Re: [PATCH 2/5] fs: charge pipe buffers to memcg

From: Andrew Morton
Date: Tue Sep 29 2015 - 18:57:28 EST


On Sat, 26 Sep 2015 13:45:54 +0300 Vladimir Davydov <vdavydov@xxxxxxxxxxxxx> wrote:

> Pipe buffers can be generated unrestrictedly by an unprivileged
> userspace process, so they shouldn't go unaccounted.
>
> ...
>
> --- a/fs/pipe.c
> +++ b/fs/pipe.c
> @@ -400,7 +400,7 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from)
> int copied;
>
> if (!page) {
> - page = alloc_page(GFP_HIGHUSER);
> + page = alloc_kmem_pages(GFP_HIGHUSER, 0);
> if (unlikely(!page)) {
> ret = ret ? : -ENOMEM;
> break;
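Review bot: the hunk only switches the allocation in pipe_write() from alloc_page() to alloc_kmem_pages(), which takes a memcg kmem charge on the page; nothing in the visible lines shows the matching release side, so it is not clear that the charge is dropped when the pipe buffer page is freed, or transferred when the page changes owner (e.g. when it is stolen out of the pipe and spliced elsewhere, as raised in the reply). Please point at where the uncharge happens for both paths, or add it alongside this change; otherwise the cgroup stays charged for memory it no longer holds, and a page carrying kmem-charge state can end up in page cache where other code does not expect it.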

This seems broken. We have a page buffer page which has a weird
->mapcount. Now it gets stolen (generic_pipe_buf_steal()) and spliced
into pagecache. Then the page gets mmapped and MM starts playing with
its ->_mapcount?


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/