fix(mm/vfs): 修复 writev 无法正确处理部分 iov 为受保护内存空间的情况

mistcoversmyeyes · mistcoversmyeyes · commit a91605c40d2b · 2025-11-17T21:15:15.000+08:00
- 引入 user_accessible_len() 以测量从给定地址 `address` 开始，能够被访问的最长连续字节长度（注：使用vma进行校验）
- 使 IoVecs::gather 返回 Result 并仅聚合可以被读取的 `buf` 部分（注意，一旦碰到不可访问的 iov，后面的iov都会被抛弃）
- 在 writev/pwritev 中传播新的 Result 以支持 gVisor 下的部分写入
diff --git a/kernel/src/filesystem/vfs/iov.rs b/kernel/src/filesystem/vfs/iov.rs
@@ -1,7 +1,10 @@
 use alloc::vec::Vec;
 use system_error::SystemError;
 
-use crate::syscall::user_access::{UserBufferReader, UserBufferWriter};
+use crate::{
+    mm::VirtAddr,
+    syscall::user_access::{user_accessible_len, UserBufferReader, UserBufferWriter},
+};
 #[repr(C)]
 #[derive(Debug, Clone, Copy)]
 pub struct IoVec {
@@ -73,24 +76,55 @@ impl IoVecs {
     /// This function reads data from each IoVec in sequence and combines them into
     /// a single contiguous buffer.
     ///
-    /// # Returns
+    /// **Returns:**
     ///
-    /// Returns a [`Vec<u8>`] containing all the data from the IoVecs.
+    /// Returns a [`Vec<u8>`] containing the data copied from the IoVecs.
     ///
-    /// # Examples
+    /// **To Be patient:**
     ///
-    /// ```rust
-    /// let iovecs = IoVecs::from_user(/* ... */)?;
-    /// let buffer = iovecs.gather();
-    /// ```
-    pub fn gather(&self) -> Vec<u8> {
-        let mut buf = Vec::new();
-        for slice in self.0.iter() {
-            let buf_reader = UserBufferReader::new(slice.iov_base, slice.iov_len, true).unwrap();
-            let slice = buf_reader.buffer::<u8>(0).unwrap();
-            buf.extend_from_slice(slice);
+    /// If a buffer is only partially accessible, data is copied up to **the first
+    /// inaccessible byte** and the remaining iovecs are ignored. If no data can be
+    /// read at all, `Err(SystemError::EFAULT)` is returned.
+    pub fn gather(&self) -> Result<Vec<u8>, SystemError> {
+        let mut buf = Vec::with_capacity(self.total_len());
+
+        for iov in self.0.iter() {
+            // 检查从 iov_base 开始有多少连续可访问的空间
+            let accessible =
+                user_accessible_len(VirtAddr::new(iov.iov_base as usize), iov.iov_len, false);
+
+            // log::debug!(
+            //     "iov is {:?}. iov_len: {}; accessible len:{}",
+            //     iov,
+            //     iov.iov_len,
+            //     accessible
+            // );
+
+            // 如果一个字节都不能访问
+            if accessible == 0 {
+                if buf.is_empty() {
+                    // log::error!(
+                    //     "The first iov is empty, returning EFAULT. iov shape: {:?}",
+                    //     iov
+                    // );
+                    return Err(SystemError::EFAULT);
+                }
+                return Ok(buf);
+            }
+
+            // 复制可访问的部分
+            unsafe {
+                let src = core::slice::from_raw_parts(iov.iov_base as *const u8, accessible);
+                buf.extend_from_slice(src);
+            }
+
+            // 如果没有读取完整个 iov，说明遇到了不可访问的区域
+            if accessible < iov.iov_len {
+                return Ok(buf);
+            }
         }
-        return buf;
+
+        Ok(buf)
     }
 
     /// Scatters the given data into the IoVecs.
diff --git a/kernel/src/filesystem/vfs/syscall/sys_pwritev.rs b/kernel/src/filesystem/vfs/syscall/sys_pwritev.rs
@@ -40,7 +40,7 @@ impl Syscall for SysPwriteVHandle {
 
         // 将用户态传入的指向用户态应用的数据结构重新在内核栈上构造
         let iovecs = unsafe { IoVecs::from_user(iov, iov_count, false) }?;
-        let data = iovecs.gather();
+        let data = iovecs.gather()?;
 
         do_pwritev(fd, &data, offset)
     }
diff --git a/kernel/src/filesystem/vfs/syscall/sys_writev.rs b/kernel/src/filesystem/vfs/syscall/sys_writev.rs
@@ -45,7 +45,7 @@ impl Syscall for SysWriteVHandle {
 
