From: Andrew Shewmaker <agshew@gmail.com>
To: Roman Gushchin <klamm@yandex-team.ru>
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org,
Andrew Morton <akpm@linux-foundation.org>,
Rik van Riel <riel@redhat.com>,
Konstantin Khlebnikov <khlebnikov@yandex-team.ru>,
stable@vger.kernel.org
Subject: Re: [PATCH] mm: fix arithmetic overflow in __vm_enough_memory()
Date: Thu, 29 Jan 2015 11:57:35 -0800 [thread overview]
Message-ID: <20150129195735.GA9331@scruffy> (raw)
In-Reply-To: <1422536763-31325-1-git-send-email-klamm@yandex-team.ru>
On Thu, Jan 29, 2015 at 04:06:03PM +0300, Roman Gushchin wrote:
> I noticed, that "allowed" can easily overflow by falling below 0,
> because (total_vm / 32) can be larger than "allowed". The problem
> occurs in OVERCOMMIT_NONE mode.
>
> In this case, a huge allocation can success and overcommit the system
> (despite OVERCOMMIT_NONE mode). All subsequent allocations will fall
> (system-wide), so system become unusable.
>
> The problem was masked out by commit c9b1d0981fcc
> ("mm: limit growth of 3% hardcoded other user reserve"),
> but it's easy to reproduce it on older kernels:
> 1) set overcommit_memory sysctl to 2
> 2) mmap() large file multiple times (with VM_SHARED flag)
> 3) try to malloc() large amount of memory
>
> It also can be reproduced on newer kernels, but miss-configured
> sysctl_user_reserve_kbytes is required.
>
> Fix this issue by switching to signed arithmetic here.
>
> Signed-off-by: Roman Gushchin <klamm@yandex-team.ru>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Andrew Shewmaker <agshew@gmail.com>
> Cc: Rik van Riel <riel@redhat.com>
> Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
> Cc: stable@vger.kernel.org
> ---
> mm/mmap.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/mm/mmap.c b/mm/mmap.c
> index 7f684d5..5aa8dfe 100644
> --- a/mm/mmap.c
> +++ b/mm/mmap.c
> @@ -152,7 +152,7 @@ EXPORT_SYMBOL_GPL(vm_memory_committed);
> */
> int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
> {
> - unsigned long free, allowed, reserve;
> + long free, allowed, reserve;
>
> VM_WARN_ONCE(percpu_counter_read(&vm_committed_as) <
> -(s64)vm_committed_as_batch * num_online_cpus(),
> @@ -220,7 +220,7 @@ int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
> */
> if (mm) {
> reserve = sysctl_user_reserve_kbytes >> (PAGE_SHIFT - 10);
> - allowed -= min(mm->total_vm / 32, reserve);
> + allowed -= min((long)mm->total_vm / 32, reserve);
> }
>
> if (percpu_counter_read_positive(&vm_committed_as) < allowed)
> --
> 2.1.0
>
Makes sense to me. Please fix mm/nommu.c also.
If a caller passes in a big negative value for pages,
then vm_acct_memory() would decrement vm_committed_as, possibly
causing percpu_counter_read_positive(&vm_committed_as) and
__vm_enough_memory to return 0. Maybe that's okay? Callers
won't be passing in a negative pages anyway. Is there a reason
to let them, though?
-Andrew
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: Andrew Shewmaker <agshew@gmail.com>
To: Roman Gushchin <klamm@yandex-team.ru>
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org,
Andrew Morton <akpm@linux-foundation.org>,
Rik van Riel <riel@redhat.com>,
Konstantin Khlebnikov <khlebnikov@yandex-team.ru>,
stable@vger.kernel.org
Subject: Re: [PATCH] mm: fix arithmetic overflow in __vm_enough_memory()
Date: Thu, 29 Jan 2015 11:57:35 -0800 [thread overview]
Message-ID: <20150129195735.GA9331@scruffy> (raw)
In-Reply-To: <1422536763-31325-1-git-send-email-klamm@yandex-team.ru>
On Thu, Jan 29, 2015 at 04:06:03PM +0300, Roman Gushchin wrote:
> I noticed, that "allowed" can easily overflow by falling below 0,
> because (total_vm / 32) can be larger than "allowed". The problem
> occurs in OVERCOMMIT_NONE mode.
>
> In this case, a huge allocation can success and overcommit the system
> (despite OVERCOMMIT_NONE mode). All subsequent allocations will fall
> (system-wide), so system become unusable.
>
> The problem was masked out by commit c9b1d0981fcc
> ("mm: limit growth of 3% hardcoded other user reserve"),
> but it's easy to reproduce it on older kernels:
> 1) set overcommit_memory sysctl to 2
> 2) mmap() large file multiple times (with VM_SHARED flag)
> 3) try to malloc() large amount of memory
>
> It also can be reproduced on newer kernels, but miss-configured
> sysctl_user_reserve_kbytes is required.
>
> Fix this issue by switching to signed arithmetic here.
>
> Signed-off-by: Roman Gushchin <klamm@yandex-team.ru>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Andrew Shewmaker <agshew@gmail.com>
> Cc: Rik van Riel <riel@redhat.com>
> Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
> Cc: stable@vger.kernel.org
> ---
> mm/mmap.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/mm/mmap.c b/mm/mmap.c
> index 7f684d5..5aa8dfe 100644
> --- a/mm/mmap.c
> +++ b/mm/mmap.c
> @@ -152,7 +152,7 @@ EXPORT_SYMBOL_GPL(vm_memory_committed);
> */
> int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
> {
> - unsigned long free, allowed, reserve;
> + long free, allowed, reserve;
>
> VM_WARN_ONCE(percpu_counter_read(&vm_committed_as) <
> -(s64)vm_committed_as_batch * num_online_cpus(),
> @@ -220,7 +220,7 @@ int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin)
> */
> if (mm) {
> reserve = sysctl_user_reserve_kbytes >> (PAGE_SHIFT - 10);
> - allowed -= min(mm->total_vm / 32, reserve);
> + allowed -= min((long)mm->total_vm / 32, reserve);
> }
>
> if (percpu_counter_read_positive(&vm_committed_as) < allowed)
> --
> 2.1.0
>
Makes sense to me. Please fix mm/nommu.c also.
If a caller passes in a big negative value for pages,
then vm_acct_memory() would decrement vm_committed_as, possibly
causing percpu_counter_read_positive(&vm_committed_as) and
__vm_enough_memory to return 0. Maybe that's okay? Callers
won't be passing in a negative pages anyway. Is there a reason
to let them, though?
-Andrew
next prev parent reply other threads:[~2015-01-29 19:57 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-29 13:06 [PATCH] mm: fix arithmetic overflow in __vm_enough_memory() Roman Gushchin
2015-01-29 13:06 ` Roman Gushchin
2015-01-29 19:57 ` Andrew Shewmaker [this message]
2015-01-29 19:57 ` Andrew Shewmaker
2015-01-30 13:09 ` [PATCH] mm/nommu.c: " Roman Gushchin
2015-01-30 13:14 ` [PATCH] mm: " Roman Gushchin
2015-01-30 13:14 ` Roman Gushchin
2015-01-30 13:14 ` Roman Gushchin
2015-02-03 13:29 ` Michal Hocko
2015-02-03 13:29 ` Michal Hocko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150129195735.GA9331@scruffy \
--to=agshew@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=khlebnikov@yandex-team.ru \
--cc=klamm@yandex-team.ru \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=riel@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.