Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1759129AbXKLOI0 (ORCPT ); Mon, 12 Nov 2007 09:08:26 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1758736AbXKLOIS (ORCPT ); Mon, 12 Nov 2007 09:08:18 -0500 Received: from ns2.suse.de ([195.135.220.15]:44297 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1758580AbXKLOIR (ORCPT ); Mon, 12 Nov 2007 09:08:17 -0500 Message-ID: <47385E4A.5030306@suse.de> Date: Mon, 12 Nov 2007 23:08:10 +0900 From: Tejun Heo User-Agent: Thunderbird 2.0.0.6 (X11/20070801) MIME-Version: 1.0 To: Miao Xie Cc: gregkh@suse.de, linux-kernel@vger.kernel.org Subject: Re: [PATCH] sysfs: fix off-by-one error in fill_read_buffer References: <4732EDD2.2050406@cn.fujitsu.com> In-Reply-To: <4732EDD2.2050406@cn.fujitsu.com> X-Enigmail-Version: 0.95.3 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1806 Lines: 45 Miao Xie wrote: > Hi,everyone. > I found that there is a off-by-one problem in the following code. > > Version: 2.6.24-rc2 > File: fs/sysfs/file.c:118-122 > Function: fill_read_buffer > -------------------------------------------------------------------- > count = ops->show(kobj, attr_sd->s_attr.attr, buffer->page); > > sysfs_put_active_two(attr_sd); > > BUG_ON(count > (ssize_t)PAGE_SIZE); > -------------------------------------------------------------------- > Because according to the specification of the sysfs and the implement of > the > show methods, the show methods return the number of bytes which would be > generated for the given input, excluding the trailing null.So if the return > value of the show methods equals PAGE_SIZE - 1, the buffer is full in fact. > And if the return value equals PAGE_SIZE, the resulting string was already > truncated,or buffer overflow occurred. > > This patch fixes an off-by-one error in fill_read_buffer. > > Signed-off-by: Miao Xie It isn't strictly a bug. If the ->show() op fills full PAGE_SIZE and returns PAGE_SIZE, the user will get full PAGE_SIZE bytes correctly, so it will work. However, considering normal use cases, return value of PAGE_SIZE very likely indicates an error condition, so considering it a BUG condition is a good idea. Miao, can you please note that the code works fine with PAGE_SIZE return but it's likely to indicate truncated result or overflow in normal use cases as a comment on top of the BUG_ON()? Thanks. -- tejun - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/