Date: Sun, 5 Feb 2012 19:00:32 GMT From: Bruce Evans <brde@optusnet.com.au> To: freebsd-bugs@FreeBSD.org Subject: Re: kern/164793: 'write' system call violates POSIX standard Message-ID: <201202051900.q15J0Wxo063755@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR standards/164793; it has been noted by GNATS. From: Bruce Evans <brde@optusnet.com.au> To: Nicolas Bourdaud <nicolas.bourdaud@gmail.com> Cc: freebsd-gnats-submit@FreeBSD.org, freebsd-bugs@FreeBSD.org Subject: Re: kern/164793: 'write' system call violates POSIX standard Date: Mon, 6 Feb 2012 05:54:50 +1100 (EST) On Sun, 5 Feb 2012, Nicolas Bourdaud wrote: >> Description: > When a write() cannot transfer as many bytes as requested (because of a file > limit), it fails instead of transferring as many bytes as there is room to > write. > > This is a violation of the POSIX standard: > http://pubs.opengroup.org/onlinepubs/007904975/functions/write.html FreeBSD's handling of the maxfilesize limits is similar, so it has the same bug. This affects many fileystems which copied the buggy code from ffs. (Both truncate() and write() fail if extending to or writing the full number of bytes would exceed the limit. This is correct for truncate(), but write() is required to creep up on the limit.) I think this is actually a bug in POSIX (XSI). Most programs aren't prepared to deal with short writes, and returning an error like truncate() is specified to is adequate. For regular files, most file systems in FreeBSD back out of writes after an i/o error, using ftruncate() (some truncation is necessary for security, since the place at which the error occurred is usually not known precisely), so the following bug in the upper layer rarely matters. From an old version of sys_generic.c, for writing (reading has a similar bug): % if ((error = fo_write(fp, &auio, td->td_ucred, flags, td))) { % /* XXX short write botch. */ % if (auio.uio_resid != cnt && (error == ERESTART || % error == EINTR || error == EWOULDBLOCK)) % error = 0; The XXX comment is only in my version. Here (auio.uio_resid != cnt) means that some i/o was done. In that case, write() is required to return the amount done, with no error, which is implemented by setting `error' to 0. But this is only done if `error' is one of ERESTART, EINTR or EWOULDBLOCK. At least the case of the most common error that is not one of these, namely EIO, is broken. The handling of the special 3 here is delicate: - ERESTART: hopefully can't happen, since if it happens then we should restart. This error is a non-error that in most cases means that the we handled a signal but are not returning with EINTR because SA_RESTART says to restart instead of returning. - EINTR: since we have this and not ERESTART, it is clearly correct to return, but if we did some i/o then we must return its amount and there is no way to return EINTR. - EWOULDBLOCK: similar to EINTR for a SIGALRM, but more precise. I guess this is here since it is the only other common error, and it is not really an error so failing for it would be obviously wrong (except when no i/o was done, EWOULDBLOCK = EAGAIN is the standard way to indicate this). The flag that controls backing out of writes is IO_UNIT. This is always set for write(2), and probably should be set unconditionally (so it shouldn't exist), since not setting it mainly asks for security holes and most cases are write(2) anyway. IO_UNIT means that the i/o is done as an "atomic unit". The semantics of "unit" probably includes doing all of it or none of it, so it would have to be broken to match the POSIX spec. > Patch attached with submission follows: > ... > int main(void) > { > struct rlimit lim; > int fd; > ssize_t retc; > size_t count = 0; > const char pattern[PATTSIZE] = "Hello world!"; > > signal(SIGXFSZ, SIG_IGN); > lim.rlim_cur = LIMSIZE; > setrlimit(RLIMIT_FSIZE, &lim); This is missing initialization of at least lim.rlim_max in lim. This gave the bizarre behaviour that when the program was statically linked, it failed for the first write, because the stack garbage for lim.rlim_max happened to be 0. Bruce
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201202051900.q15J0Wxo063755>