Hi all
I found an (IMHO) silly bug in do_sendfile in 2.6.13.x kernels (at
least in 2.6.13.3 and .4, didn't backtrack to find where it
originated). Without the patch all I apparently get from sys_sendfile
is an oops due to a call in sys_sendfile with ppos being NULL. With the
patch it works OK. Noticed in vsftpd.
The patch may apply with some fuzz as my kernel is somehwat patched but
the gist of the patch is the same anyway
Regards,
Grzegorz Nosek
--- linux-2.6/fs/read_write.c~ 2005-10-06 21:35:03.000000000 +0200
+++ linux-2.6/fs/read_write.c 2005-10-05 19:14:04.000000000 +0200
@@ -719,7 +719,7 @@
current->syscr++;
current->syscw++;
- if (*ppos > max)
+ if (ppos && *ppos > max)
retval = -EOVERFLOW;
fput_out:
Grzegorz Nosek napsal(a):
>Hi all
>
>I found an (IMHO) silly bug in do_sendfile in 2.6.13.x kernels (at
>least in 2.6.13.3 and .4, didn't backtrack to find where it
>originated). Without the patch all I apparently get from sys_sendfile
>is an oops due to a call in sys_sendfile with ppos being NULL. With the
>patch it works OK. Noticed in vsftpd.
>
>The patch may apply with some fuzz as my kernel is somehwat patched but
>the gist of the patch is the same anyway
>
>Regards,
> Grzegorz Nosek
>
>--- linux-2.6/fs/read_write.c~ 2005-10-06 21:35:03.000000000 +0200
>+++ linux-2.6/fs/read_write.c 2005-10-05 19:14:04.000000000 +0200
>@@ -719,7 +719,7 @@
> current->syscr++;
> current->syscw++;
>
>- if (*ppos > max)
>+ if (ppos && *ppos > max)
>
>
I don't know the code surrounding this, but shouldn't be this
(!ppos || *ppos > max)?
> retval = -EOVERFLOW;
>
> fput_out:
>
>
--
js
On Tue, Oct 11, 2005 at 10:56:43AM +0200, Grzegorz Nosek wrote:
> I found an (IMHO) silly bug in do_sendfile in 2.6.13.x kernels (at
> least in 2.6.13.3 and .4, didn't backtrack to find where it
> originated). Without the patch all I apparently get from sys_sendfile
> is an oops due to a call in sys_sendfile with ppos being NULL. With the
> patch it works OK. Noticed in vsftpd.
>
> @@ -719,7 +719,7 @@
> current->syscr++;
> current->syscw++;
>
> - if (*ppos > max)
> + if (ppos && *ppos > max)
That change can't fix a bug in 2.6.13, because ppos is forced to be
non-null further up the file:
622 static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos,
...
647 if (!ppos)
648 ppos = &in_file->f_pos;
...
684 pos = *ppos;
...
701 current->syscr++;
702 current->syscw++;
703
704 if (*ppos > max)
705 retval = -EOVERFLOW;
(line numbers from 2.6.13.)
So there must be something else at work. Perhaps your patches?
On Tue, Oct 11, 2005 at 04:53:47PM +0200, Jiri Slaby wrote:
> I don't know the code surrounding this, but shouldn't be this
> (!ppos || *ppos > max)?
That would be wrong, too; if it were valid to call in with ppos==0, you
wouldn't want to return EOVERFLOW; and if ppos==0 were not valid and you
wanted to return an error, EOVERFLOW would be the wrong error to return.
-andy
* Grzegorz Nosek ([email protected]) wrote:
> --- linux-2.6/fs/read_write.c~ 2005-10-06 21:35:03.000000000 +0200
> +++ linux-2.6/fs/read_write.c 2005-10-05 19:14:04.000000000 +0200
> @@ -719,7 +719,7 @@
> current->syscr++;
> current->syscw++;
>
> - if (*ppos > max)
> + if (ppos && *ppos > max)
> retval = -EOVERFLOW;
This doesn't make sense. ppos must not be NULL.
Code looks like this:
if (!ppos)
ppos = &in_file->f_pos;
...
pos = *ppos;
...
if (*ppos > max)
So it can't be NULL, and if somehow it were, the oops would've already
happened.
2005/10/12, Andy Isaacson <[email protected]>:
> On Tue, Oct 11, 2005 at 10:56:43AM +0200, Grzegorz Nosek wrote:
> > I found an (IMHO) silly bug in do_sendfile in 2.6.13.x kernels (at
> > least in 2.6.13.3 and .4, didn't backtrack to find where it
> > originated). Without the patch all I apparently get from sys_sendfile
> > is an oops due to a call in sys_sendfile with ppos being NULL. With the
> > patch it works OK. Noticed in vsftpd.
> >
> > @@ -719,7 +719,7 @@
> > current->syscr++;
> > current->syscw++;
> >
> > - if (*ppos > max)
> > + if (ppos && *ppos > max)
>
> That change can't fix a bug in 2.6.13, because ppos is forced to be
> non-null further up the file:
>
> 622 static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos,
> ...
> 647 if (!ppos)
> 648 ppos = &in_file->f_pos;
> ...
> 684 pos = *ppos;
> ...
> 701 current->syscr++;
> 702 current->syscw++;
> 703
> 704 if (*ppos > max)
> 705 retval = -EOVERFLOW;
>
> (line numbers from 2.6.13.)
>
> So there must be something else at work. Perhaps your patches?
>
> On Tue, Oct 11, 2005 at 04:53:47PM +0200, Jiri Slaby wrote:
> > I don't know the code surrounding this, but shouldn't be this
> > (!ppos || *ppos > max)?
>
> That would be wrong, too; if it were valid to call in with ppos==0, you
> wouldn't want to return EOVERFLOW; and if ppos==0 were not valid and you
> wanted to return an error, EOVERFLOW would be the wrong error to return.
>
> -andy
>
OK so I must have a broken kernel tree then. The lines you mention in
my version belong to vfs_sendfile function which indeed ensures ppos
is a valid pointer but do_sendfile is called from sys_sendfile(64).
I'll find the patch that did the change (some must have, obviously)
and report it there (probably linux-vserver is to blame)
This section of the file in vanilla 2.6.13.4 looks nothing like in my
file and the 2.6.13.3 and 2.6.13.4 patches have no changes there so at
least that's cleared up.
Regards,
Greg
2005/10/12, Chris Wright <[email protected]>:
> * Grzegorz Nosek ([email protected]) wrote:
> > --- linux-2.6/fs/read_write.c~ 2005-10-06 21:35:03.000000000 +0200
> > +++ linux-2.6/fs/read_write.c 2005-10-05 19:14:04.000000000 +0200
> > @@ -719,7 +719,7 @@
> > current->syscr++;
> > current->syscw++;
> >
> > - if (*ppos > max)
> > + if (ppos && *ppos > max)
> > retval = -EOVERFLOW;
>
> This doesn't make sense. ppos must not be NULL.
>
> Code looks like this:
>
> if (!ppos)
> ppos = &in_file->f_pos;
> ...
> pos = *ppos;
> ...
> if (*ppos > max)
>
> So it can't be NULL, and if somehow it were, the oops would've already
> happened.
>
Yeah, I know. It turned out to be a 3rd-party patch (vserver
probably). My read_write.c looks very different and somehow I
overlooked that while checking with vanilla 2.6.13.3. Sorry for the
confusion.
Regards,
Greg