Re: BUG: mmapfile/writev spurious zero bytes (x86_64/not i386,bisected, reproducable)
From: Linus Torvalds
Date: Tue Jun 17 2008 - 16:42:27 EST
On Tue, 17 Jun 2008, Linus Torvalds wrote:
>
> I actually am starting to think that the bug is in
> __copy_to_user_inatomic_nocache().
Confirmed.
The uncached user copies are totally broken. The number of bytes left
uncopied is simply wrong, because of how it does that unrolled loop and
doesn't account for the fact that just doing loads does not actually
increase the number of bytes copied at all.
So because the "copy_to_user_inatomic()" logic cares _deeply_ about how
many bytes were actually copied, when the copy count is wrong, the code
ends up thinking that it copied more bytes than it actually did, resulting
in the corruption in the page cache.
Nasty.
That whole file is a mess. Sadly, so is the regular "copy_user_64.S" too
(it has the same totally broken comment, too!), this is not just the
uncached version.
And the only reason that it only shows up with the uncached version in
_practice_ is that the routine that uses the x86 string instructions (ie
the "rep movsq" in copy_user_generic_string) actually gets this all right.
So the bug is hidden in that case - which is most CPUs out there (all
CPUs that have X86_FEATURE_REP_GOOD set).
I don't think that code is reasonably salvageable. Damn.
Linus
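The accounting failure described in the message above, as an added example that is not kernel code and not the real copy_user_64.S: an unrolled copy loop that does all of a chunk's loads before any of its stores, a "fixup" that credits bytes as copied as soon as they have been loaded, and a write loop that trusts the returned "bytes left" count. Faults are injected by source offset (standing in for a user page that is not present while page faults are disabled), the chunk size (8 quadwords), the helper names (copy_unrolled, write_loop, short_copy_left, spurious_zero_bytes) and the input data are all constructed assumptions for illustration.

```c
/* Added example, not kernel code: model of wrong "bytes left" accounting
 * in an unrolled copy loop, and its effect on a zero-filled target page. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define WORD        8
#define CHUNK_WORDS 8                  /* assumed: 8 loads, then 8 stores */
#define CHUNK       (CHUNK_WORDS * WORD)
#define MAXLEN      4096

enum fixup { FIXUP_BROKEN, FIXUP_CORRECT };

/* Copy len bytes; any load touching src offset >= fault_at "faults".
 * Returns the number of bytes NOT copied, like the copy_*_user() family. */
static size_t copy_unrolled(void *dst, const void *src, size_t len,
                            size_t fault_at, enum fixup mode)
{
    const uint8_t *s = src;
    uint8_t *d = dst;
    size_t done = 0;

    while (len - done >= CHUNK) {
        uint64_t regs[CHUNK_WORDS];
        unsigned i;

        for (i = 0; i < CHUNK_WORDS; i++) {      /* phase 1: loads only */
            size_t off = done + i * WORD;
            if (off + WORD > fault_at) {
                /* Load i faulted. No store of this chunk has happened,
                 * so the true count is len - done. The broken fixup
                 * credits the i words already loaded as if stored. */
                if (mode == FIXUP_BROKEN)
                    return len - (done + i * WORD);
                return len - done;
            }
            memcpy(&regs[i], s + off, WORD);
        }
        for (i = 0; i < CHUNK_WORDS; i++)        /* phase 2: stores */
            memcpy(d + done + i * WORD, &regs[i], WORD);
        done += CHUNK;
    }
    while (done < len) {                         /* byte tail, exact count */
        if (done >= fault_at)
            return len - done;
        d[done] = s[done];
        done++;
    }
    return 0;
}

/* Model of a page-cache write path: copy atomically, commit whatever the
 * copy routine claims it copied, then fault the source in and retry. */
static size_t write_loop(uint8_t *page, const uint8_t *user, size_t len,
                         size_t fault_at, enum fixup mode)
{
    size_t pos = 0, fault = fault_at;

    while (pos < len) {
        size_t left = copy_unrolled(page + pos, user + pos, len - pos,
                                    fault, mode);
        pos += (len - pos) - left;   /* "write_end": bytes now in the file */
        fault = SIZE_MAX;            /* source faulted in; retry cannot fault */
    }
    return pos;
}

static void fill_user(uint8_t *user, size_t len)
{
    for (size_t i = 0; i < len; i++)
        user[i] = (uint8_t)(1 + i % 255);   /* constructed data, never zero */
}

/* Bytes the copy routine reports as left after one faulting attempt. */
size_t short_copy_left(size_t len, size_t fault_at, enum fixup mode)
{
    uint8_t user[MAXLEN], page[MAXLEN];
    if (len > MAXLEN) return (size_t)-1;
    fill_user(user, len);
    memset(page, 0, sizeof page);            /* freshly allocated page */
    return copy_unrolled(page, user, len, fault_at, mode);
}

/* Bytes of the finished "file" that do not match the user data. */
size_t spurious_zero_bytes(size_t len, size_t fault_at, enum fixup mode)
{
    uint8_t user[MAXLEN], page[MAXLEN];
    size_t bad = 0;
    if (len > MAXLEN) return (size_t)-1;
    fill_user(user, len);
    memset(page, 0, sizeof page);
    write_loop(page, user, len, fault_at, mode);
    for (size_t i = 0; i < len; i++)
        if (page[i] != user[i]) bad++;
    return bad;
}

int main(void)
{
    printf("fault at 100, broken:  left=%zu zero bytes=%zu\n",
           short_copy_left(200, 100, FIXUP_BROKEN),
           spurious_zero_bytes(200, 100, FIXUP_BROKEN));
    printf("fault at 100, correct: left=%zu zero bytes=%zu\n",
           short_copy_left(200, 100, FIXUP_CORRECT),
           spurious_zero_bytes(200, 100, FIXUP_CORRECT));
    return 0;
}
```

With a fault on the fifth load of the second chunk, the broken fixup reports 96 bytes copied when only the first 64-byte chunk was stored; the write loop commits and skips past the 32 bytes that were never written, and they read back as zeros from the pre-zeroed page. The correct fixup reports 64, the retry starts there, and the output matches the input. A routine that loads and stores one unit at a time (the byte tail here, or "rep movsq" in the string variant) never has loaded-but-unstored data, which is why the count comes out right there.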