On 5/20/12 11:50 PM, Linus Torvalds wrote:
> On Sun, May 20, 2012 at 8:28 PM, manish honap
> <manish_honap_vit@xxxxxxxxxxx> wrote:
>> Hello Linus,
>>
>> The overflow issue was seen during async dio path
>
> Christ. fs/aio.c doesn't do the proper rw_verify_area().
>
> As a result, it doesn't check file locks, and it doesn't seem to check
> offset overflows either.
>
> The vector versions kind of get the size limit by mistake (because
> they at least use rw_copy_check_uvector(), which does limit things to
> MAX_RW_COUNT), but they don't do the offset overflow check either.
>
> Does this patch work for you? What it *should* do is the same that the
> other read/write paths do (and the vector path for aio already does),
> namely truncate reads or writes to MAX_RW_COUNT (which is INT_MAX
> aligned down to a page).
>
> This patch is entirely untested,
>
> Linus

Here's a testcase for xfstests.

---

Add new testcase looking for overflows in AIO code when
2G write requests are issued. Also fix up ltp/aio-stress.c
to not overflow before the request ever gets to the kernel...

Signed-off-by: Eric Sandeen <sandeen@xxxxxxxxxx>
---

diff --git a/286 b/286 new file mode 100755 index 0000000..f5daa96 --- /dev/null +++ b/286 
@@ -0,0 +1,75 @@ +#! /bin/bash +# FS QA Test No. 286 +# +# Check for 2G overflows in AIO +# +#----------------------------------------------------------------------- +# Copyright (c) 2012 Red Hat, Inc. All Rights Reserved. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it would be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA +#----------------------------------------------------------------------- +# +# creator +owner=sandeen@xxxxxxxxxxx + +seq=`basename $0` +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + cd / + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common.rc +. ./common.filter + +# real QA test starts here +rm -f $seq.full + +# Modify as appropriate. 
+_supported_fs generic +_supported_os IRIX Linux +# Because we will be writing some big files +_require_scratch +[ -x $here/ltp/aio-stress ] || _notrun "aio-stress not built for this platform" + +_scratch_mkfs > $seq.full 2>&1 +_scratch_mount +# A little over 4G +_require_fs_space $SCRATCH_MNT 4194500 + +expected=4294967296 + +# 4x 1G IOs, should pass +$here/ltp/aio-stress -d 1 -b 1 -i 1 -O -I 4 -s 4096 -r 1048576 -v $SCRATCH_MNT/aiofile >> $seq.full 2>&1 +size=$(ls -l $SCRATCH_MNT/aiofile | $AWK_PROG '{print $5}') +[ "$size" -ne $expected ] && _fail "2 x 1G IOs: filesize $size not $expected" + +rm -f $SCRATCH_MNT/aiofile + +# 2x 2G IOs, has failed in past +$here/ltp/aio-stress -d 1 -b 1 -i 1 -O -I 2 -s 4096 -r 2097152 -v $SCRATCH_MNT/aiofile >> $seq.full 2>&1 +size=$(ls -l $SCRATCH_MNT/aiofile | $AWK_PROG '{print $5}') +[ "$size" -ne $expected ] && _fail "1 x 2G IOs: filesize $size not $expected" + +# success, all done +status=0 +exit diff --git a/286.out b/286.out new file mode 100644 index 0000000..6415ad8 --- /dev/null +++ b/286.out @@ -0,0 +1 @@ +QA output created by 286 diff --git a/group b/group index 17afdcd..e91abd6 100644 --- a/group +++ b/group @@ -404,3 +404,4 @@ deprecated 283 dump ioctl auto quick 284 auto 285 repair +286 aio auto diff --git a/ltp/aio-stress.c b/ltp/aio-stress.c index 57a2158..40651b4 100644 --- a/ltp/aio-stress.c +++ b/ltp/aio-stress.c @@ -92,7 +92,7 @@ int completion_latency_stats = 0; int io_iter = 8; int iterations = RUN_FOREVER; int max_io_submit = 0; -long rec_len = 64 * 1024; +size_t rec_len = 64 * 1024; int depth = 64; int num_threads = 1; int num_contexts = 1; @@ -102,7 +102,7 @@ int use_shm = 0; int shm_id; char *unaligned_buffer = NULL; char *aligned_buffer = NULL; -int padded_reclen = 0; +size_t padded_reclen = 0; int stonewall = 1; int verify = 0; char *verify_buf = NULL; 
@@ -661,7 +661,7 @@ finish_oper(struct thread_info *t, struct io_oper *oper) * null on error */ static struct io_oper * -create_oper(int fd, int rw, off_t start, off_t end, int reclen, int depth, +create_oper(int fd, int rw, off_t start, off_t end, size_t reclen, int depth, int iter, char *file_name) { struct io_oper *oper; @@ -925,7 +925,7 @@ void aio_setup(io_context_t *io_ctx, int n) */ int setup_ious(struct thread_info *t, int num_files, int depth, - int reclen, int max_io_submit) { + size_t reclen, int max_io_submit) { int i; size_t bytes = num_files * depth * sizeof(*t->ios); @@ -989,7 +989,7 @@ free_buffers: * buffers to */ int setup_shared_mem(int num_threads, int num_files, int depth, - int reclen, int max_io_submit) + size_t reclen, int max_io_submit) { char *p = NULL; size_t total_ram;
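
Review bot: In the new test script 286, the two `_fail` messages do not match the runs they follow: the first command is `-I 4 -r 1048576` under the comment "4x 1G IOs" but reports "2 x 1G IOs", and the second is `-I 2 -r 2097152` under "2x 2G IOs" but reports "1 x 2G IOs". Suggest making the strings agree with the comments so a failure log points at the right case. Separately, `[ "$size" -ne $expected ]` raises a test error instead of evaluating true when `$size` is empty (for instance if aio-stress never created the file), so `_fail` is skipped on that path; checking the exit status of aio-stress, or testing for an empty `$size` first, would make that failure explicit.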
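
Review bot: At the `rec_len` and `padded_reclen` globals in ltp/aio-stress.c, moving from `long` and `int` to `size_t` changes signedness as well as width, yet no hunk in this patch touches a format string or a comparison that uses either variable. Every printf-style use should move to `%zu`, and any `< 0` test or signed arithmetic on these two needs a look, because such code still compiles (at most with a warning) and then behaves differently.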
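
Review bot: In the `create_oper()`, `setup_ious()` and `setup_shared_mem()` hunks only the `reclen` parameter is widened to `size_t`; nothing shown changes where that value is stored or multiplied. If `struct io_oper` or a local in these functions still holds the length as `int`, the 2G truncation simply moves one level down, so the struct field and the buffer-size arithmetic (whatever is assigned to `bytes` and `total_ram`) should be checked and widened in the same patch.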
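
The size clamp and offset check described in the quoted message, modelled in user space as an added example (not kernel code and not part of the posted patch). `model_verify_area`, `fits_in_int` and the 4 KiB page size are assumptions made for illustration.

```c
#include <limits.h>
#include <stdio.h>

/* Assumption: 4 KiB pages. The message defines MAX_RW_COUNT as
 * INT_MAX aligned down to a page; this models that value. */
#define MODEL_PAGE_SIZE    4096LL
#define MODEL_MAX_RW_COUNT ((long long)INT_MAX & ~(MODEL_PAGE_SIZE - 1))

/* Hypothetical model of the two checks the message says the AIO path
 * was missing: reject an offset range that would overflow, and
 * truncate the request size to MODEL_MAX_RW_COUNT.
 * Returns the byte count to use, or -1 if the request is rejected. */
long long model_verify_area(long long pos, unsigned long long count)
{
    if (pos < 0)
        return -1;
    if (count > (unsigned long long)(LLONG_MAX - pos))
        return -1;                      /* pos + count would wrap */
    if (count > (unsigned long long)MODEL_MAX_RW_COUNT)
        return MODEL_MAX_RW_COUNT;      /* truncated, not rejected */
    return (long long)count;
}

/* The aio-stress side of the patch: a record length survives an
 * `int` parameter only if it is at most INT_MAX. */
int fits_in_int(unsigned long long bytes)
{
    return bytes <= (unsigned long long)INT_MAX;
}

int main(void)
{
    unsigned long long one_g = 1ULL << 30;  /* test's -r 1048576 (KiB) */
    unsigned long long two_g = 1ULL << 31;  /* test's -r 2097152 (KiB) */

    printf("1G fits in int: %d, clamped to %lld\n",
           fits_in_int(one_g), model_verify_area(0, one_g));
    printf("2G fits in int: %d, clamped to %lld\n",
           fits_in_int(two_g), model_verify_area(0, two_g));
    printf("offset near LLONG_MAX: %lld\n",
           model_verify_area(LLONG_MAX - 10, 4096));
    return 0;
}
```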