Date: Wed, 25 Oct 2017 19:16:59 -0700
From: Conrad Meyer <cem@freebsd.org>
To: Alan Somers <asomers@freebsd.org>
Cc: src-committers <src-committers@freebsd.org>, svn-src-all@freebsd.org, svn-src-head@freebsd.org, John Baldwin <jhb@freebsd.org>
Subject: Re: svn commit: r324941 - in head: lib/libc/sys sys/kern
Message-ID: <CAG6CVpVy84WRLD7ghiLbxFObJ8SBU8WsEpEhjsQfR9ZZxCNoaA@mail.gmail.com>
In-Reply-To: <201710232312.v9NNC1B0011025@repo.freebsd.org>
References: <201710232312.v9NNC1B0011025@repo.freebsd.org>
Hi Alan,

Coverity reports a mismatch between the loop quoted in the context below
and the dynamic array size nent. (The mismatch predates your change, due to
the invariant nent <= aio_listio_max and aiol_zone sized in terms of
aio_listio_max.) CID is 1382114.

On Mon, Oct 23, 2017 at 4:12 PM, Alan Somers <asomers@freebsd.org> wrote:
> Author: asomers
> Date: Mon Oct 23 23:12:01 2017
> New Revision: 324941
> URL: https://svnweb.freebsd.org/changeset/base/324941
>
> Log:
> Remove artificial restriction on lio_listio's operation count
> ...
> Modified: head/sys/kern/vfs_aio.c
> ==============================================================================
> --- head/sys/kern/vfs_aio.c Mon Oct 23 23:05:29 2017 (r324940)
> +++ head/sys/kern/vfs_aio.c Mon Oct 23 23:12:01 2017 (r324941)
>...
> @@ -2812,7 +2809,7 @@ freebsd32_aio_suspend(struct thread *td, struct freebs
> } else
> tsp = NULL;
>
> - ujoblist = uma_zalloc(aiol_zone, M_WAITOK);
> + ujoblist = malloc(uap->nent * sizeof(ujoblist[0]), M_AIOS, M_WAITOK);
> ujoblist32 = (uint32_t *)ujoblist;
> error = copyin(uap->aiocbp, ujoblist32, uap->nent *
> sizeof(ujoblist32[0]));
> if (error == 0) {
> for (i = uap->nent; i > 0; i--)

Probably, this should be:

for (i = uap->nent - 1; i > 0; i--)

> ujoblist[i] = PTRIN(ujoblist32[i]);
>
> error = kern_aio_suspend(td, uap->nent, ujoblist, tsp);
> }
> - uma_zfree(aiol_zone, ujoblist);
> + free(ujoblist, M_AIOS);
> return (error);
> }

I think this loop was wrong when it was introduced in r185878, but have not
investigated that thoroughly.

Best,
Conrad
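Review bot: the conversion loop in the quoted freebsd32_aio_suspend() hunk, `for (i = uap->nent; i > 0; i--) ujoblist[i] = PTRIN(ujoblist32[i]);`, is off by one at both ends: its first iteration stores ujoblist[uap->nent], one pointer past the uap->nent-element buffer that the new malloc() call sizes, and its last iteration is i == 1, so ujoblist[0] is never converted and is left holding the first two raw 32-bit entries from the copyin. The descending order itself is right, since widening uint32_t entries to pointers in the same buffer must process the highest index first so that a store does not clobber entries not yet read; the bounds should be `for (i = uap->nent - 1; i >= 0; i--)`, with i signed. The hunk also shows no check on uap->nent before it is multiplied by sizeof(ujoblist[0]) for malloc(); if a negative or oversized nent is not rejected earlier in the function, the size argument can wrap, so confirm that check exists above this context.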
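To make the out-of-bounds store and the unconverted element 0 concrete, here is an added model of the in-place widening that the quoted hunk performs. It is not FreeBSD code: the buffer layout after copyin(), the guarded store that counts stores past the allocation instead of performing them, the statistics struct and the sample values are all constructed for this example, and PTRIN() is modelled as a plain zero-extending cast. It goes a step beyond the mail by also running the loop in ascending order, to show why the descending direction has to be kept when fixing the bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed model of the ujoblist widening in freebsd32_aio_suspend():
 * nent 32-bit user pointers sit at the front of a buffer sized for nent
 * native pointers and are widened in place.  Not FreeBSD code.
 */

struct widen_stats {
	size_t oob_stores;	/* stores attempted at index >= nent */
	size_t wrong;		/* slots not holding PTRIN(input) afterwards */
};

/* ujoblist32[i], read from the front of the pointer buffer.  memcpy keeps
 * the type punning well defined; the kernel reads via a (uint32_t *) cast. */
static uint32_t
read32(const uintptr_t *buf, size_t i)
{
	uint32_t v;

	memcpy(&v, (const unsigned char *)buf + i * sizeof(v), sizeof(v));
	return (v);
}

/* ujoblist[i] = PTRIN(ujoblist32[i]), except that an index at or past the
 * nent-element allocation is counted instead of written (assumed helper). */
static void
guarded_store(uintptr_t *buf, size_t nent, size_t i, struct widen_stats *st)
{
	if (i >= nent) {
		st->oob_stores++;
		return;
	}
	buf[i] = (uintptr_t)read32(buf, i);
}

/* Lay the buffer out as copyin() leaves it: nent uint32_t values packed at
 * the start of an allocation sized for nent native pointers. */
static uintptr_t *
make_buffer(const uint32_t *vals, size_t nent)
{
	uintptr_t *buf = calloc(nent, sizeof(*buf));

	if (buf != NULL)
		memcpy(buf, vals, nent * sizeof(*vals));
	return (buf);
}

enum loop_kind { LOOP_COMMITTED, LOOP_ASCENDING, LOOP_FIXED };

/* Run one loop shape over a fresh buffer built from vals[] and report how
 * many stores went out of bounds and how many slots ended up wrong. */
struct widen_stats
widen(enum loop_kind kind, const uint32_t *vals, size_t nent)
{
	struct widen_stats st = { 0, 0 };
	uintptr_t *buf = make_buffer(vals, nent);
	ptrdiff_t i;

	if (buf == NULL) {
		st.wrong = nent;
		return (st);
	}
	switch (kind) {
	case LOOP_COMMITTED:	/* as in r324941: for (i = nent; i > 0; i--) */
		for (i = (ptrdiff_t)nent; i > 0; i--)
			guarded_store(buf, nent, (size_t)i, &st);
		break;
	case LOOP_ASCENDING:	/* wrong direction: buf[i] clobbers unread u32 */
		for (i = 0; i < (ptrdiff_t)nent; i++)
			guarded_store(buf, nent, (size_t)i, &st);
		break;
	case LOOP_FIXED:	/* highest index first, down to and including 0 */
		for (i = (ptrdiff_t)nent - 1; i >= 0; i--)
			guarded_store(buf, nent, (size_t)i, &st);
		break;
	}
	for (i = 0; i < (ptrdiff_t)nent; i++)
		if (buf[i] != (uintptr_t)vals[i])
			st.wrong++;
	free(buf);
	return (st);
}

/* Constructed sample: four 32-bit user pointers from a compat process. */
static const uint32_t sample[] = {
	0x08048000u, 0x08049010u, 0xbfff0000u, 0x0804a020u
};
#define	SAMPLE_N (sizeof(sample) / sizeof(sample[0]))

int
main(void)
{
	enum loop_kind k;

	for (k = LOOP_COMMITTED; k <= LOOP_FIXED; k++) {
		struct widen_stats st = widen(k, sample, SAMPLE_N);

		printf("loop %d: %zu out-of-bounds store(s), %zu wrong slot(s)\n",
		    (int)k, st.oob_stores, st.wrong);
	}
	return (0);
}
```

On a 64-bit host the committed loop reports one store past the allocation and one wrong slot (element 0, which still holds two packed 32-bit values), the ascending loop reports no out-of-bounds store but corrupts every slot after the first, and the fixed loop reports neither. With nent == 1 the committed loop still makes its single out-of-bounds store, which is the case a small Coverity-style bound check catches even when the values happen to come out right.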