From: Andrew Morton <akpm@linux-foundation.org>
To: Randy Dunlap <rdunlap@infradead.org>
Cc: linux-kernel@vger.kernel.org, "Jens Axboe" <axboe@kernel.dk>,
"Toralf Förster" <toralf.foerster@gmx.de>,
linux-mm@kvack.org
Subject: Re: [RFC PATCH 2/2] mm: readahead: handle LARGE input to get_init_ra_size()
Date: Tue, 22 Dec 2020 17:35:33 -0800 [thread overview]
Message-ID: <20201222173533.c9e28416835d7487b0e28cda@linux-foundation.org> (raw)
In-Reply-To: <20201220211051.1416-1-rdunlap@infradead.org>
On Sun, 20 Dec 2020 13:10:51 -0800 Randy Dunlap <rdunlap@infradead.org> wrote:
> Add a test to detect if the input ra request size has its high order
> bit set (is negative when tested as a signed long). This would be a
> really Huge readahead.
>
> If so, WARN() with the value and a stack trace so that we can see
> where this is happening and then make further corrections later.
> Then adjust the size value so that it is not so Huge (although
> this may not be needed).
What motivates this change? Is there any reason to think this can
happen?
Also, everything in there *should* be unsigned, because a negative
readahead is semantically nonsensical. Is our handling of this
inherently unsigned quantity incorrect somewhere?
> --- linux-5.10.1.orig/mm/readahead.c
> +++ linux-5.10.1/mm/readahead.c
>
> ...
>
> @@ -303,14 +304,21 @@ void force_page_cache_ra(struct readahea
> }
>
> /*
> - * Set the initial window size, round to next power of 2 and square
> + * Set the initial window size, round to next power of 2
> * for small size, x 4 for medium, and x 2 for large
> * for 128k (32 page) max ra
> * 1-8 page = 32k initial, > 8 page = 128k initial
> */
> static unsigned long get_init_ra_size(unsigned long size, unsigned long max)
> {
> - unsigned long newsize = roundup_pow_of_two(size);
> + unsigned long newsize;
> +
> + if ((signed long)size < 0) { /* high bit is set: ultra-large ra req */
> + WARN_ONCE(1, "%s: size=0x%lx\n", __func__, size);
> + size = -size; /* really only need to flip the high/sign bit */
> + }
> +
> + newsize = roundup_pow_of_two(size);
Is there any way in which userspace can deliberately trigger warning?
Via sys_readadhead() or procfs tuning or whatever?
I guess that permitting a user-triggerable WARN_ONCE() isn't a huuuuge
problem - it isn't a DoS if it only triggers a single time. It does
permit the malicious user to disable future valid warnings, but I don't
see what incentive there would be for this. But still, it seems
desirable to avoid it.
next prev parent reply other threads:[~2020-12-23 1:36 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-20 21:10 [RFC PATCH 2/2] mm: readahead: handle LARGE input to get_init_ra_size() Randy Dunlap
2020-12-23 1:35 ` Andrew Morton [this message]
2020-12-23 1:50 ` Randy Dunlap
2020-12-29 18:01 ` Toralf Förster
2020-12-29 18:11 ` Randy Dunlap
2020-12-29 20:00 ` Randy Dunlap
2020-12-29 20:46 ` Toralf Förster
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201222173533.c9e28416835d7487b0e28cda@linux-foundation.org \
--to=akpm@linux-foundation.org \
--cc=axboe@kernel.dk \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=rdunlap@infradead.org \
--cc=toralf.foerster@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).