af_unix: limit unix_tot_inflight

Eric Dumazet · davem330 · commit 9915672d4127 · 2010-11-24T09:15:27.000-08:00
Vegard Nossum found a unix socket OOM was possible, posting an exploit
program.

My analysis is we can eat all LOWMEM memory before unix_gc() being
called from unix_release_sock(). Moreover, the thread blocked in
unix_gc() can consume huge amount of time to perform cleanup because of
huge working set.

One way to handle this is to have a sensible limit on unix_tot_inflight,
tested from wait_for_unix_gc() and to force a call to unix_gc() if this
limit is hit.

This solves the OOM and also reduce overall latencies, and should not
slowdown normal workloads.

Reported-by: Vegard Nossum &lt;vegard.nossum@gmail.com&gt;
Signed-off-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
diff --git a/net/unix/garbage.c b/net/unix/garbage.c
@@ -259,9 +259,16 @@ static void inc_inflight_move_tail(struct unix_sock *u)
 }
 
 static bool gc_in_progress = false;
+#define UNIX_INFLIGHT_TRIGGER_GC 16000
 
 void wait_for_unix_gc(void)
 {
+	/*
+	 * If number of inflight sockets is insane,
+	 * force a garbage collect right now.
+	 */
+	if (unix_tot_inflight > UNIX_INFLIGHT_TRIGGER_GC && !gc_in_progress)
+		unix_gc();
 	wait_event(unix_gc_wait, gc_in_progress == false);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -259,9 +259,16 @@ static void inc_inflight_move_tail(struct unix_sock *u)`
`259`	`259`	`}`
`260`	`260`
`261`	`261`	`static bool gc_in_progress = false;`
	`262`	`+#define UNIX_INFLIGHT_TRIGGER_GC 16000`
`262`	`263`
`263`	`264`	`void wait_for_unix_gc(void)`
`264`	`265`	`{`
	`266`	`+ /*`
	`267`	`+ * If number of inflight sockets is insane,`
	`268`	`+ * force a garbage collect right now.`
	`269`	`+ */`
	`270`	`+ if (unix_tot_inflight > UNIX_INFLIGHT_TRIGGER_GC && !gc_in_progress)`
	`271`	`+ unix_gc();`
`265`	`272`	`wait_event(unix_gc_wait, gc_in_progress == false);`
`266`	`273`	`}`
`267`	`274`