Re: [PATCH 1/3] memcg: limit the number of thresholds per-memcg
From: Kirill A. Shutemov <hidden>
Date: 2013-08-07 22:04:56
Also in:
cgroups, lkml
On Wed, Aug 07, 2013 at 04:37:27PM +0200, Michal Hocko wrote:
On Wed 07-08-13 09:58:18, Tejun Heo wrote:quoted
Hello, On Wed, Aug 07, 2013 at 03:46:54PM +0200, Michal Hocko wrote:quoted
OK, I have obviously misunderstood your concern mentioned in the other email. Could you be more specific what is the DoS scenario which was your concern, then?So, let's say the file is write-accessible to !priv user which is under reasonable resource limits. Normally this shouldn't affect priv system tools which are monitoring the same event as it shouldn't be able to deplete resources as long as the resource control mechanisms are configured and functioning properly; however, the memory usage event puts all event listeners into a single contiguous table which a !priv user can easily expand to a size where the table can no longer be enlarged and if a priv system tool or another user tries to register event afterwards, it'll fail. IOW, it creates a shared resource which isn't properly provisioned and can be trivially filled up making it an easy DoS target.OK, got your point. You are right and I haven't considered the size of the table and the size restrictions of kmalloc. Thanks for pointing this out! --- From cde8a3333296eddd288780e78803610127401b6a Mon Sep 17 00:00:00 2001 From: Michal Hocko <redacted> Date: Wed, 7 Aug 2013 11:11:22 +0200 Subject: [PATCH] memcg: limit the number of thresholds per-memcg There is no limit for the maximum number of threshold events registered per memcg. It is even worse that all the events are stored in a per-memcg table which is enlarged when a new event is registered. This can lead to the following issue mentioned by Tejun: " So, let's say the file is write-accessible to !priv user which is under reasonable resource limits. Normally this shouldn't affect priv system tools which are monitoring the same event as it shouldn't be able to deplete resources as long as the resource control mechanisms are configured and functioning properly; however, the memory usage event puts all event listeners into a single contiguous table which a !priv user can easily expand to a size where the table can no longer be enlarged and if a priv system tool or another user tries to register event afterwards, it'll fail. IOW, it creates a shared resource which isn't properly provisioned and can be trivially filled up making it an easy DoS target. " Let's be more strict and cap the number of events that might be registered. MAX_THRESHOLD_EVENTS value is more or less random. The expectation is that it should be high enough to cover reasonable usecases while not too high to allow excessive resources consumption. 1024 events consume something like 16KB which shouldn't be a big deal and it should be good enough.
Is it correct that you fix one local DoS by introducing a new one? With the page the !priv user can block root from registering a threshold. Is it really the way we want to fix it? -- Kirill A. Shutemov -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>