lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <233o4lohzhriye27szk6mucduneuvosmnp6pmnjepz3enxjgtt@id6kwhjgysbj>
Date: Fri, 21 Mar 2025 11:26:18 +0000
From: Pedro Falcato <pfalcato@...e.de>
To: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>, 
	Vlastimil Babka <vbabka@...e.cz>, Jann Horn <jannh@...gle.com>, 
	"Liam R . Howlett" <Liam.Howlett@...cle.com>, linux-mm@...ck.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 6.15] mm/vma: add give_up_on_oom option on modify/merge,
 use in uffd release

On Fri, Mar 21, 2025 at 10:09:37AM +0000, Lorenzo Stoakes wrote:
> Currently, if a VMA merge fails due to an OOM condition arising on commit
> merge or a failure to duplicate anon_vma's, we report this so the caller
> can handle it.
> 
> However there are cases where the caller is only ostensibly trying a
> merge, and doesn't mind if it fails due to this condition.
>

Ok, so here's my problem with your idea: I don't think merge should be exposed
to vma_modify() callers. Right now (at least AIUI), you want to modify a given
VMA, you call vma_modify(), and it gives you a vma you can straight up modify
without any problems. Essentially breaks down any VMAs necessary. This feels
contractually simple and easy to use, and I don't think leaking details about
merging is the correct approach here.

> Since we do not want to introduce an implicit assumption that we only
> actually modify VMAs after OOM conditions might arise, add a 'give up on
> oom' option and make an explicit contract that, should this flag be set, we
> absolutely will not modify any VMAs should OOM arise and just bail out.
>

Thus, to me the most natural solution is still mine. Do you think it places too
many constraints on vma_modify()? vma_modify() on a single VMA, without
splitting, Just Working(tm) is a sensible expectation (and vma_merge being fully
best-effort). Things like mprotect() failing due to OOM are also pretty disastrous,
so if we could limit that it'd be great.

In any case, your solution looks palatable to me, but I want to make
sure we're not making this excessively complicated.

-- 
Pedro

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