2018-01-19 08:20:56

by Ivan Vecera

[permalink] [raw]
Subject: [PATCH driver-core] kernfs: fix regression in kernfs_fop_write caused by wrong type

Commit b7ce40cff0b9 ("kernfs: cache atomic_write_len in
kernfs_open_file") changes type of local variable 'len' from ssize_t
to size_t. This change caused that the *ppos value is updated also
when the previous write callback failed.

Mentioned snippet:
...
len = ops->write(...); <- return value can be negative
...
if (len > 0) <- true here in this case
*ppos += len;
...

Fixes: b7ce40cff0b9 ("kernfs: cache atomic_write_len in kernfs_open_file")
Signed-off-by: Ivan Vecera <[email protected]>
---
fs/kernfs/file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/kernfs/file.c b/fs/kernfs/file.c
index 9698e51656b1..d8f49c412f50 100644
--- a/fs/kernfs/file.c
+++ b/fs/kernfs/file.c
@@ -275,7 +275,7 @@ static ssize_t kernfs_fop_write(struct file *file, const char __user *user_buf,
{
struct kernfs_open_file *of = kernfs_of(file);
const struct kernfs_ops *ops;
- size_t len;
+ ssize_t len;
char *buf;

if (of->atomic_write_len) {
--
2.13.6



2018-01-19 17:17:30

by Tejun Heo

[permalink] [raw]
Subject: Re: [PATCH driver-core] kernfs: fix regression in kernfs_fop_write caused by wrong type

On Fri, Jan 19, 2018 at 09:18:54AM +0100, Ivan Vecera wrote:
> Commit b7ce40cff0b9 ("kernfs: cache atomic_write_len in
> kernfs_open_file") changes type of local variable 'len' from ssize_t
> to size_t. This change caused that the *ppos value is updated also
> when the previous write callback failed.
>
> Mentioned snippet:
> ...
> len = ops->write(...); <- return value can be negative
> ...
> if (len > 0) <- true here in this case
> *ppos += len;
> ...
>
> Fixes: b7ce40cff0b9 ("kernfs: cache atomic_write_len in kernfs_open_file")
> Signed-off-by: Ivan Vecera <[email protected]>

Oops.

Acked-by: Tejun Heo <[email protected]>

Thanks.

--
tejun

2018-01-19 17:19:31

by Al Viro

[permalink] [raw]
Subject: Re: [PATCH driver-core] kernfs: fix regression in kernfs_fop_write caused by wrong type

On Fri, Jan 19, 2018 at 09:16:36AM -0800, Tejun Heo wrote:
> On Fri, Jan 19, 2018 at 09:18:54AM +0100, Ivan Vecera wrote:
> > Commit b7ce40cff0b9 ("kernfs: cache atomic_write_len in
> > kernfs_open_file") changes type of local variable 'len' from ssize_t
> > to size_t. This change caused that the *ppos value is updated also
> > when the previous write callback failed.
> >
> > Mentioned snippet:
> > ...
> > len = ops->write(...); <- return value can be negative
> > ...
> > if (len > 0) <- true here in this case
> > *ppos += len;
> > ...
> >
> > Fixes: b7ce40cff0b9 ("kernfs: cache atomic_write_len in kernfs_open_file")
> > Signed-off-by: Ivan Vecera <[email protected]>
>
> Oops.
>
> Acked-by: Tejun Heo <[email protected]>

Applied.