On Wed, Feb 17, 2016 at 3:02 AM, <chenjie6@xxxxxxxxxx> wrote: > From: chenjie <chenjie6@xxxxxxxxxx> > > when we run fs_fsbase_t, some testcase like > write05 failed > > write05 0 TINFO : Enter Block 1: test with bad fd > write05 1 TPASS : received EBADF as expected. > write05 0 TINFO : Exit Block 1 > write05 0 TINFO : Enter Block 2: test with a bad address > write05 2 TFAIL : write() on an invalid buffer succeeded, > but should have failed I'm not sure what fs_fsbase_t is, but when testing by hand I do correctly see an error when I give a bogus user address to dax_io(). Here's the check that fails: if (iov_iter_rw(iter) == WRITE) { len = copy_from_iter_pmem(dax.addr, max - pos, iter); need_wmb = true; } else if (!hole) len = copy_to_iter((void __force *) dax.addr, max - pos, iter); else len = iov_iter_zero(max - pos, iter); if (!len) { rc = -EFAULT; break; } This last if(!len) check fails, and we return -EFAULT. Can you share a small test program to that reproduces incorrect behavior? > > Cc: <stable@xxxxxxxxxxxxxxx> > Signed-off-by: chenjie <chenjie6@xxxxxxxxxx> > > --- > fs/dax.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/fs/dax.c b/fs/dax.c > index fc2e314..e1b1ff6 100644 > --- a/fs/dax.c > +++ b/fs/dax.c > @@ -214,6 +214,11 @@ static ssize_t dax_io(struct inode *inode, struct iov_iter *iter, > max = min(pos + size, end); > } > > + if (unlikely(iov_iter_fault_in_readable(iter, max - pos))) { > + retval = -EFAULT; This doesn't compile... s/retval/rc/ -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html