Re: 2.6.19-rc4-mm1: writev() _functional_ regression

Andrew Morton wrote:

On Sun, 12 Nov 2006 17:30:24 -0500
Nick Orlov <[email protected]> wrote:

Andrew,

Somewhere in between 2.6.18-mm3 and 2.6.19-rc4-mm1 writev() got screwed.
It does not accept zero-length segments anymore.

Bad thing that it is extremely easy to trigger (even w/o explicit writev calls).
For example the following innocent program will fail with 2.6.19-rc4-mm1:

======================
#include <string.h>
#include <fstream>

int main()
{
 char buf[1024];
 memset(buf, 'A', sizeof(buf));
 std::ofstream ofs("test");
 //ofs << 1 << '\n';
 ofs.write(buf, sizeof(buf));
 return 0;
}
======================


Here is the corresponding part if strace:

======================
open("test", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 3
writev(3, [{NULL, 0}, {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 1024}], 2) = -1 EFAULT (Bad address)
close(3)                                = 0
======================


With 2.6.18-mm3 it works

======================
open("test", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 3
writev(3, [{NULL, 0}, {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 1024}], 2) = 1024
close(3)                                = 0
======================


It works with 2.6.19-rc4-mm1 _if_ zero-length segments are eliminated
(by uncommenting ofs << 1 << '\n'):

======================
open("test", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 3
writev(3, [{"1\n", 2}, {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 1024}], 2) = 1026
close(3)                                = 0
======================


Given that _all_ applications using C++ streams are potentially affected
I think it's better to preserve the previous behavior even if it is
something from "undefined behavior world" (or a plain bug).

The bug is quite dangerous (I was really close to wipe out my mp3 collection).



OK, thanks.  Those patches do need more work.  I'll shelve them for a while.


Yeah, this just needs some kind of 0 size check in the access check
(arguably fault_in_pages_readable could check for zero size, but it could
go into the caller just as easily).

Thanks for reporting.

--
SUSE Labs, Novell Inc.

Send instant messages to your online friends http://au.messenger.yahoo.com-

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

References:
- 2.6.19-rc4-mm1: writev() _functional_ regression
  - From: Nick Orlov <[email protected]>
- Re: 2.6.19-rc4-mm1: writev() _functional_ regression
  - From: Andrew Morton <[email protected]>

Prev by Date: Re: [2.6 patch] NET_SCH_ATM doesn't need ipcommon.o
Next by Date: [PATCH] selinux: fix dentry_open() error check
Previous by thread: Re: 2.6.19-rc4-mm1: writev() _functional_ regression
Next by thread: 2.6.18.2: BUG: soft lockup detected on CPU#1!
Index(es):
- Date
- Thread

[Index of Archives] [Kernel Newbies] [Netfilter] [Bugtraq] [Photo] [Stuff] [Gimp] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Video 4 Linux] [Linux for the blind] [Linux Resources]