Christoph Hellwig <hch@xxxxxx> writes: > On Fri, Apr 06, 2018 at 04:16:30AM +0100, Al Viro wrote: >> BTW, this is only tangentially related, but... does *anything* call >> io_submit() for huge amounts of iocb? I don't know. If an application did that, as many I/Os as could fit into the ring buffer would be submitted, and that's what gets returned from the system call (the number of submitted iocbs). >> Check in do_io_submit() is insane - "no more than MAX_LONG total of >> _pointers_". Compat variant goes for "no more than a page worth of >> pointers" and there's a hard limit in ioctx_alloc() - we can't ever >> get more than 8M slots in ring buffer... > > Logical upper bound for io_submit is nr_events passed to io_setup(), > which is bound by aio_max_nr. Except that we never actually check > against nr_events (or max_reqs as it is known in kernel) in io_submit. > Sigh.. io_submit_one calls aio_get_req which calls get_reqs_available, which is what does the checking for an available ring buffer entry. -Jeff
