On Mon, Jun 10, 2024 at 02:00:21PM +0200, Michal Hocko wrote: > On Fri 07-06-24 17:50:34, Jann Horn wrote: > [...] > > Or, from a different angle: You're trying to allocate memory, and you > > can't make forward progress until that memory has been allocated > > (unless the process is killed). That's what GFP_KERNEL is for. Stuff > > like "__GFP_NOWARN | __GFP_NORETRY" is for when you have a backup plan > > that lets you make progress (perhaps in a slightly less efficient way, > > or by dropping some incoming data, or something like that), and it > > hints to the page allocator that it doesn't have to try hard to > > reclaim memory if it can't find free memory quickly. > > Correct. A psedu-busy wait for allocation to succeed sounds like a very > bad idea to imprint into ABI. Is there really any design requirement to > make these mappings to never cause the OOM killer? > > Making the content dropable under memory pressure because it is > inherently recoverable is something else (this is essentially an > implicit MADV_FREE semantic) but putting a requirement on the memory > allocation on the fault sounds just wrong to me. The idea is that syscall getrandom() won't make a process be killed, so neither should vgetrandom(). But there's an argument to be made that the NOWARN|NORETRY logic only made sense with the now-dropped "skip instruction on fault" patch that was so controversial before, since in that case, there wouldn't be infinite retry, but rather skipping and then falling back to the syscall. I think this is nicer behavior, but the implementation caused a stir, so I'm not at the moment going that route. Given that, I think I'll follow your advice and get rid of NOWARN|NORETRY for this too. And then maybe we'll all revisit that later. Jason
