On Thu, Sep 12, 2013 at 9:58 PM, Thomas Gleixner tglx@linutronix.de wrote:
On Thu, Sep 12, 2013 at 6:22 PM, Peter Zijlstra peterz@infradead.org wrote:
If 'sane' userspace is never supposed to do this, then only insane userspace is going to hurt from this and that's a GOOD (tm) thing, right? ;-)
Afaik sane userspace doesn't hit the _deadlock_ (or livelock if we have the set_need_resched in there). drm/i915 is a bit different since we have just one lock, and so the same design would actually deadlock even for sane userspace. But hitting contention there and yielding is somewhat expected. Obviously shouldn't happen too often since it'll hurt performance, with either blocking or the yield spinning loop.
So this is actually a non-privileged DoS interface, right?
I think for ttm drivers it's just execbuf being exploitable. But on drm/i915 we've had the same issue with the pwrite/pread ioctls, so a simple glBufferData(glMap) kind of recursion from gl clients blew the kernel to pieces ...
-Daniel