From owner-dev-commits-src-all@freebsd.org  Tue Jan 12 02:53:16 2021
Return-Path: <owner-dev-commits-src-all@freebsd.org>
Delivered-To: dev-commits-src-all@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id E74F84EEA91;
 Tue, 12 Jan 2021 02:53:16 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4DFFWJ6G8tz3pJr;
 Tue, 12 Jan 2021 02:53:16 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:5])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id C9E6F25933;
 Tue, 12 Jan 2021 02:53:16 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
 by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 10C2rGuw009192;
 Tue, 12 Jan 2021 02:53:16 GMT (envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
 by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 10C2rGBW009191;
 Tue, 12 Jan 2021 02:53:16 GMT (envelope-from git)
Date: Tue, 12 Jan 2021 02:53:16 GMT
Message-Id: <202101120253.10C2rGBW009191@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
 dev-commits-src-main@FreeBSD.org
From: Alan Somers <asomers@FreeBSD.org>
Subject: git: ff1a30780199 - main - lio_listio: validate aio_lio_opcode
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: asomers
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: ff1a307801994e18a87929898225f09d31f3e1fa
Auto-Submitted: auto-generated
X-BeenThere: dev-commits-src-all@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Commit messages for all branches of the src repository
 <dev-commits-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/dev-commits-src-all>, 
 <mailto:dev-commits-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/dev-commits-src-all/>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Help: <mailto:dev-commits-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all>, 
 <mailto:dev-commits-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jan 2021 02:53:17 -0000

The branch main has been updated by asomers:

URL: https://cgit.FreeBSD.org/src/commit/?id=ff1a307801994e18a87929898225f09d31f3e1fa

commit ff1a307801994e18a87929898225f09d31f3e1fa
Author:     Alan Somers <asomers@FreeBSD.org>
AuthorDate: 2021-01-10 03:23:05 +0000
Commit:     Alan Somers <asomers@FreeBSD.org>
CommitDate: 2021-01-12 02:53:01 +0000

    lio_listio: validate aio_lio_opcode
    
    Previously, we would accept any kind of LIO_* opcode, including ones
    that were intended for in-kernel use only like LIO_SYNC (which is not
    defined in userland).  The situation became more serious with
    022ca2fc7fe08d51f33a1d23a9be49e6d132914e.  After that revision, setting
    aio_lio_opcode to LIO_WRITEV or LIO_READV would trigger an assertion.
    
    Note that POSIX does not specify what should happen if aio_lio_opcode is
    invalid.
    
    MFC-with:       022ca2fc7fe08d51f33a1d23a9be49e6d132914e
    Reviewed by:    jhb, tmunro, 0mp
    Differential Revision:  <https://reviews.freebsd.org/D28078
---
 lib/libc/sys/aio_return.2 |  8 +++++++-
 sys/kern/vfs_aio.c        | 20 ++++++++++++++-----
 sys/sys/aio.h             |  2 +-
 tests/sys/aio/lio_test.c  | 51 +++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 74 insertions(+), 7 deletions(-)

diff --git a/lib/libc/sys/aio_return.2 b/lib/libc/sys/aio_return.2
index d94fcc7eba62..aebe978fe140 100644
--- a/lib/libc/sys/aio_return.2
+++ b/lib/libc/sys/aio_return.2
@@ -24,7 +24,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd January 2, 2021
+.Dd January 11, 2021
 .Dt AIO_RETURN 2
 .Os
 .Sh NAME
@@ -75,6 +75,12 @@ The
 .Fa iocb
 argument
 does not reference a completed asynchronous I/O request.
+.It Bq Er EINVAL
+The I/O operation was submitted with
+.Fn lio_listio ,
+and the value of the
+.Fa aio_lio_opcode
+is invalid.
 .El
 .Sh SEE ALSO
 .Xr aio_cancel 2 ,
diff --git a/sys/kern/vfs_aio.c b/sys/kern/vfs_aio.c
index 8666d6ea4217..bc0d7e04c9d5 100644
--- a/sys/kern/vfs_aio.c
+++ b/sys/kern/vfs_aio.c
@@ -1556,16 +1556,26 @@ aio_aqueue(struct thread *td, struct aiocb *ujob, struct aioliojob *lj,
 		goto err2;
 	}
 
+	/* Get the opcode. */
+	if (type == LIO_NOP) {
+		switch (job->uaiocb.aio_lio_opcode) {
+		case LIO_WRITE:
+		case LIO_NOP:
+		case LIO_READ:
+			opcode = job->uaiocb.aio_lio_opcode;
+			break;
+		default:
+			error = EINVAL;
+			goto err2;
+		}
+	} else
+		opcode = job->uaiocb.aio_lio_opcode = type;
+
 	ksiginfo_init(&job->ksi);
 
