svn commit: r324941 - in head: lib/libc/sys sys/kern

Conrad Meyer cem at freebsd.org
Thu Oct 26 02:24:16 UTC 2017


Hi Alan,

Coverity reports a mismatch between the loop quoted in the context
below and the dynamic array size nent.  (The mismatch predates your
change, due to the invariant nent <= aio_listio_max and aiol_zone
sized in terms of aio_listio_max.)

CID is 1382114.

On Mon, Oct 23, 2017 at 4:12 PM, Alan Somers <asomers at freebsd.org> wrote:
> Author: asomers
> Date: Mon Oct 23 23:12:01 2017
> New Revision: 324941
> URL: https://svnweb.freebsd.org/changeset/base/324941
>
> Log:
>   Remove artificial restriction on lio_listio's operation count
> ...
> Modified: head/sys/kern/vfs_aio.c
> ==============================================================================
> --- head/sys/kern/vfs_aio.c     Mon Oct 23 23:05:29 2017        (r324940)
> +++ head/sys/kern/vfs_aio.c     Mon Oct 23 23:12:01 2017        (r324941)
>...
> @@ -2812,7 +2809,7 @@ freebsd32_aio_suspend(struct thread *td, struct freebs
>         } else
>                 tsp = NULL;
>
> -       ujoblist = uma_zalloc(aiol_zone, M_WAITOK);
> +       ujoblist = malloc(uap->nent * sizeof(ujoblist[0]), M_AIOS, M_WAITOK);
>         ujoblist32 = (uint32_t *)ujoblist;
>         error = copyin(uap->aiocbp, ujoblist32, uap->nent *
>             sizeof(ujoblist32[0]));
>         if (error == 0) {
>                 for (i = uap->nent; i > 0; i--)

Probably, this should be: for (i = uap->nent - 1; i > 0; i--)

>                         ujoblist[i] = PTRIN(ujoblist32[i]);
>
>                 error = kern_aio_suspend(td, uap->nent, ujoblist, tsp);
>         }
> -       uma_zfree(aiol_zone, ujoblist);
> +       free(ujoblist, M_AIOS);
>         return (error);
>  }
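Review bot: the conversion loop in this hunk, for (i = uap->nent; i > 0; i--), writes ujoblist[uap->nent], one element past the array just allocated as uap->nent * sizeof(ujoblist[0]), and never converts ujoblist[0]; the bound should be for (i = uap->nent - 1; i >= 0; i--). The downward direction itself is correct and should stay: ujoblist32 aliases the same buffer, so each native-pointer store would otherwise clobber the next unread 32-bit entry. Two consequences of the switch from the fixed-size zone to malloc are worth stating in the log or a comment: the out-of-bounds store now lands in adjacent malloc memory rather than in slack at the end of an aio_listio_max-sized zone item, and the size computation depends on whatever range check on uap->nent precedes this hunk.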

I think this loop was wrong when it was introduced in r185878, but
have not investigated that thoroughly.

Best,
Conrad
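The in-place widening the quoted loop performs (32-bit user pointers copied into the front of a buffer sized for native pointers, then expanded from the top down) is shown below as an added example; it is not code from FreeBSD or from this thread. The names widen_ptrs32_inplace, widen_copy, all_widened and the PTRIN32 macro are invented for the example, and PTRIN32 stands in for the kernel's PTRIN() as a plain zero-extending cast. It uses the inclusive bounds nent-1 down to 0 so that index 0 is converted and index nent is never touched.

```c
/*
 * Added example (not FreeBSD code): widen an array of 32-bit user pointers,
 * as copied in by a compat32 syscall, into native pointers in place.
 *
 * The 32-bit values occupy the first nent * 4 bytes of a buffer that holds
 * nent native pointers.  The loop must run from the highest index down:
 * walking upward on a 64-bit host would overwrite 32-bit entries that have
 * not been read yet, because both views alias the same memory.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the kernel's PTRIN(): zero-extend a 32-bit user address. */
#define PTRIN32(v) ((void *)(uintptr_t)(uint32_t)(v))

/*
 * buf holds nent native pointer slots whose leading bytes contain nent
 * 32-bit entries.  Returns 0 on success, -1 on a negative count.
 */
static int
widen_ptrs32_inplace(void **buf, int nent)
{
	uint32_t *p32 = (uint32_t *)buf;
	int i;

	if (nent < 0)
		return (-1);
	/* Indices nent-1 .. 0 inclusive; index nent is past the end. */
	for (i = nent - 1; i >= 0; i--)
		buf[i] = PTRIN32(p32[i]);
	return (0);
}

/*
 * Allocate a buffer for nent native pointers, copy the 32-bit entries into
 * its front (the role copyin() plays in the kernel), and widen them.
 * Returns NULL on a bad count or allocation failure.
 */
static void **
widen_copy(const uint32_t *src, int nent)
{
	void **buf;

	if (nent <= 0 || (size_t)nent > SIZE_MAX / sizeof(void *))
		return (NULL);
	buf = malloc((size_t)nent * sizeof(void *));
	if (buf == NULL)
		return (NULL);
	memcpy(buf, src, (size_t)nent * sizeof(uint32_t));
	if (widen_ptrs32_inplace(buf, nent) != 0) {
		free(buf);
		return (NULL);
	}
	return (buf);
}

/* Returns 1 if every slot holds the widened form of its source entry. */
static int
all_widened(void **buf, const uint32_t *src, int nent)
{
	int i;

	for (i = 0; i < nent; i++)
		if (buf[i] != PTRIN32(src[i]))
			return (0);
	return (1);
}
```

The size check in widen_copy guards the nent * sizeof multiplication that the kernel version relies on an earlier range check for; in the example it is made explicit so the allocation size cannot wrap.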

