On Fri, May 31, 2024 at 12:48:58PM +0200, Jann Horn wrote: > On Tue, May 28, 2024 at 2:24 PM Jason A. Donenfeld <Jason@xxxxxxxxx> wrote: > > c) If there's not enough memory to service a page fault, it's not fatal. > [...] > > @@ -5689,6 +5689,10 @@ vm_fault_t handle_mm_fault(struct vm_area_struct *vma, unsigned long address, > > > > lru_gen_exit_fault(); > > > > + /* If the mapping is droppable, then errors due to OOM aren't fatal. */ > > + if (vma->vm_flags & VM_DROPPABLE) > > + ret &= ~VM_FAULT_OOM; > > Can you remind me how this is supposed to work? If we get an OOM > error, and the error is not fatal, does that mean we'll just keep > hitting the same fault handler over and over again (until we happen to > have memory available again I guess)? Right, it'll just keep retrying. I agree this isn't great, which is why in the 2023 patchset, I had additional code to simply skip the faulting instruction, and then the userspace code would notice the inconsistency and fallback to the syscall. This worked pretty well. But it meant decoding the instruction and in general skipping instructions is weird, and that made this patchset very very contentious. Since the skipping behavior isn't actually required by the /security goals/ of this, I figured I'd just drop that. And maybe we can all revisit it together sometime down the line. But for now I'm hoping for something a little easier to swallow. Jason
