.c
>>>> +++ b/mm/swapfile.c
>>>> @@ -2398,6 +2398,7 @@ SYSCALL_DEFINE1(swapoff, const char __user *, specialfile)
>>>>  	struct filename *pathname;
>>>>  	int err, found = 0;
>>>>  	unsigned int old_block_size;
>>>> +	unsigned int inuse_pages;
>>>>  
>>>>  	if (!capable(CAP_SYS_ADMIN))
>>>>  		return -EPERM;
>>>> @@ -2428,9 +2429,13 @@ SYSCALL_DEFINE1(swapoff, const char __user *, specialfile)
>>>>  		spin_unlock(&swap_lock);
>>>>  		goto out_dput;
>>>>  	}
>>>> -	if (!security_vm_enough_memory_mm(current->mm, p->pages))
>>>> -		vm_unacct_memory(p->pages);
>>>> +
>>>> +	total_swap_pages -= p->pages;
>>>> +	inuse_pages = READ_ONCE(p->inuse_pages);
>>>> +	if (!security_vm_enough_memory_mm(current->mm, inuse_pages))
>>>> +		vm_unacct_memory(inuse_pages);
>>>>  	else {
>>>> +		total_swap_pages += p->pages;
>>>
>>> That implies that whenever we fail in security_vm_enough_memory_mm(),
>>> that other concurrent users might see a wrong total_swap_pages.
>>>
>>> Assume 4 GiB memory and 8 GiB swap. Let's assume 10 GiB are in use.
>>>
>>> Temporarily, we'd have
>>>
>>> CommitLimit    4 GiB
>>> Committed_AS  10 GiB
>>
>> IIUC, even if without this change, the other concurrent users if come after vm_acct_memory()
>> is done in __vm_enough_memory(), they might see
>>
>> CommitLimit   12 GiB (4 GiB memory + 8GiB total swap)
>> Committed_AS  18 GiB (10 GiB in use + 8GiB swap space to swapoff)
>>
>> Or am I miss something?
>>
> 
> I think you are right!
> 
> Reviewed-by: David Hildenbrand <david@redhat.com>

Thanks a lot!

> 
> 