git: 2884918c7338 - main - aio: Fix up the opcode in aiocb32_copyin()

Mark Johnston markj at FreeBSD.org
Sat Sep 11 17:04:01 UTC 2021


The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=2884918c73389bebfc8025bfb267adae086ee0bd

commit 2884918c73389bebfc8025bfb267adae086ee0bd
Author:     Mark Johnston <markj at FreeBSD.org>
AuthorDate: 2021-09-11 16:55:32 +0000
Commit:     Mark Johnston <markj at FreeBSD.org>
CommitDate: 2021-09-11 16:58:41 +0000

    aio: Fix up the opcode in aiocb32_copyin()
    
    With lio_listio(2), the opcode is specified by userspace rather than
    being hard-coded by the system call (e.g., aio_readv() -> LIO_READV).
    kern_lio_listio() calls aio_aqueue() with an opcode of LIO_NOP, which
    gets fixed up when the aiocb is copied in.
    
    When copying in a job request for vectored I/O, we need to dynamically
    allocate a uio to wrap an iovec.  So aiocb_copyin() needs to get the
    opcode from the aiocb and then decide whether an allocation is required.
    We failed to do this in the COMPAT_FREEBSD32 case.  Fix it.
    
    Reported by:    syzbot+27eab6f2c2162f2885ee at syzkaller.appspotmail.com
    Reviewed by:    kib, asomers
    Fixes:  f30a1ae8d529 ("lio_listio(2):  Allow LIO_READV and LIO_WRITEV.")
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D31914
---
 sys/kern/vfs_aio.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sys/kern/vfs_aio.c b/sys/kern/vfs_aio.c
index 602c91b542de..2da1a81d41bc 100644
--- a/sys/kern/vfs_aio.c
+++ b/sys/kern/vfs_aio.c
@@ -2826,6 +2826,8 @@ aiocb32_copyin(struct aiocb *ujob, struct kaiocb *kjob, int type)
 	CP(job32, *kcb, aio_fildes);
 	CP(job32, *kcb, aio_offset);
 	CP(job32, *kcb, aio_lio_opcode);
+	if (type == LIO_NOP)
+		type = kcb->aio_lio_opcode;
 	if (type & LIO_VECTORED) {
 		iov32 = PTRIN(job32.aio_iov);
 		CP(job32, *kcb, aio_iovcnt);
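Review bot: the opcode that now selects the vectored path is taken straight from the user-supplied aiocb (`type = kcb->aio_lio_opcode`) and tested with `type & LIO_VECTORED` with no validation visible in this hunk, so any opcode value with the LIO_VECTORED bit set reaches the uio allocation; please confirm that the caller (aio_aqueue(), per the commit message) rejects unknown opcodes after the copyin and frees the allocated uio on that error path. A one-line comment noting that this block mirrors the same fixup in the native aiocb_copyin() would help keep the two copies in sync, given that the COMPAT_FREEBSD32 copy is the one that fell behind.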


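The mechanism the commit message describes, modelled as an added example (this is not FreeBSD code and not the patched function): a 32-bit aiocb is copied into a kernel-side job, the opcode is fixed up from the aiocb when the system call passed LIO_NOP, and a uio is allocated only when the effective opcode is vectored. The opcode constants are assumed to match FreeBSD's <aio.h>, the struct layouts are simplified stand-ins, PTRIN() is replaced by offsets into a constructed buffer standing in for the 32-bit address space, and `fixup` switches between the pre-fix (no fixup) and post-fix behaviour so the inconsistent state the bug produced can be seen.

```c
#include <assert.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Opcode values assumed from FreeBSD's <aio.h>: LIO_VECTORED is a flag bit
 * OR'ed into LIO_READ / LIO_WRITE. */
#define LIO_NOP      0x0
#define LIO_WRITE    0x1
#define LIO_READ     0x2
#define LIO_VECTORED 0x4
#define LIO_READV    (LIO_READ | LIO_VECTORED)
#define LIO_WRITEV   (LIO_WRITE | LIO_VECTORED)

/* Simplified COMPAT_FREEBSD32 user layouts: pointers are 32 bits wide. */
struct iovec32 { uint32_t iov_base; uint32_t iov_len; };
struct aiocb32 {
    int32_t  aio_fildes;
    int64_t  aio_offset;
    uint32_t aio_iov;        /* struct iovec32 * in the 32-bit process */
    int32_t  aio_iovcnt;
    int32_t  aio_lio_opcode;
};

/* Simplified kernel-side layouts. */
struct iovec  { void *iov_base; size_t iov_len; };
struct uio    { struct iovec *uio_iov; int uio_iovcnt; };
struct kaiocb {
    int aio_fildes;
    int64_t aio_offset;
    int aio_lio_opcode;
    int aio_iovcnt;
    struct uio *uio;         /* NULL unless the job is vectored */
};

/* Constructed stand-in for the 32-bit address space: a 32-bit "pointer"
 * in the aiocb is a byte offset into this buffer (replaces PTRIN()). */
static unsigned char user_space[256];
#define PTRIN(off) ((void *)(user_space + (off)))

/* Model of aiocb32_copyin(). 'type' is the opcode the system call hard-codes
 * (LIO_NOP for lio_listio); 'fixup' selects pre-fix (0) or post-fix (1). */
static int
aiocb32_copyin_model(const struct aiocb32 *job32, struct kaiocb *kcb,
    int type, int fixup)
{
    struct iovec32 *iov32;
    struct iovec *iov;
    int i;

    memset(kcb, 0, sizeof(*kcb));
    kcb->aio_fildes = job32->aio_fildes;
    kcb->aio_offset = job32->aio_offset;
    kcb->aio_lio_opcode = job32->aio_lio_opcode;
    if (fixup && type == LIO_NOP)       /* the two lines the commit adds */
        type = kcb->aio_lio_opcode;
    if (type & LIO_VECTORED) {
        iov32 = PTRIN(job32->aio_iov);
        kcb->aio_iovcnt = job32->aio_iovcnt;
        if (kcb->aio_iovcnt <= 0 || kcb->aio_iovcnt > 4)
            return (EINVAL);
        iov = calloc((size_t)kcb->aio_iovcnt, sizeof(*iov));
        kcb->uio = calloc(1, sizeof(*kcb->uio));
        if (iov == NULL || kcb->uio == NULL) {
            free(iov); free(kcb->uio); kcb->uio = NULL;
            return (ENOMEM);
        }
        for (i = 0; i < kcb->aio_iovcnt; i++) {   /* widen the 32-bit iovecs */
            iov[i].iov_base = PTRIN(iov32[i].iov_base);
            iov[i].iov_len = iov32[i].iov_len;
        }
        kcb->uio->uio_iov = iov;
        kcb->uio->uio_iovcnt = kcb->aio_iovcnt;
    }
    return (0);
}

/* A queued job is consistent when it carries a uio iff its opcode is vectored. */
static int
job_consistent(const struct kaiocb *kcb)
{
    return (((kcb->aio_lio_opcode & LIO_VECTORED) != 0) == (kcb->uio != NULL));
}

static void
kaiocb_free(struct kaiocb *kcb)
{
    if (kcb->uio != NULL) {
        free(kcb->uio->uio_iov);
        free(kcb->uio);
        kcb->uio = NULL;
    }
}

/* Copy in one constructed two-element vectored request with the given
 * syscall 'type' and user 'opcode'; returns 1 if the result is consistent. */
static int
scenario(int type, int opcode, int fixup)
{
    struct iovec32 iov32[2] = { { 64, 16 }, { 96, 32 } };  /* offsets, constructed */
    struct aiocb32 job32;
    struct kaiocb kcb;
    int ok;

    memcpy(user_space, iov32, sizeof(iov32));  /* iovec array at 32-bit address 0 */
    memset(&job32, 0, sizeof(job32));
    job32.aio_fildes = 3;
    job32.aio_iov = 0;
    job32.aio_iovcnt = 2;
    job32.aio_lio_opcode = opcode;
    if (aiocb32_copyin_model(&job32, &kcb, type, fixup) != 0)
        return (0);
    ok = job_consistent(&kcb);
    kaiocb_free(&kcb);
    return (ok);
}

int
main(void)
{
    printf("lio_listio LIO_READV, pre-fix : %s\n",
        scenario(LIO_NOP, LIO_READV, 0) ? "consistent" : "opcode vectored but uio NULL");
    printf("lio_listio LIO_READV, post-fix: %s\n",
        scenario(LIO_NOP, LIO_READV, 1) ? "consistent" : "inconsistent");
    printf("aio_readv direct, pre-fix     : %s\n",
        scenario(LIO_READV, LIO_READV, 0) ? "consistent" : "inconsistent");
    return (0);
}
```

The pre-fix lio_listio case is the one syzbot would have tripped: the job is marked LIO_READV but `uio` stays NULL because `type` was still LIO_NOP when the vectored check ran. The direct aio_readv() path was never affected, since the system call passes LIO_READV as `type` itself.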
More information about the dev-commits-src-main mailing list