Re: [PATCH v3] dma-buf/heaps: system_heap: avoid too much allocation

[Michal Hocko]

On Wed 12-04-23 18:44:40, Jaewon Kim wrote:
> >On Wed 12-04-23 17:57:26, Jaewon Kim wrote:
> >> >Sorry for being late. I know there was some pre-existing discussion
> >> >around that but I didn't have time to participate.
> >> >
> >> >On Mon 10-04-23 16:32:28, Jaewon Kim wrote:
> >> >> @@ -350,6 +350,9 @@ static struct dma_buf *system_heap_allocate(struct dma_heap *heap,
> >> >>  	struct page *page, *tmp_page;
> >> >>  	int i, ret = -ENOMEM;
> >> >>  
> >> >> +	if (len / PAGE_SIZE > totalram_pages())
> >> >> +		return ERR_PTR(-ENOMEM);
> >> >> +
> >> >
> >> >This is an antipattern imho. Check 7661809d493b ("mm: don't allow
> >> >oversized kvmalloc() calls") how kvmalloc has dealt with a similar
> >> 
> >> Hello Thank you for the information.
> >> 
> >> I tried to search the macro of INT_MAX.
> >> 
> >> include/vdso/limits.h
> >> #define INT_MAX         ((int)(~0U >> 1))
> >> 
> >> AFAIK the dma-buf system heap user can request that huge size more than 2GB.
> >
> >Do you have any pointers? This all is unreclaimable memory, right? How
> >are those users constrained to not go overboard?
> 
> Correct dma-buf system heap memory is unreclaimable. To avoid that huge request,
> this patch includes __GFP_RETRY_MAYFAIL.

__GFP_RETRY_MAYFAIL doesn't avoud huge requests. It will drain the free
available memory to the edge of OOM (especially for low order requests)
so effectively anybody else requesting any memory (GFP_KERNEL like req.)
will hit the oom killer very likely).

>  #define LOW_ORDER_GFP (GFP_HIGHUSER | __GFP_ZERO | __GFP_RETRY_MAYFAIL)
> 
> >
> >> So
> >> I think totalram_pages() is better than INT_MAX in this case.
> >> 
> >> >issue. totalram_pages doesn't really tell you anything about incorrect
> >> >users. You might be on a low memory system where the request size is
> >> >sane normally, it just doesn't fit into memory on that particular
> >> >machine.
> >> 
> >> Sorry maybe I'm not fully understand what you meant. User may requested
> >> a huge size like 3GB on 2GB ram device. But I think that should be rejected
> >> because it is bigger than the device ram size.
> >
> >Even totalram_pages/10 can be just unfeasible amount of data to be
> >allocated without a major disruption. totalram_pages is no measure of
> >the memory availability.
> >If you want to have a ballpark estimation then si_mem_available might be
> >something you are looking for. But I thought the sole purpose of this
> >patch is to catch obviously buggy callers (like sign overflow lenght
> >etc) rather than any memory consumption sanity check.
> 
> Yes if we want to avoid some big size, si_mem_available could be one option.
> Actually I tried to do totalram_pages() / 2 like the old ion system heap in
> the previous patch version. Anyway totalram_pages in this patch is used to
> avoid the buggy size.

So let me repeat that totalram_pages is a wrong thing to do(tm).

This is not a subsystem I would feel like nacking a patch, but consider
this feedback as strong of a rejection as somebody external can give
you. A mm internal allocator would get an outright nack.

What you are doing is just wrong and an antipattern to what other
allocators do. Either use something like INT_MAX to catch overflows or
do not try to catch buggy code but pretend a better memory consumer
citizen by using something like si_mem_available (ideally think of
other potential memory users so do not allow any request to use all
of it). The later might require much more involved interface and I do
rememeber some attempts to account and limit dmabuf memory better.

> And as we discussed in v2 patch, __GFP_RETRY_MAYFAIL was added. And I think
> the gfp makes us feel better in memory perspective.

wishful thinking that is.
-- 
Michal Hocko
SUSE Labs