From patchwork Fri Mar 2 22:03:40 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Matthew Wilcox
X-Patchwork-Id: 10255799
Date: Fri, 2 Mar 2018 14:03:40 -0800
From: Matthew Wilcox
To: linux-mm@kvack.org
Cc: kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org, "Kirill A. Shutemov"
Subject: Re: [RFC] Handle mapcount overflows
Message-ID: <20180302220340.GC671@bombadil.infradead.org>
References: <20180208021112.GB14918@bombadil.infradead.org> <20180302212637.GB671@bombadil.infradead.org>
In-Reply-To: <20180302212637.GB671@bombadil.infradead.org>

On Fri, Mar 02, 2018 at 01:26:37PM -0800, Matthew Wilcox wrote:
> Here's my third effort to handle page->_mapcount overflows.

If you like this approach, but wonder if it works, here's a little forkbomb
of a program and a patch to add instrumentation.

In my dmesg, I never see the max mapcount getting above 65539. I see a mix
of unlucky, it him! and it me! messages.

#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <unistd.h>

int dummy;

int main(int argc, char **argv)
{
	int fd = open(argv[1], O_RDWR);
	int i;

	if (fd < 0) {
		perror(argv[1]);
		return 1;
	}

	// Spawn 511 children
	for (i = 0; i < 9; i++)
		fork();

	// Each process maps the first page of the file 5000 times and
	// reads it, so every mapping is faulted in.
	for (i = 0; i < 5000; i++)
		dummy = *(int *)mmap(NULL, 4096, PROT_READ, MAP_SHARED, fd, 0);
}

diff --git a/mm/mmap.c b/mm/mmap.c index 575766ec02f8..2b6187156db0 100644 --- a/mm/mmap.c +++ b/mm/mmap.c 
@@ -1325,7 +1325,7 @@ static inline int mlock_future_check(struct mm_struct *mm, * Experimentally determined. gnome-shell currently uses fewer than * 3000 mappings, so should have zero effect on desktop users. */ -#define mm_track_threshold 5000 +#define mm_track_threshold 50 static DEFINE_SPINLOCK(heavy_users_lock); static DEFINE_IDR(heavy_users); @@ -1377,9 +1377,11 @@ static void kill_abuser(struct mm_struct *mm) break; if (down_write_trylock(&mm->mmap_sem)) { + printk_ratelimited("it him!\n"); kill_mm(tsk); up_write(&mm->mmap_sem); } else { + printk_ratelimited("unlucky!\n"); do_send_sig_info(SIGKILL, SEND_SIG_FORCED, tsk, true); } } @@ -1396,8 +1398,10 @@ void mm_mapcount_overflow(struct page *page) vma_interval_tree_foreach(vma, &mapping->i_mmap, pgoff, pgoff + 1) { if (vma->vm_mm == entry) count++; - if (count > 1000) + if (count > 1000) { + printk_ratelimited("it me!\n"); kill_mm(current); + } } rcu_read_lock(); @@ -1408,7 +1412,7 @@ void mm_mapcount_overflow(struct page *page) pgoff, pgoff + 1) { if (vma->vm_mm == entry) count++; - if (count > 1000) { + if (count > 10) { kill_abuser(entry); goto out; } diff --git a/mm/rmap.c b/mm/rmap.c index d88acf5c98e9..3f0509f6f011 100644 --- a/mm/rmap.c +++ b/mm/rmap.c @@ -1190,6 +1190,7 @@ void page_add_file_rmap(struct page *page, bool compound) VM_BUG_ON_PAGE(!PageSwapBacked(page), page); __inc_node_page_state(page, NR_SHMEM_PMDMAPPED); } else { + static int max = 0; int v; if (PageTransCompound(page) && page_mapping(page)) { VM_WARN_ON_ONCE(!PageLocked(page)); @@ -1199,12 +1200,14 @@ void page_add_file_rmap(struct page *page, bool compound) clear_page_mlock(compound_head(page)); } v = atomic_inc_return(&page->_mapcount); - if (likely(v > 0)) - goto out; - if (unlikely(v < 0)) { + if (unlikely(v > 65535)) { + if (max < v) max = v; + printk_ratelimited("overflow %d max %d\n", v, max); mm_mapcount_overflow(page); goto out; } + if (likely(v > 0)) + goto out; } __mod_lruvec_page_state(page, NR_FILE_MAPPED, nr); out:
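Review bot: In mm/mmap.c at @@ -1325, the comment directly above mm_track_threshold still says the value was experimentally determined and has zero effect on desktop users because gnome-shell uses fewer than 3000 mappings, which no longer holds at 50. Either update the comment to say the value is lowered for testing, or keep 5000 and put the test value behind a separate debug-only define so it cannot be merged by accident.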
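Review bot: In kill_abuser() (mm/mmap.c, @@ -1377), the two printk_ratelimited() calls carry no log level and do not say which task was hit, so the "it him!" and "unlucky!" lines in dmesg cannot be tied to a process. Use pr_info_ratelimited() and include tsk->pid and tsk->comm in both messages, which also makes it possible to tell the trylock path from the SIGKILL fallback per victim.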
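Review bot: In the first vma_interval_tree_foreach loop of mm_mapcount_overflow() (mm/mmap.c, @@ -1396), nothing leaves the loop after kill_mm(current), so every further matching VMA once count > 1000 calls kill_mm(current) and the new printk again. kill_abuser() shows that kill_mm() returns to its caller, so add a break inside the new braces, in the same way the second loop stops after kill_abuser(entry).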
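Review bot: In the second loop of mm_mapcount_overflow() (mm/mmap.c, @@ -1408), the limit for killing another mm drops to 10 while the check against current in the first loop stays at 1000, so the two paths now trigger two orders of magnitude apart. Give both limits named constants and say in a comment which values are test-only.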
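Review bot: In page_add_file_rmap() (mm/rmap.c, @@ -1190), "static int max = 0;" should drop the explicit zero initialiser, which checkpatch flags for statics, and the name reads like the kernel's max() macro. A descriptive name such as max_mapcount_seen (a suggested name only) would make the later printk clearer.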
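Review bot: In page_add_file_rmap() (mm/rmap.c, @@ -1199), the removed "v < 0" test has no replacement, so a counter that does go negative fails both "v > 65535" and "v > 0" and falls through to __mod_lruvec_page_state() as if this were the first mapping. Keep a "v < 0" arm alongside the new check. Also, "if (max < v) max = v;" updates a shared static with no synchronisation, so the printed max is only approximate when callers run concurrently, and 65535 should be a named constant.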