Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 11 Sep 2021 17:04:01 GMT
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 2884918c7338 - main - aio: Fix up the opcode in aiocb32_copyin()
Message-ID:  <202109111704.18BH41RO096221@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=2884918c73389bebfc8025bfb267adae086ee0bd

commit 2884918c73389bebfc8025bfb267adae086ee0bd
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-09-11 16:55:32 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-09-11 16:58:41 +0000

    aio: Fix up the opcode in aiocb32_copyin()
    
    With lio_listio(2), the opcode is specified by userspace rather than
    being hard-coded by the system call (e.g., aio_readv() -> LIO_READV).
    kern_lio_listio() calls aio_aqueue() with an opcode of LIO_NOP, which
    gets fixed up when the aiocb is copied in.
    
    When copying in a job request for vectored I/O, we need to dynamically
    allocate a uio to wrap an iovec.  So aiocb_copyin() needs to get the
    opcode from the aiocb and then decide whether an allocation is required.
    We failed to do this in the COMPAT_FREEBSD32 case.  Fix it.
    
    Reported by:    syzbot+27eab6f2c2162f2885ee@syzkaller.appspotmail.com
    Reviewed by:    kib, asomers
    Fixes:  f30a1ae8d529 ("lio_listio(2):  Allow LIO_READV and LIO_WRITEV.")
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D31914
---
 sys/kern/vfs_aio.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sys/kern/vfs_aio.c b/sys/kern/vfs_aio.c
index 602c91b542de..2da1a81d41bc 100644
--- a/sys/kern/vfs_aio.c
+++ b/sys/kern/vfs_aio.c
@@ -2826,6 +2826,8 @@ aiocb32_copyin(struct aiocb *ujob, struct kaiocb *kjob, int type)
 	CP(job32, *kcb, aio_fildes);
 	CP(job32, *kcb, aio_offset);
 	CP(job32, *kcb, aio_lio_opcode);
+	if (type == LIO_NOP)
+		type = kcb->aio_lio_opcode;
 	if (type & LIO_VECTORED) {
 		iov32 = PTRIN(job32.aio_iov);
 		CP(job32, *kcb, aio_iovcnt);

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202109111704.18BH41RO096221>