From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
To: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: John Johansen <john.johansen@canonical.com>,
linux-security-module@vger.kernel.org,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
tglx@linutronix.de
Subject: Re: [PATCH 1/2] apparmor: Use a memory pool instead per-CPU caches
Date: Thu, 2 May 2019 23:10:50 +0900 [thread overview]
Message-ID: <001f651f-c544-c3fa-c0c2-f2a2b1ed565a@i-love.sakura.ne.jp> (raw)
In-Reply-To: <20190502134730.d3ya46ave6a7bvom@linutronix.de>
On 2019/05/02 22:47, Sebastian Andrzej Siewior wrote:
> On 2019-05-02 22:17:35 [+0900], Tetsuo Handa wrote:
>> There is 'The "too small to fail" memory-allocation rule'
>> ( https://lwn.net/Articles/627419/ ) where GFP_KERNEL allocation for
>> size <= 32768 bytes never fails unless current thread was killed by
>> the OOM killer. This means that kmalloc() in
>>
>> +char *aa_get_buffer(void)
>> +{
>> + union aa_buffer *aa_buf;
>> +
>> +try_again:
>> + spin_lock(&aa_buffers_lock);
>> + if (!list_empty(&aa_global_buffers)) {
>> + aa_buf = list_first_entry(&aa_global_buffers, union aa_buffer,
>> + list);
>> + list_del(&aa_buf->list);
>> + spin_unlock(&aa_buffers_lock);
>> + return &aa_buf->buffer[0];
>> + }
>> + spin_unlock(&aa_buffers_lock);
>> +
>> + aa_buf = kmalloc(aa_g_path_max, GFP_KERNEL);
>> + if (WARN_ON_ONCE(!aa_buf))
>> + goto try_again;
>> + return &aa_buf->buffer[0];
>> +}
>>
>> can't return NULL unless current thread was killed by the OOM killer
>> if aa_g_path_max <= 32768. On the other hand, if aa_g_path_max > 32768,
>> this allocation can easily fail, and retrying forever is very bad.
>
> as I pointed out in the other email, it shouldn't retry forever because
> we should have something in the pool which will be returned.
>
The point of 'The "too small to fail" memory-allocation rule' is that kmalloc(GFP_KERNEL)
can't return NULL after current thread once reached kmalloc(GFP_KERNEL). That is, current
thread loops forever inside __alloc_pages_nodemask() unless killed by the OOM killer.
If you want to use aa_get_buffer() as if a memory pool, you need to specify __GFP_NORETRY
(or __GFP_RETRY_MAYFAIL).
>>> @@ -1399,6 +1404,7 @@ static int param_set_aauint(const char *val, const struct kernel_param *kp)
>>> return -EPERM;
>>>
>>> error = param_set_uint(val, kp);
>>> + aa_g_path_max = min_t(uint32_t, aa_g_path_max, sizeof(union aa_buffer));
>>
>> I think that this will guarantee that aa_g_path_max <= sizeof(struct list_head)
>> which is too small to succeed. :-(
>
> Ach right, this should have been max instead of min. Btw: are there any
> sane upper/lower limits while at it?
Although PATH_MAX is a limit which can be passed as a string argument to syscalls,
there is no limit for a pathname calculated by d_path() etc. The pathname can grow
until memory allocation for dentry cache fails after OOM-killer killed almost all
userspace processes.
But for pathname based access control, returning an error to userspace due to memory
allocation failure for d_path() etc. might result in unexpected termination of that
process. Therefore, you don't want to give up easily.
next prev parent reply other threads:[~2019-05-02 14:11 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-05 13:34 [PATCH 1/2] apparmor: Use a memory pool instead per-CPU caches Sebastian Andrzej Siewior
2019-04-05 13:34 ` [PATCH 2/2] apparmor: Switch to GFP_KERNEL where possible Sebastian Andrzej Siewior
2019-05-07 19:57 ` John Johansen
2019-04-15 10:50 ` [PATCH 1/2] apparmor: Use a memory pool instead per-CPU caches Sebastian Andrzej Siewior
2019-04-28 23:56 ` John Johansen
2019-04-30 14:47 ` Sebastian Andrzej Siewior
2019-05-01 21:29 ` John Johansen
2019-05-02 10:51 ` Sebastian Andrzej Siewior
2019-05-02 13:17 ` Tetsuo Handa
2019-05-02 13:47 ` Sebastian Andrzej Siewior
2019-05-02 14:10 ` Tetsuo Handa [this message]
2019-05-03 11:48 ` [PATCH v2] " Sebastian Andrzej Siewior
2019-05-03 11:51 ` [PATCH v3] " Sebastian Andrzej Siewior
2019-05-03 12:41 ` Tetsuo Handa
2019-05-03 14:12 ` [PATCH v4] " Sebastian Andrzej Siewior
2019-05-07 19:57 ` John Johansen
2019-10-02 8:59 ` Sebastian Andrzej Siewior
2019-10-02 15:47 ` John Johansen
2019-10-02 15:52 ` Sebastian Andrzej Siewior
2019-05-02 19:33 ` [PATCH 1/2] " John Johansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=001f651f-c544-c3fa-c0c2-f2a2b1ed565a@i-love.sakura.ne.jp \
--to=penguin-kernel@i-love.sakura.ne.jp \
--cc=bigeasy@linutronix.de \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=linux-security-module@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).