[openib-general] [PATCH][SDP] AIO buffer corruption

Libor Michalek libor at topspin.com
Wed Apr 27 18:22:54 PDT 2005


  Patch to fix the problem a few people reported as ttcp.aio.c 
aborting with an error (-104) on longer AIO runs.

  The bug is in the calculation of an AIO buffers starting address. 
It would cause data to potentially be written past the end of the 
AIO buffer corrupting whatever happen to be there. In the case of
ttcp.aio.c this happen to be the iocb array, which once corrupted
would generate this error when passed to io_submit.

-Libor

Signed-off-by: Libor Michalek <libor at topspin.com>

Index: sdp_recv.c
===================================================================
--- sdp_recv.c	(revision 2220)
+++ sdp_recv.c	(working copy)
@@ -674,14 +674,16 @@
 #ifndef _SDP_DATA_PATH_NULL
 		memcpy((addr + offset), buff->data, copy);
 #endif
-    
+
 		buff->data += copy;
 		iocb->post += copy;
 		iocb->len  -= copy;
 
 		offset     += copy;
 		offset     &= (~PAGE_MASK);
-		
+
+		iocb->io_addr += copy;
+
 		sdp_kunmap(iocb->page_array[counter++]);
 	}
 	/*
@@ -1443,7 +1445,8 @@
 			iocb->size = size;
 			iocb->req  = req;
 			iocb->key  = req->ki_key;
-			iocb->addr = (unsigned long)msg->msg_iov->iov_base;
+			iocb->addr = ((unsigned long)msg->msg_iov->iov_base -
+				      copied);
 
 			req->ki_cancel = sdp_inet_read_cancel;
 
Index: sdp_send.c
===================================================================
--- sdp_send.c	(revision 2220)
+++ sdp_send.c	(working copy)
@@ -751,6 +751,7 @@
 		buff->tail      += copy;
 		iocb->post      += copy;
 		iocb->len       -= copy;
+		iocb->io_addr   += copy;
 
 		offset += copy;
 		offset &= (~PAGE_MASK);
@@ -2195,7 +2196,7 @@
 		iocb->size = size;
 		iocb->req  = req;
 		iocb->key  = req->ki_key;
-		iocb->addr = (unsigned long)msg->msg_iov->iov_base;
+		iocb->addr = (unsigned long)msg->msg_iov->iov_base - copied;
       
 		req->ki_cancel = sdp_inet_write_cancel;
 



More information about the general mailing list