git: c6c0b631fa26 - stable/13 - aio: Fix up the opcode in aiocb32_copyin()
Date: Wed, 06 Sep 2023 21:56:34 UTC
The branch stable/13 has been updated by jhb:
URL: https://cgit.FreeBSD.org/src/commit/?id=c6c0b631fa26afc22c8476f577728d65a003e801
commit c6c0b631fa26afc22c8476f577728d65a003e801
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-09-11 16:55:32 +0000
Commit: John Baldwin <jhb@FreeBSD.org>
CommitDate: 2023-09-06 21:56:09 +0000
aio: Fix up the opcode in aiocb32_copyin()
With lio_listio(2), the opcode is specified by userspace rather than
being hard-coded by the system call (e.g., aio_readv() -> LIO_READV).
kern_lio_listio() calls aio_aqueue() with an opcode of LIO_NOP, which
gets fixed up when the aiocb is copied in.
When copying in a job request for vectored I/O, we need to dynamically
allocate a uio to wrap an iovec. So aiocb_copyin() needs to get the
opcode from the aiocb and then decide whether an allocation is required.
We failed to do this in the COMPAT_FREEBSD32 case. Fix it.
Reported by: syzbot+27eab6f2c2162f2885ee@syzkaller.appspotmail.com
Reviewed by: kib, asomers
Fixes: f30a1ae8d529 ("lio_listio(2): Allow LIO_READV and LIO_WRITEV.")
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D31914
(cherry picked from commit 2884918c73389bebfc8025bfb267adae086ee0bd)
---
sys/kern/vfs_aio.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sys/kern/vfs_aio.c b/sys/kern/vfs_aio.c
index 02014ceefdf5..5ad912ea38c4 100644
--- a/sys/kern/vfs_aio.c
+++ b/sys/kern/vfs_aio.c
@@ -2829,6 +2829,8 @@ aiocb32_copyin(struct aiocb *ujob, struct kaiocb *kjob, int type)
CP(job32, *kcb, aio_fildes);
CP(job32, *kcb, aio_offset);
CP(job32, *kcb, aio_lio_opcode);
+ if (type == LIO_NOP)
+ type = kcb->aio_lio_opcode;
if (type & LIO_VECTORED) {
iov32 = PTRIN(job32.aio_iov);
CP(job32, *kcb, aio_iovcnt);
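Review bot: the opcode substituted at `if (type == LIO_NOP) type = kcb->aio_lio_opcode;` comes straight from the user-supplied 32-bit aiocb copied in by the preceding `CP(job32, *kcb, aio_lio_opcode);`, so the `type & LIO_VECTORED` test on the next line now branches on an unvalidated user value; the hunk shows no range check on `aio_lio_opcode` here, so the change is only safe if the caller (kern_lio_listio() via aio_aqueue(), per the commit message) rejects unknown or disallowed opcodes after copyin returns, and it would be worth stating that invariant in a comment above the new check. Note also that the fixup is applied to the local `type` only and is not passed back to the caller, which is fine as long as aio_aqueue() re-reads `kcb->aio_lio_opcode` for the LIO_NOP case rather than relying on its own `type` argument, matching what the native aiocb_copyin() path is described as doing.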