RE: [tip: sched/core] sched/psi: Correct overly pessimistic size calculation

2019-09-16 Thread David Laight 
From: Miles Chen
> Sent: 13 September 2019 23:43
> The following commit has been merged into the sched/core branch of tip:
> 
> Commit-ID: 4adcdcea717cb2d8436bef00dd689aa5bc76f11b
> Gitweb:
> https://git.kernel.org/tip/4adcdcea717cb2d8436bef00dd689aa5bc76f11b
> Author:Miles Chen 
> AuthorDate:Thu, 12 Sep 2019 18:34:52 +08:00
> Committer: Ingo Molnar 
> CommitterDate: Fri, 13 Sep 2019 07:49:28 +02:00
> 
> sched/psi: Correct overly pessimistic size calculation
> 
> When passing a equal or more then 32 bytes long string to psi_write(),
> psi_write() copies 31 bytes to its buf and overwrites buf[30]
> with '\0'. Which makes the input string 1 byte shorter than
> it should be.
> 
> Fix it by copying sizeof(buf) bytes when nbytes >= sizeof(buf).
> 
> This does not cause problems in normal use case like:
> "some 50 1000" or "full 50 1000" because they
> are less than 32 bytes in length.
> 
>   /* assuming nbytes == 35 */
>   char buf[32];
> 
>   buf_size = min(nbytes, (sizeof(buf) - 1)); /* buf_size = 31 */
>   if (copy_from_user(buf, user_buf, buf_size))
>   return -EFAULT;
> 
>   buf[buf_size - 1] = '\0'; /* buf[30] = '\0' */

Wouldn't it be better to also allow the user to pass
an unterminated string?
So leave the '-1' on the assignment to buf_size, but remove
it from the last line.

David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, 
UK
Registration No: 1397386 (Wales)

[tip: sched/core] sched/psi: Correct overly pessimistic size calculation

2019-09-13 Thread tip-bot2 for Miles Chen 
The following commit has been merged into the sched/core branch of tip:

Commit-ID: 4adcdcea717cb2d8436bef00dd689aa5bc76f11b
Gitweb:
https://git.kernel.org/tip/4adcdcea717cb2d8436bef00dd689aa5bc76f11b
Author:Miles Chen 
AuthorDate:Thu, 12 Sep 2019 18:34:52 +08:00
Committer: Ingo Molnar 
CommitterDate: Fri, 13 Sep 2019 07:49:28 +02:00

sched/psi: Correct overly pessimistic size calculation

When passing a equal or more then 32 bytes long string to psi_write(),
psi_write() copies 31 bytes to its buf and overwrites buf[30]
with '\0'. Which makes the input string 1 byte shorter than
it should be.

Fix it by copying sizeof(buf) bytes when nbytes >= sizeof(buf).

This does not cause problems in normal use case like:
"some 50 1000" or "full 50 1000" because they
are less than 32 bytes in length.

/* assuming nbytes == 35 */
char buf[32];

buf_size = min(nbytes, (sizeof(buf) - 1)); /* buf_size = 31 */
if (copy_from_user(buf, user_buf, buf_size))
return -EFAULT;

buf[buf_size - 1] = '\0'; /* buf[30] = '\0' */

Before:

 %cd /proc/pressure/
 %echo "123456789|123456789|123456789|1234" > memory
 [   22.473497] nbytes=35,buf_size=31
 [   22.473775] 123456789|123456789|123456789| (print 30 chars)
 %sh: write error: Invalid argument

 %echo "123456789|123456789|123456789|1" > memory
 [   64.916162] nbytes=32,buf_size=31
 [   64.916331] 123456789|123456789|123456789| (print 30 chars)
 %sh: write error: Invalid argument

After:

 %cd /proc/pressure/
 %echo "123456789|123456789|123456789|1234" > memory
 [  254.837863] nbytes=35,buf_size=32
 [  254.838541] 123456789|123456789|123456789|1 (print 31 chars)
 %sh: write error: Invalid argument

 %echo "123456789|123456789|123456789|1" > memory
 [ 9965.714935] nbytes=32,buf_size=32
 [ 9965.715096] 123456789|123456789|123456789|1 (print 31 chars)
 %sh: write error: Invalid argument

Also remove the superfluous parentheses.

Signed-off-by: Miles Chen 
Cc: 
Cc: 
Cc: Linus Torvalds 
Cc: Peter Zijlstra 
Cc: Thomas Gleixner 
Link: https://lkml.kernel.org/r/20190912103452.13281-1-miles.c...@mediatek.com
Signed-off-by: Ingo Molnar 
---
 kernel/sched/psi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c
index 7acc632..4b14a32 100644
--- a/kernel/sched/psi.c
+++ b/kernel/sched/psi.c
@@ -1190,7 +1190,7 @@ static ssize_t psi_write(struct file *file, const char 
__user *user_buf,
if (static_branch_likely(&psi_disabled))
return -EOPNOTSUPP;
 
-   buf_size = min(nbytes, (sizeof(buf) - 1));
+   buf_size = min(nbytes, sizeof(buf));
if (copy_from_user(buf, user_buf, buf_size))
return -EFAULT;