 	/* Save userspace address of the job info. */
 	job->ujob = ujob;
 
-	/* Get the opcode. */
-	if (type != LIO_NOP)
-		job->uaiocb.aio_lio_opcode = type;
-	opcode = job->uaiocb.aio_lio_opcode;
-
 	/*
 	 * Validate the opcode and fetch the file object for the specified
 	 * file descriptor.
diff --git a/sys/sys/aio.h b/sys/sys/aio.h
index dbfbadcd1254..ee928b8bf846 100644
--- a/sys/sys/aio.h
+++ b/sys/sys/aio.h
@@ -43,7 +43,7 @@
 #define	LIO_NOP			0x0
 #define LIO_WRITE		0x1
 #define	LIO_READ		0x2
-#ifdef _KERNEL
+#if defined(_KERNEL) || defined(_WANT_ALL_LIO_OPCODES)
 #define	LIO_SYNC		0x3
 #define	LIO_MLOCK		0x4
 #define	LIO_WRITEV		0x5
diff --git a/tests/sys/aio/lio_test.c b/tests/sys/aio/lio_test.c
index b6965cc9a4ee..fb519aac978d 100644
--- a/tests/sys/aio/lio_test.c
+++ b/tests/sys/aio/lio_test.c
@@ -26,8 +26,11 @@
  * $FreeBSD$
  */
 
+#define _WANT_ALL_LIO_OPCODES
+
 #include <sys/param.h>
 #include <sys/event.h>
+#include <sys/uio.h>
 
 #include <aio.h>
 #include <fcntl.h>
@@ -198,6 +201,53 @@ ATF_TC_BODY(lio_listio_empty_nowait_thread, tc)
 	ATF_REQUIRE_EQ(0, sem_destroy(&completions));
 }
 
+/*
+ * Only select opcodes are allowed with lio_listio
+ */
+ATF_TC_WITHOUT_HEAD(lio_listio_invalid_opcode);
+ATF_TC_BODY(lio_listio_invalid_opcode, tc)
+{
+	struct aiocb sync_cb, mlock_cb, writev_cb, readv_cb;
+	struct aiocb *list[] = {&sync_cb, &mlock_cb, &writev_cb, &readv_cb};
+	struct iovec iov;
+	int fd;
+
+	fd = open("testfile", O_CREAT | O_RDWR);
+	ATF_REQUIRE_MSG(fd >= 0, "open: %s", strerror(errno));
+
+	bzero(&sync_cb, sizeof(sync_cb));
+	sync_cb.aio_fildes = fd;
+	sync_cb.aio_lio_opcode = LIO_SYNC;
+
+	bzero(&mlock_cb, sizeof(mlock_cb));
+	mlock_cb.aio_lio_opcode = LIO_MLOCK;
+
+	iov.iov_base = NULL;
+	iov.iov_len = 0;
+
+	bzero(&readv_cb, sizeof(readv_cb));
+	readv_cb.aio_fildes = fd;
+	readv_cb.aio_lio_opcode = LIO_READV;
+	readv_cb.aio_iov = &iov;
+	readv_cb.aio_iovcnt = 1;
+
+	bzero(&writev_cb, sizeof(writev_cb));
+	writev_cb.aio_fildes = fd;
+	writev_cb.aio_lio_opcode = LIO_WRITEV;
+	writev_cb.aio_iov = &iov;
+	writev_cb.aio_iovcnt = 1;
+
+	ATF_CHECK_ERRNO(EIO, lio_listio(LIO_WAIT, list, nitems(list), NULL));
+	ATF_CHECK_EQ(EINVAL, aio_error(&sync_cb));
+	ATF_CHECK_ERRNO(EINVAL, aio_return(&sync_cb) < 0);
+	ATF_CHECK_EQ(EINVAL, aio_error(&mlock_cb));
+	ATF_CHECK_ERRNO(EINVAL, aio_return(&mlock_cb) < 0);
+	ATF_CHECK_EQ(EINVAL, aio_error(&readv_cb));
+	ATF_CHECK_ERRNO(EINVAL, aio_return(&readv_cb) < 0);
+	ATF_CHECK_EQ(EINVAL, aio_error(&writev_cb));
+	ATF_CHECK_ERRNO(EINVAL, aio_return(&writev_cb) < 0);
+}
+
 
 ATF_TP_ADD_TCS(tp)
 {
@@ -207,6 +257,7 @@ ATF_TP_ADD_TCS(tp)
 	ATF_TP_ADD_TC(tp, lio_listio_empty_nowait_signal);
 	ATF_TP_ADD_TC(tp, lio_listio_empty_nowait_thread);
 	ATF_TP_ADD_TC(tp, lio_listio_empty_wait);
+	ATF_TP_ADD_TC(tp, lio_listio_invalid_opcode);
 
 	return (atf_no_error());
 }