Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20180302220340.GC671@bombadil.infradead.org>
Date: Fri, 2 Mar 2018 14:03:40 -0800
From: Matthew Wilcox <willy@...radead.org>
To: linux-mm@...ck.org
Cc: kernel-hardening@...ts.openwall.com, linux-kernel@...r.kernel.org,
	"Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>
Subject: Re: [RFC] Handle mapcount overflows

On Fri, Mar 02, 2018 at 01:26:37PM -0800, Matthew Wilcox wrote:
> Here's my third effort to handle page->_mapcount overflows.

If you like this approach, but wonder if it works, here's a little forkbomb
of a program and a patch to add instrumentation.

In my dmesg, I never see the max mapcount getting above 65539.  I see a mix
of unlucky, it him! and it me! messages.

#define _GNU_SOURCE

#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>

int dummy;

int main(int argc, char **argv)
{
	int fd = open(argv[1], O_RDWR);
	int i;

	if (fd < 0) {
		perror(argv[1]);
		return 1;
	}

	// Spawn 511 children
	for (i = 0; i < 9; i++)
		fork();

	for (i = 0; i < 5000; i++)
		dummy = *(int *)mmap(NULL, 4096, PROT_READ, MAP_SHARED, fd, 0);
}


diff --git a/mm/mmap.c b/mm/mmap.c
index 575766ec02f8..2b6187156db0 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1325,7 +1325,7 @@ static inline int mlock_future_check(struct mm_struct *mm,
  * Experimentally determined.  gnome-shell currently uses fewer than
  * 3000 mappings, so should have zero effect on desktop users.
  */
-#define mm_track_threshold	5000
+#define mm_track_threshold	50
 static DEFINE_SPINLOCK(heavy_users_lock);
 static DEFINE_IDR(heavy_users);
 
@@ -1377,9 +1377,11 @@ static void kill_abuser(struct mm_struct *mm)
 			break;
 
 	if (down_write_trylock(&mm->mmap_sem)) {
+		printk_ratelimited("it him!\n");
 		kill_mm(tsk);
 		up_write(&mm->mmap_sem);
 	} else {
+		printk_ratelimited("unlucky!\n");
 		do_send_sig_info(SIGKILL, SEND_SIG_FORCED, tsk, true);
 	}
 }
@@ -1396,8 +1398,10 @@ void mm_mapcount_overflow(struct page *page)
 	vma_interval_tree_foreach(vma, &mapping->i_mmap, pgoff, pgoff + 1) {
 		if (vma->vm_mm == entry)
 			count++;
-		if (count > 1000)
+		if (count > 1000) {
+			printk_ratelimited("it me!\n");
 			kill_mm(current);
+		}
 	}
 
 	rcu_read_lock();
@@ -1408,7 +1412,7 @@ void mm_mapcount_overflow(struct page *page)
 				pgoff, pgoff + 1) {
 			if (vma->vm_mm == entry)
 				count++;
-			if (count > 1000) {
+			if (count > 10) {
 				kill_abuser(entry);
 				goto out;
 			}
diff --git a/mm/rmap.c b/mm/rmap.c
index d88acf5c98e9..3f0509f6f011 100644
--- a/mm/rmap.c
+++ b/mm/rmap.c
@@ -1190,6 +1190,7 @@ void page_add_file_rmap(struct page *page, bool compound)
 		VM_BUG_ON_PAGE(!PageSwapBacked(page), page);
 		__inc_node_page_state(page, NR_SHMEM_PMDMAPPED);
 	} else {
+		static int max = 0;
 		int v;
 		if (PageTransCompound(page) && page_mapping(page)) {
 			VM_WARN_ON_ONCE(!PageLocked(page));
@@ -1199,12 +1200,14 @@ void page_add_file_rmap(struct page *page, bool compound)
 				clear_page_mlock(compound_head(page));
 		}
 		v = atomic_inc_return(&page->_mapcount);
-		if (likely(v > 0))
-			goto out;
-		if (unlikely(v < 0)) {
+		if (unlikely(v > 65535)) {
+			if (max < v) max = v;
+			printk_ratelimited("overflow %d max %d\n", v, max);
 			mm_mapcount_overflow(page);
 			goto out;
 		}
+		if (likely(v > 0))
+			goto out;
 	}
 	__mod_lruvec_page_state(page, NR_FILE_MAPPED, nr);
 out:

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.