https://bugs.kde.org/show_bug.cgi?id=430971

--- Comment #5 from Paul Floyd <[email protected]> ---
Here's my take on this.

The man page says

DESCRIPTION
       Note: this page describes the raw Linux system call interface. The
       wrapper function provided by libaio uses a different type for the
       ctx_idp argument. See VERSIONS.

       The io_setup() system call creates an asynchronous I/O context suitable
       for concurrently processing nr_events operations. The ctx_idp argument
       must not point to an AIO context that already exists, and must be
       initialized to 0 prior to the call. On successful creation of the AIO
       context, *ctx_idp is filled in with the resulting handle.

We have one testcase that uses io_setup (from bug 420682).
This does it like the manpage above. Unfortunately (a)io_context is opaque and
I can't see what is inside it in GDB. I do just see the nr_events and the
pointer to the opaque io_context being passed to the syscall. From what I see
in the kernel source it's just an unsigned long that will contain the context
user_id.

I can't see anything in the kernel related to struct aio_ring. The kernel does
allocate a struct kioctx but that's in kernel memory space.

Looking at pmap -x there is

00007ffff7ff4000       8       8       0 rw-s- [aio] (deleted)

And that's the address that comes back in ctx. If that thing is pointing to a
struct aio_ring then what I see all matches this patch.
The size of both struct aio_ring and struct io_event are 32 bytes. Without the
patch ARG1 is 1 so size is 64 rounded up to a page, so 4k.
With the patch, r->nr is 255 so size is 32 + 32*255 or 32*256 = 8k. That's
what I saw in the pmap -x output.

I can see the value of AIO_RING_MAGIC. I don't follow what is happening in
aio_setup_ring:

        nr_events += 2; /* 1 is required, 2 for good luck */

        size = sizeof(struct aio_ring);
        size += sizeof(struct io_event) * nr_events;

        nr_pages = PFN_UP(size);

In the TC nr_events is 1, so this will make it 3. Size will be 4*32=128.
nr_pages should be 1.

Then there's this

        nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring))
                        / sizeof(struct io_event);

I make that 127 not 255.

For the mmap I see that they use the value of a loop counter after looping over
nr_pages. So that should be 2.

Finally

        ring->nr = nr_events;   /* user copy */
        ring->id = ~0U;

I'd expect that id to be 0xffffffff.

Apart from me probably not being able to read the kernel code this does look
OK.
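As an added example (not code from the comment, from Valgrind or from the kernel), this C program mirrors the aio_setup_ring arithmetic quoted above so the 127-vs-255 question can be checked for any requested nr_events; the struct layouts assume x86_64 (32 bytes each, as stated in the comment), and ioctx_alloc_scaled models the pre-scaling that fs/aio.c's ioctx_alloc applies before aio_setup_ring is called, which the quoted snippet does not show.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layouts as discussed in the comment: both are 32 bytes on x86_64. */
struct io_event { uint64_t data, obj; int64_t res, res2; };
struct aio_ring {
    unsigned id, nr, head, tail;
    unsigned magic, compat_features, incompat_features, header_length;
};

#define PAGE_SIZE 4096UL
#define PFN_UP(x) (((x) + PAGE_SIZE - 1) / PAGE_SIZE)

struct ring_geometry {
    unsigned long nr_pages; /* pages mmap'd as [aio] */
    unsigned ring_nr;       /* what lands in ring->nr (the user copy) */
    size_t map_bytes;       /* size Valgrind's patch derives from ring->nr */
};

/* Scaling done in ioctx_alloc before aio_setup_ring (assumed cpu count). */
unsigned ioctx_alloc_scaled(unsigned nr_events, unsigned num_possible_cpus) {
    if (nr_events < num_possible_cpus * 4)
        nr_events = num_possible_cpus * 4;
    return nr_events * 2;
}

/* Mirrors the aio_setup_ring arithmetic quoted in the comment. */
struct ring_geometry aio_ring_geometry(unsigned nr_events) {
    struct ring_geometry g;
    nr_events += 2; /* 1 is required, 2 for good luck */
    size_t size = sizeof(struct aio_ring) + sizeof(struct io_event) * nr_events;
    g.nr_pages = PFN_UP(size);
    g.ring_nr = (PAGE_SIZE * g.nr_pages - sizeof(struct aio_ring))
                / sizeof(struct io_event);
    g.map_bytes = sizeof(struct aio_ring) + sizeof(struct io_event) * g.ring_nr;
    return g;
}

/* Because 32 divides PAGE_SIZE, the size computed from ring->nr must equal
 * the mapped size exactly; this is the check behind the pmap comparison. */
int map_matches_pages(struct ring_geometry g) {
    return g.map_bytes == g.nr_pages * PAGE_SIZE;
}

int main(void) {
    struct ring_geometry raw = aio_ring_geometry(1);                        /* 1 page, nr 127 */
    struct ring_geometry scaled = aio_ring_geometry(ioctx_alloc_scaled(1, 16)); /* 2 pages, nr 255 */
    printf("raw: pages=%lu nr=%u bytes=%zu ok=%d\n", raw.nr_pages, raw.ring_nr, raw.map_bytes, map_matches_pages(raw));
    printf("scaled: pages=%lu nr=%u bytes=%zu ok=%d\n", scaled.nr_pages, scaled.ring_nr, scaled.map_bytes, map_matches_pages(scaled));
    return 0;
}
```

Feeding the testcase's nr_events of 1 straight into the quoted arithmetic gives 127 and one page; the 255 and 8k seen in pmap correspond to two pages, which the pre-scaling produces on a machine with enough possible CPUs (16 in the assumed call).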