         // IoVecs会进行用户态检验
         let iovecs = unsafe { IoVecs::from_user(iov, count, false) }?;
-        let data = iovecs.gather();
+        let data = iovecs.gather()?;
         do_write(fd, &data)
     }
 
diff --git a/kernel/src/syscall/user_access.rs b/kernel/src/syscall/user_access.rs
@@ -1,6 +1,7 @@
 //! This file contains functions for kernel-space access to user-space data
 
 use core::{
+    cmp::min,
     mem::size_of,
     num::NonZero,
     slice::{from_raw_parts, from_raw_parts_mut},
@@ -12,7 +13,7 @@ use defer::defer;
 
 use crate::{
     arch::MMArch,
-    mm::{verify_area, MemoryManagementArch, VirtAddr},
+    mm::{verify_area, MemoryManagementArch, VirtAddr, VmFlags},
     process::ProcessManager,
 };
 
@@ -704,3 +705,81 @@ fn check_user_access_by_page_table(addr: VirtAddr, size: usize, check_write: boo
 
     return true;
 }
+
+/// Compute the contiguous accessible length starting at `addr`.
+///
+/// Returns the number of bytes that can be accessed before hitting an unmapped
+/// page or a page that lacks the requested permissions.
+pub fn user_accessible_len(addr: VirtAddr, size: usize, check_write: bool) -> usize {
+    // log::error!(
+    //     "user_accessible_len(addr: {:?}, size:{:?}, check_write:{:?}",
+    //     addr,
+    //     size,
+    //     check_write
+    // );
+    if size == 0 || addr.is_null() {
+        return 0;
+    }
+
+    // 获取当前进程的 VMA （可访问的地址空间）
+    let vm = match ProcessManager::current_pcb().basic().user_vm() {
+        Some(vm) => vm,
+        None => return 0,
+    };
+
+    let vma_read_guard = vm.read_irqsave();
+    let mappings = &vma_read_guard.mappings;
+
+    let mut checked = 0usize;
+    let mut current = addr;
+
+    while checked < size {
+        // 判断当前地址是否落在一个有效 VMA 中
+        let Some(vma) = mappings.contains(current) else {
+            break;
+        };
+
+        let (region_end, vm_flags) = {
+            let guard = vma.lock_irqsave();
+            let region_end = guard.region().end().data();
+            let vm_flags = *guard.vm_flags();
+            (region_end, vm_flags)
+        };
+
+        // 根据 vm_flags 判断是否具备访问权限
+        let has_permission = if check_write {
+            vm_flags.contains(VmFlags::VM_WRITE)
+        } else {
+            vm_flags.contains(VmFlags::VM_READ)
+        };
+
+        if !has_permission {
+            break;
+        }
+
+        let current_addr = current.data();
+        let available = region_end.saturating_sub(current_addr);
+        if available == 0 {
+            break;
+        }
+
+        // 这里的 `step` 要区分两种情况
+        // - 第一种情况：`available`（当前 VMA 剩余长度）已经覆盖了 `size - checked`，说明
+        //   本次检查的剩余数据全部落在这个 VMA 内，`step` 直接等于 `size - checked`。
+        // - 第二种情况：`available` 比 `size - checked` 小，意味着我们会在这个 VMA 的末尾停下，
+        //   需要等下一次循环再确认后续地址是否仍有 VMA 覆盖。
+        // - 例如 (addr = 0x1, size = 10)，若某个 VMA 只覆盖 [0x0, 0x5)，则第一轮只能推进 4 个字节，
+        //   后续是否继续完全取决于下一个 VMA 是否与 0x5 处相接且具有相同访问权限。
+        //   若下一轮 VMA 覆盖 [0x5, 0xf)，虽然这块 VMA 可访问空间 available == 10 ,但是我们需要检查的部分就只剩 10 - 4 = 6 bytes。
+        //   所以 `step` 选择为  size - checked
+        let step = min(available, size - checked);
+        checked += step;
+
+        let Some(next) = current_addr.checked_add(step) else {
+            break;
+        };
+        current = VirtAddr::new(next);
+    }
+
+    checked
+}

Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ impl Syscall for SysPwriteVHandle {`
`40`	`40`
`41`	`41`	`// 将用户态传入的指向用户态应用的数据结构重新在内核栈上构造`
`42`	`42`	`let iovecs = unsafe { IoVecs::from_user(iov, iov_count, false) }?;`
`43`		`- let data = iovecs.gather();`
	`43`	`+ let data = iovecs.gather()?;`
`44`	`44`
`45`	`45`	`do_pwritev(fd, &data, offset)`
`46`	`46`	`}`
Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@ impl Syscall for SysWriteVHandle {`
`45`	`45`
`46`	`46`	`// IoVecs会进行用户态检验`
`47`	`47`	`let iovecs = unsafe { IoVecs::from_user(iov, count, false) }?;`
`48`		`- let data = iovecs.gather();`
	`48`	`+ let data = iovecs.gather()?;`
`49`	`49`	`do_write(fd, &data)`
`50`	`50`	`}`
`51`	`51`