Re: 2.6.19-rc4-mm1: writev() _functional_ regression


 



Andrew Morton wrote:
On Sun, 12 Nov 2006 17:30:24 -0500
Nick Orlov <[email protected]> wrote:


Andrew,

Somewhere in between 2.6.18-mm3 and 2.6.19-rc4-mm1 writev() got screwed.
It does not accept zero-length segments anymore.

The bad thing is that it is extremely easy to trigger (even w/o explicit writev calls).
For example the following innocent program will fail with 2.6.19-rc4-mm1:

======================
#include <string.h>
#include <fstream>

int main()
{
 char buf[1024];
 memset(buf, 'A', sizeof(buf));
 std::ofstream ofs("test");
 //ofs << 1 << '\n';
 ofs.write(buf, sizeof(buf));
 return 0;
}
======================


Here is the corresponding part of strace:

======================
open("test", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 3
writev(3, [{NULL, 0}, {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 1024}], 2) = -1 EFAULT (Bad address)
close(3)                                = 0
======================


With 2.6.18-mm3 it works

======================
open("test", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 3
writev(3, [{NULL, 0}, {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 1024}], 2) = 1024
close(3)                                = 0
======================


It works with 2.6.19-rc4-mm1 _if_ zero-length segments are eliminated
(by uncommenting ofs << 1 << '\n'):

======================
open("test", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 3
writev(3, [{"1\n", 2}, {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 1024}], 2) = 1026
close(3)                                = 0
======================


Given that _all_ applications using C++ streams are potentially affected
I think it's better to preserve the previous behavior even if it is
something from "undefined behavior world" (or a plain bug).

The bug is quite dangerous (I was really close to wiping out my mp3 collection).



OK, thanks.  Those patches do need more work.  I'll shelve them for a while.

Yeah, this just needs some kind of 0 size check in the access check
(arguably fault_in_pages_readable could check for zero size, but it could
go into the caller just as easily).

Thanks for reporting.

--
SUSE Labs, Novell Inc.
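
The failing call from the strace output in this thread, reduced to a direct writev() regression check. This is an added example, not code from the thread or from the kernel tree. It goes beyond the reported case by also placing the empty segment in the middle and at the end of the vector; the function name and the scratch file path are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/uio.h>
#include <unistd.h>

/* Write a 2-byte and a 1024-byte segment with one {NULL, 0} segment
 * placed at index zero_pos (0..2). Returns the byte count reported by
 * writev() and confirmed by the file size, or -errno on failure. */
long writev_with_empty_segment(int zero_pos)
{
    char path[] = "/tmp/writev-zero-XXXXXX";   /* constructed scratch file */
    char head[] = "1\n";
    char buf[1024];
    struct iovec data[2] = { { head, 2 }, { buf, sizeof(buf) } };
    struct iovec iov[3];
    struct stat st;
    long ret;
    int fd, i, d = 0;

    if (zero_pos < 0 || zero_pos > 2)
        return -EINVAL;
    memset(buf, 'A', sizeof(buf));
    for (i = 0; i < 3; i++)   /* {NULL, 0} has the same shape as in the strace */
        iov[i] = (i == zero_pos) ? (struct iovec){ NULL, 0 } : data[d++];

    fd = mkstemp(path);
    if (fd < 0)
        return -errno;
    ret = writev(fd, iov, 3);
    if (ret < 0)
        ret = -errno;                 /* -EFAULT is the failure reported here */
    else if (fstat(fd, &st) != 0 || st.st_size != ret)
        ret = -EIO;                   /* short or inconsistent write */
    close(fd);
    unlink(path);
    return ret;
}

int main(void)
{
    for (int pos = 0; pos < 3; pos++)
        printf("empty segment at %d: %ld\n", pos, writev_with_empty_segment(pos));
    return 0;
}
```

On a kernel that accepts zero-length segments, every position returns 1026.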