public inbox for linux-fsdevel@vger.kernel.org
From: "Shengzhuo Wei" <me@cherr.cc>
To: "John Stultz" <johnstul@us.ibm.com>,
	 "Andrew Morton" <akpm@linux-foundation.org>
Cc: "Yao Zi" <me@ziyao.cc>, <linux-kernel@vger.kernel.org>,
	 <linux-fsdevel@vger.kernel.org>, "Shengzhuo Wei" <me@cherr.cc>
Subject: [PATCH] proc: fix comm_write return value when truncated or error
Date: Fri, 24 Apr 2026 04:06:21 +0800
Message-ID: <20260424-fix_proc_write_return-v1-1-7a793c2aad32@cherr.cc>

When count exceeds TASK_COMM_LEN-1, comm_write() copies at most
TASK_COMM_LEN-1 bytes but returns the original count. This violates
write(2) semantics, which require returning the number of bytes
actually written.

The count parameter is size_t and should not be repurposed to carry a
negative error code on the same_thread_group() failure path.

Introduce a local len for the truncated length and a separate ssize_t
ret for the return value.

Fixes: 4614a696bd1c ("procfs: allow threads to rename siblings via /proc/pid/tasks/tid/comm")
Signed-off-by: Shengzhuo Wei <me@cherr.cc>
---
 fs/proc/base.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/fs/proc/base.c b/fs/proc/base.c
index d9acfa89c894bd1608580331e1d5b3018c59123b..5d34590dbe9d9f05147c3e6b34c615cbf0984b1c 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -1727,8 +1727,10 @@ static ssize_t comm_write(struct file *file, const char __user *buf,
 	struct task_struct *p;
 	char buffer[TASK_COMM_LEN] = {};
 	const size_t maxlen = sizeof(buffer) - 1;
+	size_t len = count > maxlen ? maxlen : count;
+	ssize_t ret;
 
-	if (copy_from_user(buffer, buf, count > maxlen ? maxlen : count))
+	if (copy_from_user(buffer, buf, len))
 		return -EFAULT;
 
 	p = get_proc_task(inode);
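
Review bot: Style point on the new `len` initialiser: the open-coded clamp `count > maxlen ? maxlen : count` reads more clearly as `min(count, maxlen)`, and both operands are already size_t so the helper applies directly. Hoisting the clamp out of the copy_from_user() call is otherwise fine, and `ret` is assigned on both branches of the same_thread_group() test in the next hunk, so leaving it uninitialised here is safe as far as these lines show.
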
@@ -1738,13 +1740,14 @@ static ssize_t comm_write(struct file *file, const char __user *buf,
 	if (same_thread_group(current, p)) {
 		set_task_comm(p, buffer);
 		proc_comm_connector(p);
+		ret = len;
+	} else {
+		ret = -EINVAL;
 	}
-	else
-		count = -EINVAL;
 
 	put_task_struct(p);
 
-	return count;
+	return ret;
 }
 
 static int comm_show(struct seq_file *m, void *v)
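
Review bot: Logic point on `ret = len`: returning a short count is a userspace-visible change for any writer that loops until all bytes are accepted. Each call copies from the start of `buf` into a freshly zeroed `buffer` and passes it to set_task_comm(), so a retry carrying the remaining bytes would replace the name with the tail of the string rather than leave the truncated prefix in place. The changelog should state whether that was considered and why a short return is preferred over keeping `count` on success. Replacing `count = -EINVAL` with a dedicated ssize_t on the error path is a clean improvement on its own and could be split out if the short-write part needs more discussion.
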

---
base-commit: 2e68039281932e6dc37718a1ea7cbb8e2cda42e6
change-id: 20260424-fix_proc_write_return-cd48edb86600

Best regards,
-- 
Shengzhuo Wei <me@cherr.cc>
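
A userspace model of the return-value change described in the commit message above, added here as an illustration and not part of the patch or of the kernel source. `comm_write_model()`, `write_all()` and `run_case()` are hypothetical names, `task_comm` stands in for the task's comm field, and TASK_COMM_LEN is assumed to be 16; the model shows what a caller that retries short writes ends up storing under each return convention.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define TASK_COMM_LEN 16              /* assumption: value not stated in the patch */

static char task_comm[TASK_COMM_LEN]; /* stands in for the target task's comm */

/* Model of comm_write(): short_ret=0 returns count (old), 1 returns len (patched). */
static ssize_t comm_write_model(const char *buf, size_t count, int short_ret)
{
    char buffer[TASK_COMM_LEN] = {0};
    const size_t maxlen = sizeof(buffer) - 1;
    size_t len = count > maxlen ? maxlen : count;

    memcpy(buffer, buf, len);                      /* copy_from_user() in the kernel */
    memcpy(task_comm, buffer, sizeof(task_comm));  /* set_task_comm() in the kernel */
    return short_ret ? (ssize_t)len : (ssize_t)count;
}

/* A common "write everything" loop: retry with the remainder after a short write. */
static int write_all(const char *buf, size_t count, int short_ret)
{
    int calls = 0;
    while (count > 0) {
        ssize_t n = comm_write_model(buf, count, short_ret);
        if (n <= 0)
            return -1;
        buf += n;
        count -= (size_t)n;
        calls++;
    }
    return calls;
}

/* Writes name through write_all(), copies the stored comm to out, returns call count. */
static int run_case(const char *name, int short_ret, char *out)
{
    int calls = write_all(name, strlen(name), short_ret);
    memcpy(out, task_comm, TASK_COMM_LEN);
    return calls;
}

int main(void)
{
    const char *name = "a-very-long-thread-name";  /* constructed sample, 23 bytes */
    char out[TASK_COMM_LEN];
    for (int mode = 0; mode <= 1; mode++) {
        int calls = run_case(name, mode, out);
        printf("%s: %d call(s), comm=\"%s\"\n", mode ? "returns len" : "returns count", calls, out);
    }
    return 0;
}
```
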

Thread overview: 6+ messages
2026-04-23 20:06 Shengzhuo Wei [this message]
2026-04-24 10:50 ` [PATCH] proc: fix comm_write return value when truncated or error Andrew Morton
2026-04-24 13:28   ` Alexey Dobriyan
2026-04-24 18:03     ` Shengzhuo Wei
2026-04-24 18:52       ` Alexey Dobriyan
2026-04-24 13:35 ` Andrew Morton
