| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 25 Apr 2022 15:00:24 -0400
From: Nico Pache <npache@...hat.com>
To: Michal Hocko <mhocko@...e.com>
Cc: linux-kernel@...r.kernel.org, linux-mm@...ck.org,
David Rientjes <rientjes@...gle.com>,
Andrea Arcangeli <aarcange@...hat.com>
Subject: Re: [RFC 3/3] exit: Check for MMF_OOM_SKIP in exit_mmap
On 4/22/22 11:38, Michal Hocko wrote:
> On Thu 21-04-22 15:05:33, Nico Pache wrote:
>> The MMF_OOM_SKIP bit is used to indicate weather a mm_struct can not be
>> invalided or has already been invalided. exit_mmap currently calls
>> __oom_reap_task_mm unconditionally despite the fact that the oom reaper
>> may have already called this.
>>
>> Add a check for the MMF_OOM_SKIP bit being set in exit_mmap to avoid
>> unnessary calls to the invalidate code.
>
> Why do we care about this?
Is there no cost to the MMU/TLB invalidation? The MMU notifier contains a lock
too so perhaps we can also avoids some unnecessary MMU notifier lock contention.
>
>> A slight race can occur on the MMF_OOM_SKIP bit that will still allow
>> this to run twice. My testing has shown an ~66% decrease in double calls
>> to _oom_reap_task_mm.
>>
>> Fixes: 27ae357fa82b ("mm, oom: fix concurrent munlock and oom reaper unmap, v3")
>
> I do not see this would be fixing anything.
Ok im just trying to make sure we are keeping an eye on what introduced this
double call. Davids commit above is what introduced the oom_reap_task_mm in the
exit_mmap code. It goes along with some other changes that I dont fully
understand without more studying, so that's why I was hoping he could provide
some input around that CVE (the main thing im concerned about re-introducing).
>
>> Cc: David Rientjes <rientjes@...gle.com>
>> Cc: Michal Hocko <mhocko@...e.com>
>> Cc: Andrea Arcangeli <aarcange@...hat.com>
>> Signed-off-by: Nico Pache <npache@...hat.com>
>> ---
>> mm/mmap.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/mm/mmap.c b/mm/mmap.c
>> index a2968669fd4e..b867f408dacd 100644
>> --- a/mm/mmap.c
>> +++ b/mm/mmap.c
>> @@ -3113,7 +3113,8 @@ void exit_mmap(struct mm_struct *mm)
>> /* mm's last user has gone, and its about to be pulled down */
>> mmu_notifier_release(mm);
>>
>> - if (unlikely(mm_is_oom_victim(mm))) {
>> + if (unlikely(mm_is_oom_victim(mm)) &&
>> + !test_bit(MMF_OOM_SKIP, &mm->flags)) {
>> /*
>> * Manually reap the mm to free as much memory as possible.
>> * Then, as the oom reaper does, set MMF_OOM_SKIP to disregard
>> --
>> 2.35.1
>
Powered by blists - more mailing lists