| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 24 Apr 2019 21:47:05 -0400
From: Daniel Jordan <daniel.m.jordan@...cle.com>
To: Jason Gunthorpe <jgg@...lanox.com>
Cc: Daniel Jordan <daniel.m.jordan@...cle.com>,
Christophe Leroy <christophe.leroy@....fr>,
"akpm@...ux-foundation.org" <akpm@...ux-foundation.org>,
Alexey Kardashevskiy <aik@...abs.ru>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-mm@...ck.org" <linux-mm@...ck.org>,
Paul Mackerras <paulus@...ba.org>,
Christoph Lameter <cl@...ux.com>,
"linuxppc-dev@...ts.ozlabs.org" <linuxppc-dev@...ts.ozlabs.org>
Subject: Re: [PATCH 5/6] powerpc/mmu: drop mmap_sem now that locked_vm is
atomic
On Wed, Apr 24, 2019 at 11:10:24AM +0000, Jason Gunthorpe wrote:
> On Tue, Apr 23, 2019 at 07:15:44PM -0700, Davidlohr Bueso wrote:
> > Wouldn't the cmpxchg alternative also be exposed the locked_vm changing between
> > validating the new value and the cmpxchg() and we'd bogusly fail even when there
> > is still just because the value changed (I'm assuming we don't hold any locks,
> > otherwise all this is pointless).
That's true, I hadn't considered that we could retry even when there's enough
locked_vm. Seems like another one is that RLIMIT_MEMLOCK could change after
it's read. I guess nothing's going to be perfect. :/
> Well it needs a loop..
>
> again:
> current_locked = atomic_read(&mm->locked_vm);
> new_locked = current_locked + npages;
> if (new_locked < lock_limit)
> if (cmpxchg(&mm->locked_vm, current_locked, new_locked) != current_locked)
> goto again;
>
> So it won't have bogus failures as there is no unwind after
> error. Basically this is a load locked/store conditional style of
> locking pattern.
This is basically what I have so far.
> > > That's a good idea, and especially worth doing considering that an arbitrary
> > > number of threads that charge a low amount of locked_vm can fail just because
> > > one thread charges lots of it.
> >
> > Yeah but the window for this is quite small, I doubt it would be a real issue.
>
> > What if before doing the atomic_add_return(), we first did the racy new_locked
> > check for ENOMEM, then do the speculative add and cleanup, if necessary. This
> > would further reduce the scope of the window where false ENOMEM can occur.
So the upside of this is that there's no retry loop so tasks don't spin under
heavy contention? Seems better to always guard against false ENOMEM, at least
from the locked_vm side if not from the rlimit changing.
> > > pinned_vm appears to be broken the same way, so I can fix it too unless someone
> > > beats me to it.
> >
> > This should not be a surprise for the rdma folks. Cc'ing Jason nonetheless.
>
> I think we accepted this tiny race as a side effect of removing the
> lock, which was very beneficial. Really the time window between the
> atomic failing and unwind is very small, and there are enough other
> ways a hostile user could DOS locked_vm that I don't think it really
> matters in practice..
>
> However, the cmpxchg seems better, so a helper to implement that would
> probably be the best thing to do.
I've collapsed all the locked_vm users into such a helper and am now working on
converting the pinned_vm users to the same helper. Taking longer than I
thought.
Powered by blists - more mailing lists