[nacked] proc-fix-comm_write-return-value-when-truncated-or-error.patch removed from -mm tree

All of lore.kernel.org
 help / color / mirror / Atom feed

* [nacked] proc-fix-comm_write-return-value-when-truncated-or-error.patch removed from -mm tree
@ 2026-04-24 14:12 Andrew Morton
  0 siblings, 0 replies; only message in thread
From: Andrew Morton @ 2026-04-24 14:12 UTC (permalink / raw)
  To: mm-commits, jstultz, adobriyan, me, akpm


The quilt patch titled
     Subject: proc: fix comm_write return value when truncated or error
has been removed from the -mm tree.  Its filename was
     proc-fix-comm_write-return-value-when-truncated-or-error.patch

This patch was dropped because it was nacked

------------------------------------------------------
From: "Shengzhuo Wei" <me@cherr.cc>
Subject: proc: fix comm_write return value when truncated or error
Date: Fri, 24 Apr 2026 04:06:21 +0800

When count exceeds TASK_COMM_LEN-1, comm_write() copies at most
TASK_COMM_LEN-1 bytes but returns the original count.  This violates
write(2) semantics, which require returning the number of bytes actually
written.

The count parameter is size_t and should not be repurposed to carry a
negative error code on the same_thread_group() failure path.

Introduce a local len for the truncated length and a separate ssize_t ret
for the return value.

Link: https://lore.kernel.org/20260424-fix_proc_write_return-v1-1-7a793c2aad32@cherr.cc
Fixes: 4614a696bd1c ("procfs: allow threads to rename siblings via /proc/pid/tasks/tid/comm")
Signed-off-by: Shengzhuo Wei <me@cherr.cc>
Cc: John Stultz <jstultz@google.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 fs/proc/base.c |   11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- a/fs/proc/base.c~proc-fix-comm_write-return-value-when-truncated-or-error
+++ a/fs/proc/base.c
@@ -1727,8 +1727,10 @@ static ssize_t comm_write(struct file *f
 	struct task_struct *p;
 	char buffer[TASK_COMM_LEN] = {};
 	const size_t maxlen = sizeof(buffer) - 1;
+	size_t len = count > maxlen ? maxlen : count;
+	ssize_t ret;
 
-	if (copy_from_user(buffer, buf, count > maxlen ? maxlen : count))
+	if (copy_from_user(buffer, buf, len))
 		return -EFAULT;
 
 	p = get_proc_task(inode);
@@ -1738,13 +1740,14 @@ static ssize_t comm_write(struct file *f
 	if (same_thread_group(current, p)) {
 		set_task_comm(p, buffer);
 		proc_comm_connector(p);
+		ret = len;
+	} else {
+		ret = -EINVAL;
 	}
-	else
-		count = -EINVAL;
 
 	put_task_struct(p);
 
-	return count;
+	return ret;
 }
 
 static int comm_show(struct seq_file *m, void *v)
_

Patches currently in -mm which might be from me@cherr.cc are



^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2026-04-24 14:12 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-24 14:12 [nacked] proc-fix-comm_write-return-value-when-truncated-or-error.patch removed from -mm tree Andrew Morton

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.