Thread (9 messages) 9 messages, 4 authors, 2018-10-04

Re: [PATCH] Input: mousedev - add a schedule point in mousedev_write()

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Date: 2018-10-04 19:38:12
Also in: lkml 

On October 4, 2018 12:28:56 PM PDT, Eric Dumazet [off-list ref] wrote:
On Thu, Oct 4, 2018 at 11:59 AM Dmitry Torokhov
[off-list ref] wrote:
quoted
Hi Eric,

On Thu, Oct 04, 2018 at 08:47:49AM -0700, Eric Dumazet wrote:
quoted
syzbot was able to trigger rcu stalls by calling write()
with large number of bytes.

Add a cond_resched() in the loop to avoid this.
I think this simply masks a deeper issue. The code fetches characters
from userspace in a loop, takes a lock, quickly places response in an
output buffer, and releases interrupt. I do not see why this should
cause stalls as we do not hold spinlock/interrupts off for extended
period of time.

Adding Paul so he can straighten me out...
Well...

write(fd, buffer, 0x7FFF0000);

Takes between 20 seconds and 2 minutes depending on CONFIG options ....
That's fine even if it takes a couple of years. We are not holding spinlock for the entirety of this time, so we should get bumped off CPU at some point.

So either apply my patch, or add a limit on the max count, and
possibly break legitimate user space ?
Legitimate users write a single character at a time and read response, so exciting after, let's say, 32 bytes would be fine. But I still want to understand why we have to do that.

I dunno...
quoted
quoted
Link: https://lkml.org/lkml/2018/8/23/1106
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot+9436b02171ac0894d33e@syzkaller.appspotmail.com
Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: linux-input@vger.kernel.org
---
 drivers/input/mousedev.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/input/mousedev.c b/drivers/input/mousedev.c
index
e08228061bcdd2f97aaadece31d6c83eb7539ae5..412fa71245afe26a7a8ad75705566f83633ba347
100644
quoted
quoted
--- a/drivers/input/mousedev.c
+++ b/drivers/input/mousedev.c
@@ -707,6 +707,7 @@ static ssize_t mousedev_write(struct file
*file, const char __user *buffer,
quoted
quoted
              mousedev_generate_response(client, c);

              spin_unlock_irq(&client->packet_lock);
+             cond_resched();
      }

      kill_fasync(&client->fasync, SIGIO, POLL_IN);
--
2.19.0.605.g01d371f741-goog
Thanks.

--
Dmitry

Thanks.

-- 
Dmitry
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help