[PATCH 1/1] xfstests 286: test for 2G overflows in AIO

[Eric Sandeen <sandeen@sandeen.net>]

On 5/20/12 11:50 PM, Linus Torvalds wrote:
> On Sun, May 20, 2012 at 8:28 PM, manish honap
> <manish_honap_vit@yahoo.co.in> wrote:
>> Hello Linus,
>>
>> The overflow issue was seen during async dio path
> 
> Christ. fs/aio.c doesn't do the proper rw_verify_area().
> 
> As a result, it doesn't check file locks, and it doesn't seem to check
> offset overflows either.
> 
> The vector versions kind of get the size limit by mistake (because
> they at least use rw_copy_check_uvector(), which does limit things to
> MAX_RW_COUNT), but they don't do the offset overflow check either.
> 
> Does this patch work for you? What it *should* do is the same that the
> other read/write paths do (and the vector path for aio already do),
> namely truncate reads or writes to MAX_RW_COUNT (which is INT_MAX
> aligned down to a page).
> 
> This patch is entirely untested,
> 
>                      Linus

Here's a testcase for xfstests.
---

Add new testcase looking for overflows in AIO code when 2G write
requests are issued.

Also fix up ltp/aio-stress.c to not overflow before the request
ever gets to the kernel...

Signed-off-by: Eric Sandeen <sandeen@redhat.com>
---

diff --git a/286 b/286
new file mode 100755
index 0000000..f5daa96
--- /dev/null
+++ b/286
@@ -0,0 +1,75 @@
+#! /bin/bash
+# FS QA Test No. 286
+#
+# Check for 2G overflows in AIO
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2012 Red Hat, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#-----------------------------------------------------------------------
+#
+# creator
+owner=sandeen@sandeen.net
+
+seq=`basename $0`
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+_cleanup()
+{
+    cd /
+    rm -f $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common.rc
+. ./common.filter
+
+# real QA test starts here
+rm -f $seq.full
+
+# Modify as appropriate.
+_supported_fs generic
+_supported_os IRIX Linux
+# Because we will be writing some big files
+_require_scratch
+[ -x $here/ltp/aio-stress ] || _notrun "aio-stress not built for this platform"
+
+_scratch_mkfs > $seq.full 2>&1
+_scratch_mount
+# A little over 4G
+_require_fs_space $SCRATCH_MNT 4194500
+
+expected=4294967296
+
+# 4x 1G IOs, should pass
+$here/ltp/aio-stress -d 1 -b 1 -i 1 -O -I 4 -s 4096 -r 1048576 -v $SCRATCH_MNT/aiofile >> $seq.full 2>&1
+size=$(ls -l $SCRATCH_MNT/aiofile | $AWK_PROG '{print $5}')
+[ "$size" -ne $expected ] && _fail "2 x 1G IOs: filesize $size not $expected"
+
+rm -f $SCRATCH_MNT/aiofile
+
+# 2x 2G IOs, has failed in past
+$here/ltp/aio-stress -d 1 -b 1 -i 1 -O -I 2 -s 4096 -r 2097152 -v $SCRATCH_MNT/aiofile >> $seq.full 2>&1
+size=$(ls -l $SCRATCH_MNT/aiofile | $AWK_PROG '{print $5}')
+[ "$size" -ne $expected ] && _fail "1 x 2G IOs: filesize $size not $expected"
+
+# success, all done
+status=0
+exit
diff --git a/286.out b/286.out
new file mode 100644
index 0000000..6415ad8
--- /dev/null
+++ b/286.out
@@ -0,0 +1 @@
+QA output created by 286
diff --git a/group b/group
index 17afdcd..e91abd6 100644
--- a/group
+++ b/group
@@ -404,3 +404,4 @@ deprecated
 283 dump ioctl auto quick
 284 auto
 285 repair
+286 aio auto
diff --git a/ltp/aio-stress.c b/ltp/aio-stress.c
index 57a2158..40651b4 100644
--- a/ltp/aio-stress.c
+++ b/ltp/aio-stress.c
@@ -92,7 +92,7 @@ int completion_latency_stats = 0;
 int io_iter = 8;
 int iterations = RUN_FOREVER;
 int max_io_submit = 0;
-long rec_len = 64 * 1024;
+size_t rec_len = 64 * 1024;
 int depth = 64;
 int num_threads = 1;
 int num_contexts = 1;
@@ -102,7 +102,7 @@ int use_shm = 0;
 int shm_id;
 char *unaligned_buffer = NULL;
 char *aligned_buffer = NULL;
-int padded_reclen = 0;
+size_t padded_reclen = 0;
 int stonewall = 1;
 int verify = 0;
 char *verify_buf = NULL;
@@ -661,7 +661,7 @@ finish_oper(struct thread_info *t, struct io_oper *oper)
  * null on error
  */
 static struct io_oper * 
-create_oper(int fd, int rw, off_t start, off_t end, int reclen, int depth,
+create_oper(int fd, int rw, off_t start, off_t end, size_t reclen, int depth,
             int iter, char *file_name)
 {
     struct io_oper *oper;
@@ -925,7 +925,7 @@ void aio_setup(io_context_t *io_ctx, int n)
  */
 int setup_ious(struct thread_info *t, 
               int num_files, int depth, 
-	      int reclen, int max_io_submit) {
+	      size_t reclen, int max_io_submit) {
     int i;
     size_t bytes = num_files * depth * sizeof(*t->ios);
 
@@ -989,7 +989,7 @@ free_buffers:
  * buffers to
  */
 int setup_shared_mem(int num_threads, int num_files, int depth, 
-                     int reclen, int max_io_submit) 
+                     size_t reclen, int max_io_submit) 
 {
     char *p = NULL;
     size_t total_ram;